This section describes the fields in the System Settings tab.
Add/Edit Appliance
Name
The name of this appliance as it will appear in the Admin UI. Ensure each appliance has a unique identity within the Collective and that it can be resolved by all other peers in the Collective (see appliance-to-appliance communications). Please pay careful attention to this when using Controllers where there are specific requirements. For details about certificate renewal, see Managing Appliances > Certificate Renewal.
Settings
Automatic Hostname/IP Assignment
The Hostname/IP will be automatically assigned using the Cloud provider's metadata.
NOTE
This can only be used with AWS, Azure, GCP, and OpenStack.
Appliance Hostname/IP
This is the appliance's hostname. Use only a fully qualified domain name or an IPv4/IPv6 address.
NOTE
You cannot change the hostname of a Controller which is part of a multi-Controller group.
Interfaces
Configure the network interfaces in the appliance by adding one entry for each interface that you want to use. For instance, if you are using a 4-port NIC, you should configure eth0 to eth3. You can specify IPv4 and IPv6 addresses for each interface. When DHCP is used, some DHCP options are enabled by default.
When using DHCP - only the first interface configured is allowed to use the DHCP options. This is done to prevent any conflicts that might result. This is likely to mean that you will need to add routes to the default Gateway and local network separately. To find the IP addresses of an appliance that is using DHCP, click on its status in the dashboard.
When using Static addresses - there is the option to associate multiple sequential IP aliases to the SNAT pool. This feature will allow more internal connections to be established than the usual 65535 limit on a single IP address. Refer to Routing Client traffic for more details.
eth0 interface is enabled by default. You might want to add another, if for instance you require a management interface on the appliance.
| Field | Example |
|---|---|
| Enabled | active or not |
| Interface Name | eth0 |
| MTU | Allows alternative settings which might be required for some networks. When the value is removed the MTU will be set to 1500 unless the DHCP option for MTU has been enabled. Irrespective of this setting, 1500 is the maximum MTU that is supported for the tunneled traffic. |
| IPv4 Static Address: Enter an IPv4 address and subnet mask. If multiple IP aliases are being used, you can add this IP to the SNAT pool. | |
| Address | 192.168.0.2 (sequential IP addresses must be used when assigning them to the SNAT pool) |
| Netmask Length | 24 |
| SNAT Pool | add this IP to the SNAT pool used for (protected) host connections |
| Enable IPv4 DHCP: Check this to enable DHCP for IPv4 and add required configurations. | |
| DNS | provide DNS (set by default) |
| Default Gateway | provide default gateway (set by default) |
| NTP | If set to true, the DHCP client will ask for and/or use the provided NTP servers. |
| MTU | If set to true, the DHCP client will ask for and/or use the provided MTU value to set on the NIC. |
| IPv6 Static Address: Enter an IPv6 address and subnet mask. If multiple IP aliases are being used, you can add this IP to the SNAT pool. | |
| Address | fe80::206:1bff:fec1:624c (sequential IP addresses must be used when assigning them to the SNAT pool) |
| Netmask Length | 64 |
| SNAT Pool | add this IP to the SNAT pool used for (protected) host connections |
| Enable IPv6 DHCP: Check this to enable DHCP for IPv6 and add required configurations. | |
| DNS | provide DNS (set by default) |
| NTP | If set to true, the DHCP client will ask for and/or use the provided NTP servers. |
| MTU | If set to true, the DHCP client will ask for and/or use the provided MTU value to set on the NIC. |
Routes
Static routes for sending packets to destinations which do not match any of the subnets assigned to any interface above.
The DHCP configuration (above) may apply the Default Route (if Default Gateway is enabled). Any DHCP route will always be applied first (unless the 60-second timeout is reached).
The static routes are applied in the order shown. So, starting from A, to reach C, which is only reachable from the intermediate network B, you should have the routes in the following order:
route B via A
route C via B
The order can be changed using the up and down arrows shown against each route when you hover over it.
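The ordering rule above can be checked before a route list is saved. The following is an added example, not Appgate code: the function name, the sample addresses and the reachability model (a gateway is usable if it lies in an interface subnet or in the destination of an earlier route) are assumptions made for illustration.

```python
import ipaddress

def misordered_routes(interface_subnets, routes):
    """Return (destination, gateway) pairs whose gateway is not yet reachable.

    Assumed model: a gateway is usable if it lies inside a subnet assigned to
    an interface or inside the destination of a route applied earlier.
    """
    reachable = [ipaddress.ip_network(s, strict=False) for s in interface_subnets]
    problems = []
    for dest, gateway in routes:
        if gateway is not None:
            gw = ipaddress.ip_address(gateway)
            if not any(gw.version == n.version and gw in n for n in reachable):
                problems.append((dest, gateway))
                continue  # this route cannot be used at this position
        reachable.append(ipaddress.ip_network(dest, strict=False))
    return problems

# Constructed sample: A is the local network, B sits behind A, C sits behind B.
INTERFACES = ["192.168.1.2/24"]            # network A, assigned to an interface
ROUTE_B = ("10.0.2.0/24", "192.168.1.1")   # route B via A
ROUTE_C = ("10.0.3.0/24", "10.0.2.1")      # route C via B

if __name__ == "__main__":
    print("B then C:", misordered_routes(INTERFACES, [ROUTE_B, ROUTE_C]))
    print("C then B:", misordered_routes(INTERFACES, [ROUTE_C, ROUTE_B]))
```
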

| Field | Example |
|---|---|
| Address | 192.168.2.0 (IPv4 or IPv6 host or network address) |
| Netmask Length | 24 (set to 32 (IPv4) or 128 (IPv6) for single host) |
| Gateway | 192.168.1.1 (OPTIONAL: IP address to router) |
| Network Interface | eth1 (OPTIONAL: Interface to route packet to) |
| | |
| Address | 0.0.0.0 (Default route) |
| Netmask Length | 0 |
| Gateway | 19.80.3.1 (IP address of default gateway) |
| Network Interface | |
DNS Servers
DNS servers to be used internally by the appliance. Not normally used by , which are configured in Sites>Name Resolvers. However it will be used to resolve Entitlement Actions when:
DNS has not been configured for the Site.
A resource name returns a hostname (rather than an IP address), such as with AWS load-balancers.
For more information on how Entitlement Actions are resolved please refer to DNS and name resolving.
NOTE
This might not need to be configured if using the DHCP DNS option in System>Appliances>System Settings>Interfaces.
NTP Server
Configure one or more NTP servers for time synchronisation unless included in DHCP options.
NOTE
Accurate time is vital for the correct operation of the system. Always check the Dashboard to make sure there are no NTP errors reported.
Hostname
Hostname or IP address of the NTP server.
Configure NTP Authenticated Time Service
Appgate SDP supports the use of NTP Authenticated Time Service allowing the NTP client to verify that the server is known and trusted.
Symmetric Key Type
Enable NTP authentication by choosing one of the supported algorithms.
Keyno
Enter the key number you have been given; between 1 and 65535.
Key
Enter the key value you have been given; the key is case-sensitive.
SSH Server
Check to allow administrators to sign in to the appliance using SSH.
Password Authentication
Check to allow administrators to use password authentication for SSH. If disabled, SSH keys must be used to sign in to the appliance. For details of how to add SSH keys to an appliance, please refer to System Security Best Practice.
Port
The default is port 22.
Allowed Sources (through appliance firewall)
To allow inbound traffic, the requesting IP address must match at least one of these source addresses. By default, the list contains 2 entries: address 0.0.0.0 with netmask 0, and address :: with netmask 0.
If the list is empty, no connections are allowed.
If an entry contains address, netmask and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
| Field | Example |
|---|---|
| Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
| Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
| Interface | (OPTIONAL: ethX, only allow connections through this interface) |
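The Allowed Sources matching rules can be expressed as a small evaluator, which also makes it easy to audit a list for entries that admit every source, such as the two defaults. This is an added example, not Appgate code: the dictionary keys, function names and sample lists are hypothetical, and treating an address without a netmask (or the reverse) as a non-match is an assumption.

```python
import ipaddress

# Constructed sample: the default list described above (matches any source).
DEFAULT_SOURCES = [{"address": "0.0.0.0", "netmask": 0},
                   {"address": "::", "netmask": 0}]
# Constructed sample: SSH limited to a management subnet on eth1, plus all of eth2.
RESTRICTED_SOURCES = [{"address": "10.10.0.0", "netmask": 24, "interface": "eth1"},
                      {"interface": "eth2"}]

def entry_matches(entry, src_ip, in_iface):
    addr, mask = entry.get("address"), entry.get("netmask")
    iface = entry.get("interface")
    if (addr is None) != (mask is None):
        return False  # half-specified subnet: fail closed (assumption)
    if addr is None and iface is None:
        return False  # nothing to match on
    if addr is not None:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ip = ipaddress.ip_address(src_ip)
        if ip.version != net.version or ip not in net:
            return False  # subnet given, so it must match
    if iface is not None and iface != in_iface:
        return False      # interface given, so it must match too
    return True

def is_allowed(entries, src_ip, in_iface):
    # An empty list allows nothing; otherwise any single matching entry allows.
    return any(entry_matches(e, src_ip, in_iface) for e in entries)

def allow_all_entries(entries):
    """Entries with netmask 0 and no interface restriction (match every source)."""
    return [e for e in entries
            if e.get("address") is not None and e.get("netmask") == 0
            and e.get("interface") is None]

if __name__ == "__main__":
    print(is_allowed(RESTRICTED_SOURCES, "10.10.0.7", "eth0"))
    print(allow_all_entries(DEFAULT_SOURCES))
```
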