When configuring a profile for Edge Access, select the appropriate option for Support Access, Console Access, USB Port Access, SNMP Access, and Local Web UI Access under the Firewall settings to harden the Edge. Restricting these settings limits the management services exposed on the Edge and the sources from which they can be reached; it does not by itself protect against every attacker, so combine it with the other firewall and access controls.

By default, Support access, Console access, SNMP access, and Local Web UI access are deactivated for security reasons.

Power-on Self-Test

In the 5.1.0 release, a power-on self-test is performed after the SD-WAN Orchestrator (and, as listed below, the Edge and SD-WAN Gateway) is powered on or rebooted, to verify who signed the software and to guarantee that critical files and code have not been altered or corrupted. Use cases for this feature include Common Criteria requirements and medium- to high-risk deployments (finance, government, and so on).
Note: Enforcement of the Power-on Self-test is deactivated by default. In that mode a failed check displays a warning message on the console and generates an event, but the Power-on Self-test continues and the system boots.
The Power-on Self-test consists of the following checks, run when the SD-WAN Orchestrator is powered on or rebooted:
  • Software Integrity test: Critical system files are identified and signed at build time. At boot, the signatures are verified; this uses cryptographic signatures to validate both authenticity (who produced the file) and integrity (that it is unchanged).
  • Known Answer test of cryptographic modules: Cryptographic modules, such as OpenSSL, run Known Answer Tests (KATs) against fixed test vectors and must all pass.
  • Test of entropy source: The random number generation capability of the entropy source is verified.
Note: The Power-on Self-test reports a Pass/Fail result. When enforcement is enabled, the system continues to bring up the remaining applications only if the Power-on Self-test has passed; if it fails, error messages indicate which check failed and the boot sequence stops.

The following files are signed and verified during the power-on and reboot process:

  • Edges (All files under):
    • /opt/vc/bin
    • /opt/vc/sbin
    • /opt/vc/lib
    • /bin
    • /sbin
    • /lib
    • /usr/bin
    • /usr/sbin
    • /usr/lib
    • /vmlinuz
    • /etc/init.d
  • SD-WAN Orchestrator and SD-WAN Gateway
    Note: For the following modules, the integrity check runs in ENFORCED mode and will cause a boot FAIL if they cannot be verified.
    • SD-WAN Gateway - Package names are stored in: /opt/vc/etc/post/vcg_critical_packages.in
      • Gateway Critical Modules
        • gatewayd.*:all
        • libssl1.0.0:.*:amd64
        • libssl1.1:.*:amd64
        • openssl:.*:all
        • python-openssl:.*:all
    • SD-WAN Orchestrator - Package names are stored in /opt/vc/etc/post/vco_critical_packages.in
      • SD-WAN Orchestrator Critical Modules:
        • libssl1.0.0:.*:amd64
        • libssl1.1:.*:amd64
        • openssl:.*:all
        • vco-backend:.*:all
        • vco-cws-service:.*:all
        • vco-dr:.*:all
        • vco-new-ui:.*:all
        • vco-nginx-apigw:.*:all
        • vco-nginx-common:.*:all
        • vco-nginx-i18n:.*:all
        • vco-nginx-portal:.*:all
        • vco-nginx-reporting:.*:all
        • vco-nginx-sdwan-api:.*:all
        • vco-nginx-upload:.*:all
        • vco-node-common:.*:all
        • vco-portal:.*:all
        • vco-sdwan-api:.*:all
        • vco-tools:.*:all
        • vco-ui:.*:all
        • vco-ztnad-service:.*:all
        • nodejs:.*:all
        • vc-fips-common:.*:all
        • vc-fips-complaint:.*:all
        • vc-fips-strict:.*:all
        • openssh-client:.*:all
        • openssh-server:.*:all
        • linux-base:.*:all
        • linux-firmware:.*:all
        • linux-tools-common:.*:all
        • libselinux1:.*:amd64
        • linux-libc-dev:.*:amd64
        • util-linux:.*:amd64
        • linux-(aws|azure|generic)-headers-.*:.*:all
        • linux-(aws|azure|generic)-tools-.*:.*:amd64
        • linux-headers-.*-(aws|azure|generic):.*:amd64
        • linux-headers-(aws|azure|generic)-lts-.*:.*:amd64
        • linux-image-unsigned-.*-(aws|azure|generic):.*:amd64
        • linux-image-unsigned-(aws|azure|generic)-lts-.*:.*:amd64
        • linux-modules-.*-(aws|azure|generic):.*:amd64
        • linux-tools-.*-(aws|azure|generic):.*:amd64
        • linux-tools-(aws|azure|generic)-lts-.*:amd64
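The following is an added example, not VMware's own POST code, that shows the three checks described above end to end: a SHA-256 known-answer test, an entropy sanity check, and a build-time signed manifest of critical files that is verified at boot in either enforce or warn mode. It also shows how a critical-package list in the style of vco_critical_packages.in can be evaluated. The manifest format, the RSA/SHA-256 signing scheme, the key and event-log file names, and the reading of each pattern as a regular expression over "name:version:arch" are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a minimal power-on self-test (POST) modelled on the checks
# described above. Illustrative code, not VMware's implementation; the
# manifest format, key file names, event log path and the "name:version:arch"
# reading of the critical-package patterns are assumptions.
set -u

# Known Answer Test: SHA-256("abc") must match the published test vector.
kat_sha256() {
    expected=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    got=$(printf 'abc' | openssl dgst -sha256 | awk '{print $NF}')
    [ "$got" = "$expected" ]
}

# Entropy sanity check: two 32-byte reads must be full length and differ.
# (A real FIPS health test is more involved; this only catches a dead source.)
entropy_check() {
    e1=$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')
    e2=$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')
    [ "${#e1}" -eq 64 ] && [ "$e1" != "$e2" ]
}

# Print "<sha256>  <relative path>" for every file under $1, in a fixed order.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          printf '%s  %s\n' "$(openssl dgst -sha256 -r "$f" | cut -d' ' -f1)" "$f"
      done )
}

# Build time: write the manifest of critical files and sign it (RSA/SHA-256).
# $1 = root of the critical files, $2 = private key, $3 = manifest path
build_sign() {
    hash_tree "$1" > "$3"
    openssl dgst -sha256 -sign "$2" -out "$3.sig" "$3"
}

# Failure handling: enforce mode halts the boot (returns 1); warn mode records
# an event and lets the boot continue (returns 0). $1 = message, $2 = mode
post_fail() {
    if [ "$2" = enforce ]; then
        echo "POST FAIL: $1 (boot halted)" >&2
        return 1
    fi
    POST_WARNED=1
    echo "POST WARNING: $1 (event generated, boot continues)" >&2
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) post-warning: $1" >> "${POST_EVENT_LOG:-/tmp/post-events.log}"
    return 0
}

# Boot time: run every check in order. $1 = root, $2 = public key,
# $3 = manifest path, $4 = enforce|warn
run_post() {
    POST_WARNED=0
    kat_sha256 || { post_fail "SHA-256 known-answer test failed" "$4" || return 1; }
    entropy_check || { post_fail "entropy source check failed" "$4" || return 1; }
    openssl dgst -sha256 -verify "$2" -signature "$3.sig" "$3" >/dev/null 2>&1 \
        || { post_fail "manifest signature does not verify" "$4" || return 1; }
    [ "$(hash_tree "$1")" = "$(cat "$3")" ] \
        || { post_fail "critical file added, removed or modified" "$4" || return 1; }
    if [ "$POST_WARNED" -eq 0 ]; then echo "POST PASS"; else echo "POST completed with warnings"; fi
}

# Critical-package check in the style of vco_critical_packages.in: $2 holds one
# regular expression per line over "name:version:arch"; $1 lists the installed
# packages in that form. Every pattern must match at least one installed package.
check_critical_packages() {
    missing=0
    while read -r pat; do
        [ -z "$pat" ] && continue
        grep -Eq "^($pat)\$" "$1" || { echo "critical package not found: $pat" >&2; missing=$((missing + 1)); }
    done < "$2"
    [ "$missing" -eq 0 ]
}
```

Running `run_post` with `enforce` corresponds to the ENFORCED mode of the Orchestrator and Gateway modules and to the Enforce Power-on Self-test profile option for Edges; `warn` corresponds to the default, non-enforced behaviour. Note that the manifest itself must live outside the hashed tree, and that on the real product a failed enforced test deactivates the Edge, which then needs a factory reset and re-activation, so test a signing change on a lab device first.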

Procedure

To configure Edge access for profiles, perform the following steps:

  1. From the SD-WAN Orchestrator, go to Configure > Profiles > Firewall. The Firewall page appears.

  2. In the Edge Access area, configure device access using the following options:

    Support Access
      Select Allow the following IPs to explicitly list the IP addresses from which SSH to this Edge is permitted. You can enter both IPv4 and IPv6 addresses, separated by commas (,). By default, Deny All is selected.

    Console Access
      Select Allow to activate Edge access through the physical console (serial port or Video Graphics Array (VGA) port). By default, Deny is selected, and console login is deactivated after Edge activation.
      Note: Whenever the console access setting is changed from Allow to Deny or vice versa, the Edge must be rebooted manually.

    Enforce Power-on Self-test
      When Enabled is selected, a failed Power-on Self-test deactivates the Edge. To recover the Edge, it must be factory reset and re-activated.
      Note: This feature is supported in the 5.1.0 release and later.

    USB Port Access
      Select Allow to activate, or Deny to deactivate, the USB ports on the Edge. This option is available only for Edge models 510 and 6x0.
      Note: Whenever the USB port access setting is changed from Allow to Deny or vice versa, the Edge must be rebooted: manually if you have physical access to the Edge, or from the SD-WAN Orchestrator if the Edge is at a remote site. For instructions, refer to Remote Actions.

    SNMP Access
      Controls Edge access from routed interfaces/WAN through SNMP. Select one of the following options:
      • Deny All - The default. SNMP access is deactivated for all devices connected to the Edge.
      • Allow All LAN - Allows SNMP access for all devices connected to the Edge through a LAN network.
      • Allow the following IPs - Allows you to explicitly list the IP addresses from which the Edge can be accessed through SNMP. Separate the IP addresses with commas (,).

    Local Web UI Access
      Controls Edge access from routed interfaces/WAN through the Local Web UI. Select one of the following options:
      • Deny All - The default. Local Web UI access is deactivated for all devices connected to the Edge.
      • Allow All LAN - Allows Local Web UI access for all devices connected to the Edge through a LAN network.
      • Allow the following IPs - Allows you to explicitly list the IP addresses from which the Edge can be accessed through the Local Web UI. Separate the IP addresses with commas (,).

    Local Web UI Port Number
      Enter the port number on which the Local Web UI listens; this is the port from which you access the Edge.
  3. Click Save Changes.

What to do next

If you want to override the Edge Access settings for a specific Edge, use the Enable Edge Override option available on the Edge Firewall page. For related information, see Configure Firewall for Edges.