As previously mentioned, the gateway supports a single context named "default". When you are working in this context, you can configure system-wide protocols and services, such as NTP, SSH, and syslog.

Configuring NTP

The Network Time Protocol (NTP) keeps the gateway's internal clock synchronized with the NTP servers you choose. To configure the NTP client on the gateway, you need two commands: one enables NTP on the gateway and the other specifies an NTP server to use. Use these templates:

% set system ntp enable <true/false> 
% set system ntp ntp-server <num> address <host_name/IP_address>
Where:

  • enable: Whether to enable the NTP client.
    • true: Enable the NTP client.
    • false: Disable the NTP client. This is necessary to set the date and time manually. (See Configuring the clock and timezone for the gateway.)
  • ntp-server: Number of the server (1, 2, or 3).
  • address: Host name or IP address of the designated server.


Example:

% set system ntp enable true 
% set system ntp ntp-server 1 address 0.pool.ntp.org 
% commit

Configuring SSH

Secure Shell (SSH) provides an encrypted shell connection between the gateway and another device. To configure SSH on the gateway's management port, use these two command lines as a template:

% set system ssh port <num> enable <true/false> 
% set system ssh ssh-listen-address <IP_address>
Where:

  • enable: Whether to enable the SSH client.
    • true: Enable the SSH client.
    • false: Disable the SSH client.
  • port: Port for the SSH daemon. If none is specified, the default for the protocol is used.
  • ssh-listen-address: IP address or name on which sshd listens for connections.

Note: If you set ssh-listen-address to an incorrect IP address or number, you lock yourself out of SSH access to the gateway; you can then reach the gateway only through its serial console port.

Example:

% set system ssh port 22 enable true 
% set system ssh ssh-listen-address 192.168.38.2
% commit

Configuring HTTPS

The gateway control channel runs over HTTPS. Administrators can configure the security level of the TLS configuration the gateway uses for HTTPS. By default, the gateway uses TLS 1.2 with a secure subset of cryptographic ciphers for maximum security, but administrators can also select a more compatible pre-configured set of ciphers, or a custom set of ciphers.

The security-level options are:

  • secure: Default. A secure set of ciphers. Note there is no RSA present.

    EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  • compatible: These are the settings used in pre-3.14.0 versions of the gateway.

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  • custom: To allow complete control over the ciphers used in the gateway control channel, administrators can configure a custom cipher string. Set the security-level to "custom" and the custom-cipher-string to the desired set of ciphers, as shown in the example below. These strings are validated using OpenSSL's parsing routines. See https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for more details on the format of these cipher strings.

To set a permissive set of ciphers compatible with older browsers:

% set system https security-level compatible
% commit 

To set a set of reasonable defaults:

% set system https security-level secure
% commit 

To configure custom ciphers:

% set system https security-level custom
% set system https custom-cipher-string ECDHE-ECDSA-AES128-GCM-SHA256
% commit 
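As an added example (not gateway code), the following Python script resolves the secure and compatible cipher strings from the table above, or a candidate custom-cipher-string, through the OpenSSL library linked into the interpreter, and reports which suites each string admits without forward secrecy (static RSA key exchange) or without AEAD. The exact suite list depends on the local OpenSSL version, and the gateway's own OpenSSL build may differ.

```python
import ssl

# Cipher strings copied from the gateway's security-level table above.
SECURE = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
COMPATIBLE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:"
    "AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"
    "!KRB5-DES-CBC3-SHA"
)
# Key-exchange names OpenSSL reports for ephemeral (forward-secret) exchanges.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def resolve(cipher_string):
    """Expand a cipher string with the interpreter's OpenSSL (the same kind of
    parsing routine the gateway uses to validate custom strings) and return the
    TLS 1.2-and-earlier suites it selects.  TLS 1.3 suites are not governed by
    cipher strings, so they are dropped.  Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise a cipher string: suites without forward secrecy (static RSA key
    exchange), suites without AEAD (CBC plus HMAC), and the symmetric ciphers used."""
    suites = resolve(cipher_string)
    return {
        "count": len(suites),
        "no_forward_secrecy": sorted(c["name"] for c in suites
                                     if c["kea"] not in FORWARD_SECRET_KX),
        "non_aead": sorted(c["name"] for c in suites if not c["aead"]),
        "symmetric": sorted({str(c["symmetric"]) for c in suites}),
    }


if __name__ == "__main__":
    for level, s in (("secure", SECURE), ("compatible", COMPATIBLE)):
        r = audit(s)
        print(f"{level}: {r['count']} suites, {len(r['no_forward_secrecy'])} without "
              f"forward secrecy, {len(r['non_aead'])} non-AEAD, symmetric={r['symmetric']}")
```

Running audit() on a candidate string before committing it as custom-cipher-string shows exactly which suites the control channel would accept.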


Configuring syslog

The gateway provides support for syslog in several ways:

  • Logging syslog messages
  • Making syslog traffic secure
  • Sending a specific facility code for all syslog messages
  • SNMP notifications (see Configuring SNMP notifications)

Logging Syslog messages

Syslog can be configured to log messages by using this template:

% set system syslog enable <true/false> 
% set system syslog syslog-server <list-id> address <ip-address/host-name> port <num> proto <udp/tcp/secure-tcp/relp>

Where:

  • enable: Whether to enable the Syslog service.
  • syslog-server: Which syslog server to modify (each server is identified by its assigned unsigned integer).
  • address: The IP address or host name of the syslog server.
  • port: The port number of the syslog server. If none is specified, the default for the protocol is used.
  • proto: The protocol to use for transmitting log messages to the syslog server. Valid values:
    • udp
    • tcp
    • secure-tcp (not supported for SNMP)
    • relp (not supported for SNMP)

Example

% set system syslog enable true 
% set system syslog syslog-server 1 address 192.168.4.0 port 514 proto udp 
% commit

Making Syslog traffic secure

If you need to transmit log messages securely from the gateway to a syslog server, you must use the Secure Syslog protocol. In combination with Transport Layer Security (TLS), Secure Syslog encrypts and signs communication between the gateway and the syslog server.

To enable Secure Syslog traffic, you must configure two elements:

  • Set the protocol for the Secure Syslog server with this CLI command:

    % set system syslog syslog-server <unsigned_integer> address <IP_address_or_name> proto secure-tcp

    Where secure-tcp is the value for the Secure Syslog protocol.

  • Set the parameters for the Secure Syslog protocol with this CLI command:

    % set system syslog syslog-server <unsigned_integer> secure-syslog <parameter_for_Secure_Syslog_protocol>

    Where secure-syslog is the container for the parameters that belong to the Secure Syslog protocol.

    There are two valid parameters in the secure-syslog container:

    • trusted-certificate-pem: The BASE64-encoded certificate authority data used to authenticate the remote syslog server.

    • trusted-common-name: The expected common name (CN) that will be matched against the certificate presented by the server. If unspecified, the secure syslog implementation will use the 'address' property of the syslog-server instance. Valid values include the wildcard character. For example, if the CN of the certificate contained foo.bar.com, then *.bar.com would be a match for the trusted-common-name parameter.

Restrictions on Secure Syslog Server

The gateway syslog implementation allows you to configure only one Secure Syslog server (proto=secure-tcp). In addition, when a Secure Syslog server is configured on the gateway, no other 'tcp' servers can be configured. There is no restriction on how many 'udp' servers can be configured.
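As an added example (not gateway code), this Python helper checks a planned set of syslog-server entries against the restrictions stated above and models the trusted-common-name behaviour described for the secure-syslog container: the name defaults to the server's address and may contain a wildcard. The dict layout of the entries and the case-insensitive comparison are assumptions of this example.

```python
import fnmatch

# Protocol values accepted by the syslog-server template.
VALID_PROTOCOLS = {"udp", "tcp", "secure-tcp", "relp"}


def validate_syslog_servers(servers):
    """Return a list of rule violations (an empty list means the set is valid).
    Rules from the gateway documentation: only one secure-tcp server; no tcp
    servers when a secure-tcp server exists; udp servers are unrestricted.
    The documentation says nothing about relp next to secure-tcp, so relp is
    not restricted here."""
    errors = []
    for s in servers:
        if s["proto"] not in VALID_PROTOCOLS:
            errors.append(f"server {s['id']}: unknown proto {s['proto']!r}")
    secure = [s["id"] for s in servers if s["proto"] == "secure-tcp"]
    plain_tcp = [s["id"] for s in servers if s["proto"] == "tcp"]
    if len(secure) > 1:
        errors.append(f"only one secure-tcp server is allowed, found {secure}")
    if secure and plain_tcp:
        errors.append(f"tcp servers {plain_tcp} cannot coexist with secure-tcp server {secure}")
    return errors


def expected_common_name(server):
    """trusted-common-name if set, otherwise the server's address (the documented default)."""
    return server.get("secure-syslog", {}).get("trusted-common-name") or server["address"]


def cn_matches(expected, presented_cn):
    """Wildcard match as documented: '*.bar.com' matches 'foo.bar.com'.
    Assumption: DNS names compare case-insensitively, so both sides are lowercased."""
    return fnmatch.fnmatchcase(presented_cn.lower(), expected.lower())


# Constructed sample mirroring the page's examples: one secure server, one udp server.
PLANNED = [
    {"id": 1, "address": "syslog.company.com", "proto": "secure-tcp",
     "secure-syslog": {"trusted-common-name": "*.company.com"}},
    {"id": 2, "address": "192.168.4.0", "port": 514, "proto": "udp"},
]

if __name__ == "__main__":
    print(validate_syslog_servers(PLANNED) or "planned syslog servers are valid")
    print(cn_matches(expected_common_name(PLANNED[0]), "log1.company.com"))
```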

Example

The following example illustrates how to configure a Secure Syslog server with a trusted certificate for authenticating a remote syslog server:

% set system syslog syslog-server 1 address syslog.company.com proto secure-tcp 
% set system syslog syslog-server 1 secure-syslog trusted-certificate-pem 
Enter/paste Base64 PEM data. Enter Ctl-D to complete.

Certificate contents (the PEM data pasted at the prompt, from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----):



Sending syslog messages with a specific facility code

If you need the gateway to send syslog messages with a specific facility code, configure the facility-name parameter. Its value specifies the facility code used when the gateway generates syslog messages. This is the template for the command:

% set system syslog facility-name localx  
% commit

Where localx is the facility name attached to the gateway's syslog messages, which the remote syslog server uses to identify and route them. Valid values are local0 through local7 and user.

For additional details about facility values, see RFC5424 (http://tools.ietf.org/html/rfc5424).
