The Device UI performs the following verification:
- Verify the IP address of the on-prem host
- Verify DNS
- Verify the DHCP connection
- Verify IP
- Verify NTP connectivity
- Verify access to the Cloud Services Portal
- Validate time is synchronized
- Perform explicit proxy test
- Verify Docker rules
- Verify Docker Bridge settings
- Verify Kubernetes Bridge settings
- Verify join token
After the Device UI completes the verification, it displays the results and status in the following sections: Network, HTTP(S) Proxy, NTP, Docker, Join Token, and Cloud Connectivity. For information about the verification results, see 54140400.
Accessing the Device UI
- Open a browser window.
Launch the Device UI by entering the IP address of the on-prem host in this format:
https://<Host IP address>
If there was no DHCP server available in your network and you did not configure a static IP when you initially set up your on-prem host, the host will fall back to the default IP address 192.168.1.2.
- Enter the following local access credentials:
- Username: Enter "admin" as the login user name for the on-prem host.
- Password: Enter the last eight digits (the last four octets) of the serial number for the on-prem host. For physical on-prem hosts, you can get the serial number through the Cloud Services Portal. The serial number is also printed on the physical appliance itself and is available through the appliance console (if you connect the appliance to a monitor). For virtual hosts, you can get the serial number when you connect to the virtual console.
Viewing Device Status and Configuration
When you launch the Device UI, it displays the overall configuration status in the left panel and the configuration details in the right panel (Configuration panel).
In the left panel, you can identify the overall status for each configuration component through the following status icons:
- = The service is running properly and connectivity is good. No corrective action is required.
- = The service has not been started and no connectivity has been established. Configure the service if necessary.
- = The service or connectivity failed. Take corrective actions by modifying the configuration.
In the Configuration panel, you can view the overall status for each connectivity as well as each individual component, as follows:
- = The service, connection, and settings have been verified and functioning properly.
- = The service or connection has not started yet.
- = The service, connection, and/or settings failed. Take corrective actions by modifying the configuration.
- = No configuration has been set for this service, therefore, no verification is done until you set up the necessary configuration.
In the Configuration panel, the Device UI displays detailed information about the networking and service configurations. You can view the current configuration and connectivity of your on-prem host and fix any problematic areas, if applicable.
- You must enable local access on the on-prem host before you can make configuration changes to the following settings. For information about local access, see Managing Local Access for On-Prem Hosts.
- If you update any configuration on an on-prem host that has a connection issue with BloxOne Cloud and has a secondary interface configured, the secondary interface could be removed from the on-prem host.
Your on-prem host must have internet access in order to establish connectivity to the Cloud Services Portal.
Select one of the following to set up the network configuration:
IPv4 Network Mode: Select one of the following for your IPv4 network:
- DHCP: If your network contains a DHCP server, select DHCP to automatically receive a dynamic IPv4 address for the on-prem host.
- Static: If you want to assign a specific IPv4 address to your on-prem host, select Static to manually configure the IPv4 address, netmask or CIDR, and the default gateway for the on-prem host.
IPv6 Network Mode: Select one of the following for your IPv6 network:
- DHCP: If your network contains a DHCP server, select DHCP to automatically receive a dynamic IPv6 address for the on-prem host.
- RA: Select this to use router advertisements in your IPv6 network. The on-prem host auto-generates a link-local address to communicate with other hosts or neighbors on the same network.
- Auto Select: Select this to allow the system to select the best way to obtain an IPv6 address for the on-prem host.
- Static: If you want to assign a specific IPv6 address to your on-prem host, select Static to manually configure the IPv6 address, CIDR, and the default gateway for the on-prem host.
DNS Resolvers: You can configure specific DNS resolver(s) that your on-prem host uses to resolve DNS requests. For multiple resolvers, enter the IP addresses separated by commas (,).
Advanced Settings: Expand this section to configure IPv4 and IPv6 MTU (Maximum Transmission Unit) for your network path:
- Disable Path MTU Discovery: Toggle to enable or disable path MTU discovery. Path MTU discovery is used to determine the MTU size to avoid IP fragmentation. Path MTU discovery is enabled by default.
- IPv4 MTU Settings: Enter the maximum transmission unit for your IPv4 network, which is the size of the largest protocol data unit that can be communicated in a single network layer transaction. Valid values are from 1280 to 9000. For dual stack configuration, valid values are from 1280 to 9000. The default value is 1500.
- IPv6 MTU Settings: Enter the maximum transmission unit for your IPv6 network, which is the size of the largest protocol data unit that can be communicated in a single network layer transaction. Valid values are from 1280 to 9000. The default value is 1500.
The system validates the IP address, DHCP connection, and the DNS service, and the Device UI displays the current status of each component.
Based on your business needs, you may need to configure an HTTP or HTTPS proxy server to handle HTTP(S) requests from clients over the LAN or Internet.
Enter the HTTP or HTTPS proxy in this format: http(s)://[username:password@]<proxy domain>:<proxy port>
- username and password = The credential you use to log in to the proxy.
- proxy domain = The domain name of the proxy.
- proxy port = The port number you use to access the proxy.
You can set up specific NTP server(s) with which your appliance synchronizes time. If you have not configured any NTP server or local DNS resolver, the appliance uses the Ubuntu NTP server (ntp.ubuntu.org or ubuntu.pool.ntp.org) and Threat Defense Cloud DNS (IP: 220.127.116.11). Note that the communication to these services does not go through the HTTPS proxy, and you must ensure that the NTP port (UDP 123) and the DNS port (TCP/UDP 53) are opened on your firewall.
To configure NTP server(s), enter the IP address(es) or FQDN(s) of the NTP servers, separated by commas (,).
If your network service is deployed in a Docker container, you must complete the Docker configurations so your appliance can communicate with your network.
To configure Docker, enter the Docker bridge IP address and its netmask.
You can use an IP address for the Docker Bridge in a network no larger than a /24 subnet.
Kubernetes Bridge Settings
You can configure the Kubernetes Bridge settings in this section. If the network CIDRs are not configured, the Kubernetes Bridge uses the default IP of 10.42.0.0/16 for the cluster CIDR and 10.43.0.0/16 for the service CIDR. The system conduct a health check on the setting and displays OK if the settings are valid.
The Authentication section indicates whether the connection of your on-prem host to the Cloud Services Portal using the join token or serial number is successful or not. A join token is a special-purpose secret used to authenticate an on-prem host to automatically associate itself with its corresponding user account and establish a connection to the Cloud Services Portal. You must first create a join token through the Cloud Services Portal, and then assign the token to the corresponding host.
The Device UI displays the join token and serial number of the on-prem host in this section. If authentication failed, you can verify the join token and correct in the join token field. If the authentication failed due to an incorrect serial number, you can modify the serial number in the Cloud Services Portal. Note that the serial number displayed here is automatically populated from the information you provided either via the Cloud Services Portal. You cannot modify the serial number here.
The Cloud Connectivity status shows you whether your on-prem host has successfully established a connection to the Cloud Services Portal. If the connectivity status is "Failed," check all failed services and take corrective actions.
This page has no comments.