Administrative features
In this section, the administrative features of the Exinda SD-WANSoftware-Defined Wide Area Network are described.
The Exinda SD-WANWide Area Network Management Interface can be configured so that it can be accessed only with the entry of a username and password. With the default factory settings, entry of a password is not required.
The Exinda SD-WAN Management Interface password can be configured on the Admin tab so that it would require a password to access it.
To configure the feature:
- Go to the Admin tab.
- Click the status under Web Interface Password and set it to Enabled. The default username is admin.
- Set the password by entering it in the Web Interface Password field. Type in the password twice to ensure it is accurately recorded, then click Apply.
Configuration of this feature causes the Exinda SD-WAN to restart.
This feature allows restricting the access to the Exinda SD-WAN Management Interface to only the IPs provided in this field. For example, if the administrator for the device wants to access the device remotely from the IPInternet protocol 76.211.117.87, the Web Allow IPs field can be configured accordingly, which would restrict the access to the Exinda SD-WAN Management Interface to only this particular IP.
The LANLocal area network user interface defines the protocol used to access the Exinda SD-WAN Management Interface from the LAN side. By default this would be set to HTTP.
The Exinda SD-WAN Management Interface can be configured so that it can be accessed externally from the internet via the Exinda SD-WAN WAN ports. To enable this feature, go to the Admin tab and click on the status indicator of the WAN HTTP Port entry in the displayed status table. The pop-up window allows configuration of the feature. If the feature is enabled, a port number must be specified.
If the feature is enabled, the Exinda SD-WAN Management Interface can be remotely accessed from the internet through any of the public IP addresses for the Exinda SD-WAN. These public IP addresses can be obtained from the External IP column in the WAN status table on the Home tab of the Exinda SD-WAN Management Interface. The URL through which the Exinda SD-WAN Management Interface can be accessed is given by the external IP address appended with the assigned port number. For example, if one of the external IP addresses for the Exinda SD-WAN is 76.211.117.87 and the Remote Web Interface is enabled through port 8080, then the Exinda SD-WAN Management Interface can be accessed through the URL http://76.211.117.87:8080.
If Pass Through mode is enabled on WAN interface 1, the Exinda SD-WAN Management Interface can be accessed externally from the internet through the IP address of the router/firewall that is connected to the LAN port of the Exinda SD-WAN. For example, if the IP address of this router is 76.37.181.2 and the WAN HTTP Port is accessed through port 8080, then the Exinda SD-WAN Management Interface can be externally accessed through the URL http://76.37.181.2:8080. Note that in this example from a host on the LAN of the Exinda SD-WAN, packets addressed to 76.37.181.2 are forwarded to the router/firewall and not the Exinda SD-WAN. To access the Exinda SD-WAN Management Interface from the Exinda SD-WAN LAN, the Exinda SD-WAN LAN address should be used (for example, the default Exinda SD-WAN LAN address 192.168.254.99).
If the WAN HTTP Port is enabled, then it is highly recommended that a web interface password be configured to prevent unauthorized access to the Exinda SD-WAN from the public Internet.
The WAN HTTPS Port 8081 allows remote access of the Exinda SD-WAN Management Interface by using HTTPS. The URL through which the Exinda SD-WAN Management Interface can be accessed is given by the external IP address appended with the assigned port number. For example, if one of the external IP addresses for the Exinda SD-WAN is 76.211.117.87 and the Remote Web Interface is enabled through port 8081, then the Exinda SD-WAN Management Interface can be accessed through the URL http://76.211.117.87:8081.
If Pass Through mode is enabled on WAN interface 1, the Exinda SD-WAN Management Interface can be accessed externally from the Internet through the IP address of the router/firewall connected to the LAN port of the Exinda SD-WAN. For example, if the IP address of this router is 76.37.181.2 and the WAN HTTP Port is accessed through port 8081, then the Exinda SD-WAN Management Interface can be externally accessed through the URL http://76.37.181.2:8081. Note that in this example from a host on the LAN of the Exinda SD-WAN, packets addressed to 76.37.181.2 is forwarded to the router/firewall and not the Exinda SD-WAN. To access the Exinda SD-WAN Management Interface from the Exinda SD-WAN LAN, the Exinda SD-WAN LAN address should be used (e.g. the default Exinda SD-WAN LAN address 192.168.254.99).
The Exinda SD-WAN has a maintenance mode for remote troubleshooting by GFI Support. This allows external access to the Exinda SD-WAN by GFI Support over the internet. Normally this mode should be disabled, and it is disabled in the default factory settings.
To configure the feature:
- Go to the Admin tab.
- Click the status for Maintenance Mode, then set it to Disabled or Enabled. This generates a pop-up window to prompt the user to configure the feature.
- Click Apply to make the changes.
The Exinda SD-WAN has an option to configure VRRPVirtual Router Redundancy Protocol (Virtual Router Redundancy Protocol), which is designed to increase the availability of the default gateway-servicing hosts on the same subnet. By default this feature is disabled but can be enabled on the Admin tab.
VRRP mode can be configured to be either as master or slave depending on which physical router is doing the actual routing. In case of failure of the master router, the slave router which was configured as a virtual router automatically replaces it. VRRP ID is the Virtual Router Identifier (VRIDVirtual Router Identifier), which uniquely identifies each virtual router in the subnet. This is a configurable item in the range 1-255 (decimal) and has no default value.
VRRP Priority is an 8-bit unsigned integer field with higher value indicating higher priority. The master should be given the highest priority. Care should be taken in configuring this field as the master should always be given highest priority compared to the slaves or this could cause instability in the network. Virtual IP is the IP address of the Exinda SD-WAN device depending on which interface is connected to the subnet.
Here is an example setup:
Enabling force VLL reroutes break connections through the box when a path through the VLL is established. This ensures the connections, when re-established, is routed through the VLL.
The Exinda SD-WAN supports sending of email alarms to a specified address when a serious event occurs. A “serious” event is defined by a WAN interface going down or coming back up without manually enabling or disabling the WAN interface.
To configure email alarms:
- Go to the Admin tab.
- Click the status for Mail Notification, which is either Disabled or Enabled.
- Enter the email address and the IP address of the SMTPSimple Mail Transfer Protocol server in the pop-up window to receive the alarms. Typically, this is the SMTP server on the Exinda SD-WAN LAN.
In order to test the configuration, a WAN interface can be manually brought down and up again by disconnecting the cable from an active WAN interface which triggers an email alarm to be sent to the designated address and server.
The Exinda SD-WAN has a built in SNMPSimple Network Management Protocol (Simple Network Management Protocol) agent running on the device which can be accessed by any SNMP browser or SNMP client application. The Exinda SD-WAN supports MIB2 (RFC 1213) management information base (MIBManagement Information Base). You can enable the SNMP feature on the Admin tab.
Asynchronous notification by using SNMP traps for WAN links getting Connected and Disconnected can also be pushed to a Trap server IP .
By using external SNMP management and graphing tools you can retrieve interface statistics from the GFI Exinda SD-WAN device. The following is an example graph for one of the WAN statistics using MRTG grapher:
Note that any host on the Exinda SD-WAN LAN can access the SNMP interface. For external network access to the SNMP interface the Exinda SD-WAN firewall needs to be configured to allow SNMP traffic from the outside that uses port 161. To do this, go to the Firewall tab in the Exinda SD-WAN Management Interface and add a rule that permits inbound traffic on port 161 for UDPUser Datagram Protocol protocol. In rare cases it may be necessary to also add a rule that permits inbound traffic on port 161 for TCPTransmission Control Protocol protocol.
If this option is disabled, if your DHCPDynamic Host Configuration Protocol server fails to provide DNSDomain Name Server servers the device attempts to re-DHCP onto the network. This handles cases where the DHCP server is in a bad state, but can prevent accessing an unconfigured server to configure it.