General Services Sub-Tab Configuration
    22 Jan 2025
    General security service settings are configured on this page. It is recommended to prepare a document that defines how the company security requirements are implemented with the device security settings. To configure general services:

    1. Log in to the Nodegrid Web UI.

    2. Go to Security :: Services :: General Services.

    3. Configure the settings as described in the following sections.

    ZPE Cloud (cloud-based management platform for Nodegrid products)

    Setting

    Description

    Default

    Enable ZPE Cloud

    Select the Enable ZPE Cloud checkbox. Once enabled, this device can be accessed from ZPE Cloud.

    Nodegrid NSR, GSR, BSR, LSR, HSR: Enabled
    Nodegrid Serial Console: Disabled

    ZPE Cloud URL

    Read-only field that is automatically populated with the URL of ZPE Cloud.

    N/A

    Enable Remote Access

    Select this checkbox to allow remote access to the device; this is useful, for example, when you want to take a backup of the device's data.

    Disabled

    Enable File Protection (Optional)

    If enabled, file transfers require an authentication hash derived from this passcode, which is used to validate the integrity and origin of the file. The field is disabled by default. If you enable it, enter Passcode and Confirm Passcode.

    Disabled

    Enable File Encryption

    On the File Encryption Mode menu (select one):

    • Encryption by Passcode radio button. Enter the Encryption Passcode and Confirm the Encryption Passcode.

    • Encryption by an Asymmetric Key radio button. Select the Encryption with Base64 checkbox.

    Disabled

    Active Services

    Setting

    Description

    Default

    System Profile

    The default profile is populated in the System Profile.

    Out of Band

    Enable detection of USB devices

    Detects when a USB device is attached to the Nodegrid device.

    Enabled

    Enable RPC

    Enables Remote Procedure Call (RPC) support, so that services can be requested from programs running on a different machine on the network.

    Disabled

    Enable gRPC

    Enables gRPC service. Specify the gRPC Port (default: 4830).

    Disabled

    Enable FTP Service

    Enables FTP service for file transfers.

    Disabled

    Enable SNMP Service

    Enables SNMP for network management.

    Enabled

    Enable Telnet Service to Nodegrid

    Allows Telnet access to Nodegrid. Specify the Telnet TCP Port (default: 23).

    Disabled

    Enable Telnet Service to Managed Devices

    Allows Telnet access to managed devices.

    Disabled

    Enable ICMP echo reply

    Enables ICMP echo reply for network diagnostics.

    Enabled

    Enable ICMP secure redirects

    Enables secure redirects for ICMP.

    Enabled

    Enable USB over IP

    Enables USB over IP protocol.

    Disabled

    Enable Search Engine

    Enables the device’s search engine. Optionally, enable Dashboards.

    Enabled

    Enable Telegraf

    Enables Telegraf service for data collection.

    Disabled

    Enable Services Status Page

    Provides a status page at `<NG URL>/services/status` to determine functioning services.

    Enabled

    Enable reboot on Services Status Page

    Allows device reboot via the services status page.

    Enabled

    Enable keepalived

    Maintains a keepalive session for the Nodegrid device, ensuring it starts during system reboot.

    You can also enable the keepalived setting via the CLI by entering the following command:

    [admin@nodegrid services]# set enable_keepalived=yes

    Disabled

    Virtualization Services

    Setting

    Description

    Default

    Enable Docker

    When you enable this field, the Docker directory location drop-down list is displayed. It lists all suitable locations to which the Docker daemon and its files can be moved, including any disk or partition that is formatted and mounted. The Default option points to the primary disk location, /var/lib.

    If there is not enough space in the selected folder, an error is displayed.

    If a folder called Docker already exists in the selected location, an error is displayed.

    Enabled

    Enable Qemu/KVM

    Enables Qemu/KVM virtualization.

    Enabled

    Enable VMware Manager

    Enables VMware Manager for virtualization management.

    Enabled

    Cluster TCP Port

    Specify the Cluster TCP Port (default: 9966).

    9966

    Enable Automatic Cluster Enrollment

    Enables automatic enrollment for clusters.

    Disabled

    Search Engine TCP Port

    Specify the Search Engine TCP Port (default: 9300).

    9300

    Enable VM Serial access

    Enables serial port for virtual machine access.

    • VM Serial Port: Specify the VM Serial Port (default: 9977).

    • vMotion timeout(s): Configures the vMotion timeout for virtualization tasks (default: 300).

    Enable Zero Touch Provisioning

    Enables ZTP for the device.

    Enabled

    Enable Bluetooth

    Enables Bluetooth access to the Nodegrid device.

    NOTE:

    Completely enables or disables Bluetooth on the device. When enabled, the device can tether its network connection over Bluetooth without any further configuration, which allows it to be the first device deployed on a network. This temporary connection reaches ZPE Cloud to download the device's full configuration.

    Disabled

    • Display name: This name is displayed on other devices paired with this device via Bluetooth (default: <ProductName_SerialNumber>).

    • Enable Bluetooth Discoverable mode: Enables discovery of, and pairing with, this device by an external device, so that the device can tether its network connection over Bluetooth as the first device deployed on a network; this temporary connection reaches ZPE Cloud to download the full configuration. Once a connection to a trusted device is established, disable discoverable mode so that other devices cannot pair with this device (default: Disabled).

    Enable PXE (Preboot eXecution Environment)

    Enables booting from a software image retrieved at boot time from a network server.

    Enabled

    Block Host with multiple authentication failures

    Blocks hosts when authentication fails multiple times.

    • Period Host will stay blocked (min) (default: 10).

    • Enter Timeframe to monitor authentication fails (min) (default: 10).

    • The number of authentication fails to block the host (default: 5).

    • Whitelisted IP Addresses (comma-separated).

    Disabled
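    As an added illustration (not Nodegrid code), the following Python models the blocking rule described above with the page's default thresholds and replays it over a constructed log; the log-line format with a "from <address>" suffix and the addresses themselves are assumptions, not Nodegrid's event format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable

FAILURE_THRESHOLD, MONITOR_WINDOW, BLOCK_PERIOD = 5, timedelta(minutes=10), timedelta(minutes=10)  # page defaults
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log, modelled on the "Event ID 202" line shown on this page;
# the "from <address>" suffix and the addresses are assumptions.
SAMPLE_LOG = """\
2024-04-17T11:50:00Z Event ID 202: User authentication failed. User: root from 203.0.113.7
2024-04-17T11:50:20Z Event ID 202: User authentication failed. User: admin from 203.0.113.7
2024-04-17T11:50:40Z Event ID 202: User authentication failed. User: root from 203.0.113.7
2024-04-17T11:51:00Z Event ID 202: User authentication failed. User: admin from 203.0.113.7
2024-04-17T11:51:20Z Event ID 202: User authentication failed. User: root from 203.0.113.7
2024-04-17T11:52:00Z Event ID 202: User authentication failed. User: admin from 192.0.2.10
"""
EVENT_RE = re.compile(r"^(?P<ts>\S+) Event ID 202: .* from (?P<host>\S+)$")


class HostBlocker:
    def __init__(self, whitelist: Iterable[str] = ()):
        self.whitelist = set(whitelist)            # whitelisted hosts are never blocked
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked_until: Dict[str, datetime] = {}

    def is_blocked(self, host: str, now: datetime) -> bool:
        return host in self.blocked_until and now < self.blocked_until[host]

    def record_failure(self, host: str, when: datetime) -> bool:
        """Record one failure; return True if it starts a new block for the host."""
        if host in self.whitelist or self.is_blocked(host, when):
            return False
        window = self.failures[host]
        window.append(when)
        while when - window[0] > MONITOR_WINDOW:   # forget failures older than the monitor window
            window.popleft()
        if len(window) < FAILURE_THRESHOLD:
            return False
        self.blocked_until[host] = when + BLOCK_PERIOD
        window.clear()
        return True


def replay(log: str, whitelist: Iterable[str] = ()) -> Dict[str, str]:
    """Run the log through HostBlocker; map each blocked host to its block expiry time."""
    blocker, blocked = HostBlocker(whitelist), {}
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if m and blocker.record_failure(m["host"], datetime.strptime(m["ts"], TS_FMT)):
            blocked[m["host"]] = blocker.blocked_until[m["host"]].strftime(TS_FMT)
    return blocked
```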

    Allow root console access

    Provides administrators the ability to control access to the primary console interface, which includes both the Console Serial Port and the Video VGA/HDMI and USB Keyboard ports.
    To allow root console access, select both Enable console access and Allow root console access fields.
    When console access is disabled:

    1. Critical system components such as Console Live system authentication, bootloaders, and root console access are no longer accessible.

    2. BIOS settings remain accessible; to make them inaccessible, use the Password protected boot feature.

    3. Unchecking Allow root console access disables access for the root user as well; root logins then fail with a "Login incorrect" message, as in the following example.

      login: root

      Login incorrect
      nodegrid login: Event Notification from nodegrid.
      Reported on 2024-04-17T11:51:04z.
      Event ID 202: User authentication failed. User: root on 'ttyS0'.

      System Console Events is turned off.

      Note:

      It's crucial to carefully consider the implications of disabling the main console port. This action may impact low-level maintenance tasks that necessitate direct access to the system. Make sure to evaluate your specific requirements for maintenance and security before disabling Console Access.

    Enabled

    Manage devices

    Setting

    Description

    Default

    Device access is enforced via user group authorization

    Restricts users to the devices listed in their authorization groups. If not enabled, all enrolled devices are available.

    Disabled

    Enable the Autodiscovery

    Enables autodiscovery of the devices when connected to the network.

    Enabled

    FIPS

    Setting

    Description

    Default

    Enable FIPS 140-3

    Enabling FIPS 140-3 on a Nodegrid device ensures FIPS compliance, limiting cryptographic services to the FIPS provider for the applications that rely on OpenSSL for these services.

    1. Network services and ports that rely on OpenSSL for cryptographic services will be FIPS 140-3 compliant when enabled, including:

      • HTTPS (TCP port 443)

      • SSH client and server (TCP port 22)

      • SNMP (TCP port 161)

      • Cluster (TCP port 9966)

        For a more detailed list, refer to the FIPS 140-3 status page (Click on the FIPS 140-3 button on the top right of the web UI).

        NOTE

        Enabling or disabling FIPS 140-3 requires the Nodegrid device to be rebooted for all changes to take effect.

    2. In the user interface, the banner (right side) shows that FIPS 140-3 is active.

    3. Click the FIPS 140-3 button to display the status.

    4. You may also verify that FIPS is enabled from the root shell using the following command:

      root@nodegrid:~# openssl list -providers
      Providers:
        base
          name: OpenSSL Base Provider
          version: 3.0.12
          status: active
        fips
          name: OpenSSL FIPS Provider
          version: 3.0.10
          status: active

    Enabled
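    As an added example (not part of the Nodegrid documentation or product), this Python parses the `openssl list -providers` output shown above and reports whether the FIPS provider is loaded and active; the sample's indentation layout is an assumption, and `fips_active_on_host()` assumes an OpenSSL 3.x `openssl` binary on PATH.

```python
import subprocess
from typing import Dict, Optional

# Constructed sample, laid out like the `openssl list -providers` output shown on
# this page; the indentation (2 spaces for a provider, 4 for its fields) is an assumption.
SAMPLE_OUTPUT = """\
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.12
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.10
    status: active
"""


def parse_providers(output: str) -> Dict[str, Dict[str, str]]:
    """Turn `openssl list -providers` text into {provider_id: {field: value}}."""
    providers: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "Providers:":
            continue
        if ":" not in stripped:                 # a provider identifier such as "fips"
            current = stripped
            providers[current] = {}
        elif current is not None:               # "name: ...", "version: ...", "status: ..."
            key, _, value = stripped.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def fips_provider_active(output: str) -> bool:
    """True only when a provider called `fips` is loaded and reports status active."""
    return parse_providers(output).get("fips", {}).get("status") == "active"


def fips_active_on_host() -> bool:
    """Run the page's check on this host (assumes an OpenSSL 3.x `openssl` binary on PATH)."""
    try:
        out = subprocess.run(["openssl", "list", "-providers"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return False
    return fips_provider_active(out)
```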

    SSH

    Setting

    Description

    Default

    SSH allow root access

    • Enter SSH TCP Port (default: 22).

    • Enter SSH Ciphers (comma-separated) (default: blank).

    • Enter SSH MACs (comma-separated) (default: blank).

    • Enter SSH Kex Algorithms (comma-separated) (default: blank).

    Disabled

    Web Service

    Setting

    Description

    Default

    Enable HTTP access

    Enables the HTTP access to the managed device.

    Enabled, 80

    Enable HTTPS access

    Enables HTTPS access to the managed device.

    Enabled, 443

    Enable HTTP/S File Repository

    Enables HTTP/S file repository to store the software images.

    NOTE

    When enabled, allows public access to files stored in the File Manager/datastore folder. Users can access files via a direct URL, formatted as https://<Nodegrid URL>/datastore/<filename.ext>. For enhanced security, the file's exact path must be specified. To safeguard the system, operations such as "list," "edit," and "post" commands are disabled, preventing unauthorized modifications or directory browsing.

    You can enable access to the Web UI from the CLI. To do this, access the Console and run the following commands. This method is useful if a user gets locked out of the Web UI because HTTP and HTTPS are disabled.

    cd /settings/services
    set enable_http_access=yes
    set http_port=80
    set enable_https_access=yes
    set https_port=443
    set redirect_http_to_https=no
    commit

    Disabled

    FRR

    Setting

    Description

    Default

    Enable BGP

    Activates Border Gateway Protocol (BGP) to manage routing between autonomous systems.

    Enabled

    Enable OSPFv2

    Enables OSPFv2 for IPv4 routing in dynamic network environments.

    Disabled

    Enable OSPFv3

    Activates OSPFv3 to support IPv6 routing capabilities.

    Disabled

    Enable RIP

    Turns on the Routing Information Protocol (RIP) for simple, distance-vector-based routing.

    Disabled

    Enable VRRP

    Enables Virtual Router Redundancy Protocol (VRRP) to provide router failover and redundancy.

    Disabled

    Cryptographic Protocols

    Setting

    Description

    Default

    TLSv1.3

    Activates support for the TLS 1.3 protocol for secure communications.

    Enabled

    TLSv1.2

    Enables support for the TLS 1.2 protocol for backward compatibility.

    Enabled

    TLSv1.1

    Allows the use of TLS 1.1 protocol, but it is disabled by default for security reasons.

    Disabled

    TLSv1

    Enables TLS 1.0 protocol, disabled by default due to known vulnerabilities.

    Disabled

    Cipher Suite Level 

    • High: Sets the cipher suite level to prioritize maximum security, using the most robust algorithms.

    • Medium: Balances security and compatibility, selecting moderately strong ciphers.

    • Low: Allows weaker ciphers for broader compatibility but reduced security.

    • Custom: Enables a customizable dialog where you can specify a tailored cipher suite configuration.

    Medium

    Saving the Configuration

    Click Save. ZPE Cloud ensures all deployment activity is done at the device location.

