Documentation

Everything you need to deploy, configure and operate MetaWiFi Aegis.

System requirements

MetaWiFi Aegis runs as a self-contained on-prem appliance. Choose the tier that matches your environment size.

ResourceSmall (up to 150 devices)Medium (up to 500 devices)Large (up to 2 000 devices)
CPU4 vCPU4–8 vCPU12+ vCPU
Memory8 GB RAM16 GB RAM32 GB RAM
Disk100 GB SSD250 GB SSD500 GB NVMe SSD
Data retention90 days180 days365 days
Network accessReachable from monitored devices; outbound internet for license validation
Device definition: A monitored device is a network infrastructure component such as a switch, router or wireless LAN controller (WLC). Access points are not counted individually.

Supported platforms

MetaWiFi Aegis supports Cisco switching and wireless, Fortinet firewalls and F5 load balancers. The table below lists which platforms are currently supported. Support is extended with each release — check this page for the latest status.

Wired — Cisco Catalyst switching

PlatformStatusNotes
Cisco Catalyst 9000 series
9200, 9300, 9400, 9500, 9600
Supported Full SNMP polling, interface, environment and stack monitoring
Cisco Catalyst 2960-X / 2960-XR Supported End-of-life platform. Fully supported for existing deployments.
Other 2960 variants
2960, 2960-S, 2960-Plus
Not yet supported Planned for a future release

Wireless — Cisco controllers

PlatformStatusNotes
Cisco WLC (AireOS) Not supported AireOS-based controllers are not supported
Cisco Catalyst 9800 (IOS-XE WLC) Supported Full wireless visibility via REST API

Fabric — Cisco ACI

PlatformStatusNotes
Cisco ACI / APIC Supported Fabric health, tenants and endpoints via APIC REST API. Firmware 5.x and later.

Firewalls

PlatformStatusNotes
Fortinet FortiGate Supported Interface stats, HA state and system health via SNMP

Load balancers

PlatformStatusNotes
F5 BIG-IP Supported Virtual server state, pool member health and system metrics via SNMP
Not sure if your platform is supported? Contact us — we can confirm compatibility or provide a roadmap estimate.

Deploy via OVA

The OVA is a pre-built virtual appliance that can be imported directly into VMware vSphere, ESXi, Workstation or Proxmox. No operating system installation is required.

  1. Download the OVA
    Download the latest .ova file from aegis.metawifi.nl/download/aegis-appliance.ova.
  2. Import into your hypervisor
    In vSphere or ESXi: File → Deploy OVF Template and follow the wizard. In Proxmox: use the Import from OVF/OVA option under your storage node.
  3. Configure resources
    Before powering on, verify the VM is assigned at least 2 vCPU and 8 GB RAM. Increase disk size if your environment requires more retention.
  4. Power on and complete setup
    On first boot the setup wizard starts automatically. Follow the steps in First boot.
Default login — username: metawifi / password: metawifi. Change the password after first login.

Physical appliance

MetaWiFi Aegis is also available as a pre-configured physical appliance — rack-mounted hardware with the software pre-installed and ready to deploy.

The appliance ships with all required services configured. Connect it to your network, power it on, and follow the First boot steps. A license is ordered separately and activated via Admin → License.

To order an appliance, use the contact form and select Appliance — physical hardware unit.

Prerequisites

Before deploying Aegis, verify the following network conditions are in place. Aegis must be able to reach your monitored devices, and your devices must be able to reach Aegis for telemetry delivery.

Reachability from Aegis to devices

ProtocolPortDirectionPurpose
ICMPAegis → devicesDevice availability and latency checks
SSHTCP 22Aegis → devicesOnboarding: read-only audit or automated config push
SNMPUDP 161Aegis → devicesPolling metrics, interfaces, environment
HTTPSTCP 443Aegis → WLC / APICWireless controller and ACI API polling

Reachability from devices to Aegis

ProtocolPortDirectionPurpose
SNMP TrapUDP 162Devices → AegisReal-time event delivery (optional)
SyslogUDP 514Devices → AegisLog-based telemetry (optional)
gRPC (Telemetry)TCP 57500Devices → AegisCisco streaming telemetry dial-out (Catalyst / WLC)
ORB relayTCP 8095ORB agents → AegisORB agent telemetry forwarding

Dashboard access

ProtocolPortDirectionPurpose
HTTP / HTTPSTCP 80 / 443Browser → AegisDashboard access
HTTPSTCP 443Aegis → internetLicense validation
ICMP is required. Aegis uses ping to determine device availability before polling. If ICMP is blocked between Aegis and a device, that device will show as unreachable regardless of SNMP configuration.

First boot

When Aegis starts for the first time, a setup wizard guides you through the initial configuration. The wizard runs in the browser — open the dashboard using the IP address of the server or VM.

  1. Set an admin password
    Choose a secure password for the admin account.
  2. Configure your organisation name
    This is displayed in the dashboard header and reports.
  3. Enter your network polling settings
    Provide the IP address ranges or specific devices you want Aegis to poll. See Network & polling for details.
  4. Set up HTTPS (recommended)
    If your server has a public domain name, HTTPS can be configured directly from the admin panel under Admin → Settings → HTTPS.
  5. Activate your license
    Go to Admin → License and enter your license key. See License activation.

License activation

Aegis requires a license key to operate beyond the free tier. License keys are entered and managed via Admin → License in the dashboard.

Trial license

A 30-day trial license key is available immediately at aegis.metawifi.nl/license. It gives full access to all features for 30 days. No credit card required.

PRO license

After purchasing a PRO license you will receive your license key by email. Enter it in Admin → License and click Activate. The dashboard will confirm the tier and device limit immediately.

License validation requires outbound internet access from the Aegis server. Validation happens at activation and periodically in the background.

Network & polling

Aegis polls your network devices to collect telemetry. All polling happens from the Aegis server — no agents are installed on the monitored devices.

Supported protocols

  • SNMP v2c / v3 — switches and routers
  • Cisco WLC API — wireless LAN controllers
  • Cisco ACI REST API — ACI fabric environments (optional)
  • SSH — device onboarding and automated configuration push (optional)

Poll intervals

Aegis uses different collection methods and intervals depending on the data type and platform.

Data typePlatformMethodInterval
Health, interfaces & environment Switches (SNMP) Aegis polls device 60 seconds
Bandwidth & traffic counters Switches (SNMP) Aegis polls device 5 minutes
Telemetry Switches Device pushes to Aegis 30 seconds
Controllers, APs & clients Cisco WLC (9800) Aegis polls WLC API 60 seconds
Fabric health, tenants & endpoints Cisco ACI / APIC Aegis polls APIC API 60 seconds (configurable)
Telemetry push (30s) gives faster state updates than SNMP polling (60s). For time-sensitive alerting on switches, ensure SNMP and telemetry configuration is in place. See SSH access for automated onboarding of these settings.

Polling targets are added under Admin → Add / Discover — onboard an individual device, or scan an IP range or subnet to discover multiple switches at once. See Adding devices. Global SNMP credentials are configured under Admin → Settings → SNMP Configuration (see Before you onboard); individual devices can override them in their own form. Poll intervals can be tuned under Admin → Advanced.

Users & access

Aegis uses role-based access control (RBAC) to manage who can view and change what in the dashboard.

The local install user

During installation, a local system user is created automatically. This user serves as a fallback login — it is used to access the dashboard when no other user accounts have been created yet. Once you create your first dashboard user via Admin → Users, the install user is no longer shown in the user list and is not used for normal login.

Keep the install user credentials secure. They can be used to regain access if all dashboard users are lost.

User groups

GroupAccess level
Admin Full access — dashboards, alerts, admin panel, users, license, integrations, updates and settings
Monitor Read-only access to dashboards and alerts. No access to admin panel or settings.

Users are created and managed in Admin → Users. Assign the Monitor group to operators who only need visibility, and the Admin group to users who manage the platform.

SSH access

Aegis can connect to your network devices over SSH for onboarding purposes. SSH credentials are configured in Admin → Settings → SSH and applied per device or subnet.

Read-only SSH

In read-only mode Aegis connects to devices to audit the current configuration — for example, to verify which SNMP community strings are active or to check the existing telemetry configuration. No changes are made to the device.

Read/write SSH (onboarding)

In read/write mode Aegis can push configuration to devices automatically during onboarding. This includes:

  • SNMP community string configuration
  • Telemetry configuration (streaming telemetry towards the Aegis platform)

This allows you to onboard a new device in a single step without manually logging into each switch or router. Aegis generates a change preview before applying anything — you confirm before the push is executed.

Read/write SSH requires a privileged account on the target device (typically enable-level access on Cisco IOS). Use a dedicated monitoring account with the minimum required privilege level. All SSH sessions are initiated from the Aegis server — no inbound SSH to Aegis is required.

Before you onboard

Get started by filling in a few global settings before you onboard your first device. These live under Admin → Settings and are reused for every device you add, so configuring them once up front turns onboarding into a single confirmation step instead of re-entering details each time.

SettingNeeded before onboarding?Why it matters
SNMP Configuration Required The SNMPv3 credential set Aegis provisions on each switch and then uses to poll it. Switch onboarding is blocked until the allowed-source list is set.
Telemetry Receiver Required Where Catalyst 9000 switches and the 9800 WLC stream gRPC telemetry. Set it before onboarding any telemetry-capable device so the pushed subscription points at the right address.
SSH Credentials Optional Used to push configuration during onboarding. Set them globally for one-step bulk onboarding, or leave them blank and enter one-off credentials in the onboarding form instead.

1. SNMP Configuration — required

Configured under Admin → Settings → SNMP Configuration. Switches are always SNMPv3: Aegis creates this user on each switch during onboarding (authPriv) and then uses it to poll. Firewalls and load balancers inherit the same v3 set unless you give them their own credentials later.

FieldDescription
SNMP User / Group / ViewNames of the SNMPv3 user, group and view Aegis creates on the switch (defaults: AEGIS / AEGIS-GRP / AEGIS-VIEW).
ACL NameName of the access list applied to the SNMP user on the switch.
Allowed sourcesComma-separated wildcard entries (e.g. 10.2.65.0 0.0.0.255). Must include the Aegis server's IP or subnet — each entry becomes a permit in the SNMP ACL.
Auth protocol + passwordSNMPv3 authentication — SHA, SHA-256 or MD5.
Priv protocol + passwordSNMPv3 privacy / encryption — AES-128, AES-256 or DES.
Allowed sources is mandatory. If the list is empty, Aegis refuses to onboard the switch — pushing an ACL with no permit entries would lock SNMP out entirely (implicit deny-all). Always include the Aegis server's IP or subnet.

2. Telemetry Receiver — required for streaming telemetry

Configured under Admin → Settings → Telemetry Receiver. Catalyst 9000 switches and the Catalyst 9800 WLC stream gRPC telemetry to Aegis (faster than SNMP polling — see Network & polling). Set the receiver before onboarding these devices so the subscription Aegis pushes points at the right address. Legacy SNMP-only switches do not use this.

FieldDescription
Receiver host / IPThe Aegis server address devices stream to. Must be reachable from your devices on TCP 57500 — see Prerequisites.
PortgRPC telemetry port (default 57500).
Receiver nameName used in the telemetry receiver protocol <name> config on the switch (e.g. METAWIFI_RECEIVER).
WLC receiver IP / portLeave blank to reuse the switch receiver. Set only if WLCs must stream to a different address than switches.
Default management interfaceInterface whose IP becomes the gRPC source-address in the pushed subscription (e.g. Loopback0, Vlan1). Can be overridden per switch during onboarding.

3. SSH Credentials — optional

Configured under Admin → Settings → SSH Credentials. SSH is how Aegis pushes configuration during onboarding (the SNMP user, telemetry subscriptions). You do not have to set this globally — you can leave the fields blank and type one-off credentials into the onboarding form, where they are used only for that session and never stored. Set them globally when you want to onboard many devices in one step without re-typing. See SSH access for the read-only vs read/write distinction.

AccountAccess neededUsed for
Switch SSHWrite / enablePushes the SNMPv3 user (and telemetry config) onto switches during onboarding.
WLC SSHRead-onlyCatalyst 9800 discovery and the telemetry subscription push.
Telemetry SSHWritePushes MDT telemetry subscriptions. Falls back to Switch SSH when left blank.
Discover Topology SSHRead-onlyCDP/LLDP topology discovery and subnet scans. Falls back to Switch SSH when left blank.
DNS domain suffix (optional)Appended to bare hostnames for all SSH connections. No effect when an IP address is already known.
With SNMP (and Telemetry, if you run Catalyst 9000 / 9800) in place, you are ready to add your first device.

Adding devices

All device management lives under Admin → Add / Discover. From here you can onboard individual devices, run a subnet scan, or review and remove existing inventory.

Add Switch

Aegis connects to the switch over SSH, reads the platform type (show version), and automatically decides whether to configure streaming telemetry (Catalyst 9000) or SNMP polling only (legacy platforms).

  1. Enter the switch hostname or IP and the site name it belongs to.
  2. Optionally specify the management interface for telemetry (e.g. Loopback0). Leave blank to use the global default.
  3. Enter SSH credentials, or leave blank to use the saved Switch SSH account (Admin → Settings → SSH).
  4. Click Discover device. Aegis pings port 22, identifies the platform, and presents a confirmation card.
  5. Confirm to onboard — Aegis pushes the SNMP and/or telemetry configuration and adds the switch to the inventory.
SSH write access is required for switch onboarding — Aegis pushes SNMPv3 credentials and (for 9k) telemetry destination configuration. Use a dedicated account with enable-level privilege.

Add WLC

Onboards a Cisco Catalyst 9800 Wireless LAN Controller. Aegis registers the WLC in the inventory and optionally pushes the streaming telemetry subscription via SSH so wireless metrics start flowing immediately.

  1. Enter the WLC IP, short name, site/group, and optionally the uplink switch IP.
  2. Enable Push telemetry config via SSH (recommended) to have Aegis configure the telemetry subscription automatically.
  3. Enter SSH credentials, or leave blank to use the saved WLC SSH account (read-only is sufficient for WLC).
  4. Click Add WLC.

Add Firewall

Monitors FortiGate firewalls via SNMP. No SSH access to the firewall is required. The firewall must be configured to accept SNMP queries from the Aegis IP.

  1. Enter the firewall name, IP address, site, and (optionally) model and maximum session capacity.
  2. Select the SNMP version — v2c (community string) or v3 (user/auth/priv).
  3. For v3: fill in the credentials, or leave the fields empty to inherit the global Firewall SNMP credential set (Admin → Settings → SNMP).
  4. Use Test SNMP to verify connectivity before saving.
  5. Click Save firewall. The firewall appears on the Wired page under its assigned site.

Add Load Balancer

Monitors F5 BIG-IP load balancers via SNMP. VIP status, concurrent connections, and SNAT pool statistics are collected every poll cycle. No SSH access is required.

  1. Enter the load balancer name, IP address, and site.
  2. Select SNMP v2c or v3 and provide credentials (or inherit from the global LB SNMP credential set).
  3. Use Test SNMP to verify, then click Save load balancer.

Discover Multiple Switches

Scans an IP range or subnet and identifies reachable network devices in one pass. Useful when onboarding a new site with many switches.

  1. Enter the site name and (optionally) the management interface for telemetry switches.
  2. Provide SSH credentials, or leave blank to use the saved Switch SSH account.
  3. Choose IP Range (start–end) or Subnet (network/CIDR) and click Scan.
  4. Aegis probes each address for SSH reachability, identifies the platform, and lists the results.
  5. Click Onboard on each discovered device to add it — or onboard all with a single click if the button is present.
Scan time scales with the range size — a /24 subnet may take up to 30 seconds. Devices that are reachable but where SSH authentication fails are still listed so you can add them manually.

Managed Devices

The Managed Devices accordion shows the full inventory: SNMP/Telemetry switches, WLCs, firewalls, and load balancers. From here you can edit device settings or remove a device from monitoring.

Site overview

The dashboard opens on the Site overview — a health-based view of all monitored sites. Each site shows an overall health percentage, active alert count and a quick summary of wired and wireless status.

Sites are automatically grouped based on your polling configuration. A site's health score is derived from the combined state of all monitored devices at that location. Click a site tile to drill into device-level detail.

Health scoring

  • Green (≥ 90%) — all devices operating normally
  • Yellow (70–89%) — minor issues detected, services unaffected
  • Red (< 70%) — significant issues requiring attention

Wireless monitoring

The wireless section provides visibility into your Cisco wireless infrastructure. It is organised around the controller (WLC) as the top-level object.

  • Controllers — operational state, firmware version, client load
  • Access points — per-AP health, uptime, channel and client counts
  • Clients — connected clients per SSID and AP
  • SSIDs — distribution across APs and client load

Access points are not individually licensed — only the WLC counts as a monitored device.

Wired monitoring

The wired section covers switches and uplinks across all monitored sites.

  • Switch health — CPU, memory, temperature and power supply state
  • Uplinks — traffic, errors and operational state
  • Stack members — per-member state in stacked switch environments
  • Environment — fan and temperature sensor readings where available

Alerts

Aegis continuously evaluates collected telemetry and generates alerts when thresholds are exceeded or operational state changes are detected. Alerts are visible on the site overview and in the Alerts tab within each site.

Alerts are classified as Critical, Warning or Info. Critical alerts affect the site health score. Alerts resolve automatically when the underlying condition clears.

When a device is itself offline, Aegis raises a single device offline alert and suppresses its dependent alerts — uplink and backbone interfaces, access points, and environmental readings. The device being unreachable is the root cause, so the downstream alerts would only be redundant noise.

To escalate alerts to an on-call tool, see SIGNL4 integration.

Cisco ACI

MetaWiFi Aegis can connect to a Cisco APIC to pull fabric health, tenant and endpoint data into the dashboard. ACI integration is optional and configured separately from standard SNMP polling.

  1. Go to Admin → Integrations → ACI
    Enter the APIC hostname or IP address, and the credentials for a read-only monitoring account.
  2. Test the connection
    Use the Test connection button to verify Aegis can reach the APIC.
  3. Save and enable
    Once the connection is confirmed, save the settings. ACI data will appear in the dashboard within a few minutes.
Aegis uses a read-only API connection to the APIC. No configuration changes are made to the fabric. Supported: APIC firmware 5.x and later.

SIGNL4 alerting

SIGNL4 is a mobile alerting and on-call scheduling platform. Aegis can escalate alerts to SIGNL4 for mobile notification, acknowledgement tracking and escalation workflows.

  1. Create a SIGNL4 team
    Sign up at signl4.com and create a team. Copy your team's webhook URL from the SIGNL4 portal.
  2. Go to Admin → Integrations → SIGNL4
    Paste the webhook URL, then set your daytime window and timezone. Which devices escalate, and when, is controlled per device with tags — see Alert escalation below.
  3. Test the integration
    Use the Send test alert button to verify delivery to your SIGNL4 team.

For detailed control over which alerts are escalated, see Alert escalation.

Alert escalation

Aegis does not escalate every alert — it applies escalation logic before sending anything to SIGNL4. This keeps your on-call team focused on actionable incidents and prevents alert fatigue.

Severity levels

Every condition Aegis detects is classified by severity. All severities are always visible on the dashboard; only some are eligible to escalate to your on-call team via SIGNL4.

SeverityMeaningCan escalate to SIGNL4?
CriticalService impact or device failure — requires immediate attentionYes — while the device's tag window is active
WarningDegraded state or threshold exceeded — monitor closelyOnly when the tag enables daytime/custom warnings
InfoInformational events and state changesNo — dashboard only

Per-device escalation & tags

Escalation to SIGNL4 is opt-in per device. A device with no tag is still fully monitored on the dashboard, but never escalates to on-call. To enable escalation, group devices with a tag (Admin → Integrations → SIGNL4 → Tags) and give the tag an alert window that decides when its Critical alerts escalate.

Alert windowCriticals escalateWarnings can be enabled?
Always24/7
Daytime onlyDuring the configured daytime window (default 08:00–17:00)Yes — during daytime
Out of hours onlyOutside the daytime window
Custom windowInside a time range you define (e.g. 17:00–22:00; may span midnight)Yes — inside the range
NeverNever

For the Daytime only and Custom windows, a per-tag “Also escalate Warnings” toggle additionally escalates Warning-level alerts — but only while that window is active. Criticals always follow the window regardless of the toggle. A tag can also carry a team / filter keyword so different device groups reach the right SIGNL4 responders. If a Warning that was already sent later escalates to Critical, Aegis re-escalates so the incident is never understated.

Example: exam-hall access switches that only matter in the evening — tag them with a Custom window of 17:00–22:00 and enable warnings. They escalate (Critical and Warning) during those hours and stay silent the rest of the day, while still being fully visible on the dashboard.

Alert payload

Every alert escalated to SIGNL4 includes:

  • Site — the site name where the alert originated
  • Device — hostname or IP address of the affected device
  • Alert type — category of the alert (e.g. CPU high, uplink down, AP offline)
  • Severity — Critical, Warning or Info
  • Timestamp — when the alert was first detected
  • Description — human-readable explanation of what triggered the alert

Auto-resolve

When the condition that triggered an alert clears, Aegis automatically sends a resolve signal to SIGNL4. The corresponding incident in SIGNL4 is closed without manual intervention.

Maintenance suppression

Alerts from devices or sites that are in a planned maintenance window are automatically suppressed — they will not be escalated to SIGNL4 for the duration of the window. This prevents false on-call notifications during scheduled work.

Suppressed alerts are still recorded in the Aegis alert log. They become visible again after the maintenance window ends.

Planned maintenance

Scheduled maintenance windows tell Aegis that a device or site is intentionally offline or being worked on. During a maintenance window, alerts are suppressed and the affected device or site is visually marked on the main dashboard so operators know the degraded state is expected.

Maintenance scope

ScopeEffect
Site level All devices within the site are put into maintenance. The site tile on the main page shows a maintenance badge. No alerts are escalated for any device in that site.
Device level Only the selected device is put into maintenance. Other devices in the same site continue to alert normally. The device is marked in the site detail view.

Scheduling a maintenance window

  1. Navigate to the site or device
    From the main dashboard, click a site tile to open the site detail view. To schedule maintenance for a specific device, click the device within the site.
  2. Open the maintenance panel
    Click the Maintenance button in the site or device header.
  3. Set the duration
    Choose a preset duration (30 min, 1 hour, 2 hours, 4 hours, 8 hours) or set a custom start and end time. Maintenance windows can span multiple days for extended work.
  4. Add an optional note
    A short description of the planned work — visible to other operators on the dashboard.
  5. Confirm
    The window is activated immediately or at the scheduled start time.

Main dashboard display

The main dashboard always shows the current maintenance state at a glance:

  • Active maintenance — sites and devices currently in a maintenance window are shown with a maintenance badge. Their health score is greyed out and alerts are suppressed.
  • Planned maintenance — upcoming windows scheduled for the next 24 hours are listed in the maintenance overview panel on the main page, so the team knows what is coming.

Ending maintenance early

If the work finishes before the window expires, maintenance can be ended manually. Navigate back to the site or device and click End maintenance. Normal polling and alert escalation resume immediately.

Tip: Always schedule a maintenance window before starting planned work on a device. This prevents unnecessary on-call notifications and keeps the alert history clean.

Updates

MetaWiFi Aegis checks for updates automatically. When a new version is available, a notification appears in the admin panel.

  1. Go to Admin → Update
    The current version and latest available version are shown here.
  2. Click Update
    Aegis triggers the update process in the background. Services restart automatically once the update is complete. This typically takes 2–5 minutes.
  3. Verify
    After the update completes the dashboard reloads and shows the new version number.
Updates do not affect your configuration, license key, collected data or custom settings. All data is preserved across updates.

Backup & restore

Aegis stores everything locally — configuration, collected telemetry, license state and integration settings. There is no external cloud dependency. Backups are your responsibility and should be scheduled regularly.

What is stored

DataContents
ConfigurationAdmin credentials, polling targets, SNMP settings, HTTPS certificates, integration settings
TelemetryAll collected metrics and time-series data — site health history, device counters, alert history
LicenseActivated license key and validation state
UsersDashboard user accounts and group assignments

Backup via the dashboard

The easiest way to back up your Aegis instance is directly from the admin panel — no SSH or command-line access required.

  1. Go to Admin → Backup
    This section shows the current backup status, the last successful backup timestamp, and available restore points.
  2. Create a backup
    Click Create backup now. Aegis creates a snapshot of all configuration, user accounts, license state and integration settings. The backup is stored locally on the server and listed with a date and size.
  3. Download the backup
    Click Download next to a backup entry to save the .tar.gz archive to your local machine. Store it on a NAS, network share or cloud storage for offsite retention.
  4. Schedule automatic backups
    Enable Scheduled backups under Admin → Backup → Schedule. Choose a daily or weekly interval and optionally set a retention period (e.g. keep the last 7 backups). Aegis handles the rest automatically.
Tip: Enable scheduled backups and download a copy to offsite storage after each major configuration change — for example after onboarding new devices or changing integration settings.

Storage location (advanced)

All Aegis data is stored under a single directory on the server:

/opt/metawifi-aegis/

This applies to all deployments. Backing up this directory is sufficient for a full recovery. For scripted or infrastructure-level backups, this is the path to target.

VM snapshot (OVA deployments)

For virtual machine deployments, a hypervisor-level snapshot captures the full disk state including the OS, services and all data. This is the most complete form of backup for OVA installs.

  • VMware / vSphere: right-click the VM → Snapshots → Take Snapshot. Schedule via vSphere Data Protection or your backup solution.
  • Proxmox: use the Backup tab on the VM → Backup Now, or configure a scheduled backup job under Datacenter → Backup.

CLI backup

You can back up the data directory directly from the command line. Stop Aegis services first to ensure data consistency.

sudo systemctl stop metawifi
sudo tar -czf aegis-backup-$(date +%Y%m%d).tar.gz /opt/metawifi-aegis
sudo systemctl start metawifi

Copy the resulting .tar.gz file to a remote location (NAS, S3, SFTP, etc.). To automate this with a cron job, add the following to sudo crontab -e:

0 2 * * * systemctl stop metawifi && tar -czf /var/backups/aegis/aegis-$(date +\%Y\%m\%d).tar.gz /opt/metawifi-aegis && systemctl start metawifi && find /var/backups/aegis -name "aegis-*.tar.gz" -mtime +7 -delete

This runs every night at 02:00, keeps the last 7 daily backups and removes older archives automatically. Create the backup directory first: sudo mkdir -p /var/backups/aegis

Restore

To restore from a backup taken via the dashboard, go to Admin → Backup on a running Aegis instance, click Restore and upload the .tar.gz file. Aegis will apply the backup and restart automatically.

To restore from a CLI or VM-level backup to a fresh installation:

  1. Deploy a fresh Aegis instance
    Deploy a fresh Aegis instance via OVA. Do not complete the setup wizard yet.
  2. Stop services
    sudo systemctl stop metawifi
  3. Restore the data directory
    sudo rm -rf /opt/metawifi-aegis
    sudo tar -xzf aegis-backup-YYYYMMDD.tar.gz -C /
  4. Start services
    sudo systemctl start metawifi
    The dashboard is available at the server's IP address with all data and settings restored.
After restoring to a new server with a different IP address, update your HTTPS settings in Admin → Settings → HTTPS if a domain and certificate were configured on the original server.

Security hardening

Aegis ships with a set of security defaults that cover the most common hardening requirements, including NIS2-aligned controls for network monitoring infrastructure. This section explains what is enforced automatically and what you can configure.

HTTPS & TLS

Aegis serves its dashboard over HTTP by default. Enable HTTPS under Admin → HTTPS to terminate TLS at the built-in nginx reverse proxy.

SettingWhere to configureNotes
Enable HTTPS Admin → HTTPS → Enable Requires a certificate. Self-signed, uploaded, or Let's Encrypt.
Redirect HTTP → HTTPS Admin → HTTPS → Redirect HTTP Returns 301 for all plain-HTTP requests once enabled.
Let's Encrypt certificate Admin → HTTPS → Let's Encrypt Port 80 must be reachable from the internet. Auto-renewal runs via certbot.
Self-signed certificate Admin → HTTPS → Self-signed Good for internal use. Browsers will show a warning.
Upload your own certificate Admin → HTTPS → Upload Accepts PEM-encoded cert + key files.
Once HTTPS is enabled, Aegis automatically adds an Strict-Transport-Security (HSTS) header with a 1-year max-age to all responses. This instructs browsers to only connect over HTTPS going forward.

Session cookies

Aegis uses a server-side session cookie to maintain login state. The cookie security attributes adapt automatically to whether HTTPS is active.

AttributeValueEffect
HttpOnly Always on Prevents JavaScript from reading the session cookie — blocks XSS-based session theft.
SameSite=Lax Always on Blocks cross-site request forgery (CSRF) on navigation requests.
Secure When HTTPS is active Set only on HTTPS connections so the cookie is never sent over plain HTTP. Aegis detects the actual request scheme at runtime — toggling HTTPS on or off via Admin takes effect immediately without a restart.
If you see a browser warning "Cookie rejected because a non-HTTPS cookie can't be set as Secure", it means HTTPS is enabled in the Aegis config but the current request arrived over HTTP (e.g. you accessed the IP directly, bypassing nginx). Access the dashboard through the HTTPS URL, or disable the Secure flag by turning off HTTPS in Admin → HTTPS.

Content Security Policy

All Aegis responses include a Content-Security-Policy header that restricts what resources the browser is allowed to load.

DirectiveAllowed sources
default-src'self'
script-src'self' 'unsafe-inline' + jsDelivr CDN
style-src'self' 'unsafe-inline' + Google Fonts + jsDelivr CDN
connect-src'self' + WebSocket (ws: / wss:)
img-src'self' data: blob:
object-src'none' — plugins blocked entirely
frame-ancestors'none' — embedding blocked (also enforced by X-Frame-Options: DENY)
The connect-src 'self' directive covers the same origin as the page. If you see a CSP violation for an API call to http:// while the page is on https://, this is a mixed-content issue: the request is leaving via HTTP while the page is HTTPS. Enable HTTP → HTTPS redirect in Admin → HTTPS to ensure all traffic uses HTTPS consistently.

Additional security headers

HeaderValue
X-Frame-OptionsDENY
X-Content-Type-Optionsnosniff
Referrer-Policystrict-origin-when-cross-origin
Strict-Transport-Securitymax-age=31536000; includeSubDomains (HTTPS only)

Rate limiting

The login endpoint is rate-limited to 5 attempts per minute per IP address. After exceeding the limit, further login attempts are rejected with HTTP 429 until the window resets. This applies to both local and LDAP authentication.

NIS2 alignment

Aegis includes a number of controls that support NIS2 compliance for network monitoring infrastructure:

  • Audit logging — all logins, configuration changes and device management actions are logged with timestamp, user, IP, action and result. Accessible under Admin → Audit.
  • Role-based access control — Admin and Viewer roles limit who can change configuration versus who can only view dashboards.
  • LDAP / Active Directory integration — centrally managed identities, group-based access and no local password sprawl.
  • HTTPS encryption in transit — all dashboard traffic can be encrypted end-to-end with TLS.
  • Encrypted configuration backups — scheduled backups can be AES-encrypted with a password before being written to the backup directory.
  • Minimal exposure — no SSH inbound to Aegis required, no cloud dependency, no telemetry sent externally.