Operations and Maintenance

Gatekeeper Configuration UI

To open the Gatekeeper Configuration UI:

  1. Navigate to the Gatekeepers page.
  2. Click the Actions (three‑dot) menu for the target Gatekeeper or HA group.
  3. Select "Configure".

Use this UI to view the current configuration of the Gatekeeper or HA group and make changes directly from the console.

Note: When Gatekeepers are part of an HA group, the "Configure" option appears only on the HA group row—not on the individual Gatekeeper rows.

Tabs available in the Configuration UI:

  1. General — Status, location, HA mode, VRRP
  2. Security — Device management, identification, vulnerabilities
  3. Network — Addressing (DHCP/Static/Mixed) and interfaces
  4. Gatekeeper — HA membership, rename Gatekeepers, WAN, LAN/VLAN IPs
  5. Advanced — Proxy, debug logs, asymmetric mode, fail‑open, pruning disconnected devices

General

This tab contains the fundamental settings for a Gatekeeper or High Availability (HA) group.

  1. Configuration Status

    • Synchronized: The UI configuration is in sync with the device.
    • In Progress: A configuration push to the device is underway.
    • Failed: The device is out of sync with the UI (e.g., invalid configuration, connectivity issues).
  2. Location

    • Label used to categorize the Gatekeeper.
  3. HA Group Name

    • Visible only when High Availability is enabled; shows the name of the HA group.
  4. Standalone / High Availability

    • See the "Gatekeeper High Availability" documentation for details.
  5. Active-Active / Active-Standby

    • Available only when HA is enabled. See "Gatekeeper High Availability" documentation for mode behavior.
  6. VRRP Password

    • Enter an 8‑digit password for VRRP authentication.
  7. VRRP Router ID

    • Enter a value from 1–255. The ID must be unique across all HA groups on your network.
  8. VRRP Auth Mode

    • Authentication Header: Uses the IP Authentication Header (AH) for integrity and peer authentication.
    • Simple / Password: Uses a simple plain-text password for peer authentication; the password is carried unencrypted in VRRP advertisements on the LAN.

Security

  1. Device Management

    • All Devices: Manage all devices discovered on the LAN/VLAN.
    • Selected Devices Only: Manage only the devices you explicitly select.
  2. Device Identification

    • Enable to probe devices and identify type, vendor and other metadata.
  3. Protocols to Support

    • Visible only when Device Identification is enabled. Select the protocols to use for device probing.
  4. Vulnerability Detection

    • Enable to identify device vulnerabilities.

Network

  1. Addressing Mode: Static / DHCP / Mixed

DHCP Mode

Use when devices in the LAN/VLAN obtain IPs via DHCP.

  • Server mode: The Gatekeeper acts as the DHCP server for the LAN/VLAN. Provide the lease duration.
  • Relay mode: The Gatekeeper relays to an existing DHCP server in the network. Provide the DHCP server IP.

Static Mode

Use when devices in the LAN/VLAN are statically addressed. Set each device's gateway IP to the LAN Virtual IP of the Gatekeeper appliance, and set its netmask to /32 (255.255.255.255) in the device's network settings. With a /32 mask the device treats no other host as on-link, so all of its traffic, including traffic to neighbours in the same LAN/VLAN, is sent to the gateway and therefore passes through the Gatekeeper. Select the Device Identifier:

  • MAC Address: Identify devices by MAC address only.
  • MAC and IP Address: Identify devices by both MAC and IP address.
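As an added example (not part of the ColorTokens documentation or product), the following Python script pre-checks statically addressed devices and HA-group VRRP settings against the constraints stated in this section and in the General tab; the record field names and sample values are assumptions.

```python
# Added pre-flight checks for the Gatekeeper settings described on this page.
# Example code, not ColorTokens'; record field names and sample data are constructed.
import ipaddress

def check_static_device(device: dict, lan_vip: str) -> list:
    """Findings for one statically addressed device behind a Gatekeeper."""
    findings = []
    # A /32 mask leaves the device no on-link peers, so even same-LAN traffic is sent
    # to the gateway (the Gatekeeper LAN VIP). ipaddress accepts "/32" or a dotted mask.
    iface = ipaddress.ip_interface(f"{device['ip']}/{device['netmask'].lstrip('/')}")
    if iface.network.prefixlen != 32:
        findings.append(f"{device['name']}: netmask {device['netmask']} is not /32; "
                        "same-subnet traffic would bypass the Gatekeeper")
    if ipaddress.ip_address(device["gateway"]) != ipaddress.ip_address(lan_vip):
        findings.append(f"{device['name']}: gateway {device['gateway']} is not the LAN VIP {lan_vip}")
    return findings

def check_vrrp_groups(groups: list) -> list:
    """Findings for the VRRP settings of all HA groups on one network."""
    findings, seen = [], {}
    for g in groups:
        rid = g["vrrp_router_id"]
        if not 1 <= rid <= 255:
            findings.append(f"{g['name']}: VRRP router ID {rid} is outside 1-255")
        elif rid in seen:  # router IDs must be unique across HA groups
            findings.append(f"{g['name']}: VRRP router ID {rid} already used by {seen[rid]}")
        else:
            seen[rid] = g["name"]
        if len(g["vrrp_password"]) != 8:  # the page asks for an 8-digit password
            findings.append(f"{g['name']}: VRRP password is not 8 characters")
        if g["vrrp_auth_mode"] == "simple":  # plain-text mode: password visible on the LAN
            findings.append(f"{g['name']}: simple/password VRRP auth sends the password in plain text")
    return findings

# Constructed sample data (not from a real deployment).
LAN_VIP = "10.10.20.1"
DEVICES = [
    {"name": "plc-01", "ip": "10.10.20.11", "netmask": "/32", "gateway": LAN_VIP},
    {"name": "hmi-02", "ip": "10.10.20.12", "netmask": "255.255.255.0", "gateway": "10.10.20.254"},
]
HA_GROUPS = [
    {"name": "gk-ha-a", "vrrp_router_id": 10, "vrrp_password": "s3cr3t!!", "vrrp_auth_mode": "ah"},
    {"name": "gk-ha-b", "vrrp_router_id": 10, "vrrp_password": "short", "vrrp_auth_mode": "simple"},
]

def run_checks() -> list:
    # All findings for the sample data; an empty list means the configuration is clean.
    return [f for d in DEVICES for f in check_static_device(d, LAN_VIP)] + check_vrrp_groups(HA_GROUPS)
```

Running `run_checks()` on the sample data reports the /24 device (two findings) and the second HA group (duplicate router ID, short password, plain-text auth).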

Mixed Mode

Use when the LAN/VLAN contains both static and DHCP clients. DHCP clients receive addresses from the configured DHCP settings.

  2. Interfaces

Choose LAN or VLAN based on where the devices to be managed reside.

  • Virtual IP: Visible when HA is enabled. Shared IP owned by the active appliance; one Virtual IP is configured for WAN and one for LAN/VLAN.
  • MTU: Maximum transmission unit for WAN and LAN/VLAN. Default is 1500.
  • Gateway Address: Default gateway for the WAN interface.
  • DNS Servers: DNS resolver IPs for the WAN interface.

Gatekeeper

This tab lists all Gatekeepers in the HA group. In Standalone mode, only the single Gatekeeper is shown.

Add Gatekeeper: Available only when High Availability is enabled; adds a new member to the HA group.

Use the three‑dot menu on a Gatekeeper tile to rename it; the new name becomes the device hostname.

Use the expand arrow next to the three‑dot menu to view or edit WAN and LAN/VLAN IP addresses.

Advanced

This tab provides advanced and optional settings.

  1. Use Proxy

    • Enable to route platform connectivity through a proxy. Provide protocol, proxy IP/Domain, port, and credentials if required.
  2. Debug Logs

    • Enable to capture more verbose logs for troubleshooting Gatekeeper behavior.
  3. Asymmetric Mode

    • Enables the Gatekeeper to use different paths for incoming and outgoing traffic, to optimize performance and redundancy.
  4. Fail Open

    • If all Gatekeepers in the HA group fail, the switch takes over forwarding so that traffic continues without Gatekeeper enforcement, minimizing disruption.
  5. Prune Disconnected Devices

    • Enable to automatically prune disconnected devices after a configurable threshold (in days).

Progressive Enforcement

ColorTokens recommends a progressive enforcement methodology to implement policy changes. All policy enforcement actions should first be tested in a development or testing environment before being deployed in production. The ColorTokens Xshield Console supports key features like Test Mode, Traffic Visualizer, and Dashboard Summaries, which facilitate validation of enforcement actions before rollout. The suggested approach involves the following phases:

Incremental Focus on Key Services

  • Secure High-Risk Ports First: Begin with mission-critical or commonly exploited services such as RDP or SSH. Permit inbound connections only from trusted sources like jumpboxes or bastion hosts.
  • Monitor Before Enforcing: Deploy policies in "monitor-only" or "test" mode. Log and analyze unexpected traffic before switching to an enforcement (deny) mode.
  • Start with Known, Approved Ports: After securing high-risk services, apply policies to other known and approved ports. This significantly reduces the attack surface and prevents unauthorized services or C2 (command and control) channels from operating on unused ports.
  • Close Inactive Ports: Identify and block open ports that are not being actively used. This minimizes overlooked entry points and enhances the security posture.

Iterative Expansion

  • Apply Enterprise-Wide Templates: Define baseline policies aligned with Zero Trust principles and organizational security standards (e.g., “All Windows Servers”). This ensures consistency and reduces misconfigurations.
  • Segment Granularly: Use broader templates (e.g., “All Windows Servers”) as a base, then refine for subsets like “Production Windows Servers” to apply stricter controls.
  • Refine Regularly: Continuously audit and update policies by removing outdated or unused rules. This keeps the environment secure, lean, and compliant with evolving best practices.

Cross-Functional Alignment

  • Collaborate Early: Security, networking, product, QA, and application teams should collaborate early to align expectations and streamline implementation.
  • Establish Short Feedback Loops: Conduct frequent reviews to validate effectiveness, adjust misconfigurations, and plan next steps.

Implementation Approach

  • Initiate a Pilot Program: Select a limited set of critical assets or a small network segment. Enforce clearly defined rules, validate outcomes, and gather feedback.
  • Scale Gradually: Once pilot environments are stable, expand to other segments. Incorporate lessons learned to refine templates and policies.
  • Automate and Integrate: Use centralized platforms to ensure consistency and align deployments with Agile workflows.

Policy Testing and Validation

The structured approach to policy enforcement includes:

  • Incremental Rollout: Gradually apply policies to minimize disruption and monitor for stability.
  • Simulation and Visualization: Use the ColorTokens Visualizer and Test Mode to preview policy effects, verify legitimate traffic flows, and ensure they're preserved.
  • Change Approval Workflows: Establish formal workflows where application owners request access or changes to traffic flows. This serves both operational control and compliance documentation purposes.
  • Rollback and Backup Mechanisms: Use templates to simplify policy rollback. If needed, reverting a template reverts the associated policies, ensuring quick recovery.

Policy Management

Best Practices

Effective policy management requires a foundational architecture of tags, templates, networks, and segments:

  • Tag Rules: Automatically categorize assets based on attributes like location, application, or environment. Custom tags can be created for additional flexibility.
  • Named Networks: Define collections of critical resources (e.g., Active Directory, backup servers) using IP ranges or subnets. These facilitate simplified visualization and traffic control.
  • Templates: Build modular templates to define allowed or blocked ports, protocols, and services. Templates can be layered for incremental enforcement.
  • Segments: Group devices logically using tagging criteria. This enables dynamic policy enforcement: when new devices are tagged, they are automatically assigned to the appropriate segment with the right traffic controls.

Following these practices enables scalable, adaptive, and compliant policy enforcement.

Breach Response Support for Gatekeeper Assets

Overview

This release extends Breach Response capabilities to Gatekeeper-managed assets, enabling operators to rapidly contain or harden these assets during security incidents. Gatekeepers can now participate in Breach Response Levels (Red, Orange, Yellow, or custom-defined) and enforce the corresponding isolation or restriction policies based on assigned templates.

Key Highlights

  • Gatekeeper assets can now receive and enforce Breach Response templates.
  • Supports all Breach Response Levels for consistent containment behavior.
  • Enables rapid isolation or hardening of Gatekeeper-protected environments.
  • Aligns Gatekeeper behavior with existing endpoint and server Breach Response workflows.

Customer Value

  • Unified containment strategy across both Gatekeeper and agent-managed assets.
  • Faster, more reliable response during potential breach events.
  • Reduced lateral movement risk by extending dynamic isolation to network entry points.
  • Improves overall Zero Trust resilience and incident response readiness.

Training

CT Training Courses

ColorTokens provides structured training to ensure security operations personnel can effectively manage and operate CT solutions. Programs include:

  • Deployment Training: Instructor-led sessions during system installation, focusing on setup and configuration.
  • Policy Management Workshops: Interactive sessions covering policy creation, testing, enforcement, and monitoring.
  • Ongoing Education: Continuous access to updated training resources, including documentation, webinars, and knowledge base articles.

Ongoing Sustainment

To support long-term success and operational continuity, ColorTokens offers:

  • Regular Software Updates: Updates released periodically to enhance features and patch security issues.
  • Technical Support Services: Access to expert support for troubleshooting and system optimization.
  • Extended Warranty and Maintenance Plans: Available to ensure hardware durability and long-term coverage for mission-critical environments.

For further assistance, please refer to official ColorTokens documentation or contact the support team.