CacheGuard-OS
User's Guide - Version UF-2.3.6
Configuration Management
A CacheGuard appliance is configured and administrated using online commands or the Web Administration GUI. There are primarily two types of commands: commands with an immediate effect and configuration commands. A CacheGuard configuration is represented by a set of configuration commands invoked with the appropriate arguments.
Configuration commands can be invoked with or without arguments. Without any arguments, a configuration command normally displays the configuration information related to that command. When invoked with one or more arguments, the command usually modifies the configuration. For example, the ip command, when invoked without arguments, displays all IP addresses associated with network interfaces. When invoked with a network interface name, an IP address, and a subnet mask, it modifies the IP address associated with that interface. For instance, the "ip external 192.168.22.254 255.255.255.0" command sets the IP address of the "external" network interface to 192.168.22.254 with the subnet mask 255.255.255.0.
Invoked without any arguments, the conf command displays the list of all configuration commands and their associated arguments that form the configuration. In CacheGuard-OS, there is always a current (or running) configuration and a new configuration. The new configuration may be identical to or different from the current configuration. If a configuration command is invoked with arguments that modify the current configuration, the new and current configurations will differ. It is important to note that invoking configuration commands does not immediately affect the running configuration.
To activate a new configuration, or in other words to replace the running configuration with a new one, the apply command must be invoked. You can use the conf diff command to compare the new configuration with the running configuration and display their differences.
Command Arguments
There are four types of command arguments:
- Scalar arguments (for example, an IP address)
- Keyword arguments (for example, external)
- Boolean parameters (valid values are on and off)
- List arguments (for example, a list of static IP routes)
A Boolean parameter is typically used to activate (on) or deactivate (off) a sub-configuration state. For example, the mode cache on command activates Web caching. A list argument is managed using the following keyword arguments:
- add: adds an element to the end of a list.
- insert: inserts an element before a specified element in a list.
- del: deletes an element from a list.
- raz: clears (empties) the list.
For example, the ip route add 10.0.10.0 255.255.255.0 192.168.60.254 command adds a route to 10.0.10.0 255.255.255.0 via the 192.168.60.254 gateway to the list of static routes. The ip route del 10.0.10.0 255.255.255.0 192.168.60.254 command removes that route, and the ip route raz command removes all routes from the list of static routes.
Applying a Configuration
In CacheGuard-OS, there is always a current (or running) configuration and a new configuration. To activate the new configuration, the apply command must be invoked. The apply operation is a background process that may take from a few seconds to several minutes, depending on the nature of the new configuration and the performance of the machine running CacheGuard-OS. The apply report command allows you to obtain an execution report of the most recent apply operation. If, after making a new configuration, you decide to discard it, use the cancel command. The cancel command cannot be invoked while an apply operation is running. To cancel an ongoing apply operation, use the apply cancel command.
The new configuration to be applied is a set of commands that must form a consistent configuration. In other words, commands in a configuration must be compatible with one another. For example, you cannot activate (or apply) a configuration that specifies a static route via a gateway that is not within the broadcast domain of a connected network interface. The apply command is responsible for ensuring the integrity and consistency of configurations. If the new configuration is inconsistent, the apply command rejects it, the apply operation does not start, and a list of integrity errors is displayed.
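As an added illustration (not CacheGuard code, and not its CLI), the following Python model reproduces the behaviour described in the Command Arguments and Applying a Configuration sections: a list argument edited with add, del and raz, a new configuration held apart from the running one, conf diff, cancel, and an apply that rejects a static route whose gateway is not on the subnet of a connected interface. The class and method names are assumptions.

```python
import copy
import ipaddress

class Config:
    """Added model, not CacheGuard code: interface addresses and static routes."""
    def __init__(self):
        self.ips = {}     # interface name -> IPv4Interface
        self.routes = []  # ordered list of (IPv4Network, gateway IPv4Address)
    def ip(self, iface, addr, mask):
        # 'ip <iface> <addr> <mask>': set the address of a network interface
        self.ips[iface] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    def ip_route(self, op, *args):
        # 'ip route add|del|raz ...': manage the static route list argument
        if op == "raz":
            self.routes.clear()
            return
        entry = (ipaddress.IPv4Network(f"{args[0]}/{args[1]}"),
                 ipaddress.IPv4Address(args[2]))
        if op == "add":
            self.routes.append(entry)
        elif op == "del":
            self.routes.remove(entry)
        else:
            raise ValueError(f"unsupported list operation: {op}")
    def commands(self):
        # the command list that 'conf' displays for this configuration
        lines = [f"ip {n} {i.ip} {i.netmask}" for n, i in sorted(self.ips.items())]
        return lines + [f"ip route add {n.network_address} {n.netmask} {g}"
                        for n, g in self.routes]
    def integrity_errors(self):
        # a route's gateway must lie in the subnet of a connected interface
        return [f"route {n} via {g}: gateway not on any connected interface"
                for n, g in self.routes
                if not any(g in i.network for i in self.ips.values())]

class Appliance:
    """The running configuration and the new, not yet applied, one."""
    def __init__(self):
        self.running, self.new = Config(), Config()
    def conf_diff(self):  # 'conf diff': running vs. new as -/+ command lines
        old, new = set(self.running.commands()), set(self.new.commands())
        return sorted("- " + c for c in old - new) + sorted("+ " + c for c in new - old)
    def apply(self):  # reject an inconsistent new config, else make it running
        errors = self.new.integrity_errors()
        if not errors:
            self.running = copy.deepcopy(self.new)
        return errors
    def cancel(self):  # discard the new configuration
        self.new = copy.deepcopy(self.running)
```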
Load and Save a Configuration
The current or new configuration can be saved on a file server (FTP, TFTP, etc.). Only trusted file servers are permitted to exchange files with a CacheGuard appliance. Therefore, it is necessary to trust a file server before saving a configuration on it. You must use the access command to add a file server to the list of trusted file servers. For example, to trust a TFTP file server with the IP address 172.18.2.1 for file exchange via the internal network interface, use the following commands:
- access file add internal 172.18.2.1
- apply
Once the apply operation is complete, you can save the current configuration to a file named cacheguard.conf on that server using the conf save tftp 172.18.2.1 cacheguard.conf command. The saved file will contain a list of configuration commands. The configuration file can be reloaded into the system at any time using the conf load tftp 172.18.2.1 cacheguard.conf command. Please note that the apply command is not included in the saved file and must be manually executed afterwards.
The configuration discussed in this section is also known as the logical configuration, as the real operational configuration may include additional data or files such as SSL certificates, custom WAF rules, and SSH public keys. To save all related data to a configuration in separate files on a file server, use the file command. For example, to save all data related to a configuration in a folder named "CGFiles" on a TFTP file server with the IP address 172.18.2.1, use the file save tftp 172.18.2.1 CGFiles command. To reload those files back into the system, use the file load tftp 172.18.2.1 CGFiles command.