The System Menu
The System menu provides information about the 4i Edge X and its status, and allows the network setup and some access modalities (e.g., via SSH or for the Endian support) to be defined.
The sub-menu on the left-hand side contains the following items, which allow some basic administration tasks to be carried out and the running activities of the 4i Edge X to be monitored.
Dashboard – overview of the system and of the connections status.
Settings – various settings related to common items used throughout the GUI.
Updates – management of system updates.
Support – support request form.
Endian Network – Endian Network registration information.
Connect to Switchboard – automatically connect an Endian device to the Switchboard.
Passwords – set system passwords.
Web console – a console shell on the browser.
SSH access – enable/configure SSH access to the 4i Edge X.
Backup – backup or restore 4i Edge X settings as well as reset to factory defaults.
Shutdown – shutdown or reboot the 4i Edge X.
License Agreement – a copy of the User License Agreement.
New in version 6.0: The Settings page.
Changed in version 6.0: The GUI settings page has been removed and integrated into the new Settings page.
The remainder of this section will describe the various parts that compose the System menu items.
The Dashboard is the default landing page, the one that is displayed upon every login. It encompasses several boxes (“plugins”) organised in two columns that provide a complete overview of the running system and of its status and health. The top of each box reports the name of the box, and a click on the reload icon on the right-hand side of the title bar immediately reloads the information in the plugin, which is nonetheless updated at regular intervals.
The available plugins and the information they display are described next.
General Information Plugin
It shows information about the installed system. It usually presents the hostname and domain name of the 4i Edge X in the title.
Hostname: The hostname and domain name.
Appliance: The appliance type.
Version: The version of the firmware.
Uptime: The time since the last reboot.
Update status: A message depending on the 4i Edge X status:
UP TO DATE. No updates are available.
UPDATE REQUIRED. New packages can be installed: A click on the message leads to the Updates page where it is possible to review the list of new packages.
PLEASE REGISTER. The system has not yet been registered to Endian Network: Go to the Endian Network page on the 4i Edge X (System ‣ Endian Network) and fill in the form there to complete the registration.
Maintenance: The remaining days of validity of the maintenance support, or the NOT REGISTERED string.
Support access: Whether the support team can access the 4i Edge X or not. In the former case, the date until which access is granted is also shown.
Support access can be enabled or disabled under System ‣ Support.
Network Interfaces Plugin
It shows information about the network interfaces of the firewall and the traffic. The upper part of this plugin shows several details about the network interfaces of the 4i Edge X: Their name, type, link (Up if a connection is established, Down otherwise), and the In- and Outgoing traffic. The latter two values are updated in real-time.
When the checkbox near the device name is ticked, that device is shown in the graphs underneath. Each device’s name is coloured according to the zone it serves.
The lower part of the plugin contains two charts: The first one shows the incoming traffic, while the second one shows the outgoing traffic.
The traffic of each interface is coloured according to the zone it belongs to; bridges built on one device are shown in the same colour as the device, and different interfaces belonging to the same bridge are shown with a different shade of colour.
Like the traffic data in the upper part, both charts are updated in real-time.
Up to six interfaces can be selected and shown in the charts.
This plugin carries information about events recorded by some of the services installed on the 4i Edge X and their actual status. Active services are marked with the RUNNING message, inactive ones with STOPPED. For each running service, a summary of the tasks accomplished during the last hour and the last day is shown.
Hence, if some number in the summaries looks unusual compared to the normal activities (e.g., the IDS has detected some attack), the logs can be checked for any useful message that has been recorded.
The only supported service on the 4i Edge X is:
Intrusion Detection: The number of attacks logged by snort.
Inactive services are marked with the STOPPED message.
This plugin shows information about the memory usage of the 4i Edge X, taken from the free -m Linux command’s output. It features the usage of Total, Free, Cached, and Buffers memory.
The Linux memory management is clearly described in this page.
New in version 6.0.
This plugin shows a table detailing the uplinks’ connection status. For each defined uplink are shown name, IP address, and uptime. A coloured dot on the left of the name shows the status of the uplink.
Changed in version 6.0: Simplified for improved readability.
Signature updates plugin
This plugin shows the signatures downloaded on the 4i Edge X and the date of the last update. If no service that uses signatures has ever been started, the table will be empty.
If for one uplink the option Disable signature updates if uplink is online is active (see Network ‣ Uplinks), signatures will not be downloaded.
CPU Load Plugin
New in version 6.0.
This plugin shows the load of each core of the CPU.
CPU x: The load of the CPU, where x represents the CPU number, for those appliances that have more than one CPU.
It shows information about each partition mounted on the 4i Edge X, which is provided graphically, with a small bar and percentage of used space, and in numbers, with the used and total space.
A partition on the hard disk (e.g., main disk, data disk, and especially /var/log) must never be filled to more than 95%, as this can cause service disruption and data loss.
There are a few suggestions to free space on filled up partitions in this guide on the Endian help portal.
This page contains settings that are used in other parts of EMI. The configuration options available here were spread across different other pages in the GUI.
New in version 6.0.
Here it is possible to modify the name of the 4i Edge X.
Changed in version 6.0: These options were previously under the Network configuration (hostname and domain name) and GUI settings (Display hostname) configuration pages.
The hostname of the 4i Edge X.
- Display hostname in window title.
When activated by ticking the checkbox, this option displays the hostname of the 4i Edge X in the browser’s window title.
The hostname is set during the Configuration Wizard and can be changed either by a factory reset or from the CLI using the netwizard command.
- Domain name
The name of the local domain of which the 4i Edge X will be part.
This page contains options about the language and the time zone.
- Select your language
Select from the drop-down menu the language to be used for the web interface (including section names, labels, and so on).
Supported languages are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.
Changed in version 6.0: This option was previously under GUI settings.
The timezone is normally selected during the initial setup, but it can be changed by choosing a new one from the drop-down menu.
Adjust time manually
In this panel there is the possibility to manually change the system time. While this is usually not recommended or not necessary, this action is the only possibility to synchronise the system clock when it is way off the real time.
Indeed, automatic synchronisation using time servers is not done instantly, but the clock is slowed down or sped up a bit to recover and align to the correct time. If however the discrepancy between the system clock and the time servers is significantly large, the ntp daemon will not be able to recover. Therefore, manual synchronisation represents the only solution to immediately correct and synchronise the time of the 4i Edge X's clock to the correct time.
Some services (for example, the connection to an external LDAP server to authenticate VPN users) might not work if the clock is not synchronised.
To manually change the time and date, provide the correct Year, Month, Day, Hours, and Minutes in the textfields that appear in this box, then click on the Set time button.
Do not worry about the seconds: After the time has been set manually, the ntp daemon will take charge of aligning the system’s time to the time server’s time.
Here it is possible to configure a SMTP mail server that will deliver the e-mails sent by the 4i Edge X, typically from the notification service. The following options are available.
- Email sender address
The address that will appear as the sender of the e-mail.
- Email recipient address for notifications
The address to which the e-mail will be sent.
- SMTP address
The IP address or domain name of the SMTP server.
- SMTP port
The port on which the SMTP server runs.
- Connection security
Choose from the drop-down menu which type of security is required by the connection, either STARTTLS or SSL/TLS.
- SMTP server required authentication
Tick the checkbox if authentication is required on the server side. The next three options appear.
The username needed to authenticate on the SMTP server.
The password needed to authenticate on the SMTP server.
- Authentication method
The authentication methods required by the SMTP server: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by ticking the checkboxes in the multiselect drop-down menu.
- Test email recipient address
After values for the above options have been provided, verify their correctness by providing a valid e-mail address to which a test e-mail will be sent. Click on Send test email when done. If the test e-mail is delivered correctly, it is possible to save the settings.
The settings in this box concern the upstream proxy, if there is one between the 4i Edge X and the Internet: in this case, click on the Disabled switch to activate the functionality, then fill in the next options accordingly.
The IP address of the upstream proxy server.
The port on which the proxy service runs on the server.
- Proxy server requires authentication
Tick the checkbox if authentication is needed on the upstream proxy. The next two options will appear.
The username to connect to the proxy server, if needed.
The password to connect to the proxy server, if needed.
Here it is possible to manage the HTTPS certificate used to access EMI, the web interface of the 4i Edge X.
- Certificate configuration
This drop-down menu is used to select the method of creation of a new certificate. The available options are:
When a certificate has been chosen, the name of the currently used certificate and a link appear below the Certificate configuration drop-down menu. The latter will show all information about the certificate when clicked.
Changed in version 6.0.
The network configuration wizard is not offered anymore on the Endian appliances. Since release 6.0 it has been included in the Configuration Wizard and can be run only on either the first boot or after a factory reset has been carried out. The functionalities that were provided by this wizard can be found under the Network module, in the Uplink and in the new Zones and Interfaces sections.
Whenever some critical event takes place on the 4i Edge X (e.g., a partition is filling up, someone accesses it via SSH or HTTPS, or there are updates available), the event notification functionality makes it possible to be informed immediately by e-mail or SMS. It is also possible to associate a Python script to each event, to take immediate actions as a consequence of the event.
The configuration options for this functionality are grouped into four pages: Settings, Events, SMS, and Scripts.
This page contains the basic options to configure the E-mail and SMS settings to send the notifications.
To start the event notification functionality, click on the grey switch Disabled and wait a few seconds.
The options available are the following, grouped in Email settings and SMS settings.
- Use default email settings
Tick the checkbox to use the default e-mail address, otherwise a few more options to configure the SMTP server options will appear.
- Email sender address
The e-mail address that appears as the sender of the e-mail.
- Email recipient address
The e-mail address to which the e-mail will be delivered.
- Use smarthost for email delivery
Tick the checkbox to configure the smarthost to be used for delivering the notification e-mail.
While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.
- Smarthost address
The URL or IP address of the smarthost.
- Smarthost port
The port on which the smarthost listens.
- Connection security
Choose from the drop-down menu which type of security can be used: None, STARTTLS, or SSL/TLS.
- Smarthost requires authentication
Tick the checkbox if the smarthost requires credentials to send email. The next two options will appear.
- Smarthost username
The username to be used to authenticate with the smarthost.
- Smarthost password
The password associated with the username supplied in the previous option. A click on the checkbox on the right-hand side will show the password.
- Authentication method
Select which method the smart host shall use to authenticate the user.
The next two options are used to configure notification by SMS. SMS bundles can be added in the SMS section, System ‣ Event notification ‣ SMS.
- Destination phone number country prefix
The country code to which the phone number belongs.
- Destination phone number
The actual phone number to which the SMS will be sent.
This page shows a list of all the events that can produce a notification message and allows the actions to be taken when each of the events takes place to be configured. Right above the list there is a small navigation bar and a search field: The latter can be used to filter only the relevant items.
If SMS notification is active and the hostname of the 4i Edge X is very long, it can happen that the SMS will not be able to report the entire notification message, because the message will be trimmed to ca. 157-159 characters. If this is the case, we suggest also activating e-mail notification.
The list contains six columns:
- Event ID
The 8-digit ABBCCCCD ID code of the event. See Event ID explained below for more information about the IDs.
A short description of the event.
A ticked checkbox means that an e-mail is sent when the event takes place.
A ticked checkbox means that an SMS is sent when the event takes place.
The script that is executed when the event occurs.
The only action available is to modify the corresponding event.
When modifying an event, a new panel appears above the list with the following configuration options displayed.
- Event ID and Description
These are the identifier and the description of the event. They are automatically generated by the system, so they cannot be modified.
- Send email for this event
By ticking this checkbox, an e-mail will be sent upon the occurrence of the event.
- Send SMS for this event
By ticking this checkbox, an SMS will be sent upon the occurrence of the event.
- Run custom script for this event
By choosing this option, a custom script will be executed when the event takes place, rather than sending an SMS or an e-mail. The script must have already been uploaded to the 4i Edge X; see the Scripts page for more information. By ticking the checkbox, a drop-down menu appears on the right-hand side.
- Custom script to run
Choose the script to be associated to the event from this drop-down-menu.
At least one script must have been uploaded in order to be able to associate it to the event. See section Scripts below.
Event ID explained
Each event that takes place on the 4i Edge X is assigned a unique, 8-digit code, A-BB-CCCC-D, built from the following four fields:
A represents the layer number, i.e., the system’s component in which the event has taken place:
1 = kernel
2 = system
3 = services
4 = configuration
5 = GUI
BB is the module number
CCCC is a sequential number assigned to the event
D is the severity of the event, i.e., the degree of badness of the event. The lower the number, the worse the severity:
0 : critical event
1 : an error
4 : a warning
6 : a recovery from a bad state
8 : an informational message.
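A decoder for the A-BB-CCCC-D layout described above, as an added example that is not part of the original documentation or Endian's code. The function names are hypothetical, and the sample IDs are the three RAID event IDs quoted on this page.

```python
"""Added example: decoder for the A-BB-CCCC-D event ID layout (not Endian code)."""
import re
from collections import namedtuple

# Field values documented on this page.
LAYERS = {1: "kernel", 2: "system", 3: "services", 4: "configuration", 5: "GUI"}
SEVERITIES = {0: "critical", 1: "error", 4: "warning", 6: "recovery", 8: "informational"}

# Accept both the compact form (10100011) and the dashed form (1-01-0001-1).
_EVENT_ID = re.compile(r"([0-9])-?([0-9]{2})-?([0-9]{4})-?([0-9])")

EventId = namedtuple(
    "EventId", "raw layer module sequence severity layer_name severity_name"
)


def parse_event_id(value):
    """Split an 8-digit event ID into its four fields.

    Raises ValueError when the value is not eight digits in A-BB-CCCC-D order.
    Layer or severity digits that the page does not list are kept and
    labelled "undocumented" instead of being rejected.
    """
    match = _EVENT_ID.fullmatch(str(value).strip())
    if match is None:
        raise ValueError("not an 8-digit event ID: %r" % (value,))
    layer, module, sequence, severity = (int(part) for part in match.groups())
    return EventId(
        raw="".join(match.groups()),
        layer=layer,
        module=module,
        sequence=sequence,
        severity=severity,
        layer_name=LAYERS.get(layer, "undocumented"),
        severity_name=SEVERITIES.get(severity, "undocumented"),
    )


def needs_attention(event_ids, worst_allowed=1):
    """Return the parsed IDs whose severity digit is <= worst_allowed.

    The lower the digit, the worse the event, so the default keeps
    critical events (0) and errors (1), most severe first.
    """
    parsed = [parse_event_id(item) for item in event_ids]
    urgent = [event for event in parsed if event.severity <= worst_allowed]
    return sorted(urgent, key=lambda event: event.severity)


if __name__ == "__main__":
    # The three RAID event IDs quoted on this page.
    for sample in ("10100011", "10100026", "10100038"):
        print(parse_event_id(sample))
```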
The following table shows the list of all the IDs that correspond to an event. Note that, depending on the type of appliance, some events may not occur on the 4i Edge X (e.g., on appliances without RAID controllers, events 10100011, 10100026, and 10100038 will never occur).
One device of the RAID array failed.
The rebuild of RAID array has completed.
Start recovery of RAID array.
One uplink has gone online.
One uplink has gone offline.
The system has started.
The system has shut down.
The system is rebooting.
All uplinks have gone offline.
All uplinks are online.
An uplink is dead.
An uplink turned back alive.
An SSH user has successfully logged in from a remote location.
An SSH user failed to log in from a remote location.
A disk is getting full.
A user has failed to log in to the management interface.
The number of available SMS is low.
There is no SMS left.
Digital Input Rising Trigger on an input
Digital Input Falling Trigger on an input
OpenVPN client opened tunnel on an interface
OpenVPN client closed tunnel on an interface
An OpenVPN user failed to log in
An IPsec/Xauth user failed to log in
An L2TP user failed to log in
An OpenVPN user has logged in successfully
An IPsec/Xauth user has logged in successfully
An L2TP user has logged in successfully
An OpenVPN user has logged out
An IPsec/Xauth user has logged out
The system upgrade has completed successfully.
The system upgrade has failed.
There are system updates available.
The remote access to support user has been revoked.
The remote access to support users has been granted.
The access for support user has been extended until …
Besides for event notifications, SMS are used by the hotspot, to activate accounts or tickets. Bundles can be purchased from Endian S.r.l., Italy and added here to the 4i Edge X.
This box is divided into two parts: at the top it is possible to add SMS bundles, while at the bottom some information about the SMS contingent is displayed.
- Enter Activation Code …
To add a new SMS bundle, it must be first purchased on the Endian Network, after which an activation code will be generated. This activation code must be supplied in this textbox.
After supplying a valid activation code, clicking on this button will add an SMS contingent that will be used for sending the notifications.
- Available SMS
The number of SMS that are at disposal.
- Reserved SMS
The number of SMS that have already been used, but not yet delivered to the recipient. This event may occur for example if the recipient was not reachable.
Besides sending an e-mail or an SMS, a third option allows a Python script to be uploaded and executed right after an event occurs on the 4i Edge X. In this page it is possible to upload Python scripts and to associate them to the various events; more precisely, one Python script can be assigned to each event.
At the bottom appears a table of the scripts already uploaded, which is initially empty and shows the name, description and available actions of each script.
On top of the table, a click on the Add new script button allows a Python script to be uploaded to the 4i Edge X. Uploaded scripts must follow some guidelines, see below for more. The following options are available.
The name given to the script.
An optional description of the script, e.g., its purpose.
The available actions for each script.
Requirements for the Python scripts.
Python scripts that shall run on the 4i Edge X must follow a few design guidelines to ensure the proper interaction with the system, which can be summarised as follows.
The script must be importable. In other words, the script can use other Python modules installed on the system, but cannot rely on Python modules which are not present on the system.
The script must implement a class called ScriptEvent.
A method called process must be implemented in the ScriptEvent class. This method is the one that will be invoked when the event to which it is associated takes place.
The process method must accept the **kwargs parameter, that is, it must accept a dictionary of key : value parameters.
An example script that satisfies the above requirements, and therefore can be uploaded to the 4i Edge X, is the following one.
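    import time

    class ScriptEvent(object):
        def __init__(self):
            # File to which one line is appended each time the event fires.
            self.filename = "/tmp/fubar"

        def process(self, **kwargs):
            # Invoked by the system when the associated event takes place.
            with open(self.filename, "a") as handle:
                handle.write("Hello world, it is now %s\n" % time.time())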
The Endian code documentation, useful for writing custom scripts, will soon be available.
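One way to check a script against the four requirements listed above before uploading it, as an added example that is not Endian's code: it parses the file with ast instead of running it. The function names and the constructed sample scripts are assumptions, and the module check reflects the Python environment where the check runs, which is assumed to mirror the appliance's.

```python
"""Added example: static pre-upload check for an event script (not Endian code)."""
import ast
import importlib.util


def module_available(name):
    """True if the top-level module is found by the Python running this check."""
    try:
        return importlib.util.find_spec(name.split(".")[0]) is not None
    except (ImportError, ValueError):
        return False


def check_script(source):
    """Return a list of problems; an empty list means all four requirements hold.

    The source is parsed, never executed, so an unreviewed file is safe to check.
    """
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as exc:
        return ["not importable: %s" % exc]

    problems = []

    # Requirement 1: every absolute import must resolve to an installed module.
    imported = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            imported.add(node.module.split(".")[0])
    for name in sorted(imported):
        if not module_available(name):
            problems.append("module not installed: %s" % name)

    # Requirement 2: a top-level class called ScriptEvent.
    cls = next((n for n in tree.body
                if isinstance(n, ast.ClassDef) and n.name == "ScriptEvent"), None)
    if cls is None:
        problems.append("no top-level class named ScriptEvent")
        return problems

    # Requirements 3 and 4: a process method that accepts **kwargs.
    method = next((n for n in cls.body
                   if isinstance(n, ast.FunctionDef) and n.name == "process"), None)
    if method is None:
        problems.append("ScriptEvent has no process method")
    elif method.args.kwarg is None:
        problems.append("process does not accept **kwargs")
    return problems


# The example script from this page, followed by two constructed bad samples.
PAGE_EXAMPLE = r'''
import time

class ScriptEvent(object):
    def __init__(self):
        self.filename = "/tmp/fubar"

    def process(self, **kwargs):
        open(self.filename, "a").write("Hello world, it is now %s\n" % time.time())
'''

NO_KWARGS = r'''
class ScriptEvent(object):
    def process(self, event):
        pass
'''

MISSING_MODULE = r'''
import no_such_module_4i_example

class ScriptEvent(object):
    def process(self, **kwargs):
        pass
'''

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE),
                        ("no kwargs", NO_KWARGS),
                        ("missing module", MISSING_MODULE)):
        print(label, "->", check_script(text) or "OK")
```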
In this page it is possible to submit support requests for assistance to the Endian support, provided that the system has a valid maintenance subscription and is registered to the Endian Network.
The page is divided in two boxes with different purposes: The first one contains a link to open the support’s home page, while in the second one it is possible to allow the support team to access the 4i Edge X using SSH and HTTPS.
Visit Support Web Site
If the 4i Edge X has not been registered to Endian Network, or its maintenance has expired, no support can be supplied by Endian, and this box will display the following message:
Currently no running maintenance available. To access support, register with Endian Network first
If the system is not registered, support requests can be made to one of the several forums or mailing lists mentioned in the Endian web sites section.
With a valid maintenance subscription, this box contains one option.
- Please visit our Support Web Site
By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an assistance request to the support team.
Access for the Endian Support Team
Optionally, access to the firewall can be granted via SSH, a secure, encrypted connection that allows a member of the support staff to log in to the 4i Edge X, verify its configuration and inspect it to find out where the problem lies. The box contains an informative message, the status of the access, which is either DENIED or a date like Mon, 20 May 2019 12:12:18. When the status is DENIED a button appears at the bottom of the box:
- Allow access
Click on this button to grant 4 days of access to the 4i Edge X to the support team.
When the support team access is allowed, a new message appears under the status message: Access allowed until: followed by the date and time when access to the 4i Edge X will be revoked. Moreover, there are two buttons at the bottom of the box.
- Deny access
Immediately revoke the grant to access the 4i Edge X.
- Extend access for 4 more days
If the support team needs more time to inspect the 4i Edge X, a click on this button extends the access grant by four more days.
When enabled, the support team’s public SSH key is copied to the system and access is granted to them via that key. The support team will not authenticate with username/password to the 4i Edge X. The root password of the 4i Edge X is never disclosed in any way to the support team.
The management of the software updates is done from here. It is possible at any time to manually check for available updated packages, or to schedule a periodic check.
In this page there are two boxes: One with the current status of the system and one to schedule a routine check for updates.
The Status box informs whether the system needs updates or not. In the former case, a list of available packages is presented, while in the latter a message like the following one is shown.
These options are available:
- Check for new updates
A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages can be chosen from the list and installed.
In order to check for updates, a valid maintenance is required, otherwise no update will show up, even if available.
- Start update process NOW
The update process is launched: The system downloads the updated packages which are then installed, replacing the old ones.
When an upgrade process ends, there is the possibility that the 4i Edge X needs to be rebooted, for example when a new kernel is installed; this will be shown by a message dialog that appears on the GUI, and with a text message shown upon logging in from either the serial console or SSH.
When this message appears, please reboot the appliance as soon as possible, to avoid possible malfunctioning.
IP addresses and ports needed to communicate with Endian Network
While connected to the internet, the 4i Edge X needs access to the Endian Network, to carry out several tasks and provide additional services:
To synchronise the system’s information with Endian Network.
To allow remote access to the owner, to the reseller, or to the support team for configuration of services, troubleshooting, and problem resolution.
To allow the purchase of SMS, that can be used for example with the Event notifications.
Special firewall rules allow traffic to flow to the required IP addresses; however, if there is another device in front of the 4i Edge X that blocks traffic, access to those IP addresses must be allowed on this device as well. The updated list of Endian Network IPs can be seen under Firewall ‣ Outgoing traffic ‣ System rules.
If the 4i Edge X has been purchased with a maintenance package, it can be registered and connected to the Endian Network, the Endian solution that allows a company an easy and centralised monitoring, managing, and upgrading of all its registered systems.
Many functionalities of the 4i Edge X (e.g., access for the support team, SMS notification, and so on) require that the appliance be registered to the Endian Network.
If the system has not yet been registered or if the maintenance has expired, this page shows only a form that must be filled in to register the appliance.
Why is the registration to Endian Network important?
A system must be registered within twenty (20) days from the purchase of the activation code, otherwise no support can be supplied.
If thirty days have passed, the 4i Edge X will continue to work and offer the services that have already been configured, but access from Endian Network, GUI, SSH and serial console will be forbidden. This means that no support can be provided on the 4i Edge X, since the support team has no possibility to connect to it. Moreover, updates can no longer be installed.
To regain complete access to the 4i Edge X, a new activation code or maintenance renewal must be purchased.
Available options for Endian Network are organised into two pages, namely Subscription and Remote Access.
This page shows a summary of all the information about the registration status of the 4i Edge X. If the firewall has not yet been registered to the Endian Network, the registration form is shown, that must be filled in before submitting the request for registration. After the registration has been completed, the page will contain three boxes.
Register your Endian 4i Edge X
In order to subscribe the 4i Edge X, it is necessary to have a valid account on Endian Network, that can be created by clicking on the link at the beginning of the box.
The following options are available.
Account and system information
The username on Endian Network to register the 4i Edge X.
The password associated to the username.
- Activation Code
The activation code required to register the 4i Edge X.
On hardware appliances, the activation code is printed on either the box or the appliance itself, or both.
- System name
The name given to the system, that will appear on Endian Network as well.
The name of the company which owns the 4i Edge X.
- Sender email address
The e-mail of the registrant.
The country in which the 4i Edge X is located.
This section contains the license agreement, that must be accepted for a successful registration.
The following boxes appear only after a successful registration of the 4i Edge X.
Basic information about the 4i Edge X is shown here: Serial number, activation code, model of the appliance, and the maintenance package chosen.
This product is registered
A summary of the system information recorded on Endian Network: the System name, the organisation for which the 4i Edge X is registered, system ID, and the date of the last update, that is, the date when the 4i Edge X was registered.
Your Activation Keys
To receive updates from and to participate in the Endian Network, at least one valid, not expired activation key is required. There is a key for each channel, but typically just one or two, shown with its expiry date and the days of maintenance left.
An expired key is shown by its channel name stricken-through and by the expired string in the corresponding Days left column. This happens usually for optional channels.
The Remote Access page allows choosing whether the 4i Edge X can be reached through the Endian Network and by which protocol. To allow access, click on the Disabled button on the top of the page, which will turn green, and two access options will appear.
- Enable HTTPS access …
Allow the 4i Edge X to be reached via the web interface.
- Enable SSH Access …
Allow logging in to the 4i Edge X via a secure shell. Activating this option automatically activates the SSH access.
A step-by-step lesson to register the 4i Edge X to the Endian Network is available in this article.
New in version 5.0.5.
Changed in version 5.1: Renamed from Connect to Switchboard.
In this page it is possible to connect and register a 4i Edge X to a Switchboard instance using the plug and connect procedure.
This functionality is not yet available on all Endian appliances.
Requirements to use this functionality.
In order for a 4i Edge X to be eligible to be connected to the Switchboard, a few requirements must be satisfied:
The network configuration has been completed and the zones have been configured. This is important since it is not possible to change the 4i Edge X's network topology after registration.
The 4i Edge X has not yet been registered to Endian Network. If it already was, its registration must be deleted; this can be carried out from the CLI by using the following command: en-client -x.
There must be a working uplink and the 4i Edge X must be able to connect to the Internet and with Endian Network.
Port TCP 443 (i.e., HTTPS) of the 4i Edge X must be able to freely access the Internet, because the Switchboard will connect to that port to complete the registration.
If the 4i Edge X satisfies these conditions, it will be possible to start the procedure.
The plug and connect procedure can be carried out from the web console, by choosing option 6 and following the instructions.
The first time this page is accessed, it contains a few data and two options.
- Activation Code
Enter a valid Activation Code, then press on Next >> to register the 4i Edge X to the Switchboard.
Once done, the page will change and show the Activation code and the claim period, that is, the date and hour until which the plug and connect procedure must be carried out to successfully connect the 4i Edge X.
The following options are present here.
- Extend claim period
By clicking on this button, the claim period will be extended for 24 hours.
- Set custom registry
By clicking on this button, the IP address or FQDN of the Switchboard can be specified.
This option can be used only if the 4i Edge X should be registered to an own instance of the Switchboard.
At this point, it is possible to claim the 4i Edge X from the Switchboard and allow its remote management. Once this step has also been completed, the 4i Edge X will also be registered to Endian Network (and reachable from it), and this page shows the following information:
The message You are connected to the Switchboard.
Switchboard instance. The name given to the Switchboard on which the 4i Edge X has been claimed.
Gateway name. The name of the 4i Edge X as registered on the Switchboard.
On our portal there are howtos available that describe in detail the plug and connect and claim procedures.
Changed in version 5.1: This section was previously known as Passwords.
On this page it is possible to create new users that can access EMI. Initially, the page contains a table that lists only the admin user, which can neither be disabled nor deleted.
New accounts for web users can be created by clicking on the Add web frontend user link above the table. In the panel that opens, the following options can be configured.
The username of the account, which is case-sensitive and must be unique.
A description of the user.
- Password, Confirm Password
The password assigned to the user.
Passwords need to be at least 6 characters long; good passwords should be at least 8 characters long and include letters, numbers, and special characters like e.g., $ % @ !.
- GUI Profile
Choose from the drop-down menu which Profile to assign to the new user. There is currently only one profile available, which gives access to all the GUI.
Tick the checkbox to allow the user to access EMI.
The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.
The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.
When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet, two hyperlinks show up:
- Enable virtual keyboard
When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands by clicking the mouse on the various keys.
When the web console status is disconnected (i.e., when you issue the exit command), this applet does not communicate with the console.
- Disable input
This link toggles the possibility to send input from the keyboard to the web console.
This option has no effect on the virtual keyboard.
This screen allows enabling remote SSH access to the 4i Edge X, which is disabled by default. SSH access proves useful in several scenarios, such as inspecting log files, troubleshooting, and manually editing configuration files; in general it is reserved for advanced tasks, like the customisation of services or the implementation of a workaround for an existing bug.
If it is the first time that the SSH service is activated, it will take a few moments before the SSH server starts, since new SSH host keys must be generated.
Example SYS-1 - Traffic Tunnelling over SSH.
Assume that a service such as telnet (or any other service that can be tunneled through SSH) is running on a computer inside the GREEN zone, say port 23 on host myhost with IP address 10.0.0.20. The following steps set up an SSH tunnel through the 4i Edge X to access the service securely from outside the LAN, i.e., from the RED zone. While GREEN access from the RED interface is in general not recommended, it might prove useful in some cases, for example during the testing phase of a service.
Enable SSH and make sure the host can be accessed, i.e., configure the firewall in Menubar ‣ Firewall ‣ System access for myhost to be reachable from the outside.
From an external system connect to the 4i Edge X using the command ssh -N -f -L 12345:10.0.0.20:23 root@appliance, where
-N tells SSH not to execute commands, but just to forward traffic,
-f makes SSH run in the background and
-L 12345:10.0.0.20:23 maps the external system’s port 12345 to port 23 on myhost, as it can be seen from the 4i Edge X.
The SSH tunnel from port 12345 of the external system to port 23 on myhost is now established. On the external system now it suffices to telnet to port 12345 on localhost to reach myhost.
This page is initially empty. After SSH access is activated by clicking on the grey switch, two boxes are shown on the page: Secure Shell Options and SSH host keys.
When the SSH service is started, the following configuration options are displayed:
Secure Shell Options
- Allow password based authentication
Permit logins using password authentication.
- Allow TCP forwarding
When this option is ticked, other protocols can be tunneled through SSH. See Example SYS-1 for a sample use case.
- Allow public key based authentication
Logins with public keys are allowed. The public keys of the clients that can login using key authentication must be added to the file
The SSH access is automatically activated when at least one of the following options is true:
Endian support team access is allowed in Menubar ‣ System ‣ Support.
SSH access from Endian Network is enabled in Menubar ‣ System ‣ Endian Network ‣ Remote Access.
SSH host keys
At the bottom of the page, a table shows the three host keys that were generated at the first start. For each key, the table shows the file that contains it, its fingerprint, and its size in bits.
In this section it is possible to create new backups of the current 4i Edge X status and configuration or restore an existing backup when needed. Backups are saved locally on the 4i Edge X or on a USB stick, and can be downloaded to a workstation. Optionally, especially if confidential information is stored on the 4i Edge X (like e.g., personal data or certificates used in VPN), the backup archive can be encrypted using a GPG key.
It is suggested to keep a copy of the backups in a safe location.
Whenever a USB stick is plugged into the 4i Edge X, it is automatically detected and mounted. In this case, a few additional USB-related options are displayed throughout the page.
Here it is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out various other backups-related tasks.
This section is organised into two pages, Backup and Scheduled backups: The former is used to manage manual backups, while the latter to set up automatic backups.
In the Backup page there are three boxes: Backups, Encrypt backup archives, and Factory defaults.
Changed in version 6.0: the Import backup functionality has been incorporated in the Backups box.
In the first box, a table shows the backups stored on the 4i Edge X, both manual and scheduled ones. If a USB stick is connected to the 4i Edge X, the backups stored on it are displayed as well.
For each item it is shown:
The creation date
The content included in the backup. Each letter corresponds to a different element; see below for more details.
A remark. The string “Auto - backup before upgrade” means that an automatic backup has been made before a package or system upgrade.
The available actions, which include the Import backup functionality
Contents of the backups
The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option(s) specified during its creation:
Archive. The backup contains archived log files.
Cron. The backup has been created automatically by a scheduled backup job.
Database dumps. The backup contains a database dump.
Encrypted. The backup file is encrypted.
Hardware. Information about the appliance’s hardware is included.
Log files. The backup contains today’s log files.
Settings. The backup contains the configurations and settings.
USB. The backup has been saved to a USB stick.
! (Error). Something did not succeed while sending the backup file by email.
Above the table there are two buttons, Create a new backup and Upload a backup; a click on either one starts the corresponding task.
Create new backup
This section appears after a click on the Create a new backup button.
In this box it is possible to select which data to include in the backup. The letter in parentheses corresponds to those listed above.
- Include configuration (S)
The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other words, all the content of the
- Include database dumps (D)
The content of the database will also be backed up.
The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure that it is stored in a safe place and possibly GPG-encrypted.
- Include log files (L)
Include the current log files (e.g., /var/log/messages), but not log files of the previous days.
- Include log archives (A)
Include also older log files that have been rotated, and are stored under the /var/log/archive/ directory. Backups created with this option may become very big after some time.
A comment about the backup, that will appear in the Remark column of the table. Hence, it should be meaningful enough to allow a quick recall of the content.
- Create backup on USB Stick
Store the backup on the plugged in USB stick.
This option is only available if a USB stick is plugged into the 4i Edge X and it has been correctly mounted.
Backups on USB sticks are stored under the /mnt/usbstick/efw-backups directory. For any backup stored on the USB stick, a symlink will be created under the /var/backups/ directory. If the USB stick containing the backups is removed from the 4i Edge X, they will still show up in the list, but will not be accessible.
At least one of the checkboxes must be ticked to create a new backup. After clicking on the Create backup button, the files required by the backup are gathered and assembled into the archive. After a few minutes, depending on what has been included in the backup, the new backup appears in the list. The end of the backup process is marked by a yellow callout that appears above the box, showing the message Backup archive created successfully.
The format and name of the backup files.
Backup files are created as tar.gz archives, using the standard Linux tools tar and gzip. The files stored in the archive can be extracted with tar zxf archivename.tar.gz, or with tar vzxf archivename.tar.gz to see every file as it is processed and extracted, along with some informative messages on the screen (the v option means verbose). The name of the backup file is built to be unique and to convey as much information as possible about its content, so it can become quite a long string, e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz. Here, 20130208093337 is the timestamp of the backup’s creation, in the form YYYYMMDDHHMMSS (in this example, 8th of February 2013 at 9:33:37 AM); this choice allows the backups to be lexicographically ordered from the oldest one to the most recent one. myappliance.mydomain are the 4i Edge X's hostname and domainname as set in the Configuration Wizard, and settings-db-logs-logarchive represents the content of the backup. In this case it is a full backup, since all four parts appear in the name. For example, a backup containing only settings and logs will be identified by the string settings-logs.
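The naming scheme above can be checked mechanically when backups are downloaded to a workstation. The following is an added example, not Endian's own code: it parses the file name into timestamp, host and content, and lists the archives that hold a database dump and therefore call for safe, preferably GPG-encrypted, storage. The function names and the last two sample names are assumptions made for the illustration; the content tokens are those of the example name above.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Content tokens from the page's example name, mapped to the table letters.
CONTENT_TOKENS = {"settings": "S", "db": "D", "logs": "L", "logarchive": "A"}
NAME_RE = re.compile(r"^backup-(\d{14})-(.+)\.tar\.gz$")

class BackupName(NamedTuple):
    created: datetime
    host: str        # hostname.domainname
    contents: tuple  # e.g. ("settings", "db")

    @property
    def letters(self):
        return "".join(CONTENT_TOKENS[c] for c in self.contents)

    @property
    def has_db_dump(self):
        return "db" in self.contents

def parse_backup_name(filename):
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a backup archive name: {filename!r}")
    # strptime also rejects impossible timestamps (month 13, hour 25, ...).
    created = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    # Host names may contain '-', so peel the content tokens off the right.
    parts = m.group(2).split("-")
    contents = []
    while len(parts) > 1 and parts[-1] in CONTENT_TOKENS:
        contents.insert(0, parts.pop())
    if not contents:
        raise ValueError(f"no content tokens in {filename!r}")
    return BackupName(created, "-".join(parts), tuple(contents))

def audit(filenames):
    """Return (backups oldest first, the subset that holds a database dump)."""
    parsed = sorted(parse_backup_name(f) for f in filenames)
    return parsed, [b for b in parsed if b.has_db_dump]

# First name is the page's example; the other two are constructed.
SAMPLE = [
    "backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz",
    "backup-20130101120000-edge-gw01.example.test-settings-logs.tar.gz",
    "backup-20121224080000-myappliance.mydomain-settings.tar.gz",
]

if __name__ == "__main__":
    _, sensitive = audit(SAMPLE)
    for b in sensitive:
        print(b.created.isoformat(), b.host, b.letters, "-> keep encrypted")
```

A host name whose last hyphen-separated part is itself one of the content tokens cannot be told apart from the content list; the domain suffix normally prevents this.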
Import a backup Archive
This section appears after a click on the Upload a backup button.
In order to import a backup on the 4i Edge X, it is necessary to supply the following information.
A comment that will appear alongside
Click on the Choose File button to upload a file containing the backup.
A click on the Upload button will start the upload process.
It is not possible to import encrypted backups on the 4i Edge X: Any encrypted backup must be decrypted before being uploaded.
Encrypt backup archives
The second box in the page allows encrypting all future backups by providing a GPG public key. Click on the Disabled button to activate the functionality. The first time it is started, only one option shows up:
- Import GPG public key:
Select the GPG public key by clicking on Choose file to upload the key file from the local file system, then click on the Upload button underneath.
- Encrypt backup archives
Tick the checkbox if the archives should be encrypted. This option applies to both manual and scheduled backups.
Once a key has been uploaded and the Encrypt backup archives option is ticked, information about the key will be shown above the options, like in the following example:
The following GPG public key will be used to encrypt the backup archives:
pub 1024R/00000000 2010-10-10 [expires: 2020-10-09]
Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
uid Jane Doe <email@example.com>
sub 1024R/00000001 2010-10-10 [expires: 2020-10-10]
It is a good practice to encrypt a backup archive whenever it contains sensitive data, like for example the hotspot’s users data and billing information.
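Before relying on an uploaded key, the key information shown in the GUI is worth a quick check for key size and expiry. The following is an added example, not part of the product: it parses the pub and sub lines of a listing in the format shown above and reports short RSA keys and keys that have expired. The 2048-bit threshold and the function name are assumptions chosen for the illustration.

```python
import re
from datetime import date

# Matches the 'pub'/'sub' entries of the legacy GnuPG listing shown above,
# e.g. "pub 1024R/00000000 2010-10-10 [expires: 2020-10-09]".
KEY_RE = re.compile(
    r"\b(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[expires:\s*(\d{4}-\d{2}-\d{2})\])?"
)
MIN_RSA_BITS = 2048  # assumption: policy threshold chosen for this example

def check_key_listing(text, today):
    """Return a list of findings for every pub/sub key found in the listing."""
    findings = []
    for kind, bits, algo, keyid, _created, expires in KEY_RE.findall(text):
        label = f"{kind} {keyid}"
        # 'R' is the algorithm letter GnuPG uses for RSA in this format.
        if algo == "R" and int(bits) < MIN_RSA_BITS:
            findings.append(f"{label}: RSA {bits} bits is below {MIN_RSA_BITS}")
        # The expiry group is empty when the key never expires.
        if expires and date.fromisoformat(expires) < today:
            findings.append(f"{label}: expired on {expires}")
    return findings

# The example listing from this page, as one string.
SAMPLE_LISTING = (
    "pub 1024R/00000000 2010-10-10 [expires: 2020-10-09] "
    "Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 "
    "uid Jane Doe <email@example.com> "
    "sub 1024R/00000001 2010-10-10 [expires: 2020-10-10]"
)

if __name__ == "__main__":
    for finding in check_key_listing(SAMPLE_LISTING, date.today()):
        print(finding)
```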
The fourth box allows wiping out all configurations and settings done so far and rebooting the system with the default configuration. This is achieved by clicking on the only option available:
- Factory defaults
A click on this button will start the factory default process: A backup copy of the current settings is created and immediately after the 4i Edge X is rebooted and brought back to the factory defaults, including its default IP address, 192.168.0.15.
Since this is potentially a quite dangerous option, a pop-up window will ask for confirmation before starting the process. After clicking on OK, the process starts and cannot be interrupted.
Here it is possible to configure automated backups of the system.
Scheduled automatic backups
To enable automatic backups, click on the disabled: button. The following options will appear.
- Keep # of archives
Choose from the drop-down how many backups to keep on the 4i Edge X (from 2 up to 10, but they can be exported to save space).
- Schedule for automatic backups
The frequency between backups, either hourly, daily, weekly, or monthly.
- Include …
Ticking each of these options will include the corresponding configuration or data in the scheduled backup. These are the same options seen in the Backups box.
Scheduled backups will always be stored on the 4i Edge X.
Send backups via email
In this box the system can be configured to send the backups by e-mail. To enable the functionality, click on the disabled: button. The following options will appear.
Backups sent by e-mail will not contain the log archives, because their size might be so large as to prevent a correct delivery of the email.
The following options are available.
- Recipient email address
The e-mail address to which to send the e-mail with the backup.
- Sender email address
The e-mail address that will appear as the sender’s e-mail address, which proves useful when backups should appear to have been sent from a special address (say, firstname.lastname@example.org), and must be provided if the domain or hostname are not resolvable by the DNS.
- Smarthost address
The address of a smarthost to be used to send the e-mails, which is needed in case the outgoing e-mails should not be sent directly by the 4i Edge X, but from a different SMTP server.
A guide to create a backup on a USB stick.
In this page it is possible to either reboot or shutdown the 4i Edge X, by clicking on the Reboot or the Shutdown button respectively.
When clicking either of the buttons, a dialog will open, asking for confirmation. Click on Confirm to really reboot or shutdown the appliance or on Cancel to close the dialog.
During a reboot, the message Reboot in progress will be shown and after a short period (usually under a minute), it will be possible to continue to use the GUI without a new authentication.
This section displays the license agreement between Endian and the owner of the 4i Edge X.
After an upgrade, if the license agreement changes, at the first login it is necessary to accept the new license agreement before accessing the upgraded system and being allowed to use the 4i Edge X.