Introduction
UTM Offload lets the AR4050S hand some of its security and threat protection features (IPS, IP Reputation, Malware Protection, and URL Filtering) to a secondary physical or virtual machine, the offload device, which the AR4050S manages automatically.
Offloading these features can up to double WAN connection throughput when they are used for real-time threat protection.
Security features are configured as normal on the AR4050S. Whenever UTM Offload is enabled, the following advanced threat protection features are offloaded if they are configured:
- IPS
- IP Reputation
- Malware Protection
- URL Filtering
For more on configuring these protection features, see the Advanced Network Protection Feature Overview Guide.
The AR4050S automatically manages the offload device for you. You do not need to configure the offload device, and the configuration and status of every feature are presented the same way whether the feature is offloaded or not.
Setting up UTM Offload
These are the steps required to set up UTM Offload:
- Purchase, download, and install the UTM Offload license on the AR4050S
- Purchase, download, and install the security and threat protection license on the AR4050S
- Enable UTM Offload on the AR4050S (the forwarding device)
- Set up the offload device
Purchasing, downloading, and installing the UTM Offload license
Both a UTM Offload license and a security and threat protection features license are required on the AR4050S. For information on purchasing, downloading, and installing licenses, see the Licensing Feature Overview Guide.
Enabling UTM Offload on the AR4050S
To enable UTM Offload on the AR4050S, you must have a direct Ethernet connection between the offload device and the AR4050S, i.e. from the Gigabit eth1 or eth2 port on the AR4050S to an Ethernet port on the offload device. The Ethernet connection must support an MTU of 1582 or higher. For more detail, see the "Setting up the offload device" section below.
You only require a UTM Offload subscription license on the AR4050S; you do not need a license on the offload device.
As an example, to enable UTM Offload using interface eth2 and the subnet 192.168.100.0/24 to boot, communicate with, and manage the offload device, use the following commands:
awplus> enable
awplus# configure terminal
awplus(config)# utm-offload interface eth2 subnet 192.168.100.0/24
To disable UTM Offload, use the following commands:
awplus> enable
awplus# configure terminal
awplus(config)# no utm-offload
Configuration notes
The MTU of the interface facing the UTM Offload device is set to 1582 so that standard 1500-byte Ethernet frames can be carried to the offload device together with the encapsulation overhead that UTM Offload adds. You cannot change this setting.
When configured, the forwarding device's interface that connects to the UTM Offload device is automatically assigned the lowest usable IP address in the subnet (192.168.100.1 for the example above). The interface is reserved for communication with the UTM Offload device; do not configure it manually. The subnet configured for UTM Offload is shown by the show utm-offload command, but the assigned IP address is not.
awplus#show utm-offload
Status: Enabled (Booted)
Interface: eth2
Subnet: 192.168.100.0/24
Resource update interval: 1 hour
The AR4050S manages the offload device and offloads traffic automatically.
Setting up the offload device
The offload device can be any physical computer or virtual machine (VM). To use the UTM Offload feature, there must be a direct Ethernet connection from the forwarding device (AR4050S) to the offload device. The offload device must be configured to PXE boot (network boot) from the forwarding device.
Virtual machine: This article will cover the physical computer setup. For instructions on setting up a virtual machine as an offload device, see Configuring UTM Offload on VMware ESXi Server.
Physical computer: If you want to set up a physical computer as an offload device, the computer must:
• Have a serial port, even if nothing is connected to it.
• Have a SATA controller (the one the SATA drive connects to) that supports AHCI.
• Have a direct Ethernet connection to the AR4050S, i.e. from the Gigabit eth1 or eth2 port on the AR4050S to an Ethernet port on the offload device. The Ethernet connection must support an MTU of 1582 or higher.
• Be configured to network boot from the AR4050S. This is usually done by changing the BIOS settings on the offload device and enabling PXE boot.
- PXE boot does not currently support IPv6, so the Ethernet interface used for offloading is configured with IPv4.
- The PC vendor's website will have information about how to enable PXE boot. For example, to enable PXE boot on Intel Desktop Boards, see Intel Support.
Specifications
The offload device must have the following minimum specifications:
UTM Offload Device Specifications
■ Multi-core 64-bit x86 processor
■ i5 CPU with 4 cores and 2.3-2.8GHz clock speed
■ 2GB of RAM
■ 4GB of Flash/HDD
■ VMware ESXi Hypervisor 6.x (Note: VMware is the only supported hypervisor if UTM Offload is not run directly on the offload device.)
■ A network card (NIC). Supported models: Intel e1000, Intel e1000e, Intel igb, VMware vmxnet3
■ At least one non-USB storage device
■ On-board serial port
■ Storage devices that support AHCI mode. If using a SATA HDD, the SATA controller (which the SATA drive connects to) needs to support AHCI.
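As an added example (not Allied Telesis code and not part of this guide), the following POSIX shell script checks a candidate PC against the requirements listed above before you cable it to the AR4050S. It is meant to be run as root from a live Linux booted on that PC. The /sys and /proc paths it reads, and the method of probing MTU support by attempting to set it, are assumptions about that live environment; the thresholds are the minimums from the table.

```shell
#!/bin/sh
# Added example, not Allied Telesis code: pre-flight check for a physical PC
# you intend to PXE-boot as a UTM Offload device. Run it as root from a live
# Linux booted on that PC, before cabling it to the AR4050S. The thresholds are
# the minimums from the specification table; the /sys and /proc paths are an
# assumption about the live Linux environment, not something the AFA image exposes.

MIN_CORES=4
MIN_RAM_KB=$((2 * 1024 * 1024))             # 2GB
MIN_DISK_BYTES=$((4 * 1024 * 1024 * 1024))  # 4GB
MIN_MTU=1582                                # fixed MTU used on the offload link

# --- Pure checks: take their input as arguments so they can be tested offline.
driver_supported() {      # $1 = kernel driver bound to the NIC
    case "$1" in
        e1000|e1000e|igb|vmxnet3) return 0 ;;
        *) return 1 ;;
    esac
}
arch_ok()  { [ "$1" = "x86_64" ]; }                 # $1 = output of uname -m
cores_ok() { [ "${1:-0}" -ge "$MIN_CORES" ]; }      # $1 = online CPU count
ram_ok()   { [ "${1:-0}" -ge "$MIN_RAM_KB" ]; }     # $1 = MemTotal in kB
disk_ok()  { [ "${1:-0}" -ge "$MIN_DISK_BYTES" ]; } # $1 = disk size in bytes
mtu_ok()   { [ "${1:-0}" -ge "$MIN_MTU" ]; }        # $1 = MTU the NIC accepted

# --- Probes: read the running system.
nic_driver() {            # $1 = interface name, e.g. eth0
    basename "$(readlink "/sys/class/net/$1/device/driver" 2>/dev/null)"
}
nic_max_mtu() {           # try to raise the MTU; the kernel refuses if the NIC cannot carry it
    if ip link set dev "$1" mtu "$MIN_MTU" 2>/dev/null; then
        cat "/sys/class/net/$1/mtu"
    else
        echo 0
    fi
}
has_serial() {            # type 0 (PORT_UNKNOWN) means the kernel found no UART behind ttyS0
    t=$(cat /sys/class/tty/ttyS0/type 2>/dev/null || echo 0)
    [ "$t" != "0" ]
}
has_ahci() {              # the SATA controller must be running in AHCI mode
    grep -qsx ahci /sys/class/scsi_host/host*/proc_name
}
first_non_usb_disk() {    # prints "<name> <bytes>" for the first non-USB block device
    for d in /sys/block/sd* /sys/block/nvme*n* /sys/block/vd*; do
        [ -e "$d/size" ] || continue
        case "$(readlink -f "$d")" in *usb*) continue ;; esac
        echo "$(basename "$d") $(( $(cat "$d/size") * 512 ))"   # size is in 512-byte sectors
        return 0
    done
    return 1
}

# --- Run every check against interface $1 and report PASS/FAIL per requirement.
preflight() {
    nic="${1:?usage: preflight <interface>}"
    fail=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fail=1; fi; }
    report arch_ok "$(uname -m)"
    report cores_ok "$(nproc)"
    report ram_ok "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
    report driver_supported "$(nic_driver "$nic")"
    report mtu_ok "$(nic_max_mtu "$nic")"
    report has_serial
    report has_ahci
    set -- $(first_non_usb_disk)   # $1 = device name, $2 = size in bytes
    report disk_ok "${2:-0}"
    return "$fail"
}

# Usage: UTM_NIC=eth0 sh preflight.sh   (nothing is probed when UTM_NIC is unset)
if [ -n "${UTM_NIC:-}" ]; then
    preflight "$UTM_NIC"
fi
```

The MTU probe relies on the kernel rejecting an MTU the NIC driver cannot carry, so it needs CAP_NET_ADMIN; run unprivileged, it reports 0 and the check fails. The AHCI check matches the table's SATA wording: a machine whose only disk is NVMe passes the disk-size check but not the AHCI check.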
About the Offload Image
The Allied Telesis Next Generation Firewall Appliance (AFA) software release is the image that is automatically downloaded and installed into the UTM Offload device.
The offload image is downloaded from the Update Server by the forwarding device and used to network boot the offload device. The forwarding device automatically downloads a compatible offload image version from the Update Server. Offload image version numbering aligns with other AlliedWare Plus software versions.
For example, an AR4050S running 5.4.8-1.1 downloads the 5.4.8-1.1 version of the AFA image. This process is automatically managed by the Update Server which ensures the correct version is offered to the AR4050S. You do not have to worry about getting the right version of AFA image to match your AlliedWare Plus software release. It is not possible for the forwarding device to boot the offload device with the wrong release.
Checking for image updates on the offload device
New offload device images are downloaded automatically by the forwarding device when they are detected.
The default interval for checking for offload image updates is 60 minutes. You can change this interval.
For example, to change the interval to 12 hours, use the following commands:
awplus# configure terminal
awplus(config)# utm-offload update-interval hours 12
The utm-offload update-interval command parameters:
awplus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# utm-offload update-interval ?
  days     Interval in days
  hours    Interval in hours
  minutes  Interval in minutes
  never    Never update the resource
  weeks    Interval in weeks
awplus(config)# utm-offload update-interval hours 12
The offload device image is downloaded from the resource server. The offload resource is tied to the software release that the AR4050S is running. For more information on the AlliedWare Plus Update Manager, see the Update Manager Feature Overview and Configuration Guide.
Note: If you set the update interval to never and then upgrade the forwarding device to a later release without running the command update afa_offload now, the offload device may stop working, because the offload image must match the forwarding device's release.
Configuring Firewall and NAT allowing UTM Offload on the AR4050S
The following is a simple firewall and NAT configuration that allows UTM Offload to operate.
Configuration notes
- Rule 30 allows the AR4050S itself (the router host in the public zone) to reach the Update Server.
- You need to configure a DNS server address so that the Update Server can be resolved.
- The offload device synchronizes its time from the forwarding device. This ensures log messages are correctly time-stamped, so NTP is configured on the forwarding device (AR4050S).
Example:
zone private
 network lan
  ip subnet 192.168.10.0/24 interface vlan1
 network offload
  ip subnet 192.168.100.0/24 interface eth2
!
zone public
 network all
  ip subnet 0.0.0.0/0 interface eth1
  host router
   ip address dynamic interface eth1
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit any from public.all.router to public
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
ntp server <URL>
!
utm-offload interface eth2 subnet 192.168.100.0/24
!
ip name-server
!
interface vlan1
 ip address 192.168.10.1/24
!
interface eth1
 ip address dhcp
!
UTM Offload Logging
The following UTM Offload items are logged:
- Changes in the state of the offload device.
- Communication failures between the AR4050S and the offload device.
- Existing UTM feature log messages, which appear in the AR4050S log transparently.
- Other general log messages generated by the offload device, which appear in the AR4050S log transparently.
- Messages from the offload device that appear in the AR4050S log have the offload device's IP address, the timestamp of when the message was generated, and the string "offload" inserted.
When the AR4050S detects that the offload device is no longer present, it:
- writes a log message,
- stops sending packets to the offload device for processing, and
- installs a rule that blocks traffic from being forwarded through the forwarding device. Management of the forwarding device continues, but user traffic is not forwarded unprotected; the device fails closed rather than open.
Checking the UTM offload status
To see the status of the offload device, use the show utm-offload command:
awplus#show utm-offload
Status: Enabled (Booted)
Interface: eth2
Subnet: 192.168.100.0/24
Resource update interval: 1 hour
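An added example, not from this guide or Allied Telesis: a POSIX shell check that parses show utm-offload output and alerts unless the offload device is booted on the expected interface and subnet. It assumes you already capture the command output somehow (over SSH, from a console session, or through a management tool); the capture method is not shown. The sample input is the healthy output above; the "Disabled" input used to exercise the alert path is constructed, not a string the AR4050S is documented to print.

```shell
#!/bin/sh
# Added example, not Allied Telesis code: turn "show utm-offload" output into a
# monitoring check. An absent offload device makes the AR4050S block forwarded
# traffic, so "Enabled (Booted)" is the only state in which user traffic flows.
# How you collect the output (SSH, console capture, a management tool) is up to
# you and is assumed, not shown.

# Print the value of one "Key: value" line from show utm-offload output on stdin.
# Keys may contain spaces (e.g. "Resource update interval"), so match the line prefix.
offload_field() {   # $1 = key without the trailing colon
    awk -v key="$1:" 'index($0, key) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed only when UTM Offload is enabled and the offload device has booted.
offload_booted() {  # show utm-offload output on stdin
    [ "$(offload_field Status)" = "Enabled (Booted)" ]
}

# Succeed when the offload link matches the interface and subnet you configured;
# catches someone re-pointing utm-offload at a different interface or subnet.
offload_matches() { # $1 = expected interface, $2 = expected subnet, output on stdin
    out=$(cat)
    [ "$(printf '%s\n' "$out" | offload_field Interface)" = "$1" ] &&
    [ "$(printf '%s\n' "$out" | offload_field Subnet)" = "$2" ]
}

# Run both checks on a captured copy of the output; returns 0 only when healthy.
check_offload() {   # $1 = expected interface, $2 = expected subnet, $3 = output text
    printf '%s\n' "$3" | offload_booted || { echo "ALERT: offload device not booted"; return 1; }
    printf '%s\n' "$3" | offload_matches "$1" "$2" || { echo "ALERT: offload link changed"; return 1; }
    echo "OK: offload device booted on $1 ($2)"
}

# Sample input: the healthy output shown in this guide.
SAMPLE_UP='Status: Enabled (Booted)
Interface: eth2
Subnet: 192.168.100.0/24
Resource update interval: 1 hour'

check_offload eth2 192.168.100.0/24 "$SAMPLE_UP"
```

Because the forwarding device blocks user traffic while the offload device is absent, treat a non-zero exit from check_offload as an outage, not merely a degraded-protection condition.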
To see the resources downloaded by the forwarding device, including the offload image (afa_offload), use the command:
awplus#show resource
--------------------------------------------------------------------------------
Resource Name        Status    Version                       Interval  Last Download             Next Download Check
--------------------------------------------------------------------------------
webgui               Sleeping  -                             never     None                      N/A
afa_offload          Sleeping  afa_offload_5.4.9-1.6_v1      1 hour    None                      Fri 18 Jun 2021 09:09:41
iprep_et_rules       Sleeping  iprep_et_rules_v17004         1 hour    Fri 18 Jun 2021 07:13:35  Fri 18 Jun 2021 09:13:33
av_kaspersky_stream  Sleeping  av_kaspersky_stream_a_v14709  1 hour    Thu 17 Jun 2021 19:13:40  Fri 18 Jun 2021 09:13:33
awplus# sh ip-reputation
Status: Enabled (Active)
Events: 0
Provider: Proofpoint
Resource version: iprep_et_rules_v17004
Entry count: 35986
Status: Enabled
Resource update interval: 1 hour
awplus# sh malware-protection
Status: Enabled (Active)
Events: 0
Provider: Kaspersky
Resource version: av_kaspersky_stream_a_v14708
Resource update interval: 1 hour