The Services Menu¶
In this page you find:
The 4i Edge X includes many useful services to prevent threats and to configure the networks and the running daemons; their activation and set-up are explained in this section. Among them are the DHCP server for internal zones, the intrusion detection system, and the new Collector service, which monitors devices behind the 4i Edge X and gathers big data for Analytics purposes. The available services appear as items in the sub-menu list on the left-hand side of the screen.
DHCP server–DHCP server for automatic IP assignment.
Time server–enable and configure the NTP time server, set the time zone, or update the time manually.
Intrusion Prevention System–configuration of the IPS snort.
SNMP Server–enable or disable support for the Simple Network Management Protocol.
Quality of Service–IP traffic prioritisation.
Serial port–configure the serial port.
DHCP server¶
The DHCP server is used by the clients (both workstations and servers) in the zones controlled by the 4i Edge X to receive an IP address (“lease”), which can be either a dynamic or a fixed lease, and communicate with other devices.
The DHCP server configuration consists of three pages, namely Server configuration, Fixed leases, and Dynamic leases.
Server configuration¶
The DHCP server on a 4i Edge X can be enabled on each active zone independently. For each of the zones enabled on the 4i Edge X, this page shows one checkbox, hence at least the Enable DHCP server on GREEN interface option appears. There are corresponding checkboxes for the ORANGE and BLUE zones.
Note
If both the BLUE zone and the hotspot are enabled, next to the BLUE option the message DHCP configuration is managed by hotspot appears, and the checkbox is disabled, because the IP assignment on the BLUE zone is managed by the hotspot.
At the bottom of the page, there is a textfield, labelled Custom configuration lines, that can be used by advanced users to write custom configuration lines to be added to the dhcpd.conf file (e.g., custom routes to subnets), like this example shows.
Warning
The custom configuration lines must adhere to the syntax of the /etc/dhcpd.conf file–check the manual page dhcpd.conf (5) or see it online at https://linux.die.net/man/5/dhcpd.conf, since they are not checked for errors and are inserted verbatim in the configuration file. Any typo or mistake might prevent the DHCP server from starting correctly!
To customise the DHCP parameter for each zone, tick the respective checkbox. A panel labelled Settings will appear: click on it to show the available options.
Settings
- Start address, End address
The range of IP addresses to be supplied to the clients. These addresses have to be within the subnet that has been assigned to the corresponding zone. If these two fields are left blank, the whole IP range of the zone will be used to assign dynamic leases.
Hint
If some hosts should receive a fixed lease, (see below), make sure their IP addresses are included neither in this range nor in the range of the OpenVPN address pool (see Menubar ‣ VPN ‣ OpenVPN server) to avoid conflicts.
- Allow only fixed leases
Tick this checkbox to use fixed leases only. No dynamic lease will be assigned.
- Default lease time, Max lease time
The default and the maximum time in minutes before the assignment of each lease expires and the client requests a new lease from the DHCP server.
- Domain name suffix
The default domain name suffix that is passed to the clients and that will be used for local domain searches.
- Default Gateway
The default gateway that the clients in the zone will use. If left blank, the default gateway is the 4i Edge X itself.
- Primary DNS, Secondary DNS
The DNS servers used by the clients. Since the 4i Edge X contains a caching DNS server, the default value is the firewall’s own IP address in the respective zone, though a secondary server can be added or even the primary value can be changed.
Example SRV-1 - PXE boot and dhcpd.conf configuration.
The customisation of the DHCP server proves useful in different network configurations.
One common use case is for VoIP telephones that need to retrieve their configuration files from an HTTP server at boot time. In this case, the files may also reside on the 4i Edge X, so the configuration of the tftp server can be passed as extra lines like the following:
option tftp-server-name "http://192.168.0.15";
option bootfile-name "download/voip/{mac}.html";
Remember to replace 192.168.0.15 with the correct IP address and the download/voip/{mac}.html string with the correct path. Additional information about the available options can be found in the dhcpd(5) man page.
- Primary NTP server, Secondary NTP server
The NTP servers used by the clients, to keep the clocks synchronised. Leave blank to use the 4i Edge X’s default NTP server.
- Primary WINS server, Secondary WINS server
The WINS servers used by the clients. This option is only needed for the Microsoft Windows networks that use WINS.
Once done, click on the Save button at the bottom of the page, then on the Apply button in the green callout that will appear to restart the DHCPD server with the new configuration.
Fixed leases¶
It is sometimes necessary or desirable for certain devices to always use the same IP address while still using DHCP, for example servers that provide a service (like, e.g., a VPN server or a code repository) or devices like printers or scanners.
A fixed lease is also called Static IP Address, since a device will always receive the same IP address when requesting a lease from the DHCP server.
This page contains the list of all the fixed leases defined in the local networks, providing several pieces of information about each lease: the device’s MAC address and the assigned IP address, a remark, and the available actions.
By clicking on the Add a fixed lease button, a static IP address can be assigned to a device. The devices are identified by their MAC addresses.
Note
Assigning a fixed lease from the DHCP server is very different from setting up the IP address manually on a (client) device. Indeed, in the latter case, the device will still contact the DHCP server to receive its address and to announce its presence on the network. When the IP address required by the device has already been assigned, however, a dynamic lease will be given to the device.
The following parameters can be set for fixed leases:
- MAC address
The client’s MAC address.
- IP address
The IP address that will always be assigned to the client.
- Remark
An optional description of the device receiving the lease.
Advanced options
In this panel appear three additional options.
- Next address
The address of the TFTP server. This and the next two options are useful only in a few cases (see below for an example).
- Filename
The boot image file name. Option needed only for thin clients or network boot.
- Root path
The path of the boot image file.
- Enabled
If this checkbox is not ticked, the fixed lease will be stored but not written down to the dhcpd.conf file.
A use case for a fixed lease.
A use case that shows the usefulness of a fixed lease is the case of thin clients or disk-less workstations on the network that use PXE, i.e., boot the operating system from an image supplied by a networked tftp server. If the tftp server is hosted on the same server with the DHCP, the thin client receives both the lease and the image from the same server. More often, however, the tftp server is hosted on another server on the network, hence the client must be redirected to this server by the DHCP server, an operation that can be done easily adding a fixed lease on the DHCP server for the thin client, adding a next-address and the filename of the image to boot.
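The following Python script is an added example, not code from the 4i Edge X or from Endian, that turns the fixed-lease fields described above into ISC dhcpd host declarations and applies the check from the hint in the Settings panel (a fixed IP must fall neither in the dynamic range nor in the OpenVPN pool). It assumes that the UI's Next address, Filename and Root path map to the dhcpd.conf directives next-server, filename and option root-path, which is the usual ISC layout; all MAC addresses, IP addresses, file names and the 10.8.0.0/24 OpenVPN pool are constructed sample values.

```python
"""Build ISC dhcpd 'host' declarations for fixed leases and check them for
conflicts with the dynamic range and the OpenVPN address pool.

Added example, not part of the 4i Edge X product or its documentation; all
addresses, MAC addresses and file names are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class FixedLease:
    mac: str
    ip: str
    remark: str = ""
    next_address: Optional[str] = None   # TFTP server; assumed to become "next-server"
    filename: Optional[str] = None       # boot image for PXE / thin clients
    root_path: Optional[str] = None      # assumed to become "option root-path"
    enabled: bool = True                 # unticked leases are stored but not written


def check_fixed_lease(lease: FixedLease, zone: str, dyn_start: str, dyn_end: str,
                      openvpn_pool: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the lease is acceptable."""
    problems = []
    if not MAC_RE.match(lease.mac.lower()):
        problems.append(f"{lease.mac}: malformed MAC address")
    ip = ipaddress.ip_address(lease.ip)
    if ip not in ipaddress.ip_network(zone):
        problems.append(f"{lease.ip}: outside zone subnet {zone}")
    lo, hi = ipaddress.ip_address(dyn_start), ipaddress.ip_address(dyn_end)
    if int(lo) <= int(ip) <= int(hi):
        problems.append(f"{lease.ip}: inside dynamic range {dyn_start}-{dyn_end}")
    if openvpn_pool and ip in ipaddress.ip_network(openvpn_pool):
        problems.append(f"{lease.ip}: inside OpenVPN pool {openvpn_pool}")
    return problems


def host_declaration(lease: FixedLease) -> str:
    """Render one dhcpd.conf 'host' block; a disabled lease renders nothing."""
    if not lease.enabled:
        return ""
    name = "host-" + lease.mac.replace(":", "")
    lines = [f"host {name} {{"]
    if lease.remark:
        lines.append(f"  # {lease.remark}")
    lines.append(f"  hardware ethernet {lease.mac};")
    lines.append(f"  fixed-address {lease.ip};")
    if lease.next_address:
        lines.append(f"  next-server {lease.next_address};")
    if lease.filename:
        lines.append(f'  filename "{lease.filename}";')
    if lease.root_path:
        lines.append(f'  option root-path "{lease.root_path}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed thin client: lease plus PXE redirection to a separate TFTP host.
    thin = FixedLease("00:14:22:b1:09:9b", "192.168.0.10", "thin client",
                      next_address="192.168.0.15", filename="pxelinux.0")
    for problem in check_fixed_lease(thin, "192.168.0.0/24", "192.168.0.100",
                                     "192.168.0.200", "10.8.0.0/24"):
        print("WARNING:", problem)
    print(host_declaration(thin))
```

Run the checks before pasting anything into Custom configuration lines: as the warning above states, dhcpd does not validate those lines, so a lease that overlaps the dynamic range is only caught by a check like this one.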
Note
All leases assigned by the DHCP server are stored by default in the /var/lib/dhcp/dhcpd.leases file. Although the DHCP daemon takes care of cleaning that file, it may happen that the file stores leases that have already expired and are quite old. This is not a problem and does not interfere with the normal DHCP server working. A typical entry in that file is:
lease 192.168.58.157 {
starts 2 2019/06/11 13:00:21;
ends 5 2019/06/14 01:00:21;
binding state active;
next binding state free;
hardware ethernet 00:14:22:b1:09:9b;
}
Dynamic leases¶
After the DHCP server has been activated, and at least one client has received a (dynamic) IP address, the table in this page will feature the list of the clients, with this additional information: the assigned dynamic IP addresses, the MAC address of the connecting device and its hostname, the expiry date and time, and the status, which can be either expired or active.
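The following Python script is an added example, not code from the 4i Edge X, showing how the expired/active status of the Dynamic leases page can be derived from the dhcpd.leases file described in the note above. The sample file content is constructed (its first entry copies the one in the note); later declarations for the same IP supersede earlier ones, and dhcpd writes its timestamps in UTC, so the reference time passed to lease_table is interpreted as UTC as well.

```python
"""Parse ISC dhcpd's dhcpd.leases file and classify each lease as 'active' or
'expired', as the Dynamic leases page does.

Added example, not code from the 4i Edge X; SAMPLE_LEASES is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Optional

SAMPLE_LEASES = """\
# The dhcpd.leases file is written by the daemon; do not edit by hand.
lease 192.168.58.157 {
  starts 2 2019/06/11 13:00:21;
  ends 5 2019/06/14 01:00:21;
  binding state active;
  next binding state free;
  hardware ethernet 00:14:22:b1:09:9b;
  client-hostname "desk-01";
}
lease 192.168.58.160 {
  starts 1 2019/06/10 08:15:00;
  ends 1 2019/06/10 20:15:00;
  binding state free;
  hardware ethernet 00:14:22:b1:09:aa;
}
lease 192.168.58.160 {
  starts 3 2019/06/12 09:00:00;
  ends 3 2019/06/12 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:14:22:b1:09:aa;
  client-hostname "printer";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TS_FMT = "%Y/%m/%d %H:%M:%S"   # dhcpd writes "weekday YYYY/MM/DD HH:MM:SS" in UTC


def _ts(block: str, key: str) -> Optional[datetime]:
    """Extract the 'starts' or 'ends' timestamp of one lease block."""
    m = re.search(rf"^\s*{key}\s+\d\s+([\d/]+ [\d:]+);", block, re.M)
    return datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc) if m else None


def parse_leases(text: str) -> Dict[str, dict]:
    """Return {ip: fields}; the last declaration of an IP in the file wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        # '^\s*binding state' deliberately skips the 'next binding state' line.
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        leases[ip] = {
            "mac": mac.group(1) if mac else None,
            "hostname": host.group(1) if host else None,
            "binding_state": state.group(1) if state else None,
            "starts": _ts(body, "starts"),
            "ends": _ts(body, "ends"),
        }
    return leases


def lease_status(entry: dict, now: datetime) -> str:
    """'active' only while the daemon holds the binding and 'ends' lies ahead."""
    ends = entry["ends"]
    if entry["binding_state"] == "active" and ends is not None and ends > now:
        return "active"
    return "expired"


def lease_table(text: str, now_utc: str) -> Dict[str, str]:
    """Status per IP at the given UTC instant, written as 'YYYY/MM/DD HH:MM:SS'."""
    now = datetime.strptime(now_utc, TS_FMT).replace(tzinfo=timezone.utc)
    return {ip: lease_status(e, now) for ip, e in parse_leases(text).items()}


if __name__ == "__main__":
    for ip, status in lease_table(SAMPLE_LEASES, "2019/06/12 12:00:00").items():
        print(f"{ip:16} {status}")
```

Stale entries that the daemon has not yet purged simply come out as expired, matching the note's remark that old leases in the file are harmless.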
Time server¶
The 4i Edge X uses NTP to keep its system time synchronised with time servers on the Internet. There is only one setting, displayed in the Network time server panel.
Network time server
A number of time server hosts on the Internet are preconfigured and used by the system, along with the time zone. Available options are the following.
- Override default NTP servers
Tick the checkbox to replace the default NTP servers. This might prove necessary when running a setup that does not allow the 4i Edge X to reach the Internet. Several time server addresses can be supplied, one per line, in the small form that will show up; each of them will be written in the configuration file as the value of a server option. For better performance, at least two time servers should be provided here.
Hint
Each custom time server can be written as a hostname or IP address. Entries can also be vendor-specific, e.g., 0.endian.pool.ntp.org.
Note
If for some reason the 4i Edge X’s clock is no longer synchronised with the NTP servers and the difference between them is large, a manual synchronisation may be necessary. This can be done either by clicking on the Synchronize now button, or in the Localization options, under the System Settings (System ‣ Settings ‣ Localization), by manually entering the correct time and date.
Intrusion Prevention System¶
The 4i Edge X includes the well-known Intrusion Detection (IDS) and Prevention (IPS) system snort, which is directly built into iptables, to intercept and drop connections from unwanted or distrusted sources.
Settings¶
If snort is not active, a grey switch appears on the page and can be clicked on to start the service. After a short interval, the page will contain some options to configure the service.
Intrusion Prevention System settings
This panel allows defining the automatic download and installation of the snort rules.
- Automatically fetch SNORT Rules
Ticking this box will let the 4i Edge X automatically download the snort rules from the Endian Network.
Note
If the 4i Edge X is not registered, or its maintenance has expired, rules are not downloaded anymore. An informative message is also shown at the bottom of the page.
- SNORT rules update schedule
The frequency of download of the rules: a drop-down menu allows choosing one of the Hourly, Daily, Weekly, or Monthly options. This option appears only if the previous option has been activated.
- Rules last updated
An informative message about the last time rules have been manually downloaded, like for example:
2019-08-01 10:48:31
- Update rules now
By clicking on this button, the signatures for the IPS service will be immediately downloaded from the emergingthreats.net web site.
- Browse
Pick one file from the file selection window that opens upon clicking this button.
- Upload custom rules
Click on this button to upload the file and use it with snort.
Rules¶
The list of rulesets that are stored on the 4i Edge X appears in this page, along with the number of rules they contain and the actions that can be done on them.
It is possible to edit each ruleset independently, by clicking on the icon in the rightmost column, Actions, but when at least one ruleset is selected, atop the table a few buttons will appear, allowing to carry out bulk actions on all the selected rulesets at once. On the right-hand side of the button, a number in a green circle shows how many rulesets are currently selected: Click on it to select all (including those in other pages) or none of the datasets.
The rule policies in snort.
By default, the policy for all the rulesets is set to alert, shown by the icon. This means that whenever a flow of traffic will match the corresponding rule or ruleset, the traffic will be allowed to pass and the intrusion attempt will be logged.
This behaviour can be changed by clicking on the alert icon to toggle the policy into block, shown by the icon , with the result that the intrusion attempt will be blocked, but no message will be recorded in the log files.
After a policy of a rule or of a whole ruleset has been changed, it is necessary to click on the Apply button, for the changes to be applied.
After clicking on the Edit button, the list of the rules included in the selected ruleset(s) is shown, which can be narrowed down by entering some terms in the text box next to the Search label. To go back to the previous page, click on the Back to rules link on the top left corner of the table.
Warning
Turning on the IPS only implies that snort is running, but it does not yet filter the traffic. For snort to filter packets, the Allow with IPS Filter policy must be selected for the rules defined in the various Firewall configuration pages.
SNMP Server¶
SNMP is used to monitor network-attached devices, and can be used, e.g., to check the status of the internal infrastructure.
To enable the SNMP Server, it is sufficient to click on the grey switch. Once done, a few options will appear in the Settings panel.
Settings
- Community String
A key that is needed to read the data with an SNMP client.
- Location
An identification string that can be set to anything, but it is suggested that it describe the location of the 4i Edge X.
- Override global notification email address
The SNMP Server requires an e-mail address to be configured as the system contact; the global e-mail address provided during the installation procedure is used by default. In order to use a custom e-mail address, tick the checkbox to activate the next option.
- System contact email address
Write the e-mail address of the administrator to be contacted.
Quality of Service¶
The purpose of the QoS module is to prioritise the IP traffic that is flowing through the 4i Edge X depending on the service. In other words, the QoS is a convenient way to reserve a given amount of the available bandwidth (both incoming and outgoing) for a given service. Applications that typically need to be prioritised over bulk traffic are interactive services such as SSH or VoIP.
Note
On hardware 4i Edge X, only Tagging is present.
Devices¶
The Device item is also the starting page for the QoS and is initially empty. Once populated, a table showing a list of all the Quality of Service devices appears and for each device, some parameters and the available actions are displayed.
New QoS devices can be added by clicking on the Add Quality of Service Device link above the list and by configuring a few options.
- Target Device
The network interface that will be used by this device. Choices are among the existing network interfaces, the zones enabled on the system, the uplinks, and the OpenVPN tunnels if defined, and can be selected from a drop-down menu.
- Downstream Bandwidth (kbit/s)
The downstream speed of the interface.
- Upstream Bandwidth (kbit/s)
The upstream speed of the interface.
- Enabled
Enable the QoS (default) or not.
When editing a device, the same form opens as when adding a new device, in which to modify the current device’s parameters.
For every device added, four items will appear under the Classes page: Three for high, medium, and low priority, respectively, and one for bulk traffic (see below).
Classes¶
This page shows a list of all Quality of Service classes that have been created, if any. For each entry, several data are shown. New items can be added by clicking on the Add Quality of Service Class link above the list of classes. The parameters to configure are the same shown in the list:
- Name
The name of the Quality of Service class.
- Device
The drop-down menu allows choosing the Quality of Service device for which the class is created.
Hint
At least one QoS device must have been created before defining a QoS class.
- Reserved
The amount of bandwidth that has been reserved for this class from the device’s overall available bandwidth, either in percentage or in kilobit per second.
- Limit
The maximum amount of bandwidth this class may use, either in percentage or in kilobit per second.
- Priority
The priority of the class, from 0 (low) to 10 (high), selected from a drop-down menu.
Note
The sum of reserved percentages can not be greater than 100 per device. Moreover, the reserved bandwidth can not be higher than the limit bandwidth.
Classes can be moved up or down the list: Items closer to the top of the list are the first to be processed when the bandwidth does not suffice for all the traffic and the 4i Edge X needs to choose which traffic should be prioritised.
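The following Python script is an added example, not the 4i Edge X's own code, that checks a set of QoS classes against the constraints stated in the note above (reserved percentages sum to at most 100 per device, and a class cannot reserve more than its limit) and the 0 to 10 priority range. Devices, classes and all bandwidth figures are constructed; a value written as "30%" is taken as a percentage of the device bandwidth, a bare number as kbit/s, and the check is run for one direction of the device at a time, which is an assumption about how the appliance applies the figures.

```python
"""Validate Quality of Service classes against their device.

Added example, not code from the 4i Edge X; the device and class data are
constructed. A reservation or limit is either "NN%" of the device bandwidth
or a plain number of kbit/s.
"""
from typing import Dict, List

# Constructed devices, keyed by name, with the two bandwidth fields of the Devices page.
DEVICES: Dict[str, dict] = {
    "uplink-main": {"downstream_kbit": 50000, "upstream_kbit": 10000},
}

# Constructed classes; the three priority classes plus a bulk class, as the page describes.
GOOD_CLASSES: List[dict] = [
    {"name": "voip", "device": "uplink-main", "reserved": "20%", "limit": "30%", "priority": 10},
    {"name": "ssh", "device": "uplink-main", "reserved": "1000", "limit": "2000", "priority": 8},
    {"name": "web", "device": "uplink-main", "reserved": "10%", "limit": "100%", "priority": 5},
    {"name": "bulk", "device": "uplink-main", "reserved": "5%", "limit": "100%", "priority": 0},
]

BAD_CLASSES: List[dict] = [
    {"name": "voip", "device": "uplink-main", "reserved": "60%", "limit": "50%", "priority": 10},
    {"name": "web", "device": "uplink-main", "reserved": "50%", "limit": "100%", "priority": 12},
]


def to_kbit(value: str, device_kbit: int) -> int:
    """Translate a '30%' or '512' setting into kbit/s for the given device."""
    value = value.strip()
    if value.endswith("%"):
        pct = float(value[:-1])
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {value}")
        return round(device_kbit * pct / 100)
    return int(value)


def validate_classes(devices: Dict[str, dict], classes: List[dict],
                     direction: str = "upstream") -> List[str]:
    """Return human-readable problems; an empty list means the classes are consistent."""
    field = f"{direction}_kbit"
    problems = []
    reserved_by_dev = {name: 0 for name in devices}
    for cls in classes:
        dev = devices.get(cls["device"])
        if dev is None:
            problems.append(f"{cls['name']}: unknown device {cls['device']}")
            continue
        bw = dev[field]
        reserved = to_kbit(cls["reserved"], bw)
        limit = to_kbit(cls["limit"], bw)
        if reserved > limit:
            problems.append(f"{cls['name']}: reserved {reserved} kbit/s exceeds limit {limit} kbit/s")
        if not 0 <= cls["priority"] <= 10:
            problems.append(f"{cls['name']}: priority {cls['priority']} not in 0..10")
        reserved_by_dev[cls["device"]] += reserved
    for name, total in reserved_by_dev.items():
        bw = devices[name][field]
        if total > bw:
            problems.append(f"{name}: reservations total {total} kbit/s, more than 100% of {bw} kbit/s")
    return problems


if __name__ == "__main__":
    for label, classes in (("good", GOOD_CLASSES), ("bad", BAD_CLASSES)):
        print(label, validate_classes(DEVICES, classes) or "OK")
```

Because percentages are converted to kbit/s before summing, a mix of percentage and absolute reservations on the same device is checked against the same budget, which is where hand-built configurations most often overshoot 100%.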
Rules¶
The third page displays a list of the already defined Quality of Service Rules and allows to specify which type of traffic should belong to each of the classes. To add a new Quality of Service rule click on the Add Quality of Service Rule link. In the form that will open, which is very similar to the one used to define firewall rules, several values should be configured. Many drop-down menus are employed here to ease the choices and guide through the configuration.
- Source
Choose from the drop-down menu the traffic source, either a Zone or interface, a network, an IP or a MAC address. Depending on this choice, different values can be specified: a zone or interface from those that will be displayed, or one or more IP addresses, networks, or MAC addresses.
- Destination Device/Traffic Class
Choose the destination device or traffic class from the drop-down menu.
- Destination Network/IP
Write in the text area the target network or IP addresses, which must be reachable from the device or traffic class chosen in the previous option.
- Service/Port, Protocol
These two drop-down menus are used to define the service, protocol, and destination port for the rule (when choosing one of the TCP, UDP, or TCP + UDP protocols). Some predefined Service/Protocol/Port combinations exist, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports. Finally, in the Destination port field, one or more custom port numbers can be supplied (this proves useful when some service does not run on a standard port).
- Type
Choose from the drop-down menu which tag to use to mark the traffic: a TOS flag, a DSCP class or a DSCP value. Depending on the choice, one of the following options will appear, unless <ANY> is chosen.
- Match Traffic with the following TOS [DSCP] flag
Choosing TOS or DSCP class in the previous drop-down menu allows choosing a suitable value for the traffic to match from another drop-down menu.
- DSCP Value
This field appears only when DSCP value is chosen in the Type option above. It allows to enter a custom value for DSCP, that will be used to fire the rule when matched.
- Enabled
Tick the checkbox to enable the rule.
- Comment
A comment to identify the rule.
Note
If there is more than one service in a same Quality of Service class, they will share the reserved bandwidth.
Tagging¶
The fourth page is different from the others as it is used to classify and prioritise traffic. In other words, the traffic can be marked or tagged to allow external devices to handle it accordingly. This is particularly useful in a scenario with limited bandwidth and the uplink device, e.g., a modem, can only prioritise traffic based on TOS or DSCP flags in the packets. When clicking on the Add Quality of Service Rule link the editor opens, which is similar to the one under the Rules page. These are the available options:
- Source
Choose from the drop-down menu the traffic source, either a Zone or interface, a network or an IP, or a MAC address. Depending on this choice, different values can be specified: a zone or interface from those that will be displayed, or one or more IP addresses, networks, or MAC addresses. The default value is <ANY>, meaning the rule will be applied to all traffic.
- Destination
Choose from the drop-down menu the traffic destination, either a Zone or interface, a network or an IP. Depending on this choice, different values can be specified: a zone or interface from those that will be displayed, or one or more IP addresses or networks.
- Service/Port, Protocol
These two drop-down menus are used to choose the service, protocol, and destination port for the rule (when choosing one of the TCP, UDP, or TCP + UDP protocols). Some predefined Service/Protocol/Port combinations exist, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports.
- Destination port
In this textfield one or more custom port numbers can be supplied; this proves useful when some service does not run on a standard port.
- Type
Choose from the drop-down menu which tag to use to mark the traffic: a TOS flag, a DSCP class or a DSCP value. Depending on the choice, one of the following three options will appear.
- Tag traffic with the following TOS flag
This dropdown appears only when TOS is chosen in the Type option above. It allows to define the TOS flag that will be set in all matching packets.
- Tag traffic with the following DSCP class
This dropdown appears when choosing DSCP Class in the Type option above. It allows to define the DSCP class that will be set in all matching packets.
- Tag traffic with the following DSCP value
This field appears only when DSCP value is chosen in the Type option above. It allows to enter a custom value for DSCP, that will be set in all matching packets.
- Enabled
Tick the checkbox to enable the rule.
- Comment
A comment to identify the rule.
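The following Python helper is an added example, not code from the 4i Edge X, for working out the relationship between the three Type choices of the Tagging page: a legacy TOS flag, a DSCP class name, and a raw DSCP value, together with the TOS byte that actually appears in the packet and that an upstream modem inspects. The class-to-value mapping follows RFC 2474 (CS classes), RFC 2597 (AF classes) and RFC 3246 (EF); the legacy TOS flag values are those of RFC 1349; the two low bits of the byte carry ECN (RFC 3168). Function and constant names are this example's own.

```python
"""Convert between DSCP class names, DSCP values, legacy TOS flags and the
TOS/Traffic Class byte carried in IP packets.

Added example, not code from the 4i Edge X. Mappings: RFC 2474/2597/3246
(DSCP), RFC 1349 (legacy TOS flags), RFC 3168 (ECN bits).
"""
from typing import Dict, Union

# DSCP class name -> 6-bit code point
DSCP_CLASSES: Dict[str, int] = {f"CS{n}": 8 * n for n in range(8)}            # CS0..CS7
DSCP_CLASSES.update({f"AF{x}{y}": 8 * x + 2 * y                                # AF11..AF43
                     for x in range(1, 5) for y in range(1, 4)})
DSCP_CLASSES["EF"] = 46                                                        # 101110
DSCP_CLASSES["BE"] = 0                                                         # best effort

# Legacy RFC 1349 TOS flags, as whole TOS byte values (bits 3..6 of the byte)
TOS_FLAGS: Dict[str, int] = {
    "Normal-Service": 0x00,
    "Minimize-Cost": 0x02,
    "Maximize-Reliability": 0x04,
    "Maximize-Throughput": 0x08,
    "Minimize-Delay": 0x10,
}


def dscp_value(name_or_value: Union[str, int]) -> int:
    """Accept 'AF41', 'ef', 46 or '0x2e' and return the 6-bit DSCP code point."""
    if isinstance(name_or_value, int):
        v = name_or_value
    else:
        s = name_or_value.strip().upper()
        v = DSCP_CLASSES[s] if s in DSCP_CLASSES else int(s, 0)
    if not 0 <= v <= 63:
        raise ValueError(f"DSCP value {v} not in 0..63")
    return v


def tos_byte(dscp: Union[str, int], ecn: int = 0) -> int:
    """TOS byte for a DSCP setting: DSCP in the upper six bits, ECN in the lower two."""
    if not 0 <= ecn <= 3:
        raise ValueError("ECN is a two-bit field")
    return (dscp_value(dscp) << 2) | ecn


def tos_flag_byte(flag: str) -> int:
    """TOS byte for a legacy flag name as used by the 'TOS flag' tag type."""
    return TOS_FLAGS[flag]


def describe(tos: int) -> str:
    """Decode a TOS byte seen in a capture into DSCP value, class name and ECN."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS is one byte")
    dscp, ecn = tos >> 2, tos & 0x3
    name = next((n for n, v in DSCP_CLASSES.items() if v == dscp and n != "BE"), "unnamed")
    return f"dscp={dscp} ({name}) ecn={ecn}"


if __name__ == "__main__":
    for setting in ("EF", "AF41", "CS5", 46, "0x2e"):
        print(f"{setting!s:6} -> TOS 0x{tos_byte(setting):02x}  {describe(tos_byte(setting))}")
    print("Minimize-Delay ->", f"0x{tos_flag_byte('Minimize-Delay'):02x}")
```

A practical use is reconciling a Tagging rule with a packet capture: a rule set to the DSCP class EF should produce a TOS byte of 0xb8 on matching packets, and describe() turns an observed byte back into the class name so the two can be compared directly.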
Serial Port¶
Note
The Serial Port functionality is present only on hardware appliances.
The Serial Port pages allow to configure the 4i Edge X’s serial port as either serial console or serial server in three different operational modalities: Server, client, or console. The configuration options are grouped into two pages, Port configuration and Serial server.
Port Configuration¶
In this page it is possible to configure the available serial ports on the 4i Edge X, by clicking on the corresponding icon.
Change serial port configuration
The available options are:
- Remark
A comment about the serial port’s configuration.
- Enabled
Tick the checkbox to enable the serial port.
- Enable console
By ticking the checkbox, it will be possible to connect to the 4i Edge X via the serial console.
Hint
The Serial Server page allows no configuration if this option is enabled.
- Serial Port standard
Choose the type of the serial port from the drop-down menu. Available options are: RS-232, RS-485, and RS-422.
- Baudrate
The speed in baud of the serial port. Available values can be selected from the drop-down menu.
Hint
Modern appliances use a speed of 115,200 baud.
- Parity
Choose the parity of the communication from the drop-down menu among the available values: None, Even, and Odd.
- Data bits
Select the data bits from the drop-down menu. Available values are 5, 6, 7 and 8.
- Stop bits
The stop bits value, either 1 or 2, chosen from the drop-down menu.
Advanced settings
When the standard used is rs232, an additional option can be configured in this panel.
- Flow control
Choose the type of control to be applied to the traffic flow. Possible values are none, ctsrts, and xonxoff.
Serial Server¶
This page carries only an empty table if in Port Configuration the Enable console option has been ticked; no configuration is allowed. The table shows the configuration–initially displaying only the name of the serial port–of the serial server.
- Enabled
Tick the checkbox to enable the serial port.
- Remark
A comment about the configuration.
- Operation mode
Choose from the drop-down menu one of the available operation modes: Raw Client and Raw Server.
- Server IP
This option only appears when Raw Client is selected. Supply one IP address to which to forward the traffic when connecting to the serial port.
- Server Port
This option only appears when Raw Client is selected. Supply one port to which the traffic through the serial port will be directed.
- TCP Port
This option only appears when Raw Server is selected. Provide a TCP port that will allow serial connection.
Advanced settings
- Enable debug mode
By ticking this checkbox more information about connections through serial console will be logged: This proves useful for e.g., troubleshooting.