The System Menu
The System menu provides information about the Connect Switchboard and its status, and allows the network setup and some access modes (e.g., via SSH or for Endian support) to be defined.
The sub-menu on the left-hand side contains the following items, which allow some basic administration tasks and the monitoring of the running activities of the Connect Switchboard.
Dashboard–overview of the system and of the connection status.
Settings–various settings related to common items used throughout the GUI.
Updates–management of system updates.
Support–support request form.
Endian Network–Endian Network registration information.
Passwords–set system passwords.
Web console–a console shell on the browser.
SSH access–enable/configure SSH access to the Connect Switchboard.
Backup–backup or restore Connect Switchboard settings as well as reset to factory defaults.
Shutdown–shutdown or reboot the Connect Switchboard.
License Agreement–a copy of the User License Agreement.
The remainder of this section will describe the various parts that compose the System menu items.
The Dashboard is the default landing page, the one that is displayed upon every login. It encompasses several boxes (“plugins”) organised in two columns that provide a complete overview of the running system and of its status and health. The top of each box reports the name of the box, and a click on the reload icon on the right-hand side of the title bar immediately reloads the information in the plugin, which are nonetheless updated at regular intervals.
The available plugins and the information they display are described next.
General Information Plugin
It shows information about the installed system. It usually presents the hostname and domain name of the Connect Switchboard in the title.
Hostname: The hostname and domain name
Appliance: The appliance type.
Version: The version of the firmware.
Uptime: The time since the last reboot.
Update status: A message depending on the Connect Switchboard status:
UP TO DATE. No updates are available.
UPDATE REQUIRED. New packages can be installed: A click on the message leads to the Updates page where it is possible to review the list of new packages.
PLEASE REGISTER. The system has not yet been registered to Endian Network: Go to the Endian Network page on the Connect Switchboard (System ‣ Endian Network) and fill in the form to complete the registration.
Maintenance: The remaining days of validity of the maintenance support, or the NOT REGISTERED string.
Support access: Whether the support team can access the Connect Switchboard or not. In the former case, the date until which access is granted is also shown.
Support access can be enabled or disabled under System ‣ Support.
Network Interfaces Plugin
It shows information about the network interfaces of the Connect Switchboard and their traffic. The upper part of this plugin lists, for each network interface, its name, type, link status (Up if a connection is established, Down otherwise), and the incoming and outgoing traffic. The last two values are updated in real time.
When ticking the checkbox near the device name, that device is shown in the graphs underneath. The devices’ name is coloured according to the zone they serve.
The lower part of the plugin contains two charts: The first one shows the incoming traffic, while the second one the outgoing traffic.
The traffic of each interface is coloured according to the zone it belongs to; bridges built on one device are shown in the same colour as the device, and different interfaces belonging to the same bridge are shown with different shades of that colour.
Like the traffic data in the upper part, both charts are updated in real-time.
Up to six interfaces can be selected and shown in the charts.
This plugin carries information about events recorded by some of the services installed on the Connect Switchboard and their current status. Active services are marked RUNNING. For each running service, a summary of the tasks accomplished during the last hour and the last day is shown.
Hence, if a number in the summaries looks unusual compared to normal activity (e.g., the IDS has detected some attack), the logs can be checked for useful messages that have been recorded.
The only supported service on the Connect Switchboard is:
Intrusion Detection: The number of attacks logged by snort.
Inactive services are marked with the STOPPED message.
This plugin shows information about the memory usage of the Connect Switchboard, taken from the free -m Linux command’s output. It features the usage of Total, Free, Cached, and Buffers memory.
Linux memory management is clearly described in this page.
This plugin shows a table detailing the uplinks’ connection status. For each defined uplink, its name, IP address, and uptime are shown. A coloured dot on the left of the name shows the status of the uplink.
Signature updates plugin
This plugin shows the signatures downloaded on the Connect Switchboard and the date of the last update. If no service that uses signatures has ever been started, the table will be empty.
If for one uplink the option Disable signature updates if uplink is online is active (see Network ‣ Uplinks), signatures will not be downloaded.
CPU Load Plugin
This plugin shows the load of each core of the CPU.
CPU x: The load of the CPU, where x is the CPU number on appliances that have more than one CPU.
It shows information about each partition mounted on the Connect Switchboard, both graphically, with a small bar and the percentage of used space, and numerically, with the used and total space.
A partition on the hard disk (e.g., main disk, data disk, and especially /var/log) must never be filled to 95% or more, as this can cause service disruption and data loss.
There are a few suggestions to free space on filled up partitions in this guide on Endian help portal.
This page contains settings that are used in other parts of EMI. The configuration options available here were previously spread across other pages of the GUI.
Here it is possible to modify the name of the Connect Switchboard.
The hostname of the Connect Switchboard.
- Display hostname in window title.
When activated by ticking the checkbox, this option displays the hostname of the Connect Switchboard in the browser’s window title.
The hostname is set during the Configuration Wizard and can be changed either by a factory reset or from the CLI using the netwizard command.
- Domain name
The name of the local domain of which the Connect Switchboard will be part.
This page contains options about the language and the time zone.
- Select your language
Select from the drop-down menu which language to be used for the web interface (including section names, labels, and so on).
Supported languages are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.
The timezone is normally selected during the initial setup, but it can be changed by choosing a new one from the drop-down menu.
Adjust time manually
This panel allows the system time to be changed manually. While this is usually neither recommended nor necessary, it is the only way to synchronise the system clock when it is far off the real time.
Indeed, automatic synchronisation using time servers is not instantaneous: the clock is slowed down or sped up slightly until it aligns with the correct time. If the discrepancy between the system clock and the time servers is too large, the ntp daemon will not be able to recover. In that case, manual synchronisation is the only way to immediately correct the Connect Switchboard's clock.
Some service (for example, the connection to an external LDAP server to authenticate VPN users) might not work if the clock is not synchronised.
To manually change the time and date, provide in the text fields that appear in this box the correct Year, Month, Day, Hours, and Minutes, then click on the Set time button.
Do not mind about the seconds: After the manual set up of the time, the ntp daemon will take charge of aligning the system’s time to the time server’s time.
Here it is possible to configure an SMTP mail server that will deliver the e-mails sent by the Connect Switchboard, typically from the notification service. The following options are available.
- Email sender address
The address that will appear as the sender of the e-mail.
- Email recipient address for notifications
The address to which the e-mail will be sent.
- SMTP address
The IP address or domain name of the SMTP server.
- SMTP port
The port on which the SMTP server runs.
- Connection security
Choose from the drop-down menu which type of security is required by the connection, either STARTTLS or SSL/TLS.
- SMTP server requires authentication
Tick the checkbox if authentication is required on the server side. The next three options appear.
The username needed to authenticate on the SMTP server.
The password needed to authenticate on the SMTP server.
- Authentication method
The authentication methods required by the SMTP server: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by ticking the checkboxes in the multiselect drop-down menu.
- Test email recipient address
After values for the above options have been provided, verify their correctness by providing a valid e-mail address to which a test e-mail will be sent. Click on Send test email when done. If the test e-mail is delivered correctly, it is possible to save the settings.
The settings in this box concern the upstream proxy, if there is one between the Connect Switchboard and the Internet: in this case, click on the Disabled switch to activate the functionality, then fill in the next options accordingly.
The IP address of the upstream proxy server.
The port on which the proxy service runs on the server.
- Proxy server requires authentication
Tick the checkbox if authentication is needed on the upstream proxy. The next two options will appear.
The username to connect to the proxy server, if needed.
The password to connect to the proxy server, if needed.
Here it is possible to manage the HTTPS certificate used to access EMI, the web interface of the Connect Switchboard.
- Certificate configuration
This drop-down menu is used to select the method of creation of a new certificate. The available options are:
When a certificate has been chosen, the name of the certificate currently in use and a link appear below the Certificate configuration drop-down menu. The link shows all information about the certificate when clicked.
Whenever a critical event takes place on the Connect Switchboard (e.g., a partition is filling up, someone accesses it via SSH or HTTPS, or updates are available), the event notification functionality allows the administrator to be informed immediately by e-mail or SMS. It is also possible to associate a Python script with each event, to take immediate action as a consequence of the event.
The configuration options for this functionality are grouped into four pages: Settings, Events, SMS, and Scripts.
This page contains the basic options to configure the E-mail and SMS settings to send the notifications.
To start the event notification functionality, click on the grey switch Disabled and wait a few seconds.
The options available are the following, grouped in Email settings and SMS settings.
- Use default email settings
Tick the checkbox to use the default e-mail settings; otherwise, a few more options to configure the SMTP server appear.
- Email sender address
The e-mail address that appears as the sender of the e-mail.
- Email recipient address
The e-mail address to which the e-mail will be delivered.
- Use smarthost for email delivery
Tick the checkbox to configure the smarthost to be used for delivering the notification e-mail.
While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.
- Smarthost address
The hostname or IP address of the smarthost.
- Smarthost port
The port on which the smarthost listens.
- Connection security
Choose from the drop-down menu which type of security can be used: None, STARTTLS, or SSL/TLS.
- Smarthost requires authentication
Tick the checkbox if the smarthost requires credentials to send e-mail. The next two options will appear.
- Smarthost username
The username to be used to authenticate with the smarthost.
- Smarthost password
The password associated with the username supplied in the previous option. A click on the checkbox on the right-hand side will show the password.
- Authentication method
Select which method the smart host shall use to authenticate the user.
The next two options are used to configure notification by SMS. SMS bundles can be added in the SMS section, System ‣ Event notification ‣ SMS.
- Destination phone number country prefix
The country code to which the phone number belongs to.
- Destination phone number
The actual phone number to which the SMS will be sent.
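The SMTP box under System ‣ Settings and the smarthost options under System ‣ Event notification ‣ Settings offer the same choices of port, connection security and authentication method, and the same mistakes are possible in both. The following checker is an added example, not code from the Connect Switchboard or its documentation: it flags the combinations a practitioner would want to catch before clicking Send test email, namely PLAIN or LOGIN authentication without TLS (which sends the password in clear text) and a port that does not match the chosen connection security. The allowed values are the ones listed on this page; the port conventions (465 for SSL/TLS, 587 or 25 for STARTTLS or plain) are an assumption of the example and are not stated here.

```python
"""Sanity-check SMTP / smarthost settings before sending the test e-mail.

Added example, not part of the Connect Switchboard code base. The allowed
values come from the option descriptions on this page; the port conventions
below are an assumption of this example.
"""
from dataclasses import dataclass

# Values offered by the "Connection security" and "Authentication method"
# drop-down menus described on this page.
CONNECTION_SECURITY = ("None", "STARTTLS", "SSL/TLS")
AUTH_METHODS = ("PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5")
# Methods that transmit the password itself (base64 is not encryption).
CLEARTEXT_PASSWORD_METHODS = ("PLAIN", "LOGIN")

# Assumption (not on this page): 465 is implicit TLS, 587 is the submission
# port that upgrades with STARTTLS, 25 is plain relay.
IMPLICIT_TLS_PORTS = {465}
STARTTLS_OR_PLAIN_PORTS = {587, 25}


@dataclass
class SmtpSettings:
    server: str
    port: int
    security: str = "None"
    auth_required: bool = False
    auth_methods: tuple = ()
    username: str = ""


def connection_plan(s: SmtpSettings) -> tuple:
    """Map the GUI choice to how a client such as smtplib would connect:
    (client class name, whether STARTTLS must be issued after connecting)."""
    if s.security == "SSL/TLS":
        return ("SMTP_SSL", False)   # TLS from the first byte
    if s.security == "STARTTLS":
        return ("SMTP", True)        # plain connect, then STARTTLS before AUTH
    return ("SMTP", False)           # everything in clear text


def check_smtp_settings(s: SmtpSettings) -> list:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; empty list means OK."""
    findings = []
    if s.security not in CONNECTION_SECURITY:
        findings.append(f"ERROR: unknown connection security {s.security!r}")
    if not 0 < s.port < 65536:
        findings.append(f"ERROR: port {s.port} is out of range")
    for method in s.auth_methods:
        if method not in AUTH_METHODS:
            findings.append(f"ERROR: unsupported authentication method {method!r}")
    if s.auth_required and not s.auth_methods:
        findings.append("ERROR: authentication required but no method selected")
    if s.auth_required and not s.username:
        findings.append("ERROR: authentication required but username is empty")

    # Port / security mismatch: the handshake will simply fail.
    if s.security == "STARTTLS" and s.port in IMPLICIT_TLS_PORTS:
        findings.append("ERROR: STARTTLS selected on port 465, which expects SSL/TLS")
    if s.security == "SSL/TLS" and s.port in STARTTLS_OR_PLAIN_PORTS:
        findings.append(f"ERROR: SSL/TLS selected on port {s.port}, which expects STARTTLS or plain")

    # Credential and content exposure.
    if s.security == "None":
        exposed = [m for m in s.auth_methods if m in CLEARTEXT_PASSWORD_METHODS]
        if s.auth_required and exposed:
            findings.append(f"ERROR: {'/'.join(exposed)} without TLS sends the password in clear text")
        else:
            findings.append("WARN: no TLS; notification e-mails travel in clear text")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations (not taken from a real appliance).
    for cfg in (
        SmtpSettings("smtp.example.com", 587, "STARTTLS", True, ("PLAIN",), "notify"),
        SmtpSettings("smtp.example.com", 25, "None", True, ("LOGIN",), "notify"),
        SmtpSettings("smtp.example.com", 465, "STARTTLS"),
    ):
        print(cfg.port, cfg.security, connection_plan(cfg), check_smtp_settings(cfg) or "OK")
```

CRAM-MD5 and DIGEST-MD5 do not send the password itself, which is why the checker only warns rather than errors for them without TLS; the message body still travels in clear text in that case, which is what the WARN finding points out.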
This page shows a list of all the events that can produce a notification message and allows to configure the actions to be done when each of the events takes place. Right above the list there is a small navigation bar and a search field: The latter can be used to filter only the relevant items.
If SMS notification is active and the hostname of the Connect Switchboard is very long, the SMS may not contain the entire notification message, because the message is trimmed to about 157-159 characters. In this case, we suggest also activating e-mail notification.
The list contains six columns:
- Event ID
The 8-digit ABBCCCCD code of the event. See Event ID explained below for more information about the IDs.
A short description of the event.
A ticked checkbox means that an e-mail is sent when the event takes place.
A ticked checkbox means that an SMS is sent when the event takes place.
The script that is executed when the event occurs.
The only action available is to modify the corresponding event.
When modifying an event, a new panel appears above the list with the following configuration options displayed.
- Event ID and Description
These identify the event and are generated automatically by the system, so they cannot be modified.
- Send email for this event
By ticking this checkbox, an e-mail will be sent upon the occurrence of the event.
- Send SMS for this event
By ticking this checkbox, an SMS will be sent upon the occurrence of the event.
- Run custom script for this event
By ticking this checkbox, a custom script is executed when the event takes place, rather than sending an SMS or an e-mail. The script must already have been uploaded to the Connect Switchboard (see the Scripts page for more information). Once the checkbox is ticked, a drop-down menu appears on the right-hand side.
- Custom script to run
Choose the script to be associated to the event from this drop-down-menu.
At least one script must have been uploaded in order to be able to associate it to the event. See section Scripts below.
Event ID explained
Each event that takes place on the Connect Switchboard is assigned a unique, 8-digit code, A-BB-CCCC-D built from the following four fields:
A represents the layer number, i.e., the system’s component in which the event has taken place:
1 = kernel
2 = system
3 = services
4 = configuration
5 = GUI
BB is the module number
CCCC is a sequential number assigned to the event
D is the severity of the event, i.e., how bad the event is. The lower the number, the worse the severity:
0 : critical event
1 : an error
4 : a warning
6 : a recovery from a bad state
8 : an informational message.
The following table lists all the IDs that correspond to an event. Note that, depending on the type of appliance, some events may never occur on the Connect Switchboard (e.g., on appliances without RAID controllers, events 10100011, 10100026, and 10100038 will never occur).
One device of the RAID array failed.
The rebuild of RAID array has completed.
Start recovery of RAID array.
One uplink has gone online.
One uplink has gone offline.
The system has started.
The system has shut down.
The system is rebooting.
All uplinks have gone offline.
All uplinks are online.
An uplink is dead.
An uplink turned back alive.
An SSH user has successfully logged in from a remote location.
An SSH user failed to log in from a remote location.
A disk is getting full.
An user has failed to log in to the management interface.
The number of available SMS is low.
There is no SMS left.
Digital Input Rising Trigger on an input
Digital Input Falling Trigger on an input
OpenVPN client opened tunnel on an interface
OpenVPN client closed tunnel on an interface
An OpenVPN user failed to log in.
An IPsec/Xauth user failed to log in.
An L2TP user failed to log in.
An OpenVPN user has logged in successfully.
An IPsec/Xauth user has logged in successfully.
An L2TP user has logged in successfully.
An OpenVPN user has logged out.
An IPsec/Xauth user has logged out.
The system upgrade has completed successfully.
The system upgrade has failed.
There are system updates available.
Remote access for the support user has been revoked.
Remote access for the support user has been granted.
The access for support user has been extended until …
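The following decoder is an added example, not code from the Connect Switchboard or its documentation. It applies the A-BB-CCCC-D layout and the layer and severity tables from Event ID explained above to the three RAID event IDs quoted in the note (10100011, 10100026 and 10100038), and shows the kind of severity filter a notification script might use to decide whether an event deserves a page or only a log line. Severity digits other than the five listed above are reported as "unknown" rather than rejected, which is a choice of this example.

```python
"""Decode Connect Switchboard event IDs (A-BB-CCCC-D).

Added example, not code from the Connect Switchboard or its documentation.
The field layout and the layer/severity tables are the ones given in
"Event ID explained" above; the three RAID event IDs used as sample input
are the ones quoted on this page.
"""
import re
from dataclasses import dataclass

LAYERS = {1: "kernel", 2: "system", 3: "services", 4: "configuration", 5: "GUI"}
SEVERITIES = {0: "critical", 1: "error", 4: "warning", 6: "recovery", 8: "informational"}

# Exactly eight digits: 1 layer, 2 module, 4 sequence, 1 severity.
_EVENT_ID = re.compile(r"^(?P<layer>\d)(?P<module>\d{2})(?P<seq>\d{4})(?P<sev>\d)$")


@dataclass(frozen=True)
class EventId:
    raw: str
    layer: int
    module: int
    sequence: int
    severity: int

    @property
    def layer_name(self) -> str:
        return LAYERS.get(self.layer, "unknown")

    @property
    def severity_name(self) -> str:
        return SEVERITIES.get(self.severity, "unknown")

    def at_least(self, severity_name: str) -> bool:
        """True if this event is as bad as, or worse than, severity_name.
        A lower digit means a worse event, so the comparison is <=."""
        threshold = {name: digit for digit, name in SEVERITIES.items()}[severity_name]
        return self.severity <= threshold


def parse_event_id(value) -> EventId:
    """Parse an 8-digit event ID given as int or str; raise ValueError otherwise."""
    text = str(value).strip()
    m = _EVENT_ID.match(text)
    if m is None:
        raise ValueError(f"{value!r} is not an 8-digit A-BB-CCCC-D event ID")
    return EventId(text, int(m["layer"]), int(m["module"]), int(m["seq"]), int(m["sev"]))


def describe(value) -> str:
    """Human-readable breakdown of one event ID."""
    e = parse_event_id(value)
    return (f"{e.raw}: layer {e.layer} ({e.layer_name}), module {e.module:02d}, "
            f"event {e.sequence:04d}, severity {e.severity} ({e.severity_name})")


def needs_paging(value, threshold: str = "error") -> bool:
    """Filter usable in a notification script: page only for 'error' or worse."""
    return parse_event_id(value).at_least(threshold)


if __name__ == "__main__":
    for raw in ("10100011", "10100026", "10100038"):  # RAID events quoted above
        print(describe(raw), "-> page" if needs_paging(raw) else "-> log only")
```

The three sample IDs all decode to layer 1 (kernel) and module 01, with severities 1 (error), 6 (recovery) and 8 (informational) respectively, which matches the note that they are RAID events raised by the kernel.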
Besides event notifications, SMS are used by the hotspot to activate accounts or tickets. Bundles can be purchased from Endian S.r.l., Italy and added here to the Connect Switchboard.
This box is divided into two parts: at the top there it is possible to add SMS bundles, while at the bottom some information about the SMS contingent is displayed.
- Enter Activation Code …
To add a new SMS bundle, it must be first purchased on the Endian Network, after which an activation code will be generated. This activation code must be supplied in this textbox.
After supplying a valid activation code, clicking on this button will add an SMS contingent that will be used for sending the notifications.
- Available SMS
The number of SMS that are at disposal.
- Reserved SMS
The number of SMS that have already been used, but not yet delivered to the recipient. This may happen, for example, if the recipient was not reachable.
Besides sending an e-mail or an SMS, a third option allows a Python script to be uploaded and executed right after an event occurs on the Connect Switchboard. In this page it is possible to upload Python scripts and associate them with the various events; more precisely, one Python script can be assigned to each event.
At the bottom appears a table of the scripts already uploaded, initially empty, which shows for each script its name, description and the available actions.
On top of the table, a click on the Add new script button allows a Python script to be uploaded to the Connect Switchboard. Uploaded scripts must follow some guidelines, see below for more. The following options are available.
The name given to the script.
An optional description of the script, like e.g., its purpose.
The available actions for each script.
Requirements for the Python scripts.
Python scripts that shall run on the Connect Switchboard must follow a few design guidelines to ensure the proper interaction with the system, which can be summarised as follows.
The script must be importable. In other words, the script can use other Python modules installed on the system, but cannot rely on Python modules which are not present on the system.
The script must implement a class called ScriptEvent.
A method called process must be implemented in the ScriptEvent class. This method is the one invoked when the event to which the script is associated takes place.
The process method must accept the **kwargs parameter, that is, it must accept a dictionary of key : value parameters.
An example script that satisfies the above requirements (and therefore can be uploaded to the Connect Switchboard) is the following one:

    import time

    class ScriptEvent(object):
        def __init__(self):
            # File that receives one line per event.
            self.filename = "/tmp/fubar"

        def process(self, **kwargs):
            # Invoked by the Connect Switchboard when the associated event
            # takes place; kwargs carries the event's key/value parameters.
            with open(self.filename, "a") as log:
                log.write("Hello world, it is now %s\n" % time.time())
The Endian code documentation, useful to write own scripts will soon be available.
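The requirements above are easy to get wrong: a process method declared without **kwargs, or an import of a module that exists on the workstation but not on the appliance, only fails when the event actually fires. The following checker is an added example, not part of the Connect Switchboard; it executes the candidate script's top level to prove it is importable, then inspects the ScriptEvent class for a process method that accepts arbitrary keyword arguments. Because it executes the script, run it only on scripts you wrote yourself or in a throwaway environment. The keyword arguments the appliance actually passes are not documented on this page, so the sample invocation uses made-up keys, and the assumption that ScriptEvent is instantiated without arguments follows the page's own example.

```python
"""Check a notification script against the requirements listed above
before uploading it.

Added example, not part of the Connect Switchboard code base. The kwargs
passed by the appliance are not documented on this page, so the sample
invocation below uses made-up keys (assumption).
"""
import inspect
import types

REQUIRED_CLASS = "ScriptEvent"
REQUIRED_METHOD = "process"


def load_script(source: str, name: str = "uploaded_script") -> types.ModuleType:
    """Import the script from a string. Raises if it is not importable
    (syntax error, import of a missing module, NameError at top level, ...)."""
    module = types.ModuleType(name)
    exec(compile(source, f"<{name}>", "exec"), module.__dict__)
    return module


def check_script(source: str) -> list:
    """Return the list of requirement violations; an empty list means OK."""
    try:
        module = load_script(source)
    except Exception as exc:  # noqa: BLE001 - any failure means "not importable"
        return [f"script is not importable: {type(exc).__name__}: {exc}"]
    cls = getattr(module, REQUIRED_CLASS, None)
    if not inspect.isclass(cls):
        return [f"no class named {REQUIRED_CLASS}"]
    method = getattr(cls, REQUIRED_METHOD, None)
    if not callable(method):
        return [f"{REQUIRED_CLASS} has no {REQUIRED_METHOD} method"]
    problems = []
    params = inspect.signature(method).parameters.values()
    if not any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params):
        problems.append(f"{REQUIRED_METHOD} does not accept **kwargs")
    # Assumption: the appliance instantiates the class without arguments,
    # as the page's own example does.
    try:
        cls()
    except Exception as exc:  # noqa: BLE001
        problems.append(f"{REQUIRED_CLASS}() cannot be instantiated without arguments: {exc}")
    return problems


def run_script(source: str, **event):
    """Instantiate ScriptEvent and call process(**event), as the appliance would."""
    module = load_script(source)
    return getattr(module, REQUIRED_CLASS)().process(**event)


# Constructed sample scripts (not taken from a real appliance).
GOOD_SCRIPT = '''
import json
class ScriptEvent(object):
    def __init__(self):
        self.seen = []
    def process(self, **kwargs):
        # Record whatever the appliance passes; the key names are not fixed here.
        self.seen.append(kwargs)
        return json.dumps(kwargs, sort_keys=True)
'''

BAD_SIGNATURE = '''
class ScriptEvent(object):
    def process(self, event_id, description):   # no **kwargs: rejected
        return event_id
'''

NOT_IMPORTABLE = '''
import module_that_does_not_exist_on_the_appliance
class ScriptEvent(object):
    def process(self, **kwargs):
        pass
'''

if __name__ == "__main__":
    for label, src in (("good", GOOD_SCRIPT), ("bad signature", BAD_SIGNATURE),
                       ("not importable", NOT_IMPORTABLE)):
        print(label, "->", check_script(src) or "OK")
    # Made-up event keys (assumption); the real ones are not documented here.
    print(run_script(GOOD_SCRIPT, event_id="10100011", description="RAID device failed"))
```

Running the checker on the workstation only proves importability against the workstation's Python installation; the "importable" requirement is about the modules present on the appliance, so the final check is still to upload the script and trigger a harmless event (for instance one of the informational ones) before relying on it.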
In this page it is possible to submit support requests to the Endian support team, provided that the system has a valid maintenance subscription and is registered to the Endian Network.
The page is divided in two boxes with different purposes: The first one contains a link to the support’s home page, while in the second one it is possible to allow the support team to access the Connect Switchboard using SSH and HTTPS.
Visit Support Web Site
If the Connect Switchboard has not been registered to Endian Network, or its maintenance has expired, no support can be supplied by Endian, and this box will display the following message:
Currently no running maintenance available. To access support, register with Endian Network first
If the system is not registered, support requests can be made to one of the several forums or mailing lists mentioned in the Endian web sites section.
With a valid maintenance subscription, this box contains one option.
- Please visit our Support Web Site
By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an assistance request to the support team.
Access for the Endian Support Team
Optionally, access to the Connect Switchboard can be granted via SSH, a secure, encrypted connection that allows a member of the support staff to log in, verify the configuration and inspect the system to find out where the problem lies. The box contains an informative message and the status of the access, which is either DENIED or a date like Mon, 20 May 2019 12:12:18. When the status is DENIED, a button appears at the bottom of the box:
- Allow access
Click on this button to grant the support team 4 days of access to the Connect Switchboard.
When the support team access is allowed, a new message appears under the status message: Access allowed until: followed by the date and time when access to the Connect Switchboard will be revoked. Moreover, there are two buttons at the bottom of the box.
- Deny access
Immediately revoke the grant to access the Connect Switchboard.
- Extend access for 4 more days
If the support team needs more time to inspect the Connect Switchboard, a click on this button extends the access grant by four more days.
When enabled, the support team’s public SSH key is copied to the system and access is granted to them via that key. The support team will not authenticate with username/password to the Connect Switchboard. The root password of the Connect Switchboard is never disclosed in any way to the support team.
The management of the software updates is done from here. It is possible at any time to manually check for available updated packages, or to schedule a periodic check.
In this page there are two boxes: One with the current status of the system and one to schedule a routine check for updates.
The Status box informs whether the system needs updates or not. In the former case, a list of available packages is presented, while in the latter a message like the following one is shown.
These options are available:
- Check for new updates
A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages can be chosen from the list and installed.
In order to check for updates, a valid maintenance is required, otherwise no update will show up, even if available.
- Start update process NOW
The update process is launched: The system downloads the updated packages which are then installed, replacing the old ones.
When an upgrade process ends, there is the possibility that the Connect Switchboard needs to be rebooted, for example when a new kernel is installed; this will be shown by a message dialog that appears on the GUI, and with a text message shown upon logging in from either the serial console or SSH.
When this message appears, please reboot the appliance as soon as possible, to avoid possible malfunctioning.
IP addresses and ports needed to communicate with Endian Network
While connected to the internet, the Connect Switchboard needs access to the Endian Network, to carry out several tasks and provide additional services:
To synchronise the system’s information with Endian Network.
To allow remote access to the owner, to the reseller, or to the support team for configuration of services, troubleshooting, and problem resolution.
To allow the purchase of SMS, that can be used for example with the Event notifications.
Special firewall rules allow traffic to flow to the required IP addresses; however, if there is another device in front of the Connect Switchboard that blocks traffic, also on this device the access to those IP addresses must be allowed. The updated list of Endian Network IPs can be seen under Firewall ‣ Outgoing traffic ‣ System rules.
If the Connect Switchboard has been purchased with a maintenance package, it can be registered and connected to the Endian Network, the Endian solution that allows a company an easy and centralised monitoring, managing, and upgrading of all its registered systems.
Many functionalities of the Connect Switchboard (e.g., access for the support team, SMS notification, and so on) require that the appliance be registered to the Endian Network.
If the system has not yet been registered or if the maintenance has expired, this page shows only a form that must be filled in order to register the appliance.
Why is the registration to Endian Network important?
A system must be registered within twenty (20) days from the purchase of the activation code, otherwise no support can be supplied.
If thirty days have passed, the Connect Switchboard will continue to work and offer the services that have already been configured, but access from Endian Network, GUI, SSH and serial console will be forbidden. This means that no support can be provided on the Connect Switchboard, since the support team has no way to connect to it. Moreover, updates can no longer be installed.
To regain complete access to the Connect Switchboard, a new activation code or maintenance renewal must be purchased.
Available options for Endian Network are organised into two pages, namely Subscription and Remote Access.
This page shows a summary of all the information about the registration status of the Connect Switchboard. If the firewall has not yet been registered to the Endian Network, the registration form is shown, that must be filled in before submitting the request for registration. After the registration has been completed, the page will contain three boxes.
Register your Endian Connect Switchboard
In order to subscribe the Connect Switchboard, it is necessary to have a valid account on Endian Network, that can be created by clicking on the link at the beginning of the box.
The following options are available.
Account and system information
The username on Endian Network to register the Connect Switchboard.
The password associated to the username.
- Activation Code
The activation code required to register the Connect Switchboard.
On hardware appliances, the activation code is printed on the box, on the appliance itself, or on both.
- System name
The name given to the system, that will appear on Endian Network as well.
The name of the company which owns the Connect Switchboard.
- Sender email address
The e-mail of the registrant.
The country in which the Connect Switchboard is located.
This section contains the license agreement, that must be accepted for a successful registration.
The following boxes appear only after a successful registration of the Connect Switchboard.
Here are shown basic information about the Connect Switchboard: Serial number, activation code, model of the appliance, and the maintenance package chosen.
This product is registered
A summary of the system information recorded on Endian Network: the System name, the organisation for which the Connect Switchboard is registered, system ID, and the date of the last update, that is, the date when the Connect Switchboard was registered.
Your Activation Keys
To receive updates from and to participate in the Endian Network, at least one valid, not expired activation key is required. There is a key for each channel, but typically just one or two, shown with its expiry date and the days of maintenance left.
An expired key is shown with its channel name struck through and the expired string in the corresponding Days left column. This usually happens for optional channels.
The Remote Access page allows to choose whether the Connect Switchboard can be reached through the Endian Network and by which protocol. To allow access, click on the Disabled button on the top of the page, that will turn green, and two access options will appear.
- Enable HTTPS access …
Allow the Connect Switchboard to be reached via the web interface.
- Enable SSH Access …
Allow to login via a secure shell to the Connect Switchboard. Activating this option automatically activates the SSH access.
A step-by-step lesson to register the Connect Switchboard to the Endian Network is available in this article.
This page allows new users that can access EMI to be created; it initially contains a table listing only the admin user, which can be neither disabled nor deleted.
New accounts for web users can be created by clicking on the Add web frontend user link above the table. In the panel that opens, the following options can be configured.
The username of the account, which is case-sensitive and must be unique.
A description of the user.
- Password, Confirm Password
The password assigned to the user.
Passwords need to be at least 6 characters long; good passwords should be at least 8 characters long and include letters, numbers, and special characters like e.g., $ % @ !.
- GUI Profile
Choose from the drop-down menu which Profile to assign to the new user. There is currently only one profile available, which gives access to all the GUI.
Tick the checkbox to allow the user to access EMI.
The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.
The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.
When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet, two hyperlinks show up:
- Enable virtual keyboard
When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands by clicking the mouse on the various keys.
When the web console status is disconnected (i.e., when you issue the exit command), this applet does not communicate with the console.
- Disable input
This link toggles the possibility to send input from the keyboard to the web console.
This option has no effect on the virtual keyboard.
This page allows remote SSH access to the Connect Switchboard to be enabled; it is disabled by default. Access via SSH proves useful in several scenarios: checking log files, troubleshooting, manually editing configuration files, and in general for advanced tasks such as the customisation of services or the implementation of a workaround for an existing bug.
The first time the SSH service is activated, it takes a few moments before the SSH server starts, since new SSH host keys must be generated.
Example SYS-1 - Traffic Tunnelling over SSH.
Assume that a service such as telnet (or any other service that can be tunnelled through SSH) is running on a computer inside the GREEN zone, say on port 23 of host myhost with IP address 10.0.0.20. The following steps set up an SSH tunnel through the Connect Switchboard to access that service securely from outside the LAN, i.e., from the RED zone. While GREEN access from the RED interface is in general not recommended, it might prove useful in some cases, for example during the testing phase of a service.
Enable SSH and make sure the host can be accessed, i.e., configure the firewall in Menubar ‣ Firewall ‣ System access for myhost to be reachable from the outside.
From an external system connect to the Connect Switchboard using the command ssh -N -f -L 12345:10.0.0.20:23 root@appliance where
-N tells SSH not to execute commands, but just to forward traffic,
-f makes SSH run in the background and
-L 12345:10.0.0.20:23 maps the external system’s port 12345 to port 23 on myhost, as it can be seen from the Connect Switchboard.
The SSH tunnel from port 12345 of the external system to port 23 on myhost is now established. On the external system now it suffices to telnet to port 12345 on localhost to reach myhost.
This page is initially empty. After SSH access is activated by clicking on the grey switch, two boxes are shown in the page: Secure Shell Options and SSH host keys.
When the SSH service is started, the following configuration options are displayed:
Secure Shell Options
- Allow password based authentication
Permit logins using password authentication.
- Allow TCP forwarding
When this option is ticked, other protocols can be tunneled through SSH. See Example SYS-1 for a sample use case.
- Allow public key based authentication
Logins with public keys are allowed. The public keys of the clients that can login using key authentication must be added to the file
The SSH access is automatically activated when at least one of the following options is true:
Endian support team access is allowed in Menubar ‣ System ‣ Support.
SSH access from Endian Network is enabled in Menubar ‣ System ‣ Endian Network ‣ Remote Access.
SSH host keys
At the bottom of the page, a table shows the three host keys that were generated at the first start. For each key, the table shows the file that contains it, its fingerprint, and its size in bits.
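The fingerprints in this table are what an SSH client reports on its first connection to the Connect Switchboard, so comparing the two guards against connecting to the wrong host. The following added example (not part of the Connect Switchboard documentation or software) computes the SHA256 fingerprint and key size from an OpenSSH public key line of the kind found in known_hosts or authorized_keys files; the key material it builds is constructed, not a real key.

```python
import base64
import hashlib
import struct


def _read_string(blob: bytes, offset: int) -> tuple:
    """Read one length-prefixed SSH wire-format string (RFC 4251)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def key_info(line: str) -> dict:
    """Parse an OpenSSH 'type base64 [comment]' line into type, fingerprint, bits."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type label does not match the encoded blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)   # mpint, may carry a leading 0x00 byte
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        point, _ = _read_string(blob, off)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        raise ValueError("unsupported key type: " + key_type)
    # Same form as 'ssh-keygen -lf': base64 of SHA-256 over the blob, padding stripped.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "fingerprint": "SHA256:" + digest, "bits": bits}


def mpint(value: int) -> bytes:
    """Minimal big-endian two's-complement encoding of a non-negative integer."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def encode_key_line(key_type: str, *parts: bytes, comment: str = "") -> str:
    """Build a public key line from wire-format parts (used here for constructed keys)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return (key_type + " " + base64.b64encode(blob).decode() + " " + comment).rstrip()
```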
In this section it is possible to create new backups of the current Connect Switchboard status and configuration or restore an existing backup when needed. Backups are saved locally on the Connect Switchboard or on a USB stick, and can be downloaded to a workstation. Optionally, especially if confidential information is stored on the Connect Switchboard (such as personal data or certificates used in VPN), the backup archive can be encrypted using a GPG key.
It is suggested to keep a copy of the backups in a safe location.
Whenever a USB stick is plugged into the Connect Switchboard, it is automatically detected and mounted. In this case, a few additional USB-related options are displayed throughout the page.
Here it is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out various other backup-related tasks.
This section is organised into two pages, Backup and Scheduled backups: The former is used to manage manual backups, while the latter to set up automatic backups.
In the Backup page there are three boxes: Backups, Encrypt backup archives, and Factory defaults.
In the first box, a table shows the backups stored on the Connect Switchboard, both manual and scheduled ones. If a USB stick is connected to the Connect Switchboard, backups stored on it are also displayed.
For each item it is shown:
The creation date
The content included in the backup. Each letter corresponds to a different element included in the backup; see Contents of the backups below for more details.
A remark. The string “Auto - backup before upgrade” means that an automatic backup has been made before a package or system upgrade.
The available actions, which include the Import backup functionality
Contents of the backups
The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option(s) specified during its creation:
Archive. The backup contains archived log files.
Cron. The backup has been created automatically by a scheduled backup job.
Database dumps. The backup contains a database dump.
Encrypted. The backup file is encrypted.
Hardware. Information about the appliance’s hardware is included.
Log files. The backup contains today’s log files.
Settings. The backup contains the configurations and settings.
USB. The backup has been saved to a USB stick.
! (Error). Something did not succeed while sending the backup file by email.
Above the table, a click on one of the two buttons Create a new backup and Upload a backup allows carrying out these two tasks.
Create new backup
This section appears after a click on the Create a new backup button.
In this box it is possible to select which data to include in the backup: The letters in parentheses correspond to those listed above.
- Include configuration (S)
The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other words, all the content of the
- Include database dumps (D)
The content of the database will also be backed up.
The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure that it is stored in a safe place and possibly GPG-encrypted.
- Include log files (L)
Include the current log files (e.g., /var/log/messages), but not log files of the previous days.
- Include log archives (A)
Include also older log files that have been rotated, and are stored under the /var/log/archive/ directory. Backups created with this option may become very big after some time.
- Include hardware data (H)
Include data about the appliance’s hardware. It is needed when restoring a backup on an appliance of the same type, while this information should not be included when the backup is imported into a different appliance’s model (e.g., from a Mercury to a Macro).
This option does not appear on Virtual and Software appliances.
A comment about the backup, which will appear in the Remark column of the table. Hence, it should be meaningful enough to allow a quick recall of the content.
- Create backup on USB Stick
Store the backup on the plugged in USB stick.
This option is only available if a USB stick is plugged into the Connect Switchboard and it has been correctly mounted.
Backups on USB sticks are stored under the /mnt/usbstick/efw-backups directory. For any backup stored on the USB stick, a symlink will be created under the /var/backups/ directory. If the USB stick containing the backups is removed from the Connect Switchboard, they will still show up in the list, but will not be accessible.
At least one of the checkboxes must be ticked to create a new backup. After clicking on the Create backup button, the files required by the backup are gathered and assembled into the archive. After a few minutes, depending on what has been included in the backup, the new backup appears in the list. The end of the backup process is marked by a yellow callout that appears above the box, showing the message Backup archive created successfully.
The format and name of the backup files.
Backup files are created as tar.gz archives using the standard Linux tools tar and gzip. The files stored in the archive can be extracted with tar zxf archivename.tar.gz, or with tar vzxf archivename.tar.gz to also list every file processed and extracted (the v option means verbose). The name of a backup file is built to be unique and to convey as much information as possible about its content, so it can become quite a long string, e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz. Here 20130208093337 is the timestamp of the backup’s creation in the form YYYYMMDDHHMMSS (in this example, 8th of February 2013 at 9:33:37 AM); this choice allows the backups to be ordered lexicographically from the oldest to the most recent. myappliance.mydomain are the Connect Switchboard’s hostname and domain name as set in the Configuration Wizard, and settings-db-logs-logarchive represents the content of the backup. In this case it is a full backup, since all four parts appear in the name; a backup containing only settings and logs, for example, is identified by the string settings-logs.
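As an added example (not part of the Connect Switchboard documentation or software), the following parser turns backup file names of the form described above into their creation time, host and content parts, maps the content parts to the letters used in the backups table (S, D, L, A), and flags backups that carry a database dump and therefore, as noted under Include database dumps, should be stored encrypted. The host part may itself contain dashes, which the parser handles by peeling the known content tokens off the end; the sample names are constructed.

```python
import re
from datetime import datetime

# Content tokens as they appear in a backup name, with the letter shown in the
# backups table for each of them.
CONTENT_LETTERS = {"settings": "S", "db": "D", "logs": "L", "logarchive": "A"}
_NAME_RE = re.compile(r"^backup-(\d{14})-(.+)\.tar\.gz$")


def parse_backup_name(filename: str) -> dict:
    """Split a backup archive name into creation time, host and content parts."""
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError("not a backup archive name: " + filename)
    created = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    fields = m.group(2).split("-")
    # Content tokens are the trailing dash-separated fields; everything before
    # them is the host, which may itself contain dashes.
    contents = []
    while fields and fields[-1] in CONTENT_LETTERS:
        contents.insert(0, fields.pop())
    if not contents or not fields:
        raise ValueError("missing host or content part: " + filename)
    return {
        "created": created,
        "host": "-".join(fields),
        "contents": tuple(contents),
        "letters": "".join(CONTENT_LETTERS[c] for c in contents),
    }


def is_full_backup(info: dict) -> bool:
    """True when all four parts (settings, db, logs, logarchive) are present."""
    return info["contents"] == tuple(CONTENT_LETTERS)


def needs_encryption(info: dict) -> bool:
    """A backup holding a database dump may carry sensitive data."""
    return "db" in info["contents"]


def oldest_first(filenames):
    """Order by parsed timestamp; for these names this equals plain string order."""
    return sorted(filenames, key=lambda f: parse_backup_name(f)["created"])
```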
Import a backup Archive
This section appears after a click on the Upload a backup button.
In order to import a backup on the Connect Switchboard, it is necessary to supply the following information.
A comment that will appear alongside
Click on the Choose File button to upload a file containing the backup.
A click on the Upload button will start the upload process.
It is not possible to import encrypted backups on the Connect Switchboard: Any encrypted backup must be decrypted before being uploaded.
Encrypt backup archives
The second box in the page allows encrypting all future backups by providing a GPG public key. Click on the Disabled button to activate the functionality. The first time it is started, only one option shows up:
- Import GPG public key:
Select the GPG public key by clicking on Choose file to upload the key file from the local file system, then click on the Upload button underneath.
- Encrypt backup archives
Tick the checkbox if the archives should be encrypted. This option applies to both manual and scheduled backups.
Once a key has been uploaded and the Encrypt backup archives option is ticked, information about the key will be shown above the options, like in the following example:
The following GPG public key will be used to encrypt the backup archives:
pub 1024R/00000000 2010-10-10 [expires: 2020-10-09]
Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
uid Jane Doe <firstname.lastname@example.org>
sub 1024R/00000001 2010-10-10 [expires: 2020-10-10]
It is good practice to encrypt a backup archive whenever it contains sensitive data, like for example the hotspot’s user data and billing information.
The fourth box allows wiping out all configurations and settings done so far and rebooting the system with the default configuration. This is achieved by clicking on the only option available:
- Factory defaults
A click on this button will start the factory default process: A backup copy of the current settings is created, and immediately afterwards the Connect Switchboard is rebooted and brought back to the factory defaults, including its default IP address, 192.168.0.15.
Since this is potentially a quite dangerous option, a pop-up window will ask for confirmation before starting the process. After clicking on OK, the process starts and cannot be interrupted.
Here it is possible to configure automated backups of the system
scheduled automatic backups
To enable automatic backups, click on the disabled: button. The following options will appear.
- Keep # of archives
Choose from the drop-down how many backups to keep on the Connect Switchboard (from 2 up to 10, but they can be exported to save space).
- Schedule for automatic backups
The frequency between backups, either hourly, daily, weekly, or monthly.
- Include …
Ticking each of these options includes the corresponding configuration or data in the scheduled backup. They are the same options seen in the Backups box.
Scheduled backups will always be stored on the Connect Switchboard.
Send backups via email
In this box the system can be configured to send the backups by e-mail. To enable the functionality, click on the disabled: button. The following options will appear.
Backups sent by e-mail will not contain the log archives, because their size might be so large as to prevent a correct delivery of the e-mail.
The following options are available.
- Recipient email address
The e-mail address to which to send the e-mail with the backup.
- Sender email address
The e-mail address that will appear as the sender’s e-mail address, which proves useful when backups should appear to have been sent from a special address (say, email@example.com), and must be provided if the domain or hostname are not resolvable by the DNS.
- Smarthost address
The address of a smarthost to be used to send the e-mails, which is needed in case the outgoing e-mails should not be sent directly by the Connect Switchboard, but from a different SMTP server.
A guide to create a backup on a USB stick.
In this page it is possible to either reboot or shutdown the Connect Switchboard, by clicking on the Reboot or the Shutdown button respectively.
When clicking either of the buttons, a dialog will open, asking for confirmation. Click on Confirm to really reboot or shutdown the appliance or on Cancel to close the dialog.
During a reboot, the message Reboot in progress will be shown and after a short period (usually under a minute), it will be possible to continue to use the GUI without a new authentication.
This section displays the license agreement between Endian and the owner of the Connect Switchboard.
After an upgrade, if the license agreement changes, at the first login it is necessary to accept the new license agreement before accessing the upgraded system and being allowed to use the Connect Switchboard.