This section describes the fields in the System Settings tab of the Add Appliance page. See the Functions and Miscellaneous sections for descriptions of fields in those tabs.
Configuring System Settings
To configure the System Settings for an appliance, complete the following fields:
Name. The name of this appliance as it will appear in the admin UI. Ensure each appliance has a unique identity within the Collective and that it can be resolved by all other peers in the Collective (see appliance-to-appliance communications). Please pay careful attention to this when using Controllers where there are specific requirements. For details about certificate renewal, see Managing Appliances > Certificate Renewal.
Notes. Optional. Enter any notes for the appliance.
Tags. Click +Add to add tags to the appliance.
Automatic Hostname/IP Assignment. The hostname/IP will be automatically assigned using the cloud provider's metadata.
NOTE
This can only be used with AWS, Azure, GCP, and OpenStack.
Appliance Hostname/IP. This is the appliance's hostname. Use only fully-qualified domain names or IPv4/IPv6 addresses.
NOTE
You cannot change the hostname of a Controller that is part of a multi-Controller group.
Interfaces. Configure the network interfaces in the appliance, adding one entry for each interface that you want to use. For instance, if you are using a four-port NIC, you should configure eth0 to eth3. You can specify IPv4 and IPv6 address formats for each interface. When DHCP is used, some DHCP options are enabled by default.
Configure Interface. Select +Add to open the Interface window.
When using DHCP, only the first interface configured is allowed to use the DHCP options. This is done to prevent any conflicts that might result. This is likely to mean that you will need to add routes to the default Gateway and local network separately. To find the IP addresses of an appliance that is using DHCP, click on its status in the dashboard.
When using static addresses, you can associate multiple sequential IP aliases with the SNAT pool. This feature allows more internal connections to be established than the usual 65535 limit on a single IP address. Refer to Routing client traffic for more details.
The eth0 interface is enabled by default. You might want to add another if you require a management interface on the appliance.
Complete the fields in the following table to configure the interface:
| Field | Example |
|---|---|
| Enabled | active or not |
| Interface Name | eth0 |
| MTU | Allows alternative settings which might be required for some networks. When the value is removed the MTU will be set to 1500 unless the DHCP option for MTU has been enabled. Irrespective of this setting, 1500 is the maximum MTU that is supported for the tunneled traffic. |
| IPv4 Static Address | Enter an IPv4 address and subnet mask. If multiple IP aliases are being used, you can add this IP to the SNAT pool. |
| Address | 192.168.0.2 (sequential IP addresses must be used when assigning them to the SNAT pool) |
| Netmask Length | 24 |
| SNAT Pool | add this IP to the SNAT pool used for (protected) host connections |
| Enable IPv4 DHCP | Check this to enable DHCP for IPv4 and add required configurations |
| DNS | provide DNS (set by default) |
| Default Gateway | provide default Gateway (set by default) |
| NTP | If set to true, the DHCP client will ask for and/or use the provided NTP servers. |
| MTU | If set to true, the DHCP client will ask for and/or use the provided MTU value to set on the NIC. |
| IPv6 Static Address | Enter an IPv6 address and subnet mask. If multiple IP aliases are being used, you can add this IP to the SNAT pool. |
| Address | fe80::206:1bff:fec1:624c (sequential IP addresses must be used when assigning them to the SNAT pool) |
| Netmask Length | 64 |
| SNAT Pool | add this IP to the SNAT pool used for (protected) host connections |
| Enable IPv6 DHCP | Check this to enable DHCP for IPv6 and add required configurations |
| DNS | provide DNS (set by default) |
| NTP | If set to true, the DHCP client will ask for and/or use the provided NTP servers. |
| MTU | If set to true, the DHCP client will ask for and/or use the provided MTU value to set on the NIC. |
Routes. Static routes for sending packets to destinations which do not match any of the subnets assigned to any interface above.
Configure Routes. Select +Add to open the Route window.
The DHCP configuration (above) may apply the Default Route (if Default Gateway is enabled). Any DHCP route will always be applied first (unless the 60-second timeout is reached).
Static routes are applied in the order shown. So starting from A, to reach C—which is only reachable from the intermediate network B—you should have the routes in the following order:
route B via A
route C via B
The order can be changed using the up and down arrows shown against each route when you hover over it.
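The ordering rule above can be checked before the routes are entered. The following Python check is an added example, not part of the AppGate documentation or product: it reports every route whose gateway is not yet reachable at its position in the list. The function name, dictionary keys and sample addresses are constructed, and the reachability model (interface subnets plus the destinations of earlier routes, default routes excluded) is an assumption based on the A/B/C description.

```python
import ipaddress

def check_route_order(interface_cidrs, routes):
    """Return (index, destination, reason) for each route whose gateway is not
    reachable at the point in the list where the route is applied.

    interface_cidrs: interface addresses with prefix, e.g. "192.168.1.2/24"
    routes: ordered dicts with "dest" (CIDR) and an optional "gateway"
    (hypothetical structure, not an appliance API).
    """
    # Network A: everything directly attached to an interface.
    reachable = [ipaddress.ip_network(c, strict=False) for c in interface_cidrs]
    problems = []
    for index, route in enumerate(routes):
        dest = ipaddress.ip_network(route["dest"], strict=False)
        gateway = route.get("gateway")
        if gateway is not None:
            gw = ipaddress.ip_address(gateway)
            if not any(gw in net for net in reachable):
                problems.append((index, route["dest"],
                                 f"gateway {gateway} not reachable yet"))
                continue  # assumed: a route that cannot be applied adds nothing
        # Assumption: a default route is left out so it cannot hide a
        # mis-ordered pair of routes that follow it.
        if dest.prefixlen > 0:
            reachable.append(dest)
    return problems

# Constructed sample: eth0 sits in A, B is behind a router in A,
# and C is behind a router in B.
INTERFACES = ["192.168.1.2/24"]
ROUTE_B = {"dest": "192.168.2.0/24", "gateway": "192.168.1.1"}
ROUTE_C = {"dest": "10.0.3.0/24", "gateway": "192.168.2.1"}

if __name__ == "__main__":
    print(check_route_order(INTERFACES, [ROUTE_B, ROUTE_C]))  # B then C
    print(check_route_order(INTERFACES, [ROUTE_C, ROUTE_B]))  # C listed before B
```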

Complete the fields in the following table to configure the route:
| Field | Example |
|---|---|
| Address | 192.168.2.0 (IPv4 or IPv6 host or network address) |
| Netmask Length | 24 (set to 32 (IPv4) or 128 (IPv6) for single host) |
| Gateway | 192.168.1.1 (OPTIONAL: IP address to router) |
| Network Interface | eth1 (OPTIONAL: Interface to route packet to) |
| | |
| Address | 0.0.0.0 (Default route) |
| Netmask Length | 0 |
| Gateway | 19.80.3.1 (IP address of default Gateway) |
| Network Interface | |
DNS Servers. DNS servers to be used internally by the appliance. They are not normally used for entitlements, for which DNS is configured in Sites > Name Resolvers. However, they will be used to resolve entitlement actions when:
DNS has not been configured for the Site.
A resource name returns a hostname (rather than an IP address), such as with AWS load-balancers.
For more information on how entitlement actions are resolved please refer to DNS and name resolving.
NOTE
This might not need to be configured if using the DHCP DNS option in System Settings.
NTP Server. Configure one or more NTP servers for time synchronization unless included in DHCP options.
Hostname. Hostname or IP address of the NTP server.
Configure NTP Authenticated Time Service. AppGate ZTNA supports the use of NTP Authenticated Time Service, which allows the NTP client to verify that the server is known and trusted.
Symmetric Key Type. Enable NTP authentication by choosing one of the supported algorithms.
Keyno. Enter the key number you have been given, between 1 and 65535.
Key. Enter the key value you have been given; the key is case-sensitive.
NOTE
Accurate time is vital for the correct operation of the system. Always check the Dashboard to make sure there are no NTP errors reported.
SSH Server. Check to allow administrators to sign in to the appliance using SSH.
Password Authentication. Check to allow administrators to use password authentication for SSH. If disabled, SSH keys must be used to sign in to the appliance. For details of how to add SSH keys to an appliance, refer to System Security Best Practice.
Port. The default is port 22.
Allowed Sources (through appliance firewall). To allow inbound traffic, the requesting IP address must match at least one of these source addresses. By default, the list contains two entries: address 0.0.0.0 with netmask 0, and address :: with netmask 0. Together these match any IPv4 or IPv6 source.
If the list is empty, no connections are allowed.
If an entry contains address, netmask, and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
| Field | Example |
|---|---|
| Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
| Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
| Interface | (OPTIONAL: ethX, only allow connections through this interface) |
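The Allowed Sources matching rules can be modelled offline to review a planned SSH source list before it is applied. The following Python sketch is an added example, not AppGate code: it evaluates the four rules above and flags entries that accept any source on any interface, such as the two defaults. The entry dictionaries, function names and sample addresses are constructed, and entries that carry an address are assumed to carry a netmask, as in the table.

```python
import ipaddress

def source_allowed(entries, src_ip, in_iface):
    """Return True if a connection from src_ip arriving on in_iface matches
    at least one entry. An empty list allows nothing."""
    ip = ipaddress.ip_address(src_ip)
    for entry in entries:
        addr, iface = entry.get("address"), entry.get("interface")
        if addr is None and iface is None:
            continue  # assumption: an entry with nothing to match never matches
        if addr is not None:
            net = ipaddress.ip_network(f"{addr}/{entry['netmask']}", strict=False)
            if ip not in net:  # False as well when the IP versions differ
                continue
        if iface is not None and iface != in_iface:
            continue
        return True
    return False

def open_to_any(entries):
    """Entries with netmask 0 and no interface restriction."""
    return [e for e in entries
            if e.get("address") is not None
            and int(e["netmask"]) == 0
            and e.get("interface") is None]

# Constructed samples: the documented defaults and a restricted alternative
# that only admits a management subnet arriving on eth1.
DEFAULT = [{"address": "0.0.0.0", "netmask": 0}, {"address": "::", "netmask": 0}]
RESTRICTED = [{"address": "10.10.0.0", "netmask": 24, "interface": "eth1"}]

if __name__ == "__main__":
    for name, entries in (("default", DEFAULT), ("restricted", RESTRICTED)):
        print(name,
              source_allowed(entries, "203.0.113.9", "eth0"),
              source_allowed(entries, "10.10.0.7", "eth1"),
              open_to_any(entries))
```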