CacheGuard-OS
User's Guide - Version UF-2.2.2
General Modes
CacheGuard appliance is an integrated appliance that Secures and Optimises the internet traffic by providing a whole range of features. To get a perfectly optimised appliance configuration, it is recommended that you activate features that you actually need and deactivate all others. But if needed, it is possible to activate all available features at the same time on the same appliance and all activated features would work seamlessly and efficiently together.
The mode command allows you to activate or deactivate different features called modes. For almost all modes, there is a command with the same name that allows you to configure that mode. For instance, the embedded firewall can be activated by using the mode firewall on command and the firewall can be configured using the firewall command. We can distinguish two groups of modes: network modes and function modes. Sections below give you a brief description of all avaialble modes. Note that the apply command must be invoked after activating or deactivating a mode.
Network Modes
This section gives a brief description of all network modes. Available network modes operate at the (TCP/UDP) IP level and are as follows:
DHCP server
CacheGuard appliance can provide dynamic IP addresses to connected devices ;integrates a DHCP server to dynamically deliver IP . To activate the DHCP server use the
mode dhcp on command. You can configure the DHCP server using the
dhcp command. That commands allows you the define dynamic IP ranges and, if needed, reserve IP addresses for your devices.
Caching DNS
CacheGuard appliance integrates a caching only Domain Name Server that can be used by all other integrated services but also external clients. To activate the integrated DNS server and make it available to be used by external clients, use the following commands:
- dns raz
- dns add localhost
- mode dns on
High Availability
Two or more CacheGuard appliances can be implemented in a HA (High Availability) mode by using the VRRP protocol. In addition, network interfaces (
external,
internal...) of a CacheGuard appliance can be associated to more than a physical network interface to offer link resiliency. To activate the HA mode, use the
mode ha on command. Once the HA mode is activated, you must use the
vrrp command to associate one or more VRRP IP addresses to at least one network interface. To associate more than a physical network interface to a network interface use the
link command.
Passive FTP
By default, CacheGuard appliance uses the passive FTP protocol to initiate FTP sessions with external FTP servers. To use the active FTP mode, you must deactivate the passive FTP mode. To deactivate the passive FTP mode, use the
mode ftppassive on command. Please note that switching between the passive and active FTP modes is done globally (you can't select the FTP mode for particular FTP session).
Quality of Service
CacheGuard appliance can shape and schedule the network traffic to offer QoS (Quality of Service) to your users an applications. Using the QoS manager in a CacheGuard appliance allows you to reserve the required network bandwidth for your most critical applications. To activate the QoS mode, use the
mode qos on command. Then, you can use the
qos command to configure the traffic shaping at your conveniences. All traffic destined to services (proxy, antivirus...) running on the appliance itself as well as the traffic that is only routed via the appliance are handled by the QoS manager.
Network Router
CacheGuard appliance can act as a network router supporting static routes and multi gateways configuration. Use the
mode router on command to activate the router mode. To configure the routing, use the
ip route command.
Source NAT
CacheGuard appliance can NAT (Network Address Translation) the source IP address of all outgoing traffic via its external network interface with its own external IP address. This mode is called snat (for source NAT) and you can activate it using the
mode snat on command.
Transparent Web
CacheGuard appliance can be transparently implemented in a network to intercept Web traffic in order to be managed (cached, filtered...). In a transparent implementation, there is no need to configure Web browsers to use CacheGuard appliance as a Web proxy. The easiest way to transparently implement a CacheGuard appliance in a network is to use it as the default gateway to the internet. This mode is called tweb (or transparent) and can be activated by using the
mode tweb on (or
mode transparent on) command. The
transparent (or
tweb) command can then be used to selectively intercept Web traffic.
As HTTP is increasingly being replaced by HTTPS on the Web, the power of the transparent mode is considerably reduced. But fortunately CacheGuard appliance can also be configured to intercept HTTPS traffic. The transparent interception of HTTPS traffic is called the sslmediate mode and is described in the Function Modes section below. The sslmediate mode is considered as a function mode rather than a network mode as its implementation requires to deal with SSL CA certificates in addition to the network configuration.
Transparent Web SNAT
In transparent mode (
tweb is activated), intercepted Web traffic can preserve their real IP addresses or be Source NATed with the CacheGuard appliance external IP address. The
tnat (transparent NAT) mode allows you to activate (
on) source IP address NATing of transparently intercepted Web traffic. The
tnat mode is activated by default. To deactivate it, use the command
mode tnat off. Please note that when the
tnat is deactivated, routed Web traffic should not be asymmetric against CacheGuard appliance (ie. all incoming and outgoing Web traffic exchanged with Web clients should be routed from the same CacheGuard appliance network interface).
Tagged VLANs
CacheGuard appliance supports 802.1q VLAN (Virtual LAN) tagging on its internal network interface to secure and isolate predefined functional traffic (
admin,
web,
rweb...). To activate the VLAN mode, use the
mode vlan on command. Once the VLAN mode is activated, you must use the
vlan and
ip commands to define VLANs and affect IP addresses to them.
If you activate both the web and rweb modes at the same time on the same appliance and in your configuration your CacheGuard appliance SSL offloads HTTPS traffic destined to your Web applications (network traffic between CacheGuard and real Web servers are unencrypted), you would probably need to use a distinct VLAN for the rweb traffic type. Refer to the rweb command to know how to configure the rweb mode for SSL offloading.
Function Modes
This section gives a brief description of all function modes. Available function modes operate at the application level and are as follows:
Anonymous Browsing
CacheGuard appliance can alter some HTTP headers to make anonymous Web requests. To activate the anonymous browsing mode, use the
mode anonymous on command. Please note that activating this mode can result in being bannded by some websites and thus it is recommendend to let this mode deactivated.
Antivirus
CacheGuard appliance embeds an antivirus that blocks malware (viruses, trojans and worms) in Web traffic destined to Web clients (humans or machines) as well as to Web servers. The antivirus can also be used as service by external systems such as an MTA (Mail Transfer Agent). To activate the antivirus use the
mode antivirus on command. The
antivirus command can be used to configure the antivirus.
Web Authentication
The embedded Web proxy in CacheGuard appliance can be configured to request LDAP or Kerberos servers to authenticate Web clients before granting them access to the Web (or Web servers in reverse mode). To activate the authentication mode, use the
mode authenticate on command. You must then use the
authenticate command to configure the authentication.
Statefull Firewall
CacheGuard appliance integrates a stateful firewall that allows you to control the routed network traffic based on its source and/or destination IP addresses and used protocol. In addition, the firewall allows you to NAT the source and/or destination IP of a network traffic. To activate the firewall mode, use the
mode firewall on command. The firewall can be configured using the
firewall command.
Forwarding Web Proxy
CacheGuard appliance integrates a forwarding Web proxy that allows you to do not expose your users directly to the internet. To activate the forwarding Web proxy mode, use the
mode web on command. The Web proxy combined with other modes such as, but not limited to, the firewall, antivirus, URL guarding and Web caching allows you to offer a high level of security and network traffic optimisation to your users.
HTTP Compression
CacheGuard appliance can compress in real time textual contents in Web traffic such as, but not limited to, HTML, CSS and JavaScript contents to save your network bandwidth usage. Use the
mode compress on command to activate the HTTP compression.
OCSP Responder
CacheGuard appliance can act as an OCSP responder to check the revocation status of certificates that are signed by its own CA certificate. To activate the OCSP responder, use the
mode ocsp on command. If your CacheGuard configuration uses certificates that are signed with its CA certificate, the activation of the embedded OCSP responder can be very useful. Signed certificates can be used by services such as the IPsec VPN server or the reverse Web proxy. You can use the
tls command to configure the OCSP responder.
Reverse Web Proxy
CacheGuard appliance integrates a reverse Web proxy that allows you to do not expose your Web servers directly to the internet. To activate the reverse Web proxy mode, use the
mode rweb on command. The reverse Web proxy combined with other modes such as, but not limited to, the firewall, antivirus, WAF and Web caching allows you to publish Web applications with a high level of security and network traffic optimisation. Use the
rweb command to configure the reverse proxy.
SSL Mediation
CacheGuard appliance can act as an SSL mediator between Web clients (humans or machines) and HTTPS Web servers located on the internet (in the external zone). When the SSL mediation mode is activated, the HTTPS traffic destined to Web clients is decrypted and then re-encrypted before being sent to Web clients. The SSL mediation allows the appliance to inspect HTTPS traffic in order to block malware or cache clean contents. To activate the SSL mediation mode, use the
mode sslmediate on command. The SSL mediation mode require that Web clients trust the CacheGuard appliance CA certificate. To manage the CacheGuard appliance CA certificate, use the
tls command. To configure the SSL mediation, use the
sslmediate command.
Traffic Logging
CacheGuard appliance can log allowed Web traffic as well as blocked (Web or non Web) traffic. The logging gives you visibility into traffic exchanged with or via the appliance. To activate the traffic logging, use the
mode log on command. You have the possibility to select which type of traffic should be logged. Logs are stored locally and can also be send in real time to remote syslog servers. Use the
log command to configure the traffic logging.
URL Guarding
CacheGuard appliance can act as a URL filter/guard that allows you to restrict the Web usage in your organisation. With the help of the URL guarding you can block the access to categories of websites such as, but not limited to, adult, gambling, hacking and advertisement. To activate the URL guarding mode use the
mode guard on command. URL guarding is based on lists of URLS (blacklists or white lists) that you can manage using the
urllist command. Use the
guard command to configure the URL guarding.
IPsec VPN
CacheGuard appliance embeds an IPsec VPN server that can be configured in site to site (inter site) or remote access mode. The IPsec VPN server combined with the forwarding or reverse Web proxy allows you to implement configurations in which Web clients and/or Web servers communicate with the appliance using secure VPN tunnels. To activate the IPsec VPN server, use the
mode vpnipsec on command. Use the
vpnipsec command to configure the IPsec VPN server.
Web Application Firewall
CacheGuard appliance integrates a WAF (Web Application Firewall) to protect Web applications against content attacks such as, but not limited to, XSS (cross site scripting), SQL injection and remote code execution. In addition, the WAF can block unwanted Web requests based on IP or country reputation. To activate the WAF, use the
mode waf on command in conjunction with the
mode rweb on command (the WAF can only operate when the reverse Web proxy is activated). To configure the WAF, use the
waf command.
Web Caching
CacheGuard appliance can cache the Web traffic to save your network bandwidth and in some environments accelerate the Web browsing. To activate the Web caching, use the
mode cache on command. To configure the Web caching, use the
cache command.