CacheGuard-OS
User's Guide - Version UF-2.2.2
Configuration Management
A CacheGuard appliance is configured and administered using online commands or the Web administration GUI. There are mainly two types of commands: commands with an immediate action and configuration commands. A CacheGuard configuration is represented by a set of configuration commands invoked with adequate arguments.
Configuration commands can be invoked with or without arguments. Without any arguments, a configuration command normally displays the configuration related to that command. Invoked with one or more arguments, a command normally modifies the configuration. For instance, the ip command invoked without any arguments displays all IP addresses associated with network interfaces, while invoked with a network interface name, an IP address and a mask, it modifies the IP address associated with that network interface. For instance, the "ip external 192.168.22.254 255.255.255.0" command sets the IP address associated with the "external" network interface to 192.168.22.254 255.255.255.0.
Invoked without any arguments, the conf command displays the list of all configuration commands and their associated arguments that form a configuration. With CacheGuard-OS, there is always a current (or running) configuration and a new configuration. The new configuration may be the same as or different from the current configuration. If a configuration command is invoked with arguments that modify the current configuration, the new and current configurations will differ. It is important to note that invoking configuration commands has no immediate impact on the running configuration.
To activate a new configuration, or in other words to replace the running configuration with a new configuration, the apply command should be invoked. You can use the "conf diff" command to compare the new configuration against the running configuration and display the difference between them.
Command Arguments
There are 4 types of command arguments:
- Scalar arguments like an IP address
- Keyword arguments like external
- Boolean parameters (allowed values are on and off)
- List arguments like a list of static IP routes
A boolean is normally used to activate (value on) or deactivate (value off) a sub configuration state. For instance, the "mode cache on" command allows you to activate Web caching. A list argument is manipulated using the following keyword arguments:
- add: adds an element to the end of a list.
- insert: inserts an element before a given element in a list.
- del: deletes an element from a list.
- raz: erases (empties) the list.
For instance, the "ip route add 10.0.10.0 255.255.255.0 192.168.60.254" command adds a route to 10.0.10.0 255.255.255.0 via the 192.168.60.254 gateway to the list of static routes; the "ip route del 10.0.10.0 255.255.255.0 192.168.60.254" command removes that route, and the "ip route raz" command removes all routes from the list of static routes.
Applying a Configuration
With CacheGuard-OS, there is always a current (or running) configuration and a new configuration. To activate the new configuration, the apply command should be invoked. The apply operation is a background job that can take from seconds to minutes, depending on the nature of the new configuration to apply and the performance of the machine on which CacheGuard-OS is running. The "apply report" command allows you to get the execution state report of the latest apply operation. If, after having made a new configuration, you decide to abandon it, you can use the cancel command. The cancel command can't be invoked when an apply operation is running. To cancel a running apply operation, you can use the "apply cancel" command.
The new configuration to apply is a set of commands that should form a consistent configuration. In other words, commands in a configuration should be compatible with each other. For instance, you can’t activate (or apply) a configuration that specifies a static route via a gateway that is not in the broadcast domain of a connected network interface. The apply command is responsible for the integrity and consistency of configurations. If the new configuration to apply is inconsistent, the apply command rejects that configuration: the apply operation does not start and a list of integrity errors is displayed instead.
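The consistency rule above, as an added example (not CacheGuard code): a Python pre-check that replays the ip and ip route add/del/raz commands in the syntax this guide shows and reports static routes whose gateway lies in no configured interface's subnet. The one-command-per-line input, the sample addresses and the function names are assumptions, and the appliance's own apply checks may differ.

```python
import ipaddress

# Constructed sample input, written in the command syntax shown in this guide.
SAMPLE_CONF = """\
ip external 192.168.22.254 255.255.255.0
ip internal 172.18.2.254 255.255.255.0
ip route add 10.0.10.0 255.255.255.0 192.168.22.1
ip route add 10.0.20.0 255.255.255.0 192.168.60.254
"""

def parse(conf_text):
    """Replay ip commands; return ({iface: IPv4Interface}, [(network, gateway)])."""
    interfaces, routes = {}, []
    for line in conf_text.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "route"] and len(tok) >= 3:
            if tok[2] == "raz":                      # raz empties the route list
                routes.clear()
            elif tok[2] in ("add", "del") and len(tok) == 6:
                route = (ipaddress.ip_network(f"{tok[3]}/{tok[4]}"),
                         ipaddress.ip_address(tok[5]))
                if tok[2] == "add":                  # add appends to the list
                    routes.append(route)
                elif route in routes:                # del removes a matching entry
                    routes.remove(route)
        elif len(tok) == 4 and tok[0] == "ip":       # ip <interface> <address> <mask>
            interfaces[tok[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
    return interfaces, routes

def unreachable_gateways(conf_text):
    """Return (destination, gateway) for routes whose gateway is on no interface subnet."""
    interfaces, routes = parse(conf_text)
    return [(str(dest), str(gw)) for dest, gw in routes
            if not any(gw in i.network for i in interfaces.values())]

if __name__ == "__main__":
    for dest, gw in unreachable_gateways(SAMPLE_CONF):
        print(f"route {dest}: gateway {gw} is not on a connected network")
```

Lines using the insert keyword are skipped because this guide does not show their argument syntax.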
Load & Save a Configuration
The current or new configuration can be saved on a file server (FTP, TFTP...). Note that only trusted file servers are allowed to exchange files with a CacheGuard appliance. That's why it is necessary to trust a file server before being able to save a configuration on it. You must use the access command to add a file server to the list of trusted file servers. For instance, to trust the TFTP file server having the 172.18.2.1 IP address to exchange files via the internal network interface, use the following commands:
- access file add internal 172.18.2.1
- apply
Once the apply operation is finished, you can save the current configuration in a file named cacheguard.conf on that server by using the "conf save tftp 172.18.2.1 cacheguard.conf" command. The saved file will contain a list of configuration commands. The saved configuration file can be loaded at any time into the system using the "conf load tftp 172.18.2.1 cacheguard.conf" command. Please note that the apply command is not included in the saved file and should be manually invoked afterwards.
The configuration that is the subject of this documentation section is also called the logical configuration, as the real operational configuration may contain additional data/files such as, but not limited to, SSL certificates, custom WAF rules and SSH public keys. To save all data related to a configuration in separate files on a file server, you must use the file command. For instance, to save all data related to a configuration in a folder named "CGFiles" on a TFTP file server having the 172.18.2.1 IP address, use the "file save tftp 172.18.2.1 CGFiles" command. To reload those files back into the system, use the "file load tftp 172.18.2.1 CGFiles" command.