General Services Sub-Tab Configuration

General security service settings are configured on this page. Before changing them, it is recommended to prepare a document that defines how the company's security requirements map onto the device security settings, so that every enabled service can be traced back to a requirement. To configure general services:

  1. Log in to the Nodegrid Web UI.

  2. Go to Security :: Services :: General Services.

  3. Configure the settings as described in the following sections.

ZPE Cloud (cloud-based management platform for Nodegrid products)

Setting

Description

Default

Enable ZPE Cloud

Select the Enable ZPE Cloud checkbox to allow the device to be managed from ZPE Cloud. Once enabled, the device can be accessed from ZPE Cloud.

Nodegrid NSR, GSR, BSR, LSR, HSR: Enabled
Nodegrid Serial Console: Disabled

ZPE Cloud URL

Read-only field that is automatically populated with the URL of the ZPE Cloud instance the device connects to.

N/A

Enable Remote Access

Select this field to allow the device to be accessed remotely through ZPE Cloud; this is useful, for example, when taking a backup of the device data.

Disabled

Enable File Protection (Optional)

If enabled, file transfers require an authentication hash derived from this passcode, which is used to validate the integrity and origin of transferred files. Disabled by default. When enabling it, enter the Passcode and Confirm Passcode.

Disabled

Enable File Encryption

On the File Encryption Mode menu (select one):

  • Encryption by Passcode radio button. Enter the Encryption Passcode and Confirm the Encryption Passcode.

  • Encryption by an Asymmetric Key radio button. Select Encryption with Base64 checkbox.  

Disabled

Active Services

Setting

Description

Default

System Profile

Shows the system profile the device is running; the default profile is pre-selected.

Out of Band

Enable detection of USB devices

Detects when a USB device is attached to the Nodegrid device.

Enabled

Enable RPC

Enables the RPC service, so that programs on other machines on the network can request services from this device. Leave disabled unless a specific integration requires it.

Disabled

Enable gRPC

Enables gRPC service. Specify the gRPC Port (default: 4830).

Disabled

Enable FTP Service

Enables FTP service for file transfers.

Disabled

Enable SNMP Service

Enables SNMP for network management.

Enabled

Enable Telnet Service to Nodegrid

Allows Telnet access to Nodegrid. Specify the Telnet TCP Port (default: 23).

Disabled

Enable Telnet Service to Managed Devices

Allows Telnet access to managed devices.

Disabled

Enable ICMP echo reply

Enables ICMP echo reply for network diagnostics.

Enabled

Enable ICMP secure redirects

Accepts ICMP redirect messages only from gateways already known to the device (the kernel's secure_redirects behaviour), rather than from any host on the network.

Enabled

Enable USB over IP

Enables USB over IP protocol.

Disabled

Enable Search Engine

Enables the device’s search engine. Optionally, enable Dashboards.

Enabled

Enable Telegraf

Enables Telegraf service for data collection.

Disabled

Enable Services Status Page

Provides a status page at `<NG URL>/services/status` to determine functioning services.

Enabled

Enable reboot on Services Status Page

Allows device reboot via the services status page.

Enabled

Enable keepalived

Enables the keepalived service (used for VRRP-based failover and health checking) and ensures it is started automatically when the system reboots.

 You can also enable the keepalived setting via the CLI by entering the following command:

[admin@nodegrid services]# set enable_keepalived=yes

Disabled

Virtualization Services

Setting

Description

Default

Enable Docker

When you enable the field, the Docker directory location drop-down list is displayed. It lists all suitable locations to which the Docker daemon and its files can be moved, that is, any disk or partition that is formatted and mounted. The Default option points to the primary disk location, /var/lib.

If there is not enough space in the selected folder, an error is displayed.

If a folder called Docker already exists at the selected location, an error is displayed.

Enabled

Enable Qemu/KVM

Enables Qemu/KVM virtualization.

Enabled

Enable VMware Manager

Enables VMware Manager for virtualization management.

Enabled

Cluster TCP Port

Specify the Cluster TCP Port (default: 9966).

9966

Enable Automatic Cluster Enrollment

Enables automatic enrollment for clusters.

Disabled

Search Engine TCP Port

Specify the Search Engine TCP Port (default: 9300).

9300

Enable VM Serial access

Enables serial port access to virtual machines. When enabled, the following sub-settings are available:

  • VM Serial Port: Specify the VM Serial Port (default: 9977).

  • vMotion timeout(s): Configures the timeout, in seconds, applied to vMotion tasks (default: 300).

Enable Zero Touch Provisioning

Enables ZTP for the device.

Enabled

Enable Bluetooth

Enables Bluetooth access to the Nodegrid device.

NOTE:

Completely enables or disables Bluetooth on the device. When enabled, a network connection can be tethered to the device over Bluetooth without any prior configuration. This is intended for the first device deployed at a site: the temporary Bluetooth connection lets the device reach ZPE Cloud and download its full configuration.

Disabled

  • Display name: The name shown on other devices paired with this device via Bluetooth. Default: <ProductName_SerialNumber>.

  • Enable Bluetooth Discoverable mode: Allows an external device to discover and pair with this device, so that a newly deployed device can tether a temporary network connection over Bluetooth and reach ZPE Cloud to download its full configuration. Once a connection is established to a trusted device, disable discoverable mode so that other devices cannot pair with this device. Default: Disabled.

Enable PXE (Preboot eXecution Environment)

Allows the device to boot a software image retrieved from a network server at boot time.

Enabled

Block Host with multiple authentication failures

Blocks a host after repeated authentication failures. When enabled, the following settings are available:

  • Period Host will stay blocked (min): How long a blocked host remains blocked (default: 10).

  • Timeframe to monitor authentication fails (min): The sliding window within which failures are counted (default: 10).

  • Number of authentication fails to block the host: How many failures within the timeframe trigger the block (default: 5).

  • Whitelisted IP Addresses: Comma-separated list of addresses that are never blocked.

Disabled
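The three timers and the whitelist above interact in ways that are worth reasoning through before enabling the feature on a device that administrators reach over the network. The following Python model is an added example, not Nodegrid code: it implements the policy as described (count failures per host inside a sliding timeframe, block for the configured period once the count is reached, never block whitelisted addresses) and replays a constructed set of failed-login events against the page's default values. The addresses, timestamps and the acceptance of CIDR ranges in the whitelist are assumptions of the example.

```python
# Added example (not Nodegrid code): a model of the "Block Host with multiple
# authentication failures" policy, so the three timers/counters can be reasoned
# about before enabling it. Event data below is constructed, not real log output.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class HostBlocker:
    def __init__(self, fails_to_block=5, timeframe_min=10, block_period_min=10, whitelist=()):
        self.fails_to_block = fails_to_block
        self.timeframe = timedelta(minutes=timeframe_min)
        self.block_period = timedelta(minutes=block_period_min)
        # The page describes comma-separated IP addresses; accepting CIDR ranges
        # too is an extension made in this example (a plain address is a /32).
        self.whitelist = [ip_network(w.strip(), strict=False) for w in whitelist if w.strip()]
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.blocked_until = {}              # host -> time at which the block expires

    def is_whitelisted(self, host):
        addr = ip_address(host)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, host, now):
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:            # "Period Host will stay blocked" has elapsed
            del self.blocked_until[host]
            return False
        return True

    def record_failure(self, host, now):
        """Register one failed login at time `now`; return True if the host is blocked afterwards."""
        if self.is_whitelisted(host):
            return False
        if self.is_blocked(host, now):
            return True
        window = self.failures[host]
        window.append(now)
        # Forget failures older than "Timeframe to monitor authentication fails".
        while window and now - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.fails_to_block:
            self.blocked_until[host] = now + self.block_period
            window.clear()
            return True
        return False


def simulate(events, **policy):
    """Replay (timestamp, host) failures in time order; return the blocker and when each host got blocked."""
    blocker = HostBlocker(**policy)
    blocked_at = {}
    for ts, host in sorted(events):
        if blocker.record_failure(host, ts) and host not in blocked_at:
            blocked_at[host] = ts
    return blocker, blocked_at


T0 = datetime(2024, 4, 17, 11, 50, 0)
# Constructed failed-login events: (time, source address).
EVENTS = (
    # 203.0.113.5: five failures in 80 seconds -> blocked on the fifth
    [(T0 + timedelta(seconds=20 * i), "203.0.113.5") for i in range(5)]
    # 198.51.100.7: five failures, one every 10 minutes -> never five inside one window
    + [(T0 + timedelta(minutes=10 * i), "198.51.100.7") for i in range(5)]
    # 10.0.0.9: the management host, whitelisted -> never blocked however often it fails
    + [(T0 + timedelta(seconds=i), "10.0.0.9") for i in range(20)]
)


def run_demo():
    """Run the constructed scenario with the page's defaults (5 fails / 10 min window / 10 min block)."""
    blocker, blocked_at = simulate(EVENTS, whitelist=["10.0.0.9"])
    return {
        "blocked": {h: t.isoformat() for h, t in blocked_at.items()},
        "blocked_5_min_later": blocker.is_blocked("203.0.113.5", T0 + timedelta(minutes=5)),
        "blocked_after_expiry": blocker.is_blocked("203.0.113.5", T0 + timedelta(minutes=11, seconds=20)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: a slow attacker who spaces attempts wider than the timeframe is never blocked, so the timeframe should be sized against the attempt rate you actually see; and the whitelist is what stops a lockout from becoming a denial of service against your own jump hosts, so populate it with the management addresses before enabling the feature.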

Allow root console access

Provides administrators the ability to control access to the primary console interface, which includes both the Console Serial Port and the Video VGA/HDMI and USB Keyboard ports.
To allow root console access, select both Enable console access and Allow root console access fields.
When you disable the console access:

  1. Critical system components such as Console Live system authentication, bootloaders, and root console access are no longer accessible.

  2. BIOS settings remain accessible; to make them inaccessible as well, use the Password Protected Boot feature.

  3. Unchecking Allow root console access also disables console access for the root user, who receives a "Login incorrect" message, as in the following example:

    login: root
    Login incorrect
    nodegrid login: Event Notification from nodegrid.
    Reported on 2024-04-17T11:51:04Z.
    Event ID 202: User authentication failed. User: root on 'ttyS0'.

    System Console Events is turned off.

    Note:

    Carefully consider the implications of disabling the main console port. Doing so may prevent low-level maintenance tasks that require direct access to the system. Evaluate your specific maintenance and security requirements before disabling Console Access.

Enabled

Manage devices

Setting

Description

Default

Device access is enforced via user group authorization

Restricts users to the devices listed in their authorization groups. If not enabled, all enrolled devices are available to every user.

Disabled

Enable the Autodiscovery

Enables autodiscovery of the devices when connected to the network.

Enabled

FIPS

Setting

Description

Default

Enable FIPS 140-3

Enabling FIPS 140-3 on a Nodegrid device ensures FIPS compliance, limiting cryptographic services to the FIPS provider for the applications that rely on OpenSSL for these services.

  1. Network services and ports that rely on OpenSSL for cryptographic services will be FIPS 140-3 compliant when enabled, including:

    • HTTPS (TCP port 443)

    • SSH client and server (TCP port 22)

    • SNMP (UDP port 161)

    • Cluster (TCP port 9966)

      For a more detailed list, refer to the FIPS 140-3 status page (Click on the FIPS 140-3 button on the top right of the web UI).

      NOTE

      Enabling or disabling FIPS 140-3 requires the Nodegrid device to be rebooted for all changes to take effect.

  2. In the user interface, the Banner (right side) shows FIPS 140-3 is active.  

  3. Click the FIPS 140-3  button to display the status.

  4. You may also verify that FIPS is enabled from the root shell using the following command:

    root@nodegrid:~# openssl list -providers
    Providers:
      base
        name: OpenSSL Base Provider
        version: 3.0.12
        status: active
      fips
        name: OpenSSL FIPS Provider
        version: 3.0.10
        status: active

Enabled
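Reading the provider listing by eye works for one device; for a fleet check it is more reliable to parse it. The following Python script is an added example, not ZPE tooling. It parses the output format of `openssl list -providers` shown above (the sample text is constructed from that format) and applies two checks: whether the fips provider is active, and the stricter condition that no other algorithm-supplying provider (default or legacy) is active alongside it, since with OpenSSL 3 an active default provider still makes non-approved algorithms reachable. The base provider only supplies encoders, decoders and stores, so its presence is expected.

```python
# Added example (not Nodegrid tooling): parse the output of `openssl list -providers`
# and decide whether the FIPS provider is the one actually serving algorithms.
# SAMPLE_FIPS is constructed from the format shown on this page; SAMPLE_NO_FIPS is a
# constructed counter-example of a stock OpenSSL 3 host.
import re
import subprocess

SAMPLE_FIPS = """\
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.12
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.10
    status: active
"""

SAMPLE_NO_FIPS = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.12
    status: active
"""

# Providers that supply algorithms other than the FIPS module. If one of these is
# active, non-approved algorithms remain reachable even when fips is loaded.
# (The base provider only supplies encoders/decoders/stores, not ciphers.)
ALGORITHM_PROVIDERS = {"default", "legacy"}

_PROVIDER = re.compile(r"^\s{2}(\S+)\s*$")          # two-space indent: provider id
_ATTR = re.compile(r"^\s{4,}(\w+):\s*(.*)$")         # deeper indent: "key: value"


def parse_providers(text):
    """Return {provider_id: {"name": ..., "version": ..., "status": ...}}."""
    providers, current = {}, None
    for line in text.splitlines():
        m = _PROVIDER.match(line)
        if m:
            current = m.group(1)
            providers[current] = {}
            continue
        m = _ATTR.match(line)
        if m and current is not None:
            providers[current][m.group(1)] = m.group(2).strip()
    return providers


def fips_active(text):
    fips = parse_providers(text).get("fips")
    return fips is not None and fips.get("status") == "active"


def fips_only(text):
    """Stricter check: fips is active and no other algorithm-supplying provider is."""
    providers = parse_providers(text)
    others = [p for p, attrs in providers.items()
              if p in ALGORITHM_PROVIDERS and attrs.get("status") == "active"]
    return fips_active(text) and not others


def check_local_openssl():
    """Run the real command on this host (needs OpenSSL 3.x) and evaluate its output."""
    out = subprocess.run(["openssl", "list", "-providers"],
                         capture_output=True, text=True, check=True).stdout
    return {"providers": parse_providers(out),
            "fips_active": fips_active(out),
            "fips_only": fips_only(out)}


if __name__ == "__main__":
    try:
        print(check_local_openssl())
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not run openssl: {exc}")
```

Run it on the device's root shell, or feed it captured output from several devices. Note that an active fips provider shows what OpenSSL can offer; the page's statement that services are limited to the FIPS provider is what ties the applications to it, so the status page referred to above remains the authoritative per-service view.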

SSH

Setting

Description

Default

SSH allow root access

  • Enter SSH TCP Port (default: 22).

  • Enter SSH Ciphers (comma-separated) (default: blank).

  • Enter SSH MACs (comma-separated) (default: blank).

  • Enter SSH Kex Algorithms (comma-separated) (default: blank).

Disabled
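The SSH Ciphers, MACs and Kex Algorithms fields accept free-form comma-separated lists, and a typo or a legacy entry is saved without complaint. The following Python linter is an added example, not Nodegrid code: it splits the three fields the way the Web UI expects and flags algorithm names a hardening review normally rejects (CBC-mode ciphers, RC4 and 3DES, MD5 and SHA-1 MACs, SHA-1 key exchange). HARDENED is an example policy written for this page, not a ZPE recommendation, and LEGACY is a constructed bad configuration.

```python
# Added example (not Nodegrid code): lint the comma-separated SSH Ciphers, MACs and
# Kex Algorithms fields before saving them. The weak-algorithm markers are the usual
# OpenSSH names a hardening review rejects; HARDENED is an example policy of this
# edit, not a ZPE recommendation, and LEGACY is a constructed bad configuration.
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")
WEAK_MAC_MARKERS = ("md5", "ripemd", "umac-64", "hmac-sha1")   # also catches the -etm variants
WEAK_KEX_MARKERS = ("-sha1",)   # group1, group14-sha1 and group-exchange-sha1 all end in -sha1


def parse_list(value):
    """Split a Web UI field; a blank field means 'use the server defaults'."""
    return [a.strip() for a in value.split(",") if a.strip()]


def find_weak(algorithms, markers):
    return [a for a in algorithms if any(m in a.lower() for m in markers)]


def validate(ciphers="", macs="", kex=""):
    """Return {field: [weak algorithms]}; an empty dict means all three lists pass."""
    problems = {}
    for field, value, markers in (
        ("ciphers", ciphers, WEAK_CIPHER_MARKERS),
        ("macs", macs, WEAK_MAC_MARKERS),
        ("kex", kex, WEAK_KEX_MARKERS),
    ):
        weak = find_weak(parse_list(value), markers)
        if weak:
            problems[field] = weak
    return problems


HARDENED = {
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
    "kex": "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512",
}
LEGACY = {
    "ciphers": "aes128-cbc,3des-cbc,aes256-ctr",
    "macs": "hmac-md5,hmac-sha1,hmac-sha2-256",
    "kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256",
}

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, validate(**cfg) or "OK")
```

Before pasting a list into the Web UI, confirm each name against what the device's OpenSSH build actually supports (`ssh -Q cipher`, `ssh -Q mac`, `ssh -Q kex` on any OpenSSH host); a misspelt or unsupported name in any of the three fields can leave the SSH server unable to negotiate at all, so keep console access available while testing.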

Web Service

Setting

Description

Default

Enable HTTP access

Enables plain HTTP access to the device's Web UI on the configured port. Consider disabling it or redirecting to HTTPS (see redirect_http_to_https below).

Enabled, 80

Enable HTTPS access

Enables HTTPS access to the device's Web UI on the configured port.

Enabled, 443

Enable HTTP/S File Repository

Enables HTTP/S file repository to store the software images.

NOTE

When enabled, this allows public, unauthenticated access to files stored in the File Manager datastore folder. Anyone who knows the exact path can retrieve a file via a direct URL of the form https://<Nodegrid URL>/datastore/<filename.ext>. Directory listing, editing and posting (list, edit and post operations) are disabled, so only files whose names are known can be fetched; do not store sensitive material in this folder while the repository is enabled.

You can also enable Web UI access from the CLI. To do this, access the console and run the following commands. This is useful if a user is locked out of the Web UI, or when both HTTP and HTTPS have been disabled.

cd /settings/services
set enable_http_access=yes
set http_port=80
set enable_https_access=yes
set https_port=443
set redirect_http_to_https=no
commit

Set redirect_http_to_https=yes if plain HTTP should only redirect clients to HTTPS.

Disabled

FRR

Setting

Description

Default

Enable BGP

Activates Border Gateway Protocol (BGP) to manage routing between autonomous systems.

Enabled

Enable OSPFv2

Enables OSPFv2 for IPv4 routing in dynamic network environments.

Disabled

Enable OSPFv3

Activates OSPFv3 to support IPv6 routing capabilities.

Disabled

Enable RIP

Turns on the Routing Information Protocol (RIP) for simple, distance-vector-based routing.

Disabled

Enable VRRP

Enables Virtual Router Redundancy Protocol (VRRP) to provide router failover and redundancy.

Disabled

Cryptographic Protocols

Setting

Description

Default

TLSv1.3

Activates support for the TLS 1.3 protocol for secure communications.

Enabled

TLSv1.2

Enables support for the TLS 1.2 protocol for backward compatibility.

Enabled

TLSv1.1

Allows the use of TLS 1.1 protocol, but it is disabled by default for security reasons.

Disabled

TLSv1

Enables TLS 1.0 protocol, disabled by default due to known vulnerabilities.

Disabled

Cipher Suite Level 

  • High: Sets the cipher suite level to prioritize maximum security, using the most robust algorithms.

  • Medium: Balances security and compatibility, selecting moderately strong ciphers.

  • Low: Allows weaker ciphers for broader compatibility but reduced security.

  • Custom: Enables a customizable dialog where you can specify a tailored cipher suite configuration.

Medium
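The protocol checkboxes above describe what the device is configured to offer; what it actually negotiates is best confirmed from the client side. The following Python probe is an added example, not ZPE tooling: it attempts one handshake per TLS version against an HTTPS endpoint (standard library only, certificate verification deliberately disabled because the question is protocol negotiation, not trust) and compares the result with the defaults in the table (TLS 1.2 and 1.3 enabled, TLS 1.0 and 1.1 disabled). The hostname nodegrid.example.com is a placeholder assumed by the example.

```python
# Added example (not Nodegrid tooling): probe which TLS versions an HTTPS endpoint
# such as the Nodegrid Web UI actually negotiates, then compare against this page's
# defaults (TLS 1.2 and 1.3 enabled, TLS 1.0 and 1.1 disabled). Standard library only.
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Expected policy, taken from the defaults in the Cryptographic Protocols table.
EXPECTED = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}


def handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to `version`; return (accepted, negotiated_version, detail)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # testing protocol negotiation, not trust
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version <= ssl.TLSVersion.TLSv1_1:
            # Let the local OpenSSL offer legacy suites; otherwise a refusal may come
            # from the client's own policy rather than from the device.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version(), tls.cipher()[0]
    except (ssl.SSLError, ValueError, OSError) as exc:
        # ValueError means the local OpenSSL was built without this version:
        # the result for that version is then inconclusive, not a pass.
        return False, None, f"{type(exc).__name__}: {exc}"


def probe(host, port=443):
    """Return {version_name: (accepted, negotiated_version, detail)} for every TLS version."""
    return {name: handshake(host, port, v) for name, v in VERSIONS.items()}


def evaluate(accepted, expected=EXPECTED):
    """Compare {version_name: accepted_bool} with the policy; return human-readable findings."""
    findings = []
    for name, want in expected.items():
        got = accepted.get(name)
        if got is None:
            continue            # version not probed
        if got and not want:
            findings.append(f"{name} accepted but should be disabled")
        elif want and not got:
            findings.append(f"{name} rejected but should be enabled")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "nodegrid.example.com"  # assumed placeholder
    results = probe(target)
    for name, (ok, negotiated, detail) in results.items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}  {negotiated or detail}")
    for finding in evaluate({n: r[0] for n, r in results.items()}):
        print("FINDING:", finding)
```

Read a "rejected" result together with its detail string: a handshake that fails because the probing host's OpenSSL refuses to speak TLS 1.0 says nothing about the device, so run the probe from a client that can still offer the legacy versions when you need a conclusive answer for those two rows. The Cipher Suite Level setting is not covered by this probe; the negotiated cipher name it prints for TLS 1.2 is the place to start if you need to verify that.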

Saving the Configuration

Click Save to apply the settings. When the device is managed through ZPE Cloud, all deployment activity is carried out at the device location.