Access and Supervision

[jose_alberto]

I have the following questions:

At times the proxy does not load a Web page or take long to solve.
But if the frame automatic configuration option (IE) my users navigate seamlessly.
a) As I can see the system log to know what is happening?

b) I can access Putty (ssh) to CacheGuard?

c) I have the version 1.1.2 and apply the patches?

Waiting for your help.

[david]

Dear Jose

To answer you questions:

- You can use SSH (putty or any other SSH client) to remotely access to the CG CLI (Command Line Interface). But in order to have access via SSH you need to enable the ssh administration option using the following commands:

Code: Select all

admin ssh on
apply force

- You will also need to grant access to your remote administrator by adding his/her IP address to the list of allowed administrators. To do so please use the following commands:

Code: Select all

access admin add <your-remote-ip>
apply force

- The Web page loading problem you encounter can't be resolved by upgrading to the latest version (which is NG v1.1.4 at the time of writing) as this version resolves other issues but not yours. I rather think that your issue may come from an IP misconfiguration or an issue related to CG cabling. I suggest that you check the following:

• - Your screen shots show that your CG internal IP address is 192.168.15.12: please make ensure that this IP address is not used by other machines in your LAN (CG IP addresses should be static. Reserve them on your DHCP server to avoid any collisions).
  
  - The internal NIC of CG should be connected to your LAN (192.168.15.0/24 ?). By default the internal NIC is eth0.
  
  - the external NIC of CG should be connected to your Internet Router (WAN). By default the external NIC is eth1.

To audit your logs in real time first you need to activate the access logging and then activate the Web auditing module to audit your logs. Please use the following commands:

Code: Select all

mode log on
log type web on
admin waudit on
apply force

After having performed those commands you can have access to the Web Audit page at https://<your-ineternal-cg-ip-address>:8091 (8091 is the default port). In your case it should be https://192.168.15.12:8091.

Anyway it's always better to upgrade to the latest version. To do so please refer to the following pages:
- http://www.cacheguard.net/doc/command/system.html
- http://www.cacheguard.net/doc/guide/os.html#patch

you can find patches at: http://www.cacheguard.net/cacheguard-patch.html.

To upgrade from 1.1.2 to 1.1.4 you should successively upgrade to 1.1.3 and then from 1.1.3 to 1.1.4.

Of course you can perform all commands above at one time as follows:

Code: Select all

admin ssh on
admin waudit on
mode log on
log type web on
access admin add <your-remote-ip>
apply force

Let me know whether my answers have helped.

Best Regards,

[miguelp]

Hello David,
I'm in the latest version, and command:

Code: Select all

log web on

does not exist.
I can't also connect to port 9091.
Thanks,
Miguel

[david]

Hello Miguel

You are right as the correct command that activates the access logging is:

Code: Select all

log type web on
apply

Could you connect to the port 9090?

I rectified my previous post by replacing "log web on" by "log type web on".

Best Regards,
David

[miguelp]

Hello David,
Now that command works.
But I still cannot connect to port 9090 or 9091. Only to 8090 as usual.
Any ideas ?
Thanks,
Miguel

[david]

Hi Miguel

Again I did a mistake and wasn't clear enough; sorry for the inconvenience. Actually the right port to use depends on your configuration. Use the following command to display the Web auditing port:

Code: Select all

port waudit

By default it should be 8091. I rectified my initial post to reflect this change.

Please use the Web auditing module as a debugging tool and not as a monitoring system as it may expose your system/appliance to some threats. Please disable it once you finish to trace/debug your system.

Best Regards,

[miguelp]

Hello David,
Thanks! Now it works! Nice tool.
Would it be possible to add a monitoring category related to LDAP / Policy?

That it shows which filters were TRUE (Example IP/ LDAP query etc./Time) and based on that which Policy was selected.
Cheers,
Miguel

[david]

Hello

I'm happy to hear that
I'll add the improvement you suggested to our todo list and may develop it one day. Thanks for the idea.

Best Regards,

[jose_alberto]

David thank you very much for your answers, please one more question. In that place I see my current version and patch CacheGuardh? I did not find the commands.

waiting for your help, thank you.

[david]

Dear Jose

I wrote in an earlier post the following :

Anyway it's always better to upgrade to the latest version. To do so please refer to the following pages:
- http://www.cacheguard.net/doc/command/system.html
- http://www.cacheguard.net/doc/guide/os.html#patch...

Was the documentation helpful? I would appreciate it if you could give me your feedback.

In your case you need to upgrade from 1.1.2 to 1.1.3 and then from 1.1.3 to 1.1.4.

So you need to download the 1.1.3 and 1.1.4 patches at http://www.cacheguard.net/cacheguard-patch.html (download the 32 or 64 bits patches according to the CPU architecture of your CacheGuard appliance).

You will first need to download those patch files and place them on your own trusted file server (FTP or TFTP). Then you can download them (one at a time) from your trusted file server to your CG. Assuming that you use a TFTP server which has the 192.168.15.1 IP address and you want to patch a 64 bits machine you need to use the following commands:

To add the 192.168.15.1 to the list of trusted file servers (if it's not yet done):

Code: Select all

access file add 192.168.15.1
apply

Wait for the termination of the command apply and then (to upgrade to 1.1.3):

Code: Select all

system patch tftp 192.168.15.1 CacheGuard-NG-64-1.1.3-patch.cgp
apply
 

Wait for the termination of the command apply and then (to upgrade to 1.1.4):

Code: Select all

system patch tftp 192.168.15.1 CacheGuard-NG-64-1.1.4-patch.cgp
apply
 

Please let me know if you have any other questions.

Best Regards,