What is CSPN?
CSPN stands for Clavister Service Provisioning Network and is a number of servers placed around the world in order to offer customers low latency access to a server close to where the firewall is located. Currently we have servers in Sweden, Japan, Singapore, USA and France.
The two main purposes of the CSPN servers is the following:
- cOS Core will routinely contact the CSPN servers for license verification.
- This depends a bit on the license model and not all license types perform this action.
- cOS Core will contact CSPN and check if there is a new database (or make an information request) for some of the functions/features that is used. A few examples would be: Intrusion Detection (IDP), Anti-Virus, IP reputation and Web Content Filtering.
cOS Core will also send anonymous optional diagnostic data to the CSPN network. For more information / details please see the admin guide, the section is called “Diagnostics and Improvements”.
How does cOS Core and cOS Stream connect to CSPN?
Both cOS Core and cOS Stream will first make a DNS query towards update3.clavister.com in order to get the CSPN server list and once that is done they can/will use the following ports and protocols to perform various tasks and updates.
- License verification : TCP port 80
- Web Content Filtering : TCP port 9998
- IP Reputation : TCP port 9999 and TCP port 443
- Anti-Virus and IDP databases : TCP port 80
But isn’t port 80 unencrypted?
The protocol used is HTTP, but all content is encrypted.
Which ports needs to be opened on equipment placed in front of the firewalls (such as a NAT device with port restrictions)?
See previous reply as these are the ports that needs to be opened in order for the firewall to connect to CSPN. An additional port that is very important to allow is TCP/UDP port 53 as that is used to make DNS queries. If a device in front of the Firewall blocks DNS queries, the entire connection to CSPN would fail.
Which server will be chosen as the primary?
Once the firewall has completed the DNS query and received the server list, it will poll each server in order to determine the latency. The server with the lowest latency will be chosen as the primary. This poll will be run at certain intervals again at a later stage in order to see if the primary, secondary etc. server list needs an update. If the previous primary server has high latency for whatever reason, a new server will be chosen as the new primary.
Will the DNS name update/change in the future?
At this time (November 2022) there are no plans to change the current DNS (which is update3.clavister.com).
What happens if the firewall is unable to resolve DNS?
If the firewall is unable to resolve DNS the communication to CSPN will fail. The firewall would then be unable to download new updates for Anti-Virus, IDP, queries for WCF and IP reputation. These functions / features will either not work at all or the databases will stagnate over time causing them to be out of date / old.
The most *critical * impact would be that the online license verification (for SecAAS / MSSP) licenses will fail and if enough time has passed without access to CSPN (~14 days) the firewall would enter reduced mode which would cause big network disturbances. So it is very important to make sure that the firewall can reach CSPN for these types of licenses (which would be the vast majority of all licenses being sold since the beginning of 2022).
Can we see the server(s) status in the firewall somehow?
In cOS Core this can be viewed using the CLI command “Updatecenter -servers”.
Related articles
2 May, 2023 core rules schedule applicationcontrol
27 Mar, 2023 applicationcontrol core