Allied Telesis Support Portal

How to configure UTM Offload on AT AR4050S on Alliedware Plus.

How to configure UTM Offload on AT Routers?

Introduction

UTM Offload enables some security and threat protection features (IPS, IP Reputation, Malware Protection, and URL Filtering) to be offloaded to a secondary physical or virtual machine that is automatically managed by the AR4050S.


UTM Offload can up to double WAN connection throughput when using these features for real-time threat protection.
Security features are configured as normal on the AR4050S device, but whenever UTM Offload is enabled, the following advanced threat protection features are all offloaded, if they are configured:

  • IPS

  • IP Reputation

  • Malware Protection

  • URL Filtering

For more on configuring these protection features, see the Advanced Network Protection Feature Overview Guide.


The AR4050S automatically manages the offload device for you. You don’t need to configure the offload device, as configuration and the status of all features is presented the same whether offloaded or not.
 

Setting up UTM Offload

These are the steps required to set up UTM Offload.

  • Purchase, download, and install the UTM Offload license on the AR4050S

  • Purchase, download, and install the security and threat protection license on the AR4050S

  • Enable UTM Offload on the AR4050S (the forwarding device)

  • Set up the offload device
     

Purchasing, downloading, and installing the UTM Offload license

A UTM Offload license and a security and threat protection features license are both required on the AR4050S. For information on purchasing, downloading, and installing licenses, see the Licensing Feature Overview Guide.
 

Enabling UTM Offload on the AR4050S

To enable UTM Offload on the AR4050S, you must have a direct Ethernet connection between the offload device and the AR4050S, i.e. from the Gigabit eth1 or eth2 port on the AR4050S to an Ethernet port on the offload device. The Ethernet connection must support an MTU of 1582 or higher. For more detail, see the "Setting up the offload device" section below.

You only require a UTM Offload subscription license on the AR4050S; you do not need a license on the offload device.

As an example, to enable UTM Offload and configure interface eth2 and subnet 192.168.100.0/24 to boot, communicate with, and manage the offload device, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# utm-offload interface eth2 subnet 192.168.100.0/24


To disable UTM Offload, use the following command:

awplus> enable
awplus# configure terminal
awplus(config)# no utm-offload


Configuration notes
The MTU of the UTM Offload device interface is set to 1582 to support the overhead required on top of standard Ethernet frames. You cannot change this setting.

When configured, the interface of the forwarding device which connects to the UTM Offload device is automatically assigned an IP address, which is the lowest usable address in the subnet. The interface is reserved for communication with the UTM Offload device and you should not manually configure this interface. The configured IP subnet used for UTM Offload is visible in the show utm-offload command output; however, the assigned IP address is not visible.

awplus#show utm-offload  
Status: Enabled (Booted)  
Interface: eth2  
Subnet: 192.168.100.0/24  
Resource update interval: 1 hour 


The AR4050S manages the offload device and offloads traffic automatically.
 

Setting up the offload device

The offload device can be any physical computer or virtual machine (VM). To use the UTM Offload feature, there must be a direct Ethernet connection from the forwarding device (AR4050S) to the offload device. The offload device must be configured to PXE boot (network boot) from the forwarding device. 

Virtual machine: This article will cover the physical computer setup. For instructions on setting up a virtual machine as an offload device, see Configuring UTM Offload on VMware ESXi Server

Physical computer: If you want to set up a physical computer as an offload device, then the computer must:

  • Have a serial port, even if nothing is connected to that serial port.

  • Have a SATA controller (which the SATA drive connects to) that supports AHCI.

  • Have a direct Ethernet connection between itself and the AR4050S, i.e. from the Gigabit eth1 or eth2 port on the AR4050S to an Ethernet port on the offload device. The Ethernet connection must support an MTU of 1582 or higher.

  • Be configured to network boot from the AR4050S. This is usually done by changing the BIOS settings on the offload device and enabling PXE boot.

Notes:

  • PXE boot does not currently support IPv6, therefore the Ethernet interface used for offloading is configured with IPv4.

  • The PC vendor's website will have information about how to enable PXE boot. For example, to enable PXE boot for Intel Desktop Boards, see Intel Support.
     

Specifications 

The offload device must have the following minimum specifications: 

UTM Offload Device Specifications

■ Multi-core 64-bit x86 processors

■ i5 CPU with 4 cores and 2.3-2.8GHz clock speed

■ 2GB of RAM

■ 4GB of Flash/HDD

■ VMware ESXi Hypervisor 6.x 
    (Note: VMware is the only supported hypervisor if UTM Offload is not run directly on the offload device.)

■ A network card (NIC). Supported models:  
    ■ Intel e1000 
    ■ Intel e1000e 
    ■ Intel igb 
    ■ VMware vmxnet3

■ At least one non USB storage device

■ On-board serial port.

■ Storage devices: Devices that support AHCI mode. 
    ■ If using a SATA HDD, the SATA controller (which the SATA drive connects to) needs to support AHCI

 

About the Offload Image 

The Allied Telesis Next Generation Firewall Appliance (AFA) software release is the image that is automatically downloaded and installed into the UTM Offload device. 
The offload image is downloaded from the Update Server by the forwarding device and used to network boot the offload device. The forwarding device automatically downloads a compatible offload image version from the Update Server. Offload image version numbering aligns with other AlliedWare Plus software versions. 
For example, an AR4050S running 5.4.8-1.1 downloads the 5.4.8-1.1 version of the AFA image. This process is automatically managed by the Update Server which ensures the correct version is offered to the AR4050S. You do not have to worry about getting the right version of AFA image to match your AlliedWare Plus software release. It is not possible for the forwarding device to boot the offload device with the wrong release. 

Checking for image updates on the offload device 
New offload device images are automatically downloaded by the forwarding device when detected. 
The default interval used to detect offload image updates is 60 minutes. You can manually change this setting.
For example, to change the time interval to 12 hours, use the following commands:

awplus# configure terminal
awplus(config)# utm-offload update-interval hours 12

The utm-offload update-interval command parameters 

awplus# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z. 
awplus(config)# utm-offload update-interval? 
days         Interval in days 
hours        Interval in hours 
minutes      Interval in minutes 
never        Never update the resource 
weeks        Interval in weeks 
awplus(config)# utm-offload update-interval hours 12

The offload device image is downloaded from the resource server. The offload resource is tied to the release of software that the AR4050S is running. For more information on the AlliedWare Plus Update Manager, see the Update Manager Feature Overview and Configuration Guide.

Note: Configuring the update interval to never and then upgrading the forwarding device to a later release without running the command "update afa_offload now" may result in the offload device not working.

Configuring Firewall and NAT allowing UTM Offload on the AR4050S 
The following is a simple configuration for firewall and NAT allowing UTM Offload. 

 

Configuration notes

  • Rule 30 will allow the device to access the Update Manager.

  • You need to configure a DNS Server address to allow communication with the update manager.

  • The offload device synchronizes its time from the forwarding device. This ensures log messages are correctly time-stamped; therefore, NTP is configured on the forwarding device (AR4050S).


Example:

zone private
 network lan
  ip subnet 192.168.10.0/24 interface vlan1
 network offload
  ip subnet 192.168.100.0/24 interface eth2
!
zone public
 network all
  ip subnet 0.0.0.0/0 interface eth1
 host router
  ip address dynamic interface eth1
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit any from public.all.router to public
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
ntp server <URL>
!
utm-offload interface eth2 subnet 192.168.100.0/24
!
ip name-server
!
interface vlan1
 ip address 192.168.10.1/24
!
interface eth1
 ip address dhcp
!
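The configuration notes above (offload subnet placed in a zone, DNS and NTP configured, the offload interface left unconfigured) are easy to miss in a hand-written running-config. The following Python script is an added example, not Allied Telesis code: it reads a saved running-config as text and reports which of those notes are violated. The sample configuration is constructed from the example above; the DNS server address 192.168.10.53 and NTP server 192.168.10.254 are made-up placeholders.

```python
import re
from typing import List

# Constructed sample, modelled on the article's firewall/NAT example.
# 192.168.10.53 (DNS) and 192.168.10.254 (NTP) are placeholder addresses.
SAMPLE_CONFIG = """\
zone private
 network lan
  ip subnet 192.168.10.0/24 interface vlan1
 network offload
  ip subnet 192.168.100.0/24 interface eth2
!
zone public
 network all
  ip subnet 0.0.0.0/0 interface eth1
 host router
  ip address dynamic interface eth1
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit any from public.all.router to public
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
ntp server 192.168.10.254
!
utm-offload interface eth2 subnet 192.168.100.0/24
!
ip name-server 192.168.10.53
!
interface vlan1
 ip address 192.168.10.1/24
!
interface eth1
 ip address dhcp
!
"""

# The article only allows the Gigabit eth1/eth2 ports for the offload link.
OFFLOAD_PORTS = {"eth1", "eth2"}


def check_offload_config(config: str) -> List[str]:
    """Return a list of problems found; an empty list means every check passed."""
    problems: List[str] = []
    m = re.search(r"^utm-offload interface (\S+) subnet (\S+)$", config, re.M)
    if not m:
        return ["no 'utm-offload interface ... subnet ...' line found"]
    iface, subnet = m.groups()

    if iface not in OFFLOAD_PORTS:
        problems.append(f"offload interface {iface} is not one of {sorted(OFFLOAD_PORTS)}")

    # The offload subnet must be declared as a network in a firewall zone on the same interface.
    if not re.search(rf"^\s+ip subnet {re.escape(subnet)} interface {iface}$", config, re.M):
        problems.append(f"subnet {subnet} on {iface} is not declared as a zone network")

    # The AR4050S assigns the offload interface address itself; a manual address is a mistake.
    if re.search(rf"^interface {iface}\n(?:[ \t]+.*\n)*?[ \t]+ip address", config, re.M):
        problems.append(f"interface {iface} has a manual ip address; leave it to UTM Offload")

    # Update Manager needs DNS; offload log timestamps depend on NTP on the forwarding device.
    if not re.search(r"^ip name-server \S+$", config, re.M):
        problems.append("no DNS server configured; Update Manager cannot be reached")
    if not re.search(r"^ntp server \S+$", config, re.M):
        problems.append("no NTP server configured; offload log timestamps will not be synchronised")
    return problems


if __name__ == "__main__":
    for problem in check_offload_config(SAMPLE_CONFIG) or ["configuration passes all checks"]:
        print(problem)
```

Run it against the output of `show running-config` saved to a file; the regular expressions rely on the one-space indentation that AlliedWare Plus uses when it prints a configuration.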

 

UTM Offload Logging 

The following UTM Offload items are logged:

  • Change in state of the offload device.

  • Communication failure between the AR4050S and the offload device.

  • Existing UTM feature log messages appear in the AR4050S log transparently.

  • Other general log messages generated by the offload device appear in the AR4050S log transparently.

  • Messages from the offload device appearing in the AR4050S log have the offload device's IP address, the timestamp for when the message was generated and the string "offload" inserted.

When the AR4050S detects the offload device is no longer present it will: 

  • Output a log.

  • Stop sending packets to the offload device for processing

  • Install a rule to block traffic from being forwarded across the forwarding device (this allows management of the forwarding device to continue, but continues to protect the user).


Checking the UTM offload status 
To see the status of the offload device, use the command: 

awplus# show utm-offload

Output from show utm-offload

awplus#show utm-offload 
Status: Enabled (Booted) 
Interface: eth2 
Subnet: 192.168.100.0/24 
Resource update interval: 1 hour 


To see the resources running on the offload device, use the command:

awplus#show resource 
--------------------------------------------------------------------------------
Resource Name          Status       Version   Interval  Last Download
                                                        Next Download Check
--------------------------------------------------------------------------------
webgui                 Sleeping     -         never     None
                                                        N/A
afa_offload            Sleeping     afa_offload_5.4.9-1.6_v1
                                              1         None
                                              hour      Fri 18 Jun 2021 09:09:41
iprep_et_rules         Sleeping     iprep_et_rules_v17004
                                              1         Fri 18 Jun 2021 07:13:35
                                              hour      Fri 18 Jun 2021 09:13:33
av_kaspersky_stream    Sleeping     av_kaspersky_stream_a_v14709
                                              1         Thu 17 Jun 2021 19:13:40
                                              hour      Fri 18 Jun 2021 09:13:33
awplus# sh ip-reputation
Status:      Enabled (Active)
Events:      0
Provider:    Proofpoint
    Resource version: iprep_et_rules_v17004
    Entry count:      35986
    Status:           Enabled
Resource update interval: 1 hour


awplus# sh malware-protection
Status:      Enabled (Active)
Events:      0
Provider:    Kaspersky
Resource version:         av_kaspersky_stream_a_v14708
Resource update interval: 1 hour
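The two outputs above, together with the note in "Checking for image updates on the offload device" about an update interval of never and a mismatched image release, are the signals an operator would poll. The following Python script is an added example, not Allied Telesis code: it parses captured `show utm-offload` and `show resource` output and reports when the offload device is not booted, when the update interval is never, or when the afa_offload image release differs from the release the AR4050S is running. The sample outputs are copied from this article; the running release is passed in as a string (how you obtain it, for example from `show version`, is an assumption of the example).

```python
import re
from typing import Dict, List, Optional

# Constructed samples, copied from the command output shown in the article.
SHOW_UTM_OFFLOAD = """\
Status: Enabled (Booted)
Interface: eth2
Subnet: 192.168.100.0/24
Resource update interval: 1 hour
"""

SHOW_RESOURCE = """\
--------------------------------------------------------------------------------
Resource Name          Status       Version   Interval  Last Download
                                                        Next Download Check
--------------------------------------------------------------------------------
webgui                 Sleeping     -         never     None
                                                        N/A
afa_offload            Sleeping     afa_offload_5.4.9-1.6_v1
                                              1         None
                                              hour      Fri 18 Jun 2021 09:09:41
iprep_et_rules         Sleeping     iprep_et_rules_v17004
                                              1         Fri 18 Jun 2021 07:13:35
                                              hour      Fri 18 Jun 2021 09:13:33
"""


def parse_show_utm_offload(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of show utm-offload into a dictionary."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def resource_versions(text: str) -> Dict[str, str]:
    """Map resource name -> version from the first line of each show resource row.

    Continuation lines (wrapped Interval/Next Download columns) start with
    whitespace and are skipped; header and separator lines are skipped too.
    """
    versions: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(("-", "Resource")):
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            versions[m.group(1)] = m.group(3)
    return versions


def offload_release(version: str) -> Optional[str]:
    """Extract the AlliedWare Plus release (e.g. 5.4.9-1.6) from an afa_offload version string."""
    m = re.match(r"afa_offload_(\d+\.\d+\.\d+-\d+\.\d+)_v\d+$", version)
    return m.group(1) if m else None


def audit_offload(utm_text: str, resource_text: str, running_release: str) -> List[str]:
    """Return findings; an empty list means the offload device looks healthy."""
    findings: List[str] = []
    status = parse_show_utm_offload(utm_text)
    if status.get("Status") != "Enabled (Booted)":
        findings.append(f"offload device not booted: {status.get('Status', 'unknown')}")
    if status.get("Resource update interval", "").startswith("never"):
        findings.append("update interval is never; run 'update afa_offload now' after upgrading")
    version = resource_versions(resource_text).get("afa_offload")
    release = offload_release(version) if version else None
    if release is None:
        findings.append("afa_offload resource not listed or not yet downloaded")
    elif release != running_release:
        findings.append(f"offload image {release} does not match running release {running_release}")
    return findings


if __name__ == "__main__":
    for finding in audit_offload(SHOW_UTM_OFFLOAD, SHOW_RESOURCE, "5.4.9-1.6") or ["offload healthy"]:
        print(finding)
```

Feed it the two command outputs captured over SSH or the console on a schedule; a "not booted" finding corresponds to the condition under which the AR4050S installs the blocking rule described in the logging section, so it is worth alerting on.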