Documentation
Everything you need to deploy, configure and operate MetaWiFi Aegis.
System requirements
MetaWiFi Aegis runs as a self-contained on-prem appliance. Choose the tier that matches your environment size.
| Resource | Small (up to 150 devices) | Medium (up to 500 devices) | Large (up to 2 000 devices) |
|---|---|---|---|
| CPU | 4 vCPU | 4–8 vCPU | 12+ vCPU |
| Memory | 8 GB RAM | 16 GB RAM | 32 GB RAM |
| Disk | 100 GB SSD | 250 GB SSD | 500 GB NVMe SSD |
| Data retention | 90 days | 180 days | 365 days |
| Network access | Reachable from monitored devices; outbound internet for license validation | ||
Supported platforms
MetaWiFi Aegis supports Cisco switching and wireless, Fortinet firewalls and F5 load balancers. The table below lists which platforms are currently supported. Support is extended with each release — check this page for the latest status.
Wired — Cisco Catalyst switching
| Platform | Status | Notes |
|---|---|---|
| Cisco Catalyst 9000 series 9200, 9300, 9400, 9500, 9600 |
Supported | Full SNMP polling, interface, environment and stack monitoring |
| Cisco Catalyst 2960-X / 2960-XR | Supported | End-of-life platform. Fully supported for existing deployments. |
| Other 2960 variants 2960, 2960-S, 2960-Plus |
Not yet supported | Planned for a future release |
Wireless — Cisco controllers
| Platform | Status | Notes |
|---|---|---|
| Cisco WLC (AireOS) | Not supported | AireOS-based controllers are not supported |
| Cisco Catalyst 9800 (IOS-XE WLC) | Supported | Full wireless visibility via REST API |
Fabric — Cisco ACI
| Platform | Status | Notes |
|---|---|---|
| Cisco ACI / APIC | Supported | Fabric health, tenants and endpoints via APIC REST API. Firmware 5.x and later. |
Firewalls
| Platform | Status | Notes |
|---|---|---|
| Fortinet FortiGate | Supported | Interface stats, HA state and system health via SNMP |
Load balancers
| Platform | Status | Notes |
|---|---|---|
| F5 BIG-IP | Supported | Virtual server state, pool member health and system metrics via SNMP |
Deploy via OVA
The OVA is a pre-built virtual appliance that can be imported directly into VMware vSphere, ESXi, Workstation or Proxmox. No operating system installation is required.
-
Download the OVA
Download the latest.ovafile from aegis.metawifi.nl/download/aegis-appliance.ova. -
Import into your hypervisor
In vSphere or ESXi: File → Deploy OVF Template and follow the wizard. In Proxmox: use the Import from OVF/OVA option under your storage node. -
Configure resources
Before powering on, verify the VM is assigned at least 2 vCPU and 8 GB RAM. Increase disk size if your environment requires more retention. -
Power on and complete setup
On first boot the setup wizard starts automatically. Follow the steps in First boot.
metawifi / password: metawifi.
Change the password after first login.
Physical appliance
MetaWiFi Aegis is also available as a pre-configured physical appliance — rack-mounted hardware with the software pre-installed and ready to deploy.
The appliance ships with all required services configured. Connect it to your network, power it on, and follow the First boot steps. A license is ordered separately and activated via Admin → License.
To order an appliance, use the contact form and select Appliance — physical hardware unit.
Prerequisites
Before deploying Aegis, verify the following network conditions are in place. Aegis must be able to reach your monitored devices, and your devices must be able to reach Aegis for telemetry delivery.
Reachability from Aegis to devices
| Protocol | Port | Direction | Purpose |
|---|---|---|---|
| ICMP | — | Aegis → devices | Device availability and latency checks |
| SSH | TCP 22 | Aegis → devices | Onboarding: read-only audit or automated config push |
| SNMP | UDP 161 | Aegis → devices | Polling metrics, interfaces, environment |
| HTTPS | TCP 443 | Aegis → WLC / APIC | Wireless controller and ACI API polling |
Reachability from devices to Aegis
| Protocol | Port | Direction | Purpose |
|---|---|---|---|
| SNMP Trap | UDP 162 | Devices → Aegis | Real-time event delivery (optional) |
| Syslog | UDP 514 | Devices → Aegis | Log-based telemetry (optional) |
| gRPC (Telemetry) | TCP 57500 | Devices → Aegis | Cisco streaming telemetry dial-out (Catalyst / WLC) |
| ORB relay | TCP 8095 | ORB agents → Aegis | ORB agent telemetry forwarding |
Dashboard access
| Protocol | Port | Direction | Purpose |
|---|---|---|---|
| HTTP / HTTPS | TCP 80 / 443 | Browser → Aegis | Dashboard access |
| HTTPS | TCP 443 | Aegis → internet | License validation |
First boot
When Aegis starts for the first time, a setup wizard guides you through the initial configuration. The wizard runs in the browser — open the dashboard using the IP address of the server or VM.
- Set an admin password
Choose a secure password for the admin account. - Configure your organisation name
This is displayed in the dashboard header and reports. - Enter your network polling settings
Provide the IP address ranges or specific devices you want Aegis to poll. See Network & polling for details. - Set up HTTPS (recommended)
If your server has a public domain name, HTTPS can be configured directly from the admin panel under Admin → Settings → HTTPS. - Activate your license
Go to Admin → License and enter your license key. See License activation.
License activation
Aegis requires a license key to operate beyond the free tier. License keys are entered and managed via Admin → License in the dashboard.
Trial license
A 30-day trial license key is available immediately at aegis.metawifi.nl/license. It gives full access to all features for 30 days. No credit card required.
PRO license
After purchasing a PRO license you will receive your license key by email. Enter it in Admin → License and click Activate. The dashboard will confirm the tier and device limit immediately.
Network & polling
Aegis polls your network devices to collect telemetry. All polling happens from the Aegis server — no agents are installed on the monitored devices.
Supported protocols
- SNMP v2c / v3 — switches and routers
- Cisco WLC API — wireless LAN controllers
- Cisco ACI REST API — ACI fabric environments (optional)
- SSH — device onboarding and automated configuration push (optional)
Poll intervals
Aegis uses different collection methods and intervals depending on the data type and platform.
| Data type | Platform | Method | Interval |
|---|---|---|---|
| Health, interfaces & environment | Switches (SNMP) | Aegis polls device | 60 seconds |
| Bandwidth & traffic counters | Switches (SNMP) | Aegis polls device | 5 minutes |
| Telemetry | Switches | Device pushes to Aegis | 30 seconds |
| Controllers, APs & clients | Cisco WLC (9800) | Aegis polls WLC API | 60 seconds |
| Fabric health, tenants & endpoints | Cisco ACI / APIC | Aegis polls APIC API | 60 seconds (configurable) |
Polling targets are added under Admin → Add / Discover — onboard an individual device, or scan an IP range or subnet to discover multiple switches at once. See Adding devices. Global SNMP credentials are configured under Admin → Settings → SNMP Configuration (see Before you onboard); individual devices can override them in their own form. Poll intervals can be tuned under Admin → Advanced.
Users & access
Aegis uses role-based access control (RBAC) to manage who can view and change what in the dashboard.
The local install user
During installation, a local system user is created automatically. This user serves as a fallback login — it is used to access the dashboard when no other user accounts have been created yet. Once you create your first dashboard user via Admin → Users, the install user is no longer shown in the user list and is not used for normal login.
User groups
| Group | Access level |
|---|---|
| Admin | Full access — dashboards, alerts, admin panel, users, license, integrations, updates and settings |
| Monitor | Read-only access to dashboards and alerts. No access to admin panel or settings. |
Users are created and managed in Admin → Users. Assign the Monitor group to operators who only need visibility, and the Admin group to users who manage the platform.
SSH access
Aegis can connect to your network devices over SSH for onboarding purposes. SSH credentials are configured in Admin → Settings → SSH and applied per device or subnet.
Read-only SSH
In read-only mode Aegis connects to devices to audit the current configuration — for example, to verify which SNMP community strings are active or to check the existing telemetry configuration. No changes are made to the device.
Read/write SSH (onboarding)
In read/write mode Aegis can push configuration to devices automatically during onboarding. This includes:
- SNMP community string configuration
- Telemetry configuration (streaming telemetry towards the Aegis platform)
This allows you to onboard a new device in a single step without manually logging into each switch or router. Aegis generates a change preview before applying anything — you confirm before the push is executed.
Before you onboard
Get started by filling in a few global settings before you onboard your first device. These live under Admin → Settings and are reused for every device you add, so configuring them once up front turns onboarding into a single confirmation step instead of re-entering details each time.
| Setting | Needed before onboarding? | Why it matters |
|---|---|---|
| SNMP Configuration | Required | The SNMPv3 credential set Aegis provisions on each switch and then uses to poll it. Switch onboarding is blocked until the allowed-source list is set. |
| Telemetry Receiver | Required | Where Catalyst 9000 switches and the 9800 WLC stream gRPC telemetry. Set it before onboarding any telemetry-capable device so the pushed subscription points at the right address. |
| SSH Credentials | Optional | Used to push configuration during onboarding. Set them globally for one-step bulk onboarding, or leave them blank and enter one-off credentials in the onboarding form instead. |
1. SNMP Configuration — required
Configured under Admin → Settings → SNMP Configuration. Switches are always SNMPv3: Aegis creates this user on each switch during onboarding (authPriv) and then uses it to poll. Firewalls and load balancers inherit the same v3 set unless you give them their own credentials later.
| Field | Description |
|---|---|
| SNMP User / Group / View | Names of the SNMPv3 user, group and view Aegis creates on the switch (defaults: AEGIS / AEGIS-GRP / AEGIS-VIEW). |
| ACL Name | Name of the access list applied to the SNMP user on the switch. |
| Allowed sources | Comma-separated wildcard entries (e.g. 10.2.65.0 0.0.0.255). Must include the Aegis server's IP or subnet — each entry becomes a permit in the SNMP ACL. |
| Auth protocol + password | SNMPv3 authentication — SHA, SHA-256 or MD5. |
| Priv protocol + password | SNMPv3 privacy / encryption — AES-128, AES-256 or DES. |
2. Telemetry Receiver — required for streaming telemetry
Configured under Admin → Settings → Telemetry Receiver. Catalyst 9000 switches and the Catalyst 9800 WLC stream gRPC telemetry to Aegis (faster than SNMP polling — see Network & polling). Set the receiver before onboarding these devices so the subscription Aegis pushes points at the right address. Legacy SNMP-only switches do not use this.
| Field | Description |
|---|---|
| Receiver host / IP | The Aegis server address devices stream to. Must be reachable from your devices on TCP 57500 — see Prerequisites. |
| Port | gRPC telemetry port (default 57500). |
| Receiver name | Name used in the telemetry receiver protocol <name> config on the switch (e.g. METAWIFI_RECEIVER). |
| WLC receiver IP / port | Leave blank to reuse the switch receiver. Set only if WLCs must stream to a different address than switches. |
| Default management interface | Interface whose IP becomes the gRPC source-address in the pushed subscription (e.g. Loopback0, Vlan1). Can be overridden per switch during onboarding. |
3. SSH Credentials — optional
Configured under Admin → Settings → SSH Credentials. SSH is how Aegis pushes configuration during onboarding (the SNMP user, telemetry subscriptions). You do not have to set this globally — you can leave the fields blank and type one-off credentials into the onboarding form, where they are used only for that session and never stored. Set them globally when you want to onboard many devices in one step without re-typing. See SSH access for the read-only vs read/write distinction.
| Account | Access needed | Used for |
|---|---|---|
| Switch SSH | Write / enable | Pushes the SNMPv3 user (and telemetry config) onto switches during onboarding. |
| WLC SSH | Read-only | Catalyst 9800 discovery and the telemetry subscription push. |
| Telemetry SSH | Write | Pushes MDT telemetry subscriptions. Falls back to Switch SSH when left blank. |
| Discover Topology SSH | Read-only | CDP/LLDP topology discovery and subnet scans. Falls back to Switch SSH when left blank. |
| DNS domain suffix (optional) | — | Appended to bare hostnames for all SSH connections. No effect when an IP address is already known. |
Adding devices
All device management lives under Admin → Add / Discover. From here you can onboard individual devices, run a subnet scan, or review and remove existing inventory.
Add Switch
Aegis connects to the switch over SSH, reads the platform type (show version), and automatically
decides whether to configure streaming telemetry (Catalyst 9000) or SNMP polling only (legacy platforms).
- Enter the switch hostname or IP and the site name it belongs to.
- Optionally specify the management interface for telemetry (e.g.
Loopback0). Leave blank to use the global default. - Enter SSH credentials, or leave blank to use the saved Switch SSH account (Admin → Settings → SSH).
- Click Discover device. Aegis pings port 22, identifies the platform, and presents a confirmation card.
- Confirm to onboard — Aegis pushes the SNMP and/or telemetry configuration and adds the switch to the inventory.
Add WLC
Onboards a Cisco Catalyst 9800 Wireless LAN Controller. Aegis registers the WLC in the inventory and optionally pushes the streaming telemetry subscription via SSH so wireless metrics start flowing immediately.
- Enter the WLC IP, short name, site/group, and optionally the uplink switch IP.
- Enable Push telemetry config via SSH (recommended) to have Aegis configure the telemetry subscription automatically.
- Enter SSH credentials, or leave blank to use the saved WLC SSH account (read-only is sufficient for WLC).
- Click Add WLC.
Add Firewall
Monitors FortiGate firewalls via SNMP. No SSH access to the firewall is required. The firewall must be configured to accept SNMP queries from the Aegis IP.
- Enter the firewall name, IP address, site, and (optionally) model and maximum session capacity.
- Select the SNMP version — v2c (community string) or v3 (user/auth/priv).
- For v3: fill in the credentials, or leave the fields empty to inherit the global Firewall SNMP credential set (Admin → Settings → SNMP).
- Use Test SNMP to verify connectivity before saving.
- Click Save firewall. The firewall appears on the Wired page under its assigned site.
Add Load Balancer
Monitors F5 BIG-IP load balancers via SNMP. VIP status, concurrent connections, and SNAT pool statistics are collected every poll cycle. No SSH access is required.
- Enter the load balancer name, IP address, and site.
- Select SNMP v2c or v3 and provide credentials (or inherit from the global LB SNMP credential set).
- Use Test SNMP to verify, then click Save load balancer.
Discover Multiple Switches
Scans an IP range or subnet and identifies reachable network devices in one pass. Useful when onboarding a new site with many switches.
- Enter the site name and (optionally) the management interface for telemetry switches.
- Provide SSH credentials, or leave blank to use the saved Switch SSH account.
- Choose IP Range (start–end) or Subnet (network/CIDR) and click Scan.
- Aegis probes each address for SSH reachability, identifies the platform, and lists the results.
- Click Onboard on each discovered device to add it — or onboard all with a single click if the button is present.
Managed Devices
The Managed Devices accordion shows the full inventory: SNMP/Telemetry switches, WLCs, firewalls, and load balancers. From here you can edit device settings or remove a device from monitoring.
Site overview
The dashboard opens on the Site overview — a health-based view of all monitored sites. Each site shows an overall health percentage, active alert count and a quick summary of wired and wireless status.
Sites are automatically grouped based on your polling configuration. A site's health score is derived from the combined state of all monitored devices at that location. Click a site tile to drill into device-level detail.
Health scoring
- Green (≥ 90%) — all devices operating normally
- Yellow (70–89%) — minor issues detected, services unaffected
- Red (< 70%) — significant issues requiring attention
Wireless monitoring
The wireless section provides visibility into your Cisco wireless infrastructure. It is organised around the controller (WLC) as the top-level object.
- Controllers — operational state, firmware version, client load
- Access points — per-AP health, uptime, channel and client counts
- Clients — connected clients per SSID and AP
- SSIDs — distribution across APs and client load
Access points are not individually licensed — only the WLC counts as a monitored device.
Wired monitoring
The wired section covers switches and uplinks across all monitored sites.
- Switch health — CPU, memory, temperature and power supply state
- Uplinks — traffic, errors and operational state
- Stack members — per-member state in stacked switch environments
- Environment — fan and temperature sensor readings where available
Uplink rules
By default, Aegis identifies uplink interfaces on 2960X switches using a
Te* name heuristic. For all other platforms — and when you want
precise control — you can define uplink rules that map a
hostname pattern to an explicit list of interface names.
Rules are configured in Admin → Settings → Uplink Rules. Each rule has two required fields and two optional ones:
| Field | Required | Description |
|---|---|---|
| Pattern | Yes | Case-insensitive substring matched against the switch hostname. For example -bn- matches sw-bn-core-01. |
| Interfaces | Yes | Comma-separated list of interface names that count as uplinks for matching switches. You can enter the full name (FortyGigabitEthernet1/0/10) or Cisco shorthand (Fo1/0/10, Te1/1/1) — entries are expanded to their full canonical form and de-duplicated when saved. |
| Model pattern | No | Additional substring match against the switch model string. Useful when the same hostname convention is used across different hardware generations. |
| Comment | No | Free-text label for your own reference — not used by the system. |
Matching behaviour
- A rule matches when all present fields match — if both Pattern and Model pattern are set, both must match.
- Multiple rules can match the same switch. The most specific match wins — the rule with the longest combined Pattern + Model pattern takes precedence. For example a specific
wg-acti-en-06rule overrides a generic-en-rule for that switch. Only when several matching rules are equally specific are their interface lists combined (union). - When no rule matches, Aegis falls back to the built-in
Te*heuristic for 2960X switches. - Changes take effect within 30 seconds — no restart required.
Fo1/0/10, Te1/1/1) or
full form (FortyGigabitEthernet1/0/10) — Aegis normalizes them to the full
canonical name when you save, so both forms of the same port are stored only once.
To check the names a switch uses, run show interfaces status.
Alerts
Aegis continuously evaluates collected telemetry and generates alerts when thresholds are exceeded or operational state changes are detected. Alerts are visible on the site overview and in the Alerts tab within each site.
Alerts are classified as Critical, Warning or Info. Critical alerts affect the site health score. Alerts resolve automatically when the underlying condition clears.
When a device is itself offline, Aegis raises a single device offline alert and suppresses its dependent alerts — uplink and backbone interfaces, access points, and environmental readings. The device being unreachable is the root cause, so the downstream alerts would only be redundant noise.
To escalate alerts to an on-call tool, see SIGNL4 integration.
Cisco ACI
MetaWiFi Aegis can connect to a Cisco APIC to pull fabric health, tenant and endpoint data into the dashboard. ACI integration is optional and configured separately from standard SNMP polling.
-
Go to Admin → Integrations → ACI
Enter the APIC hostname or IP address, and the credentials for a read-only monitoring account. -
Test the connection
Use the Test connection button to verify Aegis can reach the APIC. -
Save and enable
Once the connection is confirmed, save the settings. ACI data will appear in the dashboard within a few minutes.
SIGNL4 alerting
SIGNL4 is a mobile alerting and on-call scheduling platform. Aegis can escalate alerts to SIGNL4 for mobile notification, acknowledgement tracking and escalation workflows.
-
Create a SIGNL4 team
Sign up at signl4.com and create a team. Copy your team's webhook URL from the SIGNL4 portal. -
Go to Admin → Integrations → SIGNL4
Paste the webhook URL, then set your daytime window and timezone. Which devices escalate, and when, is controlled per device with tags — see Alert escalation below. -
Test the integration
Use the Send test alert button to verify delivery to your SIGNL4 team.
For detailed control over which alerts are escalated, see Alert escalation.
Alert escalation
Aegis does not escalate every alert — it applies escalation logic before sending anything to SIGNL4. This keeps your on-call team focused on actionable incidents and prevents alert fatigue.
Severity levels
Every condition Aegis detects is classified by severity. All severities are always visible on the dashboard; only some are eligible to escalate to your on-call team via SIGNL4.
| Severity | Meaning | Can escalate to SIGNL4? |
|---|---|---|
| Critical | Service impact or device failure — requires immediate attention | Yes — while the device's tag window is active |
| Warning | Degraded state or threshold exceeded — monitor closely | Only when the tag enables daytime/custom warnings |
| Info | Informational events and state changes | No — dashboard only |
Per-device escalation & tags
Escalation to SIGNL4 is opt-in per device. A device with no tag is still fully monitored on the dashboard, but never escalates to on-call. To enable escalation, group devices with a tag (Admin → Integrations → SIGNL4 → Tags) and give the tag an alert window that decides when its Critical alerts escalate.
| Alert window | Criticals escalate | Warnings can be enabled? |
|---|---|---|
| Always | 24/7 | — |
| Daytime only | During the configured daytime window (default 08:00–17:00) | Yes — during daytime |
| Out of hours only | Outside the daytime window | — |
| Custom window | Inside a time range you define (e.g. 17:00–22:00; may span midnight) | Yes — inside the range |
| Never | Never | — |
For the Daytime only and Custom windows, a per-tag “Also escalate Warnings” toggle additionally escalates Warning-level alerts — but only while that window is active. Criticals always follow the window regardless of the toggle. A tag can also carry a team / filter keyword so different device groups reach the right SIGNL4 responders. If a Warning that was already sent later escalates to Critical, Aegis re-escalates so the incident is never understated.
Alert payload
Every alert escalated to SIGNL4 includes:
- Site — the site name where the alert originated
- Device — hostname or IP address of the affected device
- Alert type — category of the alert (e.g. CPU high, uplink down, AP offline)
- Severity — Critical, Warning or Info
- Timestamp — when the alert was first detected
- Description — human-readable explanation of what triggered the alert
Auto-resolve
When the condition that triggered an alert clears, Aegis automatically sends a resolve signal to SIGNL4. The corresponding incident in SIGNL4 is closed without manual intervention.
Maintenance suppression
Alerts from devices or sites that are in a planned maintenance window are automatically suppressed — they will not be escalated to SIGNL4 for the duration of the window. This prevents false on-call notifications during scheduled work.
Planned maintenance
Scheduled maintenance windows tell Aegis that a device or site is intentionally offline or being worked on. During a maintenance window, alerts are suppressed and the affected device or site is visually marked on the main dashboard so operators know the degraded state is expected.
Maintenance scope
| Scope | Effect |
|---|---|
| Site level | All devices within the site are put into maintenance. The site tile on the main page shows a maintenance badge. No alerts are escalated for any device in that site. |
| Device level | Only the selected device is put into maintenance. Other devices in the same site continue to alert normally. The device is marked in the site detail view. |
Scheduling a maintenance window
-
Navigate to the site or device
From the main dashboard, click a site tile to open the site detail view. To schedule maintenance for a specific device, click the device within the site. -
Open the maintenance panel
Click the Maintenance button in the site or device header. -
Set the duration
Choose a preset duration (30 min, 1 hour, 2 hours, 4 hours, 8 hours) or set a custom start and end time. Maintenance windows can span multiple days for extended work. -
Add an optional note
A short description of the planned work — visible to other operators on the dashboard. -
Confirm
The window is activated immediately or at the scheduled start time.
Main dashboard display
The main dashboard always shows the current maintenance state at a glance:
- Active maintenance — sites and devices currently in a maintenance window are shown with a maintenance badge. Their health score is greyed out and alerts are suppressed.
- Planned maintenance — upcoming windows scheduled for the next 24 hours are listed in the maintenance overview panel on the main page, so the team knows what is coming.
Ending maintenance early
If the work finishes before the window expires, maintenance can be ended manually. Navigate back to the site or device and click End maintenance. Normal polling and alert escalation resume immediately.
Updates
MetaWiFi Aegis checks for updates automatically. When a new version is available, a notification appears in the admin panel.
-
Go to Admin → Update
The current version and latest available version are shown here. -
Click Update
Aegis triggers the update process in the background. Services restart automatically once the update is complete. This typically takes 2–5 minutes. -
Verify
After the update completes the dashboard reloads and shows the new version number.
Backup & restore
Aegis stores everything locally — configuration, collected telemetry, license state and integration settings. There is no external cloud dependency. Backups are your responsibility and should be scheduled regularly.
What is stored
| Data | Contents |
|---|---|
| Configuration | Admin credentials, polling targets, SNMP settings, HTTPS certificates, integration settings |
| Telemetry | All collected metrics and time-series data — site health history, device counters, alert history |
| License | Activated license key and validation state |
| Users | Dashboard user accounts and group assignments |
Backup via the dashboard
The easiest way to back up your Aegis instance is directly from the admin panel — no SSH or command-line access required.
-
Go to Admin → Backup
This section shows the current backup status, the last successful backup timestamp, and available restore points. -
Create a backup
Click Create backup now. Aegis creates a snapshot of all configuration, user accounts, license state and integration settings. The backup is stored locally on the server and listed with a date and size. -
Download the backup
Click Download next to a backup entry to save the.tar.gzarchive to your local machine. Store it on a NAS, network share or cloud storage for offsite retention. -
Schedule automatic backups
Enable Scheduled backups under Admin → Backup → Schedule. Choose a daily or weekly interval and optionally set a retention period (e.g. keep the last 7 backups). Aegis handles the rest automatically.
Storage location (advanced)
All Aegis data is stored under a single directory on the server:
/opt/metawifi-aegis/
This applies to all deployments. Backing up this directory is sufficient for a full recovery. For scripted or infrastructure-level backups, this is the path to target.
VM snapshot (OVA deployments)
For virtual machine deployments, a hypervisor-level snapshot captures the full disk state including the OS, services and all data. This is the most complete form of backup for OVA installs.
- VMware / vSphere: right-click the VM → Snapshots → Take Snapshot. Schedule via vSphere Data Protection or your backup solution.
- Proxmox: use the Backup tab on the VM → Backup Now, or configure a scheduled backup job under Datacenter → Backup.
CLI backup
You can back up the data directory directly from the command line. Stop Aegis services first to ensure data consistency.
sudo systemctl stop metawifi sudo tar -czf aegis-backup-$(date +%Y%m%d).tar.gz /opt/metawifi-aegis sudo systemctl start metawifi
Copy the resulting .tar.gz file to a remote location (NAS, S3, SFTP, etc.).
To automate this with a cron job, add the following to sudo crontab -e:
0 2 * * * systemctl stop metawifi && tar -czf /var/backups/aegis/aegis-$(date +\%Y\%m\%d).tar.gz /opt/metawifi-aegis && systemctl start metawifi && find /var/backups/aegis -name "aegis-*.tar.gz" -mtime +7 -delete
This runs every night at 02:00, keeps the last 7 daily backups and removes older archives automatically.
Create the backup directory first: sudo mkdir -p /var/backups/aegis
Restore
To restore from a backup taken via the dashboard, go to Admin → Backup on a running Aegis instance,
click Restore and upload the .tar.gz file. Aegis will apply the backup and restart automatically.
To restore from a CLI or VM-level backup to a fresh installation:
-
Deploy a fresh Aegis instance
Deploy a fresh Aegis instance via OVA. Do not complete the setup wizard yet. -
Stop services
sudo systemctl stop metawifi
-
Restore the data directory
sudo rm -rf /opt/metawifi-aegis sudo tar -xzf aegis-backup-YYYYMMDD.tar.gz -C /
-
Start services
sudo systemctl start metawifi
The dashboard is available at the server's IP address with all data and settings restored.
Security hardening
Aegis ships with a set of security defaults that cover the most common hardening requirements, including NIS2-aligned controls for network monitoring infrastructure. This section explains what is enforced automatically and what you can configure.
HTTPS & TLS
Aegis serves its dashboard over HTTP by default. Enable HTTPS under Admin → HTTPS to terminate TLS at the built-in nginx reverse proxy.
| Setting | Where to configure | Notes |
|---|---|---|
| Enable HTTPS | Admin → HTTPS → Enable | Requires a certificate. Self-signed, uploaded, or Let's Encrypt. |
| Redirect HTTP → HTTPS | Admin → HTTPS → Redirect HTTP | Returns 301 for all plain-HTTP requests once enabled. |
| Let's Encrypt certificate | Admin → HTTPS → Let's Encrypt | Port 80 must be reachable from the internet. Auto-renewal runs via certbot. |
| Self-signed certificate | Admin → HTTPS → Self-signed | Good for internal use. Browsers will show a warning. |
| Upload your own certificate | Admin → HTTPS → Upload | Accepts PEM-encoded cert + key files. |
Strict-Transport-Security (HSTS) header with a 1-year max-age to all responses.
This instructs browsers to only connect over HTTPS going forward.
Session cookies
Aegis uses a server-side session cookie to maintain login state. The cookie security attributes adapt automatically to whether HTTPS is active.
| Attribute | Value | Effect |
|---|---|---|
HttpOnly |
Always on | Prevents JavaScript from reading the session cookie — blocks XSS-based session theft. |
SameSite=Lax |
Always on | Blocks cross-site request forgery (CSRF) on navigation requests. |
Secure |
When HTTPS is active | Set only on HTTPS connections so the cookie is never sent over plain HTTP. Aegis detects the actual request scheme at runtime — toggling HTTPS on or off via Admin takes effect immediately without a restart. |
Content Security Policy
All Aegis responses include a Content-Security-Policy header that restricts
what resources the browser is allowed to load.
| Directive | Allowed sources |
|---|---|
default-src | 'self' |
script-src | 'self' 'unsafe-inline' + jsDelivr CDN |
style-src | 'self' 'unsafe-inline' + Google Fonts + jsDelivr CDN |
connect-src | 'self' + WebSocket (ws: / wss:) |
img-src | 'self' data: blob: |
object-src | 'none' — plugins blocked entirely |
frame-ancestors | 'none' — embedding blocked (also enforced by X-Frame-Options: DENY) |
connect-src 'self' directive covers the same origin as the page.
If you see a CSP violation for an API call to http:// while the page is on
https://, this is a mixed-content issue: the request is leaving via HTTP
while the page is HTTPS. Enable HTTP → HTTPS redirect in
Admin → HTTPS to ensure all traffic uses HTTPS consistently.
Additional security headers
| Header | Value |
|---|---|
X-Frame-Options | DENY |
X-Content-Type-Options | nosniff |
Referrer-Policy | strict-origin-when-cross-origin |
Strict-Transport-Security | max-age=31536000; includeSubDomains (HTTPS only) |
Rate limiting
The login endpoint is rate-limited to 5 attempts per minute per IP address. After exceeding the limit, further login attempts are rejected with HTTP 429 until the window resets. This applies to both local and LDAP authentication.
NIS2 alignment
Aegis includes a number of controls that support NIS2 compliance for network monitoring infrastructure:
- Audit logging — all logins, configuration changes and device management actions are logged with timestamp, user, IP, action and result. Accessible under Admin → Audit.
- Role-based access control — Admin and Viewer roles limit who can change configuration versus who can only view dashboards.
- LDAP / Active Directory integration — centrally managed identities, group-based access and no local password sprawl.
- HTTPS encryption in transit — all dashboard traffic can be encrypted end-to-end with TLS.
- Encrypted configuration backups — scheduled backups can be AES-encrypted with a password before being written to the backup directory.
- Minimal exposure — no SSH inbound to Aegis required, no cloud dependency, no telemetry sent externally.