cOS Core 14.00 FAQ

Last modified on 27 Apr, 2022. Revision 26

This knowledge base article contains Frequently Asked Questions related to the 32-bit (x86) and 64-bit versions (ARMv8 and x86_64) of cOS Core 14.00

FAQs
Related articles

Up to date for	cOS Core 14.00.00
Supported since	cOS Core 14.00.00
Status	OK

FAQs

What appliances will be supported to run cOS Core 14.00?

The following existing models will support cOS Core 14.00

Clavister NetWall E10
Clavister NetWall E20
Clavister NetWall E80
Clavister NetWall W20
Clavister NetWall W30
Clavister NetWall W40
Clavister NetWall W50
Virtual Appliances running the 32-bit image (VMware, Hyper-V, KVM).

The new appliances introduced 2021 will only support cOS Core 14.00 or later:

Clavister NetWall 110
Clavister NetWall 140
Clavister NetWall 510
Clavister NetWall 550
Clavister NetWall 6200
Clavister NetWall 6600
Virtual Appliances running the 64-bit image (VMware, KVM).

Any appliance that is released after the release of cOS Core 14.00 will ONLY support cOS Core 14.00 or later.

Why will the new appliances only support cOS Core 14.00?

The new appliances will use a 64-bit version of cOS Core, this version is not possible to to downgrade to older versions as they are only available in 32-bit versions.

Is it difficult to upgrade from cOS Core 13.00 to 14.00?

No, it’s done in the same way as from 12.00 to 13.00 or upgrading from cOS Core 13.00.07 to 13.00.08. Remember to read the release notes for any version specific information.

Can the E or W-series appliances be upgraded to the 64-bit version of cOS Core 14.00?

No, appliances running the 32-bit firmware will not be possible to upgrade to the 64-bit version of cOS Core, also there is no real benefit as the E and W-series appliances are optimized for the 32-bit firmware.

What is the benefit of moving to 64-bit on the new appliances?

There are a number of benefits, mainly the possibility to use more memory, but also leverage new hardware features that is not available when using 32-bit.

Will there be differences between 32-bit and 64-bit cOS Core 14.00?

There is no visible difference between the two versions, except that the 64-bit version will be able to use more memory. Over a longer time period there might be diverging feature set on old appliances (running 32-bit) and new appliances (running 64-bit), where some features requiring 64-bit processing will only be available on newer appliances. But as long as possible Clavister will try to keep feature parity. There was a similar situtaion with cOS Core 12.00 where some features did not work on IXP-based platforms (Clavister E5 and E7) due to hardware limitations.

Is it complex to migrate from from a 32-bit appliances to a 64-bit appliance?

No, it’s not complex at all, it’s as easy as it was upgrading from Clavister E7 to Clavister NetWall E80.

How many vCPUs and memory does the different Virtual Appliances support?

	32-bit Image (x86)	64-bit Image (x86_64)	64-bit Image (ARMv8)	Comment
Number of vCPU Supported
1 vCPU				32-bit image: The image will run in interrupt mode. 64-bit image: The image can run in either interrupt mode or polling mode (See below for details)
2 vCPU				The image will run in polling mode.
3 vCPU				The image will run in polling mode and use one vCPU for interface offloading.
Recommended Memory
Min	512 MB	1 GB	1 GB	cOS Core and run with less memory if needed, but this is the recommended minimum for normal operation.
Max	4 GB	16 GB	16 GB

What is the difference between interrupt and polling mode in Virtual Appliances?

The main difference between interrupt and polling is that in interrupt, the device notifies the CPU that it requires attention while, in polling, the CPU continuously checks the status of the devices to find whether they require attention. In brief, an interrupt is asynchronous whereas polling is synchronous. This means that when running polling mode the CPU load on the VM will always be 100%.

What are the criterias to run interrupt mode using 1 CPU Core on a 64 bit image?

Below is a small list of the requirements in order to run interrupt mode on 64 bit.

A Virtual system.
Only 1 CPU core allocated (so no poll-cores enabled).
Advanced setting->Misc->"Interface Interrupt mode" must be set to Auto (default).
The VIRT-IO interface driver is NOT used.
- Note: Interrupt mode is currently verified to work with the E1000E driver for VMware. Mixing e.g. VIRT-IO and E1000E will cause it to fall back to polling mode.

Which Virtual Appliance Image should I choose, 32-bit or 64-bit Virtual Appliance?

This depends on your need, if you need many small firewalls, using as little resources as possible you should select the 32-bit image, if you need high performance the 64-bit image with multiple vCPUs are abetter choice.

How to approach FTPS (without opening too many ports)
22 Sep, 2021 core ftps sftp

IP blocked by IP reputation & IP reputation mechanics
8 Mar, 2021 core ipreputation

Configuring multiple networks behind the same interface
25 Mar, 2021 core arp routing

How do I disable IP Reputation?
9 Mar, 2021 core

Configuring public certificates in NetWall firewalls
5 Apr, 2022 core certificate oneconnect ipsec vpn

Configure the Android OpenConnect client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect android core

Why does WireShark say that SNMPv3 traps sent from cOS Core are "snmpV2-trap"?
8 Sep, 2020 snmp core wireshark

Swapping NetWall Ethernet interfaces using "Set interface Ethernet"
30 Mar, 2022 core ethernet netwall coscore

Certificate problem using SSL VPN together with MacOS version 11.1 and up
2 Feb, 2021 core sslvpn macos certificate

Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)
19 Feb, 2021 core arp

Using PCAP packet capture in cOS Core
21 Jun, 2021 core cli pcap netwall pcapdump

Adjusting advanced cluster settings on larger installations
13 Jan, 2021 core ha cluster

Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing

HA: disallowed_on_sync_iface log events with rule=HA_RestrictSyncIf for Reverse ARP, RARP, and IGMP
8 Sep, 2020 vmware log ha rarp arp core

A trusted webpage blocked by IP reputation
22 Jan, 2021 core ipreputation

Placing HA cluster nodes in different physical locations
15 Apr, 2021 core brokenlink cluster

Using "all-nets" as source/destination network in IPsec tunnels
17 Jun, 2021 core ipsec routing

Gratuitous ARP and the CLI command "ifstat -restart <iface>"
16 Feb, 2021 core arp garp

Could not open outbound connection?
9 Mar, 2021 core ping connections

Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core

Configuring SSL-VPN / OneConnect server on secondary Firewall IP address
8 Apr, 2021 core sslvpn oneconnect interfaces arp

Using /31 network masks in cOS Core (RFC-3021)
11 Apr, 2022 core routing management

Can blacklist timeouts (TTL,lifetime) for "Scanner Protection" or "Botnet Blocking" be changed or increased?
8 Sep, 2020 core ipreputation blacklist threatprevention

LogOpenFails and no_new_conn_for_this_packet log events.
23 Jun, 2021 core connections

Device initiated InControl management of NetWall HA clusters with a single public IP
31 Mar, 2022 incontrol core netcon netwall ha cluster coscore

Installing a SECaaS License on Virtual NetWall Firewalls
13 May, 2022 core license

Using Multicast DNS with cOS Core
24 May, 2021 core howto mdns multicast transparentmode airprint igmp dns

Solving HA nodes both going active/inactive at the same time
21 Apr, 2021 core cluster ha

IPsec license usage calculation
14 Apr, 2021 core license ipsec

Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access

Example setup script for x86 cOS Core under KVM
26 May, 2021 kvm core arm x86

Is it possible to change the Ethernet Ringsize buffers on Hyper-V?
25 Jan, 2022 core ethernet settings

Packet drops due to TCP Sequence numbers ("tcp_seqno_too_high" or "tcp_seqno_too_low")
6 Jul, 2021 core stream tcpsequence sequence stateless

Clavister SFP/SFP+ module compatibility
11 Apr, 2021 core sfp gbic hardware

How do i set up a OneConnect VPN tunnel in cOS core
10 Mar, 2021 core oneconnect

How to adjust RX and TX ring sizes (queue lengths) of Ethernet interfaces
28 Oct, 2020 core howto ethernet packetloss cpu

Running cOS Core 14.00 on M1 based Apple Devices with QEMU
24 Nov, 2021 core arm kvm

Using Stateless Policies in cOS Core
16 Jun, 2021 core stateless rules netwall

Using Clavister OneConnect Classic SSL VPN client towards the OneConnect server
29 Jun, 2021 core oneconnect

Forward traffic to a second ISP using Virtual Routing or Policy Based Routing
23 Jun, 2021 howto core pbr routing netwall isp

NetWall virtual firewall creation under KVM on ARM
20 May, 2021 kvm core arm coscore netwall

Allowing Traceroute to and through cOS Core
15 Jan, 2021 core behaviour icmp ping traceroute

"Disabling IPsec tunnel..." warning when deploying a configuration change
30 Nov, 2020 core ipsec license memory

The meaning of the "Default_Access_Rule" log entry
25 Jan, 2021 brokenlink core arp log routing

How to setup a simple cloud-init environment for testing
30 Nov, 2020 howto core cloud-init dhcp

Protecting against the Apache Log4j exploit
15 Dec, 2021 core idp ipreputation log4j

What is a "zombie" connection?
24 Mar, 2021 core connections

Assigning additional IPs to cOS Core Ethernet interfaces
7 May, 2021 core ethernet vlan arp garp

Allowing Path MTU discovery in cOS Core
9 Jul, 2021 core mtu netwall mtudiscovery

Freeing up more memory in the Firewall
18 Feb, 2021 core connections ipsec memory

Is Statless (FwdFast) faster than a normal IP policy?
27 Jan, 2021 core stateless routing brokenlink

Configure the OpenConnect-GUI client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect macos windows linux core

How to disable the read-only flag for InControl inherited objects
8 Jul, 2021 incontrol domains core

Tagsarm x86 core