Centrally Managing Gaia Device Settings

In This Section: Overview of Gaia Central Management Managing Gaia in SmartDashboard Cloning Groups

Overview of Gaia Central Management

R77 SmartDashboard introduces a new Gateways view that lets you:

• Centrally configure network topology:
  • IPv4 and IPv6 addresses
  • IPv4 and IPv6 static routes
• Centrally configure device settings for these network services:
  • DNS
  • NTP
  • Proxy server
• Do Backup and Restore operations

  A compressed .tgz backup file captures the Gaia OS configuration and the firewall database.

• Do maintenance operations:
  • By opening the WebUI or command shell from SmartDashboard
  • By fetching settings from the device, or by pushing settings to the device
• Examine recent tasks:

  The Recent Tasks tab, located in the bottom section of SmartDashboard, shows recent Gaia Security Gateway management tasks done using SmartDashboard.

• Run command line scripts on the gateway

  Output from the commands shows in the Recent Tasks window. Double-click the task to see the complete output.

• Receive notification on local device configuration changes

  The Status column in the Gateways view indicates changes in the device configuration

• Implement configuration changes without a full policy install (Push Settings to Device action)
• Automate the configuration of Cloning Groups and synchronization between the members

Enabling Central Device Management

To enable central device management:

1. Open SmartDashboard > Global Properties > SmartDashboard Customization.
2. In the Central Device Management area, select Enable Central Device Management.
3. Restart SmartDashboard.
4. In the Gateways view, select a Gaia gateway.
5. Click Actions > Maintenance > Fetch Settings from Device.

   Open the gateway Properties window.

   Below Topology:

   • there are pages for IPv4 and IPv6 static routes
   • A new page for Network Services

Note:

• If you enable Central Device Management and then try to install a policy on a ClusterXL or VRRP Cluster (or push the settings) the policy install will fail. The members of the ClusterXL or VRRP cluster must be made members of a Gaia Cloning Group.
• Central Device Management actions are only available for R77 (and higher) Gaia gateways.
• SmartDashboard administrators with:
  • Full Read/Write permissions can run all Central Device Management Actions
  • Read/Write permissions on the objects database can run:
    • Backup (but not restore)
    • Push settings to device
    • Fetch settings from device

For more on creating Gaia Cloning Groups, see the R77 Gaia Administration Guide.

The Gaia Gateways View

From the Firewall tab > Gateways view, you can:

• Create and configure Security Gateways for all supported platforms
• Edit gateway properties
• Run scripts
• Do Backup and Restore operations
• Do maintenance actions

The Gateways view has configurable Display Columns:

Display Column	Shows
General	Gateway name Status IP Address Version OS Hardware type CPU Usage Last task done in SmartDashboard
Network Services	Gateway name Primary Secondary and Tertiary DNS addresses DNS suffix NTP server IP address NTP version Proxy server
Monitoring	Gateway name Number of new connections per second Number of concurrent connections Throughput per second in bytes Number of accepted packets per second Number dropped packets per second Number of rejected packets per second
Device info	Gateway name Status IP Address Version OS Hardware type CPU Usage Uptime Free memory (in Gigabytes) Total memory (in Gigabytes) Free disk space (in Gigabytes) Total disk space (in Gigabytes)

Managing Gaia in SmartDashboard

After enabling Central management, Gaia gateways can be more effectively managed through SmartDashboard.

Running Command Scripts

One Time scripts

You can manually enter and run a command line script on the selected Gaia Security Gateways. This feature is useful for scripts that you do not have to run on a regular basis.

To run a one time script:

1. Right-click the Security Gateway.
2. Select Scripts > Run One Time Script.
3. The Run One Time Script window opens

   You can:

   • Enter the command in the Script Body text box and specify script arguments, or
   • Load the complete command from a text file

     Note:

     • By default, the maximum size of a script is: 8kb.
     • This value can be changed in Global Properties > SmartDashboard Customization > Advanced Configuration > Configure > Central Device Management.
4. Click Run.

   The output from the script shows in the Recent Tasks tab > Details column.

   • Double-clicking the task shows the output in a larger window
   • You can also right-click the task, and select View, and then Copy to Clipboard

   Note:

   • The Run One Time Script window does not support interactive or continuous scripts. To run interactive or continuous scripts, open a command shell.
   • If the gateways are not part of a Cloning Group, you can run a script on multiple gateways at the same time.

Run Repository Script

You can run a predefined script from a repository.

To run a Repository script:

1. Right-click the Security Gateway.
2. Select Scripts > Run Repository Script.
3. The Select Script window opens

   You can:

   • Select a script from the drop-down box, or click New to create a new script for the repository.
   • Enter script arguments

   Note: The Select Script window does not support interactive or continuous scripts. To run interactive or continuous scripts, open a command shell.

4. Click Run.

   The output from the script shows in the Recent Tasks tab > Details column.

   • Placing the mouse in the Details column shows the output in a larger window
   • You can also right-click, and select View, or Copy to Clipboard

Manage repository scripts

You can create new scripts, edit or delete scripts from the script repository.

To manage scripts:

1. Right-click the Security Gateway.
2. Select Scripts > Manage Script Repository
3. The Manage Scripts window opens

Note: You can also run and manage scripts by clicking Scripts in the Gateways view.

Backup and Restore

These options let you:

• Back up the Gaia OS configuration and the firewall database to a compressed file
• Restore the Gaia OS configuration and the firewall database from a compressed file

To back up a configuration:

1. Right-click the Security Gateway.
2. Select Backup and Restore > Backup.

   The Backup window opens.

3. Select the backup location.

   The backup location can be on the local gateway or a remote server.

   If the location is a remote server, enter the:

   • IP address
   • Transfer protocol
   • Authentication credentials - username and password
   • Path to a backup directory. The path must start and end with (/).

   For example: /ftproot/backup/

   Or just (/) for the root directory of the server.

4. Click OK.

   The status of the Backup operation shows in Recent Tasks.

   When the task is complete, double-click the entry to see the file path and name of the backup file.

   Note: This name is necessary to do a system restore.

   To backup multiple Security Gateways, select them in the Gateways view and click Actions > Backup and Restore > Backup.

To restore a configuration:

1. Select Backup and Restore > Restore.

   The Restore window opens.

2. In the Restore File text box, enter the name of the backup file.

   If you cannot find the name of the file in Recent Tasks, or did not save the file name after completing the backup process:

   1. Right-click the Security Gateway.
   2. Select Maintenance > Open Shell.
   3. On the gateway, run the clish command: show backup logs.
   4. Find the name of the compressed backup file.

      The file will be named according to this convention:

      backup_<name of gateway object>_<date of backup>.tgz

3. Specify if the file is on the local gateway or remote backup server.

   If the location is a remote server, enter the:

   • IP address
   • Transfer protocol
   • Authentication credentials
   • Path to a backup directory. The path must start and end with (/).

     For example: /ftproot/backup/

     Or just (/) for the root directory of the server.

4. Click OK.
   • Connectivity to the gateway is lost
   • The gateway automatically reboots
5. Install a policy.

   The status of the restore operation shows in Recent Tasks.

Maintenance

Maintenance has four options:

• Open Shell
• Open WebUI
• Fetch settings from device
• Push settings to device

You can select them from the right-click menu of a gateway, or from the Actions button.

Open Shell

From SmartDashboard, you can open a command line window on the gateway.

To open a command line window on the gateway:

1. Right-click the Security Gateway.
2. Select Maintenance > Open Shell.

   A command line window opens.

   • You are logged in as Gaia admin user with superuser permissions
   • The Open Shell uses public key authentication

Open WebUI

From SmartDashboard, you can open a gateway WebUI.

To open a gateway WebUI:

1. Right-click the Security Gateway.
2. Select Maintenance > Open WebUI

   The WebUI opens in the default browser.

   The URL is taken from the Gateway Properties > Platform Portal page.

Fetch Settings from Device

Settings on the device can be changed through the WebUI or by opening the Gaia command shell, clish. After settings have been changed on the device, a mismatch exists between the actual device settings and those shown in SmartDashboard. The Status column in the Gateways view shows one of these messages:

Status Message	Meaning
OK	The settings shown in SmartDashboard match those of the device.
SIC not established	No Secure Internal Communication between the management and the Security Gateway.
Disconnected	No connection between the Security Management and the gateway
Local Change Detected	Device settings have been changed through the WebUI or command shell (clish). To update SmartDashboard, fetch settings from the device. For more about the change, see the SmartView Tracker audit log.
Device Settings Conflict	Device settings changed simultaneously in SmartDashboard and WebUI/ clish. If you fetch settings from device, device settings overwrite SmartDashboard settings If you push settings to device, SmartDashboard settings overwrite settings on the device
No license	No License or License Expired. See SmartView Monitor for more details.
Policy is Not installed
Attention	See SmartView Monitor for more details.
Above Threshold	See SmartView Monitor for more details.
Refreshing...
Waiting...

To update the settings shown in SmartDashboard:

1. In the Gateway view, select the gateway.
2. Click Actions > Maintenance > Fetch settings from device.

   The settings fetched are:

   • Interface IP Addresses
   • IPv4 and IPv6 static routes
   • NTP and DNS settings
   • Proxy settings

   The status of the fetch operation shows in Recent Tasks.

3. Reapply the required changes.
4. Install a policy.

Note: You must run Fetch settings from device after creating a new Gaia gateway from the Gateways view.

Push Settings to device

Settings configured in SmartDashboard can be transferred to the Gaia device by:

• Installing a policy

  The recommended method.

• Pushing the settings to the device

  An advanced option that only installs device settings, not the full security policy. This is useful for changing DNS or NTP server settings without the overhead of a full policy install. Only the configuration changes are pushed.

  Note: If you change an IP interface address, do a full policy install rather than push the settings to the device.

To push settings to the device:

1. In the Gateways view, select the gateway.
2. Click Actions > Maintenance > Push settings to device.

   The settings pushed are:

   • Interface IP Addresses
   • IPv4 and IPv6 static routes
   • NTP and DNS settings
   • Proxy settings

The status of the push operation shows in Recent Tasks.

Managing Clusters (ClusterXL or VRRP)

The Central Device Management Actions that you can run on a Gaia gateway can also be run on a Gaia cluster, but with these differences:

Action	On a gateway	On a cluster object in SmartDashboard
Backup	Backs up the Gaia OS configuration and the firewall database to a compressed file	This option is: Disabled on a cluster object Available only on member objects
Restore	Restores the Gaia OS configuration and the firewall database from a compressed file	This option is: Disabled on a cluster object Available only on member objects
Fetch settings from device	Gets these settings from the device: Interface IP Addresses IPv4 and IPv6 static routes NTP and DNS settings Proxy settings	This option is: Enabled on a cluster object Disabled on member objects
Push settings to device	Pushes these settings to the device: Interface IP Addresses IPv4 and IPv6 static routes NTP and DNS settings Proxy settings	This option is: Enabled on a cluster object, but does not push IP interface addresses. Disabled on member objects

Cloning Groups

Gaia Cloning Groups let you manage multiple Gaia devices from the Gateways view in SmartDashboard.

A Cloning Group is a collection of Gaia gateways that share the same OS configuration and settings for a set of shared features. DNS or ARP are examples of shared features. OS configuration and the configuration of shared features is automatically synchronized between the member gateways.

To run Central Device Management Actions on a cluster (ClusterXL or VRRP), you must first configure the cluster as a Gaia Cloning Group.

This table summarizes the relation between the Gaia Cloning Group feature and SmartDashboard Central Device Management capabilities:

SmartDashboard object type	When Central Device Management enabled	When Central Device Management disabled
Single gateway object	Do not add gateways to a Cloning Group if you want to run Central Device Management Actions on them.	In the WebUI or through clish, optionally configure a Cloning Group to manage Gaia features across several gateways.
Cluster Object	Members must be part of the same Cloning Group	In the WebUI or through clish, optionally configure a Cloning Group to manage Gaia features across several gateways.

Important: When managing a cluster, a matching Cloning Group must be defined consisting of the exact same members as the cluster. Do not add other gateways.

For more on creating Gaia Cloning Groups, see the R77 Gaia Administration Guide.