USB First Time Config using autoconf.clish files - How it is written

G_W_Albrecht — Mon, 12 Feb 2018 09:06:23 GMT

Here i talk about writing autoconf.clish files to configure SMB units; this articles first and second parts can be found here :

USB First Time Config using autoconf.clish files - How it works

USB First Time Config using autoconf.clish files - How to use them

---------------------

Now we will look at the details of the autoconfig.clish, mixing the file with the corresponding log messages in italics. We can define the unit name first:

set hostname GW_620
Could not set hostname hostname: Device name can only contain [A-F], [0-9] and '-' characters

The name is wrong, so we have to use a – instead to make it work:

set hostname GW-620

The First Time Wizard at this point lets you set the country also, but that is possible in CLISH only using the wlan settings; if not using wlan we could issue:

set wlan radio country australia
set wlan disable
# set Time sever settings

The last line is a comment – use the # to structure, comment and explain the file !

set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna) 
Wed Oct 8 08:57:00 GMT+0100 2014
set ntp server primary x.x.x.x
set ntp active on
Wed Oct 8 08:57:00 GMT+0100 2014
set ntp interval 1

After setting the time zone, the estimated current date and time is displayed. The same is done after setting the NTP Server to on:

# set admin access
set user admin type admin password VeryGoodPassWord
set admin-access web-access-port 4434 allowed-ipv4-addresses any
Changing the access policy - This might block your access to the appliance (although your current session will be retained)
set admin-access interfaces any access allow

Here, admin password is set – better for security is to set the password-hash instead:

set user admin type admin password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0

Now we set the ISP connection:

# set WAN internet connection and GW
add internet-connection interface WAN type static ipv4-address x.x.x.x subnet-mask 255.255.255.0 default-gw y.y.y.y conn-test-timeout 0
Skipped connection test

The connection test will try to reach the ISP, if using value zero, the connection test is skipped, otherwise, the value is the time limit in seconds.

# set DNS
set dns primary ipv4-address x.x.x.x
set dns secondary ipv4-address y.y.y.y
set dns tertiary ipv4-address 8.8.8.8

After setting the DNS servers, we define the internal networks:

# set internal networks and dhcp
set dhcp server interface LAN1_Switch disable
set interface LAN1_Switch ipv4-address 192.168.x.1 subnet-mask 255.255.255.0
set dhcp server interface LAN1_Switch include-ip-pool 192.168.x.1-192.168.x.254
set dhcp server interface LAN1_Switch enable
#set DMZ
set dhcp server interface DMZ disable
set interface DMZ ipv4-address 192.168.y.1 subnet-mask 255.255.255.0

Now we define the WLAN network:

# set WLAN
set wlan ssid MyWLAN
set interface MyWLAN ipv4-address 192.168.z.1 subnet-mask 255.255.255.0
set dhcp server interface MyWLAN include-ip-pool 192.168.z.1-192.168.z.254
set wlan radio country australia
set wlan radio operation-mode 11ng channel auto
set wlan security-type WPA2
set wlan wpa-auth-type password VeryGoodPassWord
set wlan enable

Finally, let us load the units license from UserCenter:

# get the license from UserCenter: 
fetch license usercenter

Other configuration steps can be constructed from CLISH commands. As this procedure works for 1100 and 600 appliances, it also works for centrally managed 1100 units. Management server would be configured there as follows:

# set Management Server IP and SIC to fetch certificate and policy:
set sic_init password VeryGoodPassWord
fetch certificate mgmt-ipv4-address x.x.x.x gateway-name GW-1100
fetch policy mgmt-ipv4-address x.x.x.x

With centrally managed 1100 units, the log server is defined in the policy. If a 600 device should log to a CP Log server, this can only be configured in WebGUI or bash, as there are no CLISH commands for log server configuration.

After the above autoclish has finished, FW Blade is on with “Hide internal networks behind the Gateway's external IP address” enabled and User Awareness is on but not configured, but all other blades are set off. Other Blades, WebServer or Rules configuration is available in CLISH:

# enable TP Blades:
set antispam mode on detection_method content-based log log spam_content_action block flag_subject_stamp spam
set threat-prevention ips policy mode "on"
set threat-prevention anti-virus policy mode "on"
set threat-prevention anti-bot policy mode "on"

But it is often necessary to configure locally managed 1400/1100/1200R/700/600 appliances using the WebGUI. E.g. when configuring:

set fw policy mode "strict"

this will add a rule for traffic between LAN networks (in WebGUI standard mode: Allow traffic between internal networks). To remove it, you can only use the WebGUI: Set to standard mode, then to strict again and the rule has vanished...

topic USB First Time Config using autoconf.clish files - How it is written in Spark Firewall (SMB)

USB First Time Config using autoconf.clish files - How it is written