Installation and User’s Guide
Alteon Switched FirewallTM Release 3.0.2 Part Number: 212535-E, April 2003
4655 Great America Parkway, Santa Clara, CA 95054. Phone 1-800-4Nortel. www.nortelnetworks.com
Copyright © 2003 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California, 95054, USA. All rights reserved. Part Number: 212535-E. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose. U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct. 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct. 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct. 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov. 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc. Alteon, Alteon WebSystems, Alteon Switched Firewall, ASF 5308, ASF 5408, ASF 5610, ASF 5710, ASF 5722, Firewall OS, Firewall Director, ASF 5008, ASF 5010, Accelerator OS, Firewall Accelerator, ASF 5300, ASF 5400, ASF 5600, and ASF 5700 are trademarks of Nortel Networks, Inc. in the United States and certain other countries.
FireWall-1 NG is a registered trademark of Check Point Software Technologies. Any other trademarks appearing in this manual are owned by their respective companies. Portions of this manual are Copyright © 2001 Dell Computer Corporation. All Rights Reserved. Originated in the USA.
Export This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing This product includes software developed by Check Point Software Technologies (http:// www.checkpoint.com). This product also contains software developed by other parties. See Appendix D, “Software Licenses,” for more information.
Regulatory Compliance

FCC Class A Notice. The equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1) The device may not cause harmful interference, and 2) This equipment must accept any interference received, including interference that may cause undesired operation.

The equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. The equipment generates, uses and can radiate radio-frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential area is likely to cause harmful interference. In such a case, the user will be required to correct the interference at his own expense. Do not make mechanical or electrical modifications to the equipment.

Industry Canada: This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. (In French:) This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.

VCCI Class A Notice: This is a Class A product based on the standard of the Voluntary Control Council for Interference from Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur. In such a case, the user may be required to take corrective actions.

Japanese VCCI Class A Notice
Taiwan EMC Notice
CE Notice: The CE mark on this equipment indicates that this equipment meets or exceeds the following technical standards: EN55022, EN55024, EN60950, and all supporting document requirements.
Safety Information

Caution—Nortel Networks products are designed to work with single-phase power systems having a grounded neutral conductor. To reduce the risk of electric shock, do not plug Nortel Networks products into any other type of power system. Contact your facilities manager or a qualified electrician if you are not sure what type of power is supplied to your building.

Caution—Not all power cords have the same ratings. Household extension cords do not have overload protection and are not meant for use with computer systems. Do not use household extension cords with your Nortel Networks product.

Caution—Your Nortel Networks product is shipped with a grounding type (three-wire) power cord. To reduce the risk of electric shock, always plug the cord into a grounded power outlet.
Lithium Battery Cautions

Caution—This product contains a lithium battery. Batteries are not customer replaceable parts. They may explode if mishandled. Do not dispose of the battery in fire. Do not disassemble or recharge.

(Norge) ADVARSEL—Lithium battery. Risk of explosion. When replacing, use only the battery recommended by the equipment manufacturer. Return the used battery to the equipment supplier.

(Sverige) VARNING—Risk of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of the used battery according to the manufacturer’s instructions.

(Danmark) ADVARSEL! Lithium battery. Risk of explosion if handled incorrectly. Replace only with a battery of the same make and type. Return the used battery to the supplier.

(Suomi) VAROITUS—The battery may explode if installed incorrectly. Replace the battery only with the type recommended by the equipment manufacturer. Dispose of the used battery according to the manufacturer’s instructions.
Warranty Nortel Networks provides a limited warranty on all its products for a period of one year from the date of shipment. Free technical support and free replacement of hardware is provided for the first 90 days after shipment. You may choose to purchase additional service and support from Nortel Networks. Please contact your local sales representative for more information.
Contents
Preface 13
  Product Name & Platform Changes 13
  Who Should Use This Book 14
  How This Book Is Organized 14
  How to Get Help 15
  Typographic Conventions 16

Chapter 1: The Alteon Switched Firewall 17
  Feature Summary 17
  Alteon Switched Firewall Basics 18
  Network Elements 18
  Basic Operation 20
  Port Filtering 20
  Topology Specifics 21
  Security Processing 22
  Physical Description 23
  The Firewall Director 23
  The Alteon Firewall Accelerator 30

Chapter 2: Hardware Installation 33
  Required Equipment 34
  Model Compatibility 35
  Safety Precautions 35
  Rack-Mounting the Firewall Accelerator 36
  Rack-Mounting the Firewall Director 39
  Task Summary 39
  Select the Appropriate Rack-Mounting Kit 40
  Remove the Rack Doors 42
  Mark the Rack 42
  Attach the Slide Assemblies to the Rack 44
  Attach the System Chassis to the Slide Assemblies 53
  Add the Cable-Management Arm 55
  Reattach the Cabinet Doors 56
  Connecting Network Cables 57
  Basic Alteon Switched Firewall Network Topology 57
  Network Connector and Cable Specifications 59
  Port LED Indicators 62
  Automatic Selection of Redundant Connections 63
  Using the Firewall Director Cable-Management Arm 64
  Connecting Power 65
  Connecting AC Power for the Firewall Accelerator 65
  Connecting AC Power for the Firewall Director 65
  Turning Power On 67
  Turning Power Off 67
  Connecting a Console Terminal 68
  Requirements 68
  Console Connector and Cable Specifications 69
  Establishing a Connection 70

Chapter 3: Initial Setup 71
  Overview of Initial Setup Tasks 72
  Collect Basic System Information 72
  Example Network 73
  Use Setup for Basic Configuration 74
  Configure Licenses and Interfaces 78
  Install Check Point Management Tools 81
  Configure and Install Firewall Policies 89
  Task Overview 89
  Log in to the Policy Editor 89
  Define the Alteon Switched Firewall Object 90
  Establish Secure Internal Communications 92
  Using Central Licensing 94
  Create and Install Firewall Policies 95

Chapter 4: System Management Basics 97
  Management Tools 97
  Users and Passwords 98
  The Single System Image 99

Chapter 5: The Command Line Interface 101
  Accessing the Command Line Interface 102
  Using the Local Serial Port 102
  Defining the Remote Access List 102
  Using Telnet 104
  Using Secure Shell 106
  Using the Command Line Interface 109
  Basic Operation 109
  The Main Menu 110
  Idle Time-out 110
  Multiple Administration Sessions 110
  Global Commands 111
  Command Line History and Editing 113
  Command Line Shortcuts 114

Chapter 6: The Browser-Based Interface 115
  Features 115
  Getting Started 115
  Requirements 115
  Enabling the Browser-Based Interface 116
  Setting Up the Web-Browser 117
  Starting the Browser-Based Interface 118
  Basics of the Browser-Based Interface 120
  Interface Components 120
  Basic Operation 121
  BBI Forms Reference 122
  Global Command Forms 122
  The Monitor Forms 128
  The Cluster Forms 132
  The Network Forms 140
  The Firewall Forms 162
  The Operations Forms 167
  The Administration Forms 168
  The Diagnostics Forms 180

Chapter 7: Command Reference 183
  Main Menu 183
  Information Menu 187
  Network Display Menu 190
  Configuration Menu 194
  System Menu 197
  SFD IP and Firewall License Menu 233
  Accelerator Configuration Menu 235
  Network Configuration Menu 241
  Firewall Configuration Menu 307
  Miscellaneous Settings Menu 310
  Boot Menu 311
  Software Management Menu 313
  The Maintenance Menu 315
  Diagnostics Tools Menu 316
  Debug Information Menu 317
  Tech Support Dump Menu 323
  SFA Flow Control Configuration Menu 324

Chapter 8: Expanding the Cluster 325
  Adding a Second Firewall Accelerator 326
  Requirements 327
  Installing the New Firewall Accelerator 327
  Configuring the New Firewall Accelerator 329
  Adding Firewall Directors 331
  Requirements 331
  Installing the New Firewall Director 332
  Configuring the New Firewall Director 333
  Manually Adding a Firewall Director 338
  Synchronizing Firewall Directors 340
  Changing the Firewall Accelerator Ports 343
  Configuring the Inter-Accelerator Port 343
  Configuring the Firewall Director Uplink Ports 344
  Configuring the Network Ports 344

Chapter 9: Upgrading the Software 345
  Upgrading to Version 3.0 345
  Upgrading Version 3.0 to a Higher Version 349
  Overview of Upgrade Tasks 349
  Compatibility 349
  Types of Upgrade 350
  Installing a Minor/Major Release Upgrade 351
  Activating the Software Upgrade Package 353
  Reinstalling the Software 355

Chapter 10: Routing Information Protocol 357
  Distance Vector Protocol 357
  Stability 357
  RIP and ASF 358
  Routing Updates 358
  Configuring for Route Redistribution 359

Chapter 11: Open Shortest Path First 363
  OSPF Overview 363
  Types of OSPF Areas 364
  Types of OSPF Routing Devices 365
  Neighbors and Adjacencies 365
  The Link-State Database 366
  The Shortest Path First Tree 366
  Authentication 367
  Internal Versus External Routing 367
  Alteon Switched Firewall OSPF Implementation 368
  Configurable Parameters 368
  Defining Areas 369
  Interface Cost 371
  Electing the Designated Router and Backup 371
  Summarizing Routes 371
  Virtual Links 372
  Router ID 372
  Authentication 373
  OSPF Features Not Supported in This Release 374
  OSPF Configuration Examples 374
  Example 1: Simple OSPF Domain 375
  Example 2: Virtual Links 376
  Example 3: Summarizing Routes 380
  Example 4: Redistributing Routes 382
  Verifying OSPF Support 384

Appendix A: Event Logging API 385
  Configure the Check Point Management Server 385
  Configure the Firewall Directors 390
  The Check Point Log Viewer 392

Appendix B: Common Tasks 393
  Managing Check Point Central Licenses 393
  Installing Central Licenses with Secure Update 393
  Deleting or Reinstalling Central Licenses 394
  Mounting a Floppy Disk on the Firewall Director 394
  Mounting a CD-ROM on the Firewall Director 395
  Manually Upgrading the Firewall Accelerator 396
  Tuning Check Point NG Performance 397
  Increasing Connections 397
  Increasing NAT Connections 400
  Partially Accelerated Connections 401
  Reading System Memory Information 402
  Verifying VNIC Configuration 402
  Recovering from a Lock-Out 403

Appendix C: Troubleshooting 405
  Firewall Director Cannot Locate the Firewall Accelerator 405
  Configuration Did Not Update 406
  Failed to Establish Trust between Management Station and Firewall Director 407
  Cannot Check Communication or Download Policy on Firewall Director 409
  Low Performance with Other Devices 409
  Cannot Log in to EMC Station from Management Client 410
  Check Point Sends Connection Failed Messages to Firewall Director 410
  Low Performance Under Heavy Traffic 410

Appendix D: Software Licenses 411
  Apache Software License 411
  mod_ssl License 412
  OpenSSL and SSLeay Licenses 413
  OpenSSL License 413
  Original SSLeay License 414
  PHP License 415
  SMTPclient License 416
  GNU General Public License 417

Appendix E: Specifications 423
  Alteon Firewall Accelerator Specifications 423
  Physical Characteristics 423
  Power Requirements 423
  Supported Standards 423
  Port Specifications 424
  Environmental Specifications 424
  Certifications 424
  Alteon Firewall Director Specifications 425
  Physical Characteristics 425
  Power Requirements 425
  Environmental Specifications 425
  Port Specifications 426
  Certifications 426

Index 427
Preface
This Installation and User’s Guide describes the Alteon Switched Firewall system with version 3.0.2 software (and higher). This guide introduces the components and features of the system and explains how to perform installation, configuration and maintenance.
Product Name & Platform Changes
The Alteon Switched Firewall has been updated for integration into Nortel Networks’ larger vision for network security products. The update includes changes to all the hardware model names, as well as migration to a new hardware platform for the Firewall Director.
Although this manual uses the new product names and hardware descriptions, the Alteon Switched Firewall version 3.0.2 software is compatible with any legacy Alteon “SFA” and “SFD” products you may currently use.
The following table describes the new model naming convention used in this manual:
Table 1 Alteon Switched Firewall Product Names

Component             | New Name | Old Name
----------------------|----------|---------
Firewall Accelerators | ASF 5700 | 185-SFA
                      | ASF 5600 | 184-SFA
                      | ASF 5400 | AD4-SFA
                      | ASF 5300 | AD3-SFA
Firewall Directors    | ASF 5010 | SFD-310
                      | ASF 5008 | SFD-308
Who Should Use This Book
This Installation and User’s Guide is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.
How This Book Is Organized
The chapters in this book are organized as follows:
Chapter 1, “The Alteon Switched Firewall,” provides an overview of the major features of the Alteon Switched Firewall, including the physical layout of its components and the basic concepts behind their operation.
Chapter 2, “Hardware Installation,” describes how to mount the components of the Alteon Switched Firewall, connect network cables, and attach power.
Chapter 3, “Initial Setup,” describes how to perform start-up configuration on the Alteon Switched Firewall.
Chapter 4, “System Management Basics,” describes the various tools used for managing the system, and explains basic management concepts.
Chapter 5, “The Command Line Interface,” describes how to access and use the text-based management interface for collecting system information and performing configuration.
Chapter 6, “The Browser-Based Interface,” describes how to enable, access, and use the built-in graphical user interface for managing the system with your Web browser.
Chapter 7, “Command Reference,” explains the menus, commands, and parameters of the text-based management interface.
Chapter 8, “Expanding the Cluster,” describes how to add components to the cluster for high-availability, increased processing capacity, and stateful failover.
Chapter 9, “Upgrading the Software,” describes how to upgrade or reinstall the Alteon Switched Firewall system component software.
Chapter 10, “Routing Information Protocol,” describes how to configure the Alteon Switched Firewall for RIP routing.
Chapter 11, “Open Shortest Path First,” describes how to configure the Alteon Switched Firewall for OSPF routing.
Appendix A, “Event Logging API,” describes how to view Alteon Switched Firewall log messages with your Check Point Log Viewer.
Appendix B, “Common Tasks,” describes routine management functions.
Appendix C, “Troubleshooting,” provides suggestions for troubleshooting basic problems.
Appendix D, “Software Licenses,” provides licensing information for the software used in this product.
Appendix E, “Specifications,” describes the physical characteristics of the Alteon Switched Firewall components.
How to Get Help
If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:
Technical Solutions Center       | Telephone
---------------------------------|-------------------------------------------
Europe, Middle East, and Africa  | 00800 8008 9009 or +44 (0) 870 907 9009
North America                    | (800) 4NORTEL or (800) 466-7835
Asia Pacific                     | (61) (2) 8870-8800
China                            | (800) 810-5000
Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL:
http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:
http://www.nortelnetworks.com/help/contact/erc/index.html
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 2 Typographic Conventions

Typeface or Symbol      | Meaning                                                                                                                     | Example
------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------
AaBbCc123               | This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts. | View the readme.txt file. / Main#
AaBbCc123 (bold)        | This bold type appears in command examples. It shows text that must be typed in exactly as shown.                           | Main# sys
AaBbCc123 (emphasized)  | This also shows book titles, special terms, or words to be emphasized.                                                      | Read your User’s Guide thoroughly.
[ ]                     | Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets. | host# ls [-a]
CHAPTER 1
The Alteon Switched Firewall
The Alteon Switched Firewall is a high-performance firewall system for network security. The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability.
Feature Summary
The Alteon Switched Firewall has the following features:
• Supports Check Point FireWall-1 NG software Feature Pack 2 (FP-2). This document is based on FP-2. If you are using other versions of the NG release, refer to the Check Point FireWall-1 documentation.
• Supports the Open Shortest Path First (OSPF) routing protocol—This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583, and route redistribution is also supported.
• Supports the Routing Information Protocol (RIP) versions 1 and 2 with route redistribution.
• Uses hardware acceleration for dramatically increased performance.
• Provides dynamic scalability—Additional processing power can be added to the cluster without disrupting the firewall traffic.
• Provides dynamic Plug N Play—Added components can be automatically configured and brought into service.
• Provides a Single System Image (SSI)—all components in a given Alteon Switched Firewall cluster are configured together as a single system.
• Supports SNMP version 2c and 3 event and alarm traps.
Alteon Switched Firewall Basics
Network Elements

A basic network utilizing the Alteon Switched Firewall appears as follows:
[Figure 1-1 Alteon Switched Firewall Network Elements: diagram showing the Alteon Switched Firewall (Firewall Director and Firewall Accelerator) placed between the trusted network, the DMZ servers, and the untrusted networks (the Internet and an untrusted client), with the Alteon local console, the Alteon remote console, and the Check Point Management Console and Policy Editor attached.]
The Networks

• Trusted Networks
  These represent internal network resources that must be protected from unauthorized access. Trusted networks usually provide internal services such as a company’s intranet, as well as valued applications made available to external clients, such as public e-commerce Web sites.
• Semi-trusted Networks
  To increase security, services intended primarily for external clients are often placed on a separate network so that a hostile intrusion would not affect the company’s internal networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ).
• Untrusted Networks
  These are the external networks that are presumed to be potentially hostile, such as the Internet.
The Firewall

• Alteon Switched Firewall
  The Alteon Switched Firewall is placed in the path between your various trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator. The Alteon Switched Firewall consists of multiple Firewall Director and Firewall Accelerator components that are clustered together to act as a single system.
• Firewall Director
  The Firewall Director is a compact, high-performance computing device running Firewall OS software. It uses built-in Check Point FireWall-1 NG software to inspect network traffic and enforce firewall policies. For increased firewall processing power, additional Firewall Directors can be attached to the cluster.
• Firewall Accelerator
  The Firewall Accelerator is an Alteon switch running Accelerator OS software. It offloads the processing of secured traffic from the Firewall Director, enhancing firewall performance. For high-availability configurations, a second Firewall Accelerator and Firewall Director can be attached to the cluster.
The Management Interfaces

• Alteon Local Console
  A local console is used for entering basic network information during initial configuration. Once the system is configured, the local console can be used to access the text-based Command Line Interface (CLI) for collecting system information and performing additional configuration. The Alteon console is not used to manage or install firewall policies.
• Alteon Remote Console
  For a list of trusted users, the administrator can separately allow or deny Telnet or Secure Shell (SSH) access to the Alteon CLI, and HTTP or SSL access to the Alteon Browser-Based Interface. Remote access features can be used for collecting system information and performing additional configuration, but not to manage or install firewall policies.
• Check Point Enterprise Management Console (EMC)
  The EMC holds the master policy database for all the firewalls in your network. Its job is to establish Secure Internal Communications (SIC) with each valid firewall and load each firewall with the appropriate security policies.
• Check Point Management Clients
  Check Point management client software, such as the Policy Editor, can be installed on one or more administrator workstations on your network. This software usually provides a graphical user interface for creating, modifying, and monitoring firewall policies. For security, management clients do not interact directly with the firewalls. Instead, any policy changes made in a management client are forwarded to the EMC, which then loads them onto the firewalls. For convenience, a management client can be installed on the EMC.
Basic Operation

Traditional firewall solutions involve running firewall software on a workstation or server with a general-purpose Operating System (OS). Such general-purpose OS solutions have security holes, and software firewall solutions running on them perform poorly. The Alteon Switched Firewall was created to solve these problems.
The Alteon Switched Firewall is a combination of dedicated hardware and software (hardened OS, security applications, and networking technology). It addresses the needs for security, performance and ease of use.
To enhance versatility, the Alteon Switched Firewall is a multi-component solution. Hardware is a combination of Alteon Firewall Accelerators and Alteon Firewall Directors. The software is a combination of Alteon Accelerator OS software and the FireWall-1 NG software from Check Point. By using the throughput of a Gigabit switch controlled by the Check Point inspection engine, the speed of the firewall is dramatically increased. If you need more connections per second, additional Firewall Directors can be added.
Port Filtering

The Firewall Accelerator features wire speed packet filters that allow or deny traffic based on a variety of address and protocol characteristics. These port filters screen packets before they reach the firewall inspection engine. The logging information for these filters can be passed to the Check Point ELA log and can be viewed with the Check Point log viewer.
By using Alteon port filters, security and speed can be enhanced dramatically.
Topology Specifics

The classic software firewall model can become a security speed bump. Typically, data enters from one network card, passes through a policy inspection engine, and is deposited on another network card. When relying on the single processing path such systems offer, there are major limitations on speed and expandability.
The Alteon Switched Firewall solution flattens the security speed bump and boosts the speed of data.
[Figure 1-2 Classic Firewall versus the Alteon Switched Firewall: the classic firewall scenario shows clients and a server cluster connected through a switch, a single firewall, and a router to the Internet; the Alteon Switched Firewall solution shows the Firewall Accelerator providing firewall acceleration and load-balanced firewall traffic control across several Firewall Directors between the trusted and untrusted networks.]
Check Point FireWall-1 NG is a stateful inspection firewall. The Alteon Switched Firewall performs policy checking for every new connection request, manages the connection table, and specifies the rules for handling the subsequent packets in a session. Once a session is active, policy checking for packets is handled by the Firewall Accelerator.
Each port of a Firewall Accelerator has its own ASIC composed of two RISC processors and its own memory. These ports are connected to a high-capacity, multi-Gigabit backplane. The Firewall Accelerator performs parallel processing on data flowing through any port. All 18 processors work together regardless of the port through which the data entered the Firewall Accelerator.
Security Processing

The Firewall Director connection table is mirrored by the Firewall Accelerator. This is accomplished through the Nortel Networks patent pending Nortel Appliance Acceleration Protocol (NAAP).
After the Firewall Director inspection engine accepts the setup packets in a session, subsequent packets belonging to the session are inspected and forwarded by the Firewall Accelerator without the involvement of the Firewall Director. This solution achieves a tremendous improvement in firewall performance because approximately 90% of the data can be accelerated at wire speed.
Traditionally, a stateful inspection firewall would either interrogate every packet or run in a cut through mode or fast mode, which would inspect the first packet and then, once the packet is accepted, allow all further packets without investigation until the session ends. By using a high speed switch as a hardware accelerator, this inspection can be done at Gigabit speeds without compromising security.
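The following Python model, added here and not taken from the Nortel manual or from the product software, simulates the division of labour described in the Port Filtering and Security Processing sections: the accelerator applies its port filters first, forwards packets of sessions already in its mirrored table without consulting the director, and punts only session-opening packets to the director's policy check. The class names, the rule base, the deny filter and the packet trace are constructed for illustration; NAAP itself is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # True only for the TCP packet that opens a session


def session_key(pkt):
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_key(pkt):
    # The same session as seen from the other direction (server replies).
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class Director:
    """Policy inspection engine. It sees only the packets the accelerator punts to it."""

    def __init__(self, rules):
        # rules: (source network, proto, destination port, action); first match wins
        self.rules = [(ip_network(net), proto, dport, action)
                      for net, proto, dport, action in rules]

    def inspect(self, pkt):
        # Stateful behaviour: a TCP packet that does not open a session and has
        # no session entry is dropped before the rule base is consulted.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        for net, proto, dport, action in self.rules:
            if ip_address(pkt.src) in net and pkt.proto == proto and pkt.dport == dport:
                return action
        return "drop"  # implicit final drop


class Accelerator:
    """Switch-side pipeline: port filters, then the mirrored session table, then punt."""

    def __init__(self, deny_filters, director):
        # deny_filters: (source network, proto, destination port) screened before inspection
        self.deny_filters = [(ip_network(net), proto, dport)
                             for net, proto, dport in deny_filters]
        self.director = director
        self.sessions = set()  # mirror of the director's accepted connection table
        self.stats = {"filtered": 0, "accelerated": 0, "inspected": 0, "dropped": 0}

    def port_filter_denies(self, pkt):
        return any(ip_address(pkt.src) in net and pkt.proto == proto and pkt.dport == dport
                   for net, proto, dport in self.deny_filters)

    def handle(self, pkt):
        if self.port_filter_denies(pkt):        # stage 1: wire-speed port filter
            self.stats["filtered"] += 1
            return "drop"
        if session_key(pkt) in self.sessions:   # stage 2: known session, director not involved
            self.stats["accelerated"] += 1
            return "forward"
        verdict = self.director.inspect(pkt)    # stage 3: new session, policy check
        if verdict == "accept":
            # Mirror the accepted session in both directions so replies are accelerated too.
            self.sessions.add(session_key(pkt))
            self.sessions.add(reverse_key(pkt))
            self.stats["inspected"] += 1
            return "forward"
        self.stats["dropped"] += 1
        return "drop"


def demo():
    """Constructed trace: one accepted web session, one port-filtered telnet attempt,
    and one stray mid-stream packet with no session. Addresses are documentation ranges."""
    director = Director([("0.0.0.0/0", "tcp", 80, "accept")])
    accel = Accelerator([("0.0.0.0/0", "tcp", 23)], director)
    client, dmz_web = "203.0.113.5", "192.0.2.10"
    trace = [Packet(client, dmz_web, "tcp", 40001, 80, syn=True)]
    trace += [Packet(client, dmz_web, "tcp", 40001, 80) for _ in range(5)]
    trace.append(Packet(dmz_web, client, "tcp", 80, 40001))           # server reply
    trace.append(Packet(client, dmz_web, "tcp", 40002, 23, syn=True))  # telnet, port-filtered
    trace.append(Packet("203.0.113.9", dmz_web, "tcp", 40003, 443))   # no SYN, no session
    verdicts = [accel.handle(p) for p in trace]
    return accel.stats, verdicts


if __name__ == "__main__":
    stats, verdicts = demo()
    share = 100 * stats["accelerated"] / sum(stats.values())
    print(stats, "accelerated share: %.0f%%" % share)
```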
Physical Description
The Alteon Switched Firewall system is comprised of the following components: one Alteon Firewall Director, and one Alteon Firewall Accelerator. Additional Firewall Directors and Firewall Accelerators can be used for high-availability configurations.
The Firewall Director

This section describes the ASF 5010 and ASF 5008 Firewall Directors.

Features
• 1U height, rack-mountable chassis
• Serial port (DTE) at the back panel for system configuration and diagnostics
• FTP download to integrated hard disk for software upgrades
• The ASF 5010 features a gigabit fiber-optic uplink port for connection to the Firewall Accelerator
Front Panel Without Bezel

The Firewall Director is shipped with the front bezel detached. This protects the bezel during installation and allows access to the system’s CD-ROM and other internal elements.
Figure 1-3 Front Panel of the Firewall Director with Bezel Removed
1. Cover screws The captive screws secure the chassis cover.
2. Bezel retainer slots These slots accept the bezel retainer tabs, used for attaching the front bezel to the chassis.
3. Bezel status connector This connector interfaces with the front bezel to provide status indicators when the bezel is attached.
4. Power button This button controls the AC power input to the system’s power supply. This button lights green when the power supply is turned on.
5. LED indicators
Table 1-1 Firewall Director Front Panel LEDs
System status indicator: When the system is reset, the LED is off. When the system is running, this LED displays solid blue. If the Chassis Identify function is selected, the LED flashes. There is a duplicate system attention indicator on the back panel. The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives. If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.
Network Interface 1, 2 indicators: These indicators are for the 10/100 Mbps ports on the back of the system. These LEDs are solid green when a link is detected. They flicker off when network activity is detected. Note: If A/C power is connected to the power supply, these LEDs function when the system is off.
Hard-disk drive activity indicator: This LED blinks when activity is detected on the hard-disk drive.
6. System door release This button releases the door to the system power bay on the top of the chassis.
CAUTION—The system power bay contains high voltages. Do not open the power bay or touch the internal or external connectors on the power supplies. Only trained service technicians are authorized to open the system door or remove the system cover.
7. Hard drive
8. CD-ROM drive The disk eject button is located in the center of the drive panel.
9. Floppy disk drive The disk eject button is a metal tab located at the top, right of the drive.
10. PS/2 connector The PS/2 connector can be attached to a keyboard and mouse using a PS/2 Y-cable. When used with a monitor attached to the video connector, this provides a local console for system configuration and diagnostics.
NOTE – Mouse input is ignored for console operation.
11. Unit identification button This button is used to help locate a particular unit within a large rack array. When an identification button is pressed, the blue system status indicator on the front and back of the unit flashes until the identification button is pressed again.
12. Video connector The video connector can be attached to a monitor as part of a local console terminal for system configuration and diagnostics.
13. Items not presently supported:
• Universal Serial Bus (USB) connector
Front Panel Bezel
Figure 1-4 Front Bezel of the Firewall Director (callouts 1 through 4 are described below)
1. Bezel retainer tabs (on sides) These tabs are used to attach the bezel to the chassis.
2. Bezel lock This is used to secure the bezel. When the lock slot is in horizontal position, the bezel cannot be removed. When in the vertical position, the bezel may be removed, providing access to the hard drive, CD-ROM, and other internal elements.
3. System status indicator When the system is running, this indicator displays solid blue. If the Chassis Identify function is selected, the indicator flashes. There is a duplicate indicator on the back-panel.
4. System attention indicator The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives.
If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.
Attaching the Bezel
Leave the bezel off until the system is fully installed. Thereafter, the front bezel should remain attached except when accessing the system’s CD-ROM drive and other internal elements (see “Front Panel Without Bezel” on page 23).
1. Make sure that the bezel lock is in the unlocked (vertical) position.
2. Align the right side of the bezel first. Fit the tab on the rear right of the bezel into the rightmost retainer slot on the chassis.
3. Align the left side of the bezel. Make sure that the tab on the rear left of the bezel aligns with the leftmost retainer slot on the chassis. Gently push the tab inward (it flexes slightly) and press the bezel into place.
4. If desired, use the bezel lock to secure the bezel.
Removing the Bezel
The front bezel can be removed to access the system’s CD-ROM drive and other internal elements (see “Front Panel Without Bezel” on page 23).
1. Make sure that the bezel lock is in the unlocked (vertical) position.
2. Hold the bezel firmly so that it doesn’t fall away.
3. Free the left side of the bezel first. Push the leftmost bezel tab inward (it flexes slightly). When pressed far enough, the bezel tab will be released from the retainer slot on the chassis. Pull the left side of the bezel forward. The bezel will come free from the chassis. Store the front bezel in a safe place while not in use and reattach it when finished with the system’s CD-ROM or other internal elements.
Rear Panel
Figure 1-5 Rear Panel of the Firewall Director (callouts 1a, 1b and 2 through 10 are described below)
1. Dedicated uplink to the Alteon Firewall Accelerator
• ASF 5010: Uses gigabit fiber optic SC connector (1a). Not available on the ASF 5008.
• ASF 5008: Uses 10/100 Mbps port 1 (1b)
See “Port LED Indicators” on page 62 for conditions indicated by the port LEDs.
2. Expansion slot
3. Synchronization network connector On the 1650 Firewall Director (Figure 1-5), 10/100/1000 Mbps port 2 is used for synchronizing sessions among multiple Firewall Directors to provide stateful failover. On the 1550 Firewall Director, 10/100 Mbps port 2 is used to provide stateful failover. See “Port LED Indicators” on page 62 for an explanation of conditions indicated by the port LEDs.
4. AC power receptacle
NOTE – The Firewall Director is equipped with one power supply on outlet 1. The secondary power supply on outlet 2 is presently not supported.
5. System status indicator LED When the system is reset, the LED is off. When the system is running, this LED displays solid blue. If the system stops or if the unit identification button is pressed, the LED flashes.
The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives.
If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.
6. Unit identification button This button is used to help locate a particular unit within a large rack array. When an identification button is pressed, the blue system status indicator on the front and back of the unit flashes until the identification button is pressed again.
7. System status connector
8. Keyboard connector The keyboard connector can be attached to a keyboard. When used with a monitor attached to the video connector, this provides a local console for system configuration and diagnostics.
9. Video connector The video connector can be attached to a monitor as part of a local console terminal for system configuration and diagnostics.
10. Serial port Connects a local console terminal for system configuration and diagnostics.
11. Items not presently supported:
• SCSI connector
• Server management port
• Universal Serial Bus (USB) connectors
• Mouse connector
The Alteon Firewall Accelerator
This section describes the ASF 5700, ASF 5600, ASF 5400, and ASF 5300 Firewall Accelerators.
Features
• Balances sessions among clustered Firewall Directors
• Offloads secured traffic to accelerate firewall throughput
• The ASF 5700 and ASF 5600 Firewall Accelerators feature dual-media network ports for 10/100 Mbps Fast Ethernet segments and Gigabit Ethernet fiber-optic segments.
• The ASF 5700 Firewall Accelerator features extended session handling capacity
Front Panel
Figure 1-6 Front Panel of the ASF 5700 and ASF 5600 Firewall Accelerators (ports 1 through 9 with Data, Link and Active LEDs; callouts 1 through 6 are described below)
Figure 1-7 Front Panel of the ASF 5400 and ASF 5300 Firewall Accelerators (ports 1 through 9 with Data, Link and Active LEDs; callouts 1 through 6 are described below)
The front panel of the Firewall Accelerator has the following features:
1. Port 1 through Port 5 are reserved for networks By default, these ports are used for connecting trusted, untrusted and semi-trusted networks to the Alteon Switched Firewall.
2. Port 6 through Port 8 are reserved for connecting Firewall Directors By default, these ports are used for connecting Firewall Directors to the Firewall Accelerator.
3. Port 9 is reserved for connecting redundant Firewall Accelerators By default, this port is used to interconnect two Firewall Accelerators in a high-availability configuration.
NOTE – The arrangement of ports varies by model. On all models, the RJ-45 jacks are for connecting 10/100 Mbps Ethernet (10Base-T or 100Base-TX) copper segments and the SC jacks are for connecting Gigabit Ethernet (1000Base-SX) fiber optic segments. Some models have dual physical connectors on some or all ports. See “Connecting Network Cables” on page 57 for specific port and cable information.
4. Port LED indicators See “Port LED Indicators” on page 62 for an explanation of conditions indicated by the port LEDs.
5. Power LED This green LED lights to indicate that the Firewall Accelerator is on and receiving power.
6. Serial port This is a female DB-9 serial connector labeled “Console” for the console (DCE) connector. This port is used only for diagnostic and recovery functions as directed by Nortel Networks technical support.
Rear Panel
Figure 1-8 Rear Panel of the Firewall Accelerator (callouts 1 through 4 are described below)
The rear panel of the Firewall Accelerator has the following components:
1. AC power receptacle
2. Fuse housing
3. Power switch
4. Fan exhaust
32 n Chapter 1: The Alteon Switched Firewall 212535-E, April 2003 CHAPTER 2 Hardware Installation
This chapter provides step-by-step instructions for physically installing the Alteon Switched Firewall components. It is assumed that the other components of your network (routers, servers, hubs, and so on) have already been physically installed.
Physical installation of the Alteon Switched Firewall involves the following tasks:
• Collect the required equipment (see page 34)
• Make sure that the components are compatible (see page 35)
• Understand and follow all safety precautions (see page 35)
• Rack-mount the Firewall Accelerator (see page 36)
• Rack-mount the Firewall Director (see page 39)
• Connect the required network cables (see page 57)
• Connect the power cords and power on the devices (see page 65)
• Connect a console terminal to the Firewall Director serial port (see page 68)
Each of these tasks is detailed in the following sections of this chapter. Required software setup is covered in Chapter 3.
NOTE – The instructions in this chapter are for installing the minimum system: one Firewall Director and one Firewall Accelerator. For configurations with multiple Firewall Directors or Firewall Accelerators, first install the minimum system as described in this chapter, then perform initial setup as described in Chapter 3. Once the minimum system is fully configured, add the extra components as described in Chapter 8.
Required Equipment
The Alteon Switched Firewall system requires the following minimum components:
• One standard 19-inch open or closed rack to mount the system (see page 36 and page 39), with 2-1/2 U of mounting space in:
  - A standard 19-inch open-frame relay rack with two 3-inch or 6-inch posts, or
  - A standard 19-inch enclosed four-post cabinet
• One Alteon Firewall Accelerator (see Table 2-1 on page 35 for system compatibility). Each Firewall Accelerator is shipped separately and includes the following items, which may be required during installation:
  - A/C power cord
  - Rack mounting kit
• One Alteon Firewall Director (see Table 2-1 on page 35 for system compatibility). Each Firewall Director is shipped separately and includes the following items, which may be required during installation:
  - A/C power cord (the unit is shipped with one U.S. standard and one EU standard power cord; country-specific power cords are available separately)
  - Console cable
  - One two-post open rack installation kit for flush mounting or center mounting
  - One four-post rack installation kit for cabinet mounting
• You need the following tools and supplies to install the components:
  - #2 Phillips screwdriver
  - 11/32-inch wrench or nut driver (if changing the Firewall Director bracket to the flush-mount configuration)
  - Straight edge
  - Masking tape or felt-tip pen to mark the rack mounting position
Model Compatibility
Use compatible Alteon Switched Firewall components to achieve the desired performance:
Table 2-1 Firewall Component Compatibility
System Name   Performance                  Firewall Accelerator   Firewall Director
ASF 5710      Extended Capacity Gigabit    ASF 5700               ASF 5010
ASF 5610      High Capacity Gigabit        ASF 5600               ASF 5010
ASF 5408      Mid-Capacity                 ASF 5400               ASF 5008
ASF 5308      Economy                      ASF 5300               ASF 5008
Safety Precautions
Always observe the precautions in the manuals for this and all other equipment you are installing.
Assembly
CAUTION—The two-post open-frame relay rack must be properly secured and stabilized according to the rack manufacturer or industry specifications before installing the components. The four-post cabinet rack must meet the relevant ANSI/EIA-310-D-92, IEC 297, or DIN 41494 specifications. Use extreme caution when moving a rack cabinet. Rack cabinets can be extremely heavy and yet move easily on their casters and have no brakes. Retract the leveling feet when moving the rack cabinet. Avoid long or steep inclines or ramps where loss of cabinet control may occur. When the cabinet is positioned, extend the leveling feet for support and to prevent the cabinet from rolling.
Use the rack-mount kits only with the components for which they were designed. Using kits from other systems may result in damage to the components and personal injury to yourself and others. Do not place or rack-mount the equipment in any way which exceeds the maximum weight-bearing capacity of the surface or rack, or cause potentially hazardous uneven mechanical loading. If using components with extendable trays or slide mechanisms, do not extend more than one component at any given time. Do not climb on the rack or step or stand on any component in the rack.
To avoid pinching your fingers or hands, use caution when pressing component rail release latches and when sliding components into or out of the rack.
Power
CAUTION—Make sure the device is properly grounded electrically and that power connections are safe, particularly when using power strips. Avoid overloading your electrical supply circuits. Electrical ratings are printed on all your equipment. Be sure that your supply circuits and wiring can support the rated power draw of whatever equipment is used. The total branch load should not exceed 80% of the circuit rating.
Temperature
CAUTION—For proper air circulation, the air vents on the devices should not be blocked or obstructed by cables, panels, or other materials. The ambient temperature around operating equipment must not exceed 40°C. When installing the devices in a closed or multi-unit rack assembly, please consider that the operating ambient temperature of the equipment may be higher than the ambient temperature of the room. Take appropriate steps to ensure that the devices do not overheat.
Rack-Mounting the Firewall Accelerator
The following procedure is for installing the Firewall Accelerator in a standard 19-inch open-frame relay rack with two 3-inch or 6-inch posts. Using the same equipment, the Firewall Accelerator can be flush-mounted (with the faceplate positioned flush with the rack posts) or forward-mounted (with the faceplate approximately 5 cm or 2 inches in front of the rack posts).
NOTE – Do not use the included rubber feet for a rack installation.
1. Unpack the Firewall Accelerator from its shipping box.
2. Turn the power switch to the OFF (O) position.
3. Connect the two mounting brackets to the Firewall Accelerator using the supplied screws as shown in Figure 2-1.
Figure 2-1 Position the Firewall Accelerator Rack-Mount Brackets (panels: Flush-mount, Forward-mount; labels: Flange facing front, Flange facing back)
4. Install the Firewall Accelerator as shown using the appropriate screws for your rack-mount system (four 10-32, 12-24, M5X.8-6H, or M6X1-6H type screws) as shown in Figure 2-2.
Figure 2-2 Rack-Mounted Firewall Accelerator (callouts 1 through 9)
Rack-Mounting the Firewall Director
This Firewall Director can be mounted in a number of configurations:
• Standard 19-inch two-post open-frame relay rack
  - Flush-mount
  - Center-mount
• Standard 19-inch four-post enclosed rack
  - The RapidRails™ rack kit can be installed in all the system manufacturer’s four-post rack cabinets without tools
  - The VersaRails™ rack kit can be installed in most industry-standard four-post rack cabinets
The installation instructions for each configuration are covered in the following procedures.
Task Summary
Mounting the Firewall Director involves the following tasks (covered in detail in the following sections):
1. Selecting the appropriate rack-mounting kit
2. Removing the rack doors (for enclosed racks only)
3. Marking the rack
4. Attaching the slide assemblies to the rack
5. Attaching the system chassis to the slide assemblies
6. Adding the cable-management arm and routing the cables
7. Reattaching the rack doors (for enclosed racks only)
Select the Appropriate Rack-Mounting Kit
CAUTION—Use only the rack kit intended for the component being installed. Using the rack kit from or for another system may result in damage to the system and personal injury to yourself and others.
The Two-Post Open-Frame Rack-Mounting Kit
Figure 2-3 Two-Post Rack-Mounting Kit Components (callouts: slide assemblies, stiffening bracket, cable-management arm, 12-24 x 0.5-inch pan-head Phillips screws, stop blocks, status-indicator cable)
The two-post open-frame relay rack installation kit is intended for a standard 3-inch or 6-inch open-frame rack. The kit incorporates slide assemblies which enable the system to be pulled out of the rack for servicing. Both universal spacing and wide spacing post holes are accommodated. The kit contains all the parts for center-mount or flush-mount installation:
• Slide assemblies, one pair (2)
• Stiffening bracket (1)
• Cable-management arm (1)
• Status-indicator cable assembly (1)
• Stop blocks (2)
• 12-24 x 0.5-inch pan-head Phillips screws (10)
• Releasable tie wraps (not shown)
The Four-Post Cabinet Rack-Mounting Kits
There are two sets of rails for four-post cabinet rack-mounting kits: one for the RapidRails system and one for VersaRails:
Figure 2-4 Four-Post Rack-Mounting Kit Components (callouts: RapidRails slide assembly; VersaRails slide assembly; 12-24 x 0.5-inch flange-head Phillips screws (VersaRails only); common to both systems: cable-management arm, stop block, status-indicator cable)
• RapidRails slide assemblies, one pair (2)
• VersaRails slide assemblies, one pair (2)
• 10-32 x 0.5-inch flange-head Phillips screws (10) (for VersaRails only)
• Cable-management arm (1)
• Stop block (1)
• Status-indicator cable assembly (1)
• Releasable tie wraps (not shown)
Remove the Rack Doors
If installing the system in a four-post cabinet rack, remove the cabinet doors using the procedures in the documentation provided with your rack cabinet. This will provide easy access for the rest of the installation procedure.
CAUTION—Because of the size and weight of the rack cabinet doors, never attempt to remove or install them by yourself.
Store the cabinet doors where they will not pose a hazard or become damaged.
Mark the Rack
The Firewall Director requires 1U (44 mm or 1.75 inches) of vertical space for installation within a rack. Use the following procedure to identify an appropriate 1U position on your rack.
For this procedure you will need a straight-edge and either masking tape or a felt-tip pen to mark the mounting holes.
1. Unpack the Firewall Director from its shipping box.
2. Identify the 1U increments for your rack assembly.
Figure 2-5 Determining a 1U Mounting Position on a Two-Post Rack (shown at actual size for universal spacing and wide spacing; hole dimensions shown: 0.5 in / 12.7 mm, 0.625 in / 15.9 mm, 1.25 in / 31.7 mm; 1U = 1.75 in / 44 mm)
NOTE – Cabinet racks may differ. Some cabinets have square mounting holes instead of round ones. Some may have the 1U positions already marked and numbered (in which case you need merely select and note an empty 1U position instead of marking it with pen or tape).
Whether universal or wide spacing is used, the line dividing the top and bottom of each 1U vertical space falls exactly between the most closely spaced holes.
3. If the 1U positions are not already marked, use a straight-edge or masking tape to mark an empty 1U vertical space on the rack.
NOTE – If you are installing more than one system, install the first system in the lowest available position in the rack.
Be sure to mark the same top and bottom space on both vertical posts on the front and back rails. For example, in Figure 2-6, the taped positions indicate where the system’s upper and lower edges will be located on the vertical rails.
Figure 2-6 Marking the Vertical Rails
Attach the Slide Assemblies to the Rack
The slide assemblies of each different rack-mounting kit are installed differently. See the appropriate procedure for your specific rack configuration:
• Two-post flush-mount (see page 45)
• Two-post center-mount (see page 48)
• Four-post RapidRails (see page 49)
• Four-post VersaRails (see page 51)
CAUTION—You must strictly follow the procedures in this document to protect yourself and others. Proper planning is important to prevent injury. The two-post relay rack must be properly secured and stabilized according to the rack manufacturer or industry specifications before installing the components.
Use extreme caution when moving a rack cabinet. Rack cabinets can be extremely heavy and yet move easily on their casters and have no brakes. Retract the leveling feet when moving the rack cabinet. Avoid long or steep inclines or ramps where loss of cabinet control may occur. When the cabinet is positioned, extend the leveling feet for support and to prevent the cabinet from rolling.
Two-Post Flush-Mount Installation
The two-post rack kit includes brackets that can be configured for flush-mount installation. To install the slide assemblies for a flush-mount configuration, perform the following steps:
1. Locate the two slide assemblies and place them, side by side, on a smooth surface with the front ends of the slide assemblies toward you. Position both slide assemblies so that the center brackets are facing upwards (see Figure 2-7 on page 45).
NOTE – To prepare the slides for flush-mount installation, remove the front mounting bracket, rotate it 180 degrees, and reattach it on the opposite slide assembly.
Figure 2-7 Rotating the Front Mounting Bracket for Flush-Mount Installation
2. Using a #2 Phillips screwdriver and an 11/32-inch wrench or nut driver, remove two 12-24 x 0.5-inch pan-head Phillips screws, two nuts, and two shoulder washers from each front center bracket (see Figure 2-7).
3. Remove the front bracket from both slide assemblies.
4. Place the bracket from one slide assembly onto the threaded studs on the opposite slide assembly, with the bracket turned 180 degrees so that the mounting flange faces forward (see Figure 2-7).
5. Secure each front center mount bracket (by its nuts and shoulder washers) finger tight on their opposite slide assemblies using the two shoulder washers and two nuts you removed in step 2 (see Figure 2-7).
6. Join the front brackets you just installed to the bracket on the slide assembly with the two 12-24 x 0.5-inch pan-head Phillips screws you removed in step 2 (see Figure 2-7). The joined bracket becomes the new extended rear bracket.
7. Repeat steps 4 through 6 to configure the other slide assembly.
8. Holding the left slide assembly into position in the rack at the location you marked, adjust the extended rear bracket tightly against the back of the vertical two-post rack and secure it to the rail with two 12-24 x 0.5-inch Phillips screws (see Figure 2-8).
Figure 2-8 Installing the Slide Assemblies for Flush-Mount Configuration (callouts: two-post open-frame rack, joined bracket, 12-24 x 0.5-inch pan-head Phillips screw (4 each slide), slide assembly, slide release latch, shoulder screw on system, system release latch)
9. Secure the front bracket on the slide assembly to the two-post rail with two 12-24 x 0.5-inch pan-head Phillips screws (see Figure 2-8).
10. Perform steps 8 and 9 to install the right slide assembly in the rack.
11. Use an 11/32-inch wrench or nut driver to fully tighten the nuts on the mounting brackets on both slide assemblies that you tightened with your fingers.
12. Install the stiffening bracket into the appropriate holes at the back of the slide assemblies and secure the bracket with a 12-24 x 0.5-inch pan-head Phillips screw on each slide assembly (see Figure 2-9). If the vertical rack is 3 inches wide, use the holes at the back end of the slide assemblies (shown in Figure 2-9). If the vertical rack is 6 inches wide, use the holes located 3 inches in front of the holes at the back end of the slide assemblies.
Figure 2-9 Installing the Stiffening Bracket (shown in 3-inch rack position)
Two-Post Center-Mount Installation
The two-post rack kit includes brackets configured for center-mount installation. To complete the installation, perform the following steps:
1. Locate the right slide assembly and push the back bracket towards the back of the slide assembly (see Figure 2-10).
Figure 2-10 Installing the Slide Assemblies for Center-Mount Configuration
2. Position the right slide assembly in the two-post rack at the location you marked, push the back bracket forward against the vertical two-post rack, and secure the front and rear center-mounting brackets to the rack with two 12-24 x 0.5-inch pan-head Phillips screws (see Figure 2-10).
3. Repeat steps 1 and 2 to install the left slide assembly in the rack.
4. Install the stiffening bracket into the appropriate holes at the back of the slide assemblies and secure the bracket with a 12-24 x 0.5-inch pan-head Phillips screw on each slide assembly (see Figure 2-10). If the vertical rack is 3 inches wide, use the holes at the back end of the slide assemblies (shown in Figure 2-9 on page 47). If the vertical rack is 6 inches wide, use the holes located 3 inches in front of the holes at the back end of the slide assemblies.
Four-Post RapidRails Installation
1. At the front of the rack cabinet, position one of the RapidRails slide assemblies so that its mounting-bracket flange fits between the marks or tape you placed on the rack (see Figure 2-11).
Figure 2-11 Installing the RapidRails Slide Assemblies
The mounting hook on the slide assembly’s front mounting bracket flange should enter the top hole between the marks you made on the vertical rails.
2. Push the slide assembly forward until the mounting hook enters its respective square hole on the vertical rail, and then push down on the mounting-bracket flange until the mounting hooks seat in the square holes and the push button pops out and clicks (see Figure 2-11 on page 49).
3. At the back of the cabinet, pull back on the mounting-bracket flange until the mounting hooks are located in their respective square holes, and then push down on the mounting-bracket flange until the mounting hooks seat in the square holes and the push button pops out and clicks.
4. Repeat steps 1 through 3 for the slide assembly on the other side of the rack.
5. Ensure that the rails are mounted at the same position on the vertical rails on each side of the rack.
Four-Post VersaRails Installation
1. At the front of the rack cabinet, position one of the VersaRails slide assemblies so that its mounting-bracket flange fits between the marks or tape (or numbered location) on the rack (see Figure 2-12).
Figure 2-12 Installing the VersaRails Slide Assemblies
The three holes on the front of the mounting bracket should align with three of the holes between the marks you made on the front vertical rail.
2. Install two 10-32 x 0.5-inch flange-head Phillips screws in the mounting flange’s top and bottom holes to secure the slide assembly to the front vertical rail (see Figure 2-12 on page 51).
3. At the back of the cabinet, pull back on the mounting-bracket flange until the mounting holes align with their respective holes on the back vertical rail.
4. Install three 10-32 x 0.5-inch flange-head Phillips screws in the back mounting flange’s holes to secure the slide assembly to the back vertical rail.
5. Repeat steps 1 through 4 for the slide assembly on the other side of the rack.
6. Ensure that the slide assemblies are mounted at the same position on the vertical rails on each side of the rack.
Attach the System Chassis to the Slide Assemblies
CAUTION—When installing multiple components in a rack, complete all of the procedures for the current system before attempting to install the next system. Due to the size and weight of the system, never attempt to install the system by yourself.
The rack-mounting kits are designed to support a single system. Using a kit to support more than one unit may cause damage or injury.
NOTE – This procedure is identical for all included rack-mounting kits.
1. Pull the slide assemblies out until they lock in the fully extended position.
2. Remove the system front bezel if attached (see “Removing the Bezel” on page 27).
3. Lift the system into position in front of the extended slides (see Figure 2-8 on page 46).
4. Place one hand on the front-bottom of the system and the other hand on the back-bottom of the system.
5. Tilt the back of the system down while aligning the back shoulder screws on the sides of the system with the back slots on the slide assemblies.
6. Engage the back shoulder screws into their slots.
7. Lower the front of the system and engage the front shoulder screws in the front slot behind the system release latch (see Figure 2-13 on page 54). The system release latch will move forward and then snap back as the shoulder screw passes into the front slot.
Use this system release latch when you wish to remove the system from the slide assemblies.
8. Press the slide release latch at the side of each slide to slide the system completely into the rack (see Figure 2-13 on page 54).
9. Push in and turn the captive thumbscrews on each side of the front chassis panel to secure the system to the rack.
Figure 2-13 Installing the System in the Rack Slide Assemblies
Add the Cable-Management Arm
The cable management arm can be installed on the back of the system, on either the right or left side. This procedure describes installing the cable management arm on the right side of the system, as viewed from the back. If you are installing several systems in the rack, consider installing the cable management arms on alternating sides for ease in cable routing.
To install the cable-management arm on the back of the system, perform the following steps:
1. Facing the back of the rack, locate the latch on the end of the right slide assembly.
2. Push the tab on the back end of the cable-management arm into the latch on the end of the slide assembly (see Figure 2-14).
Figure 2-14 Installing the Cable-Management Arm
The latch clicks when locked.
3. Push the tab on the remaining free end (the front) into a mating latch on the inner segment of the slide assembly (see Figure 2-14). The latch clicks when locked.
4. Install a stop block on the end of the opposite slide assembly (see Figure 2-14 on page 55). The stop block prevents the backward travel of the cable-management arm and supports the weight of the arm with its load of cables. The two-post rack kit has two stop blocks: one for right-side mounting and one for left-side mounting. You can only install the proper stop block.
5. Install the status-indicator cable plug into its connector.
6. Open the wire covers on the cable-management arm by lifting the center of the wire over the top of the embossed round button on the front of the forward part of the arm, and lifting the wire over the top of a similar round button on the back part of the arm. The wire cover swings open to enable cables to be routed within the arm.
7. Route the status-indicator end of the cable through the cable-management arm, and install the indicator in its slot at the back of the cable-management arm (see Figure 2-15).
Figure 2-15 Opening the Wire Covers
Reattach the Cabinet Doors
If installing the system in a four-post cabinet rack, reattach the cabinet doors using the procedures in the documentation provided with your rack cabinet.
CAUTION—Because of the size and weight of some rack cabinet doors, never attempt to remove or install them by yourself.
Connecting Network Cables
Basic Alteon Switched Firewall Network Topology
Once the Alteon Switched Firewall equipment is physically mounted in a rack system, the required network cables can be attached.
Although the precise network topology depends on your specific network, the basic Alteon Switched Firewall network topology suggested for initial configuration is simple, as shown below:
[Figure 2-16 (diagram): an Untrusted Network (Internet) and Trusted Networks (Intranet) attach to Firewall Accelerator ports 1 through 9 (each with Data, Link, and Active LEDs); the Firewall Director connects to the Firewall Accelerator; management stations shown are the Alteon Switched Firewall Management Console, the Check Point Enterprise Management Console, and the Check Point Management Client Console (optional).]
Figure 2-16 Basic Alteon Switched Firewall Network
By default, the various ports on the Firewall Accelerator are reserved for specific purposes:
• Ports 1 through 5 are reserved for connecting trusted, untrusted and semi-trusted networks to the firewall.
• Ports 6 through 8 are reserved for Firewall Director connections. Ports 6 through 8 can also be configured for use as regular network ports. See “Changing the Firewall Accelerator Ports” on page 343 for more information.
• Port 9 is reserved for interconnecting redundant Firewall Accelerators in a high-availability configuration.
Using the reserved ports, connect the network cables as follows:
1. Attach the Firewall Director to any of Firewall Accelerator ports 6 through 8.
• Connecting an ASF 5010 Firewall Director: To sustain high levels of throughput, the high-capacity ASF 5700 or ASF 5600 Firewall Accelerator should be connected only to a high-capacity ASF 5010 Firewall Director. Connect any of Firewall Accelerator ports 6 through 8 to the dedicated Firewall Director uplink port. The uplink port uses the gigabit fiber optic SC connector. The RJ-45 connector is not normally supported for ASF 5010 Firewall Director connections.
• Connecting an ASF 5008 Firewall Director: To avoid overwhelming the Firewall Director, the economy class ASF 5008 Firewall Director should be connected only to an economy class ASF 5400 or ASF 5300 Firewall Accelerator. Connect any of Firewall Accelerator ports 6 through 8 to Firewall Director uplink port 1. The dedicated link uses a 10/100 Mbps RJ-45 connector.
NOTE – See “Network Connector and Cable Specifications” on page 59 for cable information.
2. Connect the trusted, untrusted and semi-trusted network feeds into any of ports one through five. All network ports are auto-negotiating and support half- or full-duplex operation.
• ASF 5700 or ASF 5600 Firewall Accelerators: Dual-media ports. Each network port has dual physical connectors: one SC-style fiber optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. Depending on the network devices being attached to the system, either connector may be used. For devices which use dual-homing technology to achieve link redundancy, one connector can be used as the preferred link, and the other can be used as a backup. Only one of the two jacks will be active at any given time. Selection conditions are described in “Automatic Selection of Redundant Connections” on page 63.
• ASF 5400 or ASF 5300 Firewall Accelerators: Single-media ports. The RJ-45 jack is for connecting 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments to the port.
Once network cabling is complete, power can be connected as described in “Connecting Power” on page 65.
NOTE – The default port assignments can be changed after initial installation and configuration. See “Changing the Firewall Accelerator Ports” on page 343 for more information. Also see Chapter 8, “Expanding the Cluster,” for details on adding system components to increase processing power or redundancy.
Network Connector and Cable Specifications
The following specifications apply to both the Firewall Director and Firewall Accelerator.
RJ-45 Connector Specifications for 10/100 Mbps Ethernet
Specifications
The RJ-45 connectors on the Firewall Director and Firewall Accelerator support both the 10Base-T and 100Base-TX Ethernet standards. The ports are designed to operate with UTP Category 5 cables equipped with standard RJ-45-compatible plugs.
The following table lists the cable characteristics for connecting to 10/100Base-T ports:
Table 2-2 10/100Base-T Cable Specifications
Port Type     Media                   Maximum Distance
10Base-T      Cat. 3, 4, or 5 UTP     100 meters (325 feet)
100Base-TX    Cat. 5 UTP              100 meters (325 feet)
NOTE – 100Base-T signaling requires four twisted pairs of Category 5 balanced cabling, as specified in ISO/IEC 11801:1995 and EIA/TIA-568-A (1995) and tested using procedures defined in TIA/EIA TSB95.
Dual-Media Ports
Some models of Firewall Accelerator feature dual physical connectors on some or all ports. The RJ-45 connector can be used as a backup for the preferred fiber optic port, or can be used as the sole connection in network configurations where optical wiring is not implemented. See “Automatic Selection of Redundant Connections” on page 63 for more information.
Cables: Straight-Through versus Crossover
10/100Base-T cables can be wired as straight-through or crossover, depending on the devices being connected.
When connecting different classes of devices (a computing device and a network device), a straight-through cable is generally used. In a straight-through cable, each pin on one connector is wired to the same numbered pin on the other connector (pin 1 is wired to pin 1, and so on).
Straight-through cables are used in the following circumstances:
• Connecting a Firewall Accelerator port to Firewall Director uplink port 1
• Connecting a Firewall Accelerator network port to a server or workstation
• Connecting the Firewall Director synchronization port to a hub, switch, or router port
When connecting similar classes of devices (two computers or two switches), a crossover cable is used. A crossover cable swaps certain pairs of wires to avoid connecting the data transmission pins together (transmit-to-transmit). In a crossover cable, the transmit pins on one connector are wired to the receive pins on the other end, and vice versa.
Crossover cables are used in the following circumstances:
• Connecting the Firewall Accelerator port to a hub, switch, or router port
• Directly interconnecting two Firewall Director synchronization ports
Use straight-through or crossover cables with pin assignments as specified below.
Straight-through cable                                  Crossover cable
RJ-45 10/100 Mbps Port   RJ-45 10/100 Mbps Port         RJ-45 10/100 Mbps Port   RJ-45 10/100 Mbps Port
pin 1                    pin 1                          pin 1                    pin 3
pin 2                    pin 2                          pin 2                    pin 6
pin 3                    pin 3                          pin 3                    pin 1
pin 6                    pin 6                          pin 6                    pin 2
Figure 2-17 Pin assignments for 10/100 Mbps port cables
NOTE – You can use straight-through cables instead of crossover cables if the device being connected has an “uplink” setting that you can enable.
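The straight-through/crossover rule above can be checked mechanically rather than memorised. The following Python is an added example (not part of the Nortel guide): it assigns each port type a transmit/receive pin set, applies the two pin maps from Figure 2-17, and reports which cable makes transmit pins land on receive pins at both ends. The device classes (MDI for hosts and the Firewall Director uplink and synchronization ports, MDI-X for hubs, switches and the Firewall Accelerator network ports) are this example's assumption, chosen to reproduce the cable recommendations listed above; the "uplink" helper models the NOTE about an uplink setting.

```python
"""Which 10/100Base-T cable connects two ports? (added example, not Nortel code)"""
from typing import Dict, Set

# Pin maps from Figure 2-17: near-end pin -> far-end pin.
STRAIGHT_THROUGH: Dict[int, int] = {1: 1, 2: 2, 3: 3, 6: 6}
CROSSOVER: Dict[int, int] = {1: 3, 2: 6, 3: 1, 6: 2}

# Pin usage per port wiring (assumption): MDI ports transmit on 1/2 and
# receive on 3/6; MDI-X ports are the reverse.
MDI: Dict[str, Set[int]] = {"tx": {1, 2}, "rx": {3, 6}}
MDIX: Dict[str, Set[int]] = {"tx": {3, 6}, "rx": {1, 2}}

# Mapping of the guide's devices to port wiring is this example's assumption,
# derived from the straight-through/crossover lists in the guide.
DEVICE_CLASS = {
    "firewall_accelerator_port": MDIX,
    "firewall_director_uplink": MDI,
    "director_sync_port": MDI,
    "server": MDI,
    "hub_or_switch": MDIX,
}


def link_is_valid(near: Dict[str, Set[int]], far: Dict[str, Set[int]],
                  cable: Dict[int, int]) -> bool:
    """True if every transmit pin reaches a receive pin on the other end, both ways."""
    for pin, far_pin in cable.items():
        if pin in near["tx"] and far_pin not in far["rx"]:
            return False          # transmit-to-transmit: no link
        if pin in near["rx"] and far_pin not in far["tx"]:
            return False          # receive-to-receive: no link
    return True


def required_cable(near_device: str, far_device: str) -> str:
    """Name the cable type that connects the two devices."""
    near, far = DEVICE_CLASS[near_device], DEVICE_CLASS[far_device]
    if link_is_valid(near, far, STRAIGHT_THROUGH):
        return "straight-through"
    if link_is_valid(near, far, CROSSOVER):
        return "crossover"
    raise ValueError("no standard cable connects these ports")


def uplink(port: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """An 'uplink' setting swaps a port's pairs, so a straight-through cable
    can replace a crossover cable (the NOTE above)."""
    return {"tx": set(port["rx"]), "rx": set(port["tx"])}


if __name__ == "__main__":
    for pair in [("firewall_accelerator_port", "firewall_director_uplink"),
                 ("firewall_accelerator_port", "hub_or_switch"),
                 ("director_sync_port", "director_sync_port")]:
        print(pair, "->", required_cable(*pair))
```

The check is symmetric in the two ends, so it does not matter which device is treated as "near"; what matters is that every pin the cable carries ends on a pin of the opposite direction.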
SC Fiber-Optic Connector Specifications for Gigabit Ethernet
Specifications
For connecting to high-speed networks, the high-capacity ASF 5600 and ASF 5700 Firewall Accelerators feature gigabit fiber optic connectors on every port. The ASF 5300 and ASF 5400 Firewall Accelerators also have one gigabit connector on port 9 (reserved for high-availability configurations).
The SC fiber optic connectors support the 1000Base-SX Gigabit Ethernet standards, and are designed to operate with multimode fiber optic cables.
Figure 2-18 SC Fiber Optic Connector for the Alteon Switched Firewall
Table 2-3 lists the operating characteristics for the 1000Base-SX port using an 850nm laser.
Table 2-3 Multimode Fiber Operating Distance Characteristics
Description                   Operating Distance
62.5/160 multimode fiber      Up to 220 meters (721 ft.)
62.5/200 multimode fiber      Up to 275 meters (902 ft.)
50/400 multimode fiber        Up to 500 meters (1,639 ft.)
50/500 multimode fiber        Up to 550 meters (1,803 ft.)
Dual-Media Ports
The ASF 5400, ASF 5600, and ASF 5700 Firewall Accelerators feature two physical connectors on each gigabit port: one SC fiber optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. Depending on the network devices being attached to the system, either connector may be used.
For devices which use dual-homing technology to achieve link redundancy, one connector can be used as the preferred link, and the other can be used as a backup. Only one of the two jacks will be active at any given time. Selection conditions are described in “Automatic Selection of Redundant Connections” on page 63.
Port LED Indicators
Figure 2-19 depicts the LEDs on the Firewall Accelerator and Firewall Director ports.
[Figure 2-19 (diagram): LED labels for the Firewall Accelerator and Firewall Director ports. 10/100Base-T (RJ-45) ports: Data, Link, Active. 1000Base-SX (SC) ports: Data, Link, Active. Footnotes: 1 Not on the ASF 5300. 2 ASF 5010 only.]
Figure 2-19 Firewall Accelerator and Firewall Director LEDs
Table 2-4 describes the states of the LEDs.
Table 2-4 Firewall Accelerator Port LEDs
LED      State       Description
Data     Blinking    Data detected on the port.
         Off         No data detected on the port.
Link     On          Good link.
         Off         No link; could be a result of a bad cable or bad connector, or configuration mismatch.
         Blinking    Port has been disabled by software.
Active   Dual-media ports:
         On          The jack indicated (either the RJ-45 or the SC) is selected for this port’s use.
         Off         The jack is not selected.
         Single-media ports:
         On          The port has a good link, or has been disabled by software.
         Off         The port is enabled, but has no link; could be a result of a bad cable or bad connector, or configuration mismatch.
Automatic Selection of Redundant Connections
Some Firewall Accelerator models feature two physical connectors on the same port: one SC fiber-optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. The ASF 5600 and ASF 5700 Firewall Accelerators feature dual connectors on ports 1 through 9. The ASF 5400 Firewall Accelerator has one dual connector on port 9.
When connecting the Firewall Accelerator to network devices which use dual-homing technology to achieve link redundancy, one port connector can be configured as the preferred link, and the other can be configured as a backup. By default, the Gigabit Ethernet port is preferred. See “Port Menu” on page 242 for port configuration commands.
Only one of the two jacks will be active at any given time. Automatic bring-up and fail-over between the port pairs follows these rules:
• If both the preferred and backup links are inactive:
  ◦ If the user activates the preferred link first (by plugging a live cable into the jack), the link immediately becomes active.
  ◦ If the user activates the backup link first, it remains inactive for a user-selectable time-out (default 1.5 seconds). If the preferred link is activated prior to the time-out, it becomes the active port. Otherwise, the backup link becomes active.
• If the active link fails, the backup link will become active, with minimally required software intervention.
• If the backup link is active and the preferred link becomes viable (either because of a newly created connection or because of a repaired link), the backup link will remain active until one of the following conditions occurs:
  ◦ The backup link fails or is removed by the user.
  ◦ The user forces the preferred link to become the active link from any management interface.
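The bring-up and fail-over rules above form a small state machine, and the non-obvious part is that a returning preferred link does not pre-empt an active backup. The following Python is an added example (not Nortel's firmware): it models one dual-media port with a caller-supplied logical clock, using the guide's 1.5-second default hold-off; the jack names, method names and the `scenario()` walk-through are this example's own.

```python
"""Preferred/backup jack selection on a dual-media port (added example, not Nortel code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DualMediaPort:
    preferred: str = "SC"       # the Gigabit Ethernet jack is preferred by default
    backup: str = "RJ-45"
    timeout: float = 1.5        # user-selectable hold-off for the backup, seconds
    active: Optional[str] = None
    up: Dict[str, bool] = field(default_factory=dict)   # jack -> link present
    backup_pending_since: Optional[float] = None

    def __post_init__(self) -> None:
        self.up = {self.preferred: False, self.backup: False}

    def link_up(self, jack: str, now: float) -> Optional[str]:
        """A live cable was plugged into `jack` at time `now`."""
        self.up[jack] = True
        if self.active is None:
            if jack == self.preferred:
                self.active = jack                 # preferred first: active at once
                self.backup_pending_since = None
            elif self.backup_pending_since is None:
                self.backup_pending_since = now    # backup first: start the hold-off
        # If the backup is already active, the returning preferred link does not
        # take over; only link_down() of the backup or force_preferred() does that.
        return self.active

    def link_down(self, jack: str, now: float) -> Optional[str]:
        """Link lost (or cable removed) on `jack`."""
        self.up[jack] = False
        if jack == self.backup:
            self.backup_pending_since = None
        if self.active == jack:
            other = self.backup if jack == self.preferred else self.preferred
            # Fail over to the other jack if it has link, otherwise go idle.
            self.active = other if self.up[other] else None
        return self.active

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock; promotes a waiting backup once the hold-off expires."""
        if (self.active is None and self.backup_pending_since is not None
                and self.up[self.backup]
                and now - self.backup_pending_since >= self.timeout):
            self.active = self.backup
            self.backup_pending_since = None
        return self.active

    def force_preferred(self) -> Optional[str]:
        """Operator forces the preferred link from a management interface."""
        if self.up[self.preferred]:
            self.active = self.preferred
            self.backup_pending_since = None
        return self.active


def scenario() -> List[Optional[str]]:
    """Walk through the guide's rules; returns the active jack after each step."""
    port = DualMediaPort()
    steps: List[Optional[str]] = []
    port.link_up("RJ-45", now=0.0)                  # backup plugged in first
    steps.append(port.tick(1.0))                    # still held off -> None
    steps.append(port.tick(1.5))                    # hold-off expired -> "RJ-45"
    steps.append(port.link_up("SC", now=2.0))       # preferred returns, backup stays -> "RJ-45"
    steps.append(port.force_preferred())            # operator forces SC -> "SC"
    steps.append(port.link_down("SC", now=3.0))     # SC fails, fail over -> "RJ-45"
    return steps


if __name__ == "__main__":
    print(scenario())   # [None, 'RJ-45', 'RJ-45', 'SC', 'RJ-45']
```

When troubleshooting a port that "stays on copper" after the fiber is repaired, this is the behaviour to expect: the switch is following the third rule, and the preferred jack is reselected either by forcing it from the management interface or by removing the backup cable.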
Using the Firewall Director Cable-Management Arm
1. Once the I/O cables are connected to their respective connectors on the system back panel, route them through the cable-management arm. Use four loosely secured releasable tie wraps (two in the middle and one on each end of the cable-management arm). Do not fully tighten the tie wraps at this time (see Figure 2-20). Allow some cable slack in the cable-management arm to prevent damage to the cables.
2. Secure the cables to the cable-management arm:
• After connecting the cables to the system, unscrew the thumbscrews that secure the front of the system to the front vertical rail.
• Slide the system forward to the fully extended position.
• Route the cables along the cable-management arm, make any adjustments to the cable slack at the hinge positions, and secure the cables to the cable-management arm with the releasable tie wraps and the wire covers over the cable-management arm.
NOTE – As you pull the system out to its furthest extension, the slide assemblies lock in the extended position. To push the system back into the rack, press the slide release latch on the side of the slide, and then slide the system completely into the rack.
3. Slide the system in and out of the rack to verify that the cables are routed correctly and do not bind, stretch, or pinch with the movement of the cable-management arm.
4. Make any necessary adjustments to ensure that the cable slack is neither too tight nor too loose, yet keeps the cables in place as the system is moved in and out of the rack.
Figure 2-20 Routing Cables
Connecting Power
CAUTION—Make sure the device is properly grounded electrically and that power connections are safe, particularly when using power strips. Avoid overloading your electrical supply circuits. Electrical ratings are printed on the nameplates of all your equipment. Be sure that your supply circuits and wiring can support the rated power draw of whatever equipment is used. The total branch load should not exceed 80% of the circuit rating.
Connecting AC Power for the Firewall Accelerator
CAUTION—The Firewall Accelerator uses a 3A/250V fast-acting fuse. For continued protection against risk of fire, replace only with the same type and rating fuse. French: Attention – Utiliser un fusible de rechange de même type.
1. Connect the power cord to the power connector on the Firewall Accelerator.
2. Verify that the power switch is in the off position, and plug the cord into a properly fused outlet.
Connecting AC Power for the Firewall Director
1. Connect the power cord to AC power receptacle number 1 on the back of the unit (receptacle number 2 is not currently supported).
NOTE – The Firewall Director power button does not have discrete on and off positions. The button can safely be in any position when you connect the power cord. The unit will not power on until you plug in the unit and press the power button.
2. Install a tie-wrap through the slot on the strain-relief tab (see Figure 2-21 on page 66).
NOTE – Though the strain-relief tab can accommodate power cords with a bend radius of up to 19 mm (0.75 inch), the system manufacturer recommends that you only use the power cords provided with the system.
3. Bend the power cord back beside the power receptacle housing and form a tight loop. Install the strain-relief tie-wrap loosely around the looped power cord (see Figure 2-21 on page 66).
Figure 2-21 Installing the Power Cord Strain Relief
4. Route the power cables through the cable management arm (see “Using the Firewall Director Cable-Management Arm” on page 64).
5. Plug the cord into a properly fused outlet.
Turning Power On
1. Turn on the Firewall Accelerators. To turn power on, place the power switch in the on ( | ) position.
2. Turn on the Firewall Directors. To turn power on, press the power button on each Firewall Director. The power system indicator LED turns green to indicate that the power supply is turned on.
Turning Power Off
1. Stop the software on each Firewall Director. Log in to the cluster CLI and perform the following command for each Firewall Director (saving the one you are connected to for last):
# /cfg/sys/cluster/host
2. Turn off the Firewall Directors. To turn power off, press the power button on either the front or back of each powered Firewall Director. When power is off, the power system indicator LED does not emit green light.
NOTE – The network interface indicators on the front panel of the Firewall Directors will function when the system is off, provided AC power is connected.
3. Turn off the Firewall Accelerators.
Connecting a Console Terminal
Each component of the Alteon Switched Firewall has its own console port, though they are used for different purposes:
• Alteon Firewall Director: The serial port on the rear panel of the Firewall Director is used to access the system for initial configuration as well as collecting system information and statistics.
• Alteon Firewall Accelerator: The console port on the front panel of the Firewall Accelerator is used only for diagnostic and recovery functions as directed by Nortel Networks technical support.
This section explains how to connect a console terminal to the Firewall Director serial port for system configuration.
Requirements
To establish a console connection on the Firewall Director, the following is required:
n An ASCII terminal or a computer running ASCII terminal emulation software set to the parameters shown in the table below:
Table 2-5 Console Configuration Parameters
Parameter       Value
Baud Rate       9600
Data Bits       8
Parity          None
Stop Bits       1
Flow control    none
n A standard straight-through serial cable with a male DB9 connector (included with the Firewall Director). An equivalent cable can be made as outlined in the next section.
Console Connector and Cable Specifications
The Firewall Director serial port female DB9 connector accepts a serial cable with a male DB9 connector.
Table 2-6 Pinouts for DB9 Serial Connector
Pin     Signal   I/O    Description
1       DCD      I      Data carrier detect
2       SIN      I      Serial input
3       SOUT     O      Serial output
4       DTR      O      Data terminal ready
5       GND      N/A    Signal ground
6       DSR      I      Data set ready
7       RTS      O      Request to send
8       CTS      I      Clear to send
9       RI       I      Ring indicator
Shell   N/A      N/A    Chassis ground
The following figure shows the pin assignments used for creating cables that connect to terminals with 9-pin or 25-pin connectors.
9-pin to 9-pin cable                               9-pin to 25-pin cable
Firewall Director      PC Serial Port              Firewall Director      PC Serial Port
9-Pin Connector        9-Pin Connector             9-Pin Connector        25-Pin Connector
DCD    pin 1           pin 1                       DCD    pin 1           pin 8
SIN    pin 2*          pin 2                       SIN    pin 2*          pin 3
SOUT   pin 3*          pin 3                       SOUT   pin 3*          pin 2
DTR    pin 4           pin 4                       DTR    pin 4           pin 20
GND    pin 5*          pin 5                       GND    pin 5*          pin 7
DSR    pin 6           pin 6                       DSR    pin 6           pin 6
RTS    pin 7           pin 7                       RTS    pin 7           pin 4
CTS    pin 8           pin 8                       CTS    pin 8           pin 5
RI     pin 9           pin 9                       RI     pin 9           not used
*Only the SIN, SOUT, and GND pins are required.
Figure 2-22 Console Cable Wiring for 9-Pin and 25-Pin Connectors
NOTE – Console cables are not intended for permanent installation and should be disconnected from the console port after configuring the Alteon Switched Firewall.
Establishing a Connection
1. Connect the terminal to the serial port using the correct serial cable. When connecting to a Firewall Director, use a standard serial cable with a male DB9 connector (shipped with the Firewall Director).
2. Power on the terminal.
3. To establish the connection, press
CHAPTER 3 Initial Setup
This chapter describes how to perform initial setup for the minimal Alteon Switched Firewall configuration (one Firewall Director and one Firewall Accelerator).
It is assumed that you have installed the Alteon Switched Firewall hardware as described in Chapter 2, “Hardware Installation,” including mounting the components, attaching network cables, turning on power, and connecting a console terminal.
The following topics are discussed in this chapter:
• “Overview of Initial Setup Tasks” on page 3-72
• “Collect Basic System Information” on page 3-72
• “Example Network” on page 3-73
• “Use Setup for Basic Configuration” on page 3-74
• “Configure Licenses and Interfaces” on page 3-78
• “Install Check Point Management Tools” on page 3-81
• “Configure and Install Firewall Policies” on page 3-89
NOTE – For configurations with multiple Firewall Directors or Firewall Accelerators, first install the minimum system as described in Chapter 2, “Hardware Installation,” on page 33 and perform initial setup as described in this chapter. When the minimum system is fully configured, add and set up the extra components as described in Chapter 8, “Expanding the Cluster,” on page 325.
Overview of Initial Setup Tasks
Initial setup involves the following tasks, each of which is detailed in the remaining sections of this chapter:
• Collect basic system information (page 72)
• Understand the example network (page 73)
• Use the CLI Setup utility for basic configuration (page 74)
• Use the CLI to configure Check Point NG licenses and network details (page 78)
• Install Check Point management tools on a separate administration station (page 81)
• Use the management tools to configure and install firewall policies (page 89)
• Update the system software, if required
Collect Basic System Information
The following is needed prior to configuring the Alteon Switched Firewall:
• A Check Point license for each Firewall Director in the cluster.
• One subnet assigned for internal Alteon Switched Firewall use. This subnet must consist of the following IP addresses:
  ◦ One Management IP (MIP) address. This is used as the main access point for the entire Alteon Switched Firewall cluster.
  ◦ An IP address for each Firewall Director in the cluster.
  ◦ An IP address for each Firewall Accelerator in the cluster.
NOTE – The highest IP address and lowest IP address in the subnet range are reserved for broadcasts and cannot be assigned to specific cluster devices.
• A list of subnets that will be statically configured on the firewall for internal subnets, plus the IP address of the internal router that handles routes for these subnets.
• The IP address of the default gateway for data moving from the Alteon Switched Firewall to the Internet.
• An IP address reserved for the Alteon Switched Firewall on each trusted, untrusted, and semi-trusted subnet that will connect directly to the firewall.
• A Check Point Enterprise Management Console (EMC) and Policy Editor client on one of the networks attached to the Firewall Accelerator.
• The Firewall Accelerator must be installed with Accelerator OS version 1.0 or higher and the Firewall Director must be installed with Firewall OS version 1.0 or higher.
NOTE – Before upgrading the software on the Firewall Accelerator and Firewall Director, you must perform the initial setup procedures as explained in this chapter. Once initial setup is complete, see Chapter 9, “Upgrading the Software,” on page 345 for more information.
Example Network
The following example network will be used to illustrate the procedures described in this chapter:
[Figure 3-1 (diagram): Alteon Switched Firewall MIP 192.168.1.1. Firewall Accelerator IP 192.168.1.2, gateway 10.1.1.2. Firewall Director IP 192.168.1.3, attached to port 6. Network A (Untrusted) on port 1: interface IF1, IP 10.1.1.1; router inside interface IP 10.1.1.2 toward the Internet. Network B (Trusted) 10.2.0.0/16 on port 2: interface IF2, IP 10.2.0.1 (network gateway 10.2.0.1); Check Point EMC IP 10.2.0.2.]
Figure 3-1 Example Network for Initial Setup
Using this topology, the required information is as follows:
• Alteon Switched Firewall cluster MIP address: 192.168.1.1
• Firewall Accelerator IP address: 192.168.1.2
• Firewall Director IP address: 192.168.1.3
• Firewall default gateway IP address: 10.1.1.2 (Router interface)
• Network A (Untrusted) IP addresses: 10.1.1.0/24, with 10.1.1.1 reserved for firewall
• Network B (Trusted) IP addresses: 10.2.0.0/16, with 10.2.0.1 reserved for firewall
• Check Point Enterprise Management Console (EMC) IP address: 10.2.0.2 (located on Network B.)
Once the network information is collected, you can use the Setup utility to begin basic system configuration.
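Before typing addresses into the Setup utility it is worth checking the plan against the requirements in “Collect Basic System Information”: every cluster address (MIP, Firewall Directors, Firewall Accelerators) must lie in the internal cluster subnet, none may be the reserved lowest or highest address of that subnet, none may be reused, and the firewall address on each attached network must be a usable host address there. The following Python is an added example (not part of the guide) that performs those checks with the standard library `ipaddress` module on the example network above; the overlap check between data networks and the cluster subnet is an additional sanity check of the example's own, and the `EXAMPLE_PLAN` dictionary is built from the figures listed above.

```python
"""Validate an Alteon Switched Firewall cluster address plan (added example, not Nortel code)."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

Network = Tuple[str, str, Optional[str]]   # (cidr, firewall address, gateway or None)


def validate_plan(cluster_subnet: str, mip: str, directors: Sequence[str],
                  accelerators: Sequence[str], networks: Sequence[Network]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    net = ipaddress.ip_network(cluster_subnet)
    # The guide reserves the lowest and highest address of the cluster subnet.
    reserved = {net.network_address, net.broadcast_address}

    cluster_hosts = [ipaddress.ip_address(a) for a in (mip, *directors, *accelerators)]
    for addr in cluster_hosts:
        if addr not in net:
            problems.append(f"{addr} is outside the cluster subnet {net}")
        elif addr in reserved:
            problems.append(f"{addr} is the lowest or highest address of {net} and is reserved")
    for addr in sorted({a for a in cluster_hosts if cluster_hosts.count(a) > 1}):
        problems.append(f"{addr} is assigned more than once in the cluster subnet")

    for cidr, fw_ip, gateway in networks:
        n = ipaddress.ip_network(cidr)
        fw = ipaddress.ip_address(fw_ip)
        if fw not in n or fw in {n.network_address, n.broadcast_address}:
            problems.append(f"firewall address {fw} is not a usable host address in {n}")
        if gateway is not None and ipaddress.ip_address(gateway) not in n:
            problems.append(f"gateway {gateway} is not on {n}")
        if n.overlaps(net):   # extra check (assumption): data networks must not overlap the cluster subnet
            problems.append(f"{n} overlaps the internal cluster subnet {net}")
    return problems


# Constructed from the example network in this chapter.
EXAMPLE_PLAN = dict(
    cluster_subnet="192.168.1.0/24",
    mip="192.168.1.1",
    directors=["192.168.1.3"],
    accelerators=["192.168.1.2"],
    networks=[
        ("10.1.1.0/24", "10.1.1.1", "10.1.1.2"),   # Network A (untrusted), router inside interface
        ("10.2.0.0/16", "10.2.0.1", None),         # Network B (trusted), firewall is the gateway
    ],
)

if __name__ == "__main__":
    print(validate_plan(**EXAMPLE_PLAN) or "address plan OK")
```

Running it on the example network reports no problems; swapping the MIP for 192.168.1.255 or placing a Firewall Director in another subnet produces a message per fault, which is cheaper to find here than after the cluster has been initialised.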
Use Setup for Basic Configuration
The Firewall Director console connection is used to access the Alteon Switched Firewall while performing initial configuration. Connect the included console cable between the serial port on the Firewall Director to the serial port of a computer with terminal emulation software as described in “Connecting a Console Terminal” on page 68.
Press
login: admin
Password: admin (not displayed)
Welcome to the Alteon Switched Firewall initialization.
------[Setup Menu]
join    - Join an existing SFD cluster
new     - Initialize SFD as a new installation
offline - Initialize SFD for offline switchless maintenance
boot    - Boot Menu
exit    - Exit
>> Setup#
NOTE – If the Setup Menu does not appear, disconnect the Firewall Director from the cluster and reset it to its factory default state using the /boot/delete command (see page 312).
Below is an example of the Setup utility prompts and configuration. Follow the example to initialize a “new” installation. After answering the various Setup questions, the built-in Check Point software will be initialized.
1. Select a “new” installation.
>> Setup# new
Setup will guide you through the initial configuration of a new SFD cluster.
2. Enter the network IP address for this Firewall Director:
Enter an IP address for this SFD: 192.168.1.3
NOTE – The IP addresses shown here and in the following steps are taken from the example network on page 73. Enter information for your specific network configuration.
3. Enter the network mask for the entire cluster subnet:
Enter a network mask or /bit count [255.255.255.0 or /24]: /24
In this example, the cluster network spans 192.168.1.0/24.
4. Enter other network IP address information. These addresses must be in the cluster subnet.
Enter DNS server IP [none]:
5. Set your time zone by selecting continent or ocean, then country, then region. For example:
Timezone setting
1 - Africa
2 - America
3 - Antarctica
4 - Arctic
5 - Asia
6 - Atlantic
7 - Australia
8 - Europe
9 - Indian
10 - Pacific
Select a continent or an ocean, or enter a full timezone name: 2
Countries:
 1 - Antigua&Barbuda      18 - Ecuador              35 - Panama
 2 - Anguilla             19 - Grenada              36 - Peru
 3 - Antilles             20 - French Guiana        37 - St Pierre & Miquelon
 4 - Argentina            21 - Greenland            38 - Puerto Rico
 5 - Aruba                22 - Guadeloupe           39 - Paraguay
 6 - Barbados             23 - Guatemala            40 - Suriname
 7 - Bolivia              24 - Guyana               41 - El Salvador
 8 - Brazil               25 - Honduras             42 - Turks & Caicos Is
 9 - Bahamas              26 - Haiti                43 - Trinidad & Tobago
10 - Belize               27 - Jamaica              44 - United States
11 - Canada               28 - St Kitts&Nevis       45 - Uruguay
12 - Chile                29 - Cayman Islands       46 - St Vincent
13 - Colombia             30 - St Lucia             47 - Venezuela
14 - Costa Rica           31 - Martinique           48 - Virgin Islands (UK)
15 - Cuba                 32 - Montserrat           49 - Virgin Islands (US)
16 - Dominica             33 - Mexico
17 - Dom. Republic        34 - Nicaragua
Select a country: 44

Regions & cities:
 1 - Adak                  8 - Indiana/Marengo      15 - New York
 2 - Anchorage             9 - Indiana/Vevay        16 - Nome
 3 - Boise                10 - Indianapolis         17 - Phoenix
 4 - Chicago              11 - Juneau               18 - Shiprock
 5 - Denver               12 - Los Angeles          19 - Yakutat
 6 - Detroit              13 - Louisville
 7 - Indiana/Knox         14 - Menominee
Select a region or city: 12
Selected timezone: America/Los_Angeles
6. Select a time server and set the current date and time:
Enter NTP server name or IP address [none]:
7. Set the new administrator password:
Enter new admin user password: admin (not displayed)
Enter password again: admin (not displayed)
8. Generate a new Secure Shell (SSH) host key for use in secure remote administration sessions:
Generate a new ssh host key? ([y]/n) y (Unnecessary to press
It is recommended that you generate a new SSH host key in order to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client. Answer the prompt by pressing the y or n key. Do not press
9. Set the Check Point one-time password:
Enter CheckPoint SIC one-time password:
The one-time password entered here will be required later when establishing Secure Internal Communications (SIC) between the EMC and the Firewall Director.
10. Allow self-configuration to complete. Once the basic configuration information has been entered, the system begins a phase of self-configuration and initialization. During this phase, a series of messages is displayed. The self-configuration phase is complete when the following message is displayed:
Setup successful. Please relogin to configure.
Once this Setup process is complete, you will need to log in and configure Check Point licenses as shown in the following section.
Configure Licenses and Interfaces
During this portion of the initialization process, you must install additional interfaces and a Check Point license.
Once the Setup utility has been used for basic system configuration, the Setup menu is no longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:
[Main Menu]
info     - Information Menu
cfg      - Configuration Menu
boot     - Boot Menu
maint    - Maintenance Menu
diff     - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply    - Apply pending config changes [global command]
revert   - Revert pending config changes [global command]
paste    - Restore saved config with key [global command]
help     - Show command help [global command]
exit     - Exit [global command, always available]
>> Main#
Use the following CLI commands to install your Check Point licenses and to configure information about the network.
1. If local licensing is used, enter Check Point licensing information for the Firewall Director.
NOTE – If central licensing is used, skip this step. With central licensing, the license is pushed from the EMC in a later step.
The license information will be part of your Check Point package. The expected information will appear similar to this:
• Expiry date: 02aug2001
• Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
• License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn
Log in to the Firewall Director using the administrator account. Be sure to enter the information exactly as shown on your specific Check Point license.
>> # /cfg/pnp/add
Enter the IP Address: 192.168.1.3 (address of the Firewall Director)
Enter the Expiry date for the License:
Successfully added to the registry
NOTE – Local license installation is performed through the CLI only. Do not install local licenses using the root login or Secure Update or they will be automatically deleted.
2. Configure information for the attached Firewall Accelerator:
>> iSD IP and Firewall License# /cfg/acc/ac1
>> Accelerator 1# addr 192.168.1.2
NOTE – You can also specify a MAC address in the Accelerator 1 Configuration menu. However, when the automatic discovery feature is enabled, the Alteon Switched Firewall automatically determines the MAC address of the Firewall Accelerator. Auto discovery is on by default, but can be turned on or off using the /cfg/acc/auto command.
3. Configure the ports and interfaces for the attached networks. In our example, two networks are attached to the Firewall Accelerator: Network A on port 1 and Network B on port 2. These would be configured using IP interfaces (IFs) as follows:
>> Accelerator 1# /cfg/net/port 1        (Pick Network A port 1)
>> Port 1# ena                           (Enable port 1)
>> Port 1# ../if 1                       (Pick IF 1 for Net. A)
>> Interface 1# addr 10.1.1.1            (Set address for IF 1)
>> Interface 1# mask 255.255.255.0       (Set mask for IF 1)
>> Interface 1# ena                      (Enable IF 1)
>> Interface 1# port/add 1               (Add Net. A port to IF 1)
>> Ports # /cfg/net/port 2               (Select Network B port 2)
>> Port 2# ena                           (Enable port 2)
>> Port 2# ../if 2                       (Pick IF 2 for Net. B)
>> Interface 2# addr 10.2.0.1            (Set address for IF 2)
>> Interface 2# mask 255.255.0.0         (Set mask for IF 2)
>> Interface 2# ena                      (Enable IF 2)
>> Interface 2# port/add 2               (Add Net. B port to IF 2)
NOTE – Interface broadcast addresses will be automatically calculated from the network mask unless configured manually.
4. Configure a default gateway or static route for the external networks. Traffic headed to the Internet needs to be directed to its next hop. In this example, a default gateway is used:
>> Interface 2# /cfg/net/route/gate/gw 1 (Pick default gateway 1)
>> Default gateway 1# addr 10.1.1.2      (Set gateway IP address)
>> Default gateway 1# ena                (Enable the gateway)
5. Apply the configuration changes:
>> Default gateway 1# apply
This command applies the configuration changes on the Firewall Director as well as on the Firewall Accelerator (no manual configuration is required on the Firewall Accelerator). The Firewall Director will also upgrade the Firewall Accelerator software if required.
Once the apply process is complete, the Link LED indicators for configured ports will stop blinking. Link indicators for disabled ports will continue blinking.
In our example network, you can verify that the Firewall Accelerator configuration has been updated by examining the port LEDs. The Link LEDs for ports 1 and 2 will no longer blink.
Install Check Point Management Tools
The Alteon Switched Firewall uses standard Check Point management tools (available separately) to install, maintain, and monitor firewall policies. The following Check Point tools must be installed on appropriate administrator workstations on your network:
• Check Point Enterprise Management Console (EMC) – This software acts as the central database for all your firewalls. The EMC establishes secure communications with all your Check Point firewalls, stores all their firewall policies, and uploads the policies to the appropriate firewalls as necessary. The EMC must be installed on a separate administrator workstation (not on the Alteon Switched Firewall components).
• Check Point Policy Editor management client – The management client software interfaces with the EMC to provide a graphical user interface for creating, editing, and monitoring firewall security policies. It can be installed on the EMC or on administrative workstations in your network (not on the Alteon Switched Firewall components).

If you have already installed an appropriate Check Point EMC and Policy Editor on workstations in your network, proceed to “Configuring and Install Firewall Policies” on page 89.
The following procedure outlines how to install the Check Point management tools with Feature Pack-2. For details about this or any other version of Check Point software, please refer to your complete Check Point documentation.
1. Make sure that your EMC station meets or exceeds the minimum requirements. Check Point EMC requires a workstation or server with the following:
• Operating System: Windows NT 4.0 SP6a or Windows 2000 Server and Advanced Server (SP2)
• Processor: Intel Pentium II 300 MHz or better
• Disk space: 40 MB
• Memory: 256 MB
• Check Point NG CD-ROM
• Network presence on one of the subnets attached to the Firewall Accelerator.
2. Insert the Check Point software CD-ROM into the EMC station drive. The installation program will start automatically.
The following material will explain any important prompts and the expected responses. For prompts not covered in these steps, follow any onscreen instructions.
3. When prompted from the Product Menu, select Server/Gateway Components and click on the Next button:
4. When prompted, specify the components being installed:
Select the checkboxes for the following items and click on the Next button:
• VPN-1 & FireWall-1
• Management Clients
NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.
5. When prompted to confirm installing the components, click on the Next button.
At this point, the installation program will begin installation of each component. First, a common Check Point component known as the SVN Foundation will be automatically installed and configured. When completed, the FireWall-1 software installation will begin with Feature Pack-1. Feature Pack-2 will be automatically installed during a later step.
6. When prompted, select Enterprise Primary Management as the type of product and click on the Next button.
7. Follow the onscreen prompts until Feature Pack-1 installation is complete and you see the following prompt:
Click on the OK button. The system will not reboot at this time, but will automatically continue with the installation of Feature Pack-2.
8. When prompted, specify whether or not to include backward compatibility with previous versions of the Check Point Firewall-1 software.
When finished, the Management Client installation will begin.
9. Follow the onscreen prompts until asked to specify the Management Client components to be installed:
Select the checkboxes for the following items and click on the Next button:
• Policy Editor
• Log Viewer
• System Manager
• Secure Update
NOTE – In this procedure, the Management Client tools are being installed on the EMC station. These tools may also be installed on a remote station.
Click on the Next button to install the management client software.
10. Once the software is installed, click on the OK button to configure licenses:
11. When prompted, specify a valid Check Point license for the EMC. Select the Fetch From File or Add button and specify the appropriate license data:
12. When prompted, add login information for EMC administrators:
Click the Add button. Specify administrator name, password, and privileges and click on the OK button when done:
13. When prompted, add any remote management clients:
Specify the DNS hostname or IP address of any remote management clients which will be permitted to interface with this EMC station.
14. When prompted, type random characters for the cryptographic seed:
NOTE – Do not type excessively quickly. When overfilled, the input buffer may take a few moments to process.
When the cryptographic seed is generated, click the Next button to continue.
15. Initialize the Certificate Authority:
If the internal certificate authority is not initialized, you may need to reset the SIC password on the management client and on the Alteon Switched Firewall.
16. Record the EMC fingerprint.
As a security measure, this fingerprint will be required in a later step to ensure that no one has impersonated the administrator.
17. When prompted, reboot the EMC station to finish installation:
Once the station is rebooted, installation of the EMC and Policy Editor are complete. The next task is to use the Policy Editor to define and install firewall policies.
Configuring and Install Firewall Policies
Task Overview

The initial configuration of firewall policies involves the following tasks:
• Log in to the Policy Editor
• Define a firewall object in the Policy Editor
• Establish a trusted Secure Internal Communications (SIC) link between the EMC and the Firewall Director
• If using central licensing, enter a license for the firewall object
• Create security policies and install them on the Firewall Director

The following material describes each of these tasks. However, please refer to your complete Check Point documentation for more details on using your Check Point tools.
Log in to the Policy Editor
1. Launch the Policy Editor software. Select the Policy Editor icon from the Check Point Management Clients directory:
2. Log in using an administrator account:
Enter one of the user name/password combinations configured during the installation of the EMC tools during Step 12 on page 85.
Specify the IP address of the EMC in the Management Server field and click the OK button.
3. Verify the Check Point fingerprint. At this point, the Policy Editor will contact the EMC. Since this is the first contact, you will be prompted to verify the current fingerprint:
Click the Approve button to verify that the fingerprint is the same as the one obtained during installation of the EMC tools during Step 16 on page 88.
Define the Alteon Switched Firewall Object
1. Create a new Gateway object to represent the newly installed Firewall Director. From the Policy Editor menu bar, select Manage | Network Objects. When the Network Objects window appears, click on the New button and select Check Point | Gateway from the pop-up list.
2. When prompted, select “Classic node” configuration and click on the OK button.
3. Define the Firewall Director object parameters:
Enter the following information:
• Name: The name of the newly installed Firewall Director. The EMC must be configured to resolve this name to the IP address below.
• IP Address: The address of the newly installed Firewall Director. In our example, the address is 192.168.1.3.
• Check Point products: Select NG Feature Pack 2.
• FireWall-1: Check this item in the list window.
NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.
Leave the Workstation Properties window open for use in the next steps.
Establish Secure Internal Communications
1. Establish trust between the Policy Editor and the Firewall Director. Check Point FireWall-1 NG uses a one-time password to initiate Secure Internal Communications (SIC) between configured objects and the EMC.
To establish SIC, click on the Communication button in the Workstation Properties window. The Communications window will appear:
Enter the same one-time SIC password that was defined during the Firewall Director initial setup in Step 9 on page 77 and click on the Initialize button.
The EMC will attempt to contact the Firewall Director and exchange security information. When successful, the window will indicate “Trust established.”
2. Close the Communications window.
3. Get the interfaces for the Firewall Director object. Select the Topology section of the Check Point Gateway window and click on the Get Topology button. This retrieves the interfaces that were configured on the Firewall Director. The Get Topology button displays linked and enabled networks only.
NOTE – When using antispoofing, a message may appear stating that the Get Topology function was only partially successful. When this occurs, “IP addresses behind the interface” will be undefined. Select each interface and use the Edit button to manually configure the undefined address. The address should represent the full range of valid source IP addresses attached through the interface. These addresses must be configured prior to loading policies to the Firewall Director.
4. Close the Workstation Properties window.
5. From the Policy Editor menu bar, select File | Save.
Using Central Licensing

If using central licensing, install a license for the Firewall Director object.
NOTE – If local licensing was used in configuring interfaces in Step 1 on page 78, skip ahead to “Create and Install Firewall Policies” on page 95.
Central licenses can be easily installed, managed, or deleted using the Secure Update portion of your Check Point management tools. See your complete Check Point documentation for details.
Alternately, you can use the Windows NT command line to install a central license as follows:
1. Edit the hosts file on the EMC.

Edit the c:\winnt\system32\drivers\etc\hosts file on the EMC and add one line with the Firewall Director IP address and name. For example:
192.168.1.3 isd1
2. Run the cprlic command. Click on your desktop Start button and select Run. When the Run window appears, specify cmd as the program to open and click on the OK button. In the command window, enter the license installation command in the following format:
c:\winnt\fw1\5.0\bin\cprlic put
Be sure to enter the information exactly as shown on your specific Check Point license.
3. Verify the license. To verify that the central license is installed properly, login as root on the Firewall Director and issue the following command:
cplic print -x -type

The output of this command should display the installed license information.
Create and Install Firewall Policies
1. Create a firewall policy test rule. At this point in the initial setup, a test is recommended to ensure that the system components are properly configured. For this test, create a policy rule that allows any and all traffic to pass through the firewall. Later, once firewall operation is confirmed, you can create firewall security rules that restrict undesirable traffic.
From the Policy Editor menu bar, select Rules | Add Rule | Top. A new rule will be added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic from any source to any destination will not pass through the firewall.
Change the action of the new rule to “accept” by right-clicking on the “drop” action icon and selecting “accept” as the new action from the pop-up list.
Also change the track setting to “log” by right-clicking on the “none” setting and selecting “log” as the new track setting from the pop-up list.
2. Install the rulebase to the Firewall Director. From the menu bar, select Policy | Install. When the Install Policy window appears, select the firewall cluster object and click on the OK button.
NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear. Please refer to your company’s security policy and your Check Point documentation to determine whether antispoofing is necessary for your firewall.
Click on the OK button to initiate installing the rulebase.
Close the Install Policy window when the process is complete.

3. Use the Log Viewer program to confirm proper operation of the Firewall Director. The Log Viewer lists all traffic being processed, accepted, dropped, and so on. To confirm that the Alteon Switched Firewall is properly configured, select the Log Viewer Active Mode. Use a client station to ping the firewall. If the Log Viewer displays an entry for the ping traffic, the configuration is good.
NOTE – The Log Viewer is an excellent tool for debugging and enhancing your security rules. See your complete Check Point documentation for details regarding this essential tool.
4. Use the Policy Editor to remove the test rule generated in Step 1.

5. Create and install complete firewall security rules. The exact nature of the rules included in the security policy will depend on your specific needs. In general, it is recommended to drop all traffic except that which is specifically required. Please refer to your company’s security policy and see your complete Check Point documentation for more information about creating and maintaining effective security policies.
CHAPTER 4 System Management Basics
This chapter explains how to access system management features on the Alteon Switched Firewall. Management access is required for collecting system information, configuring system parameters beyond initial setup, establishing firewall security policies, and monitoring policy effectiveness.
Management Tools
The Alteon Switched Firewall provides the following system management tools:
• The Command Line Interface (CLI) – The CLI offers a simple, text-based menu system for collecting system information and configuring system parameters. Use of the CLI is required for initial setup of the system. The CLI can be accessed locally at any Firewall Director or remotely via Telnet or Secure Shell (SSH). For details, see “The Command Line Interface” on page 101.
• The Browser-Based Interface (BBI) – The BBI allows management via your Web browser. The BBI must be enabled through the CLI after initial setup is complete. Once enabled, the BBI can be accessed by workstations included in the access list. The BBI provides a richly featured, graphical user interface that makes routine configuration and data collection easier. For details, see “The Browser-Based Interface” on page 115.
• The Check Point FireWall-1 NG interface – The built-in Check Point software interfaces with remote Check Point management tools. Using your required Check Point Enterprise Management Console and a management client such as the Check Point Policy Editor, you can manage the Alteon Switched Firewall policies, and view firewall logs and operational status. For details, see your Check Point documentation.
Users and Passwords
Access to Alteon Switched Firewall functions is controlled through the use of unique user names and passwords. Once you establish a connection to the system via a local console or remote Telnet, SSH, or Web-browser, you are prompted to log in. To log in, you must enter a valid user name and its matching password. To enable better system management and user accountability, there are four different kinds of users, each with different levels of system access.
The default user names and passwords for each access level are listed in Table 4-1. User names and passwords are case sensitive.
Table 4-1 User Access Levels
User Name | Password | Description and Tasks Performed
oper | oper | The operator login is available through the CLI and BBI. The operator has no direct responsibility for system management. He or she can view all configuration information and operating statistics, but cannot make any configuration changes.
admin | admin | The administrator login is available through the CLI and BBI. The administrator has complete access to all menus, information, and configuration commands on the system, including the ability to add users and change passwords.
boot | ForgetMe | The boot login is available only through a local console terminal. The boot user can restore default passwords by reinstalling the Firewall Director software if no other method of access is available (see “Recovering from a Lock-Out” on page 403). To ensure that one avenue of access is always available in case all passwords are changed and lost, the boot user password cannot be changed.
root | ForgetMe | The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root user functions are outside the scope of this documentation.
NOTE – It is recommended that you change all the default passwords after initial configuration and as regularly as required under your network security policies. For more information, see “User Menu” on page 230 for CLI command or “Administration / Users” on page 168 for BBI forms.
The Single System Image
The Alteon Switched Firewall system uses a Single System Image (SSI). Though the system can be composed of multiple Firewall Director and Firewall Accelerator components, the SSI allows all components to be configured and updated as a whole. When you make configuration changes at any CLI or BBI management point, those changes are automatically synchronized to the other components as required, simplifying the management process.
Through the SSI, most configuration commands affect the entire Alteon Switched Firewall cluster. In general, features cannot be enabled or disabled on individual Firewall Directors.
The SSI is also used when updating system software. Just as with configuration changes, software updates installed at any CLI management point are automatically installed on all other components as required.
CHAPTER 5 The Command Line Interface
The Command Line Interface (CLI) is the most direct method for viewing information about the Alteon Switched Firewall. In addition, you can use the CLI for performing all levels of system configuration.
The CLI is text-based, and can be viewed using a basic terminal. The various commands are logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.
This chapter describes how to access the CLI locally through any Firewall Director serial port, or remotely using a Telnet or Secure Shell (SSH) client. It also provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
NOTE – Before the CLI can be used, minimal configuration must be performed as discussed in Chapter 3, “Initial Setup” on page 71.
Accessing the Command Line Interface
Using the Local Serial Port

Any Firewall Director serial port provides direct, local access for managing the Alteon Switched Firewall. For details on attaching a console terminal to the serial port and establishing a connection, see “Connecting a Console Terminal” on page 68.
Once the connection is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).
Defining the Remote Access List

The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the remote access list.
The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system. There is only one remote access list which is shared by all remote management features.
If a client whose IP address is not on the list requests remote management access, the request is dropped. By default, the access list is empty, meaning that all remote management access is initially disallowed.
When a client’s IP address is added to the access list, that client is permitted to access all enabled remote management features. For example, if only the Telnet feature is enabled, the client will be able to use Telnet to reach the CLI. If the BBI is also enabled, the same client will be able to use their Web-browser to manage the system without any changes being made to the access list.
NOTE – When a remote management feature is enabled, access will not be allowed if the access list is left empty. Add all trusted management clients to the access list when initially enabling any remote management feature. It is also vital that you review the access list regularly and keep it up to date.
Displaying the Access List

The following CLI command is used to view the access list:
>> # /cfg/sys/accesslist/list
Adding Items to the Access List

The following CLI commands are used to permit remote management access to a specific IP address or range of IP addresses.
1. Select the Access List menu:
>> # /cfg/sys/accesslist
2. Add trusted remote IP addresses to the list:
>> Access List# add
The add command can be repeated for as many remote managers as required. For example, to allow IP addresses 201.10.14.7 and 214.139.0.0/24 to access remote management features, the following commands could be used:
>> # /cfg/sys/accesslist                             (Select access list menu)
>> Access List# add 201.10.14.7 255.255.255.255      (Add single address)
>> Access List# add 214.139.0.0 255.255.255.0        (Add range of addresses)
NOTE – Although each remote management feature (Telnet, SSH, and BBI) can be enabled or disabled independently, all share the same access list. All addresses on the access list are permitted to access any enabled management feature. You cannot enable SSH for some and Telnet for others.
3. Apply the changes:
>> Access List# apply
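The access-list behaviour described above (one list shared by Telnet, SSH and the BBI; entries made of an address plus a mask; an empty list refusing every remote client; a client admitted to whichever features are enabled) is modelled here as a small Python checker so the consequences of an entry can be tried out before it is applied. This is an added example and not Alteon code: the class and method names are hypothetical, and the two sample entries are the addresses from the CLI example in this section.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not Alteon code): a model of the shared remote-management
# access list described in this chapter. Entry, RemoteManagement and the
# method names are hypothetical; the decision rules follow the manual text.


@dataclass(frozen=True)
class Entry:
    """One 'add <address> <mask>' line entered under /cfg/sys/accesslist."""
    address: str
    mask: str

    def network(self) -> ipaddress.IPv4Network:
        # A single host uses mask 255.255.255.255; a range uses a shorter mask.
        return ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False)


@dataclass
class RemoteManagement:
    """Enable flags from /cfg/sys/adm plus the single cluster-wide access list."""
    telnet: bool = False
    ssh: bool = False
    bbi: bool = False
    access_list: list = field(default_factory=list)

    def add(self, address: str, mask: str) -> None:
        """Equivalent of '>> Access List# add <address> <mask>'."""
        self.access_list.append(Entry(address, mask))

    def feature_enabled(self, feature: str) -> bool:
        flags = {"telnet": self.telnet, "ssh": self.ssh, "bbi": self.bbi}
        if feature not in flags:
            raise ValueError(f"unknown remote management feature: {feature}")
        return flags[feature]

    def is_permitted(self, client_ip: str, feature: str) -> bool:
        """Decide whether a client may reach one remote management feature.

        The checks mirror the text: the feature must be enabled, the list
        must be non-empty (an empty list refuses all remote access), and the
        client must fall inside at least one entry. The same list serves
        every feature, so there is no per-feature allow decision.
        """
        if not self.feature_enabled(feature):
            return False
        if not self.access_list:
            return False
        client = ipaddress.ip_address(client_ip)
        return any(client in entry.network() for entry in self.access_list)

    def review(self) -> list:
        """Findings an administrator would want to see before 'apply'."""
        findings = []
        enabled = [f for f in ("telnet", "ssh", "bbi") if self.feature_enabled(f)]
        if enabled and not self.access_list:
            findings.append("remote feature enabled but access list is empty: "
                            "no client can connect until entries are added")
        if self.telnet:
            findings.append("telnet is enabled: credentials and session data "
                            "cross the network unencrypted; prefer SSH")
        for entry in self.access_list:
            size = entry.network().num_addresses
            if size > 256:
                findings.append(f"entry {entry.address}/{entry.mask} admits "
                                f"{size} addresses; confirm the whole range is trusted")
        return findings


def example_from_manual() -> RemoteManagement:
    """The two entries from the CLI example in this section, with Telnet enabled."""
    rm = RemoteManagement(telnet=True)
    rm.add("201.10.14.7", "255.255.255.255")   # single address
    rm.add("214.139.0.0", "255.255.255.0")     # range of addresses
    return rm


if __name__ == "__main__":
    rm = example_from_manual()
    for ip, feature in [("201.10.14.7", "telnet"), ("214.139.0.77", "telnet"),
                        ("214.140.0.1", "telnet"), ("201.10.14.7", "bbi")]:
        verdict = "permitted" if rm.is_permitted(ip, feature) else "dropped"
        print(f"{ip:>14} via {feature:<6}: {verdict}")
    for line in rm.review():
        print("review:", line)
```

Enabling the BBI on the same object (`rm.bbi = True`) admits the listed clients to the BBI with no change to the list, which is the shared-list behaviour the NOTE above describes.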
Using Telnet

A Telnet connection allows convenient management of the Alteon Switched Firewall from any workstation connected to the network. Telnet access provides the same management options as those available through the local serial port.
By default, Telnet access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable Telnet and permit remote access to one or more trusted client stations.
NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Alteon Switched Firewall is sent in cleartext, and the client has no way to verify that it is talking to the genuine device. If secure remote access is required, use Secure Shell (SSH) instead (see “Using Secure Shell” on page 106).
Enabling Telnet Access
Before Telnet access is possible, some configuration must first be performed using the serial port.
1. Log in as the administrator using the local serial port.
2. Check that the Firewall Directors are configured with proper IP addresses. Each Firewall Director requires its own unique IP address, as well as one Management IP (MIP) address which represents the entire Alteon Switched Firewall cluster. These IP addresses are configured during the initial setup of the cluster (see Chapter 3, “Initial Setup,” on page 71).
3. Enable Telnet access. For security purposes, Telnet access is initially disabled. To explicitly enable Telnet for the cluster, issue the following commands:
>> # /cfg/sys/adm/telnet/ena
>> Administration Applications# apply
NOTE – The telnet command affects the entire Alteon Switched Firewall cluster. Telnet access cannot be enabled or disabled on individual Firewall Directors.
4. Use the access list to permit remote access to trusted clients. If you have already configured the access list for SSH or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.
5. Use the Check Point Policy Editor on your management client to add a security policy that allows Telnet traffic. The firewall policy should be constructed as follows:
- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: Telnet
- Action: Allow
Starting the Telnet Session
Remote Telnet access requires a workstation with Telnet client software. To establish a Telnet session, run the Telnet client software on your workstation and connect to the cluster MIP address:

telnet <MIP address>

Using the MIP, you can make configuration changes to the cluster as a whole, and you can use the individual CLI host menus to halt or reboot a particular Firewall Director in a cluster or reset its configuration to the factory default settings. There is no need to connect to the IP address of a particular Firewall Director.
Once the Telnet session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).
Using Secure Shell
A Secure Shell (SSH) connection allows convenient and secure management of the Alteon Switched Firewall from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port.
SSH access provides the following security benefits:
- Server host authentication
- Encryption of management messages
- Encryption of passwords for user authentication

By default, SSH access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable SSH and permit remote access to one or more trusted client stations.
Enabling SSH Access on the Alteon Switched Firewall
Before SSH access is possible, some configuration must first be performed using the serial port or an already enabled remote management feature.
1. Log in as the administrator.
2. Check that the Firewall Directors are configured with proper IP addresses. Each Firewall Director requires its own unique IP address, as well as one Management IP (MIP) address which represents the entire Alteon Switched Firewall cluster. These IP addresses are configured during the initial setup of the cluster (see Chapter 3, “Initial Setup,” on page 71).
3. Enable SSH access. For security purposes, SSH access is initially disabled. To explicitly enable SSH for the cluster, issue the following commands:
>> # /cfg/sys/adm/ssh/ena
>> Administration Applications# apply
NOTE – The ssh command affects the entire Alteon Switched Firewall cluster. SSH access cannot be enabled or disabled on individual Firewall Directors.
4. If necessary, generate new SSH keys. During the initial setup of the Alteon Switched Firewall, it was recommended that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client.
If you fear that your SSH host keys have been compromised, or at any time your security pol- icy dictates, you can create new host keys using the following CLI command:
>> # /cfg/sys/adm/ssh/gensshkey >> Administration Applications# apply
When reconnecting to the Alteon Switched Firewall after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has changed. Accept the new key only if you generated it yourself and have confirmed it through a channel you trust; an unexpected host key warning can mean that the connection is being intercepted.
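The following added example (not from this guide or the product) shows the client-side handling a practitioner should pair with gensshkey: parse the OpenSSH known_hosts entry for the cluster MIP, compute the OpenSSH-style SHA256 fingerprint of the key the server presents, and distinguish an expected rotation from an unexpected change. The keys, the MIP address and the known_hosts line are constructed dummies. It is assumed that the fingerprint of a freshly generated key can be obtained through a trusted channel such as the local serial port; this guide does not describe such a command, so treat that as a local procedure you must establish.

```python
"""Host-key pinning for SSH access to the cluster MIP after 'gensshkey'.

Added example (not product code).  Keys below are constructed dummies.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:<base64 without padding>' fingerprint of a key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> key blob for plain (non-hashed) known_hosts lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        pinned[(host, keytype)] = base64.b64decode(b64)
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, presented: bytes,
                   expected_fp: str = None) -> str:
    """Decide what to do with the host key the server just presented.

    expected_fp is the fingerprint confirmed out of band after gensshkey.
    Returns "first contact", "match", "rotated" or "CHANGED: verify before accepting".
    """
    known = pinned.get((host, keytype))
    if known is None:
        return "first contact"
    if known == presented:
        return "match"
    if expected_fp is not None and fingerprint(presented) == expected_fp:
        return "rotated"
    return "CHANGED: verify before accepting"


def make_dummy_key(seed: bytes) -> bytes:
    """Constructed blob in ssh-ed25519 shape: string(type) + string(32 bytes)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())


MIP = "192.168.1.1"  # constructed cluster MIP address
OLD_KEY = make_dummy_key(b"old cluster host key")
NEW_KEY = make_dummy_key(b"host key after gensshkey")
KNOWN_HOSTS = MIP + " ssh-ed25519 " + base64.b64encode(OLD_KEY).decode() + "\n"


def demo() -> dict:
    """Four connection attempts against the pinned entry (constructed)."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    return {
        "unchanged": check_host_key(pinned, MIP, "ssh-ed25519", OLD_KEY),
        "unexpected": check_host_key(pinned, MIP, "ssh-ed25519", NEW_KEY),
        "confirmed": check_host_key(pinned, MIP, "ssh-ed25519", NEW_KEY,
                                    expected_fp=fingerprint(NEW_KEY)),
        "new_host": check_host_key(pinned, "10.0.0.9", "ssh-ed25519", NEW_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} {verdict}")
    print("new fingerprint:", fingerprint(NEW_KEY))
```

The "unexpected" verdict is the one to act on: the warning your SSH client prints after gensshkey is indistinguishable from the warning it prints when someone else answers on the MIP address, and only the out-of-band fingerprint tells the two apart.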
5. Use the access list to permit remote access to trusted clients. If you have already configured the access list for Telnet or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.
6. Use the Check Point Policy Editor on your management client to add a security policy that allows SSH traffic. The firewall policy should be constructed as follows:
- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: SSH
- Action: Allow
Starting the SSH Session
Remote SSH access requires a workstation with SSH client software. To establish an SSH connection with the Alteon Switched Firewall, run the SSH program on your workstation by issuing the following SSH command:

ssh -l <user name> <MIP address>

where the -l (lower case L) option is followed by the user name (admin, oper, and so on) being logged in, and then by the cluster MIP address.
NOTE – You cannot log in as boot or root using SSH.
Using the MIP address, you can make configuration changes to the cluster as a whole and to individual Firewall Directors as appropriate. There is no need to connect to the IP address of a particular Firewall Director.
Once the SSH session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).
Using the Command Line Interface
Basic Operation
Using the CLI, Alteon Switched Firewall administration is performed in the following manner:
- The administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.
- Most changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect when entered (such as changes to users and passwords). Commands that take effect immediately are noted in the command descriptions (see Chapter 7, “Command Reference”).
- In order to save changes and make them take effect, the administrator must use the global apply command. This allows the administrator to make an entire series of changes and then put them into effect all at once.
- Using the validate command on the Main Menu, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the apply command will not be allowed.
- The global diff command can be used to view pending changes before they are applied.
- To clear all pending changes, the administrator can use the global revert command and then continue the configuration session, or the global exit command to log out from the system. Closing your remote session will also discard pending changes, though exiting manually is preferred.
NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only pending changes made during your current session will be affected by the diff, revert, or exit commands. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
The Main Menu
After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed. Figure 5-1 shows the Main Menu with administrator privileges:

[Main Menu]
     info     - Information Menu
     cfg      - Configuration Menu
     boot     - Boot Menu
     maint    - Maintenance Menu
     diff     - Show pending config changes [global command]
     validate - Validate configuration
     security - Display security status
     apply    - Apply pending config changes [global command]
     revert   - Revert pending config changes [global command]
     paste    - Restore saved config with key [global command]
     help     - Show command help [global command]
     exit     - Exit [global command, always available]
>> Main#
Figure 5-1 Administrator Main Menu
For more information about initial system setup, see Chapter 3, “Initial Setup,” on page 71. For details about accessing the CLI, see “Accessing the Command Line Interface” on page 102.
Idle Time-out
By default, the system will disconnect your CLI session after ten minutes of inactivity. This function is controlled by the idle time-out parameter as shown in the following command:

>> # /cfg/sys/adm/idle <minutes>

where the time-out period is specified as an integer from 5 to 60 minutes.
Multiple Administration Sessions
It is possible to have more than one CLI or BBI administrator session open at the same time. Although each concurrent administrator session is independent, when configuration changes are saved to the Single Software Image (SSI) that is shared by the cluster, the saved changes affect all users. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
Global Commands
Some basic commands are recognized throughout the entire menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:

Table 5-1 Global CLI Commands

Command       Action
help [command]
.             Redisplay the current menu.
.. or up      Go up one level in the menu structure.
/             If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.
apply         Apply and save pending configuration changes.
diff          Show any pending configuration changes.
exit          Exit from the CLI and log out.
lines
nslookup      Find the IP address or host name of a network device. The format is as follows: nslookup <IP address or host name>
paste         Set a password for restoring a saved configuration dump file that includes encrypted private keys.
ping          Use this command to verify station-to-station connectivity across the network. The format is as follows: ping <IP address or host name>
pwd           Display the command path used to reach the current menu.
revert        Cancel all pending configuration changes.
traceroute    Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows: traceroute <IP address or host name>
verbose
Command Line History and Editing
Using the CLI, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 5-2 Command Line History and Editing Options

Option        Description
history       Display a numbered list of the last 10 previously entered commands.
!!            Repeat the last entered command.
!
Other keys    Insert new characters at the cursor position.
Command Line Shortcuts

Command Stacking
As a shortcut, you can type multiple commands on a single line separated by forward slashes ( / ). You can connect as many commands as required to access the menu option that you want. For example, the command stack to access the Cluster Configuration menu from the Main# prompt is as follows:

>> Main# cfg/sys/cluster

Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

>> Main# c/s/cl

Tab Completion
By entering the first letter of a command at any menu prompt and pressing
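As an added example, not the Firewall OS implementation, the following Python resolver shows how stacking, abbreviation and Tab completion work together on a menu tree: each component must be an exact menu name or a prefix that matches exactly one entry, and an ambiguous prefix is rejected rather than guessed. The MENU table is a constructed subset built only from the menu names and paths that appear in this chapter; the real menu contains more entries, so a prefix that is unique here may be ambiguous on the product.

```python
"""Resolver for Alteon CLI command stacking, abbreviation and completion.

Added example (not product code).  MENU is a constructed subset of the
real menu tree, built from paths that appear in this chapter.
"""

MENU = {
    "info": {},
    "cfg": {"sys": {"accesslist": {"add": {}, "list": {}},
                    "adm": {"telnet": {}, "ssh": {}, "web": {}, "idle": {}},
                    "cluster": {}}},
    "boot": {}, "maint": {}, "diff": {}, "validate": {}, "security": {},
    "apply": {}, "revert": {}, "paste": {}, "help": {}, "exit": {},
}


def complete(menu: dict, prefix: str) -> list:
    """Names in this menu that start with prefix (what Tab completion offers)."""
    return sorted(name for name in menu if name.startswith(prefix))


def resolve(path: str, cwd=(), root=MENU) -> tuple:
    """Expand a stacked path such as 'c/s/cl' to its full menu names.

    A leading '/' restarts at the Main Menu; '..' or 'up' goes one level up.
    Each component must be an exact name or an unambiguous prefix.
    """
    if path.startswith("/"):
        cwd = ()
        path = path[1:]
    location = list(cwd)
    for part in filter(None, path.split("/")):
        if part in ("..", "up"):
            if location:
                location.pop()
            continue
        menu = root
        for name in location:          # descend to the current menu
            menu = menu[name]
        if part in menu:               # an exact name always wins
            location.append(part)
            continue
        candidates = complete(menu, part)
        if len(candidates) != 1:
            where = "/" + "/".join(location) if location else "/"
            kind = "ambiguous" if candidates else "unknown"
            raise ValueError(f"'{part}' is {kind} in {where}: {candidates}")
        location.append(candidates[0])
    return tuple(location)


if __name__ == "__main__":
    print(resolve("c/s/cl"))                   # ('cfg', 'sys', 'cluster')
    print(resolve("/cfg/sys/adm/t"))           # ('cfg', 'sys', 'adm', 'telnet')
    print(resolve("../accesslist/l", cwd=("cfg", "sys", "adm")))
    print(complete(MENU["cfg"]["sys"], "a"))   # ['accesslist', 'adm']
    try:
        resolve("c/s/a")                       # accesslist or adm? refused
    except ValueError as err:
        print(err)
```

The refused "c/s/a" case is the one to remember when scripting against the CLI: an abbreviation that works today can become ambiguous after a software release adds a menu entry, so scripts should use full names.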
CHAPTER 6 The Browser-Based Interface
This chapter explains how to use the Browser-Based Interface (BBI) to access Alteon Switched Firewall system management features from your Web browser.
Features
The BBI provides the following features:
- Intuitive and easy-to-use interface structure
- Most of the same configuration and monitoring functions available through the Command Line Interface (CLI)
- Can be accessed using HTTP, or secure HTTPS using Secure Socket Layer (SSL)
- Nothing to install; the BBI is part of the Firewall OS software
- Can be upgraded along with future software releases as available
Getting Started
Requirements
- An installed Alteon Switched Firewall
- PC or workstation with network access to the cluster Management IP (MIP) address
- Frame-capable Web-browser software, such as the following:
  - Netscape Navigator 4.6 or higher
  - Internet Explorer 5.0 or higher
- JavaScript enabled in your Web-browser
Enabling the Browser-Based Interface
Before BBI access is possible, some configuration must first be performed using the CLI. For information on accessing and using the CLI, see Chapter 5, “The Command Line Interface.”
1. Enable the BBI. By default, the BBI is enabled for HTTP access, and disabled for HTTPS access. The BBI can be enabled for HTTP and/or HTTPS, or fully disabled.
NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Alteon Switched Firewall is unencrypted and is subject only to weak authentication. If secure remote access is required, use HTTPS instead of HTTP.
To explicitly allow remote BBI access, enter the following commands in the CLI.
n To enable HTTP access:
>> # /cfg/sys/adm/web/http/ena
n To enable HTTPS access using SSL:
>> # /cfg/sys/adm/web/ssl/ena
2. If using HTTPS, generate a temporary certificate. An SSL server certificate is required for HTTPS access to the BBI. The Firewall Director can generate a temporary, self-signed certificate. The command to create a default certificate is as follows:

>> SSL configuration# certs/serv/gen <Name> <Country code> <Key size>

where Name is the common name that will appear on the certificate, Country code is a two-letter code (US for the United States of America, CA for Canada, JP for Japan, etc.), and Key size is 512, 1024, or 2048 bits. Prefer 2048 bits where your browsers support it; a 512-bit RSA key can be factored with modest computing resources and gives no real protection. For example:

>> SSL configuration# certs/serv/gen Alteon US 1024
NOTE – When you log in to the BBI with the temporary certificate, you will be warned that the certificate is not signed or authenticated. This should be permitted only during initial configuration where the system is not attached to active networks that could be a source of attack. Install a signed and authenticated certificate prior to connecting any untrusted network.
3. Apply the changes.
>> SSL configuration# apply
4. Use the access list to permit remote access to trusted clients. If you have already configured the access list for Telnet or SSH, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.
5. Use the Check Point Policy Editor on your management client to add a security policy that allows BBI traffic. The firewall policy should be constructed as follows:
- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: HTTP for non-secure access, or SSL for HTTPS access
- Action: Allow
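The following is an added example (not from this guide, Nortel or Check Point) that models the management-access rule base the three policy steps in this guide ask for, for Telnet (page 104), SSH (page 107) and the BBI above, and evaluates sample connections against it with first-match semantics and an implicit final drop. The MIP address, the management network 10.20.30.0/24, the outside address and the service-to-port table are constructed. The Telnet rule is deliberately left out of the constructed rule base, and the cluster's own access list still applies to whatever the firewall policy lets through.

```python
"""First-match evaluation of management-access rules for the cluster MIP.

Added example (not product or Check Point code).  Addresses and the
service table are constructed for the example.
"""
import ipaddress

SERVICES = {"Telnet": ("tcp", 23), "SSH": ("tcp", 22),
            "HTTP": ("tcp", 80), "SSL": ("tcp", 443)}

MIP = "192.168.1.1"                     # constructed cluster MIP
MGMT_NET = "10.20.30.0/24"              # constructed management network


def make_rule(source, destination, service, action):
    """One rule in the guide's shape: Source, Destination, Service, Action."""
    return {"src": ipaddress.ip_network(source, strict=False),
            "dst": ipaddress.ip_network(destination, strict=False),
            "svc": SERVICES[service], "action": action, "name": service}


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, matched rule name); unmatched traffic hits the implicit drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"] and rule["svc"] == (proto, dport):
            return rule["action"], rule["name"]
    return "Drop", "implicit drop"


# Management access restricted to the management network, SSH and HTTPS only.
# Telnet and plain HTTP are left out on purpose: both carry passwords in cleartext.
RULES = [
    make_rule(MGMT_NET, MIP + "/32", "SSH", "Allow"),
    make_rule(MGMT_NET, MIP + "/32", "SSL", "Allow"),
]


def demo():
    """Constructed connection attempts evaluated against RULES."""
    cases = {
        "ssh_from_mgmt": ("10.20.30.15", MIP, "tcp", 22),
        "https_from_mgmt": ("10.20.30.15", MIP, "tcp", 443),
        "http_from_mgmt": ("10.20.30.15", MIP, "tcp", 80),      # no HTTP rule
        "telnet_from_mgmt": ("10.20.30.15", MIP, "tcp", 23),    # no Telnet rule
        "ssh_from_outside": ("203.0.113.7", MIP, "tcp", 22),    # wrong source
        "ssh_to_other_host": ("10.20.30.15", "192.168.1.50", "tcp", 22),
    }
    return {name: evaluate(RULES, *conn) for name, conn in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:18s} {action:5s} ({rule})")
```

Two things the table of results makes visible that the four-line policy description does not: HTTPS needs its own service entry (SSL on TCP 443) and is not covered by an HTTP rule, and a rule whose destination is the MIP does not open the individual Firewall Director addresses.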
Setting Up the Web-Browser
Most modern Web-browsers work with JavaScript by default and require no additional set up. However, you should check your Web-browser’s features and configuration to make sure JavaScript is enabled.
NOTE – JavaScript is not the same as Java. Please make sure that JavaScript is enabled in your Web-browser.
Starting the Browser-Based Interface
When the Firewall Director and browser setup is done, follow these steps to launch the BBI:
1. Start your Web-browser.
2. Enter the Alteon Switched Firewall MIP address in the Web-browser’s URL field. For example, consider a cluster MIP address of 192.168.1.1. Using Netscape Navigator, you could enter the following:
If the MIP address has a name on your local domain name server, you could enter the name instead. For example, with Internet Explorer, you could enter the following:
NOTE – When you use HTTPS to connect to the BBI with a temporary certificate, you will be warned that the certificate is not signed or authenticated. This should be permitted only during initial configuration where the system is not attached to active networks that could be a source of attack. Install a signed and authenticated certificate prior to connecting any untrusted network.
3. Log in. If your Alteon Switched Firewall and browser are properly configured, you will be asked to enter a password:
Enter the account name and password for the system administrator or operator account. For more login and password information, see “Users and Passwords” on page 98.
4. Allow the main page to load. When the proper account name and password combination is entered, the BBI default page is displayed in your browser’s viewing window:
NOTE – There may be a few seconds delay while the default page collects data from all of the cluster components. You should not stop the browser while loading is in progress.
Basics of the Browser-Based Interface
Interface Components
The BBI screen consists of the following areas:
- Main Page Menu: The buttons in this area (Monitor, Cluster, and so on) represent the main categories of forms available for collecting information and configuring the system. Each main category contains a variety of sub-pages.
- Sub-Pages Menu: These buttons represent the sub-categories under each main page. A different list of sub-pages is available for each main page. When a sub-page is selected, the appropriate information and configuration fields are displayed in the forms area. The various pages are described in detail in the “BBI Forms Reference” on page 122.
- Forms Area: This area contains fields that display information or allow you to specify information for configuring the system. The fields are different for each sub-page.
- Global Command Buttons: These buttons are available from any page. The buttons display forms used for saving, examining, or aborting configuration changes, and for displaying help information for the current page.
Basic Operation
Using the BBI, Alteon Switched Firewall administration is performed in the following manner:
- The administrator selects from a series of pages and sub-pages, and modifies fields to create the desired configuration.
- When finished making changes on any given page, the administrator submits the form using the appropriate Update buttons. If the user selects a new form or ends the session without submitting the information, the changes are lost.
- Most submitted changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect as soon as the form is submitted: changes to users and passwords, and setting the time or time zone.
- In order to save changes and make them take effect, the administrator must use the global Apply form. This allows the administrator to make an entire series of updates on multiple forms and then put them into effect all at once.
- From the Apply form, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the Apply command will not be allowed.
- The global Diff form can be used to view pending changes before they are applied.
- To clear all pending changes, the administrator can use the global Revert form and then continue the configuration session, or the global Logout form to exit from the system. Closing your browser will also discard pending changes, though logging out manually is preferred.
NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only pending changes made during your current session will be affected by the Diff, Revert, or Logout commands. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
BBI Forms Reference
Global Command Forms
The global command buttons are always available at the top of each form:
These buttons summon pages which are used for saving, examining, or aborting configuration changes, logging out, and for displaying help information. Each global command page pro- vides options to verify or cancel the command as appropriate.
Apply
The global Apply form is used for checking the validity of the current session’s pending configuration changes, and for saving the configuration changes and putting them into effect.
This form includes the following items:
- Apply Changes pull-down menu. To use this menu, select one of the following options and click on the Submit button:
  - Apply Changes: When submitted, this action updates the cluster with any pending configuration changes. Pending changes are first validated for correctness (see below). If problems are found, applicable warning and error messages are displayed. If errors are found, the changes are not applied. If there are no errors (warnings are allowed), the changes are saved and put into effect. This command has no effect on pending changes in other open CLI or BBI sessions.
NOTE – The global Revert command clears pending changes. It cannot be used to restore the old configuration after the Apply Changes command has been issued.
  - Validate Configuration: When submitted, this option validates the current session’s pending changes, but does not apply them. The pending configuration changes are examined to ensure that they are complete and consistent. If problems are found, the following types of messages are displayed:
    Warnings. These appear in yellow. Warnings identify conditions that the administrator should pay special attention to, but which will not cause errors or prevent the configuration from being applied.
    Errors. These appear in red. Errors identify serious configuration problems that must be corrected before changes can be applied. Uncorrected errors will cause the Apply Changes command to fail.
    If the configuration is valid, the administrator must still separately submit the Apply Changes command.
  - Run Security Audit: When submitted, this option lists security information, such as the status (enabled or disabled) of the remote management features (Telnet, SSH, and the BBI) for the cluster and the IP addresses which can access them. It also lists which users (if any) are still configured with default passwords, which should be changed.
- Submit button. This button performs the action selected in the Apply Changes pull-down menu.
- Back button. This button returns to the previously viewed form without applying changes.
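The following is an added example, not the product's own code: a Python model of the pending-change semantics described in this form and in the CLI Basic Operation section of Chapter 5, with one change set per session, validate producing warnings (allowed) and errors (which block apply), diff and revert confined to the calling session, and the later apply winning when two sessions change the same parameter. The validation rules are a constructed subset that encodes cautions stated in this guide (a remote management feature with an empty access list, Telnet or plain HTTP enabled, an idle time-out outside 5 to 60 minutes); they are not the checks the product actually performs.

```python
"""Model of pending changes, validate/apply and concurrent sessions.

Added example (not product code).  The validation rules are a constructed
subset of cautions stated in the guide, not the product's real checks.
"""
import copy

DEFAULT_CONFIG = {
    "telnet": False, "ssh": False, "http": True, "ssl": False,
    "accesslist": [], "idle": 10,
}


def validate(config):
    """Return (warnings, errors) for a candidate configuration."""
    warnings, errors = [], []
    remote = any(config[k] for k in ("telnet", "ssh", "http", "ssl"))
    if remote and not config["accesslist"]:
        errors.append("remote management enabled but access list is empty")
    if config["telnet"]:
        warnings.append("Telnet is enabled: passwords cross the network in cleartext")
    if config["http"]:
        warnings.append("BBI over plain HTTP is enabled; prefer HTTPS")
    if not 5 <= config["idle"] <= 60:
        errors.append("idle time-out must be 5..60 minutes")
    return warnings, errors


class Cluster:
    """Shared, applied configuration (the cluster's single software image)."""

    def __init__(self):
        self.applied = copy.deepcopy(DEFAULT_CONFIG)
        self.history = []               # (session, parameter, value) in apply order

    def session(self, name):
        return Session(self, name)


class Session:
    """One administrator session with its own pending change set."""

    def __init__(self, cluster, name):
        self.cluster, self.name, self.pending = cluster, name, {}

    def set(self, parameter, value):
        self.pending[parameter] = value

    def diff(self):
        """Only this session's pending changes, compared with the applied config."""
        return {k: (self.cluster.applied[k], v) for k, v in self.pending.items()
                if self.cluster.applied[k] != v}

    def revert(self):
        self.pending.clear()            # other sessions are untouched

    def apply(self):
        """Validate the merged result; errors refuse the apply, warnings do not."""
        candidate = {**self.cluster.applied, **self.pending}
        warnings, errors = validate(candidate)
        if errors:
            return {"applied": False, "warnings": warnings, "errors": errors}
        for k, v in self.pending.items():
            self.cluster.history.append((self.name, k, v))
        self.cluster.applied = candidate
        self.pending.clear()
        return {"applied": True, "warnings": warnings, "errors": []}


def demo():
    """Two concurrent administrators, one on the CLI and one on the BBI."""
    cluster = Cluster()
    cli, bbi = cluster.session("cli-admin"), cluster.session("bbi-admin")
    out = {}
    cli.set("ssh", True)                       # pending only in the CLI session
    out["bbi_sees_nothing"] = bbi.diff() == {}
    out["apply_empty_acl"] = cli.apply()       # error: access list still empty
    cli.set("accesslist", ["201.10.14.7/32"])
    out["apply_ok"] = cli.apply()              # warning about HTTP, but applied
    cli.set("idle", 15)                        # both sessions change idle;
    bbi.set("idle", 30)                        # the later apply takes precedence
    cli.apply()
    bbi.apply()
    out["idle_after_both"] = cluster.applied["idle"]
    bbi.set("telnet", True)
    bbi.revert()                               # clears only the BBI session
    out["telnet_after_revert"] = cluster.applied["telnet"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "idle_after_both" result is the concurrency caveat from this chapter in one line: neither administrator saw the other's pending change in diff, both applies succeeded, and the value that survives is simply the one applied last.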
Diff
The global Diff form provides a list of the current session’s pending configuration changes.
This form includes the following items:
- Change list. The list displays a change record for each submitted update. Each record may consist of many modifications, depending upon the complexity of the form and changes submitted. Modifications are color coded:
  - Green: New items that will be added to the configuration when the global Apply command is given and verified.
  - Blue: Existing items that will be modified.
  - Red: Configuration items that will be deleted.
- Back button. This button returns to the previously viewed form.

The Diff list is cleared when configuration changes are applied or reverted, or when the administrator logs out or closes the browser window.
This change list does not show pending changes made in other open CLI or BBI sessions.
Revert
The global Revert form is used for canceling pending configuration changes.
This form includes the following items:
- Revert button. This button cancels the current session’s pending configuration changes. Applied changes are not affected. Pending changes made in other open CLI or BBI sessions are not affected.
- Back button. This button returns to the previous form without cancelling pending changes.
Logout
The global Logout form is used to terminate the current user session.
This form includes the following items:
- Logout button. This button terminates the current user session. Any configuration changes made during this session that have not yet been applied will be lost. This command has no effect on pending changes in other open CLI or BBI sessions.
- Back button. This button returns to the previously viewed form without logging out.
NOTE – For thorough security, close all BBI windows (including help) after logging out.
Help
The global Help form provides assistance with forms and tasks in the BBI. There are two kinds of help: context-sensitive help and task-based help.
Context-Sensitive Help
Context-sensitive help displays detailed information about whatever form is currently displayed in the BBI forms area. When you click on the global Help button, a new window appears with information appropriate to your current options:

The context-sensitive help window consists of the following areas:
- Help topic menu. You can select a new help topic using the menu on the left-hand side of the help window. Each main menu item is listed, along with the sub-menu items under the current selection. Select a different menu item to reveal its sub-menu list. Select any sub-menu item to display help for the relevant form.
- Forms area. This area displays detailed information about the selected topic.
- Load Page link. Click on the title of this bar in the forms area to return to the main BBI window and jump directly to the form currently referenced by the help window.
- Tasks Page link. Click on the title of this bar at the bottom of the help topic menu to activate the task-based help system.
- Close button. This button (in the top, right corner) closes the help window.
Task-Based Help
Task-based help directs the administrator through the steps of various common procedures. To access task-based help, first click on the global Help button and then click on the Tasks Page title at the bottom of the help topic menu in the help window. The task help menu will be displayed in a new window with information appropriate to the current BBI form:

The task-based help window consists of the following areas:
- Task topic menu. You can select from a list of tasks using the menu on the left-hand side of the help window. Each main task item is listed, along with the various steps under the current selection. Select a different task item to reveal its steps. Select any step to display relevant help information.
- Forms area. This area displays detailed information about the selected task.
- Previous link (if appropriate): Displays the information for the previous step in the task.
- Next link (if appropriate): Displays the information for the next step in the task.
- Load Page link. Click on the title of this bar in the forms area to return to the main BBI window and jump directly to the form currently referenced by the help window.
- Close button. This button at the top, right-hand corner closes the task-based help window.
The Monitor Forms
Monitor / System
This is the default Monitor form. It provides an overview of the components in the cluster.
This form includes the following items:
- Firewall Accelerators. Each installed Firewall Accelerator is shown, along with its MAC address, IP address, and health status. The status of each Firewall Accelerator port is indicated by color:
  - Green indicates the port is up.
  - Red indicates the port is down.
  - Black indicates that the port has been disabled.
- Firewall Directors (iSDs). Each Firewall Director is shown along with its individual IP address and the cluster Management IP (MIP) address. To obtain more information about a specific Firewall Director, click on the appropriate icon (see “Monitor / iSDs” on page 129).
Monitor / iSDs
This form displays the status of the individual Firewall Directors in the cluster.
Monitor / Syslog
This form displays the system logs of individual Firewall Directors in the cluster based on your choice of search criteria.
This form includes the following items:
- Host IP: IP address of the Firewall Director from which to view logs.
- Search String: Search for this string in the message body. All messages that have a substring matching the characters in this field will be displayed when the Search button is selected.
- Quick Choice menu: Provides a predefined list of basic search strings.
- Messages Per Page: Maximum number of messages displayed for each request.
- Case Sensitive box: Check this box to make the search case sensitive. If unchecked, the capitalization of characters in the search string and message body is disregarded.
- Search button: Execute the log search using the parameters defined on this form. Search results appear at the bottom of the form.
Monitor / About
This form displays general product information.
The Cluster Forms
Cluster / Time
This form is used to set the date and time for all components in the cluster:

Date and Timezone
• Current Time: Displays the current system time. This field cannot be edited.

Date
• New Time: Specified using the month, day, year, hour, and minute pull-down menus.
• Save button: Effects any changes to the date form. Changes take effect immediately, without the need to apply.

Timezone
• Timezone: Select your region from the pull-down menu.
• Save button: Effects any changes to the timezone form. Changes take effect immediately, without the need to apply.
Cluster / Syslog
This form is used to specify remote system log daemons and turn on local log debugging.

Debug Messages
• Status menu: Enables or Disables sending debug messages to the local system log.
• Update button: Submits the Debug Messages status changes to the pending configuration.

Remote Servers
Current Remote Servers table:
• IP Address: IP address for the remote syslog server in dotted decimal notation.
• Logging Severity menu: Severity of messages logged. All messages of the selected severity and higher will be logged.
• Delete button: Deletes a remote server. Only present if a remote server is active.
Add New Remote Server:
• New Server IP: IP address for the remote syslog server in dotted decimal notation.
• New Server Severity: Severity of messages logged. All messages of the selected severity and higher will be logged.
Form actions:
• Update button: Submits the remote server form changes to the list of pending changes, but does not yet apply the changes.
Cluster / ELA
This form is used to configure the Event Logging API (ELA) feature:
ELA allows cluster log messages to be sent to a Check Point management server for display through the Check Point Log Viewer.
NOTE – An ELA service must be configured on the Check Point Management Station, and a SIC Certificate for the service must be transferred to the Firewall Director before ELA logging can commence. For configuration details, see Appendix A, “Event Logging API,” on page 385.
General Settings
• Status: Enables or Disables Check Point ELA logging.
• Management Station IP: The IP address of the Check Point management server to which cluster log messages will be sent.
• Minimum Severity: Severity of messages logged. All messages of the selected severity and higher will be sent to the ELA service.
• Management Station DN: Distinguished name of the Check Point Management Server.
• Update button: Submits the General Settings form changes to the pending configuration.
Pull SIC Certificate
NOTE – The Management Station IP and Server Distinguished Name must be configured and saved before updating the SIC certificate. If these values change, then a new certificate will need to be created.
• iSD IP: The IP address of the individual Firewall Director being updated (do not use the MIP address).
• OPSEC Application Name: Name of the ELA service that was configured on the Check Point management server. Use the same name specified when creating the OPSEC application in the Check Point Policy Editor. Each Firewall Director should use a different OPSEC application.
• OPSEC Password: Password used to configure the above ELA service on the Check Point management server.
• OPSEC Password (again): Verify the password.
• Update button: Submit the Pull SIC Certificate form changes and update the certificate on the specified Firewall Director.
Cluster / Archive
This form is used to specify system log rotation/archiving parameters:
Log files can be rotated when the file reaches a specific size or age. When rotation occurs, the rotated log file is set aside or e-mailed to a specified address and a new log file is begun.
If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size, or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0, the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP Server IP are set, then the log file is mailed when rotated.
This form includes the following items:
• Email: E-mail address of the administrator who will receive the log.
• SMTP Server IP: IP address of the SMTP server in dotted decimal notation. Note that this server must be configured to accept messages from the Firewall Director. Also, a Check Point policy should be present to allow these messages through the firewall.
• Rotate Size: Maximum size the log should reach before rotation. If 0, then the size is ignored and only the log rotate interval is used.
• Interval: The interval at which the system log file should be rotated, specified in days and hours.
• Update button: Submits the form changes to the pending configuration.
Cluster / Accelerator(s)
This form is used to configure Firewall Accelerators on the network.

Accelerator Status
• Auto Discovery menu: Enables or Disables automatic discovery of Firewall Accelerators on the network. When enabled, the Firewall Directors detect the Firewall Accelerators automatically upon boot up and register with them. If this is not enabled, the administrator must manually configure the MAC addresses of the Firewall Accelerator.
• High Availability menu: Enables or Disables high availability for a multiple Firewall Accelerator setup. Two Firewall Accelerators are needed for this option to take effect.
• Update button: Submits the Accelerator Status changes to the pending configuration.
Accelerator Details
In a high-availability configuration, there may be up to two Firewall Accelerators.

• Set as master accelerator: Specify whether this should be the master Firewall Accelerator in a high-availability configuration.
• Detected MAC address: MAC address auto-detected. This will be all zeros if no Firewall Accelerator has been detected.
• MAC address: If Auto Discovery is enabled, the MAC address of the detected Firewall Accelerator is displayed (zeros if none are detected). When Auto Discovery is disabled, you can enter the MAC address of a specific Firewall Accelerator to designate which one is #1 or #2 when more than one is on the network.
• IP address: IP address of the Firewall Accelerator in dotted decimal notation.
• Inter-Accelerator Port (IAP): Selects the port used to connect Firewall Accelerators together in a high-availability configuration. By default, the IAP is port 9. Any Firewall Accelerator port can be used as the IAP, but it must have NAAP enabled.
• Update button: Submits the Accelerator Details changes to the pending configuration.
Cluster / Host(s)
This form is used to specify the IP addresses for the Firewall Directors on the network.

Management IP Address
• MIP: Specify the Management IP for the cluster.

General Settings for each Firewall Director
For each Firewall Director in the cluster, the following fields are shown:

• Name: Internal name of the Firewall Director. For display only.
• Delete button: Deletes the Firewall Director from the cluster and resets it to factory default configuration settings.
• Master: Checked if this is the Master Firewall Director. For display only.
• IP Address: IP address of this Firewall Director in dotted decimal notation.
• Check Point Management Interface IP address

Form Actions
• Update: Submits the form changes to the pending configuration.
The Network Forms

Network / General
This is the default Network form. It is used to set the network mask.

This form includes the following items:
• Network Mask: Configure the network mask for the system using the dotted decimal notation.
• Update button: Submits the form changes to the pending configuration.
Network / DNS
This form is used to specify the Domain Name Service (DNS) servers. Multiple servers are allowed.

This form includes the following items:
• IP Address: Displays the IP address of the configured DNS server.
• Delete button: Deletes the DNS server. Only displayed if a DNS server is present.
• New DNS IP: Configure a new DNS server IP address using the dotted decimal notation.
• Update button: Submits the new DNS server address to the pending configuration.
Network / NTP
This form is used to specify the Network Time Protocol (NTP) servers.

NTP servers are used by the NTP client on the Alteon Switched Firewall to synchronize its clock. The system should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers.

• IP Address: Displays the IP address of the configured NTP server.
• Delete button: Deletes the server. Only displayed if an NTP server is present.
• New NTP IP: Configure a new NTP server IP address using the dotted decimal notation.
• Update button: Submits the new NTP server address to the pending configuration.
Network / Ports
This form is used to configure individual Firewall Accelerator ports.

This form includes the following items:
• Port#: The port number on the Firewall Accelerator.
• Enabled: Yes (port is enabled) or No (port is disabled). If a port is disabled, any traffic coming to the port will be dropped, and only the link LED (green) on the port will blink when an active cable is attached. If the port is enabled and an active cable is attached, both the link LED (green) and the data indicator LED (orange) will be on and blinking. The data indicator LED reflects the amount of data passing through the port.
• Name: The name for the port.
• Trunk: Yes (enable) or No (disable) port trunking on the port.
• NAAP: Yes (enable) or No (disable) NAAP (communication between the Firewall Director and the Firewall Accelerator) on the port.
• VLAN Tag: Yes (enable) or No (disable) VLAN tagging on the port.
• Filters: Yes (enable) or No (disable) filtering on the port.
• Filter list: Lists the filters that are used with the port. Filters are applied in numerical order.
• Delete button: Delete a port configuration from the system. Only visible if ports are configured.
• Modify button: Modify a displayed port. Only visible if ports are configured. See the Update form on page 144.
• Add New Port button: Add and configure a new port. See the Update form on page 144.
Network / Ports / Port Mirroring
This form is used to configure port mirroring to monitor traffic.

This form includes the following items:
• Port Mirroring Settings: Enable or disable port mirroring.
• Monitoring Ports
  ◦ Monitoring Port Number: Select the port to monitor traffic. This port will receive a copy of the data packet from the mirrored ports.
  ◦ Mirrored Port Numbers: Select ports to mirror. In the screen above Port 2 is configured for mirroring ingress traffic only.
Network / Ports / Update (Add or Modify)
NOTE – On ports with only one physical connector, some of the options described on this form do not apply. Although all options appear on all models of Firewall Accelerator, any configuration settings for options which do not apply are disregarded.
General Settings
• Identifier: The port number on the Firewall Accelerator.
• Status: Enables or Disables the port. If a port is disabled, any traffic coming to the port will be dropped, and only the link LED (green) on the port will blink when an active cable is attached. If the port is enabled and an active cable is attached, both the link LED (green) and the data indicator LED (orange) will be on and blinking. The data indicator LED reflects the amount of data passing through the port.
• Name: Specify a name for the port.
• Port Trunk: Enables or Disables port trunking on the port.
• NAAP Status: Enables or Disables NAAP (communication between the Firewall Director and the Firewall Accelerator) on that particular port.
• VLAN Tag Status: Enables or Disables VLAN tagging on the port.
• Filter Status: Enables or Disables filtering for the port.
• Filters: Specify filters that are used with this port. Defined filters will be shown in the Available box. The Selected box lists the filters that will be applied to traffic on this port. To move a filter from one box to the other, select the filter and click on the arrow box indicating the direction of movement. Filters in the Selected box are applied to traffic in numerical order.
• Preferred Physical Connector: If dual physical connectors are available on the port, this defines the preferred physical connector for the link. Options are fast (Fast Ethernet Port, RJ-45 connector) and gig (Gigabit Ethernet Port, SC fiber optic connector).
• Backup Physical Connector: Defines the backup physical connector. Options are fast (Fast Ethernet Port, RJ-45 connector) and gig (Gigabit Ethernet Port, SC fiber optic connector).
Fast Physical Connection Settings
If an RJ-45 connector is available on the Firewall Accelerator port, the following options are used to configure its link characteristics:
• Link Speed: Sets the link speed. The choices include: any, 10, or 100 Mbps.
• Link Mode: Sets the duplex operating mode. The choices include full (full-duplex), half (half-duplex), and any (for auto-negotiation).
• Flow Control: Sets the flow control mode. The choices include rx (receive only), tx (transmit only), both (both receive and transmit), and none.
• Autonegotiate: Check to enable auto-negotiation on the port, or uncheck to disable.

Gigabit Physical Connection Settings
If an SC fiber optic connector is available on the Firewall Accelerator port, the following options are used to configure its link characteristics:

• Flow Control: Sets the flow control mode. The choices include rx (receive only), tx (transmit only), both (both receive and transmit), or none.
• Autonegotiate: Check to enable auto-negotiation on the port, or uncheck to disable.

Form Actions
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
Network / VLANs
This form is used to view and configure the settings for individual VLANs.

VLANs are required when VLAN tagging is used in the network. In this case, the port will also need to be enabled for VLAN tagging.

VLANs are also used when two interfaces on the same port are connected to two different networks. Here, they will need to be put under separate VLANs. If the administrator does not specify VLANs, then the two networks will be put under separate VLANs automatically.

Up to 242 VLANs can be configured, though each can be given an identifying number between 1 and 4093. VLAN 4094 is reserved for internal use.
This form includes the following items:
• ID: Numerical ID for the VLAN (between 1 and 4093). It can be used to specify the VLAN when configuring an interface.
• Enabled: Yes (enable) or No (disable) the VLAN.
• Name: Assigned name of the VLAN.
• Jumbo Frames: Yes (enable) or No (disable) Jumbo Frames support on the VLAN.
• Port(s): Port or ports associated with this VLAN.
• Delete button: Delete a VLAN from the system. Only visible if VLANs are present.
• Modify button: Modify a displayed VLAN. Only visible if VLANs are present. See the Update form on page 148.
• Add New VLAN button: Adds a VLAN to the configuration. See the Update form on page 148.
Network / VLANs / Update (Add or Modify)
This form includes the following items:
• Identifier: Numerical ID for the VLAN (between 1 and 4093). It can be used to specify the VLAN when configuring an interface.
• Status: Enables or Disables the VLAN.
• Name: Assigns a name to the VLAN or changes the existing name.
• Jumbo Frames: Enables or Disables Jumbo Frames support on the VLAN. When this feature is enabled, the ASF can handle frames that are far larger than the maximum normal Ethernet frame size (up to 9018 octets), reducing the overhead for host frame processing.

NOTE – Do not enable Jumbo Frame support on a VLAN with any device that cannot process frame sizes larger than the Ethernet maximum frame size. Use additional VLANs to isolate traffic into Jumbo Frame and regular traffic. The ASF will automatically fragment Jumbo Frame traffic to regular Ethernet sizes when routing Jumbo Frame traffic to non-Jumbo Frame VLANs.

• Port: Associates this VLAN with one or more ports.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
Network / Interfaces
This form is used to view and configure the settings for individual interfaces:

The Firewall Accelerator can be configured with up to 255 IP interfaces, each representing the Firewall Accelerator on an IP subnet on the network.

This form includes the following items:
• Id: Numerical ID for the interface (between 1 and 255). It can be used to specify the interface when configuring a new route.
• Enabled: Indicates whether the interface is enabled or disabled.
• Address: The IP address of the interface using the dotted decimal notation.
• Mask: The IP subnet address of the interface using the dotted decimal notation.
• Broadcast: The IP broadcast address for the interface using the dotted decimal notation.
• VLAN: The VLAN number for the interface (1-4092). Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it. If an interface is not assigned a VLAN (the choice is “unassigned”), then a VLAN will be chosen automatically.
• Port(s): Associates the interface with one or more ports.
• Delete button: Delete an interface from the system. Only visible if interfaces are present.
• Modify button: Modify a displayed interface. Only visible if interfaces are present. See the Update form on page 150.
• Add New Interface button: Adds a new interface to the configuration. See the Update form on page 150.
Network / Interfaces / Update (Add or Modify)
General Settings
• Identifier: Numerical ID for the interface (between 1 and 255). It can be used to specify the interface when configuring a new route.
• Status: Enables or Disables the interface.
• IP Address: Configures the IP address of the interface using the dotted decimal notation.
• Subnet Mask: Configures the IP subnet address of the interface using the dotted decimal notation.
• Broadcast Address: Configures the IP broadcast address for the interface using the dotted decimal notation.
• VLAN: Configures the VLAN number (1-4092) for the interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it. If an interface is not assigned a VLAN (the choice is “unassigned”), then a VLAN will be assigned automatically.
• Ports: Associates the interface with one or more ports.
VRRP
For high availability through VRRP, the administrator should specify two IP addresses that will be used to configure interfaces on the two Firewall Accelerators. The IP address of the virtual router will be mapped to these addresses (the virtual router address is the address of the configured interface). A valid configuration can have three unique addresses on the same subnet, or two unique addresses, with the virtual router address shared with one of the Firewall Accelerators.
NOTE – High availability must be enabled in the Cluster/Accelerator form in order for high availability to take effect.
• IP 1: IP address for first Firewall Accelerator.
• IP 2: IP address for second Firewall Accelerator.
• VRID: Virtual Router ID (between 1 and 255). This is used in conjunction with the IP addresses above to define a virtual router on the system.

Form Actions
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
Network / Filters
This form is used for configuring port filters for the Firewall Accelerators:

The Firewall Accelerator supports up to 224 port traffic filters. Each filter can be configured to allow or deny traffic according to a variety of address and protocol specifications. Each physical Firewall Accelerator port can be configured to use any combination of filters.

Port traffic filtering is a feature of the Firewall Accelerator and occurs prior to inspection by the Check Point FireWall-1 NG software. Traffic that has been dropped by a port traffic filter will not be forwarded to the firewall. Traffic that has been allowed by a port traffic filter will be sent through the firewall, bypassing Check Point FireWall-1 NG inspection. Traffic which is not matched by any port filter will be passed to the firewall for Check Point FireWall-1 NG inspection.

This form includes the following items:
• Id: Numerical ID for the filter (between 1 and 224). It can be used to specify the filter when configuring a port.
• Enabled: Yes (filter is enabled) or No (filter is disabled).
• Name: Assigns a name to the filter. The name is displayed in port configuration.
• MAC: Source and Destination MAC addresses to match against ingress traffic.
• IP: Source and Destination IP addresses to match.
• Source Port: Start and end of a source port range to match.
• Dest Port: Start and end of a destination port range to match.
• Protocol: IP protocol to match. Standard choices are 1 (ICMP), 2 (IGMP), 6 (TCP), 17 (UDP), 89 (OSPF), and 112 (VRRP).
• Action: Allows or denies packets that match the filter.
• Delete button: Deletes a filter from the system. Only visible if filters are present.
• Modify button: Modifies a displayed filter. Only visible if filters are present. See the Update form on page 153.
• Add New Filter button: Add a new filter to the configuration. See the Update form on page 153.
Network / Filters / Update (Add or Modify)
This form includes the following items:
• Identifier: Numerical ID for the filter (between 1 and 224). It can be used to specify the filter when configuring a port.
• Status: Enables or Disables the filter.
• Name: Assigns a name to the filter. The name is displayed in port configuration.
• Source MAC: Source MAC address to match against ingress traffic.
• Destination MAC: Destination MAC address to match.
• Source IP: Source IP address to match.
• Source IP Mask: Used with Source IP to select an address range that this filter will affect.
• Destination IP: Destination IP address to match.
• Destination IP Mask: Used with the Destination IP to select a range of addresses which this filter will affect.
• Protocol: IP protocol to match. Enter a numeric value or use the pull-down list. Standard choices are 1 (ICMP), 2 (IGMP), 6 (TCP), 17 (UDP), 89 (OSPF), and 112 (VRRP).
• Source Port Start: Start of a source port range to match.
• Source Port End: End of a source port range to match.
• Destination Port Start: Start of a destination port range to match.
• Destination Port End: End of a destination port range to match.
• Action: Allow or deny packets that match the filter.
• Inversion: Inverts the filter logic. If the conditions of the filter are met, then do not act. If the conditions of the filter are not met, perform the assigned action.
• Logging: Record filter hits to the system log.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
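The three-way outcome of port traffic filtering (drop, forward without FireWall-1 inspection, or hand to FireWall-1) together with the Inversion and Logging options of the Update form, worked through as an added example that is not Nortel's code. First-match-wins ordering and the wildcard values (mask 0.0.0.0, protocol 0, port range 0-0) are assumptions of this example; the filter set and packets are constructed.

```python
"""Port traffic filter evaluation for a Firewall Accelerator port.

Added example, not Nortel's code. Filters bound to a port are tried in
numerical order; a "deny" hit drops the packet before it reaches the
firewall, an "allow" hit forwards it WITHOUT Check Point FireWall-1 NG
inspection, and a packet no filter hits goes to FireWall-1 for inspection.
First-match-wins and the wildcards (mask 0.0.0.0, protocol 0, port range
0-0) are assumptions of this example, not statements from the manual.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass
class Filter:
    ident: int                 # 1..224; also the order of application
    name: str
    action: str                # "allow" or "deny"
    enabled: bool = True
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"  # mask 0.0.0.0 = any address (assumption)
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = 0          # 0 = any; 1 ICMP, 6 TCP, 17 UDP as on the form
    sport: tuple = (0, 0)      # (start, end); (0, 0) = any port (assumption)
    dport: tuple = (0, 0)
    inversion: bool = False    # act only when the conditions are NOT met
    logging: bool = False      # record hits to the system log

    def conditions_met(self, pkt: dict) -> bool:
        """Raw criteria match, before Inversion is applied."""
        for ip, mask, value in ((self.src_ip, self.src_mask, pkt["src"]),
                                (self.dst_ip, self.dst_mask, pkt["dst"])):
            if (_ip(value) & _ip(mask)) != (_ip(ip) & _ip(mask)):
                return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        for (lo, hi), value in ((self.sport, pkt.get("sport", 0)),
                                (self.dport, pkt.get("dport", 0))):
            if (lo, hi) != (0, 0) and not lo <= value <= hi:
                return False
        return True

    def hit(self, pkt: dict) -> bool:
        """Whether the filter acts on this packet, honouring Inversion."""
        return self.conditions_met(pkt) != self.inversion


def evaluate_port(filters, pkt: dict, log=None):
    """Decide one packet's fate on a port carrying the given filters.

    Returns (decision, filter_id): "drop" (denied, never reaches the firewall),
    "bypass" (allowed, forwarded without FireWall-1 inspection) or "inspect"
    (no filter hit, passed to FireWall-1; filter_id is then None).
    """
    for f in sorted(filters, key=lambda f: f.ident):   # numerical order
        if not f.enabled or not f.hit(pkt):
            continue
        if f.logging and log is not None:
            log.append(f"filter {f.ident} ({f.name}) hit: {pkt}")
        return ("drop" if f.action == "deny" else "bypass", f.ident)
    return ("inspect", None)


# Constructed sample filter set (documentation address ranges).
FILTERS = [
    # Deny telnet anywhere and log it: dropped on the accelerator itself.
    Filter(1, "block-telnet", "deny", protocol=6, dport=(23, 23), logging=True),
    # Fast-path web traffic to the DMZ. This BYPASSES FireWall-1 inspection,
    # so the allowed range must be exactly what is intended.
    Filter(2, "dmz-web-fastpath", "allow", dst_ip="192.0.2.0",
           dst_mask="255.255.255.0", protocol=6, dport=(80, 80)),
    # Inverted deny: acts on everything that is NOT tcp/22 from the
    # management subnet, so it also drops unrelated traffic (udp/53 below).
    Filter(3, "only-mgmt-ssh", "deny", src_ip="198.51.100.0",
           src_mask="255.255.255.0", protocol=6, dport=(22, 22),
           inversion=True),
]

# Constructed packets: telnet, web, management SSH, DNS from elsewhere.
PACKETS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 6, "dport": 23},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 6, "dport": 80},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 22},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 17, "dport": 53},
]


def demo():
    """Run the sample packets through the port; returns (decisions, log)."""
    log = []
    return [evaluate_port(FILTERS, p, log) for p in PACKETS], log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)  # [('drop', 1), ('bypass', 2), ('inspect', None), ('drop', 3)]
    print(*log, sep="\n")
```

The last packet shows why Inversion deserves care: the inverted deny filter acts on every packet that does not meet its narrow conditions, so it silently drops the DNS query as well.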
Network / Routes
This form is used to view and configure the current routes.

This form includes the following items:
• Destination IP: IP address of the route destination in dotted decimal notation.
• Destination Subnet: Subnet mask for the route destination in dotted decimal notation.
• Gateway IP: IP address of the gateway in dotted decimal notation.
• Interface: Interface for the packet.
• Delete button: Deletes a route from the system. Only visible if routes are present.
• Modify button: Modifies a displayed route. Only visible if routes are present. See the Update form on page 156.
• Add New Route button: Adds a route to the configuration. See the Update form on page 156.
Network / Route / Update (Add or Modify)
This form includes the following items:
• Destination IP: IP address of the route destination in dotted decimal notation.
• Destination Subnet: Subnet mask for the route destination in dotted decimal notation.
• Gateway IP: IP address of the gateway in dotted decimal notation.
• Route Interface: Interface for the packet.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
Network / Gateways
This form is used to view and configure the default gateways. There can be up to four gateways configured.

Gateway Metric
• Default Gateway Metric: Set default gateway load-balancing. If multiple default gateways are configured and enabled, the following metric choice determines which default gateway is selected:
  ◦ Strict: The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.
  ◦ Roundrobin: This provides basic gateway load balancing. The ASF sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.
• Update button: Submits the metric changes to the pending configuration.
Gateways
• Id: Gateway identifier (a number between 1 and 4).
• Enabled: Indicates whether the gateway is enabled or disabled.
• ARP Enabled: Indicates whether ARP-only health checks are enabled or disabled.
• Address: The IP address of the gateway using dotted decimal notation.
• Retry Count: The number of health checks that must fail before declaring the gateway inoperative. The system uses pings to check whether the gateway is up.
• Interval: This field defines the time between health checks.
• Delete button: Deletes a gateway from the system. Only visible if a gateway is present.
• Modify button: Modifies a displayed gateway. Only visible if a gateway is present. See the Update form on page 159.
• Add New Gateway button: Adds a gateway to the configuration. See the Update form on page 159.
Network / Gateway / Update (Add or Modify)
This form includes the following items:
• Identifier: Gateway identifier (a number between 1 and 4).
• Status: Enables or Disables the gateway for use.
• ARP Status: Enable or Disable ARP-only health checks.
• Address: The IP address of the gateway using dotted decimal notation.
• Retry Count: The number of health checks that must fail before declaring the gateway inoperative. The system uses pings to check whether the gateway is up.
• Interval: This field defines the time between health checks.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
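How the Strict and Roundrobin metrics from the Network / Gateways form interact with the Retry Count health logic of the gateway entries, as an added example that is not Nortel's code. It assumes that a destination pinned to a gateway under Roundrobin is moved to the next usable gateway when that gateway becomes inoperative, which the manual does not specify; the gateway table is constructed.

```python
"""Default gateway selection under the Strict and Roundrobin metrics.

Added example, not Nortel's code. It models what the Network / Gateways
forms describe: up to four default gateways, each health-checked (ping,
or ARP only) every Interval seconds and declared inoperative once Retry
Count consecutive checks fail; Strict prefers the lowest-numbered healthy,
enabled gateway, Roundrobin hands each new request to the next healthy,
enabled gateway in line while resolving every request for the same
destination IP to the same gateway. Moving a destination to another
gateway when its pinned gateway fails is this example's assumption.
"""
from dataclasses import dataclass


@dataclass
class Gateway:
    ident: int               # 1..4
    address: str             # dotted decimal, as on the form
    enabled: bool = True
    arp_only: bool = False   # ARP-only health check instead of ping
    retry_count: int = 3     # failed checks before "inoperative"
    interval: int = 2        # seconds between checks (informational here)
    failures: int = 0        # consecutive failed checks so far
    operative: bool = True

    def record_probe(self, ok: bool) -> None:
        """Feed one health-check result (ping or ARP reply) into the state."""
        if ok:
            self.failures = 0
            self.operative = True
        else:
            self.failures += 1
            if self.failures >= self.retry_count:
                self.operative = False

    @property
    def usable(self) -> bool:
        return self.enabled and self.operative


class GatewayTable:
    def __init__(self, gateways, metric="strict"):
        if metric not in ("strict", "roundrobin"):
            raise ValueError(f"unknown metric {metric!r}")
        self.gateways = sorted(gateways, key=lambda g: g.ident)
        self.metric = metric
        self._cursor = 0      # roundrobin position in self.gateways
        self._pinned = {}     # dst_ip -> gateway ident (roundrobin only)

    def by_id(self, ident: int) -> Gateway:
        return next(g for g in self.gateways if g.ident == ident)

    def select(self, dst_ip: str):
        """Return the gateway ident to use for dst_ip, or None if none is usable."""
        if not any(g.usable for g in self.gateways):
            return None
        if self.metric == "strict":
            # Gateway #1 is preferred until it fails or is disabled, then #2, ...
            return next(g.ident for g in self.gateways if g.usable)
        pinned = self._pinned.get(dst_ip)
        if pinned is not None and self.by_id(pinned).usable:
            return pinned           # same destination, same gateway
        n = len(self.gateways)      # new destination: next usable in line
        while True:
            g = self.gateways[self._cursor % n]
            self._cursor += 1
            if g.usable:
                self._pinned[dst_ip] = g.ident
                return g.ident


def sample_table(metric: str) -> GatewayTable:
    """Constructed four-entry table; gateway 3 is configured but disabled."""
    return GatewayTable([Gateway(1, "192.0.2.1"), Gateway(2, "192.0.2.2"),
                         Gateway(3, "192.0.2.3", enabled=False),
                         Gateway(4, "192.0.2.4")], metric)


if __name__ == "__main__":
    t = sample_table("strict")
    print(t.select("203.0.113.9"))              # 1
    for _ in range(3):                          # three missed pings
        t.by_id(1).record_probe(False)
    print(t.select("203.0.113.9"))              # 2
```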
Network / Local
This form allows you to define and modify the cache of local networks.
Network / Local / Update (Add or Modify)
Network / ARP
This form allows you to add or modify IP addresses to which the Alteon Switched Firewall will respond.
The Firewall Forms
Firewall / Settings
General
• Status: Enables or Disables Check Point FireWall-1 NG processing on all healthy Firewall Directors in the cluster.
• Update button: Submits the form changes to the pending configuration.

Secure Internal Communication
• List of Hosts
• Password
• Password (again)
• Submit
Firewall / License Management
This form is used to configure license management:

License management is used for pre-configuring resources that allow the system to automatically configure any new components that are added to the cluster.

Resources configured under this menu include a pool of IP addresses and Check Point licenses. When Plug N Play is enabled, a new Firewall Director attached to the cluster will automatically be configured and brought into service.

Autodetect iSD
• Status: Enable or Disable automatic license management. When enabled, if resources have been added, the cluster will automatically detect new Firewall Directors, join them to the cluster, configure them, and start them participating in firewall processing. When this feature is disabled, you must manually configure each new Firewall Director being added to the cluster.
• Save Setting button: Submits status changes to the pending configuration.
Check Point Licenses
- IP Address: An IP address in the resource pool that can be used for cluster Firewall Directors.
- In Use: Shows whether the IP address is currently assigned (Yes) to an existing Firewall Director in the cluster, or whether it is available (No) to configure a newly added Firewall Director.
- Licenses: Shows the number of Check Point licenses currently configured for each IP address.
- Delete button: Deletes the IP address and all its associated Check Point licenses.
- Modify button: Allows you to modify, delete or add Check Point licenses for the IP address. See the Update form on page 164.
- Add New License Entry button: Add and configure a new IP address and Check Point license for the resource pool. See the Update form on page 164.
Firewall / License Management / Update (Add or Modify)
General Settings
- IP Address: Lists the IP address in the resource pool that can be used for cluster Firewall Directors.
- Shared Secret
- Shared Secret (again)
Current Licenses
This area of the form displays the licenses assigned to the selected IP address:
- Expiration: Expiration date of the Check Point license.
- Features: Features of the Check Point license.
- License: License string of the Check Point license.
- Delete: When checked, prepares to delete this license from the Plug N Play resource pool.
Add New License
This area of the form is used to enter information for new Check Point licenses to be assigned to the current IP address.
- Expiration Date: Sets the expiration date of the Check Point license.
- Feature String: Sets the features of the Check Point license.
- License String: Sets the license string of the Check Point license.
Form Actions
- Update button: Submits the form changes to the pending configuration.
- Back button: Returns to the previously viewed form without saving this form's changes.
Firewall / Synchronization
This form is used to configure stateful failover of sessions among Firewall Directors in the cluster.
With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director. To achieve stateful failover, synchronization must be configured both on the Alteon Switched Firewall and on the Check Point management server. See “Synchronizing Firewall Directors” on page 340 for more information.
This form includes the following items:
- Status: Enables or Disables firewall synchronization for the cluster.
- Network Address: Sets the IP network address of the synchronization network in dotted decimal notation. It is used with the network mask (defined in the Network / General form) to define appropriate IP addresses for synchronization.
- Update button: Submits the form changes to the pending configuration.
The Operations Forms
This form is used to export or import configuration files:
Export Cluster Configuration
- Secret key: The case-sensitive secret key is used to encrypt the settings and must be supplied again when the configuration is imported.
- Export button: Depending on the browser type, the administrator may have the option to output to a file or to the screen (allowing it to be captured using copy and paste functions).
Import Cluster Configuration
- Text input area: Import a configuration by pasting it into the field provided.
- Secret Key: The case-sensitive secret key used in the export must be supplied to decrypt the configuration settings.
- Import button: Replace the current configuration using the pasted configuration information. This takes effect immediately. No apply command is required.
NOTE – Importing a configuration will cause the BBI to restart. If the import is successful, any imported configuration overrides all prior configuration settings. All changes pending at the time of the import are lost. The revert command cannot be used to recover the prior configuration.
The Administration Forms
Administration / Users
This form lists the permitted users and allows you to change their properties.
This form has the following items:
- Username: The login name that identifies the user in the system. There are three default users that can be modified using the BBI:
Table 6-1 Required Users

User Name   Privileges
admin       The administration user has read and write access to all pages in the BBI.
oper        The operator has read access only.
root        The root user can log in locally to a Firewall Director and is given full access to the system.
NOTE – An additional default user, the boot user, cannot be modified and is not listed in the BBI.
The listed default users can be modified, but cannot be deleted. The system also maintains the following hidden users: bin, blue, daemon, nobody, and operator. These are used for internal processes only and do not have passwords. They are therefore denied external access. Internal users cannot be modified or deleted.
- Group: The group to which the user belongs. This defines the privileges that the user has as described in Table 6-1 on page 168.
- Delete button: Immediately deletes a user from the system. Default users cannot be deleted.
- Modify button: Modifies a displayed user. See the Update form on page 169.
- Add New User button: Adds a new administrator or operator level user login. See the Update form on page 169.
Administration / Users / Update (Add or Modify)
This form contains the following items:
- Username: The identifier for the user in the system.
- Group: The group to which the user belongs defines the privileges of the user. Users added to the system can be assigned either to the admin (read/write) or oper (read only) group.
- Admin Password for verification.
- Password: The password for the user.
- Password (again)
- Save button
- Back button
NOTE – When the username or password is changed for an existing user, anyone currently logged into the BBI using that account will be prompted to enter the new username and password before accessing any new page.
Administration / Access List
This form is used to specify which clients are permitted to administer the system. For example, in order to access the BBI, the client must be matched by an entry in this form.
This form includes the following items:
- Client Network Address: IP address of the client in dotted decimal notation.
- Client Subnet Mask: Subnet mask used for matching. Uses dotted decimal notation.
- Delete button: Deletes an entry from the system. Only visible if access entries are present.
NOTE – Deleting the entry corresponding to the current client will terminate the connection when the change is applied.
- Modify button: Modifies an entry in the system. Only visible if access entries are present. See the Update form on page 171.
- Add New Access Control button: Adds a new entry to the access list. See the Update form on page 171.
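The matching rule of the Access List form, modelled as an added example (not Nortel code): a client may administer the system only if its address falls within some entry's network under that entry's mask, and a deletion that would cut off the client making the change is refused, mirroring the note above. The entries and client addresses are constructed.

```python
"""Model of the Administration / Access List matching rule.

Added example, not Nortel code. Entries are (Client Network Address,
Client Subnet Mask) in dotted decimal notation; sample values are constructed.
"""
import ipaddress
from typing import List, Tuple

AccessEntry = Tuple[str, str]  # (Client Network Address, Client Subnet Mask)

# Constructed sample: one management subnet and one single-host entry.
ACCESS_LIST: List[AccessEntry] = [
    ("10.1.2.0", "255.255.255.0"),
    ("192.168.100.7", "255.255.255.255"),
]


def entry_matches(entry: AccessEntry, client_ip: str) -> bool:
    """True if client_ip lies in the entry's network under its mask."""
    network_address, subnet_mask = entry
    # strict=False accepts an entry whose address has host bits set
    net = ipaddress.IPv4Network(f"{network_address}/{subnet_mask}", strict=False)
    return ipaddress.IPv4Address(client_ip) in net


def is_permitted(access_list: List[AccessEntry], client_ip: str) -> bool:
    """Any matching entry admits the client; with no entries nobody is admitted."""
    return any(entry_matches(entry, client_ip) for entry in access_list)


def delete_entry(access_list: List[AccessEntry], entry: AccessEntry,
                 current_client_ip: str) -> Tuple[List[AccessEntry], bool]:
    """Remove an entry unless that would cut off the client making the change.

    Returns (resulting list, refused). When refused is True the list is
    returned unchanged, because applying the deletion would end the session.
    """
    remaining = [e for e in access_list if e != entry]
    if is_permitted(access_list, current_client_ip) and \
            not is_permitted(remaining, current_client_ip):
        return list(access_list), True
    return remaining, False


if __name__ == "__main__":
    for ip in ("10.1.2.55", "10.1.3.1", "192.168.100.7", "192.168.100.8"):
        print(ip, "permitted" if is_permitted(ACCESS_LIST, ip) else "denied")
    print(delete_entry(ACCESS_LIST, ("10.1.2.0", "255.255.255.0"), "10.1.2.55"))
```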
Administration / Clients / Update (Add or Modify)
Administration / Telnet-SSH
This form is used to enable or disable Telnet/SSH administration.
This form includes the following items:
- Telnet: Enable administration through Telnet.
- SSH: Enable administration through SSH.
- CLI Timeout: Sets the number of seconds a Telnet or SSH session can remain idle before being automatically disconnected.
- Update button: Submits the form changes to the pending configuration.
- Generate New Keys button: Create new SSH keys.
Administration / Web
This form is used to enable or disable BBI administration.
HTTP Settings
- Port: Application port used for non-secure HTTP access to the BBI. The default is port 80.
- Status: Enables or Disables HTTP access to the BBI.
HTTP/SSL Settings
- Port: Application port for secure HTTPS (using SSL) access to the BBI. The default is port 443.
- Status: Enables or Disables HTTPS access to the BBI.
- TLS: Enable TLS protocol.
- SSL v2: Enable SSL v2 protocol.
- SSL v3: Enable SSL v3 protocol.
Form Actions
- Update button: Submits the form changes to the pending configuration.
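An added example (not Nortel code) that audits the remote-management choices exposed by the Telnet-SSH and Web forms above, returning the weak settings and a hardened copy. The dictionary keys mirror the form fields but are assumptions, as is the reading of a CLI Timeout of 0 as "never disconnect"; the sample settings are constructed.

```python
"""Audit of Administration / Telnet-SSH and Administration / Web settings.

Added example, not Nortel code. Keys are assumed names for the form fields;
the sample dictionary is constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, field, explanation)

# Constructed sample: the documented default ports with every access method on.
WEAK_SETTINGS: Dict[str, object] = {
    "telnet": True,
    "ssh": True,
    "cli_timeout": 0,          # idle seconds before disconnect; 0 assumed = never
    "http_status": True,       # non-secure HTTP access to the BBI
    "http_port": 80,
    "https_status": True,      # HTTPS (SSL) access to the BBI
    "https_port": 443,
    "tls": True,
    "sslv2": True,
    "sslv3": True,
}


def audit(settings: Dict[str, object]) -> List[Finding]:
    """Return the weak choices in a settings dict, highest severity first."""
    findings: List[Finding] = []
    if settings["telnet"]:
        findings.append(("high", "telnet",
                         "Telnet carries the login in cleartext; administer over SSH"))
    if settings["http_status"]:
        findings.append(("high", "http_status",
                         "non-secure HTTP exposes BBI logins; leave only HTTPS enabled"))
    if settings["https_status"]:
        if settings["sslv2"]:
            findings.append(("high", "sslv2", "SSL v2 is broken and should stay disabled"))
        if settings["sslv3"]:
            findings.append(("medium", "sslv3", "SSL v3 is obsolete; prefer TLS only"))
        if not settings["tls"]:
            findings.append(("high", "tls", "HTTPS without TLS forces clients onto SSL"))
    if (settings["telnet"] or settings["ssh"]) and settings["cli_timeout"] == 0:
        findings.append(("medium", "cli_timeout",
                         "idle CLI sessions are never disconnected (assumed meaning of 0)"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])   # stable sort keeps field order


def harden(settings: Dict[str, object]) -> Dict[str, object]:
    """Return a copy with the corrected choices: SSH only, HTTPS over TLS only."""
    fixed = dict(settings)
    fixed.update(telnet=False, ssh=True, http_status=False,
                 tls=True, sslv2=False, sslv3=False)
    if fixed["cli_timeout"] == 0:
        fixed["cli_timeout"] = 600   # assumed reasonable idle limit, in seconds
    return fixed


if __name__ == "__main__":
    for severity, field, why in audit(WEAK_SETTINGS):
        print(f"{severity:6} {field:12} {why}")
    print("after hardening:", audit(harden(WEAK_SETTINGS)))
```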
Administration / Server Certs
This form is used to administer server certificates on the Firewall Director:
This form includes the following fields:
- ID: Identifier for the certificate.
- Issuer: Issuer of the certificate.
- Subject: Subject of the certificate.
- Serial Number: Serial number of the certificate.
- Valid From: Starting date upon which the certificate is valid.
- Valid To: Ending date upon which the certificate is valid.
- Delete button: Deletes a certificate from the system. Only visible if a certificate is present.
- Modify button: Modifies a displayed certificate. Only visible if a certificate is present.
- Add New Server Certificate button: Displays a new form used for inputting a new certificate. The certificate should be pasted into the text area.
- Generate Certificate Request button.
- Export Certificate Request button.
Administration / Server Certs / Update (Add or Modify)
- Common Name: Common name (cn) to be used with the certificate.
- Two-Letter Country Code: Country code to be used. For example, US for the United States of America, CA for Canada, JP for Japan, AU for Australia, etc.
- Key Size: Size of the encryption key. Valid sizes are 512, 1024, or 2048 bits.
- Export button: Allows the administrator to export a certificate request created using the Generate Certificate Request command. This can be used to obtain a server certificate to be added.
Administration / CA Certs
This form is used to administer CA certificates on the Firewall Director. This is required if server certificates from an external CA are being used.
This form includes the following fields:
- Id: Identifier for the certificate.
- Issuer: Issuer of the certificate.
- Subject: Subject of the certificate.
- Serial Number: Serial number of the certificate.
- Valid From: Starting date upon which the certificate is valid.
- Valid To: Ending date upon which the certificate is valid.
- Delete button: Deletes a certificate from the system. Only visible if a certificate is present.
- Modify button: Modifies a displayed certificate. Only visible if a certificate is present.
- Add New CA Certificate button: Input a new certificate. The certificate should be pasted into the text area.
Administration / CA Certs / Update (Add or Modify)
Administration / SNMP
This form is used to enable or disable SNMP event and alarm messages for the Alteon Switched Firewall.
SNMP
- Status: Enables or Disables the SNMP features. This must be enabled in order for events and alarms to be sent to the trap hosts.
- Security Model
- Security Level (usm)
- Access
- Events: Enables or Disables sending cluster event messages to the SNMP trap hosts. When enabled, messages regarding general occurrences (such as detection of new components) are sent.
- Alarms: Enables or Disables sending cluster alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions which may require administrative action.
- Read Community String (v2c)
- Save Settings button: Submits the form changes to the pending configuration.
Trap Hosts
This area of the form lists all configured trap hosts which will receive SNMP event or alarm messages from the cluster.
- IP Address: This is the IP address of the trap host.
- Port: This is the logical port on the trap host which expects SNMP traffic.
- Community (v2c): This is the community string for the trap host.
- Trap User (usm)
- Delete button: Removes an SNMP trap host from the cluster configuration.
- Modify button: Modify parameters for an existing trap host.
- Add New Trap Host button: Allows you to add and configure a new trap host.
SNMP Users (usm)
- Username
- Permission
- Delete button
- Modify button
- Add New User button
Administration / SNMP / Trap Host Update (Add or Modify)
Administration / SNMP / SNMP Users Update (Add or Modify)
The Diagnostics Forms
Diagnostics / Security Zones
This form lists the Virtual Network Interface Cards (VNICs) as derived from the network configuration.
- VNIC Id: Identifier for the VNIC as seen in the Check Point management tools.
- IP Address: IP address for the VNIC.
- VLAN: Virtual LAN associated with the VNIC.
- Port(s): Port(s) associated with the VNIC.
Diagnostics / Accelerator CLI
This form allows the administrator to execute diagnostic commands on the Firewall Accelerator.
Diagnostics / System Commands
This form is used for system diagnostics as requested by Nortel Networks customer support.
CHAPTER 7 Command Reference
Main Menu
After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed.
[Main Menu]
     info     - Information Menu
     cfg      - Configuration Menu
     boot     - Boot Menu
     maint    - Maintenance Menu
     diff     - Show pending config changes   [global command]
     validate - Validate configuration
     security - Display security status
     apply    - Apply pending config changes  [global command]
     revert   - Revert pending config changes [global command]
     paste    - Restore saved config with key [global command]
     help     - Show command help             [global command]
     exit     - Exit                          [global command, always available]
Table 7-1 Main Menu
Command Syntax and Usage
info
    The Information Menu is used for displaying information about the current status of the Alteon Switched Firewall. See page 187 for menu items.
cfg
    The Configuration Menu is used for configuring the Alteon Switched Firewall. Some commands are available only from an administrator login. See page 194 for menu items.
boot
    The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if necessary. See page 311 for menu items.
maint
    The Maintenance Menu is used for system diagnostics. This should be used only at the request of Nortel Networks technical support. See page 315 for menu items.
diff
    This global command is available from any menu or sub-menu. It displays the difference between the applied configuration (the configuration that the system is currently using) and the pending configuration (the uncommitted changes that have not yet been applied).

    Only pending changes made during your current administrator session are included. Pending changes being made by other CLI or BBI administrator sessions are not included.
validate
    This command is used to validate pending configuration changes made during your current administration session. This command does not include pending changes being made by other CLI or BBI administrator sessions that are running at the same time.

    When you enter the validate command, your pending changes are examined to ensure that they are complete and consistent. If problems are found, warning or error messages are displayed. Warnings identify conditions that you should pay special attention to, but that will not cause errors or prevent the configuration from being applied when you enter the apply command. Errors identify serious configuration problems that must be corrected before changes can be applied. Uncorrected errors will cause the apply command to fail.

    If the validate command returns warning or error messages, heed the messages and make any necessary configuration changes.
security
    This command lists the status (enabled or disabled) for remote management features such as Telnet, SSH, and the BBI for the cluster. It also lists which users (if any) are still using default passwords, which should be changed.
apply
    This global command is available from any menu or sub-menu. It is used to apply and save configuration changes made during your current administration session. Changes are considered pending and do not take effect until this command is issued. Pending changes being made by other CLI or BBI administrator sessions are not affected.

    When issued, the apply command first validates your session’s pending changes. If problems are found, applicable warning and error messages are displayed. Errors are serious and will cause the apply command to fail before any changes are applied. If there are no errors (warnings are allowed), the changes are saved and put into effect. Warning messages can be turned off using the /cfg/misc/warn command (see page 310).

    If multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.

    The global revert command clears pending changes and will not restore the configuration to its previous settings once the apply command is issued.
revert
    This global command is available from any menu or sub-menu. It cancels all pending configuration changes made during your current administration session. Applied changes are not affected. Pending changes made by other open CLI or BBI sessions are also not affected.
paste
    This global command is available from any menu or sub-menu. It lets you restore a saved configuration dump file that includes encrypted private keys.

    If private keys were included when you created your configuration dump file (/cfg/dump), you were required to specify a password for encrypting the private keys. When the paste command is issued, you will be prompted to supply the same password phrase. You can then open the configuration dump file in your text editor, copy the information, and paste it to the CLI window.

    When pasted, the configuration content is batch processed by the Alteon Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. You can view the pending configuration changes resulting from the batch processing by using the global diff command. To apply the pending configuration changes, use the global apply command.

    The paste password phrase remains in effect until cleared. To clear the password phrase, enter the paste command again.
help [
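The per-session pending configuration behind the global diff, validate, apply and revert commands in Table 7-1, modelled as an added example (not Nortel code): each session sees only its own pending changes, apply validates first and fails on any error while letting warnings through, the latest apply wins for parameters changed concurrently, and revert cannot undo an apply. The two validation rules, the configuration keys and the sample values are assumptions chosen for illustration.

```python
"""Model of the CLI's per-session pending configuration (Table 7-1).

Added example, not Nortel code. Rules, keys and values are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

Config = Dict[str, str]
Finding = Tuple[str, str]                  # (severity, message)
Rule = Callable[[Config], List[Finding]]


def sync_rule(cfg: Config) -> List[Finding]:
    """Assumed rule: synchronization enabled without a network address is an error."""
    if cfg.get("sync.status") == "enabled" and not cfg.get("sync.network"):
        return [("error", "synchronization enabled but no network address set")]
    return []


def gateway_rule(cfg: Config) -> List[Finding]:
    """Assumed rule: a retry count of 1 marks the gateway down after one lost ping."""
    if cfg.get("gateway.1.retry") == "1":
        return [("warning", "gateway 1 retry count of 1 may cause flapping")]
    return []


class Session:
    """One CLI or BBI administrator session sharing the applied configuration."""

    def __init__(self, applied: Config, rules: List[Rule]):
        self._applied = applied        # the same dict is shared by every session
        self._changes: Config = {}     # this session's pending changes only
        self._rules = rules

    def set(self, key: str, value: str) -> None:
        self._changes[key] = value

    def pending(self) -> Config:
        """Applied configuration with this session's changes layered on top."""
        return {**self._applied, **self._changes}

    def diff(self) -> Dict[str, Tuple[Optional[str], str]]:
        """Only this session's changes, as {key: (applied value, pending value)}."""
        return {k: (self._applied.get(k), v)
                for k, v in sorted(self._changes.items())
                if self._applied.get(k) != v}

    def validate(self) -> List[Finding]:
        findings: List[Finding] = []
        for rule in self._rules:
            findings.extend(rule(self.pending()))
        return findings

    def apply(self) -> Tuple[bool, List[Finding]]:
        """Validate first; an error fails the apply before anything changes.

        Warnings are reported but allowed. Because the shared dict is updated
        in place, the latest apply wins for keys several sessions changed.
        """
        findings = self.validate()
        if any(sev == "error" for sev, _ in findings):
            return False, findings
        self._applied.update(self._changes)
        self._changes.clear()          # revert can no longer undo these
        return True, findings

    def revert(self) -> None:
        """Discard this session's pending changes; applied config is untouched."""
        self._changes.clear()
```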