System Information
Administration > Software > Upgrade > System Information
You can manage system information with templates except for Deployment Mode, which is an appliance-specific configuration. To change the Deployment Mode for an appliance, navigate to Configuration > Networking > Deployment.
When you click the edit icon next to a specific appliance, the System Information dialog box opens. The System Information dialog box features two subtabs: System Summary and System Settings, which are described in the following information.
System Summary
| Property Key | Description |
|---|---|
| Appliance Key | Orchestrator assigns and uses this key to identify the appliance. |
| Platform | The underlying cloud platform on which the EdgeConnect appliance runs, such as Amazon EC2, Azure, Google Cloud, or VMware. |
| Uptime | The time elapsed since the appliance became operational and available. |
| Active Release | Specifies the software release the appliance is running. |
| Appliance ID | The unique identifier for the appliance. |
| Discovery Method | Specifies how Orchestrator discovered the appliance: PORTAL: Orchestrator discovered the appliance through the portal account. MANUAL: The appliance was added manually. APPLIANCE: The Orchestrator IP address was added to the appliance. Portal was not involved. |
| Connection Type | The method that Orchestrator uses to communicate with the appliance. Options are WEBSOCKET, PORTAL, and HTTP. |
| Appliance Model | Specifies if the appliance is an EC, EC-V, NX, VX, or VRX model. |
| HW Revision | The hardware number and revision number of the appliance (for example, 208001009006 Rev 76564). |
| BIOS Version | The version of BIOS firmware that the appliance is using. |
| Serial Number | The serial number of the appliance. |
| SKU | The stock keeping unit (SKU) identifier for the appliance. |
| System Bandwidth | The total outbound bandwidth, determined by appliance model or license. |
| Mode | Specifies the deployment mode of the appliance: Server, Router, or Bridge. |
System Settings

| Property Key | Description |
|---|---|
| Model | Specifies if the appliance is an EC, EC-V, NX, VX, or VRX model. |
| HW Revision | The hardware number and revision number of the appliance. For example, 208001009006 Rev 76564. |
| Serial | The serial number of the appliance. |
| SKU | The stock keeping unit (SKU) identifier for the appliance. |
| Site/Cluster name | Orchestrator will not build tunnels between appliances with the same user-assigned Site/Cluster name. For more information about Site/Cluster names, see Clusters. |
| Hub site? | Specifies if the appliance has been assigned the role of Hub in Orchestrator. |
| Contact name | The name of the person to contact within your organization (optional). |
| Contact email | The email address of the person to contact within your organization (optional). |
| Location | The physical location of the appliance, optionally specified during appliance setup. |
| Region | A user-assigned name that is created for segmenting topologies and streamlining the number of tunnels created. When regions contain at least one hub, you can choose to connect regions through hubs only. |
| IP header compression | IP header compression reduces the size of IP packet headers in order to optimize bandwidth usage, improve data transmission efficiency, and reduce latency in network communication. It is particularly useful in environments with bandwidth constraints, such as wireless networks, low-speed links, and mobile networks. |
| IP ID auto optimization | Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). |
| TCP auto optimization | Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). |
| Flows and tunnel failure | If there are parallel tunnels and one fails, Dynamic Path Control determines where to send the flows. There are three options: fail-stick: When the failed tunnel comes back up, the flows do not return to the original tunnel. They stay where they are. fail-back: When the failed tunnel comes back up, the flows return to the original tunnel. disable: When the original tunnel fails, the flows are not routed to another tunnel. |
| Encrypt data on disk | Enables encryption of all the cached data on the disks. Disabling this option is not recommended. |
| Configured media type | There are two options, ram and disk (VX) or ram only (VRX). This can be changed for special circumstances if support recommends it. |
| Media type | Specifies the actual type of media being used. |
| Shell access status | Specifies the current shell access policy for EdgeConnect appliances. Open Shell Access: Full access is granted to the underlying Linux operating system shell. Secure Shell Access: Access is denied to the shell, but Support can grant access. Contact Support for assistance. You cannot change this setting to Open Shell Access. Disabled Shell Access: Access permanently denied to the shell. You cannot change this setting to Open Shell Access or Secure Shell Access. This setting is managed on the Advanced Security Settings page (Configuration > Overlays & Security > Security > Advanced Security Settings). Changes to this setting affect all appliances in your network. |
| Excess flow policy | Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows. Alternatively, you can choose to drop the packets. |
| SSL optimization for non-IPSec tunnels | Specifies whether the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates in Orchestrator. This activity can apply to the entire distributed network of EdgeConnect appliances or to a specified group of appliances. |
| Bridge loop test | This is only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it detects a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions. |
| Enable IGMP snooping | IGMP snooping is a common Layer 2 LAN optimization that restricts the transmission of multicast frames to ports where multicast streams have been detected. Disabling this feature floods multicast packets to all ports. IGMP snooping is recommended and enabled by default. |
| Auto flow re-classify | Specifies how often to do a policy lookup. The default is 60 seconds. Shortening this interval can increase the workload on an EdgeConnect to complete tasks such as VRRP convergence. |
| IPSec UDP port | Specifies the port that Orchestrator uses to build IPSec UDP tunnels. If the field is blank, Orchestrator uses the default. |
| Enable/disable default DNS lookup | Cloud portal name lookup through default DNS (8.8.8.8) can be enabled or disabled through the System Information tab for appliances. |
| Enable HTTP/HTTPS snooping | Enables a more granular application classification of HTTP/HTTPS traffic by inspecting the HTTP/HTTPS header, specifically the Host field. Enable is the default setting. |
| Quiescent tunnel keep alive time | Specifies the rate at which to send keep alive packets after a tunnel has become idle (quiescent mode). The default is 60 seconds. |
| UDP flow timeout | Specifies how long to keep the UDP session open after traffic stops flowing. The default is 120 seconds (2 minutes). |
| Non-accelerated TCP flow timeout | Specifies how long to keep the TCP session open after traffic stops flowing. The default is 1800 seconds (30 minutes). |
| Maximum TCP MSS | Maximum Segment Size. The default value is 1328 bytes. This ensures that packets are not dropped for being too large. You can adjust the value (500 to 9000) to lower the MSS of a packet if your environment requires a lower size. |
| NAT-T keep alive time | If a device is behind a NAT, this specifies the rate at which to send keep alive packets between hosts to keep the mappings in the NAT device intact. |
| Tunnel alarm aggregation threshold | Specifies the number of alarms to allow before alerting the tunnel alarm. |
| Maintain end-to-end overlay mapping | Enforces the same overlay to be used end-to-end when traffic is forwarded on multiple nodes. |
| IP directed broadcast | Allows an entire network to receive data that only the target subnet initially receives. |
| Allow WAN to WAN routing | Redirects inbound WAN traffic back to the WAN. |
| Allow Unknown Destination Role | Indicates whether to allow unknown destination roles. |
| Stateful-SNAT exceptions | The name of the address group configured for Stateful-SNAT exceptions (for example, Stateful-SNAT-Exceptions). To set up this address group, see Disable Stateful+SNAT Processing for Selected LAN-side Subnets below. |
Disable Stateful+SNAT Processing for Selected LAN-side Subnets
Most internet providers require that flows originate from the WAN-side IP address assigned to the appliance. When Stateful+SNAT is configured on a WAN-side interface, all traffic that leaves the interface will be Source NATed to the IP address of the WAN-side interface.
In certain situations, you want the original LAN-side IP address to be seen by the upstream network. You can use the Stateful-SNAT exceptions feature to avoid Source NATing for specific IP addresses or subnets.
Considerations:
- Stateful-SNAT exceptions apply only to appliances with firewall mode set to “Stateful+SNAT”.
- Exceptions apply only to outbound flows destined to external addresses.
- Inbound flows initiated from the WAN side toward IP addresses within the address group rely on existing inbound port-forwarding functionality.
- SNAT exceptions apply to the default segment only, not VRF SNAT.
- This feature does not support IPv6 because the address groups feature does not support IPv6.
- The Stateful-SNAT-exceptions feature works for directly connected WAN-side labels. Labels configured on the other side of an EdgeHA link are not supported.
You can use the System template to set up Stateful-SNAT exceptions for all appliances or the System Information dialog box for individual appliances. To set up exceptions for all appliances, see System Template.
To set up Stateful-SNAT exceptions for individual appliances:
- Create an address group for all public IP space (subnets) used by your network across all branches, as follows:
  - Navigate to Configuration > Templates & Policies > ACLs > Address Groups. The Address Groups tab opens.
  - Click Add Group. The Add Address Group dialog box opens.
  - In the Group name field, enter an appropriate name for the Stateful-SNAT exceptions (for example, Stateful-SNAT-Exceptions).
  - In the IPs to include and IPs to exclude fields, enter IP addresses/masks to include/exclude individually or IP prefixes to include/exclude multiple addresses at once, as appropriate. Use commas to separate entries.
  - If desired, use the Comment field to state the purpose of this address group.
  - Click Add.
- In the Stateful-SNAT Exceptions field on the System Settings page of the System Information dialog box, enter the name of the address group you created for Stateful-SNAT exceptions, and then click Save.
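Before entering the include and exclude lists, it helps to review them offline, because every address in the group leaves the WAN interface without Source NAT. The following Python sketch is an added example, not part of the product or its documentation: it parses the two comma-separated fields, rejects IPv6 entries, and warns about private ranges and misplaced excludes. The function names, the sample values, and the "included and not excluded" membership rule are assumptions.

```python
import ipaddress

# RFC 1918 private ranges: normally not addresses you want visible upstream.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entries(field):
    """Parse a comma-separated field of IPv4 addresses or prefixes."""
    nets = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
        if net.version != 4:
            raise ValueError(f"IPv6 is not supported in address groups: {entry}")
        nets.append(net)
    return nets

def review_group(include, exclude):
    """Return (include_nets, exclude_nets, warnings) for a planned group."""
    inc, exc = parse_entries(include), parse_entries(exclude)
    warnings = []
    for net in inc:
        if any(net.overlaps(p) for p in RFC1918):
            warnings.append(f"include {net} overlaps private (RFC 1918) space")
    for net in exc:
        if not any(net.subnet_of(i) for i in inc):
            warnings.append(f"exclude {net} is outside every include entry")
    return inc, exc, warnings

def is_exempt(src, inc, exc):
    """Assumed semantics: in the group if included and not excluded."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in inc) and not any(addr in n for n in exc)

# Constructed sample values (documentation ranges stand in for public space).
INCLUDE = "203.0.113.0/24, 198.51.100.10, 10.20.0.0/16"
EXCLUDE = "203.0.113.128/25"

if __name__ == "__main__":
    inc, exc, warnings = review_group(INCLUDE, EXCLUDE)
    for w in warnings:
        print("WARNING:", w)
    for src in ("203.0.113.5", "203.0.113.200", "10.20.1.1", "192.0.2.1"):
        print(src, "keeps its address" if is_exempt(src, inc, exc) else "is source NATed")
```

A warning about private space is a prompt to confirm that the entry is intentional, since the upstream network would see those LAN-side addresses unmodified.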