The multi-network-interface version of Exium’s Cyber Gateway (CGW) supports firewall replacement (or overlay) and Zero-Trust Secure Private Access (SPA) use cases.
Click on Gateways in the left menu bar → Add Gateway
Select Gateway Type as Multi Interface. Fill in the details and add Gateway.
Name - You may change the name of the CGW
Admin Notifications Email - Provide the email ID that will receive alerts/notifications related to the CGW
High Availability (HA) - Select ‘Yes’ if the CGW is to be deployed in High Availability mode. An HA setup needs 2 Ubuntu VMs, 2 Orange Pi boxes, or 2 units of any other recommended hardware
LAN Configuration
Multiple LAN subnets - Leave this set to No if only a single LAN interface is present
NAT on LAN - By default, NAT is performed on the LAN interface. If you don't want NAT on the LAN interface, set this to “No”
LAN Subnet - Enter the LAN subnet (e.g. 10.10.10.0/24). This will be added to the Gateway as a Trustpath automatically, so there is no need to add it as a Trustpath again. VERY IMPORTANT: This is the subnet that will be behind the gateway (i.e. plugged into the LAN port of the gateway) that you want remote users to be able to access. This is NOT the subnet that the WAN port of the gateway is on.
LAN Gateway - Specify the IP address of the Gateway that will be used by the devices behind the CGW in the LAN subnet specified in the parameter above. Any one IP in the range .251 to .254 of the LAN subnet can be used as the LAN Gateway IP. For example, if the LAN subnet is 10.10.10.0/24, you can use any one of 10.10.10.251 / 10.10.10.252 / 10.10.10.253 / 10.10.10.254. The configured Gateway IP will be installed on the CGW machine, so make sure it does not conflict with another address on the network.
Next HOP GW for LAN - Provide the gateway for LAN traffic. It is required when all LAN traffic has to be sent to an IP that handles communication with the actual core LAN network.
VLAN Configuration - Select Yes if CGW needs to support VLAN network segments
If Yes is selected, specify the VLAN IDs and VLAN subnets. By default, IP .251 of each provided VLAN subnet will be used as the Gateway of that VLAN segment and will be installed on the CGW machine.
Inter VLAN Communication - Select Yes, if inter VLAN communication should be allowed
DHCP
DHCP server - Select Yes if DHCP IP assignment should be done by the CGW.
If Yes is selected, a DHCP server will be started for the LAN as well as the VLAN network segments
Range - The DHCP starting IP and end IP. For a /24 network the defaults are 2 and 250, meaning that IPs from x.x.x.2 to x.x.x.250 will be allocated by the DHCP server.
All of the standard parameters above are required for CGW Multi Interface deployment.
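The addressing rules above can be checked before the values are entered in the console. The following is an added example, not Exium code: check_cgw_plan and its parameters are hypothetical names, it models only the /24 case used on this page, and it assumes the DHCP host range is applied to every LAN and VLAN segment.

```python
import ipaddress

GATEWAY_HOSTS = range(251, 255)  # page: LAN Gateway is one of .251 to .254
VLAN_GATEWAY_HOST = 251          # page: .251 of each VLAN subnet goes on the CGW


def check_cgw_plan(lan_subnet, lan_gateway, wan_ip, vlans=None, dhcp_range=(2, 250)):
    """Return problems found in a planned /24 CGW LAN/VLAN/DHCP configuration.

    Hypothetical helper. Assumes the DHCP host range applies to every segment.
    Raises ValueError if a subnet is written with host bits set.
    """
    lan = ipaddress.ip_network(lan_subnet)
    wan = ipaddress.ip_network(wan_ip, strict=False)  # WAN IP given with its prefix
    gw = ipaddress.ip_address(lan_gateway)
    if lan.prefixlen != 24:
        return [f"{lan}: only the page's /24 case is modelled here"]
    problems = []
    if lan.overlaps(wan):
        problems.append(f"LAN subnet {lan} overlaps the WAN-side network {wan}")
    allowed = [lan.network_address + host for host in GATEWAY_HOSTS]
    if gw not in allowed:
        problems.append(f"LAN gateway {gw} is not in {allowed[0]} to {allowed[-1]}")
    start, end = dhcp_range
    if not 1 <= start <= end <= 254:
        problems.append(f"DHCP range {start}-{end} is not a valid host range")
    elif gw in lan and start <= int(gw) - int(lan.network_address) <= end:
        problems.append(f"DHCP range {start}-{end} would lease the gateway IP {gw}")
    seen = {"LAN": lan, "WAN": wan}
    for vlan_id, subnet in (vlans or {}).items():
        net = ipaddress.ip_network(subnet)
        if not 1 <= vlan_id <= 4094:
            problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
        for name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"VLAN {vlan_id} subnet {net} overlaps {name} {other}")
        vlan_gw = net.network_address + VLAN_GATEWAY_HOST
        if net.prefixlen == 24 and start <= VLAN_GATEWAY_HOST <= end:
            problems.append(f"DHCP range {start}-{end} would lease VLAN {vlan_id} gateway {vlan_gw}")
        seen[f"VLAN {vlan_id}"] = net
    return problems


if __name__ == "__main__":
    # Constructed sample plan: documentation addresses, not a real deployment.
    for issue in check_cgw_plan("10.10.10.0/24", "10.10.10.253", "203.0.113.10/29",
                                vlans={30: "10.10.30.0/24"}, dhcp_range=(2, 252)):
        print("PROBLEM:", issue)
```

In the constructed plan, widening the DHCP range to .252 leaves the chosen LAN gateway (.253) safe but lets the server lease .251, which the CGW already holds as the VLAN gateway.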
The following are other advanced configurations
SDWAN
WAN Configuration - A static IP address along with its default gateway can be configured. This is mostly required when existing firewalls are replaced with the CGW and the ISP-provided public IP and gateway need to be configured on the CGW node directly
WAN IP(Primary) - Specify IP with subnet for Primary CGW node
WAN Gateway(Primary) - Specify gateway IP without subnet for Primary CGW node
If High Availability and WAN static IP are both enabled, the Secondary Node configuration needs to be added
WAN IP(Secondary) - Specify IP with subnet for Secondary CGW node
WAN Gateway(Secondary) - Specify gateway IP without subnet for Secondary CGW node
LAN Vulnerability scan - Select Yes to enable LAN vulnerability scan
Packet Capture - Select Yes to enable the packet capture modules in Cyber Gateway. Once this is enabled from the admin console, you can run packet captures on the CGW as needed
SSH over WAN - SSH is blocked on the WAN interface as the default security configuration for Cyber Gateway. You can allow SSH on the public WAN interface by selecting Yes
Network Access control (NAC) - Select Yes to enable Network Access Control
Access the CGW UI at http://LAN_Gateway_IP/. DNS Server and Webmin will have a default login/password. You can see them by clicking on “Credentials” highlighted in Home Page screenshot.