WedgeARP AMB v2.1 Training - Module F - Deployment and Configuration

Wedge Absolute Real-time Protection™

Training Module F – Deployment & Configuration

August, 2019
Outline
Part I - Deployment
• System Deployment
• High Availability Deployment

Part II – Initial Configuration


• Hardware Appliance
• Virtual Machine
• System Initial Configuration

Part III – Advanced Configuration


• Alerts Configuration
• Log Display for Third-Party Security Systems
• Integration with Third-Party Network Monitoring Systems

Wedge Networks, Inc. Confidential -2-


PART I - DEPLOYMENT
SYSTEM DEPLOYMENT



Bridge Mode
This is a L2 transparent configuration connected in line with all traffic passing
through WedgeARP.
The INGRESS and EGRESS interfaces use separate physical ports. It inspects
and forwards all packets. The forwarded traffic will keep the original MAC
address.

[Figure: Internet (unprotected) - Egress port - WedgeARP - Ingress port - protected network]
Router/Proxy Mode
This mode is out-of-line with network traffic: WedgeARP must be specified as a next hop in the network routing for the protected traffic. Use this mode when you need the INGRESS (protected network) and the EGRESS (external network) interfaces on different networks while using the same physical port.
In router mode, WedgeARP can also act as an explicit proxy for HTTP clients such as web browsers. Each browser must then be configured with this device's IP address as its HTTP proxy.

[Figure: Internet (unprotected) - WedgeARP Ingress - protected network]
Restricted Auto-Route Mode
Restricted Auto-Route (RAR) is an additional feature that can be enabled in two-interface router mode. RAR has the advantage that static routes do not have to be added for each network configured to route through the WedgeARP device.
In this mode, all traffic received on the ingress interface is routed out the egress interface to the configured egress gateway, and all traffic received on the egress interface is routed out the ingress interface to the configured ingress gateway. To satisfy these two requirements, both an ingress gateway and an egress gateway must be configured.

[Figure: gateway router - Internet (unprotected) - Egress - WedgeARP - Ingress - protected network]
ICAP Mode
Internet Content Adaptation Protocol, or ICAP, is a lightweight HTTP-based protocol designed to off-load responsibility for specific content handling to dedicated servers. ICAP is generally used in proxy servers to integrate with third-party products like anti-virus software, malicious content scanners and URL filters. If a network already has a web proxy that supports ICAP, WedgeARP functions can be added to the list of services available to that proxy.
WedgeARP works in router mode in order to support an ICAP deployment.

[Figure: clients - HTTP proxy - WedgeARP Ingress (ICAP service) - Internet (unprotected)]
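What the proxy actually hands to an ICAP service in this mode is an ICAP RESPMOD request that encapsulates the client's HTTP request headers and the origin server's response, with an Encapsulated header giving the byte offset of each part and the body in HTTP chunked encoding (RFC 3507). The following is an added example, not Wedge's code or any proxy's: it builds such a request and parses it back, computing and checking the offsets. The ICAP host wedge.example:1344 and the service path respmod are assumed names, and the HTTP messages are constructed for the example.

```python
import re

def chunk(body: bytes) -> bytes:
    """HTTP/1.1 chunked encoding, which ICAP requires for encapsulated bodies."""
    return (b"%x\r\n%s\r\n" % (len(body), body) if body else b"") + b"0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body; stops at the zero-length terminating chunk."""
    out, pos = b"", 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                # skip the data and its CRLF

def build_respmod(icap_host: str, service: str, req_hdr: bytes,
                  res_hdr: bytes, res_body: bytes) -> bytes:
    """Assemble an ICAP RESPMOD request (RFC 3507 section 4.9.1).

    The Encapsulated offsets are relative to the start of the encapsulated
    section and must be computed from the real header lengths; a wrong offset
    makes the ICAP server slice the wrong bytes, which is the usual integration bug.
    """
    if not (req_hdr.endswith(b"\r\n\r\n") and res_hdr.endswith(b"\r\n\r\n")):
        raise ValueError("encapsulated headers must end with an empty line")
    offsets = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (
        f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Encapsulated: {offsets}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunk(res_body)

def parse_icap(msg: bytes) -> dict:
    """Split an ICAP message into its start line, headers and encapsulated parts."""
    head, _, payload = msg.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    entries = []
    for item in headers["encapsulated"].split(","):
        name, _, off = item.strip().partition("=")
        entries.append((name, int(off)))
    parts = {}
    for i, (name, off) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(payload)
        if name == "null-body":
            continue                    # RFC 3507: marks the end, carries no data
        data = payload[off:end]
        parts[name] = dechunk(data) if name.endswith("-body") else data
    return {"start_line": lines[0], "headers": headers, "parts": parts}

# Constructed sample: a proxy handing the scanner the response to a download.
REQ_HDR = b"GET /update.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
RES_BODY = b"MZ\x90\x00not-really-a-pe-file"
ICAP_HOST = "wedge.example:1344"   # assumed listener; 1344 is the ICAP default port
SERVICE = "respmod"                # assumed service name

def roundtrip():
    """Build the RESPMOD request and parse it back (what the ICAP server would do)."""
    msg = build_respmod(ICAP_HOST, SERVICE, REQ_HDR, RES_HDR, RES_BODY)
    return msg, parse_icap(msg)

if __name__ == "__main__":
    msg, parsed = roundtrip()
    print(msg.decode("latin-1"))
    print(parsed["headers"]["encapsulated"], parsed["parts"]["res-body"])
```

The example leaves out the optional Preview and Allow: 204 negotiation; a real proxy uses them so that the scanner can accept unmodified responses without the full body being sent twice.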
WCCP Mode
Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real time. It has built-in load balancing, scaling, fault tolerance and service-assurance mechanisms. If a network router can act as a WCCP server, WedgeARP functions can be added out-of-line from the data traffic by placing the WedgeARP in the network and configuring it to register itself as a WCCP client offering a service.
WedgeARP works in router mode in order to support a WCCP deployment.

[Figure: clients - switch with WCCP - GRE tunnel to WedgeARP Ingress (WCCP client) - Internet (unprotected)]
DCI TAP Mode
Full TAP mode is supported for HTTP, SMTP, POP3 and IMAP protocols in addition
to the DPI engine.
This network infrastructure mirrors client/server traffic to WedgeARP. The packets
are processed by the DPI engine, while in parallel, the TAP cluster will re-assemble
the network streams for processing by the DCI engine. Malware events may be
detected but not blocked in this configuration, and events are recorded in
WedgeIQ.
[Figure: Internet - switch - corporate network; mirrored traffic fed to WedgeARP Ingress; control port]
DPI Web Filter in TAP-WF Mode
(Two-Interface Router)

In this mode, WedgeARP receives mirrored traffic from a network device.

HTTP packets are scanned by the DPI engine looking for URL, DLP or WebFilter policy matches. If a match is detected, WedgeARP sends a TCP reset packet to the destination IP from the Egress port to block the request.

[Figure: Internet - switch - corporate network; mirrored traffic fed to WedgeARP Ingress; Reset/Redirect URL sent from the Egress port; control port]
DPI Web Filter in TAP-WF Mode
(One-Interface Bridge)
When setting up TAP-WF in bridge mode, the RST packet or Redirect URL is sent to the client/user via a bridge device interface instead of the Egress port. If the client/user network is not directly connected to the WedgeARP appliance, a static route to that network must be added using the CLI, and ICMP reply must be enabled.

[Figure: Internet - switch - corporate network; mirrored traffic fed to WedgeARP Ingress; Reset/Redirect URL sent via the bridge interface; Egress port unused; control port]
Multi-site Deployment
The multi-site deployment mode has the following features:
• Single and central WedgeIQ instance.
• Multiple WedgeOS instances that are distributed across infrastructure or site boundaries.
• IPv4 communication is required between the WedgeIQ instance and WedgeOS instances
for synchronization of operational and policy details and for collection of scan results.
• Communication and network visibility between the WedgeIQ and WedgeOS instances
must be limited to these components and the network operator.

[Figure: WedgeIQ in the primary zone; WedgeOS instances in Zone 1 and Zone 2 reached across the public network]
Network Integration with Divert Mode
WedgeARP supports network integration with DPI engines that selectively divert traffic to a network entity, where the DPI engine expects the diverted-to network entity to return responses via a MAC address rewrite.
An example of this operation is Sandvine's PTS Half-Divert Mode. The Internet-side traffic from WedgeARP is not IP transparent, because the WedgeARP IP is substituted for the original client IP; the interaction is, however, transparent to the client.

[Figure: traffic-redirecting device - switch - WedgeARP Ingress/Egress - Internet]
Hairpin Support
East-West traffic scanning: WedgeARP avoids sending the same connection to the WedgeARP proxy if it has already been seen on another input interface. This works with different VLAN tags for the network zones.

[Figure: Internet gateway router - switch - Users Zone X, Users Zone Y and Servers Zone; hairpin traffic between zones passes through WedgeARP]
PART I - DEPLOYMENT
HIGH AVAILABILITY DEPLOYMENT



WedgeARP High Availability

WedgeARP High Availability is designed for redundancy and failover purposes. It supports multiple deployment
modes as listed below. Users can choose suitable HA deployment modes according to their own network
topology.

1. Bridge Mode HA
2. Router Mode HA
3. LACP-based Bridge Mode HA (HA Bond mode)
4. LACP-based Bridge Mode Load Balance HA
5. Dual Interface Router Mode Load Balance HA
6. WCCP Cluster HA
Bridge Mode HA
WedgeARP bridge mode HA uses the Rapid Spanning Tree Protocol (RSTP). With RSTP, a cluster of WedgeARP systems can be deployed in a redundant parallel bridging scenario, with one WedgeARP system handling traffic in Active mode and the others in Standby mode, waiting to take over if the active machine fails.

[Figure: two WedgeARP units bridged in parallel between the firewall switch (firewall at 192.168.10.1) and the egress switch; ingress addresses 192.168.10.2 and 192.168.10.3 on the internal network 192.168.10.0/24; control ports 192.168.30.1 and 192.168.30.2]
Bridge Mode HA
Configuration
Because LAN bypass on a failed unit would otherwise defeat the purpose of having a standby WedgeARP available, the EGRESS cable on the WedgeARP's second network interface must be physically moved to the fourth network interface when HA is enabled.

1. In the WedgeOS management console, go to System > HA Mode.
2. Select Enable High Availability Mode and de-select Enable HA Mode.
3. Select a value for the Bridge Priority. The priority value can be between 0 and 8, with 0 being the highest priority (active).
4. Click Update to activate HA.


Router Mode HA
WedgeARP Router mode (single leg) HA uses a heartbeat-based solution similar to the Virtual Router Redundancy Protocol (VRRP): a Virtual IP Address is assigned to the active device and, if that device becomes unavailable, the Virtual IP Address moves to another device, ensuring continuous service.
The WedgeARP devices are deployed as a cluster of redundant router nodes, with one device handling traffic in Active mode and the others in Standby mode, waiting to take over if the active machine fails.

[Figure: router/firewall at 192.168.10.1 on the internal network 192.168.10.0/24; two WedgeARP ingress ports 192.168.10.2 and 192.168.10.3 sharing Virtual IP 192.168.10.4; control ports 192.168.30.2 and 192.168.30.3 on a control network with 192.168.30.1]

Router Mode HA
Configuration

1. Ensure that the Control Port is configured in System > Network.
2. Select System > HA Mode > Enable High Availability Mode.
3. Specify the Virtual IP Address. This address must be the same on both WedgeARP devices operating in HA mode.
4. If the EGRESS port is enabled and is servicing a second network, specify the second Virtual IP Address and netmask. This address must be different from the INGRESS address.
5. Add a set of network entities, usually including a router, to the Ping Group. This group is used to decide whether a failover should happen.
6. Specify a Shared Secret (password) for the nodes to communicate with each other.
7. Click Update to activate the changes.


LACP-based Bridge Mode HA (HA Bond Mode)
The WedgeARP appliance can be deployed in bridge high availability mode with LACP (Link Aggregation Control Protocol) link bonding (HA Bond mode), which supports multiple links for redundancy and failover. In HA Bond mode, two WedgeARP systems are used for Active/Standby HA: one WedgeARP system acts as the Primary Node and the other (Secondary Node) waits to take over if the active instance fails.

To support this, the ingress and egress interfaces work in link bonding mode, and a heartbeat cable link between the two WedgeARP hosts is required. The management port of both WedgeARPs must be enabled and on the same network.

[Figure: Internet - firewall - LACP 802.3ad egress bond - two WedgeARP units joined by a heartbeat link - LACP 802.3ad ingress bond - switch (vPC) - internal network]

LACP-based Bridge Mode HA (HA Bond Mode)
Order of Starting HA Bond Mode
In WedgeARP, WedgeOS HA and WedgeIQ HA are enabled independently. Please configure and enable the WedgeARP HA Bond Mode (as a whole) in
the following sequence.



LACP-based Bridge Mode HA (HA Bond Mode)
Configuration
Configuring the Secondary Node:
Before configuring HA Bond Mode, make sure that the HA link cable between the active WedgeARP and the standby WedgeARP is connected.
1. Go to the standby WedgeARP terminal UI and select High Availability.
2. Select Secondary Node for the standby WedgeARP.
3. Press Save to initialize the HA mode.
4. Go to WedgeOS Settings and select the physical interfaces for the ingress bond and the egress bond.
5. Select 802.3ad (LACP).
6. Press Save.


LACP-based Bridge Mode HA (HA Bond Mode)
Configuration (cont'd)

Configure the HA link on the Secondary Node:
1. After the initialization, go to Select Heartbeat interface and press Enter.
2. Select a network interface for the HA link.

Note: This interface is not an Ingress or Egress interface. Its whole purpose is to carry heartbeats and data replication between the WedgeARP HA appliances.


LACP-based Bridge Mode HA (HA Bond Mode)
Configuration (cont'd)

Configuring the Primary Node:
Repeat the same steps above for the active WedgeARP, selecting it as Primary Node. The Heartbeat interface state then shows up on both the Primary and Secondary nodes. This is a prerequisite for enabling HA.


LACP-based Bridge Mode HA (HA Bond Mode)
Configuration (cont'd)

Enable HA Mode on the Secondary Node:
1. In the terminal UI of the Secondary Node, go to High Availability > Setup WedgeOS HA Mode.
2. Select Enable HA Mode.
3. Set a Shared Secret.
4. Press Save to enable WedgeOS HA Mode.
5. Go to High Availability > Setup WedgeIQ HA Mode.
6. Select Enable HA Mode.
7. Set a Shared Secret.
8. Press Save to enable WedgeIQ HA Mode.


LACP-based Bridge Mode HA (HA Bond Mode)
Configuration (cont'd)

Enable HA Mode on the Primary Node:
Repeat the same steps above on the Primary Node. After HA Mode is enabled on both nodes, database replication starts; once it completes, HA Bond Mode is up and running. The status of both WedgeOS HA and WedgeIQ HA can then be checked.


LACP-based Bridge Mode Load Balance HA
WedgeARP supports LACP-based load balancing, which can be used for Active/Active HA. In this deployment, two WedgeARPs work in bridge mode with link bonding on ingress and egress to provide dual active links with redundancy.
• LACP Load Balancing
  o Layer 2 frames are balanced among WedgeARP devices based on destination and source IP addresses.
• Transparent Layer 2
  o The system can be connected between existing devices transparently.
  o Virtually no configuration is required on existing devices.
• Configurable
  o Bypass can be enabled if N WedgeOS instances are disabled or N ports/links are disabled.
• VLAN Tags
  o 802.1q support.
  o Frames can be tagged or untagged.
  o No VLAN translation is required.

[Figure: incoming traffic on Switch 1 and outgoing traffic on Switch 2 (joined by an ISL); port channels PO 1/PO 2 and PO 10/PO 20 carry LACP bundles to Bond0/Bond1 on WedgeOS 1 (bridge) and WedgeOS 2 (bridge), forming the WedgeARP Active/Active cluster]
Dual Interface Router Mode Load Balance HA
WedgeARP Dual Interface Router mode HA distributes network traffic to two or more WedgeARPs via a load balancer for redundancy and failover. Working in Dual Interface Router mode, each WedgeARP's ingress port is in the same subnet as the load balancer and receives the allocated traffic. Its egress port is in a separate subnet and is set as the default gateway for Internet-bound traffic.

[Figure: load balancer in front of two WedgeARPs; ingress ports 192.168.4.1 and 192.168.4.2 on the 192.168.4.0/24 load-balancer subnet, egress ports 192.168.3.21 and 192.168.3.22 on the 192.168.3.0/24 subnet toward the Internet via 192.168.3.1; internal client subnets 192.168.5.0/24 and 192.168.6.0/24 behind the load balancer]
Dual Interface Router Mode Load Balance HA
Configuration

1. In the WedgeOS management console, select System > Network.
2. Check Router mode and Enable router mode egress port.
3. Enter IP addresses for both ingress and egress.
4. Check Enable IP address transparency.
5. Set static routes for internal core traffic via the CLI.
WCCP Cluster HA
This HA deployment supports multiple WedgeARPs in a WCCP (Web Cache Communication Protocol) cluster to provide load balancing, redundancy and failover. WedgeARP does not work in-line with traffic in the WCCP cluster, so even if every WedgeARP fails, traffic automatically passes through the WCCP-enabled router/switch and the network is not interrupted. If one WedgeARP in the WCCP cluster fails, the others take over.

[Figure: router on the international link with "ip wccp 160 redirect in" applied to its eth1 and eth0 interfaces; its VLAN25 interface 192.168.25.1/24 faces the WedgeOS ingress 192.168.25.2/24; a WedgeOS appliance and a WedgeOS virtual machine run as router-mode (L3 transparent) proxies; PBR redirects "interested" traffic to WedgeOS, whose default gateway sends all traffic back to the router]
WCCP Cluster HA
Configuration

WedgeARP Configuration:
• Set router mode and enable IP address transparency.
• Set the ingress IP address in the same VLAN as the router's International Link.
• Set the default gateway back to the router.

Router Configuration:
• Assign the International Link subnet to the same VLAN as the WedgeARP ingress.
• "Interested" traffic is defined in the WCCP Service Groups: 60 (DST port = 25) and 160 (SRC port = 25).
• Use ACLs to select the "interested" traffic to and from 192.168.10.0/24:
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    ip wccp 60 redirect-list 100
    access-list 101 permit ip any 192.168.10.0 0.0.0.255
    ip wccp 160 redirect-list 101
Enabling Configuration Sync for High Availability
In HA mode, enabling configuration sync is recommended. WedgeARP can then automatically synchronize changed settings, so that no difference in service is visible and no additional configuration changes are required if a failover occurs. The control port must be configured to enable sync. As with the WedgeIQ/WedgeOS traffic in a multi-site deployment, visibility of this control network should be limited to the HA nodes and the network operator.

To enable Configuration Sync:
1. Select System > HA Mode > Enable Configuration Sync.
2. Enter an appropriate Broadcast Port or use the default. This port is used to broadcast synchronization change events.
3. Enter an appropriate Sync Port or use the default. This port is used to communicate the updated configuration data to synchronize.
4. Connect the control port interfaces of each device in HA mode to the same control network.
5. Click Update.
PART 2 – INITIAL CONFIGURATION
HARDWARE APPLIANCE



Hardware Appliance Diagram
[Figure: the appliance runs on the Wedge NDP platform (Ubuntu with KVM and LXD); the control network/management port reaches WedgeIQ, the Wedge Service Conductor, the event router and the terminal user interface; the data path runs Ingress - OVS - WedgeOS - Egress]
Hardware Appliance Cabling
1. Plug in the power cable.
2. Plug in the keyboard (USB) and monitor (VGA).
3. Connect a computer with an internet browser to the INGRESS port (the port labelled as the default management interface).
4. Connect the network to the EGRESS port.
5. Press the power button.

Login to the Terminal User Interface
After the appliance powers on, a login prompt is shown.
Enter the default credentials: username sysadmin, password changeme. Change this password as part of the initial configuration (see Changing the WedgeARP System Password below).

Use the left, right, up and down arrow keys to move, and press Enter to make a selection. Use the space bar to select a checkbox.
Management Settings
• Modify which physical interface is used for the MGMT network.
• Choose DHCP or Static IP mode and configure the static IP, mask and gateway.
• If available, configure the local DNS and search domains; otherwise leave the defaults.


WedgeOS Settings
• Modify which physical interfaces are used for the Ingress and Egress networks.
• Choose Bridge, Router or TAP mode. At this stage of the deployment it is advised to leave the system in Bridge mode.
• The remaining options are for advanced configurations that are not covered yet.


Changing the WedgeARP System Password
Change the default sysadmin password (changeme) from the terminal UI before the appliance is connected to a production network. The same applies to the default accounts of the VM images described below (admin/admin on WedgeOS, ubuntu/changeme on WedgeIQ) and to the admin/changeme WedgeIQ web login.


PART 2 – INITIAL CONFIGURATION
VIRTUAL MACHINE



Deploy WedgeARP VM
1. Typically, a WedgeARP VM deployment contains one WedgeIQ instance and multiple WedgeOS instances. They are deployed as security VMs on a virtual appliance, a VM platform or a virtualized cloud platform; the deployment procedure depends on your virtualization environment.
2. WedgeOS instances are typically connected to a data network. All deployed WedgeOS instances must be registered with a WedgeIQ instance.
3. The WedgeARP VM packages are provided as OVA files (WedgeOS.ova and WedgeIQ.ova).

[Figure: on the virtualization platform, WedgeOS (scanning) sits between the data subnet (Ingress) and the Internet gateway (Egress); its control port and WedgeIQ (policy and reporting) share the management subnet]


Configuring the WedgeOS Instance –
Control Port
1. Log in to the WedgeOS virtual machine with username admin and password admin.
2. From the admin command-line interface, enter the following commands to enable the control interface:
   net inet set control <ip> netmask <netmask>
   net inet enable control
   net gateway set <gateway IP address>
   net dns server add <dns IP address>
   net inet show
   net gateway show
The current IP address settings are displayed.
Configuring the WedgeOS Instance –
Bridge Mode
1. Log in to the WedgeOS virtual machine with username admin and password admin.
2. From the admin command-line interface, enter the following commands:
net inet set device <IP> netmask <netmask>
net gateway set <gateway IP>
net dns server add <IP>
net inet show
net gateway show

3. Set transparency
net transparency enable ip
net transparency enable mac
net transparency enable route
Configuring the WedgeOS Instance –
Route Mode
1. Log in to the WedgeOS virtual machine with username admin and password admin.
2. From the admin command-line interface, enter the following commands:
net inet set device <IP> netmask <netmask>
net gateway set <gateway IP>
net mode set router
net dns server add <IP>
net inet show
net gateway show



Configuring the WedgeOS Instance – TAP
Mode
1. Log in to the WedgeOS virtual machine with username admin and password admin.
2. From the admin command-line interface, enter the following commands:
net inet set device <IP> netmask <netmask>
net mode set tap
net dns server add <IP>
net inet show
net gateway show



Obtaining the WedgeIQ Instance’s IP Address

1. Log in to the WedgeIQ virtual machine with username ubuntu and password
changeme.

2. Run the ifconfig eth0 command to check the IP address of the WedgeIQ virtual
machine. DHCP is used by default. To change the WedgeIQ to a static IP, modify the
/etc/network/interfaces file accordingly.

3. Leave the console open if you intend to run the resize script (next steps)



Running the WedgeIQ VM Resize Script

The WedgeIQ virtual machine is initially set to 16GB in size and allows for an increase
to the necessary size requirements for the deployment as defined in the system
requirements.

If the virtual machine is set up with a different disk size, the resize script will need to
be run. Perform the following steps.

1. Log in to the WedgeIQ virtual machine with username ubuntu and password
changeme.



Running the WedgeIQ VM Resize Script (cont'd)
2. Run the following commands:
   $ cd /usr/share/wiq_installer/scripts
   $ sudo bash ./configure_vm.sh resize-vm
3. Enter y when prompted with the following message:
   This will now extend partition number <PARTITION_NUMBER> on disk using start sector <SECTOR_NUMBER>. Are you sure? [y/N]

The virtual machine reboots with the increased disk size.


PART 2 – INITIAL CONFIGURATION
SYSTEM INITIAL CONFIGURATION



Accessing WedgeIQ
1. Navigate to the IP address for your system:
• For an appliance this is the appliance IP
• For VMs this will be the IQ VM IP

2. Enter admin as the username and changeme as password.

3. Click Login.



Registering WedgeOS in WedgeIQ
For a WedgeARP VM deployment, WedgeOS instances must be registered with a WedgeIQ instance.

1. Navigate to Security Operations > Policy Management.
2. Under Registered Security Instances, click +.
3. In the Add Security Instance window, enter the hostname or IP address of the WedgeOS control or management interface. Click Save.

Once the WedgeOS is registered, its syslog forwarding is also configured automatically.


Confirming WedgeOS Registration
1. Navigate to System Operations > System Health

2. Check to make sure the Status of the WedgeOS is OK



License Configuration
In the WedgeIQ Web UI, navigate to System Operations > Settings > License.

Activating a license key requires an internet connection.



Accessing WedgeOS
1. From WedgeIQ select System Operations >
System Health.
2. Select a WedgeOS instance.
3. Click Go to WedgeOS.



Configuring Event Archiving
1. Navigate to System > Event Archive.
2. Select Enable Event Archiving.
3. For Receiver Server URL enter http://[WIQ_IP]:8080/emonitor/rest/event/archive, where [WIQ_IP] is the WedgeIQ IP address, and click Save.

Note that this receiver is plain HTTP on port 8080, so the WedgeOS-to-WedgeIQ path should stay on the restricted control/management network described under Multi-site Deployment.
Configuring Scanned Ports
Under System > Protocol Setup > Ports, add or edit the existing protocol scanning ports as necessary. If you plan to scan SSL, ensure that the appropriate SSL ports are configured per protocol.

Note: You cannot delete the last remaining port for any protocol.

Protocol   TLS Port
HTTP       443
SMTP       587
IMAP       993
POP        995

Port 587 (submission) is upgraded with STARTTLS rather than being TLS from the first byte; if your mail clients use implicit-TLS SMTP on 465, add that port as well.


SSL/TLS Interception

• WedgeARP acts as the server to the requesting client and as the client to the destination server, in effect creating two separate secure connections.
• The request from the client is intercepted and WedgeARP makes the request to the destination server on behalf of the client. On receipt of the server certificate, WedgeARP determines whether the server is trusted based on its own internal CA (certification authority) trust store.
• If the server can be trusted, WedgeARP completes the connection to the remote server and presents a certificate signed by its own CA to the client, creating a second secure connection between the client and WedgeARP.

Setup SSL/TLS Scanning
Certificate Management
If uploading an existing organization certificate, its private key file is also required. Located in System > SSL/TLS.


Setup SSL/TLS Scanning
Certificate Management

If a certificate is generated on the WedgeARP, it will need to be saved, downloaded and distributed to clients. Also located in System > SSL/TLS.


Setup SSL/TLS Scanning
SSL Policies

You must now create an SSL Policy to use the desired certificate for a specific IP or subnet:
• Define the IP or subnet for the policy (this policy is not bidirectional).
• Choose Signing (Dynamic).
• Select the certificate to be used.
• Clicking Add creates a new policy in the list below.
Setup SSL/TLS Scanning
Installing the Wedge SSL Cert

On first exposure to the certificate presented by WedgeARP, a warning typically appears in the client (such as a web browser) indicating that the certificate is self-signed and not signed by a CA the client trusts by default. To prevent this message, all users must import the uploaded CA certificate from WedgeARP, using the linked alias in the list of certificates:
1. Double-click the certificate to install it.
2. Choose the Local Machine store, not only the current user.
3. Choose the location: browse to Trusted Root (Certification Authorities).
4. Finish the certificate installation.

Once imported, every client trusts any certificate signed by this CA, so the CA private key held on the WedgeARP must be protected as carefully as any other signing key.

PART 3 – ADVANCED CONFIGURATION
ALERTS CONFIGURATION



Email Notifications
To set up email notifications, go to WedgeOS > System > Notification. The page has three sections: which alerts to notify on, the SMTP email server settings, and the email alert details.


SNMP Configuration
WedgeOS > System > SNMP: WedgeOS responds to SNMP commands and sends traps. The page lets you choose which traps to send and provides the MIB file.

SNMP Communities
Define the community and the network from which requests can be made. Restrict that network to the monitoring hosts that actually need access.

SNMP Trap Sinks
Trap Sink configuration. The community list is populated from the defined communities.


PART 3 – ADVANCED CONFIGURATION
LOG DISPLAY FOR THIRD-PARTY SYSTEMS



Displaying Third-Party Logs
• WedgeARP can be configured to display logs from another security device.
• Logs must contain a device identifier or a tag.
• Steps to add third-party logs into WedgeARP:
  – Create configuration files so that WedgeARP can interpret the third-party logs.
  – Copy the schema file and configuration files into the corresponding directories.
  – Restart the logstash service.
  – Set the remote logging of your security device to the WedgeARP IP.
  – Restart the rsyslog service.
  – Create the visualization.


Sample Configuration Files
Sample log line:
Aug 8 02:36:19 wedge APPACTION HTTP VIRUS

Sample input file:
input {
  file {
    path => "/var/log/wedge/scanning.log"
    stat_interval => 1
  }
}

Sample type file:
filter {
  grok {
    break_on_match => true
    patterns_dir => [ "/etc/logstash/patterns.d" ]
    match => [ "message", "%{WEDGE_ACTION_PREFIX}" ]
    add_tag => "wedgeos"
  }
}

Sample schema file:
STR_APPACTION APPACTION
W_DATE (?:%{SYSLOGTIMESTAMP}|%{TIMESTAMP_ISO8601})
W_TIMESTAMP %{W_DATE:timestamp}
W_LOGHOST %{HOSTNAME:loghost}
W_APPACTION %{STR_APPACTION:appaction}
W_PROTO %{WORD:protocol}
W_REASON %{WORD:reason}
#The first fields of message to identify type
WEDGE_ACTION_PREFIX %{W_TIMESTAMP} %{W_LOGHOST} %{W_APPACTION} %{GREEDYDATA:remainder}
#The fields that follow
WEDGE_MSG_APPACTION %{W_PROTO} %{W_REASON}

Sample filter file:
filter {
  if "wedgeos" in [tags] {
    grok {
      break_on_match => true
      patterns_dir => [ "/etc/logstash/patterns.d" ]
      match => [ "remainder", "%{WEDGE_MSG_APPACTION}" ]
    }
  }
}

Sample output file:
output {
  if "wedgeos" in [tags] {
    elasticsearch {
      hosts => [ "127.0.0.1" ]
      workers => 2
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}


Steps for Configuration
1. Create the following configuration files (see the examples on the previous slide):
   • Input: reads the log file that rsyslog writes for the device.
   • Type: matches the log line or message against a known prefix and adds the type tag (wedgeos).
   • Schema: contains the grok patterns that define how the data is analyzed and stored.
   • Filter: applies the event-specific pattern from the schema, selected by the type tag.
   • Output: specifies the Elasticsearch index used to store the data.

2. Install the schema file to the patterns directory:
   • cp schema.cfg /etc/logstash/patterns.d/

3. Install the rest of the configuration files to the wedge.d directory:
   • cp *.conf /etc/logstash/wedge.d/

4. Restart logstash:
   • sudo service logstash restart

5. Set the remote logging of your security device to the WedgeARP IP address on port 514:
   • Open the /etc/rsyslog.d/50-default.conf file of your device.
   • Add the following line with the WedgeIQ IP address (@@ forwards over TCP; 514 is the default port):
     *.* @@1.2.3.4
   • Restart the rsyslog service with the following command:
     sudo service rsyslog restart

6. Add visuals:
   • Create the visualization.



Log Interpretation Example
STR_APPACTION APPACTION
STR_APPSCAN APPSCAN

W_DATE (?:%{SYSLOGTIMESTAMP}|%{TIMESTAMP_ISO8601})
W_TIMESTAMP %{W_DATE:timestamp}
W_LOGHOST %{HOSTNAME:loghost}
W_APP %{WORD:app}
W_APPACTION %{STR_APPACTION:appaction}
W_APPSCAN %{STR_APPSCAN:appscan}
W_PROTO %{WORD:protocol}
W_UID %{QUOTEDSTRING:userid}
W_GID %{QUOTEDSTRING:groupid}
W_SIP %{IP:srcip}
W_DIP %{IP:dstip}
W_ACTION %{WORD:action}
W_REASON %{WORD:reason}
W_UNUSED %{QUOTEDSTRING}
W_DINFO %{QUOTEDSTRING:dstinfo}
W_SINFO %{QUOTEDSTRING:srcinfo}
W_SUBJECT %{QUOTEDSTRING:subject}
W_DETAIL %{QUOTEDSTRING:detail}
W_POLICYTAG %{QUOTEDSTRING:wptag}
W_HASH %{QUOTEDSTRING:sha1hash}
W_EVENT_SOURCE "%{IP:eventsource}"

# The first fields of the message identify the type
WEDGE_SCAN_PREFIX %{W_TIMESTAMP} %{W_LOGHOST} %{W_APP} %{W_APPSCAN} %{GREEDYDATA:remainder}
WEDGE_ACTION_PREFIX %{W_TIMESTAMP} %{W_LOGHOST} %{W_APP} %{W_APPACTION} %{GREEDYDATA:remainder}

# The fields that follow (each pattern is a single line in the patterns file)
WEDGE_MSG_APPSCAN %{W_PROTO} %{W_UID} %{W_GID} %{W_SIP} %{W_DIP} %{W_DINFO} %{W_SINFO} ?(%{W_POLICYTAG}?) ?(%{W_HASH}?) ?(%{W_EVENT_SOURCE}?)
WEDGE_MSG_APPACTION %{W_PROTO} %{W_UID} %{W_GID} %{W_SIP} %{W_DIP} %{W_ACTION} %{W_REASON} %{W_UNUSED} %{W_DINFO} %{W_SINFO} %{W_SUBJECT} %{W_DETAIL} ?(%{W_POLICYTAG}?) ?(%{W_HASH}?) ?(%{W_EVENT_SOURCE}?)



PART 3 – ADVANCED CONFIGURATION
INTEGRATION WITH THIRD-PARTY NETWORK
MONITORING SYSTEMS



WedgeARP Syslog Export
WedgeARP's syslogs come from all connected WedgeOS instances. You can export WedgeARP's syslogs to a third-party remote host: go to WedgeIQ > System Settings > Logging.

Press the Add New button to add a new syslog server host, which will receive the syslog stream.

Enter the new syslog server host IP address and port, then press the green button to add it.



WedgeARP Logging Format
Description
The standard WedgeARP logging format is as follows:

<timestamp> <hostname> WedgeOS <event> <data>

• timestamp: the date and time of the event, according to the system clock
• hostname: the host name assigned to WedgeOS on the WedgeOS > System > Settings console page
• event: the WedgeOS event that generated this log message:
  o APPSCAN – Event generated by an application scanning operation
  o APPACTION – Action taken by a WedgeOS scanning event
  o APPEVENT – Event generated by a WedgeOS application's normal operation, such as system and process status
  o APPERROR – Error caused by a WedgeOS application level exception
  o APPCHANGE – Configuration changes done through the web console or the CLI
• data: the event-specific message fields



WedgeARP Logging Format
AppScan
APPSCAN – Event generated by an application scanning operation. Data fields for this event are:

Field Name | Description | Possible Values | Applicable to Policies
protocol | Protocol scanner that generated this event | HTTP, HTTPS, POP3, SMTP, SMTPTLS, IMAP, FTP, UNDEFINED | All
user ID | An ID from a directory service mapped to the requesting client's IP address | Empty if there is no matching user ID for the IP address | All
source IP address | IP address of the requesting client | | All
destination IP address | IP address of the requested host | | All
destination info | The requested URL, or email recipients | | HTTP, Mail
source info | Email from address | | Mail



WedgeARP Logging Format
AppAction
APPACTION – Action taken by a WedgeOS scanning event. Data fields for this event are:

Field Name | Description | Possible Values | Applicable to Policies
protocol | Protocol scanner that generated this event | HTTP, HTTPS, POP3, SMTP, SMTPTLS, IMAP, FTP, UNDEFINED | All
user ID | An ID from a directory service mapped to the requesting client's IP address | Empty if there is no matching user ID for the IP address | All
source IP address | IP address of the requesting client | | All
destination IP address | IP address of the requested host | | All
action | Action taken on event | DETECTED, BLOCKED, WARNED | All
reason | | VIRUS, SPAM, KEYWORD, URL, WEBFILTER, OVERSIZE, AIAV, MAAV | All
content type | The content type of the data | Any MIME type | All
destination info | The requested URL, POP account name, or email recipients | | All
source info | Email from address | | HTTP, Mail
subject | Subject line from the email | | Mail
detail | Policy-specific data | Virus name, keyword/URL matched, spam score, WebFilter category etc. | All



WedgeARP Logging Format
AppEvent/Error/Change

APPEVENT – Event generated by a WedgeOS application's normal operation, such as system and process status
APPERROR – Error caused by a WedgeOS application level exception
APPCHANGE – Configuration changes done through the web console or the CLI

These last three event types have the same fields:

Field Name | Description | Possible Values | Applicable to Policies
log level | Message log level as listed on System > Logging Setup | DEBUG, DETAIL, INFO, WARN, ERROR, FATAL | All
message | Description of the event or error | | All



WedgeARP Logging Format
Examples

Example of log messages for a blocked URL (each message is a single line):

Dec 20 14:15:26 warsaw WedgeOS APPSCAN HTTP "" 192.168.0.133 74.125.19.104 "www.google.ca/" ""
Dec 20 14:27:27 warsaw WedgeOS APPACTION HTTP "" 192.168.0.133 64.236.16.20 BLOCKED URL "" "www.cnn.com/" "" "" www.cnn.com/

Example of log message for a blocked virus:

Dec 20 14:28:46 warsaw WedgeOS APPACTION HTTP 192.168.0.133 203.70.84.28 BLOCKED VIRUS "" "dl2.vx.netlux.org/dl/vir/Virus.ASP.Silly.a.zip" "" "" "Virus.ASP.Silly.a"

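The grok schema on the Log Interpretation Example slide and the messages on the Examples slide above can be checked against each other before anything is installed under /etc/logstash. The following is an added example, not Wedge Networks' or Elastic's code: a small grok expander in Python that resolves the schema's %{NAME:field} references into a regular expression and runs the same two stages as the pipeline (prefix match on the message, event-specific match on the remainder). The base patterns (SYSLOGTIMESTAMP, HOSTNAME, QUOTEDSTRING and so on) are simplified stand-ins for logstash's built-ins, and the sample lines are constructed with documentation IP ranges and made-up user, group and hash values.

```python
"""Added example (not Wedge Networks' or Elastic's code): a small grok expander that
turns the schema on the Log Interpretation Example slide into a Python regex and runs
the same two stages as the logstash pipeline, so patterns can be tested offline."""
import re

# Simplified stand-ins for the logstash built-in patterns (assumption: the real
# logstash definitions are broader than these).
BASE_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9.-]*",
    "WORD": r"\w+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "QUOTEDSTRING": r'"(?:[^"\\]|\\.)*"',
    "GREEDYDATA": r".*",
}

# The schema from the slide; each pattern is a single line, as a patterns file requires.
WEDGE_SCHEMA = r"""
STR_APPACTION APPACTION
STR_APPSCAN APPSCAN
W_DATE (?:%{SYSLOGTIMESTAMP}|%{TIMESTAMP_ISO8601})
W_TIMESTAMP %{W_DATE:timestamp}
W_LOGHOST %{HOSTNAME:loghost}
W_APP %{WORD:app}
W_APPACTION %{STR_APPACTION:appaction}
W_APPSCAN %{STR_APPSCAN:appscan}
W_PROTO %{WORD:protocol}
W_UID %{QUOTEDSTRING:userid}
W_GID %{QUOTEDSTRING:groupid}
W_SIP %{IP:srcip}
W_DIP %{IP:dstip}
W_ACTION %{WORD:action}
W_REASON %{WORD:reason}
W_UNUSED %{QUOTEDSTRING}
W_DINFO %{QUOTEDSTRING:dstinfo}
W_SINFO %{QUOTEDSTRING:srcinfo}
W_SUBJECT %{QUOTEDSTRING:subject}
W_DETAIL %{QUOTEDSTRING:detail}
W_POLICYTAG %{QUOTEDSTRING:wptag}
W_HASH %{QUOTEDSTRING:sha1hash}
W_EVENT_SOURCE "%{IP:eventsource}"
WEDGE_SCAN_PREFIX %{W_TIMESTAMP} %{W_LOGHOST} %{W_APP} %{W_APPSCAN} %{GREEDYDATA:remainder}
WEDGE_ACTION_PREFIX %{W_TIMESTAMP} %{W_LOGHOST} %{W_APP} %{W_APPACTION} %{GREEDYDATA:remainder}
WEDGE_MSG_APPSCAN %{W_PROTO} %{W_UID} %{W_GID} %{W_SIP} %{W_DIP} %{W_DINFO} %{W_SINFO} ?(%{W_POLICYTAG}?) ?(%{W_HASH}?) ?(%{W_EVENT_SOURCE}?)
WEDGE_MSG_APPACTION %{W_PROTO} %{W_UID} %{W_GID} %{W_SIP} %{W_DIP} %{W_ACTION} %{W_REASON} %{W_UNUSED} %{W_DINFO} %{W_SINFO} %{W_SUBJECT} %{W_DETAIL} ?(%{W_POLICYTAG}?) ?(%{W_HASH}?) ?(%{W_EVENT_SOURCE}?)
"""

# Constructed sample lines (documentation IP ranges; user, group and hash are made up).
LINE_SCAN = ('Dec 20 14:15:26 warsaw WedgeOS APPSCAN HTTP "alice" "staff" '
             '192.0.2.10 198.51.100.20 "www.example.com/" ""')
LINE_ACTION = ('Dec 20 14:27:27 warsaw WedgeOS APPACTION HTTP "alice" "staff" '
               '192.0.2.10 198.51.100.20 BLOCKED URL "" "www.example.com/" "" "" '
               '"www.example.com/" "policy-web" "da39a3ee5e6b4b0d3255bfef95601890afd80709" "10.0.0.5"')
# Shaped like the Examples slide: one quoted field before the source IP, not two.
LINE_LEGACY = ('Dec 20 14:27:27 warsaw WedgeOS APPACTION HTTP "" 192.0.2.10 198.51.100.20 '
               'BLOCKED URL "" "www.example.com/" "" "" www.example.com/')

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def load_patterns(schema_text, base=BASE_PATTERNS):
    """Read 'NAME pattern' lines on top of the base set; skip blanks and # comments."""
    patterns = dict(base)
    for line in (raw.strip() for raw in schema_text.splitlines()):
        if line and not line.startswith("#"):
            name, _, body = line.partition(" ")
            patterns[name] = body
    return patterns


def compile_grok(name, patterns):
    """Expand %{REF} / %{REF:field} recursively. A named reference becomes a named
    group, an unnamed one a non-capturing group, so a trailing '?' in the schema
    makes the whole expansion optional."""
    def expand(body):
        def replace(m):
            ref, field = m.group(1), m.group(2)
            inner = expand(patterns[ref])
            return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
        return GROK_REF.sub(replace, body)
    return re.compile(expand(patterns[name]))


def _captures(match):
    """Named groups that matched, with surrounding double quotes stripped."""
    return {k: v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
            for k, v in match.groupdict().items() if v is not None}


def parse_wedge_line(line, patterns=None):
    """Stage 1 tags the event by prefix; stage 2 parses the remainder (None if no
    prefix matches; a failed stage 2 adds _grokparsefailure, as logstash does)."""
    patterns = patterns or load_patterns(WEDGE_SCHEMA)
    for prefix, body in (("WEDGE_SCAN_PREFIX", "WEDGE_MSG_APPSCAN"),
                         ("WEDGE_ACTION_PREFIX", "WEDGE_MSG_APPACTION")):
        head = compile_grok(prefix, patterns).search(line)
        if head is None:
            continue  # break_on_match: the first prefix that matches wins
        event = {**_captures(head), "tags": ["wedgeos"]}
        event.pop("remainder", None)
        rest = compile_grok(body, patterns).search(head.group("remainder"))
        if rest is None:
            event["tags"].append("_grokparsefailure")
        else:
            event.update(_captures(rest))
        return event
    return None
```

Run parse_wedge_line over lines taken from scanning.log before installing schema.cfg: an event whose tags contain _grokparsefailure is one whose layout the schema does not describe, which is exactly what Kibana would later show as unparsed remainder text. LINE_LEGACY demonstrates that case: the messages on the Examples slide carry fewer quoted fields between the protocol and the source IP than WEDGE_MSG_APPACTION expects (W_UID followed by W_GID), so a line in that shape passes stage 1 and fails stage 2. Confirm the field layout that your WedgeOS version emits against the AppScan and AppAction tables before deploying the schema.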


Thank You
"Wedge Networks offers a multi-tenanted SDN and NFV orchestrated solution that provides deep packet inspection and deep content inspection in conjunction with more than a dozen security VNFs for CSPs, large enterprises and vertical markets. …all should consider Wedge Networks for end-to-end service control across multiple networks."

"The most promising solution…has been proposed by Wedge Networks…to adopt the SDN principle and consider the traffic flow as a virtual network… and so define a distinct 'security layer'…"

"Wedge… technology will deliver the more advanced virtualized network security capabilities necessary to satisfy the automation, scalability and robustness of the Third Network"
- Nan Chen, MEF President
