Installation and User’s Guide

Alteon Switched FirewallTM Release 3.0.2 Part Number: 212535-E, April 2003

4655 Great America Parkway, Santa Clara, CA 95054. Phone 1-800-4Nortel. www.nortelnetworks.com

Alteon Switched Firewall Installation and User’s Guide

Copyright © 2003 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California, 95054, USA. All rights reserved. Part Number: 212535-E. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose. U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct. 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct. 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct. 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov. 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc. Alteon, Alteon WebSystems, Alteon Switched Firewall, ASF 5308, ASF 5408, ASF 5610, ASF 5710, ASF 5722, Firewall OS, Firewall Director, ASF 5008, ASF 5010, Accelerator OS, Firewall Accelerator, ASF 5300, ASF 5400, ASF 5600, and ASF 5700 are trademarks of Nortel Networks, Inc. in the United States and certain other countries.
FireWall-1 NG is a registered trademark of Check Point Software Technologies. Any other trademarks appearing in this manual are owned by their respective companies. Portions of this manual are Copyright © 2001 Dell Computer Corporation. All Rights Reserved. Originated in the USA.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.

Licensing

This product includes software developed by Check Point Software Technologies (http://www.checkpoint.com). This product also contains software developed by other parties. See Appendix D, “Software Licenses,” for more information.


Regulatory Compliance

FCC Class A Notice. The equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1) The device may not cause harmful interference, and 2) This equipment must accept any interference received, including interference that may cause undesired operation. The equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. The equipment generates, uses and can radiate radio-frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential area is likely to cause harmful interference. In such a case, the user will be required to correct the interference at his own expense. Do not make mechanical or electrical modifications to the equipment.

Industry Canada: This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.

VCCI Class A Notice: This is a Class A product based on the standard of the Voluntary Control Council for Interference from Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur. In such a case, the user may be required to take corrective actions.

Japanese VCCI Class A Notice

Taiwan EMC Notice

CE Notice: The CE mark on this equipment indicates that this equipment meets or exceeds the following technical standards: EN55022, EN55024, EN60950, and all supporting document requirements.


Safety Information

Caution—Nortel Networks products are designed to work with single-phase power systems having a grounded neutral conductor. To reduce the risk of electric shock, do not plug Nortel Networks products into any other type of power system. Contact your facilities manager or a qualified electrician if you are not sure what type of power is supplied to your building.

Caution—Not all power cords have the same ratings. Household extension cords do not have overload protection and are not meant for use with computer systems. Do not use household extension cords with your Nortel Networks product.

Caution—Your Nortel Networks product is shipped with a grounding type (three-wire) power cord. To reduce the risk of electric shock, always plug the cord into a grounded power outlet.

Lithium Battery Cautions

Caution—This product contains a lithium battery. Batteries are not customer replaceable parts. They may explode if mishandled. Do not dispose of the battery in fire. Do not disassemble or recharge.

(Norway) WARNING—Lithium battery - Explosion hazard. When replacing, use only a battery recommended by the equipment manufacturer. Return used batteries to the equipment supplier.

(Sweden) WARNING—Risk of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to the manufacturer’s instructions.

(Denmark) WARNING! Lithium battery - Explosion hazard if handled incorrectly. Replace only with a battery of the same make and type. Return the used battery to the supplier.

(Finland) WARNING—The battery may explode if it is installed incorrectly. Replace the battery only with the type recommended by the equipment manufacturer. Dispose of the used battery according to the manufacturer’s instructions.

Warranty

Nortel Networks provides a limited warranty on all its products for a period of one year from the date of shipment. Free technical support and free replacement of hardware is provided for the first 90 days after shipment. You may choose to purchase additional service and support from Nortel Networks. Please contact your local sales representative for more information.

Contents

Preface 13
  Product Name & Platform Changes 13
  Who Should Use This Book 14
  How This Book Is Organized 14
  How to Get Help 15
  Typographic Conventions 16

Chapter 1: The Alteon Switched Firewall 17
  Feature Summary 17
  Alteon Switched Firewall Basics 18
  Network Elements 18
  Basic Operation 20
  Port Filtering 20
  Topology Specifics 21
  Security Processing 22
  Physical Description 23
  The Firewall Director 23
  The Alteon Firewall Accelerator 30

Chapter 2: Hardware Installation 33
  Required Equipment 34
  Model Compatibility 35
  Safety Precautions 35
  Rack-Mounting the Firewall Accelerator 36
  Rack-Mounting the Firewall Director 39
  Task Summary 39
  Select the Appropriate Rack-Mounting Kit 40
  Remove the Rack Doors 42
  Mark the Rack 42
  Attach the Slide Assemblies to the Rack 44
  Attach the System Chassis to the Slide Assemblies 53
  Add the Cable-Management Arm 55
  Reattach the Cabinet Doors 56
  Connecting Network Cables 57
  Basic Alteon Switched Firewall Network Topology 57
  Network Connector and Cable Specifications 59
  Port LED Indicators 62
  Automatic Selection of Redundant Connections 63
  Using the Firewall Director Cable-Management Arm 64
  Connecting Power 65
  Connecting AC Power for the Firewall Accelerator 65
  Connecting AC Power for the Firewall Director 65
  Turning Power On 67
  Turning Power Off 67
  Connecting a Console Terminal 68
  Requirements 68
  Console Connector and Cable Specifications 69
  Establishing a Connection 70

Chapter 3: Initial Setup 71
  Overview of Initial Setup Tasks 72
  Collect Basic System Information 72
  Example Network 73
  Use Setup for Basic Configuration 74
  Configure Licenses and Interfaces 78
  Install Check Point Management Tools 81
  Configuring and Installing Firewall Policies 89
  Task Overview 89
  Log in to the Policy Editor 89
  Define the Alteon Switched Firewall Object 90
  Establish Secure Internal Communications 92
  Using Central Licensing 94
  Create and Install Firewall Policies 95

Chapter 4: System Management Basics 97
  Management Tools 97
  Users and Passwords 98
  The Single System Image 99

Chapter 5: The Command Line Interface 101
  Accessing the Command Line Interface 102
  Using the Local Serial Port 102
  Defining the Remote Access List 102
  Using Telnet 104
  Using Secure Shell 106
  Using the Command Line Interface 109
  Basic Operation 109
  The Main Menu 110
  Idle Time-out 110
  Multiple Administration Sessions 110
  Global Commands 111
  Command Line History and Editing 113
  Command Line Shortcuts 114

Chapter 6: The Browser-Based Interface 115
  Features 115
  Getting Started 115
  Requirements 115
  Enabling the Browser-Based Interface 116
  Setting Up the Web-Browser 117
  Starting the Browser-Based Interface 118
  Basics of the Browser-Based Interface 120
  Interface Components 120
  Basic Operation 121
  BBI Forms Reference 122
  Global Command Forms 122
  The Monitor Forms 128
  The Cluster Forms 132
  The Network Forms 140
  The Firewall Forms 162
  The Operations Forms 167
  The Administration Forms 168
  The Diagnostics Forms 180

Chapter 7: Command Reference 183
  Main Menu 183
  Information Menu 187
  Network Display Menu 190
  Configuration Menu 194
  System Menu 197
  SFD IP and Firewall License Menu 233
  Accelerator Configuration Menu 235
  Network Configuration Menu 241
  Firewall Configuration Menu 307
  Miscellaneous Settings Menu 310
  Boot Menu 311
  Software Management Menu 313
  The Maintenance Menu 315
  Diagnostics Tools Menu 316
  Debug Information Menu 317
  Tech Support Dump Menu 323
  SFA Flow Control Configuration Menu 324

Chapter 8: Expanding the Cluster 325
  Adding a Second Firewall Accelerator 326
  Requirements 327
  Installing the New Firewall Accelerator 327
  Configuring the New Firewall Accelerator 329
  Adding Firewall Directors 331
  Requirements 331
  Installing the New Firewall Director 332
  Configuring the New Firewall Director 333
  Manually Adding a Firewall Director 338
  Synchronizing Firewall Directors 340
  Changing the Firewall Accelerator Ports 343
  Configuring the Inter-Accelerator Port 343
  Configuring the Firewall Director Uplink Ports 344
  Configuring the Network Ports 344

Chapter 9: Upgrading the Software 345
  Upgrading to Version 3.0 345
  Upgrading Version 3.0 to a Higher Version 349
  Overview of Upgrade Tasks 349
  Compatibility 349
  Types of Upgrade 350
  Installing a Minor/Major Release Upgrade 351
  Activating the Software Upgrade Package 353
  Reinstalling the Software 355

Chapter 10: Routing Information Protocol 357
  Distance Vector Protocol 357
  Stability 357
  RIP and ASF 358
  Routing Updates 358
  Configuring for Route Redistribution 359

Chapter 11: Open Shortest Path First 363
  OSPF Overview 363
  Types of OSPF Areas 364
  Types of OSPF Routing Devices 365
  Neighbors and Adjacencies 365
  The Link-State Database 366
  The Shortest Path First Tree 366
  Authentication 367
  Internal Versus External Routing 367
  Alteon Switched Firewall OSPF Implementation 368
  Configurable Parameters 368
  Defining Areas 369
  Interface Cost 371
  Electing the Designated Router and Backup 371
  Summarizing Routes 371
  Virtual Links 372
  Router ID 372
  Authentication 373
  OSPF Features Not Supported in This Release 374
  OSPF Configuration Examples 374
  Example 1: Simple OSPF Domain 375
  Example 2: Virtual Links 376
  Example 3: Summarizing Routes 380
  Example 4: Redistributing Routes 382
  Verifying OSPF Support 384

Appendix A: Event Logging API 385
  Configure the Check Point Management Server 385
  Configure the Firewall Directors 390
  The Check Point Log Viewer 392

Appendix B: Common Tasks 393
  Managing Check Point Central Licenses 393
  Installing Central Licenses with Secure Update 393
  Deleting or Reinstalling Central Licenses 394
  Mounting a Floppy Disk on the Firewall Director 394
  Mounting a CD-ROM on the Firewall Director 395
  Manually Upgrading the Firewall Accelerator 396
  Tuning Check Point NG Performance 397
  Increasing Connections 397
  Increasing NAT Connections 400
  Partially Accelerated Connections 401
  Reading System Memory Information 402
  Verifying VNIC Configuration 402
  Recovering from a Lock-Out 403

Appendix C: Troubleshooting 405
  Firewall Director Cannot Locate the Firewall Accelerator 405
  Configuration Did Not Update 406
  Failed to Establish Trust between Management Station and Firewall Director 407
  Cannot Check Communication or Download Policy on Firewall Director 409
  Low Performance with Other Devices 409
  Cannot Log in to EMC Station from Management Client 410
  Check Point Sends Connection Failed Messages to Firewall Director 410
  Low Performance Under Heavy Traffic 410

Appendix D: Software Licenses 411
  Apache Software Licence 411
  mod_ssl License 412
  OpenSSL and SSLeay Licenses 413
  OpenSSL License 413
  Original SSLeay License 414
  PHP License 415
  SMTPclient License 416
  GNU General Public License 417

Appendix E: Specifications 423
  Alteon Firewall Accelerator Specifications 423
  Physical Characteristics 423
  Power Requirements 423
  Supported Standards 423
  Port Specifications 424
  Environmental Specifications 424
  Certifications 424
  Alteon Firewall Director Specifications 425
  Physical Characteristics 425
  Power Requirements 425
  Environmental Specifications 425
  Port Specifications 426
  Certifications 426

Index 427


Preface

This Installation and User’s Guide describes the Alteon Switched Firewall system with version 3.0.2 software (and higher). This guide introduces the components and features of the system and explains how to perform installation, configuration and maintenance.

Product Name & Platform Changes

The Alteon Switched Firewall has been updated for integration into Nortel Networks’ larger vision for network security products. The update includes changes to all the hardware model names, as well as migration to a new hardware platform for the Firewall Director.

Although this manual uses the new product names and hardware descriptions, the Alteon Switched Firewall version 3.0.2 software is compatible with any legacy Alteon “SFA” and “SFD” products you may currently use.

The following table describes the new model naming convention used in this manual:

Table 1 Alteon Switched Firewall Product Names

Component               New Name    Old Name
Firewall Accelerators   ASF 5700    185-SFA
                        ASF 5600    184-SFA
                        ASF 5400    AD4-SFA
                        ASF 5300    AD3-SFA
Firewall Directors      ASF 5010    SFD-310
                        ASF 5008    SFD-308


Who Should Use This Book

This Installation and User’s Guide is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.

How This Book Is Organized

The chapters in this book are organized as follows:

Chapter 1, “The Alteon Switched Firewall,” provides an overview of the major features of the Alteon Switched Firewall, including the physical layout of its components and the basic concepts behind their operation.

Chapter 2, “Hardware Installation,” describes how to mount the components of the Alteon Switched Firewall, connect network cables, and attach power.

Chapter 3, “Initial Setup,” describes how to perform start-up configuration on the Alteon Switched Firewall.

Chapter 4, “System Management Basics,” describes the various tools used for managing the system, and explains basic management concepts.

Chapter 5, “The Command Line Interface,” describes how to access and use the text-based management interface for collecting system information and performing configuration.

Chapter 6, “The Browser-Based Interface,” describes how to enable, access, and use the built-in graphical user interface for managing the system with your Web browser.

Chapter 7, “Command Reference,” explains the menus, commands, and parameters of the text-based management interface.

Chapter 8, “Expanding the Cluster,” describes how to add components to the cluster for high-availability, increased processing capacity, and stateful failover.

Chapter 9, “Upgrading the Software,” describes how to upgrade or reinstall the Alteon Switched Firewall system component software.

Chapter 10, “Routing Information Protocol,” describes how to configure the Alteon Switched Firewall for RIP routing.

Chapter 11, “Open Shortest Path First,” describes how to configure the Alteon Switched Firewall for OSPF routing.


Appendix A, “Event Logging API,” describes how to view Alteon Switched Firewall log messages with your Check Point Log Viewer.

Appendix B, “Common Tasks,” describes routine management functions.

Appendix C, “Troubleshooting,” provides suggestions for troubleshooting basic problems.

Appendix D, “Software Licenses,” provides licensing information for the software used in this product.

Appendix E, “Specifications,” describes the physical characteristics of the Alteon Switched Firewall components.

How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:

Technical Solutions Center         Telephone
Europe, Middle East, and Africa    00800 8008 9009 or +44 (0) 870 907 9009
North America                      (800) 4NORTEL or (800) 466-7835
Asia Pacific                       (61) (2) 8870-8800
China                              (800) 810-5000

Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL:

http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:

http://www.nortelnetworks.com/help/contact/erc/index.html


Typographic Conventions

The following table describes the typographic styles used in this book.

Table 2 Typographic Conventions

Typeface or Symbol: AaBbCc123
  Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
  Example: View the readme.txt file. / Main#

Typeface or Symbol: AaBbCc123 (bold)
  Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
  Example: Main# sys

Typeface or Symbol: AaBbCc123 (italic)
  Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
  Example: To establish a Telnet session, enter: host# telnet / Read your User’s Guide thoroughly.

Typeface or Symbol: [ ]
  Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
  Example: host# ls [-a]

CHAPTER 1 The Alteon Switched Firewall

The Alteon Switched Firewall is a high-performance firewall system for network security. The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability.

Feature Summary

The Alteon Switched Firewall has the following features:

• Supports Check Point FireWall-1 NG software Feature Pack 2 (FP-2). This document is based on FP-2. If you are using other versions of the NG release, refer to the Check Point FireWall-1 documentation.
• Supports the Open Shortest Path First (OSPF) routing protocol—This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583, and route redistribution is also supported.
• Supports the Routing Information Protocol (RIP) version 1 and 2 with route redistribution.
• Uses hardware acceleration for dramatically increased performance.
• Provides dynamic scalability—Additional processing power can be added to the cluster without disrupting the firewall traffic.
• Provides dynamic Plug N Play—Added components can be automatically configured and brought into service.
• Provides a Single System Image (SSI)—all components in a given Alteon Switched Firewall cluster are configured together as a single system.
• Supports SNMP version 2c and 3 event and alarm traps.


Alteon Switched Firewall Basics

Network Elements

A basic network utilizing the Alteon Switched Firewall appears as follows:

Figure 1-1 Alteon Switched Firewall Network Elements (figure shows: Alteon Switched Firewall, consisting of a Firewall Director and a Firewall Accelerator; Alteon Local Console; Alteon Remote Console; Check Point Management Console & Policy Editor; Untrusted Client; Internet; Trusted Network; Untrusted Networks; DMZ Servers)

The Networks

• Trusted Networks: These represent internal network resources that must be protected from unauthorized access. Trusted networks usually provide internal services such as a company’s intranet, as well as valued applications made available to external clients, such as public e-commerce Web sites.
• Semi-trusted Networks: To increase security, services intended primarily for external clients are often placed on a separate network so that a hostile intrusion would not affect the company’s internal networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ).
• Untrusted Networks: These are the external networks that are presumed to be potentially hostile, such as the Internet.


The Firewall

• Alteon Switched Firewall: The Alteon Switched Firewall is placed in the path between your various trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator. The Alteon Switched Firewall consists of multiple Firewall Director and Firewall Accelerator components that are clustered together to act as a single system.
• Firewall Director: The Firewall Director is a compact, high-performance computing device running Firewall OS software. It uses built-in Check Point FireWall-1 NG software to inspect network traffic and enforce firewall policies. For increased firewall processing power, additional Firewall Directors can be attached to the cluster.
• Firewall Accelerator: The Firewall Accelerator is an Alteon switch running Accelerator OS software. It offloads the processing of secured traffic from the Firewall Director, enhancing firewall performance. For high-availability configurations, a second Firewall Accelerator and Firewall Director can be attached to the cluster.

The Management Interfaces

• Alteon Local Console: A local console is used for entering basic network information during initial configuration. Once the system is configured, the local console can be used to access the text-based Command Line Interface (CLI) for collecting system information and performing additional configuration. The Alteon console is not used to manage or install firewall policies.
• Alteon Remote Console: For a list of trusted users, the administrator can separately allow or deny Telnet or Secure Shell (SSH) access to the Alteon CLI, and HTTP or SSL access to the Alteon Browser-Based Interface. Remote access features can be used for collecting system information and performing additional configuration, but not to manage or install firewall policies.
• Check Point Enterprise Management Console (EMC): The EMC holds the master policy database for all the firewalls in your network. Its job is to establish Secure Internal Communications (SIC) with each valid firewall and load each firewall with the appropriate security policies.
• Check Point Management Clients: Check Point management client software, such as the Policy Editor, can be installed on one or more administrator workstations on your network. This software usually provides a graphical user interface for creating, modifying, and monitoring firewall policies. For security, management clients do not interact directly with the firewalls. Instead, any policy changes made in a management client are forwarded to the EMC which then loads them onto the firewalls. For convenience, a management client can be installed on the EMC.

Basic Operation

Traditional firewall solutions involve running firewall software on a workstation or server with a general-purpose Operating System (OS). Such general-purpose OS solutions have security holes, and software firewall solutions running on them perform poorly. The Alteon Switched Firewall was created to solve these problems.

The Alteon Switched Firewall is a combination of dedicated hardware and software (hardened OS, security applications, and networking technology). It addresses the needs for security, performance and ease of use.

To enhance versatility, the Alteon Switched Firewall is a multi-component solution. Hardware is a combination of Alteon Firewall Accelerators and Alteon Firewall Directors. The software is a combination of Alteon Accelerator OS software and the FireWall-1 NG software from Check Point. By using the throughput of a Gigabit switch controlled by the Check Point inspection engine, the speed of the firewall is dramatically increased. If you need more connections per second, additional Firewall Directors can be added.

Port Filtering

The Firewall Accelerator features wire speed packet filters that allow or deny traffic based on a variety of address and protocol characteristics. These port filters screen packets before they reach the firewall inspection engine. The logging information for these filters can be passed to the Check Point ELA log and can be viewed with the Check Point log viewer.

By using Alteon port filters, security and speed can be enhanced dramatically.


Topology Specifics

The classic software firewall model can become a security speed bump. Typically, data enters from one network card, passes through a policy inspection engine, and is deposited on another network card. When relying on the single processing path such systems offer, there are major limitations on speed and expandability.

The Alteon Switched Firewall solution flattens the security speed bump and boosts the speed of data.

Figure 1-2 Classic Firewall versus the Alteon Switched Firewall (figure panels: Classic Firewall Scenario, showing Clients, Switch, Firewall, Router, Internet, and Server Cluster; Alteon Switched Firewall Solution, showing Clients, Firewall Accelerator, Firewall Directors, Router, Internet, and Server Cluster, labelled Firewall Acceleration and Load Balanced Firewall Traffic Control, with Untrusted Networks and Trusted Networks marked)

Check Point FireWall-1 NG is a stateful inspection firewall. The Alteon Switched Firewall performs policy checking for every new connection request, manages the connection table, and specifies the rules for handling the subsequent packets in a session. Once a session is active, policy checking for packets is handled by the Firewall Accelerator.

Each port of a Firewall Accelerator has its own ASIC composed of two RISC processors and its own memory. These ports are connected to a high-capacity, multi-Gigabit backplane. The Firewall Accelerator performs parallel processing on data flowing through any port. All 18 processors work together regardless of the port through which the data entered the Firewall Accelerator.


Security Processing

The Firewall Director connection table is mirrored by the Firewall Accelerator. This is accomplished through the Nortel Networks patent pending Nortel Appliance Acceleration Protocol (NAAP).

After the Firewall Director inspection engine accepts the setup packets in a session, subsequent packets belonging to the session are inspected and forwarded by the Firewall Accelerator without the involvement of the Firewall Director. This solution achieves a tremendous improvement in firewall performance because approximately 90% of the data can be accelerated at wire speed.

Traditionally, a stateful inspection firewall would either interrogate every packet or run in a cut through mode or fast mode, which would inspect the first packet and then, once the packet is accepted, allow all further packets without investigation until the session ends. By using a high speed switch as a hardware accelerator, this inspection can be done at Gigabit speeds without compromising security.
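The packet path described under Port Filtering and Security Processing, as a simplified Python model added here for illustration (not Nortel code): the Accelerator's port filters run first, its mirrored connection table forwards packets of established sessions, and only session-setup packets reach the Director's policy engine. The rule format, the string-prefix address matching and the traffic are constructed, and a shared Python set stands in for the NAAP mirroring, whose wire format the page does not describe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Connection-table key: (proto, src, sport, dst, dport)
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # session setup packet
    fin: bool = False   # session end: the entry is removed from both tables

    def key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None matches any value
    src_prefix: Optional[str] = None  # constructed simplification: plain string prefix such as "10."
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dport is None or p.dport == self.dport))


def first_match(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class FirewallDirector:
    """Policy inspection engine: sees session setup packets only."""
    def __init__(self, policy: List[Rule]):
        self.policy = policy
        self.connections: Set[FlowKey] = set()
        self.inspected = 0

    def inspect_setup(self, p: Packet) -> bool:
        self.inspected += 1
        if first_match(self.policy, p, "deny") != "allow":   # policy is default deny
            return False
        self.connections.add(p.key())
        return True


class FirewallAccelerator:
    """Wire-speed port filters plus a mirror of the Director's connection table."""
    def __init__(self, port_filters: List[Rule], director: FirewallDirector):
        self.port_filters = port_filters
        self.director = director
        self.mirror: Set[FlowKey] = set()   # stands in for the table mirrored over NAAP

    def handle(self, p: Packet) -> str:
        # 1. Port filters screen the packet before any inspection engine sees it.
        if first_match(self.port_filters, p, "allow") == "deny":
            return "dropped:port-filter"
        # 2. A packet of an established session (either direction) is forwarded here;
        #    the Director is not involved. A FIN ends the session in both tables.
        k, rk = p.key(), p.reverse_key()
        if k in self.mirror or rk in self.mirror:
            if p.fin:
                for table in (self.mirror, self.director.connections):
                    table.difference_update({k, rk})
            return "forwarded:accelerated"
        # 3. A non-setup packet with no session entry is refused (stateful inspection).
        if not p.syn:
            return "dropped:no-session"
        # 4. Session setup is handed to the Director; an accepted entry is mirrored back.
        if self.director.inspect_setup(p):
            self.mirror.add(k)
            return "forwarded:director"
        return "dropped:policy"


def demo() -> Tuple[Dict[str, int], int]:
    """Constructed traffic: one allowed web session plus packets each layer refuses.
    Returns (packets per verdict, number of packets the Director inspected)."""
    director = FirewallDirector([Rule("allow", proto="tcp", dport=80)])
    accel = FirewallAccelerator([Rule("deny", proto="tcp", src_prefix="198.51.100.", dport=23)], director)
    web = lambda syn=False, fin=False: Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, syn, fin)
    reply = Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000)
    packets = [web(syn=True)] + [web(), reply] * 4 + [web(fin=True), web()] + [
        Packet("tcp", "198.51.100.7", 5555, "192.0.2.10", 23, syn=True),  # refused by port filter
        Packet("tcp", "198.51.100.7", 6000, "192.0.2.10", 80),            # no session entry
        Packet("tcp", "198.51.100.7", 7000, "10.0.0.9", 22, syn=True)]    # refused by policy
    counts: Dict[str, int] = {}
    for p in packets:
        v = accel.handle(p)
        counts[v] = counts.get(v, 0) + 1
    return counts, director.inspected
```

In the constructed session only the setup packet reaches the Director; the other nine forwarded packets, including the closing FIN, are handled from the mirrored table, and the packet sent after the FIN is refused because its entry is gone.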


Physical Description

The Alteon Switched Firewall system consists of the following components: one Alteon Firewall Director and one Alteon Firewall Accelerator. Additional Firewall Directors and Firewall Accelerators can be used for high-availability configurations.

The Firewall Director

This section describes the ASF 5010 and ASF 5008 Firewall Directors.

Features

• 1U height, rack-mountable chassis
• Serial port (DTE) at the back panel for system configuration and diagnostics
• FTP download to integrated hard disk for software upgrades
• The ASF 5010 features a gigabit fiber-optic uplink port for connection to the Firewall Accelerator

Front Panel Without Bezel

The Firewall Director is shipped with the front bezel detached. This protects the bezel during installation and allows access to the system’s CD-ROM and other internal elements.

Figure 1-3 Front Panel of the Firewall Director with Bezel Removed (callouts 1 through 12 are described below)

1. Cover screws The captive screws secure the chassis cover.

2. Bezel retainer slots These slots accept the bezel retainer tabs, used for attaching the front bezel to the chassis.


3. Bezel status connector This connector interfaces with the front bezel to provide status indicators when the bezel is attached.

4. Power button This button controls the AC power input to the system’s power supply. This button lights green when the power supply is turned on.

5. LED indicators (Table 1-1 Firewall Director Front Panel LEDs)

- System status indicator: When the system is reset, the LED is off. When the system is running, this LED displays solid blue. If the Chassis Identify function is selected, the LED flashes. There is a duplicate system attention indicator on the back panel. The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives. If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.
- Network Interface 1, 2 indicators: These indicators are for the 10/100 Mbps ports on the back of the system. These LEDs are solid green when a link is detected and flicker off when network activity is detected. Note: If AC power is connected to the power supply, these LEDs function even when the system is off.
- Hard-disk drive activity indicator: This LED blinks when activity is detected on the hard-disk drive.

6. System door release This button releases the door to the system power bay on the top of the chassis.

CAUTION—The system power bay contains high voltages. Do not open the power bay or touch the internal or external connectors on the power supplies. Only trained service technicians are authorized to open the system door or remove the system cover.

7. Hard drive

8. CD-ROM drive The disk eject button is located in the center of the drive panel.

9. Floppy disk drive The disk eject button is a metal tab located at the top, right of the drive.


10. PS/2 connector The PS/2 connector can be attached to a keyboard and mouse using a PS/2 Y-cable. When used with a monitor attached to the video connector, this provides a local console for system configuration and diagnostics.

NOTE – Mouse input is ignored for console operation.

11. Unit identification button This button is used to help locate a particular unit within a large rack array. When an identification button is pressed, the blue system status indicator on the front and back of the unit flashes until the identification button is pressed again.

12. Video connector The video connector can be attached to a monitor as part of a local console terminal for system configuration and diagnostics.

13. Items not presently supported:
- Universal Serial Bus (USB) connector


Front Panel Bezel

Figure 1-4 Front Bezel of the Firewall Director (callouts 1 through 4 are described below)

1. Bezel retainer tabs (on sides) These tabs are used to attach the bezel to the chassis.

2. Bezel lock This is used to secure the bezel. When the lock slot is in horizontal position, the bezel cannot be removed. When in the vertical position, the bezel may be removed, providing access to the hard drive, CD-ROM, and other internal elements.

3. System status indicator When the system is running, this indicator displays solid blue. If the Chassis Identify function is selected, the indicator flashes. There is a duplicate indicator on the back-panel.

4. System attention indicator The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives.

If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.


Attaching the Bezel

Leave the bezel off until the system is fully installed. Thereafter, the front bezel should remain attached except when accessing the system's CD-ROM drive and other internal elements (see "Front Panel Without Bezel" on page 23).

1. Make sure that the bezel lock is in the unlocked (vertical) position.

2. Align the right side of the bezel first. Fit the tab on the rear right of the bezel into the rightmost retainer slot on the chassis.

3. Align the left side of the bezel. Make sure that the tab on the rear left of the bezel aligns with the leftmost retainer slot on the chassis. Gently push the tab inward (it flexes slightly) and press the bezel into place.

4. If desired, use the bezel lock to secure the bezel.

Removing the Bezel

The front bezel can be removed to access the system's CD-ROM drive and other internal elements (see "Front Panel Without Bezel" on page 23).

1. Make sure that the bezel lock is in the unlocked (vertical) position.

2. Hold the bezel firmly so that it doesn’t fall away.

3. Free the left side of the bezel first. Push the leftmost bezel tab inward (it flexes slightly). When pressed far enough, the bezel tab will be released from the retainer slot on the chassis. Pull the left side of the bezel forward. The bezel will come free from the chassis.

Store the front bezel in a safe place while not in use and reattach it when finished with the system's CD-ROM or other internal elements.


Rear Panel

Figure 1-5 Rear Panel of the Firewall Director (callouts 1a, 1b and 2 through 10 are described below)

1. Dedicated uplink to the Alteon Firewall Accelerator
- ASF 5010: Uses the gigabit fiber-optic SC connector (1a). Not available on the ASF 5008.
- ASF 5008: Uses 10/100 Mbps port 1 (1b).
See "Port LED Indicators" on page 62 for conditions indicated by the port LEDs.

2. Expansion slot

3. Synchronization network connector On the 1650 Firewall Director (Figure 1-5), 10/100/1000 Mbps port 2 is used for synchronizing sessions among multiple Firewall Directors to provide stateful failover. On the 1550 Firewall Director, 10/100 Mbps port 2 is used to provide stateful failover. See "Port LED Indicators" on page 62 for an explanation of conditions indicated by the port LEDs.

4. AC power receptacle

NOTE – The Firewall Director is equipped with one power supply on outlet 1. The secondary power supply on outlet 2 is presently not supported.

5. System status indicator LED When the system is reset, the LED is off. When the system is running, this LED displays solid blue. If the system stops or if the unit identification button is pressed, the LED flashes.

The indicator flashes amber when the system needs attention due to a problem with power supplies, fans, system temperature, or hard drives.

If the system is connected to AC power and an error has been detected, the amber system status indicator will flash regardless of whether the system has been powered on.


6. Unit identification button This button is used to help locate a particular unit within a large rack array. When an identification button is pressed, the blue system status indicator on the front and back of the unit flashes until the identification button is pressed again.

7. System status connector

8. Keyboard connector The keyboard connector can be attached to a keyboard. When used with a monitor attached to the video connector, this provides a local console for system configuration and diagnostics.

9. Video connector The video connector can be attached to a monitor as part of a local console terminal for system configuration and diagnostics.

10. Serial port Connects a local console terminal for system configuration and diagnostics.

11. Items not presently supported:
- SCSI connector
- Server management port
- Universal Serial Bus (USB) connectors
- Mouse connector


The Alteon Firewall Accelerator

This section describes the ASF 5700, ASF 5600, ASF 5400, and ASF 5300 Firewall Accelerators.

Features
- Balances sessions among clustered Firewall Directors
- Offloads secured traffic to accelerate firewall throughput
- The ASF 5700 and ASF 5600 Firewall Accelerators feature dual-media network ports for 10/100 Mbps Fast Ethernet segments and fiber-optic segments
- The ASF 5700 Firewall Accelerator features extended session handling capacity

Front Panel

Figure 1-6 Front Panel of the ASF 5700 and ASF 5600 Firewall Accelerators (callouts 1 through 6 are described below; each port has "Data Link" and "Active" LEDs)

Figure 1-7 Front Panel of the ASF 5400 and ASF 5300 Firewall Accelerators (callouts 1 through 6 are described below; each port has "Data Link" and "Active" LEDs)


The front panel of the Firewall Accelerator has the following features:

1. Port 1 through Port 5 are reserved for networks By default, these ports are used for connecting trusted, untrusted and semi-trusted networks to the Alteon Switched Firewall.

2. Port 6 through Port 8 are reserved for connecting Firewall Directors By default, these ports are used for connecting Firewall Directors to the Firewall Accelerator.

3. Port 9 is reserved for connecting redundant Firewall Accelerators By default, this port is used to interconnect two Firewall Accelerators in a high-availability configuration.

NOTE – The arrangement of ports varies by model. On all models, the RJ-45 jacks are for connecting 10/100 Mbps Ethernet (10Base-T or 100Base-TX) copper segments and the SC jacks are for connecting Gigabit Ethernet (1000Base-SX) fiber-optic segments. Some models have dual physical connectors on some or all ports. See "Connecting Network Cables" on page 57 for specific port and cable information.

4. Port LED indicators See “Port LED Indicators” on page 62 for an explanation of conditions indicated by the port LEDs.

5. Power LED This green LED lights to indicate that the Firewall Accelerator is on and receiving power.

6. Serial port This is a female DB-9 serial (DCE) connector labeled "Console". This port is used only for diagnostic and recovery functions as directed by Nortel Networks technical support; because it gives direct access to the Accelerator, it should remain physically secured and disconnected when not in use.


Rear Panel

Figure 1-8 Rear Panel of the Firewall Accelerator (callouts 1 through 4 are described below)

The rear panel of the Firewall Accelerator has the following components:

1. AC power receptacle

2. Fuse housing

3. Power switch

4. Fan exhaust

CHAPTER 2 Hardware Installation

This chapter provides step-by-step instructions for physically installing the Alteon Switched Firewall components. It is assumed that the other components of your network (routers, servers, hubs, and so on) have already been physically installed.

Physical installation of the Alteon Switched Firewall involves the following tasks:

- Collect the required equipment (see page 34)
- Make sure that the components are compatible (see page 35)
- Understand and follow all safety precautions (see page 35)
- Rack-mount the Firewall Accelerator (see page 36)
- Rack-mount the Firewall Director (see page 39)
- Connect the required network cables (see page 57)
- Connect the power cords and power on the devices (see page 65)
- Connect a console terminal to the Firewall Director serial port (see page 68)

Each of these tasks is detailed in the following sections of this chapter. Required software setup is covered in Chapter 3.

NOTE – The instructions in this chapter are for installing the minimum system: one Firewall Director and one Firewall Accelerator. For configurations with multiple Firewall Directors or Firewall Accelerators, first install the minimum system as described in this chapter, then perform initial setup as described in Chapter 3. Once the minimum system is fully configured, add the extra components as described in Chapter 8.


Required Equipment

The Alteon Switched Firewall system requires the following minimum components:

- One standard 19-inch open or closed rack to mount the system (see page 36 and page 39), with 2-1/2 U of mounting space in:
    - A standard 19-inch open-frame relay rack with two 3-inch or 6-inch posts, or
    - A standard 19-inch enclosed four-post cabinet
- One Alteon Firewall Accelerator (see Table 2-1 on page 35 for system compatibility). Each Firewall Accelerator is shipped separately and includes the following items, which may be required during installation:
    - AC power cord
    - Rack mounting kit
- One Alteon Firewall Director (see Table 2-1 on page 35 for system compatibility). Each Firewall Director is shipped separately and includes the following items, which may be required during installation:
    - AC power cord: the unit is shipped with one U.S. standard and one EU standard power cord. Country-specific power cords are available separately.
    - Console cable
    - One two-post open rack installation kit for flush mounting or center mounting
    - One four-post rack installation kit for cabinet mounting
- You need the following tools and supplies to install the components:
    - #2 Phillips screwdriver
    - 11/32-inch wrench or nut driver (if changing the Firewall Director bracket to the flush-mount configuration)
    - Straight edge
    - Masking tape or felt-tip pen to mark the rack mounting position


Model Compatibility

Use compatible Alteon Switched Firewall components to achieve the desired performance:

Table 2-1 Firewall Component Compatibility

System Name | Performance               | Firewall Accelerator | Firewall Director
------------|---------------------------|----------------------|------------------
ASF 5710    | Extended Capacity Gigabit | ASF 5700             | ASF 5010
ASF 5610    | High Capacity Gigabit     | ASF 5600             | ASF 5010
ASF 5408    | Mid-Capacity              | ASF 5400             | ASF 5008
ASF 5308    | Economy                   | ASF 5300             | ASF 5008

Safety Precautions

Always observe the precautions in the manuals for this and all other equipment you are installing.

Assembly

CAUTION—The two-post open-frame relay rack must be properly secured and stabilized according to the rack manufacturer's or industry specifications before installing the components. The four-post cabinet rack must meet the relevant ANSI/EIA-310-D-92, IEC 297, or DIN 41494 specifications. Use extreme caution when moving a rack cabinet. Rack cabinets can be extremely heavy, yet move easily on their casters and have no brakes. Retract the leveling feet when moving the rack cabinet. Avoid long or steep inclines or ramps where loss of cabinet control may occur. When the cabinet is positioned, extend the leveling feet for support and to prevent the cabinet from rolling.

Use the rack-mount kits only with the components for which they were designed. Using kits from other systems may result in damage to the components and personal injury to yourself and others. Do not place or rack-mount the equipment in any way that exceeds the maximum weight-bearing capacity of the surface or rack, or that causes potentially hazardous uneven mechanical loading. If using components with extendable trays or slide mechanisms, do not extend more than one component at any given time. Do not climb on the rack or step or stand on any component in the rack.

To avoid pinching your fingers or hands, use caution when pressing component rail release latches and when sliding components into or out of the rack.


Power

CAUTION—Make sure the device is properly grounded electrically and that power connections are safe, particularly when using power strips. Avoid overloading your electrical supply circuits. Electrical ratings are printed on all your equipment. Be sure that your supply circuits and wiring can support the rated power draw of whatever equipment is used. The total branch load should not exceed 80% of the circuit rating.

Temperature

CAUTION—For proper air circulation, the air vents on the devices should not be blocked or obstructed by cables, panels, or other materials. The ambient temperature around operating equipment must not exceed 40°C. When installing the devices in a closed or multi-unit rack assembly, consider that the operating ambient temperature of the equipment may be higher than the ambient temperature of the room. Take appropriate steps to ensure that the devices do not overheat.

Rack-Mounting the Firewall Accelerator

The following procedure is for installing the Firewall Accelerator in a standard 19-inch open-frame relay rack with two 3-inch or 6-inch posts. Using the same equipment, the Firewall Accelerator can be flush-mounted (with the faceplate positioned flush with the rack posts) or forward-mounted (with the faceplate approximately 5 cm or 2 inches in front of the rack posts).

NOTE – Do not use the included rubber feet for a rack installation.

1. Unpack the Firewall Accelerator from its shipping box.

2. Turn the power switch to the OFF (O) position.


3. Connect the two mounting brackets to the Firewall Accelerator using the supplied screws as shown in Figure 2-1.

Figure 2-1 Position the Firewall Accelerator Rack-Mount Brackets (flush-mount: flange facing front; forward-mount: flange facing back)


4. Install the Firewall Accelerator in the rack using the appropriate screws for your rack-mount system (four 10-32, 12-24, M5X.8-6H, or M6X1-6H type screws), as shown in Figure 2-2.

Figure 2-2 Rack-Mounted Firewall Accelerator (front panel ports 1 through 9 shown)


Rack-Mounting the Firewall Director

This Firewall Director can be mounted in a number of configurations:

- Standard 19-inch two-post open-frame relay rack
    - Flush-mount
    - Center-mount
- Standard 19-inch four-post enclosed rack
    - The RapidRails™ rack kit can be installed in all the system manufacturer's four-post rack cabinets without tools
    - The VersaRails™ rack kit can be installed in most industry-standard four-post rack cabinets

The installation instructions for each configuration are covered in the following procedures.

Task Summary

Mounting the Firewall Director involves the following tasks (covered in detail in the following sections):

1. Selecting the appropriate rack-mounting kit

2. Removing the rack doors (for enclosed racks only)

3. Marking the rack

4. Attaching the slide assemblies to the rack

5. Attaching the system chassis to the slide assemblies

6. Adding the cable-management arm and routing the cables

7. Reattaching the rack doors (for enclosed racks only)


Select the Appropriate Rack-Mounting Kit

CAUTION—Use only the rack kit intended for the component being installed. Using the rack kit from or for another system may result in damage to the system and personal injury to yourself and others.

The Two-Post Open-Frame Rack-Mounting Kit

Figure 2-3 Two-Post Rack-Mounting Kit Components (slide assemblies, stiffening bracket, cable-management arm, 12-24 x 0.5-inch pan-head Phillips screws, stop blocks, status-indicator cable)

The two-post open-frame relay rack installation kit is intended for a standard 3-inch or 6-inch open-frame rack. The kit incorporates slide assemblies that enable the system to be pulled out of the rack for servicing. Both universal-spacing and wide-spacing post holes are accommodated. The kit contains all the parts for center-mount or flush-mount installation:

- Slide assemblies, one pair (2)
- Stiffening bracket (1)
- Cable-management arm (1)
- Status-indicator cable assembly (1)
- Stop blocks (2)
- 12-24 x 0.5-inch pan-head Phillips screws (10)
- Releasable tie wraps (not shown)


The Four-Post Cabinet Rack-Mounting Kits

There are two sets of rails for four-post cabinet rack-mounting kits: one for the RapidRails system and one for VersaRails.

Figure 2-4 Four-Post Rack-Mounting Kit Components (RapidRails slide assembly, VersaRails slide assembly, 12-24 x 0.5-inch flange-head Phillips screws for VersaRails only; common to both systems: cable-management arm, stop block, status-indicator cable)

- RapidRails slide assemblies, one pair (2)
- VersaRails slide assemblies, one pair (2)
- 10-32 x 0.5-inch flange-head Phillips screws (10) (for VersaRails only)
- Cable-management arm (1)
- Stop block (1)
- Status-indicator cable assembly (1)
- Releasable tie wraps (not shown)


Remove the Rack Doors

If installing the system in a four-post cabinet rack, remove the cabinet doors using the procedures in the documentation provided with your rack cabinet. This will provide easy access for the rest of the installation procedure.

CAUTION—Because of the size and weight of the rack cabinet doors, never attempt to remove or install them by yourself.

Store the cabinet doors where they will not pose a hazard or become damaged.

Mark the Rack

The Firewall Director requires 1U (44 mm or 1.75 inches) of vertical space for installation within a rack. Use the following procedure to identify an appropriate 1U position on your rack.

For this procedure you will need a straight-edge and either masking tape or a felt-tip pen to mark the mounting holes.

1. Unpack the Firewall Director from its shipping box.

2. Identify the 1U increments for your rack assembly.

Figure 2-5 Determining a 1U Mounting Position on a Two-Post Rack (shown at actual size; 1U = 1.75 inches / 44 mm; universal spacing alternates 0.5-inch / 12.7 mm and 0.625-inch / 15.9 mm hole intervals, wide spacing uses 1.25-inch / 31.7 mm intervals)


NOTE – Cabinet racks may differ. Some cabinets have square mounting holes instead of round ones. Some may have the 1U positions already marked and numbered (in which case you need merely select and note an empty 1U position instead of marking it with pen or tape).

Whether universal or wide spacing is used, the line dividing the top and bottom of each 1U vertical space falls exactly between the most closely spaced holes.

3. If the 1U positions are not already marked, use a straight-edge or masking tape to mark an empty 1U vertical space on the rack.

NOTE – If you are installing more than one system, install the first system in the lowest available position in the rack.

Be sure to mark the same top and bottom space on both vertical posts on the front and back rails. For example, in Figure 2-6, the taped positions indicate where the system’s upper and lower edges will be located on the vertical rails.

Figure 2-6 Marking the Vertical Rails


Attach the Slide Assemblies to the Rack

The slide assemblies of each rack-mounting kit are installed differently. See the appropriate procedure for your specific rack configuration:

- Two-post flush-mount (see page 45)
- Two-post center-mount (see page 48)
- Four-post RapidRails (see page 49)
- Four-post VersaRails (see page 51)

CAUTION—You must strictly follow the procedures in this document to protect yourself and others. Proper planning is important to prevent injury. The two-post relay rack must be properly secured and stabilized according to the rack manufacturer's or industry specifications before installing the components.

Use extreme caution when moving a rack cabinet. Rack cabinets can be extremely heavy, yet move easily on their casters and have no brakes. Retract the leveling feet when moving the rack cabinet. Avoid long or steep inclines or ramps where loss of cabinet control may occur. When the cabinet is positioned, extend the leveling feet for support and to prevent the cabinet from rolling.


Two-Post Flush-Mount Installation

The two-post rack kit includes brackets that can be configured for flush-mount installation. To install the slide assemblies for a flush-mount configuration, perform the following steps:

1. Locate the two slide assemblies and place them, side by side, on a smooth surface with the front ends of the slide assemblies toward you. Position both slide assemblies so that the center brackets are facing upwards (see Figure 2-7 on page 45).

NOTE – To prepare the slides for flush-mount installation, remove the front mounting bracket, rotate it 180 degrees, and reattach it on the opposite slide assembly.

Figure 2-7 Rotating the Front Mounting Bracket for Flush-Mount Installation

2. Using a #2 Phillips screwdriver and an 11/32-inch wrench or nut driver, remove two 12-24 x 0.5-inch pan-head Phillips screws, two nuts, and two shoulder washers from each front center bracket (see Figure 2-7).

3. Remove the front bracket from both slide assemblies.

4. Place the bracket from one slide assembly onto the threaded studs on the opposite slide assembly, with the bracket turned 180 degrees so that the mounting flange faces forward (see Figure 2-7).


5. Using the two shoulder washers and two nuts you removed in step 2, secure each front center-mount bracket finger-tight on its opposite slide assembly (see Figure 2-7).

6. Join the front brackets you just installed to the bracket on the slide assembly with the two 12-24 x 0.5-inch pan-head Phillips screws you removed in step 2 (see Figure 2-7). The joined bracket becomes the new extended rear bracket.

7. Repeat steps 4 through 6 to configure the other slide assembly.

8. Holding the left slide assembly into position in the rack at the location you marked, adjust the extended rear bracket tightly against the back of the vertical two-post rack and secure it to the rail with two 12-24 x 0.5-inch Phillips screws (see Figure 2-8).

Figure 2-8 Installing the Slide Assemblies for Flush-Mount Configuration (labeled: two-post open-frame rack, joined bracket, 12-24 x 0.5-inch pan-head Phillips screws (4 per slide), slide assembly, slide release latch, shoulder screw on system, system release latch)


9. Secure the front bracket on the slide assembly to the two-post rail with two 12-24 x 0.5-inch pan-head Phillips screws (see Figure 2-8).

10. Perform steps 8 and 9 to install the right slide assembly in the rack.

11. Use an 11/32-inch wrench or nut driver to fully tighten the nuts on the mounting brackets on both slide assemblies that you tightened with your fingers.

12. Install the stiffening bracket into the appropriate holes at the back of the slide assemblies and secure the bracket with a 12-24 x 0.5-inch pan-head Phillips screw on each slide assembly (see Figure 2-9). If the vertical rack is 3 inches wide, use the holes at the back end of the slide assemblies (shown in Figure 2-9). If the vertical rack is 6 inches wide, use the holes located 3 inches in front of the holes at the back end of the slide assemblies.

Figure 2-9 Installing the Stiffening Bracket (shown in 3-inch rack position)


Two-Post Center-Mount Installation

The two-post rack kit includes brackets configured for center-mount installation. To complete the installation, perform the following steps:

1. Locate the right slide assembly and push the back bracket towards the back of the slide assembly (see Figure 2-10).

Figure 2-10 Installing the Slide Assemblies for Center-Mount Configuration

2. Position the right slide assembly in the two-post rack at the location you marked, push the back bracket forward against the vertical two-post rack, and secure the front and rear center-mounting brackets to the rack with two 12-24 x 0.5-inch pan-head Phillips screws (see Figure 2-10).

3. Repeat steps 1 and 2 to install the left slide assembly in the rack.

4. Install the stiffening bracket into the appropriate holes at the back of the slide assemblies and secure the bracket with a 12-24 x 0.5-inch pan-head Phillips screw on each slide assembly (see Figure 2-10). If the vertical rack is 3 inches wide, use the holes at the back end of the slide assemblies (shown in Figure 2-9 on page 47). If the vertical rack is 6 inches wide, use the holes located 3 inches in front of the holes at the back end of the slide assemblies.


Four-Post RapidRails Installation

1. At the front of the rack cabinet, position one of the RapidRails slide assemblies so that its mounting-bracket flange fits between the marks or tape you placed on the rack (see Figure 2-11).

Figure 2-11 Installing the RapidRails Slide Assemblies

The mounting hook on the slide assembly’s front mounting bracket flange should enter the top hole between the marks you made on the vertical rails.


2. Push the slide assembly forward until the mounting hook enters its respective square hole on the vertical rail, and then push down on the mounting-bracket flange until the mounting hooks seat in the square holes and the push button pops out and clicks (see Figure 2-11 on page 49).

3. At the back of the cabinet, pull back on the mounting-bracket flange until the mounting hooks are located in their respective square holes, and then push down on the mounting-bracket flange until the mounting hooks seat in the square holes and the push button pops out and clicks.

4. Repeat steps 1 through 3 for the slide assembly on the other side of the rack.

5. Ensure that the rails are mounted at the same position on the vertical rails on each side of the rack.


Four-Post VersaRails Installation

1. At the front of the rack cabinet, position one of the VersaRails slide assemblies so that its mounting-bracket flange fits between the marks or tape (or numbered location) on the rack (see Figure 2-12).

Figure 2-12 Installing the VersaRails Slide Assemblies

The three holes on the front of the mounting bracket should align with three of the holes between the marks you made on the front vertical rail.


2. Install two 10-32 x 0.5-inch flange-head Phillips screws in the mounting flange’s top and bottom holes to secure the slide assembly to the front vertical rail (see Figure 2-12 on page 51).

3. At the back of the cabinet, pull back on the mounting-bracket flange until the mounting holes align with their respective holes on the back vertical rail.

4. Install three 10-32 x 0.5-inch flange-head Phillips screws in the back mounting flange’s holes to secure the slide assembly to the back vertical rail.

5. Repeat steps 1 through 4 for the slide assembly on the other side of the rack.

6. Ensure that the slide assemblies are mounted at the same position on the vertical rails on each side of the rack.


Attach the System Chassis to the Slide Assemblies

CAUTION—When installing multiple components in a rack, complete all of the procedures for the current system before attempting to install the next system. Due to the size and weight of the system, never attempt to install the system by yourself.

The rack-mounting kits are designed to support a single system. Using a kit to support more than one unit may cause damage or injury.

NOTE – This procedure is identical for all included rack-mounting kits.

1. Pull the slide assemblies out until they lock in the fully extended position.

2. Remove the system front bezel if attached (see “Removing the Bezel” on page 27).

3. Lift the system into position in front of the extended slides (see Figure 2-8 on page 46).

4. Place one hand on the front-bottom of the system and the other hand on the back-bottom of the system.

5. Tilt the back of the system down while aligning the back shoulder screws on the sides of the system with the back slots on the slide assemblies.

6. Engage the back shoulder screws into their slots.

7. Lower the front of the system and engage the front shoulder screws in the front slot behind the system release latch (see Figure 2-13 on page 54). The system release latch will move forward and then snap back as the shoulder screw passes into the front slot.

Use this system release latch when you wish to remove the system from the slide assemblies.

8. Press the slide release latch at the side of each slide to slide the system completely into the rack (see Figure 2-13 on page 54).


9. Push in and turn the captive thumbscrews on each side of the front chassis panel to secure the system to the rack.

Figure 2-13 Installing the System in the Rack Slide Assemblies


Add the Cable-Management Arm

The cable management arm can be installed on the back of the system, on either the right or left side. This procedure describes installing the cable management arm in the right side of the system, as viewed from the back. If you are installing several systems in the rack, consider installing the cable management arms on alternating sides for ease in cable routing.

To install the cable-management arm on the back of the system, perform the following steps:

1. Facing the back of the rack, locate the latch on the end of the right slide assembly.

2. Push the tab on the back end of the cable-management arm into the latch on the end of the slide assembly (see Figure 2-14).

Figure 2-14 Installing the Cable-Management Arm

The latch clicks when locked.

3. Push the tab on the remaining free end (the front) into a mating latch on the inner segment of the slide assembly (see Figure 2-14). The latch clicks when locked.


4. Install a stop block on the end of the opposite slide assembly (see Figure 2-14 on page 55). The stop block prevents the backward travel of the cable-management arm and supports the weight of the arm with its load of cables. The two-post rack kit has two stop blocks: one for right-side mounting and one for left-side mounting. You can only install the proper stop block.

5. Install the status-indicator cable plug into its connector.

6. Open the wire covers on the cable-management arm by lifting the center of the wire over the top of the embossed round button on the front of the forward part of the arm, and lifting the wire over the top of a similar round button on the back part of the arm. The wire cover swings open to enable cables to be routed within the arm.

7. Route the status-indicator end of the cable through the cable-management arm, and install the indicator in its slot at the back of the cable-management arm (see Figure 2-15).

Figure 2-15 Opening the Wire Covers

Reattach the Cabinet Doors

If installing the system in a four-post cabinet rack, reattach the cabinet doors using the procedures in the documentation provided with your rack cabinet.

CAUTION—Because of the size and weight of some rack cabinet doors, never attempt to remove or install them by yourself.


Connecting Network Cables

Basic Alteon Switched Firewall Network Topology

Once the Alteon Switched Firewall equipment is physically mounted in a rack system, the required network cables can be attached.

Although the precise network topology depends on your specific network, the basic Alteon Switched Firewall network topology suggested for initial configuration is simple, as shown below:

[Figure 2-16 (Basic System Topology): the Untrusted Network (Internet) and the Trusted Networks (Intranet) connect to ports 1 through 9 of the Firewall Accelerator (port LEDs: Data, Link, Active); the Firewall Director connects to the Firewall Accelerator; the Check Point Enterprise Management Console and an optional Check Point Management Client Console sit on the trusted side.]

Figure 2-16 Basic Alteon Switched Firewall Network

By default, the various ports on the Firewall Accelerator are reserved for specific purposes:

- Ports 1 through 5 are reserved for connecting trusted, untrusted and semi-trusted networks to the firewall.
- Ports 6 through 8 are reserved for Firewall Director connections. Ports 6 through 8 can also be configured for use as regular network ports. See “Changing the Firewall Accelerator Ports” on page 343 for more information.
- Port 9 is reserved for interconnecting redundant Firewall Accelerators in a high-availability configuration.


Using the reserved ports, connect the network cables as follows:

1. Attach the Firewall Director to any of Firewall Accelerator ports 6 through 8.

- Connecting an ASF 5010 Firewall Director
  To sustain high levels of throughput, the high-capacity ASF 5700 or ASF 5600 Firewall Accelerator should be connected only to a high-capacity ASF 5010 Firewall Director. Connect any of Firewall Accelerator ports 6 through 8 to the dedicated Firewall Director uplink port. The uplink port uses the gigabit fiber optic SC connector. The RJ-45 connector is not normally supported for ASF 5010 Firewall Director connections.
- Connecting an ASF 5008 Firewall Director
  To avoid overwhelming the Firewall Director, the economy class ASF 5008 Firewall Director should be connected only to an economy class ASF 5400 or ASF 5300 Firewall Accelerator. Connect any of Firewall Accelerator ports 6 through 8 to Firewall Director uplink port 1. The dedicated link uses a 10/100 Mbps RJ-45 connector.

NOTE – See “Network Connector and Cable Specifications” on page 59 for cable information.

2. Connect the trusted, untrusted and semi-trusted network feeds into any of ports one through five. All network ports are auto-negotiating and support half- or full-duplex operation.

- ASF 5700 or ASF 5600 Firewall Accelerators: Dual-media ports
  Each network port has dual physical connectors: one SC-style fiber optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. Depending on the network devices being attached to the system, either connector may be used. For devices which use dual-homing technology to achieve link redundancy, one connector can be used as the preferred link, and the other can be used as a backup. Only one of the two jacks will be active at any given time. Selection conditions are described in “Automatic Selection of Redundant Connections” on page 63.
- ASF 5400 or ASF 5300 Firewall Accelerators: Single-media ports
  The RJ-45 jack is for connecting 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments to the port.

Once network cabling is complete, power can be connected as described in “Connecting Power” on page 65.


NOTE – The default port assignments can be changed after initial installation and configuration. See “Changing the Firewall Accelerator Ports” on page 343 for more information. Also see Chapter 8, “Expanding the Cluster,” for details on adding system components to increase processing power or redundancy.

Network Connector and Cable Specifications

The following specifications apply to both the Firewall Director and Firewall Accelerator.

RJ-45 Connector Specifications for 10/100 Mbps Ethernet

Specifications

The RJ-45 connectors on the Firewall Director and Firewall Accelerator support both the 10Base-T and 100Base-TX Ethernet standards. The ports are designed to operate with UTP Category 5 cables equipped with standard RJ-45-compatible plugs.

The following table lists the cable characteristics for connecting to 10/100Base-T ports:

Table 2-2 10/100Base-T Cable Specifications

Port Type     Media                  Maximum Distance
10Base-T      Cat. 3, 4, or 5 UTP    100 meters (325 feet)
100Base-TX    Cat. 5 UTP             100 meters (325 feet)

NOTE – 100Base-T signaling requires four twisted pairs of Category 5 balanced cabling, as specified in ISO/IEC 11801:1995 and EIA/TIA-568-A (1995) and tested using procedures defined in TIA/EIA TSB95.

Dual-Media Ports

Some models of Firewall Accelerator feature dual physical connectors on some or all ports. The RJ-45 connector can be used as a backup for the preferred fiber optic port, or can be used as the sole connection in network configurations where optical wiring is not implemented. See “Automatic Selection of Redundant Connections” on page 63 for more information.

Cables: Straight-Through versus Crossover

10/100Base-T cables can be wired as straight-through or crossover, depending on the devices being connected.


When connecting different classes of devices (a computing device and a network device), a straight-through cable is generally used. In a straight-through cable, each pin on one connector is wired to the same numbered pin on the other connector (pin 1 is wired to pin 1, and so on).

Straight-through cables are used in the following circumstances:

- Connecting a Firewall Accelerator port to Firewall Director uplink port 1
- Connecting a Firewall Accelerator network port to a server or workstation
- Connecting the Firewall Director synchronization port to a hub, switch, or router port

When connecting similar classes of devices (two computers or two switches), a crossover cable is used. A crossover cable swaps certain pairs of wires to avoid connecting the data transmission pins together (transmit-to-transmit). In a crossover cable, the transmit pins on one connector are wired to the receive pins on the other end, and vice versa.

Crossover cables are used in the following circumstances:

- Connecting the Firewall Accelerator port to a hub, switch, or router port
- Directly interconnecting two Firewall Director synchronization ports

Use straight-through or crossover cables with pin assignments as specified below.

Straight-through cable (RJ-45 10/100 Mbps port to RJ-45 10/100 Mbps port):
pin 1 - pin 1
pin 2 - pin 2
pin 3 - pin 3
pin 6 - pin 6

Crossover cable (RJ-45 10/100 Mbps port to RJ-45 10/100 Mbps port):
pin 1 - pin 3
pin 2 - pin 6
pin 3 - pin 1
pin 6 - pin 2

Figure 2-17 Pin assignments for 10/100 Mbps port cables

NOTE – You can use straight-through cables instead of crossover cables if the device being connected has an “uplink” setting that you can enable.


SC Fiber-Optic Connector Specifications for Gigabit Ethernet

Specifications

For connecting to high-speed networks, the high-capacity ASF 5600 and ASF 5700 Firewall Accelerators feature gigabit fiber optic connectors on every port. The ASF 5300 and ASF 5400 Firewall Accelerators also have one gigabit connector on port 9 (reserved for high-availability configurations).

The SC fiber optic connectors support the 1000Base-SX Gigabit Ethernet standards, and are designed to operate with multimode fiber optic cables.

Figure 2-18 SC Fiber Optic Connector for the Alteon Switched Firewall

Table 2-3 lists the operating characteristics for the 1000Base-SX port using an 850nm laser.

Table 2-3 Multimode Fiber Operating Distance Characteristics

Description                  Operating Distance
62.5/160 multimode fiber     Up to 220 meters (721 ft.)
62.5/200 multimode fiber     Up to 275 meters (902 ft.)
50/400 multimode fiber       Up to 500 meters (1,639 ft.)
50/500 multimode fiber       Up to 550 meters (1,803 ft.)

Dual-Media Ports

The ASF 5400, ASF 5600, and ASF 5700 Firewall Accelerators feature two physical connectors on each gigabit port: one SC fiber optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. Depending on the network devices being attached to the system, either connector may be used.

For devices which use dual-homing technology to achieve link redundancy, one connector can be used as the preferred link, and the other can be used as a backup. Only one of the two jacks will be active at any given time. Selection conditions are described in “Automatic Selection of Redundant Connections” on page 63.


Port LED Indicators

Figure 2-19 depicts the LEDs for the Firewall Accelerator and Firewall Director ports.

[Figure 2-19: Firewall Accelerator 10/100Base-T (RJ-45) ports carry Data, Link and Active LEDs; Firewall Accelerator 1000Base-SX (SC) ports carry Data, Link and Active LEDs (Active LED not on the ASF 5300); Firewall Director 10/100Base-T (RJ-45) ports carry Data and Link LEDs; Firewall Director 1000Base-SX (SC) ports (ASF 5010 only) carry Data and Link LEDs.]

Figure 2-19 Firewall Accelerator and Firewall Director LEDs

Table 2-4 describes the states of the LEDs.

Table 2-4 Firewall Accelerator Port LEDs

LED       State      Description
Data      Blinking   Data detected on the port.
          Off        No data detected on the port.
Link      On         Good link.
          Off        No link; could be a result of a bad cable or bad connector, or configuration mismatch.
          Blinking   Port has been disabled by software.
Active    Dual-media ports:
          On         The jack indicated (either the RJ-45 or the SC) is selected for this port’s use.
          Off        The jack is not selected.
          Single-media ports:
          On         The port has a good link, or has been disabled by software.
          Off        The port is enabled, but has no link; could be a result of a bad cable or bad connector, or configuration mismatch.


Automatic Selection of Redundant Connections

Some Firewall Accelerator models feature two physical connectors on the same port: one SC fiber-optic connector for Gigabit Ethernet (1000Base-SX) segments and one RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. The ASF 5600 and ASF 5700 Firewall Accelerators feature dual connectors on ports 1 through 9. The ASF 5400 Firewall Accelerator has one dual connector on port 9.

When connecting the Firewall Accelerator to network devices which use dual-homing technology to achieve link redundancy, one port connector can be configured as the preferred link, and the other can be configured as a backup. By default, the Gigabit Ethernet port is preferred. See “Port Menu” on page 242 for port configuration commands.

Only one of the two jacks will be active at any given time. Automatic bring-up and fail-over between the port pairs follows these rules:

- If both the preferred and backup links are inactive:
  - If the user activates the preferred link first (by plugging a live cable into the jack), the link immediately becomes active.
  - If the user activates the backup link first, it remains inactive for a user-selectable time-out (default 1.5 seconds). If the preferred link is activated prior to the time-out, it becomes the active port. Otherwise, the backup link becomes active.
- If the active link fails, the backup link will become active, with minimally required software intervention.
- If the backup link is active and the preferred link becomes viable (either because of a newly created connection or because of a repaired link), the backup link will remain active until one of the following conditions occurs:
  - The backup link fails or is removed by the user.
  - The user forces the preferred link to become the active link from any management interface.
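The bring-up and fail-over rules above, as an added simulation that is not part of this manual and not Nortel code: the jack names "SC" and "RJ45", the method names and the timestamps are assumptions; the 1.5-second default time-out and the non-revertive behaviour are taken from the rules as stated.

```python
"""Simulation of the dual-media port selection rules listed above.

Added example, not Nortel code: jack names, method names and timestamps
are constructed; only the 1.5 s default time-out comes from the manual.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_TIMEOUT = 1.5  # seconds a freshly lit backup link waits for the preferred link


@dataclass
class DualMediaPort:
    """One Firewall Accelerator port with an SC (fiber) jack and an RJ-45 jack."""
    preferred: str = "SC"      # Gigabit Ethernet is preferred by default
    backup: str = "RJ45"
    timeout: float = DEFAULT_TIMEOUT
    up: Set[str] = field(default_factory=set)   # jacks that currently have a live link
    active: Optional[str] = None                 # jack selected for traffic (Active LED)
    pending_since: Optional[float] = None        # backup lit while idle; waiting for time-out

    def link_up(self, jack: str, now: float) -> Optional[str]:
        """A live cable was plugged into `jack` at time `now`; returns the active jack."""
        self.up.add(jack)
        if self.active is None:
            if jack == self.preferred:
                # Preferred link first, or before the time-out expired: active at once.
                self.active = jack
                self.pending_since = None
            elif self.pending_since is None:
                # Backup link first: hold it inactive and start the time-out.
                self.pending_since = now
        # If the backup is already active, a returning preferred link does NOT
        # pre-empt it (non-revertive); the operator must call force_preferred().
        return self.active

    def link_down(self, jack: str) -> Optional[str]:
        """The link on `jack` failed or its cable was removed; returns the active jack."""
        self.up.discard(jack)
        if jack == self.backup:
            self.pending_since = None          # a waiting backup that dies stops waiting
        if jack == self.active:
            other = self.backup if jack == self.preferred else self.preferred
            # Fail over to the other jack if it has a link, otherwise the port goes idle.
            self.active = other if other in self.up else None
        return self.active

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock; promotes a waiting backup link once the time-out expires."""
        if (self.active is None and self.pending_since is not None
                and now - self.pending_since >= self.timeout):
            if self.backup in self.up:
                self.active = self.backup
            self.pending_since = None
        return self.active

    def force_preferred(self) -> Optional[str]:
        """Operator forces the preferred link from a management interface."""
        if self.preferred in self.up:
            self.active = self.preferred
        return self.active


if __name__ == "__main__":
    port = DualMediaPort()
    print(port.link_up("RJ45", 0.0))   # None: backup alone waits for the time-out
    print(port.tick(1.5))              # RJ45: time-out expired, backup takes over
    print(port.link_up("SC", 2.0))     # RJ45: preferred returns but does not pre-empt
    print(port.force_preferred())      # SC: operator forces the preferred link
```

The last two calls show the point that matters when troubleshooting a port that shows the wrong Active LED: after a fail-over the fiber link does not take back the port on its own.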


Using the Firewall Director Cable-Management Arm

1. Once the I/O cables are connected to their respective connectors on the system back panel, route them through the cable-management arm. Use four loosely secured releasable tie wraps (two in the middle and one on each end of the cable-management arm). Do not fully tighten the tie wraps at this time (see Figure 2-20). Allow some cable slack in the cable-management arm to prevent damage to the cables.

2. Secure the cables to the cable-management arm:

- After connecting the cables to the system, unscrew the thumbscrews that secure the front of the system to the front vertical rail.
- Slide the system forward to the fully extended position.
- Route the cables along the cable-management arm, make any adjustments to the cable slack at the hinge positions, and secure the cables to the cable-management arm with the releasable tie wraps and the wire covers over the cable-management arm.

NOTE – As you pull the system out to its furthest extension, the slide assemblies lock in the extended position. To push the system back into the rack, press the slide release latch on the side of the slide, and then slide the system completely into the rack.

3. Slide the system in and out of the rack to verify that the cables are routed correctly and do not bind, stretch, or pinch with the movement of the cable-management arm.

4. Make any necessary adjustments to ensure that the cable slack is neither too tight nor too loose, yet keeps the cables in place as the system is moved in and out of the rack.

Figure 2-20 Routing Cables


Connecting Power

CAUTION—Make sure the device is properly grounded electrically and that power connections are safe, particularly when using power strips. Avoid overloading your electrical supply circuits. Electrical ratings are printed on the nameplates of all your equipment. Be sure that your supply circuits and wiring can support the rated power draw of whatever equipment is used. The total branch load should not exceed 80% of the circuit rating.

Connecting AC Power for the Firewall Accelerator

CAUTION—The Firewall Accelerator uses a 3A/250V fast-acting fuse. For continued protection against risk of fire, replace only with the same type and rating fuse. (French: Attention – Utiliser un fusible de rechange de même type; that is, use a replacement fuse of the same type.)

1. Connect the power cord to the power connector on the Firewall Accelerator.

2. Verify that the power switch is in the off position, and plug the cord into a properly fused outlet.

Connecting AC Power for the Firewall Director

1. Connect the power cord to AC power receptacle number 1 on the back of the unit (receptacle number 2 is not currently supported).

NOTE – The Firewall Director power button does not have discrete on and off positions. The button can safely be in any position when you connect the power cord. The unit will not power on until you plug in the unit and press the power button.

2. Install a tie-wrap through the slot on the strain-relief tab (see Figure 2-21 on page 66).

NOTE – Though the strain-relief tab can accommodate power cords with a bend radius of up to 19 mm (0.75 inch), the system manufacturer recommends that you only use the power cords provided with the system.


3. Bend the power cord back beside the power receptacle housing and form a tight loop. Install the strain-relief tie-wrap loosely around the looped power cord (see Figure 2-21 on page 66).

Figure 2-21 Installing the Power Cord Strain Relief

4. Route the power cables through the cable management arm (see “Using the Firewall Director Cable-Management Arm” on page 64).

5. Plug the cord into a properly fused outlet.


Turning Power On

1. Turn on the Firewall Accelerators. To turn power on, place the power switch in the on ( | ) position.

2. Turn on the Firewall Directors. To turn power on, press the power button on each Firewall Director. The power system indicator LED turns green to indicate that the power supply is turned on.

Turning Power Off

1. Stop the software on each Firewall Director. Log in to the cluster CLI and perform the following command for each Firewall Director (saving the one you are connected to for last):

# /cfg/sys/cluster/host /halt

2. Turn off the Firewall Directors. To turn power off, press the power button on either the front or back of each powered Firewall Director. When power is off, the power system indicator LED does not emit green light.

NOTE – The network interface indicators on the front panel of the Firewall Directors will function when the system is off, provided AC power is connected.

3. Turn off the Firewall Accelerators.


Connecting a Console Terminal

Each component of the Alteon Switched Firewall has its own console port, though they are used for different purposes:

- Alteon Firewall Director
  The serial port on the rear panel of the Firewall Director is used to access the system for initial configuration as well as collecting system information and statistics.
- Alteon Firewall Accelerator
  The console port on the front panel of the Firewall Accelerator is used only for diagnostic and recovery functions as directed by Nortel Networks technical support.

This section explains how to connect a console terminal to the Firewall Director serial port for system configuration.

Requirements

To establish a console connection on the Firewall Director, the following is required:

- An ASCII terminal or a computer running ASCII terminal emulation software set to the parameters shown in the table below:

Table 2-5 Console Configuration Parameters

Parameter       Value
Baud Rate       9600
Data Bits       8
Parity          None
Stop Bits       1
Flow control    none

- A standard straight-through serial cable with a male DB9 connector (included with the Firewall Director). An equivalent cable can be made as outlined in the next section.


Console Connector and Cable Specifications

The Firewall Director serial port female DB9 connector accepts a serial cable with a male DB9 connector.

Table 2-6 Pinouts for DB9 Serial Connector

Pin     Signal   I/O   Description
1       DCD      I     Data carrier detect
2       SIN      I     Serial input
3       SOUT     O     Serial output
4       DTR      O     Data terminal ready
5       GND      N/A   Signal ground
6       DSR      I     Data set ready
7       RTS      O     Request to send
8       CTS      I     Clear to send
9       RI       I     Ring indicator
Shell   N/A      N/A   Chassis ground

The following figure shows the pin assignments used for creating cables that connect to terminals with 9-pin or 25-pin connectors.

9-pin to 9-pin cable (Firewall Director 9-pin connector to PC serial port 9-pin connector):
DCD    pin 1    - pin 1
SIN    pin 2*   - pin 2
SOUT   pin 3*   - pin 3
DTR    pin 4    - pin 4
GND    pin 5*   - pin 5
DSR    pin 6    - pin 6
RTS    pin 7    - pin 7
CTS    pin 8    - pin 8
RI     pin 9    - pin 9

9-pin to 25-pin cable (Firewall Director 9-pin connector to PC serial port 25-pin connector):
DCD    pin 1    - pin 8
SIN    pin 2*   - pin 3
SOUT   pin 3*   - pin 2
DTR    pin 4    - pin 20
GND    pin 5*   - pin 7
DSR    pin 6    - pin 6
RTS    pin 7    - pin 4
CTS    pin 8    - pin 5
RI     pin 9    - not used

*Only the SIN, SOUT, and GND pins are required.

Figure 2-22 Console Cable Wiring for 9-Pin and 25-Pin Connectors

NOTE – Console cables are not intended for permanent installation and should be disconnected from the console port after configuring the Alteon Switched Firewall.


Establishing a Connection

1. Connect the terminal to the serial port using the correct serial cable. When connecting to a Firewall Director, use a standard serial cable with a male DB9 connector (both shipped with the Firewall Director).

2. Power on the terminal.

3. To establish the connection, press on your terminal. You should now see the login prompt. See “Users and Passwords” on page 98 for more login information.

CHAPTER 3 Initial Setup

This chapter describes how to perform initial setup for the minimal Alteon Switched Firewall configuration (one Firewall Director and one Firewall Accelerator).

It is assumed that you have installed the Alteon Switched Firewall hardware as described in Chapter 2, “Hardware Installation,” including mounting the components, attaching network cables, turning on power, and connecting a console terminal.

The following topics are discussed in this chapter:

- “Overview of Initial Setup Tasks” on page 3-72
- “Collect Basic System Information” on page 3-72
- “Example Network” on page 3-73
- “Use Setup for Basic Configuration” on page 3-74
- “Configure Licenses and Interfaces” on page 3-78
- “Install Check Point Management Tools” on page 3-81
- “Configuring and Install Firewall Policies” on page 3-89

NOTE – For configurations with multiple Firewall Directors or Firewall Accelerators, first install the minimum system as described in Chapter 2, “Hardware Installation,” on page 33 and perform initial setup as described in this chapter. When the minimum system is fully configured, add and set up the extra components as described in Chapter 8, “Expanding the Cluster,” on page 325.


Overview of Initial Setup Tasks

Initial setup involves the following tasks, each of which is detailed in the remaining sections of this chapter:

- Collect basic system information (page 72)
- Understand the example network (page 73)
- Use the CLI Setup utility for basic configuration (page 74)
- Use the CLI to configure Check Point NG licenses and network details (page 78)
- Install Check Point management tools on a separate administration station (page 81)
- Use the management tools to configure and install firewall policies (page 89)
- Update the system software, if required

Collect Basic System Information

The following is needed prior to configuring the Alteon Switched Firewall:

- A Check Point license for each Firewall Director in the cluster.
- One subnet assigned for internal Alteon Switched Firewall use. This subnet must consist of the following IP addresses:
  - One Management IP (MIP) address. This is used as the main access point for the entire Alteon Switched Firewall cluster.
  - An IP address for each Firewall Director in the cluster.
  - An IP address for each Firewall Accelerator in the cluster.

NOTE – The highest IP address and lowest IP address in the subnet range are reserved for broadcasts and cannot be assigned to specific cluster devices.

- A list of subnets that will be statically configured on the firewall for internal subnets, plus the IP address of the internal router that handles routes for these subnets.
- The IP address of the default gateway for data moving from the Alteon Switched Firewall to the Internet.
- An IP address reserved for the Alteon Switched Firewall on each trusted, untrusted, and semi-trusted subnet that will connect directly to the firewall.


- A Check Point Enterprise Management Console (EMC) and Policy Editor client on one of the networks attached to the Firewall Accelerator.
- The Firewall Accelerator must be installed with Accelerator OS version 1.0 or higher and the Firewall Director must be installed with Firewall OS version 1.0 or higher.

NOTE – Before upgrading the software on the Firewall Accelerator and Firewall Director, you must perform the initial setup procedures as explained in this chapter. Once initial setup is complete, see Chapter 9, “Upgrading the Software,” on page 345 for more information.

Example Network

The following example network will be used to illustrate the procedures described in this chapter:

[Figure 3-1: Alteon Switched Firewall with MIP 192.168.1.1; Firewall Accelerator IP 192.168.1.2, gateway 10.1.1.2; Firewall Director IP 192.168.1.3 on Firewall Accelerator port 6. Network A (Untrusted) on port 1, interface IF1 with IP 10.1.1.1, reaching the Internet through a router whose inside interface is 10.1.1.2. Network B (Trusted), 10.2.0.0/16, on port 2, interface IF2 with IP 10.2.0.1; the Check Point EMC at 10.2.0.2 uses gateway 10.2.0.1.]

Figure 3-1 Example Network for Initial Setup

Using this topology, the required information is as follows:

- Alteon Switched Firewall cluster MIP address: 192.168.1.1
- Firewall Accelerator IP address: 192.168.1.2
- Firewall Director IP address: 192.168.1.3
- Firewall default gateway IP address: 10.1.1.2 (Router interface)
- Network A (Untrusted) IP addresses: 10.1.1.0/24, with 10.1.1.1 reserved for firewall


- Network B (Trusted) IP addresses: 10.2.0.0/16, with 10.2.0.1 reserved for firewall
- Check Point Enterprise Management Console (EMC) IP address: 10.2.0.2 (located on Network B)

Once the network information is collected, you can use the Setup utility to begin basic system configuration.
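A checker for the cluster-subnet plan required under “Collect Basic System Information”, run against the example network above; this is an added example, not part of the manual and not Nortel code, and the function name and message wording are assumptions. It applies the rules as stated: one MIP plus one address per Firewall Director and per Firewall Accelerator, all inside the cluster subnet, never the lowest or highest address of that subnet, and no address used twice.

```python
"""Checker for the Alteon Switched Firewall cluster-subnet address plan.

Added example, not Nortel code: the function name and the message wording
are constructed; the addresses in the demo are the manual's example network.
"""
import ipaddress
from typing import Dict, List


def check_cluster_plan(subnet: str, mip: str,
                       directors: List[str], accelerators: List[str]) -> List[str]:
    """Return the problems found with the plan; an empty list means it is usable."""
    net = ipaddress.ip_network(subnet, strict=True)

    # Every cluster component needs its own address in the cluster subnet.
    roles: Dict[str, str] = {"MIP": mip}
    for i, addr in enumerate(directors, 1):
        roles[f"Firewall Director {i}"] = addr
    for i, addr in enumerate(accelerators, 1):
        roles[f"Firewall Accelerator {i}"] = addr

    problems: List[str] = []
    seen: dict = {}  # address -> role that claimed it first
    for role, addr in roles.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{role} {addr} is outside the cluster subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            # Lowest and highest addresses are reserved for broadcasts (manual's NOTE).
            problems.append(f"{role} {addr} is a reserved address in {net}")
        if ip in seen:
            problems.append(f"{role} {addr} duplicates {seen[ip]}")
        seen[ip] = role

    if not directors:
        problems.append("at least one Firewall Director is required")
    if not accelerators:
        problems.append("at least one Firewall Accelerator is required")
    return problems


if __name__ == "__main__":
    # The manual's example network: MIP .1, Firewall Accelerator .2, Firewall Director .3.
    result = check_cluster_plan("192.168.1.0/24", "192.168.1.1",
                                directors=["192.168.1.3"], accelerators=["192.168.1.2"])
    print("example network plan OK" if not result else result)
```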

Use Setup for Basic Configuration

The Firewall Director console connection is used to access the Alteon Switched Firewall while performing initial configuration. Connect the included console cable between the serial port on the Firewall Director to the serial port of a computer with terminal emulation software as described in “Connecting a Console Terminal” on page 68.

Press on the console terminal to establish the connection. The Alteon Switched Firewall login prompt will appear. Enter the default login name (admin) and the default password (admin). If the Alteon Switched Firewall is set to factory defaults, a special Setup utility menu will appear:

login: admin
Password: admin (not displayed)

Welcome to the Alteon Switched Firewall initialization.
------[Setup Menu]
join    - Join an existing SFD cluster
new     - Initialize SFD as a new installation
offline - Initialize SFD for offline switchless maintenance
boot    - Boot Menu
exit    - Exit

>> Setup#

NOTE – If the Setup Menu does not appear, disconnect the Firewall Director from the cluster and reset it to its factory default state using the /boot/delete command (see page 312).

Below is an example of the Setup utility prompts and configuration. Follow the example to initialize a “new” installation. After answering the various Setup questions, the built-in Check Point software will be initialized.


1. Select a “new” installation.

>> Setup# new
Setup will guide you through the initial configuration of a new SFD cluster.

2. Enter the network IP address for this Firewall Director:

Enter an IP address for this SFD: 192.168.1.3

NOTE – The IP addresses shown here and in the following steps are taken from the example network on page 73. Enter information for your specific network configuration.

3. Enter the network mask for the entire cluster subnet:

Enter a network mask or /bit count [255.255.255.0 or /24]: /24

In this example, the cluster network spans 192.168.1.0/24.

4. Enter other network IP address information. These addresses must be in the cluster subnet.

Enter DNS server IP [none]:
Enter the cluster Master IP address (MIP): 192.168.1.1

5. Set your time zone by selecting continent or ocean, then country, then region. For example:

Timezone setting
1 - Africa
2 - America
3 - Antarctica
4 - Arctic
5 - Asia
6 - Atlantic
7 - Australia
8 - Europe
9 - Indian
10 - Pacific
Select a continent or an ocean, or enter a full timezone name: 2

Countries:
 1 - Antigua&Barbuda     18 - Ecuador            35 - Panama
 2 - Anguilla            19 - Grenada            36 - Peru
 3 - Antilles            20 - French Guiana      37 - St Pierre & Miquelon
 4 - Argentina           21 - Greenland          38 - Puerto Rico
 5 - Aruba               22 - Guadeloupe         39 - Paraguay
 6 - Barbados            23 - Guatemala          40 - Suriname
 7 - Bolivia             24 - Guyana             41 - El Salvador
 8 - Brazil              25 - Honduras           42 - Turks & Caicos Is
 9 - Bahamas             26 - Haiti              43 - Trinidad & Tobago
10 - Belize              27 - Jamaica            44 - United States
11 - Canada              28 - St Kitts&Nevis     45 - Uruguay
12 - Chile               29 - Cayman Islands     46 - St Vincent
13 - Colombia            30 - St Lucia           47 - Venezuela
14 - Costa Rica          31 - Martinique         48 - Virgin Islands (UK)
15 - Cuba                32 - Montserrat         49 - Virgin Islands (US)
16 - Dominica            33 - Mexico
17 - Dom. Republic       34 - Nicaragua
Select a country: 44

Regions & cities:
 1 - Adak                 8 - Indiana/Marengo    15 - New York
 2 - Anchorage            9 - Indiana/Vevay      16 - Nome
 3 - Boise               10 - Indianapolis       17 - Phoenix
 4 - Chicago             11 - Juneau             18 - Shiprock
 5 - Denver              12 - Los Angeles        19 - Yakutat
 6 - Detroit             13 - Louisville
 7 - Indiana/Knox        14 - Menominee

Select a region or city: 12
Selected timezone: America/Los_Angeles

6. Select a time server and set the current date and time:

Enter NTP server name or IP address [none]:
Enter the current local date (YYY-MM-DD) [2001-07-10]:
Enter the current local time (24-hour, HH:MM:SS) [14:21:23]:

7. Set the new administrator password:

Enter new admin user password: admin (not displayed)
Enter password again: admin (not displayed)

8. Generate a new Secure Shell (SSH) host key for use in secure remote administration sessions:

Generate a new ssh host key? ([y]/n) y (Unnecessary to press )

It is recommended that you generate a new SSH key in order to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client. Answer the prompt by pressing the y or n key. Do not press .

9. Set the Check Point one-time password:

Enter CheckPoint SIC one-time password: (not displayed)
Enter password again: (not displayed)

The one-time password entered here will be required later when establishing Secure Internal Communications (SIC) between the EMC and the Firewall Director.

10. Allow self-configuration to complete.

Once the basic configuration information has been entered, the system begins a phase of self-configuration and initialization. During this phase, a series of messages are displayed. The self-configuration phase is complete when the following message is displayed:

Setup successful. Please relogin to configure.

Once this Setup process is complete, you will need to log in and configure Check Point licenses as shown in the following section.


Configure Licenses and Interfaces

During this portion of the initialization process, you must install additional interfaces and a Check Point license.

Once the Setup utility has been used for basic system configuration, the Setup menu is no longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:

[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]

>> Main#

Use the following CLI commands to install your Check Point licenses and to configure information about the network.

1. If local licensing is used, enter Check Point licensing information for the Firewall Director.

NOTE – If central licensing is used, skip this step. With central licensing, the license is pushed from the EMC in a later step.

The license information will be part of your Check Point package. The expected information will appear similar to this:

• Expiry date: 02aug2001
• Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
• License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn

Log in to the Firewall Director using the administrator account. Be sure to enter the information exactly as shown on your specific Check Point license.

>> # /cfg/pnp/add
Enter the IP Address: 192.168.1.3 (address of the Firewall Director)
Enter the Expiry date for the License:
Enter the Feature string:
Enter the License string:

Successfully added to the registry

NOTE – Local license installation is performed through the CLI only. Do not install local licenses using the root login or Secure Update or they will be automatically deleted.

2. Configure information for the attached Firewall Accelerator:

>> iSD IP and Firewall License# /cfg/acc/ac1
>> Accelerator 1# addr 192.168.1.2

NOTE – You can also specify a MAC address in the Accelerator 1 Configuration menu. However, when the automatic discovery feature is enabled, the Alteon Switched Firewall automatically determines the MAC address of the Firewall Accelerator. Auto discovery is on by default, but can be turned on or off using the /cfg/acc/auto command.

3. Configure the ports and interfaces for the attached networks. In our example, two networks are attached to the Firewall Accelerator: Network A on port 1 and Network B on port 2. These would be configured using IP interfaces (IFs) as follows:

>> Accelerator 1# /cfg/net/port 1 (Pick Network A port 1)
>> Port 1# ena (Enable port 1)
>> Port 1# ../if 1 (Pick IF 1 for Net. A)
>> Interface 1# addr 10.1.1.1 (Set address for IF 1)
>> Interface 1# mask 255.255.255.0 (Set mask for IF 1)
>> Interface 1# ena (Enable IF 1)
>> Interface 1# port/add 1 (Add Net. A port to IF 1)
>> Ports # /cfg/net/port 2 (Select Network B port 2)
>> Port 2# ena (Enable port 2)
>> Port 2# ../if 2 (Pick IF 2 for Net. B)
>> Interface 2# addr 10.2.0.1 (Set address for IF 2)
>> Interface 2# mask 255.255.0.0 (Set mask for IF 2)
>> Interface 2# ena (Enable IF 2)
>> Interface 2# port/add 2 (Add Net. B port to IF 2)

NOTE – Interface broadcast addresses will be automatically calculated from the network mask unless configured manually.

4. Configure a default gateway or static route for the external networks. Traffic headed to the Internet needs to be directed to its next hop. In this example, a default gateway is used:

>> Interface 2# /cfg/net/route/gate/gw 1 (Pick default gateway 1)
>> Default gateway 1# addr 10.1.1.2 (Set gateway IP address)
>> Default gateway 1# ena (Enable the gateway)

5. Apply the configuration changes:

>> Default gateway 1# apply

This command applies the configuration changes on the Firewall Director as well as on the Firewall Accelerator (no manual configuration is required on the Firewall Accelerator). The Firewall Director will also upgrade the Firewall Accelerator software if required.

Once the apply process is complete, the Link LED indicators for configured ports will stop blinking. Link indicators for disabled ports will continue blinking.


In our example network, you can verify that the Firewall Accelerator configuration has been updated by examining the port LEDs. The Link LEDs for ports 1 and 2 will no longer blink.
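The following Python is an added example, not Nortel's code or part of this guide: it models the consistency checks implied by the Setup and /cfg/net steps above for the example network (cluster addresses must share the cluster subnet, an interface's broadcast address follows from its mask as the note states, and the default gateway must be reachable through a configured interface). The function names and the "gateway lies in an interface subnet" rule are assumptions for illustration.

```python
"""Pre-apply sanity checks for the example network plan in this chapter.

Added example, not Nortel's code. It mirrors three requirements the
procedure states: the MIP, Firewall Director and Firewall Accelerator
addresses must all fall in the cluster subnet (Setup step 4); an IF's
broadcast address is derived from its mask unless set manually (note
after step 3); and the default gateway must be reachable through a
configured IF (assumed here as "lies in an interface's subnet").
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed plan using the same numbers as the example network on page 73
EXAMPLE_CLUSTER: Dict[str, str] = {
    "director": "192.168.1.3",
    "mip": "192.168.1.1",
    "accelerator": "192.168.1.2",
}
EXAMPLE_CLUSTER_MASK = "/24"
# (interface address, mask) pairs as entered under /cfg/net/if
EXAMPLE_INTERFACES: List[Tuple[str, str]] = [
    ("10.1.1.1", "255.255.255.0"),   # IF 1, Network A (untrusted)
    ("10.2.0.1", "255.255.0.0"),     # IF 2, Network B (trusted)
]
EXAMPLE_GATEWAY = "10.1.1.2"


def parse_mask(mask: str) -> int:
    """Accept either form the Setup prompt offers ('/24' or '255.255.255.0')
    and return the prefix length."""
    suffix = mask if mask.startswith("/") else "/" + mask
    return ipaddress.ip_network("0.0.0.0" + suffix, strict=False).prefixlen


def cluster_subnet_check(addresses: Dict[str, str], mask: str) -> Dict[str, object]:
    """Verify that every cluster address shares the Firewall Director's subnet."""
    prefix = parse_mask(mask)
    subnet = ipaddress.ip_network(f"{addresses['director']}/{prefix}", strict=False)
    outside = [name for name, addr in addresses.items()
               if ipaddress.ip_address(addr) not in subnet]
    return {"subnet": str(subnet), "ok": not outside, "outside": outside}


def interface_broadcast(addr: str, mask: str) -> str:
    """Broadcast address derived for an IF from its address and mask."""
    net = ipaddress.ip_network(f"{addr}/{parse_mask(mask)}", strict=False)
    return str(net.broadcast_address)


def interface_address_check(addr: str, mask: str) -> bool:
    """An IF address must be a usable host address, not the network or
    broadcast address of its subnet."""
    net = ipaddress.ip_network(f"{addr}/{parse_mask(mask)}", strict=False)
    ip = ipaddress.ip_address(addr)
    return ip != net.network_address and ip != net.broadcast_address


def gateway_interface(gateway: str, interfaces: List[Tuple[str, str]]) -> Optional[str]:
    """Return the IF address whose subnet contains the gateway, or None when
    no configured interface can reach it directly (assumed requirement)."""
    gw = ipaddress.ip_address(gateway)
    for addr, mask in interfaces:
        net = ipaddress.ip_network(f"{addr}/{parse_mask(mask)}", strict=False)
        if gw in net:
            return addr
    return None


def check_plan(cluster: Dict[str, str], mask: str,
               interfaces: List[Tuple[str, str]], gateway: str) -> List[str]:
    """Collect every problem found; an empty list means the plan is consistent."""
    problems: List[str] = []
    result = cluster_subnet_check(cluster, mask)
    for name in result["outside"]:  # type: ignore[union-attr]
        problems.append(f"{name} {cluster[name]} is outside cluster subnet {result['subnet']}")
    for addr, m in interfaces:
        if not interface_address_check(addr, m):
            problems.append(f"IF address {addr} mask {m} is a network or broadcast address")
    if gateway_interface(gateway, interfaces) is None:
        problems.append(f"default gateway {gateway} is not on any configured IF subnet")
    return problems


if __name__ == "__main__":
    for addr, m in EXAMPLE_INTERFACES:
        print(f"IF {addr} mask {m} -> broadcast {interface_broadcast(addr, m)}")
    found = check_plan(EXAMPLE_CLUSTER, EXAMPLE_CLUSTER_MASK, EXAMPLE_INTERFACES, EXAMPLE_GATEWAY)
    print("problems:", found or "none")
```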

Install Check Point Management Tools

The Alteon Switched Firewall uses standard Check Point management tools (available separately) to install, maintain, and monitor firewall policies. The following Check Point tools are required to be installed on appropriate administrator workstations on your network:

• Check Point Enterprise Management Console (EMC)–This software acts as the central database for all your firewalls. The EMC establishes secure communications with all your Check Point firewalls, stores all their firewall policies, and uploads the policies to the appropriate firewalls as necessary. The EMC must be installed on a separate administrator workstation (not on the Alteon Switched Firewall components).
• Check Point Policy Editor management client–The management client software interfaces with the EMC to provide a graphical user interface for creating, editing, and monitoring firewall security policies. It can be installed on the EMC or on administrative workstations in your network (not on the Alteon Switched Firewall components).

If you have already installed an appropriate Check Point EMC and Policy Editor on workstations in your network, proceed to “Configure and Install Firewall Policies” on page 89.

The following procedure outlines how to install the Check Point management tools with Feature Pack-2. For details about this or any other version of Check Point software, please refer to your complete Check Point documentation.

1. Make sure that your EMC station meets or exceeds the minimum requirements. Check Point EMC requires a workstation or server with the following:

• Operating System: Windows NT 4.0 SP6a or Windows 2000 Server and Advanced Server (SP2)
• Processor: Intel Pentium II 300 MHz or better
• Disk space: 40 MB
• Memory: 256 MB
• Check Point NG CD-ROM
• Network presence on one of the subnets attached to the Firewall Accelerator

2. Insert the Check Point software CD-ROM into the EMC station drive. The installation program will start automatically.


The following material will explain any important prompts and the expected responses. For prompts not covered in these steps, follow any onscreen instructions.

3. When prompted from the Product Menu, select Server/Gateway Components and click on the Next button:

4. When prompted, specify the components being installed:

Select the checkboxes for the following items and click on the Next button:

• VPN-1 & FireWall-1
• Management Clients

NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.


5. When prompted to confirm installing the components, click on the Next button.

At this point, the installation program will begin installation of each component. First, a common Check Point component known as the SVN Foundation will be automatically installed and configured. When completed, the FireWall-1 software installation will begin with Feature Pack-1. Feature Pack-2 will be automatically installed during a later step.

6. When prompted, select Enterprise Primary Management as the type of product and click on the Next button.

7. Follow the onscreen prompts until Feature Pack-1 installation is complete and you see the following prompt:

Click on the OK button. The system will not reboot at this time, but will automatically continue with the installation of Feature Pack-2.

8. When prompted, specify whether or not to include backward compatibility with previous versions of the Check Point Firewall-1 software.

When finished, the Management Client installation will begin.

9. Follow the onscreen prompts until asked to specify the Management Client components to be installed:

Select the checkboxes for the following items and click on the Next button:

• Policy Editor
• Log Viewer
• System Manager
• Secure Update

NOTE – In this procedure, the Management Client tools are being installed on the EMC station. These tools may also be installed on a remote station.

Click on the Next button to install the management client software.


10. Once the software is installed, click on the OK button to configure licenses:

11. When prompted, specify a valid Check Point license for the EMC. Select the Fetch From File or Add button and specify the appropriate license data:

12. When prompted, add login information for EMC administrators:


Click the Add button. Specify administrator name, password, and privileges and click on the OK button when done:

13. When prompted, add any remote management clients:

Specify the DNS hostname or IP address of any remote management clients which will be permitted to interface with this EMC station.

14. When prompted, type random characters for the cryptographic seed:

NOTE – Do not type excessively quickly. When overfilled, the input buffer may take a few moments to process.

When the cryptographic seed is generated, click the Next button to continue.

15. Initialize the Certificate Authority:

If the internal certificate authority is not initialized, you may need to reset the SIC password on the management client and on the Alteon Switched Firewall.


16. Record the EMC fingerprint.

As a security measure, this fingerprint will be required in a later step to ensure that no one has impersonated the administrator.

17. When prompted, reboot the EMC station to finish installation:

Once the station is rebooted, installation of the EMC and Policy Editor are complete. The next task is to use the Policy Editor to define and install firewall policies.

Configure and Install Firewall Policies

Task Overview

The initial configuration of firewall policies involves the following tasks:

• Log in to the Policy Editor
• Define a firewall object in the Policy Editor
• Establish a trusted Secure Internal Communications (SIC) link between the EMC and the Firewall Director
• If using central licensing, enter a license for the firewall object
• Create security policies and install them on the Firewall Director

The following material describes each of these tasks. However, please refer to your complete Check Point documentation for more details on using your Check Point tools.

Log in to the Policy Editor

1. Launch the Policy Editor software. Select the Policy Editor icon from the Check Point Management Clients directory:

2. Log in using an administrator account:

Enter one of the user name/password combinations configured during the installation of the EMC tools during Step 12 on page 85.

Specify the IP address of the EMC in the Management Server field and click the OK button.


3. Verify the Check Point fingerprint. At this point, the Policy Editor will contact the EMC. Since this is the first contact, you will be prompted to verify the current fingerprint:

Click the Approve button to verify that the fingerprint is the same as the one obtained during installation of the EMC tools during Step 16 on page 88.

Define the Alteon Switched Firewall Object

1. Create a new Gateway object to represent the newly installed Firewall Director. From the Policy Editor menu bar, select Manage | Network Objects. When the Network Objects window appears, click on the New button and select Check Point | Gateway from the pop-up list.

2. When prompted, select “Classic node” configuration and click on the OK button.


3. Define the Firewall Director object parameters:

Enter the following information:

• Name: The name of the newly installed Firewall Director. The EMC must be configured to resolve this name to the IP address below.
• IP Address: The address of the newly installed Firewall Director. In our example, the address is 192.168.1.3.
• Check Point products: Select NG Feature Pack 2.
• FireWall-1: Check this item from the list window.

NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.

Leave the Workstation Properties window open for use in the next steps.


Establish Secure Internal Communications

1. Establish trust between the Policy Editor and the Firewall Director.

Check Point FireWall-1 NG uses a one-time password to initiate Secure Internal Communications (SIC) between configured objects and the EMC.

To establish SIC, click on the Communication button in the Workstation Properties window. The Communications window will appear:

Enter the same one-time SIC password that was defined during the Firewall Director initial setup in Step 9 on page 77 and click on the Initialize button.

The EMC will attempt to contact the Firewall Director and exchange security information. When successful, the window will indicate “Trust established.”

2. Close the Communications window.

3. Get the interfaces for the Firewall Director object.

Select the Topology section of the Check Point Gateway window and click on the Get Topology button. This will retrieve the interfaces that were configured from the Firewall Director. The Get Topology button displays linked and enabled networks only.

NOTE – When using antispoofing, a message may appear stating that the Get Topology function was only partially successful. When this occurs, “IP addresses behind the interface” will be undefined. Select each interface and use the Edit button to manually configure the undefined address. The address should represent the full range of valid source IP addresses attached through the interface. These addresses must be configured prior to loading policies to the Firewall Director.

4. Close the Workstation Properties window.

5. From the Policy Editor menu bar, select File | Save.

Using Central Licensing

If using central licensing, install a license for the Firewall Director object.

NOTE – If local licensing was used in configuring interfaces in Step 1 on page 78, skip ahead to “Create and Install Firewall Policies” on page 95.

Central licenses can be easily installed, managed, or deleted using the Secure Update portion of your Check Point management tools. See your complete Check Point documentation for details.

Alternately, you can use the Windows NT command line to install a central license as follows:

1. Edit the hosts file on the EMC.

Edit the c:\winnt\system32\drivers\etc\hosts file on the EMC and add one line with the Firewall Director IP address and name. For example:

192.168.1.3 isd1

2. Run the cprlic command.

Click on your desktop Start button and select Run. When the Run window appears, specify cmd as the program to open and click on the OK button. In the command window, enter the license installation command in the following format:

c:\winnt\fw1\5.0\bin\cprlic put

Use the Firewall Director name as entered in the hosts file earlier in this step.

Be sure to enter the information exactly as shown on your specific Check Point license.

3. Verify the license.

To verify that the central license is installed properly, log in as root on the Firewall Director and issue the following command:

cplic print -x -type

The output of this command should display the installed license information.

Create and Install Firewall Policies

1. Create a firewall policy test rule.

At this point in the initial setup, a test is recommended to ensure that the system components are properly configured. For this test, create a policy rule that will allow any and all traffic to pass through the firewall. Later, once the firewall operation is confirmed, you can create firewall security rules that will restrict undesirable traffic.

From the Policy Editor menu bar, select Rules | Add Rule | Top. A new rule will be added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic from any source to any destination will not pass through the firewall.

Change the action of the new rule to “accept” by right-clicking on the “drop” action icon and selecting “accept” as the new action from the pop-up list.

Also change the track setting to “log” by right-clicking on the “none” setting and selecting “log” as the new track setting from the pop-up list.

2. Install the rulebase to the Firewall Director.

From the menu bar, select Policy | Install. When the Install Policy window appears, select the firewall cluster object and click on the OK button.

NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear. Please refer to your company’s security policy and your Check Point documentation to determine whether antispoofing is necessary for your firewall.

Click on the OK button to initiate installing the rulebase.

Close the Install Policy window when the process is complete.

3. Use the Log Viewer program to confirm proper operation of the Firewall Director.

The Log Viewer lists all traffic being processed, accepted, dropped, and so on. To confirm that the Alteon Switched Firewall is properly configured, select the Log Viewer Active Mode. Use a client station to ping the firewall. If the Log Viewer displays an entry for the ping traffic, the configuration is good.

NOTE – The Log Viewer is an excellent tool for debugging and enhancing your security rules. See your complete Check Point documentation for details regarding this essential tool.

4. Use the Policy Editor to remove the test rule generated in Step 1.

5. Create and install complete firewall security rules.

The exact nature of the rules included in your security policy will depend on your specific needs. In general, it is recommended to drop all traffic except that which is specifically required. Please refer to your company’s security policy and see your complete Check Point documentation for more information about creating and maintaining effective security policies.

CHAPTER 4 System Management Basics

This chapter explains how to access system management features on the Alteon Switched Firewall. Management access is required for collecting system information, configuring system parameters beyond initial setup, establishing firewall security policies, and monitoring policy effectiveness.

Management Tools

The Alteon Switched Firewall provides the following system management tools:

• The Command Line Interface (CLI)
  The CLI offers a simple, text-based menu system for collecting system information and configuring system parameters. Use of the CLI is required for initial setup of the system. The CLI can be accessed locally at any Firewall Director or remotely via Telnet or Secure Shell (SSH). For details, see “The Command Line Interface” on page 101.
• The Browser-Based Interface (BBI)
  The BBI allows management via your Web browser. The BBI must be enabled through the CLI after initial setup is complete. Once enabled, the BBI can be accessed by workstations included in the access list. The BBI provides a richly featured, graphical user interface that makes routine configuration and data collection easier. For details, see “The Browser-Based Interface” on page 115.
• The Check Point FireWall-1 NG interface
  The built-in Check Point software interfaces with remote Check Point management tools. Using your required Check Point Enterprise Management Console and a management client such as the Check Point Policy Editor, you can manage the Alteon Switched Firewall policies, and view firewall logs and operational status. For details, see your Check Point documentation.

Users and Passwords

Access to Alteon Switched Firewall functions is controlled through the use of unique user names and passwords. Once you establish a connection to the system via a local console or remote Telnet, SSH, or Web-browser, you are prompted to log in. To log in, you must enter a valid user name and its matching password. To enable better system management and user accountability, there are four different kinds of users, each with different levels of system access.

The default user names and passwords for each access level are listed in Table 4-1. User names and passwords are case sensitive.

Table 4-1 User Access Levels

User Name   Password   Description and Tasks Performed

oper        oper       The operator login is available through the CLI and BBI. The operator has no direct responsibility for system management. He or she can view all configuration information and operating statistics, but cannot make any configuration changes.

admin       admin      The administrator login is available through the CLI and BBI. The administrator has complete access to all menus, information, and configuration commands on the system, including the ability to add users and change passwords.

boot        ForgetMe   The boot login is available only through a local console terminal. The boot user can restore default passwords by reinstalling the Firewall Director software if no other method of access is available (see “Recovering from a Lock-Out” on page 403). To ensure that one avenue of access is always available in case all passwords are changed and lost, the boot user password cannot be changed.

root        ForgetMe   The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root user functions are outside the scope of this documentation.

NOTE – It is recommended that you change all the default passwords after initial configuration and as regularly as required under your network security policies. For more information, see “User Menu” on page 230 for CLI command or “Administration / Users” on page 168 for BBI forms.


The Single System Image

The Alteon Switched Firewall system uses a Single System Image (SSI). Though the system can be composed of multiple Firewall Director and Firewall Accelerator components, the SSI allows all components to be configured and updated as a whole. When you make configuration changes at any CLI or BBI management point, those changes are automatically synchronized to the other components as required, simplifying the management process.

Through the SSI, most configuration commands affect the entire Alteon Switched Firewall cluster. In general, features cannot be enabled or disabled on individual Firewall Directors.

The SSI is also used when updating system software. Just as with configuration changes, software updates installed at any CLI management point are automatically installed on all other components as required.

CHAPTER 5 The Command Line Interface

The Command Line Interface (CLI) is the most direct method for viewing information about the Alteon Switched Firewall. In addition, you can use the CLI for performing all levels of system configuration.

The CLI is text-based, and can be viewed using a basic terminal. The various commands are logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.

This chapter describes how to access the CLI locally through any Firewall Director serial port, or remotely using a Telnet or Secure Shell (SSH) client. It also provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

NOTE – Before the CLI can be used, minimal configuration must be performed as discussed in Chapter 3, “Initial Setup” on page 71.

Accessing the Command Line Interface

Using the Local Serial Port

Any Firewall Director serial port provides direct, local access for managing the Alteon Switched Firewall. For details on attaching a console terminal to the serial port and establishing a connection, see “Connecting a Console Terminal” on page 68.

Once the connection is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).

Defining the Remote Access List

The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the remote access list.

The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system. There is only one remote access list which is shared by all remote management features.

If a client whose IP address is not on the list requests remote management access, the request is dropped. By default, the access list is empty, meaning that all remote management access is initially disallowed.

When a client’s IP address is added to the access list, that client is permitted to access all enabled remote management features. For example, if only the Telnet feature is enabled, the client will be able to use Telnet to reach the CLI. If the BBI is also enabled, the same client will be able to use their Web-browser to manage the system without any changes being made to the access list.

NOTE – When a remote management feature is enabled, access will not be allowed if the access list is left empty. Add all trusted management clients to the access list when initially enabling any remote management feature. It is also vital that you review the access list regu- larly and keep it up to date.


Displaying the Access List

The following CLI command is used to view the access list:

>> # /cfg/sys/accesslist/list

Adding Items to the Access List

The following CLI commands are used to permit remote management access to a specific IP address or range of IP addresses.

1. Select the Access List menu:

>> # /cfg/sys/accesslist

2. Add trusted remote IP addresses to the list:

>> Access List# add <IP address> <network mask>

The add command can be repeated for as many remote managers as required. For example, to allow IP addresses 201.10.14.7 and 214.139.0.0/24 to access remote management features, the following commands could be used:

>> # /cfg/sys/accesslist                          (Select access list menu)
>> Access List# add 201.10.14.7 255.255.255.255   (Add single address)
>> Access List# add 214.139.0.0 255.255.255.0     (Add range of addresses)

NOTE – Although each remote management feature (Telnet, SSH, and BBI) can be enabled or disabled independently, all share the same access list. All addresses on the access list are permitted to access any enabled management feature. You cannot enable SSH for some and Telnet for others.

3. Apply the changes:

>> Access List# apply
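The access-list semantics described in this section (deny by default while the list is empty, one list shared by every enabled feature, entries given as an address plus a mask), worked through in Python as an added example that is not part of the guide or of Firewall OS. The sample `add` lines reuse the guide's example addresses; the per-feature enable flag and the audit threshold are assumptions made for this example.

```python
import ipaddress
from typing import List

# Constructed sample input: the two "add" commands from the guide's example.
SAMPLE_ADD_COMMANDS = [
    "add 201.10.14.7 255.255.255.255",   # single address (host mask)
    "add 214.139.0.0 255.255.255.0",     # range of 256 addresses
]


def parse_access_list(commands: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn 'add <address> <mask>' lines into IPv4 networks.

    A 255.255.255.255 mask yields a /32; any other mask yields the matching
    range. Lines that are not three-field 'add' commands are ignored.
    """
    entries = []
    for line in commands:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "add":
            continue
        addr, mask = parts[1], parts[2]
        # strict=False accepts an address that is not the range's base, because
        # the CLI takes an address and a mask rather than a canonical prefix.
        entries.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return entries


def is_permitted(client: str, entries: List[ipaddress.IPv4Network]) -> bool:
    """Deny by default: an empty list permits nobody, as the guide states."""
    if not entries:
        return False
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in entries)


def remote_access_decision(client: str, feature_enabled: bool,
                           entries: List[ipaddress.IPv4Network]) -> str:
    """Combine a feature's own enable flag with the shared access list.

    feature_enabled stands for /cfg/sys/adm/telnet, /ssh or /web being enabled;
    the same entries are consulted whichever feature the client uses.
    """
    if not feature_enabled:
        return "dropped: feature disabled"
    if not is_permitted(client, entries):
        return "dropped: client not on access list"
    return "allowed"


def audit_access_list(entries: List[ipaddress.IPv4Network],
                      wide_prefix_len: int = 16) -> List[str]:
    """Flag entries a periodic review should question (assumed thresholds).

    The guide asks for the list to be reviewed regularly; this is one mechanical
    check: a 0.0.0.0 0.0.0.0 entry defeats the list, and ranges wider than
    wide_prefix_len are reported with their size.
    """
    findings = []
    for net in entries:
        if net.prefixlen == 0:
            findings.append(f"{net}: permits every address, defeating the access list")
        elif net.prefixlen < wide_prefix_len:
            findings.append(f"{net}: wide range ({net.num_addresses} addresses)")
    return findings


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_ADD_COMMANDS)
    for client in ("201.10.14.7", "214.139.0.200", "214.139.1.1"):
        print(client, "->", remote_access_decision(client, True, acl))
    print("audit:", audit_access_list(acl) or "no findings")
```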


Using Telnet

A Telnet connection allows convenient management of the Alteon Switched Firewall from any workstation connected to the network. Telnet access provides the same management options as those available through the local serial port.

By default, Telnet access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable Telnet and permit remote access to one or more trusted client stations.

NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, consider using Secure Shell (SSH) (see “Using Secure Shell” on page 106).

Enabling Telnet Access

Before Telnet access is possible, some configuration must first be performed using the serial port.

1. Log in as the administrator using the local serial port.

2. Check that the Firewall Directors are configured with proper IP addresses. Each Firewall Director requires its own unique IP address, as well as one Management IP (MIP) address which represents the entire Alteon Switched Firewall cluster. These IP addresses are configured during the initial setup of the cluster (see Chapter 3, “Initial Setup,” on page 71).

3. Enable Telnet access. For security purposes, Telnet access is initially disabled. To explicitly enable Telnet for the cluster, issue the following commands:

>> # /cfg/sys/adm/telnet/ena
>> Administration Applications# apply

NOTE – The telnet command affects the entire Alteon Switched Firewall cluster. Telnet access cannot be enabled or disabled on individual Firewall Directors.

4. Use the access list to permit remote access to trusted clients. If you have already configured the access list for SSH or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.


5. Use the Check Point Policy Editor on your management client to add a security policy that allows Telnet traffic. The firewall policy should be constructed as follows:

- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: Telnet
- Action: Allow

Starting the Telnet Session

Remote Telnet access requires a workstation with Telnet client software. To establish a Telnet session, run the Telnet client software and issue the Telnet command on your workstation:

telnet <MIP address>

Connect to the cluster MIP address. Using the MIP, you can make configuration changes to the cluster as a whole, and you can use the individual CLI host menus to halt or reboot a particular Firewall Director in a cluster or reset its configuration to the factory default settings. There is no need to connect to the IP address of a particular Firewall Director.

Once the Telnet session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).


Using Secure Shell

A Secure Shell (SSH) connection allows convenient and secure management of the Alteon Switched Firewall from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port.

SSH access provides the following security benefits:

- Server host authentication
- Encryption of management messages
- Encryption of passwords for user authentication

By default, SSH access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable SSH and permit remote access to one or more trusted client stations.

Enabling SSH Access on the Alteon Switched Firewall

Before SSH access is possible, some configuration must first be performed using the serial port or an enabled remote management feature.

1. Log in as the administrator.

2. Check that the Firewall Directors are configured with proper IP addresses. Each Firewall Director requires its own unique IP address, as well as one Management IP (MIP) address which represents the entire Alteon Switched Firewall cluster. These IP addresses are configured during the initial setup of the cluster (see Chapter 3, “Initial Setup,” on page 71).

3. Enable SSH access. For security purposes, SSH access is initially disabled. To explicitly enable SSH for the cluster, issue the following commands:

>> # /cfg/sys/adm/ssh/ena
>> Administration Applications# apply

NOTE – The ssh command affects the entire Alteon Switched Firewall cluster. SSH access cannot be enabled or disabled on individual Firewall Directors.


4. If necessary, generate new SSH keys. During the initial setup of the Alteon Switched Firewall, it was recommended that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client.

If you fear that your SSH host keys have been compromised, or at any time your security policy dictates, you can create new host keys using the following CLI command:

>> # /cfg/sys/adm/ssh/gensshkey
>> Administration Applications# apply

When reconnecting to the Alteon Switched Firewall after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has been changed.

5. Use the access list to permit remote access to trusted clients. If you have already configured the access list for Telnet or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.

6. Use the Check Point Policy Editor on your management client to add a security policy that allows SSH traffic. The firewall policy should be constructed as follows:

- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: SSH
- Action: Allow


Starting the SSH Session

Remote SSH access requires a workstation with SSH client software. To establish an SSH connection with the Alteon Switched Firewall, run the SSH program on your workstation by issuing the following SSH command:

ssh -l <user name> <MIP address>

where the -l (lower case L) option is followed by the user name (admin, oper, and so on) being logged in, and the cluster MIP address.

NOTE – You cannot log in as boot or root using SSH.

Using the MIP address, you can make configuration changes to the cluster as a whole and to individual Firewall Directors as appropriate. There is no need to connect to the IP address of a particular Firewall Director.

Once the SSH session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 98.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 110).


Using the Command Line Interface

Basic Operation

Using the CLI, Alteon Switched Firewall administration is performed in the following manner:

- The administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.
- Most changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect when entered (such as changes to users and passwords). Commands that take effect immediately are noted in the command descriptions (see Chapter 7, “Command Reference”).
- In order to save changes and make them take effect, the administrator must use the global Apply command. This allows the administrator to make an entire series of changes and then put them into effect all at once.
- Using the validate command on the Main Menu, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the apply command will not be allowed.
- The global diff command can be used to view pending changes before they are applied.
- To clear all pending changes, the administrator can use the global revert command and then continue the configuration session, or the global exit command to log out from the system. Closing your remote session will also discard pending changes, though exiting manually is preferred.

NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only pending changes made during your current session will be affected by the diff, revert, or exit commands. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.


The Main Menu

After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed. Figure 5-1 shows the Main Menu with administrator privileges:

[Main Menu]
     info     - Information Menu
     cfg      - Configuration Menu
     boot     - Boot Menu
     maint    - Maintenance Menu
     diff     - Show pending config changes [global command]
     validate - Validate configuration
     security - Display security status
     apply    - Apply pending config changes [global command]
     revert   - Revert pending config changes [global command]
     paste    - Restore saved config with key [global command]
     help     - Show command help [global command]
     exit     - Exit [global command, always available]

>> Main#

Figure 5-1 Administrator Main Menu

For more information about initial system setup, see Chapter 3, “Initial Setup,” on page 71. For details about accessing the CLI, see “Accessing the Command Line Interface” on page 102.

Idle Time-out

By default, the system will disconnect your CLI session after ten minutes of inactivity. This function is controlled by the idle time-out parameter as shown in the following command:

>> # /cfg/sys/adm/idle <minutes>

where the time-out period is specified as an integer from 5 to 60 minutes.

Multiple Administration Sessions

It is possible to have more than one CLI or BBI administrator session open at the same time. Although each concurrent administrator session is independent, when configuration changes are saved to the Single Software Image (SSI) that is shared by the cluster, the saved changes affect all users. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.


Global Commands

Some basic commands are recognized throughout the entire menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:

Table 5-1 Global CLI Commands

Command Action

help [<command>] Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. Redisplay the current menu.

.. or up Go up one level in the menu structure.

/ If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

apply Apply and save pending configuration changes.

diff Show any pending configuration changes.

exit Exit from the CLI and log out.

lines <n> Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

nslookup <host name or IP address> Find the IP address or host name of a network device. In order to use this command, you must have configured the cluster to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.

paste Set a password for restoring a saved configuration dump file that includes encrypted private keys.

ping <address> [<tries> [<delay>]] Use this command to verify station-to-station connectivity across the network, where address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of milliseconds between attempts. The DNS parameters must be configured if specifying hostnames (see “DNS Servers Menu” on page 201).

pwd Display the command path used to reach the current menu.


revert Cancel all pending configuration changes.

traceroute <address> [<max-hops> [<delay>]] Use this command to identify the route used for station-to-station connectivity across the network, where address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. As with ping, the DNS parameters must be configured if specifying hostnames.

verbose Sets the level of information displayed on the screen: 0 = Quiet: Nothing appears except errors—not even prompts. 1 = Normal: Prompts and requested output are shown, but no menus. 2 = Verbose: Everything is shown. When used without a value, the current setting is displayed.


Command Line History and Editing

Using the CLI, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 5-2 Command Line History and Editing Options

Option Description

history Display a numbered list of the last 10 previously entered commands.

!! Repeat the last entered command.

!<n> Repeat the nth command shown on the history list.

(Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

(Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Move the cursor to the beginning of command line.

Move cursor to the end of the command line.

(Also the left arrow key.) Move the cursor back one position to the left.

(Also the right arrow key.) Move the cursor forward one position to the right.

(Also the Delete key.) Erase one character to the left of the cursor position.

Delete one character at the cursor position.

Kill (erase) all characters from the cursor position to the end of the command line.

Redraw the screen.

Clear the entire line.

Other keys Insert new characters at the cursor position.


Command Line Shortcuts

Command Stacking

As a shortcut, you can type multiple commands on a single line separated by forward slashes ( / ). You can connect as many commands as required to access the menu option that you want. For example, the command stack to access the Cluster Configuration menu from the Main# prompt is as follows:

>> Main# cfg/sys/cluster

Command Abbreviation

Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

>> Main# c/s/cl

Tab Completion

By entering the first letter of a command at any menu prompt and pressing <Tab>, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) when <Tab> is pressed, that command will be supplied on the command line. You can then execute the command by pressing <Enter>. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.
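The three shortcuts just described (stacking with "/", abbreviation by unique prefix, and tab completion) implemented over a small menu tree, as an added example that is not part of the guide or of Firewall OS. The menu and command names come from this chapter; the tree shape, the behaviour of ".." and "." inside a stack, and the treatment of global commands as stack terminators are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed subset of the menu tree: menus are dicts, commands are None.
# Names come from the guide; the shape is an assumption, not the real hierarchy.
MENU_TREE: Dict = {
    "info": {"sys": None, "clu": None},
    "cfg": {
        "sys": {
            "cluster": None,
            "accesslist": None,
            "adm": {"telnet": None, "ssh": None, "idle": None},
        },
        "net": None,
    },
    "boot": None,
    "maint": None,
}

# Commands recognized on every menu (Table 5-1). Here they end a command stack.
GLOBAL_COMMANDS = {"apply", "diff", "revert", "validate", "paste", "help", "exit", "pwd"}


def complete(menu: Dict, prefix: str) -> List[str]:
    """Tab completion: every command on this menu beginning with the typed letters."""
    return sorted(name for name in menu if name.startswith(prefix))


def resolve_token(menu: Dict, token: str) -> str:
    """Command abbreviation: an exact name wins; otherwise the prefix must be unique."""
    if token in menu:
        return token
    matches = complete(menu, token)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise KeyError(f"no command on this menu begins with '{token}'")
    raise KeyError(f"'{token}' is ambiguous: {', '.join(matches)}")


def menu_at(path: Tuple[str, ...]) -> Optional[Dict]:
    """Return the menu dict reached by path, or None if path names a command."""
    node: Optional[Dict] = MENU_TREE
    for name in path:
        node = node[name]  # type: ignore[index]
    return node


def resolve_stack(line: str, current_path: Tuple[str, ...] = ()) -> Tuple[str, ...]:
    """Command stacking: walk a '/'-separated line starting from the current menu.

    A leading '/' restarts at the Main Menu, '..' or 'up' goes one level up,
    '.' stays on the current menu, and a global command ends the stack.
    """
    path = list(current_path)
    if line.startswith("/"):
        path, line = [], line[1:]
    for token in filter(None, line.split("/")):
        if token == ".":
            continue
        if token in ("..", "up"):
            if path:
                path.pop()
            continue
        menu = menu_at(tuple(path))
        if menu is None:
            raise KeyError(f"'{'/'.join(path)}' is a command, not a menu")
        if token in GLOBAL_COMMANDS and token not in menu:
            path.append(token)
            break
        path.append(resolve_token(menu, token))
    return tuple(path)


def explain(line: str, current_path: Tuple[str, ...] = ()) -> str:
    """Resolve a line and report the full path, or the error text, as one string."""
    try:
        return "/".join(resolve_stack(line, current_path)) or "Main"
    except KeyError as exc:
        return f"error: {exc.args[0]}"


if __name__ == "__main__":
    for typed in ("cfg/sys/cluster", "c/s/cl", "c/s/a", "c/s/ad/t", "/info", "cfg/sys/apply"):
        print(f"{typed:>16} -> {explain(typed)}")
    print("Tab on 'a' in cfg/sys:", complete(MENU_TREE["cfg"]["sys"], "a"))
```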

CHAPTER 6 The Browser-Based Interface

This chapter explains how to use the Browser-Based Interface (BBI) to access Alteon Switched Firewall system management features from your Web browser.

Features

The BBI provides the following features:

- Intuitive and easy-to-use interface structure
- Most of the same configuration and monitoring functions available through the Command Line Interface (CLI)
- Can be accessed using HTTP, or secure HTTPS using Secure Socket Layer (SSL)
- Nothing to install; the BBI is part of the Firewall OS software
- Can be upgraded along with future software releases as available

Getting Started

Requirements

- An installed Alteon Switched Firewall
- PC or workstation with network access to the cluster Management IP (MIP) address
- Frame-capable Web-browser software, such as the following:
  - Navigator 4.6 or higher
  - Internet Explorer 5.0 or higher
- JavaScript enabled in your Web-browser


Enabling the Browser-Based Interface

Before BBI access is possible, some configuration must first be performed using the CLI. For information on accessing and using the CLI, see Chapter 5, “The Command Line Interface.”

1. Enable the BBI. By default, the BBI is enabled for HTTP access, and disabled for HTTPS access. The BBI can be enabled for HTTP and/or HTTPS, or fully disabled.

NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Alteon Switched Firewall is unencrypted and is subject only to weak authentication. If secure remote access is required, consider using HTTPS instead of HTTP.

To explicitly allow remote BBI access, enter the following commands in the CLI.

- To enable HTTP access:

>> # /cfg/sys/adm/web/http/ena

- To enable HTTPS access using SSL:

>> # /cfg/sys/adm/web/ssl/ena

2. If using HTTPS, generate a temporary certificate. An SSL server certificate is required for HTTPS access to the BBI. The Firewall Director can generate a temporary, self-signed certificate. The commands to create a default certificate are as follows:

>> SSL configuration# certs/serv/gen <Name> <Country code> <Key size>
Do you want to generate a self-signed certificate with the generated Key? y

where Name is the common name that will appear on the certificate, Country code is a two-letter code (US for the United States of America, CA for Canada, JP for Japan, etc.), and Key size is 512, 1024, or 2048 bits. For example:

>> SSL configuration# certs/serv/gen Alteon US 1024

NOTE – When you log in to the BBI with the temporary certificate, you will be warned that the certificate is not signed or authenticated. This should be permitted only during initial configuration where the system is not attached to active networks that could be a source of attack. Install a signed and authenticated certificate prior to connecting any untrusted network.


3. Apply the changes.

>> SSL configuration# apply

4. Use the access list to permit remote access to trusted clients. If you have already configured the access list for Telnet or SSH, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 102.

5. Use the Check Point Policy Editor on your management client to add a security policy that allows BBI traffic. The firewall policy should be constructed as follows:

- Source: The management client IP address or management network IP address range
- Destination: The cluster MIP address
- Service: HTTP for non-secure access, or SSL for HTTPS access
- Action: Allow

Setting Up the Web-Browser

Most modern Web-browsers work with JavaScript by default and require no additional set up. However, you should check your Web-browser’s features and configuration to make sure JavaScript is enabled.

NOTE – JavaScript is not the same as Java. Please make sure that JavaScript is enabled in your Web-browser.


Starting the Browser-Based Interface

When the Firewall Director and browser set up is done, follow these steps to launch the BBI:

1. Start your Web-browser.

2. Enter the Alteon Switched Firewall MIP address in the Web-browser’s URL field. For example, consider a cluster MIP address of 192.168.1.1. Using Netscape Navigator, you could enter the following:

If the MIP address has a name on your local domain name server, you could enter the name instead. For example, with Internet Explorer, you could enter the following:

NOTE – When you use HTTPS to connect to the BBI with a temporary certificate, you will be warned that the certificate is not signed or authenticated. This should be permitted only during initial configuration where the system is not attached to active networks that could be a source of attack. Install a signed and authenticated certificate prior to connecting any untrusted network.


3. Log in. If your Alteon Switched Firewall and browser are properly configured, you will be asked to enter a password:

Enter the account name and password for the system administrator or operator account. For more login and password information, see “Users and Passwords” on page 98.

4. Allow the main page to load. When the proper account name and password combination is entered, the BBI default page is displayed in your browser’s viewing window:

NOTE – There may be a few seconds delay while the default page collects data from all of the cluster components. You should not stop the browser while loading is in progress.


Basics of the Browser-Based Interface

Interface Components

The BBI screen consists of the following areas:

- Main Page Menu. The buttons in this area (Monitor, Cluster, and so on) represent the main categories of forms available for collecting information and configuring the system. Each main category contains a variety of sub-pages.
- Sub-Pages Menu. These buttons represent the sub-categories under each main page. A different list of sub-pages is available for each main page. When a sub-page is selected, the appropriate information and configuration fields are displayed in the forms area. The various pages are described in detail in the “BBI Forms Reference” on page 122.
- Forms Area. This area contains fields that display information or allow you to specify information for configuring the system. The fields are different for each sub-page.
- Global Command Buttons. These buttons are available from any page. The buttons display forms used for saving, examining, or aborting configuration changes, and for displaying help information for the current page.


Basic Operation

Using the BBI, Alteon Switched Firewall administration is performed in the following manner:

- The administrator selects from a series of pages and sub-pages, and modifies fields to create the desired configuration.
- When finished making changes on any given page, the administrator submits the form using the appropriate Update buttons. If the user selects a new form or ends the session without submitting the information, the changes are lost.
- Most submitted changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect as soon as the form is submitted: changes to users and passwords, and setting the time or time zone.
- In order to save changes and make them take effect, the administrator must use the global Apply form. This allows the administrator to make an entire series of updates on multiple forms and then put them into effect all at once.
- From the Apply form, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the Apply command will not be allowed.
- The global Diff form can be used to view pending changes before they are applied.
- To clear all pending changes, the administrator can use the global Revert form and then continue the configuration session, or the global Logout form to exit from the system. Closing your browser will also discard pending changes, though logging out manually is preferred.

NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only pending changes made during your current session will be affected by the Diff, Revert, or Logout commands. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.


BBI Forms Reference

Global Command Forms

The global command buttons are always available at the top of each form:

These buttons summon pages which are used for saving, examining, or aborting configuration changes, logging out, and for displaying help information. Each global command page provides options to verify or cancel the command as appropriate.

Apply

The global Apply form is used for checking the validity of the current session’s pending configuration changes, and for saving the configuration changes and putting them into effect.


This form includes the following items:

- Apply Changes pull-down menu. To use this menu, select one of the following options and click on the Submit button:
  - Apply Changes. When submitted, this action updates the cluster with any pending configuration changes. Pending changes are first validated for correctness (see below). If problems are found, applicable warning and error messages are displayed. If errors are found, the changes are not applied. If there are no errors (warnings are allowed), the changes are saved and put into effect. This command has no effect on pending changes in other open CLI or BBI sessions.

NOTE – The global Revert command clears pending changes. It cannot be used to restore the old configuration after the Apply Changes command has been issued.

  - Validate Configuration. When submitted, this option validates the current session’s pending changes, but does not apply them. The pending configuration changes are examined to ensure that they are complete and consistent. If problems are found, the following types of messages are displayed:
    Warnings. These appear in yellow. Warnings identify conditions that the administrator should pay special attention to, but which will not cause errors or prevent the configuration from being applied.
    Errors. These appear in red. Errors identify serious configuration problems that must be corrected before changes can be applied. Uncorrected errors will cause the Apply Changes command to fail.
    If the configuration is valid, the administrator must still separately submit the Apply Changes command.
  - Run Security Audit. When submitted, this option lists security information, such as the status (enabled or disabled) of the remote management features (Telnet, SSH, and the BBI) for the cluster and the IP addresses which can access them. It also lists which users (if any) are still configured with default passwords, which should be changed.
- Submit button. This button performs the action selected in the Apply Changes pull-down menu.
- Back button. This button returns to the previously viewed form without applying changes.


Diff

The global Diff form provides a list of the current session’s pending configuration changes.

This form includes the following items:

- Change list. The list displays a change record for each submitted update. Each record may consist of many modifications, depending upon the complexity of the form and changes submitted. Modifications are color coded:
  - Green: New items that will be added to the configuration when the global Apply command is given and verified.
  - Blue: Existing items that will be modified.
  - Red: Configuration items that will be deleted.
- Back button. This button returns to the previously viewed form.

The Diff list is cleared when configuration changes are applied or reverted, or when the administrator logs out or closes the browser window.

This change list does not show pending changes made in other open CLI or BBI sessions.


Revert

The global Revert form is used for canceling pending configuration changes.

This form includes the following items:

- Revert button. This button cancels the current session’s pending configuration changes. Applied changes are not affected. Pending changes made in other open CLI or BBI sessions are not affected.
- Back button. This button returns to the previous form without canceling pending changes.

Logout

The global Logout form is used to terminate the current user session.

This form includes the following items:

• Logout button. This button terminates the current user session. Any configuration changes made during this session that have not yet been applied will be lost. This command has no effect on pending changes in other open CLI or BBI sessions.
• Back button. This button returns to the previously viewed form without logging out.

NOTE – For thorough security, close all BBI windows (including help) after logging out.


Help

The global Help form provides assistance with forms and tasks in the BBI. There are two kinds of help: context-sensitive help and task-based help.

Context-Sensitive Help

Context-sensitive help displays detailed information about whatever form is currently displayed in the BBI forms area. When you click on the global Help button, a new window appears with information appropriate to your current options:

The context-sensitive help window consists of the following areas:

• Help topic menu. You can select a new help topic using the menu on the left-hand side of the help window. Each main menu item is listed, along with the sub-menu items under the current selection. Select a different menu item to reveal its sub-menu list. Select any sub-menu item to display help for the relevant form.
• Forms area. This area displays detailed information about the selected topic.
• Load Page link. Click on the title of this bar in the forms area to return to the main BBI window and jump directly to the form currently referenced by the help window.
• Tasks Page link. Click on the title of this bar at the bottom of the help topic menu to activate the task-based help system.
• Close button. This button (in the top, right corner) closes the help window.


Task-Based Help

Task-based help directs the administrator through the steps of various common procedures. To access task-based help, first click on the global Help button and then click on the Tasks Page title at the bottom of the help topic menu in the help window. The task help menu will be displayed in a new window with information appropriate to the current BBI form:

The Task-based help window consists of the following areas:

• Task topic menu. You can select from a list of tasks using the menu on the left-hand side of the help window. Each main task item is listed, along with the various steps under the current selection. Select a different task item to reveal its steps. Select any step to display relevant help information.
• Forms area. This area displays detailed information about the selected task.
• Previous link (if appropriate): Displays the information for the previous step in the task.
• Next link (if appropriate): Displays the information for the next step in the task.
• Load Page link. Click on the title of this bar in the forms area to return to the main BBI window and jump directly to the form currently referenced by the help window.
• Close button. This button at the top, right-hand corner closes the task-based help window.


The Monitor Forms

Monitor / System

This is the default Monitor form. It provides an overview of the components in the cluster.

This form includes the following items:

• Firewall Accelerators. Each installed Firewall Accelerator is shown, along with its MAC address, IP address, and health status. The status of each Firewall Accelerator port is indicated by color:
  ◦ Green indicates the port is up.
  ◦ Red indicates the port is down.
  ◦ Black indicates that the port has been disabled.
• Firewall Director (ISDs). Each Firewall Director is shown along with its individual IP address and the cluster Management IP (MIP) address. To obtain more information about a specific Firewall Director, click on the appropriate icon (see “Monitor / iSDs” on page 129).


Monitor / iSDs

This form displays the status of the individual Firewall Directors in the cluster.


Monitor / Syslog

This form displays the system logs of individual Firewall Directors in the cluster based on your choice of search criteria.

This form includes the following items:

• Host IP: IP address of the Firewall Director from which to view logs.
• Search String: Search for this string in the message body. All messages that have a substring matching the characters in this field will be displayed when the Search button is selected.
• Quick Choice menu: Provides a predefined list of basic search strings.
• Messages Per Page: Maximum number of messages displayed for each request.
• Case Sensitive box: Check this box to make the search case sensitive. If unchecked, the capitalization of characters in the search string and message body is disregarded.
• Search button: Execute the log search using the parameters defined on this form. Search results appear at the bottom of the form.


Monitor / About

This form displays general product information.


The Cluster Forms

Cluster / Time

This form is used to set the date and time for all components in the cluster:

Date and Timezone
• Current Time: Displays the current system time. This field cannot be edited.

Date
• New Time. Specified using the month, day, year, hour, and minute pull-down menus.
• Save button: Effects any changes to the date form. Changes take effect immediately, without the need to apply.

Timezone
• Timezone: Select your region from the pull-down menu.
• Save button: Effects any changes to the timezone form. Changes take effect immediately, without the need to apply.


Cluster / Syslog

This form is used to specify remote system log daemons and turn on local log debugging.

Debug Messages
• Status menu: Enables or Disables sending debug messages to the local system log.
• Update button. Submits the Debug Messages status changes to the pending configuration.

Remote Servers

Current Remote Servers table:
• IP Address: IP address for the remote syslog server in dotted decimal notation.
• Logging Severity menu: Severity of messages logged. All messages of the selected severity and higher will be logged.
• Delete button: Deletes a remote server. Only present if a remote server is active.

Add New Remote Server:
• New Server IP: IP address for the remote syslog server in dotted decimal notation.
• New Server Severity: Severity of messages logged. All messages of the selected severity and higher will be logged.

Form actions:
• Update button: Submits the remote server form changes to the list of pending changes, but does not yet apply the changes.


Cluster / ELA

This form is used to configure the Event Logging API (ELA) feature:

ELA allows cluster log messages to be sent to a Check Point management server for display through the Check Point Log Viewer.

NOTE – An ELA service must be configured on the Check Point Management Station, and a SIC Certificate for the service must be transferred to the Firewall Director before ELA logging can commence. For configuration details, see Appendix A, “Event Logging API,” on page 385.


General Settings
• Status: Enables or Disables Check Point ELA logging.
• Management Station IP: The IP address of the Check Point management server to which cluster log messages will be sent.
• Minimum Severity: Severity of messages logged. All messages of the selected severity and higher will be sent to the ELA service.
• Management Station DN: Distinguished name of the Check Point Management Server.
• Update button: Submits the General Settings form changes to the pending configuration.

Pull SIC Certificate

NOTE – The Management Station IP and Server Distinguished Name must be configured and saved before updating the SIC certificate. If these values change, then a new certificate will need to be created.

• iSD IP: The IP address of the individual Firewall Director being updated (do not use the MIP address).
• OPSEC Application Name: Name of the ELA service that was configured on the Check Point management server. Use the same name specified when creating the OPSEC application in the Check Point Policy Editor. Each Firewall Director should use a different OPSEC application.
• OPSEC Password: Password used to configure the above ELA service on the Check Point management server.
• OPSEC Password (again): Verify the password.
• Update button: Submit the Pull SIC Certificate form changes and update the certificate on the specified Firewall Director.


Cluster / Archive

This form is used to specify system log rotation/archiving parameters:

Log files can be rotated when the file reaches a specific size or age. When rotation occurs, the rotated log file is set aside or e-mailed to a specified address and a new log file is begun.

If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size, or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0, the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP Server IP are set, then the log file is mailed when rotated.

This form includes the following items:

• Email: E-mail address of the administrator who will receive the log.
• SMTP Server IP: IP address of the SMTP server in dotted decimal notation. Note that this server must be configured to accept messages from the Firewall Director. Also, a Check Point policy should be present to allow these messages through the firewall.
• Rotate Size: Maximum size the log should reach before rotation. If 0, then the size is ignored and only the log rotate interval is used.
• Interval: The interval at which the system log file should be rotated, specified in days and hours.
• Update button: Submits the form changes to the pending configuration.


Cluster / Accelerator(s)

This form is used to configure Firewall Accelerators on the network.

Accelerator Status
• Auto Discovery menu: Enables or Disables automatic discovery of Firewall Accelerators on the network. When enabled, the Firewall Directors detect the Firewall Accelerators automatically upon boot up and register with them. If this is not enabled, the administrator must manually configure the MAC addresses of the Firewall Accelerators.
• High Availability menu: Enables or Disables high availability for a multiple Firewall Accelerator setup. Two Firewall Accelerators are needed for this option to take effect.
• Update button: Submits the Accelerator Status changes to the pending configuration.


Accelerator Details

In a high-availability configuration, there may be up to two Firewall Accelerators.

• Set as master accelerator: Specify whether this should be the master Firewall Accelerator in a high-availability configuration.
• Detected MAC address: MAC address auto-detected. This will be all zeros if no Firewall Accelerator has been detected.
• MAC address: If Auto Discovery is enabled, the MAC address of the detected Firewall Accelerator is displayed (zeros if none are detected). When Auto Discovery is disabled, you can designate the MAC address of a specific Firewall Accelerator to set which will be #1 or #2 if more than one is on the network.
• IP address: IP address of the Firewall Accelerator in dotted decimal notation.
• Inter-Accelerator Port (IAP): This command is used to select the port used to connect Firewall Accelerators together in a high-availability configuration. By default, the IAP is port 9. Any Firewall Accelerator port can be used as the IAP, but must have NAAP enabled.
• Update button: Submits the Accelerator Details changes to the pending configuration.


Cluster / Host(s)

This form is used to specify the IP addresses for the Firewall Directors on the network.

Management IP Address
• MIP: Specify the Management IP for the cluster.

General Settings for each Firewall Director

For each Firewall Director in the cluster, the following fields are shown:

• Name: Internal name of the Firewall Director. For display only.
• Delete button: Deletes the Firewall Director from the cluster and resets it to factory default configuration settings.
• Master: Checked if this is the Master Firewall Director. For display only.
• IP Address: IP address of this Firewall Director in dotted decimal notation.
• Check Point Management Interface IP address

Form Actions
• Update: Submits the form changes to the pending configuration.


The Network Forms

Network / General

This is the default Network form. It is used to set the network mask.

This form includes the following items:

• Network Mask: Configure the network mask for the system using the dotted decimal notation.
• Update button: Submits the form changes to the pending configuration.

Network / DNS

This form is used to specify the Domain Name Service (DNS) servers. Multiple servers are allowed.

This form includes the following items:

• IP Address: Displays the IP address of the configured DNS server.
• Delete button: Deletes the DNS server. Only displayed if a DNS server is present.
• New DNS IP: Configure a new DNS server IP address using the dotted decimal notation.
• Update button: Submits the new DNS server address to the pending configuration.


Network / NTP

This form is used to specify the Network Time Protocol (NTP) servers.

NTP servers are used by the NTP client on the Alteon Switched Firewall to synchronize its clock. The system should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers.

• IP Address: Displays the IP address of the configured NTP server.
• Delete button: Deletes the server. Only displayed if an NTP server is present.
• New NTP IP: Configure a new NTP server IP address using the dotted decimal notation.
• Update button: Submits the new NTP server address to the pending configuration.


Network / Ports

This form is used to configure individual Firewall Accelerator ports.

This form includes the following items:

• Port#: The port number on the Firewall Accelerator.
• Enabled: Yes (port is enabled) or No (port is disabled). If a port is disabled, any traffic coming to the port will be dropped, and only the link LED (green) on the port will blink when an active cable is attached. If the port is enabled and an active cable is attached, both the link LED (green) and the data indicator LED (orange) will be on and blinking. The data indicator LED reflects the amount of data passing through the port.
• Name: The name for the port.
• Trunk: Yes (enable) or No (disable) port trunking on the port.
• NAAP: Yes (enable) or No (disable) NAAP (communication between the Firewall Director and the Firewall Accelerator) on the port.
• VLAN Tag: Yes (enable) or No (disable) VLAN tagging on the port.
• Filters: Yes (enable) or No (disable) filtering on the port.
• Filter list: List the filters that are used with the port. Filters are applied in numerical order.
• Delete button: Delete a port configuration from the system. Only visible if ports are configured.
• Modify button: Modify a displayed port. Only visible if ports are configured. See the Update form on page 144.
• Add New Port button: Add and configure a new port. See the Update form on page 144.


Network / Ports / Port Mirroring

This form is used to configure port mirroring to monitor traffic.

This form includes the following items:

• Port Mirroring Settings: Enable or disable port mirroring.
• Monitoring Ports
  ◦ Monitoring Port Number: Select the port to monitor traffic. This port will receive a copy of the data packet from the mirrored ports.
  ◦ Mirrored Port Numbers: Select ports to mirror. In the screen above, Port 2 is configured for mirroring ingress traffic only.


Network / Ports / Update (Add or Modify)

NOTE – On ports with only one physical connector, some of the options described on this form do not apply. Although all options appear on all models of Firewall Accelerator, any configuration settings for options which do not apply are disregarded.


General Settings
• Identifier: The port number on the Firewall Accelerator.
• Status: Enables or Disables the port. If a port is disabled, any traffic coming to the port will be dropped, and only the link LED (green) on the port will blink when an active cable is attached. If the port is enabled and an active cable is attached, both the link LED (green) and the data indicator LED (orange) will be on and blinking. The data indicator LED reflects the amount of data passing through the port.
• Name: Specify a name for the port.
• Port Trunk: Enables or Disables port trunking on the port.
• NAAP Status: Enables or Disables NAAP (communication between the Firewall Director and the Firewall Accelerator) on that particular port.
• VLAN Tag Status: Enables or Disables VLAN tagging on the port.
• Filter Status: Enables or Disables filtering for the port.
• Filters: Specify filters that are used with this port. Defined filters will be shown in the Available box. The Selected box lists the filters that will be applied to traffic on this port. To move a filter from one box to the other, select the filter and click on the arrow box indicating the direction of movement. Filters in the Selected box are applied to traffic in numerical order.
• Preferred Physical Connector: If dual physical connectors are available on the port, this defines the preferred physical connector for the link. Options are fast (Fast Ethernet Port, RJ-45 connector) and gig (Gigabit Ethernet Port, SC fiber optic connector).
• Backup Physical Connector: Defines the backup physical connector. Options are fast (Fast Ethernet Port, RJ-45 connector) and gig (Gigabit Ethernet Port, SC fiber optic connector).


Fast Physical Connection Settings

If an RJ-45 connector is available on the Firewall Accelerator port, the following options are used to configure its link characteristics:

• Link Speed: Sets the link speed. The choices include: any, 10, or 100 Mbps.
• Link Mode: Sets the duplex operating mode. The choices include full (full-duplex), half (half-duplex), and any (for auto-negotiation).
• Flow Control: Sets the flow control mode. The choices include rx (receive only), tx (transmit only), both (both receive and transmit), and none.
• Autonegotiate: Check to enable auto-negotiation on the port, or uncheck to disable.

Gigabit Physical Connection Settings

If an SC fiber optic connector is available on the Firewall Accelerator port, the following options are used to configure its link characteristics:

• Flow Control: Sets the flow control mode. The choices include rx (receive only), tx (transmit only), both (both receive and transmit), or none.
• Autonegotiate: Check to enable auto-negotiation on the port, or uncheck to disable.

Form Actions
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.


Network / VLANs

This form is used to view and configure the settings for individual VLANs.

VLANs are required when VLAN tagging is used in the network. In this case, the port will also need to be enabled for VLAN tagging.

VLANs are also used when two interfaces on the same port are connected to two different networks. Here, they will need to be put under separate VLANs. If the administrator does not specify VLANs, then the two networks will be put under separate VLANs automatically.

Up to 242 VLANs can be configured, though each can be given an identifying number between 1 and 4093. VLAN 4094 is reserved for internal use.

This form includes the following items:

• ID: Numerical ID for the VLAN (between 1 and 4093). It can be used to specify the VLAN when configuring an interface.
• Enabled: Yes (enable) or No (disable) the VLAN.
• Name: Assigned name of the VLAN.
• Jumbo Frames: Yes (enable) or No (disable) Jumbo Frames support on the VLAN.
• Port(s): Port or ports associated with this VLAN.
• Delete button: Delete a VLAN from the system. Only visible if VLANs are present.
• Modify button: Modify a displayed VLAN. Only visible if VLANs are present. See the Update form on page 148.
• Add New VLAN button: Adds a VLAN to the configuration. See the Update form on page 148.


Network / VLANs / Update (Add or Modify)

This form includes the following items:

• Identifier: Numerical ID for the VLAN (between 1 and 4093). It can be used to specify the VLAN when configuring an interface.
• Status: Enables or Disables the VLAN.
• Name: Assigns a name to the VLAN or changes the existing name.
• Jumbo Frames: Enables or Disables Jumbo Frames support on the VLAN. When this feature is enabled, the ASF can handle frames that are far larger than the maximum normal Ethernet frame size (up to 9018 octets), reducing the overhead for host frame processing.

NOTE – Do not enable Jumbo Frame support on a VLAN with any device that cannot process frame sizes larger than the Ethernet maximum frame size. Use additional VLANs to isolate traffic into Jumbo Frame and regular traffic. The ASF will automatically fragment Jumbo Frame traffic to regular Ethernet sizes when routing Jumbo Frame traffic to non-Jumbo Frame VLANs.

• Port: Associates this VLAN with one or more ports.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.


Network / Interfaces

This form is used to view and configure the settings for individual interfaces:

The Firewall Accelerator can be configured with up to 255 IP interfaces, each representing the Firewall Accelerator on an IP subnet on the network.

This form includes the following items:

• Id: Numerical ID for the interface (between 1 and 255). It can be used to specify the interface when configuring a new route.
• Enabled: Indicates whether the interface is enabled or disabled.
• Address: The IP address of the interface using the dotted decimal notation.
• Mask: The IP subnet address of the interface using the dotted decimal notation.
• Broadcast: The IP broadcast address for the interface using the dotted decimal notation.
• VLAN: The VLAN number for the interface (1-4092). Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it. If an interface is not assigned a VLAN (the choice is “unassigned”), then a VLAN will be chosen automatically.
• Port(s): Associates the interface with one or more ports.
• Delete button: Delete an interface from the system. Only visible if interfaces are present.
• Modify button: Modify a displayed interface. Only visible if interfaces are present. See the Update form on page 150.
• Add New Interface button: Adds a new interface to the configuration. See the Update form on page 150.


Network / Interfaces / Update (Add or Modify)

General Settings
• Identifier: Numerical ID for the interface (between 1 and 255). It can be used to specify the interface when configuring a new route.
• Status: Enables or Disables the interface.
• IP Address: Configures the IP address of the interface using the dotted decimal notation.
• Subnet Mask: Configures the IP subnet address of the interface using the dotted decimal notation.
• Broadcast Address: Configures the IP broadcast address for the interface using the dotted decimal notation.
• VLAN: Configures the VLAN number (1-4092) for the interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it. If an interface is not assigned a VLAN (the choice is “unassigned”), then a VLAN will be assigned automatically.
• Ports: Associates the interface with one or more ports.


VRRP

For high availability through VRRP, the administrator should specify two IP addresses that will be used to configure interfaces on the two Firewall Accelerators. The IP address of the virtual router will be mapped to these addresses (the virtual router address is the address of the configured interface). A valid configuration can have three unique addresses on the same subnet, or two unique addresses, with the virtual router address shared with one of the Firewall Accelerators.

NOTE – High availability must be enabled in the Cluster/Accelerator form in order for high availability to take effect.

• IP 1: IP address for first Firewall Accelerator.
• IP 2: IP address for second Firewall Accelerator.
• VRID: Virtual Router ID (between 1 and 255). This is used in conjunction with the IP addresses above to define a virtual router on the system.

Form Actions
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.


Network / Filters

This form is used for configuring port filters for the Firewall Accelerators:

The Firewall Accelerator supports up to 224 port traffic filters. Each filter can be configured to allow or deny traffic according to a variety of address and protocol specifications. Each physical Firewall Accelerator port can be configured to use any combination of filters.

Port traffic filtering is a feature of the Firewall Accelerator and occurs prior to inspection by the Check Point FireWall-1 NG software. Traffic that has been dropped by a port traffic filter will not be forwarded to the firewall. Traffic that has been allowed by a port traffic filter will be sent through the firewall, bypassing Check Point FireWall-1 NG inspection. Traffic which is not matched by any port filter will be passed to the firewall for Check Point FireWall-1 NG inspection.

This form includes the following items:

• Id: Numerical ID for the filter (between 1 and 224). It can be used to specify the filter when configuring a port.
• Enabled: Yes (filter is enabled) or No (filter is disabled).
• Name: Assigns a name to the filter. The name is displayed in port configuration.
• MAC: Source and Destination MAC addresses to match against ingress traffic.
• IP: Source and Destination IP addresses to match.
• Source Port: Start and end of a source port range to match.
• Dest Port: Start and end of a destination port range to match.
• Protocol: IP protocol to match. Standard choices are 1 (ICMP), 2 (IGMP), 6 (TCP), 17 (UDP), 89 (OSPF), and 112 (VRRP).
• Action: Allows or denies packets that match the filter.
• Delete button: Deletes a filter from the system. Only visible if filters are present.
• Modify button: Modifies a displayed filter. Only visible if filters are present. See the Update form on page 153.
• Add New Filter button: Add a new filter to the configuration. See the Update form on page 153.


Network / Filters / Update (Add or Modify)

This form includes the following items:

• Identifier: Numerical ID for the filter (between 1 and 224). It can be used to specify the filter when configuring a port.
• Status: Enables or Disables the filter.
• Name: Assigns a name to the filter. The name is displayed in port configuration.
• Source MAC: Source MAC address to match against ingress traffic.
• Destination MAC: Destination MAC address to match.
• Source IP: Source IP address to match.
• Source IP Mask: Used with Source IP to select an address range that this filter will affect.


• Destination IP: Destination IP address to match.
• Destination IP Mask: Used with the Destination IP to select a range of addresses which this filter will affect.
• Protocol: IP protocol to match. Enter a numeric value or use the pull-down list. Standard choices are 1 (ICMP), 2 (IGMP), 6 (TCP), 17 (UDP), 89 (OSPF), and 112 (VRRP).
• Source Port Start: Start of a source port range to match.
• Source Port End: End of a source port range to match.
• Destination Port Start: Start of a destination port range to match.
• Destination Port End: End of a destination port range to match.
• Action: Allow or deny packets that match the filter.
• Inversion: Inverts the filter logic. If the conditions of the filter are met, then do not act. If the conditions of the filter are not met, perform the assigned action.
• Logging: Record filter hits to the system log.
• Update button: Submits the form changes to the pending configuration.
• Back button: Returns to the previously viewed form without saving changes to this form.
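The filter fields above, together with the allow / deny / no-match outcomes described for port traffic filters on the Network / Filters form, can be modelled to see how a set of filters behaves on one port. The following Python is an added example, not Nortel code: the Packet and PortFilter types, their field names, the sample filters, MAC and IP addresses and the packets are this example's own constructed assumptions; the evaluation order (numerical), the inversion rule and the three outcomes follow the form descriptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

TCP, VRRP = 6, 112   # two of the protocol numbers offered by the Protocol pull-down

@dataclass
class Packet:   # header fields an ingress packet is matched on (constructed type)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int = 0
    dst_port: int = 0

@dataclass
class PortFilter:
    """One row of the Network / Filters / Update form (field names assumed)."""
    ident: int                      # Identifier 1..224; also the evaluation order
    name: str
    action: str                     # "allow" or "deny"
    enabled: bool = True            # Status
    src_mac: Optional[str] = None   # None = match any MAC
    dst_mac: Optional[str] = None
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"       # mask 0.0.0.0 = match any address
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[int] = None     # None = any protocol
    src_ports: Tuple[int, int] = (0, 65535)   # Source Port Start / End
    dst_ports: Tuple[int, int] = (0, 65535)   # Destination Port Start / End
    inversion: bool = False
    logging: bool = False

def ip_in_range(addr: str, net: str, mask: str) -> bool:
    """Masked comparison, as the Source/Destination IP plus IP Mask fields do."""
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def matches(f: PortFilter, p: Packet) -> bool:
    """True when the filter acts on the packet; Inversion flips a plain match."""
    hit = (
        (f.src_mac is None or f.src_mac.lower() == p.src_mac.lower())
        and (f.dst_mac is None or f.dst_mac.lower() == p.dst_mac.lower())
        and ip_in_range(p.src_ip, f.src_ip, f.src_mask)
        and ip_in_range(p.dst_ip, f.dst_ip, f.dst_mask)
        and (f.proto is None or f.proto == p.proto)
        and f.src_ports[0] <= p.src_port <= f.src_ports[1]
        and f.dst_ports[0] <= p.dst_port <= f.dst_ports[1]
    )
    return (not hit) if f.inversion else hit

def evaluate_port(filters: List[PortFilter], pkt: Packet, log: List[str]) -> str:
    """Apply the port's enabled filters in numerical order. Returns 'bypass'
    (allow: forwarded without FireWall-1 NG inspection), 'drop' (deny: never
    reaches the firewall) or 'inspect' (no match: handed to FireWall-1 NG)."""
    for f in sorted(filters, key=lambda x: x.ident):
        if f.enabled and matches(f, pkt):
            if f.logging:
                log.append(f"filter {f.ident} ({f.name}): {f.action} "
                           f"{pkt.src_ip}->{pkt.dst_ip} proto {pkt.proto}")
            return "bypass" if f.action == "allow" else "drop"
    return "inspect"

# Constructed sample filter set for one port (documentation address ranges)
PORT_FILTERS = [
    PortFilter(1, "block-lab-range", "deny", src_ip="10.9.0.0",
               src_mask="255.255.0.0", logging=True),
    # An allow filter skips FireWall-1 inspection entirely, so it is kept narrow:
    # only VRRP (112) sent to the VRRP multicast address bypasses the firewall.
    PortFilter(2, "vrrp-bypass", "allow", proto=VRRP,
               dst_ip="224.0.0.18", dst_mask="255.255.255.255"),
    # Inverted filter: drops TCP to the DMZ unless it is port 80 (disabled here)
    PortFilter(3, "only-web-to-dmz", "deny", enabled=False, proto=TCP,
               dst_ip="192.0.2.0", dst_mask="255.255.255.0",
               dst_ports=(80, 80), inversion=True),
]
MAC_A, MAC_B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed

def demo() -> dict:
    """Evaluate constructed packets against PORT_FILTERS and return the outcomes."""
    log: List[str] = []
    web = Packet(MAC_A, MAC_B, "198.51.100.7", "192.0.2.10", TCP, 51000, 80)
    https = Packet(MAC_A, MAC_B, "198.51.100.7", "192.0.2.10", TCP, 51001, 443)
    lab = Packet(MAC_A, MAC_B, "10.9.5.5", "192.0.2.10", TCP, 40000, 80)
    vrrp = Packet(MAC_A, MAC_B, "192.0.2.2", "224.0.0.18", VRRP)
    results = {
        "lab_to_dmz": evaluate_port(PORT_FILTERS, lab, log),   # drop, and logged
        "vrrp": evaluate_port(PORT_FILTERS, vrrp, log),        # bypass
        "web_to_dmz": evaluate_port(PORT_FILTERS, web, log),   # inspect
    }
    # Enable filter 3: port 80 still goes to inspection, other TCP to the DMZ is dropped
    with_inv = [replace(f, enabled=True) if f.ident == 3 else f for f in PORT_FILTERS]
    results["web_inverted"] = evaluate_port(with_inv, web, log)      # inspect
    results["https_inverted"] = evaluate_port(with_inv, https, log)  # drop
    results["log"] = log
    return results
```

The sample keeps its single allow filter as narrow as possible because an allow filter forwards matching traffic past FireWall-1 inspection, so every allow entry is a deliberate exception to the firewall policy.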


Network / Routes

This form is used to view and configure the current routes.

This form includes the following items:

• Destination IP: IP address of the route destination in dotted decimal notation.
• Destination Subnet: Subnet mask for the route destination in dotted decimal notation.
• Gateway IP: IP address of the gateway in dotted decimal notation.
• Interface: Interface for the packet.
• Delete button: Deletes a route from the system. Only visible if routes are present.
• Modify button: Modifies a displayed route. Only visible if routes are present. See the Update form on page 156.
• Add New Route button: Adds a route to the configuration. See the Update form on page 156.


Network / Route / Update (Add or Modify)

This form includes the following items:

- Destination IP: IP address of the route destination in dotted decimal notation.
- Destination Subnet: Subnet mask for the route destination in dotted decimal notation.
- Gateway IP: IP address of the gateway in dotted decimal notation.
- Route Interface: Interface for the packet.
- Update button: Submits the form changes to the pending configuration.
- Back button: Returns to the previously viewed form without saving changes to this form.


Network / Gateways

This form is used to view and configure the default gateways. There can be up to four gateways configured.

Gateway Metric

- Default Gateway Metric: Set default gateway load-balancing. If multiple default gateways are configured and enabled, the following metric choice determines which default gateway is selected:

  - Strict: The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.

  - Roundrobin: This provides basic gateway load balancing. The ASF sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.
- Update button: Submits the metric changes to the pending configuration.


Gateways

- Id: Gateway identifier (a number between 1 and 4).
- Enabled: Indicates whether the gateway is enabled or disabled.
- ARP Enabled: Indicates whether ARP-only health checks are enabled or disabled.
- Address: The IP address of the gateway using dotted decimal notation.
- Retry Count: The number of health checks that must fail before declaring the gateway inoperative. The system uses pings to check whether the gateway is up.
- Interval: This field defines the time between health checks.
- Delete button: Deletes a gateway from the system. Only visible if a gateway is present.
- Modify button: Modifies a displayed gateway. Only visible if a gateway is present. See the Update form on page 159.
- Add New Gateway button: Adds a gateway to the configuration. See the Update form on page 159.
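An added example, not from the guide, that models the Strict and Roundrobin metrics together with the Retry Count rule from the Gateways list above. The consecutive-failure counter, its reset on a successful check, and a recovered lower-numbered gateway taking over again under Strict are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    gw_id: int              # Id: 1..4 as on the Gateways form
    address: str
    enabled: bool = True
    arp_only: bool = False  # ARP Enabled: probe type only; does not change selection
    retry_count: int = 3    # Retry Count: failed checks before the gateway is inoperative
    interval: int = 2       # Interval: seconds between checks (not simulated here)
    failures: int = 0       # consecutive failed checks (model state, an assumption)

    def __post_init__(self) -> None:
        if not 1 <= self.gw_id <= 4:
            raise ValueError("gateway identifier must be between 1 and 4")

    @property
    def operative(self) -> bool:
        """Inoperative once Retry Count health checks have failed in a row."""
        return self.failures < self.retry_count


class GatewaySelector:
    """Picks a default gateway according to the Default Gateway Metric setting."""

    def __init__(self, gateways: List[Gateway], metric: str = "strict") -> None:
        if metric not in ("strict", "roundrobin"):
            raise ValueError("metric must be strict or roundrobin")
        self.gateways = sorted(gateways, key=lambda g: g.gw_id)
        self.metric = metric
        self._next = 0                       # round-robin cursor
        self._by_dest: Dict[str, int] = {}   # destination IP -> gateway id already chosen

    def _find(self, gw_id: int) -> Gateway:
        for g in self.gateways:
            if g.gw_id == gw_id:
                return g
        raise KeyError(f"no gateway with id {gw_id}")

    def record_health_check(self, gw_id: int, succeeded: bool) -> None:
        """Feed one ping (or ARP-only) health-check result into the failure counter.
        Assumption: a successful check clears the consecutive-failure count."""
        g = self._find(gw_id)
        g.failures = 0 if succeeded else g.failures + 1

    def set_enabled(self, gw_id: int, enabled: bool) -> None:
        self._find(gw_id).enabled = enabled

    def usable(self) -> List[Gateway]:
        """Enabled gateways that are still operative, lowest id first."""
        return [g for g in self.gateways if g.enabled and g.operative]

    def select(self, dest_ip: str) -> Optional[Gateway]:
        cands = self.usable()
        if not cands:
            return None
        if self.metric == "strict":
            # Lowest-numbered usable gateway is preferred; the model assumes it takes
            # over again as soon as it is healthy (the guide does not say either way).
            return cands[0]
        # roundrobin: keep a destination on the gateway it was resolved to while usable
        prev = self._by_dest.get(dest_ip)
        for g in cands:
            if g.gw_id == prev:
                return g
        g = cands[self._next % len(cands)]
        self._next += 1
        self._by_dest[dest_ip] = g.gw_id
        return g
```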


Network / Gateway / Update (Add or Modify)

This form includes the following items:

- Identifier: Gateway identifier (a number between 1 and 4).
- Status: Enables or Disables the gateway for use.
- ARP Status: Enables or Disables ARP-only health checks.
- Address: The IP address of the gateway using dotted decimal notation.
- Retry Count: The number of health checks that must fail before declaring the gateway inoperative. The system uses pings to check whether the gateway is up.
- Interval: This field defines the time between health checks.
- Update button: Submits the form changes to the pending configuration.
- Back button: Returns to the previously viewed form without saving changes to this form.


Network / Local

This form allows you to define and modify the cache of local networks.

Network / Local / Update (Add or Modify)


Network / ARP

This form allows you to add or modify IP addresses to which the Alteon Switched Firewall will respond.


The Firewall Forms

Firewall / Settings

General

- Status: Enables or Disables Check Point FireWall-1 NG processing on all healthy Firewall Directors in the cluster.
- Update button: Submits the form changes to the pending configuration.

Secure Internal Communication

- List of Hosts
- Password
- Password (again)
- Submit


Firewall / License Management

This form is used to configure license management.

License management is used for pre-configuring resources that allow the system to automatically configure any new components that are added to the cluster.

Resources configured under this menu include a pool of IP addresses and Check Point licenses. When Plug N Play is enabled, a new Firewall Director attached to the cluster will automatically be configured and brought into service.

Autodetect iSD

- Status: Enable or Disable automatic license management. When enabled, if resources have been added, the cluster will automatically detect new Firewall Directors, join them to the cluster, configure them, and start them participating in firewall processing. When this feature is disabled, you must manually configure each new Firewall Director being added to the cluster.
- Save Setting button: Submits status changes to the pending configuration.


Check Point Licenses

- IP Address: An IP address in the resource pool that can be used for cluster Firewall Directors.
- In Use: Shows whether the IP address is currently assigned (Yes) to an existing Firewall Director in the cluster, or whether it is available (No) to configure a newly added Firewall Director.
- Licenses: Shows the number of Check Point licenses currently configured for each IP address.
- Delete button: Deletes the IP address and all its associated Check Point licenses.
- Modify button: Allows you to modify, delete or add Check Point licenses for the IP address. See the Update form on page 164.
- Add New License Entry button: Add and configure a new IP address and Check Point license for the resource pool. See the Update form on page 164.

Firewall / License Management / Update (Add or Modify)


General Settings

- IP Address: Lists the IP address in the resource pool that can be used for cluster Firewall Directors.
- Shared Secret
- Shared Secret (again)

Current Licenses

This area of the form displays the licenses assigned to the selected IP address:

- Expiration: Expiration date of the Check Point license.
- Features: Features of the Check Point license.
- License: License string of the Check Point license.
- Delete: When checked, prepares to delete this license from the Plug N Play resource pool.

Add New License

This area of the form is used to enter information for new Check Point licenses to be assigned to the current IP address.

- Expiration Date: Sets the expiration date of the Check Point license.
- Feature String: Sets the features of the Check Point license.
- License String: Sets the license string of the Check Point license.

Form Actions

- Update button: Submits the form changes to the pending configuration.
- Back button: Returns to the previously viewed form without saving this form's changes.


Firewall / Synchronization

This form is used to configure stateful failover of sessions among Firewall Directors in the cluster.

With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director. To achieve stateful failover, synchronization must be configured both on the Alteon Switched Firewall and on the Check Point management server. See “Synchronizing Firewall Directors” on page 340 for more information.

This form includes the following items:

- Status: Enables or Disables firewall synchronization for the cluster.
- Network Address: Sets the IP network address of the synchronization network in dotted decimal notation. It is used with the network mask (defined in the Network / General form) to define appropriate IP addresses for synchronization.
- Update button: Submits the form changes to the pending configuration.


The Operations Forms

This form is used to export or import configuration files:

Export Cluster Configuration

- Secret key: The case-sensitive secret key is used to encrypt the settings and must be supplied again when the configuration is imported.
- Export button: Depending on the browser type, the administrator may have the option to output to a file or to the screen (allowing it to be captured using copy and paste functions).

Import Cluster Configuration

- Text input area: Import a configuration by pasting it into the field provided.
- Secret Key: The case-sensitive secret key used in the export must be supplied to decrypt the configuration settings.
- Import button: Replace the current configuration using the pasted configuration information. This takes effect immediately. No apply command is required.

NOTE – Importing a configuration will cause the BBI to restart. If the import is successful, any imported configuration overrides all prior configuration settings. All changes pending at the time of the import are lost. The revert command cannot be used to recover the prior configuration.


The Administration Forms

Administration / Users

This form is used to list the permitted users and allows one to change their properties.

This form has the following items:

- Username: The login name that identifies the user in the system. There are three default users that can be modified using the BBI:

Table 6-1 Required Users

User Name   Privileges
admin       The administration user has read and write access to all pages in the BBI.
oper        The operator has read access only.
root        The root user can log in locally to a Firewall Director and is given full access to the system.

NOTE – An additional default user, the boot user, cannot be modified and is not listed in the BBI.

The listed default users can be modified, but cannot be deleted. The system also maintains the following hidden users: bin, blue, daemon, nobody, and operator. These are used for internal processes only and do not have passwords. They are therefore denied external access. Internal users cannot be modified or deleted.


- Group: The group to which the user belongs. This defines the privileges that the user has as described in Table 6-1 on page 168.
- Delete button: Immediately deletes a user from the system. Default users cannot be deleted.
- Modify button: Modifies a displayed user. See the Update form on page 169.
- Add New User button: Adds a new administrator or operator level user login. See the Update form on page 169.

Administration / Users / Update (Add or Modify)

This form contains the following items:

- Username: The identifier for the user in the system.
- Group: The group to which the user belongs defines the privileges of the user. Users added to the system can be assigned either to the admin (read/write) or oper (read only) group.
- Admin Password: For verification.
- Password: The password for the user.
- Password (again)
- Save button
- Back button

NOTE – When the username or password is changed for an existing user, anyone currently logged into the BBI using that account will be prompted to enter the new username and password before accessing any new page.


Administration / Access List

This form is used to specify which clients are permitted to administer the system. For example, in order to access the BBI, the client must be matched by an entry in this form.

This form includes the following items:

- Client Network Address: IP address of the client in dotted decimal notation.
- Client Subnet Mask: Subnet address used for matching. Uses dotted decimal notation.
- Delete button: Deletes an entry from the system. Only visible if access entries are present.

NOTE – Deleting the entry corresponding to the current client will terminate the connection when the change is applied.

- Modify button: Modifies an entry in the system. Only visible if access entries are present. See the Update form on page 171.
- Add New Access Control button: Adds a new entry to the access list. See the Update form on page 171.


Administration / Clients / Update (Add or Modify)

Administration / Telnet-SSH

This form is used to enable or disable Telnet/SSH administration.

This form includes the following items:

- Telnet: Enable administration through telnet.
- SSH: Enable administration through SSH.
- CLI Timeout: Sets the number of seconds a Telnet or SSH session can remain idle before being automatically disconnected.
- Update button: Submits the form changes to the pending configuration.
- Generate New Keys button: Create new SSH keys.


Administration / Web

This form is used to enable or disable BBI administration.

HTTP Settings

- Port: Application port used for non-secure HTTP access to the BBI. The default is port 80.
- Status: Enables or Disables HTTP access to the BBI.

HTTP/SSL Settings

- Port: Application port for secure HTTPS (using SSL) access to the BBI. The default is port 443.
- Status: Enables or Disables HTTPS access to the BBI.
- TLS: Enable TLS protocol.
- SSL v2: Enable SSL v2 protocol.
- SSL v3: Enable SSL v3 protocol.

Form Actions

- Update button: Submits the form changes to the pending configuration.


Administration / Server Certs

This form is used to administer server certificates on the Firewall Director.

This form includes the following fields:

- ID: Identifier for the certificate.
- Issuer: Issuer of the certificate.
- Subject: Subject of the certificate.
- Serial Number: Serial number of the certificate.
- Valid From: Starting date upon which the certificate is valid.
- Valid To: Ending date upon which the certificate is valid.
- Delete button: Deletes a certificate from the system. Only visible if a certificate is present.
- Modify button: Modifies a displayed certificate. Only visible if a certificate is present.
- Add New Server Certificate button: Displays a new form used for inputting a new certificate. The certificate should be pasted into the text area.
- Generate Certificate Request button.
- Export Certificate Request button.


Administration / Server Certs / Update (Add or Modify)

- Common Name: Common name (cn) to be used with the certificate.
- Two-Letter Country Code: Country code to be used. For example, US for the United States of America, CA for Canada, JP for Japan, AU for Australia, etc.
- Key Size: Size of the encryption key. Valid sizes are 512, 1024, or 2048 bits.
- Export button: Allows the administrator to export a certificate request created using the Generate Certificate Request command. This can be used to obtain a server certificate to be added.


Administration / CA Certs

This form is used to administer CA certificates on the Firewall Director. This is required if server certificates from an external CA are being used.

This form includes the following fields:

- Id: Identifier for the certificate.
- Issuer: Issuer of the certificate.
- Subject: Subject of the certificate.
- Serial Number: Serial number of the certificate.
- Valid From: Starting date upon which the certificate is valid.
- Valid To: Ending date upon which the certificate is valid.
- Delete button: Deletes a certificate from the system. Only visible if a certificate is present.
- Modify button: Modifies a displayed certificate. Only visible if a certificate is present.
- Add New CA Certificate button: Inputs a new certificate. The certificate should be pasted into the text area.


Administration / CA Certs / Update (Add or Modify)


Administration / SNMP

This form is used to enable or disable SNMP event and alarm messages for the Alteon Switched Firewall.


SNMP

- Status: Enables or Disables the SNMP features. This must be enabled in order for events and alarms to be sent to the trap hosts.
- Security Model
- Security Level (usm)
- Access
- Events: Enables or Disables sending cluster event messages to the SNMP trap hosts. When enabled, messages regarding general occurrences (such as detection of new components) are sent.
- Alarms: Enables or Disables sending cluster alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions which may require administrative action.
- Read Community String (v2c)
- Save Settings button: Submits the form changes to the pending configuration.

Trap Hosts

This area of the form lists all configured trap hosts which will receive SNMP event or alarm messages from the cluster.

- IP Address: This is the IP address of the trap host.
- Port: This is the logical port on the trap host which expects SNMP traffic.
- Community (v2c): This is the community string for the trap host.
- Trap User (usm)
- Delete button: Removes an SNMP trap host from the cluster configuration.
- Modify button: Modify parameters for an existing trap host.
- Add New Trap Host button: Allows you to add and configure a new trap host.

SNMP Users (usm)

- Username
- Permission
- Delete button
- Modify button
- Add New User button


Administration / SNMP / Trap Host Update (Add or Modify)

Administration / SNMP / SNMP Users Update (Add or Modify)


The Diagnostics Forms

Diagnostics / Security Zones

This form lists the Virtual Network Interface Cards (VNICs) as derived from the network configuration.

- VNIC Id: Identifier for the VNIC as seen in the Check Point management tools.
- IP Address: IP address for the VNIC.
- VLAN: Virtual LAN associated with the VNIC.
- Port(s): Port(s) associated with the VNIC.

Diagnostics / Accelerator CLI

This form allows the administrator to execute diagnostic commands on the Firewall Accelerator.


Diagnostics / System Commands

This form is used for system diagnostics as requested by Nortel Networks customer support.


CHAPTER 7 Command Reference

Main Menu

After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed.

[Main Menu]
info     - Information Menu
cfg      - Configuration Menu
boot     - Boot Menu
maint    - Maintenance Menu
diff     - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply    - Apply pending config changes [global command]
revert   - Revert pending config changes [global command]
paste    - Restore saved config with key [global command]
help     - Show command help [global command]
exit     - Exit [global command, always available]

Table 7-1 Main Menu

Command Syntax and Usage

info The Information Menu is used for displaying information about the current status of the Alteon Switched Firewall. See page 187 for menu items.

cfg The Configuration Menu is used for configuring the Alteon Switched Firewall. Some commands are available only from an administrator login. See page 194 for menu items.



boot The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if necessary. See page 311 for menu items.

maint The Maintenance Menu is used for system diagnostics. This should be used only at the request of Nortel Networks technical support. See page 315 for menu items.

diff This global command is available from any menu or sub-menu. It displays the difference between the applied configuration (the configuration that the system is currently using) and the pending configuration (the uncommitted changes that have not yet been applied). Only pending changes made during your current administrator session are included. Pending changes being made by other CLI or BBI administrator sessions are not included.

validate This command is used to validate pending configuration changes made during your current administration session. This command does not include pending changes being made by other CLI or BBI administrator sessions that are running at the same time. When you enter the validate command, your pending changes are examined to ensure that they are complete and consistent. If problems are found, warning or error messages are displayed. Warnings identify conditions that you should pay special attention to, but that will not cause errors or prevent the configuration from being applied when you enter the apply command. Errors identify serious configuration problems that must be corrected before changes can be applied. Uncorrected errors will cause the apply command to fail. If the validate command returns warning or error messages, heed the messages and make any necessary configuration changes.

security This command lists the status (enabled or disabled) for remote management features such as Telnet, SSH, and the BBI for the cluster. It also lists which users (if any) are still using default passwords which should be changed.



apply This global command is available from any menu or sub-menu. It is used to apply and save configuration changes made during your current administration session. Changes are considered pending and do not take effect until this command is issued. Pending changes being made by other CLI or BBI administrator sessions are not affected. When issued, the apply command first validates your session’s pending changes. If problems are found, applicable warning and error messages are displayed. Errors are serious and will cause the apply command to fail before any changes are applied. If there are no errors (warnings are allowed), the changes are saved and put into effect. Warning messages can be turned off using the /cfg/misc/warn command (see page 310). If multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence. The global revert command clears pending changes and will not restore the configuration to its previous settings once the apply command is issued.

revert This global command is available from any menu or sub-menu. It cancels all pending configuration changes made during your current administration session. Applied changes are not affected. Pending changes made by other open CLI or BBI sessions are also not affected.

paste This global command is available from any menu or sub-menu. It lets you restore a saved configuration dump file that includes encrypted private keys. If private keys were included when you created your configuration dump file (/cfg/dump), you were required to specify a password for encrypting the private keys. When the paste command is issued, you will be prompted to supply the same password phrase. You can then open the configuration dump file in your text editor, copy the information, and paste it to the CLI window. When pasted, the configuration content is batch processed by the Alteon Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. You can view the pending configuration changes resulting from the batch processing by using the global diff command. To apply the pending configuration changes, use the global apply command. The paste password phrase remains in effect until cleared. To clear the password phrase, enter the paste command again.



help [ ] This global command is available from any menu or sub-menu. It provides brief information about any specific command on the current menu. When used without a parameter, the help command displays a list of global commands.

exit This global command is available from any menu or sub-menu. It exits the CLI and logs out the current session. Pending changes made during your current session will be lost if not applied. This command does not affect other open CLI or BBI sessions.
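The session-scoped pending configuration that diff, validate, apply and revert operate on, as an added Python model that is not the product's code. The validation rules (the gateway and filter identifier ranges stated on the BBI forms, plus a warning when Telnet administration is enabled) are constructed for the example; the checks the real validate command performs are not listed in this guide.

```python
import copy
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]


def validate_config(cfg: Config) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors block apply; warnings do not.
    Constructed rules: identifier limits from the BBI forms, a warning for enabled Telnet."""
    errors: List[str] = []
    warnings: List[str] = []
    for gw in cfg.get("gateways", []):
        if not 1 <= gw["id"] <= 4:
            errors.append(f"gateway {gw['id']}: identifier must be between 1 and 4")
    for flt in cfg.get("filters", []):
        if not 1 <= flt["id"] <= 224:
            errors.append(f"filter {flt['id']}: identifier must be between 1 and 224")
    if cfg.get("telnet", False):
        warnings.append("telnet administration is enabled")
    return errors, warnings


class Cluster:
    """The applied configuration: what the system currently runs, shared by all sessions."""

    def __init__(self, applied: Config) -> None:
        self.applied: Config = copy.deepcopy(applied)


class AdminSession:
    """One CLI or BBI administrator session; its pending changes are private to it."""

    def __init__(self, cluster: Cluster, warn: bool = True) -> None:
        self.cluster = cluster
        self.warn = warn              # /cfg/misc/warn: whether apply shows warnings
        self.pending: Config = {}

    def set(self, key: str, value: Any) -> None:
        """A configuration change; pending until apply."""
        self.pending[key] = value

    def candidate(self) -> Config:
        """Applied configuration with this session's pending changes layered on top."""
        merged = copy.deepcopy(self.cluster.applied)
        merged.update(copy.deepcopy(self.pending))
        return merged

    def diff(self) -> Dict[str, Tuple[Any, Any]]:
        """diff: (applied, pending) for each key changed in this session only."""
        return {k: (self.cluster.applied.get(k), v)
                for k, v in self.pending.items() if self.cluster.applied.get(k) != v}

    def validate(self) -> Tuple[List[str], List[str]]:
        """validate: examine this session's pending changes for completeness/consistency."""
        return validate_config(self.candidate())

    def apply(self) -> Tuple[bool, List[str]]:
        """apply: validate first; any error fails the apply, warnings are allowed."""
        errors, warnings = self.validate()
        shown = warnings if self.warn else []
        if errors:
            return False, errors + shown
        self.cluster.applied = self.candidate()   # the latest apply wins on shared keys
        self.pending.clear()
        return True, shown

    def revert(self) -> None:
        """revert: discard this session's pending changes; applied config is untouched."""
        self.pending.clear()
```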


/info Information Menu

[Information Menu]
clu    - Display runtime information of all SFDs
host   - Display runtime information of one SFD
det    - Display detected Accelerator(s)
net    - Network Display Menu
syslog - Display syslog entries
fw     - Display firewall configuration
log    - Display Platform Logging configuration
lic    - Display installed license(s)
acc    - Display Accelerator configuration
telnet - Display Telnet configuration
ssh    - Display SSH configuration
snmp   - Display SNMP configuration
web    - Display Web configuration
time   - Display Time Settings
asfnet - Display ASF Internal Network configuration

The Information Menu is used for displaying information about the current status of the Alteon Switched Firewall.

Table 7-2 Information Menu (/info)

Command Syntax and Usage

clu This command displays runtime information for all the Firewall Directors in the cluster. Information includes CPU usage, hard disk usage, status of important applications such as Web server, firewall, Inet server, as well as status of firewall acceleration.

host This command displays runtime information for the selected Firewall Director. Information includes CPU usage, hard disk usage, status of important applications such as Web server, firewall, Inet server, as well as status of firewall acceleration.

det This command displays the MAC addresses and status of the Firewall Accelerators that are being used by the Firewall Director for the firewall acceleration.



net The Network Display Menu is used for displaying current network information for the Alteon Switched Firewall cluster. Information includes network ports, trunking, interfaces, and routing. See page 190 for menu items.

syslog This command displays the last syslog messages. After each set of ten syslog messages is displayed, you are prompted whether to continue the display (enter y) or exit (enter n).

fw This command displays the current firewall configuration settings. Displayed information includes firewall status (enabled or disabled), management IP addresses, and synchronization network configuration. This is the same information available using the /cfg/fw/cur command.

log This command displays the current system message logging settings. This is the same information available using the /cfg/sys/log/cur command.

lic This command displays the current Check Point license information for the selected Firewall Director. Displayed information includes host IP address, license expiration date, signature string, and feature string. This is the same information available using the /cfg/pnp/cur command.

acc This command displays the current Firewall Accelerator configuration settings. Displayed information includes automatic discovery and high-availability settings, a list of MAC and IP addresses for active Firewall Accelerators, preferred Firewall Accelerator, and health check settings. This is the same information available using the /cfg/acc/cur command.

telnet This command displays the current Telnet configuration settings: enabled or disabled. This is the same information available using the /cfg/sys/adm/telnet/cur command.

ssh This command displays the current SSH configuration settings: enabled or disabled. This is the same information available using the /cfg/sys/adm/ssh/cur command.



snmp This command displays the current SNMP configuration settings. Displayed information includes a list of trap hosts, and status of event and alarm messages. This is the same information available using the /cfg/sys/adm/snmp/cur command.

web This command displays the current BBI configuration settings. Displayed information includes status (enabled or disabled) and service port number for HTTP and HTTPS (with SSL), and certificate information for SSL. This is the same information available using the /cfg/sys/adm/web/cur command.

time This command displays the current time and date settings, including any NTP server settings. This is the same information available using the /cfg/sys/time/cur command.

asfnet This command displays the current network settings for the Alteon Switched Firewall cluster and hosts. This is the same information available using the /cfg/sys/cluster/cur command.


/info/net Network Display Menu

[Network Display Menu]
port  - Display configured ports
trunk - Display configured trunks
if    - Display configured interfaces
route - Route Information Menu
local - Display local net configuration
dump  - Display all network configuration

The Network Display Menu is used for displaying current network information for the Alteon Switched Firewall cluster. Information includes network routes, ports, interfaces, and gateways.

Table 7-3 Network Display Menu (/info/net)

Command Syntax and Usage

port This command displays information about all ports configured on the Firewall Accelerator. Displayed information includes port name, type (IP or NAAP), assigned interfaces, VLAN, VLAN tagging status, and filters.

trunk This command displays information about all port trunks configured on the Firewall Accelerator. For each trunk, displayed information includes the trunk number, master port, and a list of other ports that belong to the trunk.

if This command displays information about all the IP interfaces configured on the system. Displayed information includes IP addresses, masks, VLANs, and the ports to which the IP interfaces are assigned. It also displays the names of the interface devices that are automatically created for each IP interface.

route The Route Information Menu is used for displaying current information about the various routing protocols used with the Alteon Switched Firewall. Information includes static routes, default gateways, RIP and OSPF settings. See page 191 for menu items.

local This command displays all IP addresses in the local network route cache.

dump This command displays all information for each option in the Information Menu.


/info/net/route Route Information Menu

[Route Information Menu]
     static   - Display configured static routes
     gw       - Display default gateways
     rip      - RIP Router Menu
     ospf     - OSPF Router Menu
     table    - Display complete unicast route table

The Route Information Menu is used for displaying current information about the various routing protocols used with the Alteon Switched Firewall cluster.

Table 7-4 Route Information Menu (/info/net/route)

Command Syntax and Usage

static This command displays all the static routes configured on the system.

gw This command displays all the gateways configured and enabled on the system.

rip The RIP Router Information Menu is used for displaying current RIP information. See page 192 for menu items.

ospf The OSPF Router Information Menu is used for displaying current OSPF information. See page 193 for menu items.

table This command lists all unicast routes on the system.


/info/net/route/rip RIP Router Information Menu

[RIP Router Information Menu]
     routes   - Display RIP routes
     fib      - Display RIP router FIB

The RIP Router Information Menu is used for displaying RIP routing information.

Table 7-5 RIP Router Information Menu (/info/net/route/rip)

Command Syntax and Usage

routes This command displays all RIP routes from the unicast table.

fib This command displays all RIP routes contained in the Forwarding Information-Base (FIB) advertised by the Alteon Switched Firewall. This includes routes which have been redistributed from other protocols.


/info/net/route/ospf OSPF Router Information Menu

[OSPF Router Information Menu]
     routes   - Display OSPF routes
     lsa      - Display OSPF LSA information
     neigh    - Display OSPF neighbor information
     if       - Display OSPF interface information
     fib      - Display OSPF router FIB

The OSPF Router Information Menu is used for obtaining information about OSPF routes, links, neighbors, and interfaces.

Table 7-6 OSPF Router Information Menu (/info/net/route/ospf)

Command Syntax and Usage

routes This command displays all OSPF routes from the unicast table.

lsa This command displays the OSPF Link State Advertisement (LSA) tables.

neigh This command displays information about the Alteon Switched Firewall's OSPF neighbors. Neighbors are routing devices that maintain information about each other's health.

if This command displays information about the configured OSPF interfaces.

fib This command displays all OSPF routes contained in the Forwarding Information-Base (FIB) advertised by the Alteon Switched Firewall. This includes routes which have been redistributed from other protocols.


/cfg Configuration Menu

[Configuration Menu]
     sys      - System-wide Parameter Menu
     pnp      - SFD IP and Firewall License Menu
     acc      - Accelerator Configuration Menu
     net      - Network Configuration Menu
     fw       - Firewall Configuration Menu
     ptcfg    - Backup current configuration to tftp server
     gtcfg    - Restore current configuration from tftp server
     misc     - Miscellaneous Settings Menu
     dump     - Dump configuration on screen for copy-and-paste
     cur      - Display current settings

The Configuration Menu is used for configuring the Alteon Switched Firewall. Some commands are available only from the administrator login.

Table 7-7 Configuration Menu (/cfg)

Command Syntax and Usage

sys The System Menu is used for configuring system-wide parameters on a per cluster basis. See page 197 for menu items.

pnp The SFD IP and Firewall License (Plug N Play) Menu is used for pre-configuring resources that are used by the system to automatically configure any new components when they are added to the cluster. Resources configured under this menu include a pool of IP addresses and Check Point licences. See page 233 for menu items.

acc The Accelerator Configuration Menu is used to configure parameters for the cluster Firewall Accelerators. This includes the IP addresses and MAC addresses of the Firewall Accelerators and options for high availability and auto detection. See page 235 for menu items.


net The Network Configuration Menu is used to configure the networks passing traffic through the firewall. See page 241 for menu items.

fw The Firewall Configuration Menu is used to configure firewall related options such as enabling firewall or resetting the Check Point Secure Internal Communications (SIC). See page 307 for menu items.

ptcfg This command saves the current configuration, including private keys and certificates, to a file on the selected TFTP server. The information is saved in a plain-text file, and can later be restored by using the gtcfg command. You will be prompted to specify a password phrase before the information is sent to the TFTP server. The password phrase is used to encrypt all included private keys. If you later restore the configuration using the gtcfg command, you will be prompted to reenter the password phrase.

gtcfg This command retrieves and applies a configuration file, including private keys and certificates, from the selected TFTP server. You will be prompted to enter the same password phrase supplied when the file was created using the ptcfg command.

misc Use the Miscellaneous Settings Menu to turn on or off configuration warning messages. See page 310 for menu items.


dump This command displays the current configuration parameters in CLI compatible format. You can capture the screen display and save the configuration to a text editor file by performing a copy-and-paste operation. The configuration can later be restored by pasting the contents of the saved text file at any command prompt in the CLI. When pasted, the content is batch processed by the Alteon Switched Firewall. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command.

If you choose to include private keys in the configuration dump, you are required to specify a password phrase. The password phrase you specify will be used to encrypt all secret information. When restoring a configuration that includes secret information, use the global paste command. Before pasting the configuration, you will be prompted to reenter the password phrase.

cur This command displays all current configuration settings. The output of the cur command is for viewing only. It cannot be captured to a file and later restored. If you wish to save the configuration for restoration later on, use the dump or ptcfg commands.


/cfg/sys System Menu

[System Menu]
     time       - Date and Time Menu
     dns        - DNS Servers Menu
     cluster    - Cluster Menu
     accesslist - Access List Menu
     adm        - Administrative Applications Menu
     log        - Platform Logging Menu
     user       - User access control menu
     cur        - Display current settings

The System Menu is used for configuring system-wide parameters on a per cluster basis.

Table 7-8 System Menu (/cfg/sys)

Command Syntax and Usage

time The Date and Time Menu is used to set the cluster date, time, time zone, and NTP options. See page 198 for menu items.

dns The DNS Servers Menu lets you change Domain Name System (DNS) parameters. See page 201 for menu items.

cluster The Cluster Menu is used for assigning the cluster management address and for accessing individual Firewall Director menus. See page 202 for menu items.

accesslist The Access List Menu is used to restrict remote access to Alteon Switched Firewall management features. You can add, delete, or list trusted IP addresses which are allowed Telnet, Secure Shell (SSH), or Browser-Based Interface (BBI) access to the system. If the access list is not configured, users will not be able to access remote management features even when those features are otherwise enabled. See page 205 for menu items.


adm The Administrative Applications Menu is used to configure Alteon Switched Firewall remote management features such as Telnet, SSH, SNMP, and the BBI. See page 206 for menu items.

log The Platform Logging Menu is used to configure system message logging features. Messages can be logged to the system console terminal, ELA facility, and archived to a file that can be automatically e-mailed. See page 224 for menu items.

user The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user accounts, and change passwords. See page 230 for menu items.

cur This command displays the current settings for items in the System Menu.

/cfg/sys/time Date and Time Menu

[Date and Time Menu]
     date     - Set system date
     time     - Set system time
     tzone    - Set Timezone
     ntp      - Configure NTP servers
     cur      - Display current settings


The Date and Time Menu is used to set the cluster date, time, and time zone options.

Table 7-9 Date and Time Menu (/cfg/sys/time)

Command Syntax and Usage

date This command sets the system date according to the specified format.

time This command sets the system time using a 24-hour clock format.

tzone [

ntp The NTP Servers Menu is used to synchronize system time with Network Time Protocol (NTP) servers. See page 200 for menu items.

cur This command displays the current settings for items in the Date and Time Menu.


/cfg/sys/time/ntp NTP Servers Menu

[NTP Servers Menu]
     list     - List all values
     del      - Delete a value by number
     add      - Add a new value

The NTP Servers Menu is used to add or delete Network Time Protocol (NTP) servers to synchronize system time.

NOTE – In order to use this feature, you must install a firewall rule that allows NTP traffic to pass to and from the Firewall Directors.

Table 7-10 NTP Servers Menu (/cfg/sys/time/ntp)

Command Syntax and Usage

list This command lists all configured NTP servers by their index number and IP address.

del This command lets you remove an NTP server from the cluster configuration by specifying the server's index number. Use the list command to display the index numbers and IP addresses of configured NTP servers.

add This command lets you add an NTP server. The NTP server with the specified IP address will be added to the list of NTP servers used to synchronize the Alteon Switched Firewall system clock. A number of NTP servers (at least three) should be available in order to compensate for any discrepancies among the servers.


/cfg/sys/dns DNS Servers Menu

[DNS Servers Menu]
     list     - List all values
     del      - Delete a value by number
     add      - Add a new value
     insert   - Insert a new value
     move     - Move a value by number

The DNS Servers Menu lets you change Domain Name System (DNS) parameters.

NOTE – In order to use this feature, you must install a firewall rule that allows DNS traffic to pass to and from the Firewall Directors.

Table 7-11 DNS Servers Menu (/cfg/sys/dns)

Command Syntax and Usage

list This command displays all DNS servers by their index number and IP address.

del This command lets you remove a DNS server by index number. Use the list command to display the index numbers and IP addresses of added DNS servers.

add This command lets you add a new DNS server. The DNS server with the specified IP address will be added.

insert This command lets you add a new DNS server to the list at the specified index position. All existing items at the specified index number and higher are incremented by one position.

move This command removes the DNS server at the specified "from" index number and inserts it at the specified "to" index number.


/cfg/sys/cluster Cluster Configuration Menu

[Cluster Menu]
     net      - Set ASF internal subnet network
     mask     - Set ASF internal subnet mask
     mip      - Set management IP (MIP) address
     host     - iSD Host Menu
     cur      - Display current settings

The Cluster Menu is used for assigning the cluster management address and for accessing individual Firewall Director menus.

Table 7-12 Cluster Configuration Menu (/cfg/sys/cluster)

Command Syntax and Usage

net This command lets you change the base IP address of the Alteon Switched Firewall internal network (established during initial configuration). Note: Disable Check Point antispoofing before changing the internal network address.

mask This command lets you change the network mask for all Firewall Directors in the cluster. This mask is used in combination with the net command to create an IP address range for the Alteon Switched Firewall network.

mip This command lets you change the cluster Management IP (MIP) address. The MIP address identifies the cluster on the network. This address is used when accessing remote management features such as Telnet, SSH, or the BBI. The address must be unique on the network.

host The iSD Host Menu is used for performing actions on a specific Firewall Director, identified by its host number. The host number for each specific Firewall Director can be listed using the cur command. This menu is used to put the Firewall Director into master or slave mode, set its IP address, halt it, reboot it, or reset it to factory default configuration in preparation for removal from the cluster. See page 203 for menu items.

cur This command displays the current settings for items in the Cluster Menu.


/cfg/sys/cluster/host iSD Host Menu

[iSD Host 1 Menu]
     type     - Set type of the iSD
     ip       - Set IP address
     halt     - Halt the iSD
     reboot   - Reboot the iSD
     delete   - Remove iSD Host
     cur      - Display current settings

This menu is used for performing actions on a specific Firewall Director, identified by host number. The host number can be found using the /cfg/sys/cluster/cur command.

Table 7-13 iSD Host Menu (/cfg/sys/cluster/host)

Command Syntax and Usage

type master|slave This command lets you set the currently selected Firewall Director as master or slave. A master is capable of hosting the cluster Management IP (MIP) address. Up to four masters can be present in a cluster. If an active master fails, one of the other masters will become active and host the MIP address. Depending on the total number of iSD hosts in a cluster and the desired level of redundancy, it is recommended that two to four iSD hosts are configured as masters.

When installing the first Firewall Director in a new cluster (by selecting new in the Setup Menu), it is automatically configured as master. When adding more Firewall Directors to the same cluster (by selecting join in the Setup Menu), the first three additional Firewall Directors in a cluster will also be masters. When adding one or more Firewall Directors to a cluster that already contains four masters, any added Firewall Directors are automatically configured as slave.

Normally, you will only need to change the type setting when you have removed one or more master Firewall Directors from a cluster. In this case, if there are any slave devices, you may want to promote one of them to become a master.

To determine which Firewall Director is currently hosting the MIP address, use the /info/clu command. To view the host number of each Firewall Director in a cluster, use the /cfg/sys/cluster/cur command.

ip This command is used to set the IP address of the currently selected Firewall Director. Changing this address does not affect the Management IP address which defines the cluster itself. The IP address is specified using dotted decimal notation. Note that you will be logged out when you apply the new IP address.


halt After confirmation, this command stops the currently selected Firewall Director. Always use this command before turning off the device. If the Firewall Director you want to halt has become isolated from the cluster, you will receive an error message when performing the halt command. You can then try logging in to the specific Firewall Director using its local serial port (or a Telnet or SSH connection to the Firewall Director's individually assigned IP address) and use the /boot/halt command.

reboot After confirmation, this command reboots the currently selected Firewall Director. If the Firewall Director you want to reboot has become isolated from the cluster, you will receive an error message when performing the reboot command. You can then try logging in to the specific Firewall Director using its local serial port (or a Telnet or SSH connection to the Firewall Director's individually assigned IP address) and use the /boot/reboot command.

delete After confirmation, this command lets you remove the currently selected Firewall Director "cleanly" from the cluster, and resets the removed Firewall Director to its factory default configuration. Other iSD hosts in the cluster are unaffected. To ensure that you remove the intended Firewall Director, view the current settings by using the cur command. To view the host number, type (master or slave), and IP address for all Firewall Directors in a cluster, use the /cfg/sys/cluster/cur command.

Once you have removed a Firewall Director from the cluster using the delete command, you can only access the device through a console terminal attached directly to its local serial port. You can then log in using the administration account (admin) and the default password (admin) to access the Setup Menu.

When multiple Firewall Directors are present in a cluster, you cannot delete a particular Firewall Director if it is the only one that has a health status "up." If that is the case, you will receive an error message when performing the delete command. To delete a Firewall Director from the cluster while all the other cluster members are down, see the /boot/delete command on page 312.

cur This command displays the current settings for items in the current iSD Host Menu.
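The master/slave and MIP-hosting rules described for the type and delete commands above can be exercised in a small model. The following is an added example written for this guide, not Nortel's code: it assumes that a failed master's MIP address moves to the lowest-numbered healthy master (the manual only says "one of the other masters"), that host numbers are assigned in join order, and it ignores IP addresses and the serial-console path entirely.

```python
from typing import Dict, List, Optional

MAX_MASTERS = 4  # the manual allows up to four masters per cluster


class Director:
    """One iSD host (Firewall Director) with its role and health status."""

    def __init__(self, number: int, role: str) -> None:
        self.number = number
        self.role = role   # "master" or "slave"
        self.up = True     # health status "up"


class Cluster:
    """Toy model of Firewall Director roles and of which host holds the MIP."""

    def __init__(self) -> None:
        self.hosts: Dict[int, Director] = {}
        self._next_number = 1          # assumption: host numbers follow join order
        self.mip_host: Optional[int] = None

    def _master_count(self) -> int:
        return sum(1 for d in self.hosts.values() if d.role == "master")

    def join(self) -> int:
        """Add a Director: the first four hosts become masters, later ones slaves."""
        number = self._next_number
        self._next_number += 1
        role = "master" if self._master_count() < MAX_MASTERS else "slave"
        self.hosts[number] = Director(number, role)
        if self.mip_host is None:       # the very first host hosts the MIP
            self.mip_host = number
        return number

    def _elect_mip_host(self) -> None:
        """Assumption: the lowest-numbered master that is up takes over the MIP."""
        candidates = [d.number for d in self.hosts.values() if d.role == "master" and d.up]
        self.mip_host = min(candidates) if candidates else None

    def fail(self, number: int) -> None:
        """Mark a Director down; if it held the MIP another master takes over."""
        self.hosts[number].up = False
        if self.mip_host == number:
            self._elect_mip_host()

    def set_type(self, number: int, role: str) -> None:
        """type master|slave; a fifth master is refused."""
        if role not in ("master", "slave"):
            raise ValueError(f"unknown type {role!r}")
        d = self.hosts[number]
        if role == "master" and d.role != "master" and self._master_count() >= MAX_MASTERS:
            raise ValueError("cluster already has four masters")
        d.role = role
        if self.mip_host == number and role == "slave":
            self._elect_mip_host()   # a slave cannot host the MIP
        if self.mip_host is None and role == "master" and d.up:
            self.mip_host = number

    def delete(self, number: int) -> None:
        """delete: refused when this is the only healthy member of a multi-host cluster."""
        d = self.hosts[number]
        others_up = any(o.up for o in self.hosts.values() if o.number != number)
        if len(self.hosts) > 1 and d.up and not others_up:
            raise RuntimeError("cannot delete the only Director that is up; "
                               "use /boot/delete on the device instead")
        del self.hosts[number]
        if self.mip_host == number:
            self._elect_mip_host()

    def roles(self) -> List[str]:
        """Roles in host-number order, like /cfg/sys/cluster/cur would list them."""
        return [self.hosts[n].role for n in sorted(self.hosts)]


if __name__ == "__main__":
    c = Cluster()
    for _ in range(6):
        c.join()
    print("roles after six joins:", c.roles())      # four masters, two slaves
    c.fail(1)
    print("MIP host after host 1 fails:", c.mip_host)
    c.delete(1)
    c.set_type(5, "master")                            # promote a slave after removing a master
    print("roles after promotion:", c.roles())
```

The delete() guard reproduces the rule that a cluster member cannot be removed through the CLI while every other member is down; the model raises where the real CLI prints an error and points at /boot/delete.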


/cfg/sys/accesslist Access List Menu

[Access List Menu]
     list     - List all values
     del      - Delete a value by number
     add      - Add a new value

The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the cluster access list.

The access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system. There is only one access list which is shared by all remote management features.

Requests for remote management access from any client whose IP address is not on the access list are dropped. By default, the access list is empty, meaning that all remote management access is initially disallowed.

When a client’s IP address is added to the access list, that client is permitted to access all enabled remote management features, provided that a firewall rule exists to allow the type of traffic, and that the user supplies the appropriate password.

The following options are available on the Access List Menu:

Table 7-14 Access List Menu (/cfg/sys/accesslist)

Command Syntax and Usage

list This command displays all index and IP address information for all trusted clients which can access enabled remote management features.

del This command lets you remove an access entry by index number. Use the list command to display the index numbers and IP addresses of access entries.

add This command lets you add a new IP address or range of addresses to the access list. Any added clients are considered trusted and have access to any enabled remote management features.
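The deny-by-default behaviour of the access list (empty list, nothing admitted; one shared list for every remote management feature; entries are single addresses or ranges addressed by a 1-based index) is easy to get wrong when re-implemented on another platform. The following is an added example written for this guide, not Nortel's code, that models the list with Python's ipaddress module; the client addresses, feature names and the `admit` helper are constructed for illustration, and the firewall-rule and password checks the manual also requires are left out of the model.

```python
import ipaddress
from typing import List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AccessList:
    """Deny-by-default allowlist of remote management clients.

    Models the documented behaviour of /cfg/sys/accesslist: one list shared
    by Telnet, SSH and the BBI; it starts empty, and an empty list means
    that every remote management request is dropped.
    """

    def __init__(self) -> None:
        # Kept in insertion order; the operator-facing index is 1-based,
        # matching the "list" and "del" commands.
        self._entries: List[Network] = []

    def add(self, entry: str) -> int:
        """Add a single address or a CIDR range; returns its 1-based index."""
        # strict=False lets "10.0.0.5/8" through by masking to the network;
        # a bare address becomes a /32 (or /128) host entry.
        self._entries.append(ipaddress.ip_network(entry, strict=False))
        return len(self._entries)

    def delete(self, index: int) -> None:
        """Remove the entry with the given 1-based index."""
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"no access list entry with index {index}")
        del self._entries[index - 1]

    def list_entries(self) -> List[str]:
        """Index and address/range of every trusted client, like the CLI 'list'."""
        return [f"{i}: {net}" for i, net in enumerate(self._entries, start=1)]

    def permits(self, client_ip: str) -> bool:
        """True only when the client address falls inside some entry."""
        addr = ipaddress.ip_address(client_ip)
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(addr in net for net in self._entries)


def admit(acl: AccessList, enabled_features: Set[str],
          client_ip: str, feature: str) -> bool:
    """Access-list check first, then the requested feature must be enabled.

    Constructed helper: Telnet and SSH are disabled by default on the ASF,
    so a trusted client is still refused a feature that was never enabled.
    """
    return acl.permits(client_ip) and feature in enabled_features


def filter_requests(acl: AccessList, enabled_features: Set[str],
                    requests: List[Tuple[str, str]]
                    ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split constructed (client_ip, feature) requests into accepted and dropped."""
    accepted: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for client_ip, feature in requests:
        target = accepted if admit(acl, enabled_features, client_ip, feature) else dropped
        target.append((client_ip, feature))
    return accepted, dropped


if __name__ == "__main__":
    acl = AccessList()
    print("empty list admits 10.0.0.5?", acl.permits("10.0.0.5"))   # False: deny by default
    acl.add("10.0.0.5")        # constructed: one admin workstation
    acl.add("192.0.2.0/24")    # constructed: a management subnet
    for line in acl.list_entries():
        print(line)
    accepted, dropped = filter_requests(acl, {"ssh"}, [
        ("10.0.0.5", "ssh"), ("192.0.2.77", "ssh"),
        ("192.0.2.77", "telnet"), ("198.51.100.9", "ssh")])
    print("accepted:", accepted)
    print("dropped:", dropped)
```

Because index numbers shift after a del, the model (like the CLI) expects you to run list again before deleting a second entry; the same applies to scripts that drive the real CLI.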


/cfg/sys/adm Administrative Applications Menu

[Administrative Applications Menu]
     idle     - Set CLI idle timeout
     telnet   - Telnet Administration Menu
     ssh      - SSH Administration Menu
     snmp     - SNMP Administration Menu
     web      - Web Administration Menu
     cur      - Display current settings

The Administrative Applications Menu is used to configure Alteon Switched Firewall remote management features such as Telnet, SSH, SNMP, and the BBI.

Table 7-15 Administrative Application Menu (/cfg/sys/adm)

Command Syntax and Usage

idle This command sets the amount of time that a local or remote CLI session can remain inactive before being automatically logged out. The time period is specified in seconds, from 300 to 3600. The default is 300 seconds (5 minutes).

telnet The Telnet Administration Menu is used to enable or disable Telnet for remote access to the Alteon Switched Firewall management CLI. See page 207 for menu items.

ssh This menu is used to enable or disable Secure Shell (SSH) for remote access to the ASF management CLI. This menu is also used for generating SSH host keys. See page 209 for menu items.

snmp The SNMP Administration Menu is used to enable or disable Simple Network Management Protocol (SNMP) for remote management of the Alteon Switched Firewall. This menu is also used for defining SNMP information, permission levels, and traps. See page 210 for menu items.


web The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The BBI provides HTTP or Secure Socket Layer (SSL) access for remote management of the Alteon Switched Firewall using a Web browser. See page 217 for menu items.

cur This command displays the current Administrative Applications Menu settings.

/cfg/sys/adm/telnet Telnet Administration Menu

[Telnet Administration Menu]
     ena      - Enable Telnet
     dis      - Disable Telnet
     cur      - Display current settings

The Telnet Administration Menu is used to enable or disable remote Telnet access to the Alteon Switched Firewall CLI. By default, Telnet access is disabled. Depending on the severity of your security policy, you may enable Telnet access and restrict it to one or more trusted clients.


NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, see "Using Secure Shell" on page 106. For more information on the Telnet feature, see "Using Telnet" on page 104.

Table 7-16 Telnet Administration Menu (/cfg/sys/adm/telnet)

Command Syntax and Usage

ena This command enables the Telnet management feature. When enabled, Telnet access to the cluster MIP address is allowed for trusted clients which have been added to the cluster access list (see "Defining the Remote Access List" on page 102).

dis This command disables the Telnet management feature. This is the default. When disabled, all active Telnet administration sessions will be terminated, and all new Telnet requests sent to the MIP address will be dropped.

cur This command displays the current Telnet settings.


/cfg/sys/adm/ssh SSH Administration Menu

[SSH Administration Menu]
     ena        - Enable SSH
     dis        - Disable SSH
     gensshkeys - Generate new SSH host keys
     cur        - Display current settings

The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote access to the Alteon Switched Firewall management CLI. This menu is also used for generating SSH host keys.

An SSH connection allows secure management of the Alteon Switched Firewall from any workstation connected to the network. SSH access provides server host authentication, encryption of management messages, and encryption of passwords for user authentication. By default, SSH is disabled.

NOTE – In order to use this feature, you must install a firewall rule that allows SSH traffic to pass to and from the Firewall Directors.

For more information on the SSH feature, see “Using Secure Shell” on page 106.

Table 7-17 SSH Administration Menu (/cfg/sys/adm/ssh)

Command Syntax and Usage

ena This command enables the SSH management feature. When enabled, SSH access to the cluster MIP address is allowed for trusted clients which have been added to the cluster access list (see “Defining the Remote Access List” on page 102).

dis This command disables the SSH management feature. This is the default. When disabled, all active SSH administration sessions will be terminated, and all new SSH requests sent to the MIP address will be dropped.

gensshkeys This command generates new SSH host keys.

cur This command displays the current SSH settings.


/cfg/sys/adm/snmp SNMP Administration Menu

[SNMP Administration Menu]
     ena      - Enable SNMP
     dis      - Disable SNMP
     model    - Set security model
     level    - Set usm security level
     access   - Set read access control
     events   - Set trap events
     alarms   - Set trap alarms
     rcomm    - Set v2c read community
     wcomm    - Set v2c write community
     users    - SNMP USM Users Menu
     hosts    - Trap Hosts Menu
     system   - SNMP System Information Menu
     adv      - Advanced SNMP Options Menu
     cur      - Display current settings

The Alteon Switched Firewall software supports elements of the Simple Network Management Protocol (SNMP). If you are running an SNMP network management station on your network, you can read and write ASF configuration information and collect statistics using the following SNMP Managed Information Bases (MIBs):

- MIB II (RFC 1213)
- Ethernet MIB (RFC 1643)
- Bridge MIB (RFC 1493)

NOTE – In order to use this feature, you must install a firewall rule that allows SNMP traffic to pass to and from the Firewall Directors.

Table 7-18 SNMP Administration Menu Options (/cfg/sys/adm/snmp)

Command Syntax and Usage

ena This command enables the SNMP features.

dis This command disables the SNMP features. This is the default.


model v2c|usm This command is used to specify which form of SNMP security will be used by the ASF:
- v2c: Use the SNMP version 2C security model.
- usm: Use the SNMP version 3 User-based Security Model (USM).

level auth|encrypt This command is used only when usm is selected. It is used to specify the desired degree of SNMP USM security:
- auth: Verify the SNMP user password before granting SNMP access. SNMP information is transmitted in plain text.
- encrypt: Verify the SNMP user password before granting SNMP access and encrypt all SNMP information with the user's individual key.
USM user names, along with their passwords and encryption keys, are defined in the SNMP Users Menu (/cfg/sys/adm/snmp/users).

access d|r This command sets the SNMP access control:
- d: Disable SNMP read capability. Users will be sent only enabled event and alarm messages and are not permitted to read SNMP information from the ASF.
- r: Enable SNMP read capability. Users will be sent enabled event and alarm messages and are also allowed to read SNMP information from the supported ASF MIBs.

events y|n This command is used to enable or disable sending cluster event messages to the SNMP trap hosts. When enabled, messages regarding general occurrences (such as detection of a new component) are sent.

alarms y|n This command is used to enable or disable sending cluster alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions which may require administrative action.

rcomm This command is used only when the v2c security model is selected. The read community string controls SNMP "get" access to the cluster. It can have a maximum of 32 characters. The default read community string is public and should be changed for security.


wcomm This command is used only when the v2c security model is selected. The write community string controls SNMP "set" access to the cluster. It can have a maximum of 32 characters. The default write community string is private and should be changed for security.

users The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the security model, SNMP access is granted only to the user/password pairs defined in the SNMP Users Menu. See page 213 for menu items.

hosts The Trap Hosts Menu is used to add, remove, or list hosts which will receive cluster event or alarm messages. See page 214 for menu items.

system The SNMP System Information Menu is used to configure basic identification information such as support contact name, system name, and system location. See page 215 for menu items.

adv The Advanced SNMP Settings Menu is used to configure less common SNMP options. See page 216 for menu items.

cur This command displays the current SNMP Administration Menu settings.
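The model, level, access, rcomm and wcomm settings above interact: v2c puts the community string on the wire in the clear, the manual's own defaults (public/private) are well known, and usm with level auth still sends the SNMP payload in plain text. The following is an added example written for this guide, not Nortel's code: a small audit that takes a constructed record of the settings from this menu and reports which of the weak combinations it contains, so the weak defaults can be compared against a hardened configuration. The SnmpConfig field names and the finding codes are assumptions made for the example; the 32-character limit and the default strings come from the table.

```python
from dataclasses import dataclass, field
from typing import List

# Well-known defaults named in the manual; any scanner tries these first.
DEFAULT_COMMUNITIES = {"public", "private"}
MAX_COMMUNITY_LEN = 32


@dataclass
class SnmpConfig:
    """Constructed mirror of the /cfg/sys/adm/snmp settings (names are assumptions)."""
    enabled: bool = False              # ena / dis; disabled is the ASF default
    model: str = "v2c"                 # model v2c|usm
    level: str = "auth"                # level auth|encrypt (usm only)
    access: str = "d"                  # access d|r
    rcomm: str = "public"              # v2c read community (manual default)
    wcomm: str = "private"             # v2c write community (manual default)
    events: bool = False               # events y|n
    alarms: bool = False               # alarms y|n
    trap_hosts: List[str] = field(default_factory=list)


def audit_snmp(cfg: SnmpConfig) -> List[str]:
    """Return one finding per weak combination; an empty list means nothing to fix."""
    findings: List[str] = []
    if not cfg.enabled:
        return findings                # nothing is exposed while SNMP is disabled

    if cfg.model == "v2c":
        findings.append("V2C-CLEARTEXT: community strings are the only credential "
                        "and travel unencrypted; prefer model usm")
        if cfg.rcomm in DEFAULT_COMMUNITIES:
            findings.append("RCOMM-DEFAULT: read community is a well-known default")
        if cfg.wcomm in DEFAULT_COMMUNITIES:
            findings.append("WCOMM-DEFAULT: write community is a well-known default")
        if cfg.rcomm == cfg.wcomm:
            findings.append("COMM-SHARED: read and write communities are identical, "
                            "so read access implies set access")
        for name, value in (("rcomm", cfg.rcomm), ("wcomm", cfg.wcomm)):
            if len(value) > MAX_COMMUNITY_LEN:
                findings.append(f"COMM-TOO-LONG: {name} exceeds {MAX_COMMUNITY_LEN} characters")
    elif cfg.model == "usm":
        if cfg.level != "encrypt":
            findings.append("USM-AUTH-ONLY: level auth leaves SNMP payloads in plain text; "
                            "set level encrypt")
    else:
        findings.append(f"MODEL-UNKNOWN: unrecognised security model {cfg.model!r}")

    if (cfg.events or cfg.alarms) and not cfg.trap_hosts:
        findings.append("TRAPS-NO-HOST: traps are enabled but no trap host is configured")
    return findings


def weak_default_config() -> SnmpConfig:
    """SNMP simply switched on with every other setting left at its default."""
    return SnmpConfig(enabled=True)


def hardened_config() -> SnmpConfig:
    """usm with encryption, read-only access and a constructed trap host."""
    return SnmpConfig(enabled=True, model="usm", level="encrypt", access="r",
                      events=True, alarms=True, trap_hosts=["192.0.2.10"])


if __name__ == "__main__":
    for label, cfg in (("weak", weak_default_config()), ("hardened", hardened_config())):
        print(f"{label}:")
        for finding in audit_snmp(cfg) or ["  (no findings)"]:
            print(" ", finding)
```

The audit only looks at the settings in this menu; whether a firewall rule admits SNMP to the Firewall Directors at all (see the note above) is a separate check.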


/cfg/sys/adm/snmp/users SNMP Users Menu

[SNMP Users Menu]
     list     - List all users
     del      - Delete a user by name
     add      - Add a new user

The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the security model (/cfg/sys/adm/snmp/model), SNMP access is granted only to the user/password pairs defined in this menu.

Table 7-19 SNMP Users Menu Options (/cfg/sys/adm/snmp/users)

Command Syntax and Usage

list This command lists all configured USM users.

del This command lets you remove a USM user from the cluster configuration. Use the list command to display the configured USM users.

add This command lets you add a USM user. When the command is initiated, you will be prompted to enter the following:
- get and/or trap: specify whether the user is authorized to perform SNMP get requests and/or receive enabled trap event and alarm messages. Enter get trap to specify that both are allowed.
- user password (and confirmation): password the user must enter for access.


/cfg/sys/adm/snmp/hosts Trap Hosts Menu

[Trap Hosts Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Trap Hosts Menu is used to add, remove, or list hosts which will receive SNMP event or alarm messages from the cluster.

Table 7-20 Trap Hosts Menu Options (/cfg/sys/adm/snmp/hosts)

Command Syntax and Usage

list This command lists all configured trap hosts which will receive SNMP event or alarm messages from the cluster.

del This command lets you remove an SNMP trap host from the cluster configuration by specifying the trap host’s index number. Use the list command to display the index numbers and IP addresses of configured trap hosts.

add This command lets you add an SNMP trap host. The trap host with the specified IP address will receive any enabled SNMP messages from the cluster. Event messages and alarm messages can be independently enabled or disabled in the SNMP Administration Menu (see page 210).


/cfg/sys/adm/snmp/system SNMP System Information Menu

[SNMP System Information Menu]
contact - Set Contact
name - Set Name
loc - Set Location
cur - Display current settings

The SNMP System Information Menu is used to configure basic identification information such as support contact name, system name, and system location.

Table 7-21 SNMP System Information Options (/cfg/sys/adm/snmp/system)

Command Syntax and Usage

contact Configures the name of the system contact. The contact can have a maximum of 64 characters.

name Configures the name for the system. The name can have a maximum of 64 characters.

loc Configures the name of the system location. The location can have a maximum of 64 characters.

cur This command displays the current SNMP System Information settings.


/cfg/sys/adm/snmp/adv Advanced SNMP Settings Menu

[SNMP Advanced Settings Menu]
allinf - Set allow snmp requests through all interfaces
trapsrcip - Set source ip of traps
cur - Display current settings

The Advanced SNMP Settings Menu is used to configure less common SNMP options.

Table 7-22 Advanced SNMP Menu Options (/cfg/sys/adm/snmp/adv)

Command Syntax and Usage

allinf y|n This command determines which interfaces will accept SNMP requests. If enabled (y), SNMP requests will be accepted on all interfaces. If disabled (n), SNMP requests will be accepted only at the cluster MIP address or individual Firewall Director IP address. This option is disabled by default.

trapsrcip auto|unique|mip This command is used to configure which source IP address will be used with SNMP traps generated from the Alteon Switched Firewall.
- auto: The IP address of the outgoing interface is used. This is the default.
- unique: The IP address of the individual Firewall Director is used.
- mip: The IP address of the cluster MIP is used. This setting is useful with applications (such as some versions of HP OpenView) that expect devices to be limited to only one IP address.

cur This command displays the current settings for all options in the Advanced SNMP Settings Menu.


/cfg/sys/adm/web Web Administration Menu

[Web Administration Menu]
http - HTTP Configuration Menu
ssl - SSL Configuration Menu
cur - Display current settings

The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The BBI allows for refined, intuitive remote management of the Alteon Switched Firewall using a Web browser. The BBI can be configured to use HTTP (non-secure), HTTPS with Secure Socket Layer (SSL), or both.

NOTE – In order to use this feature, you must install a firewall rule that allows HTTP or HTTPS traffic to pass to and from the Firewall Directors.

For more information, see Chapter 6, “The Browser-Based Interface,” on page 115.

Table 7-23 Web Administration Menu (/cfg/sys/adm/web)

Command Syntax and Usage

http The HTTP Configuration Menu is used to configure BBI access using HTTP (non-secure). See page 218 for menu items.

ssl The SSL Configuration Menu is used to configure BBI access using HTTPS with Secure Socket Layer (SSL). For security reasons, using SSL with the BBI is highly recommended. See page 219 for menu items.

cur This command displays the current settings for items in the Web Administration Menu.


/cfg/sys/adm/web/http HTTP Configuration Menu

[HTTP Configuration Menu]
port - Set HTTP Port number
ena - Enable HTTP
dis - Disable HTTP
cur - Display current settings

The HTTP Configuration Menu is used to configure BBI access using HTTP. By default, HTTP access is enabled, but restricted to trusted clients. Depending on the severity of your security policy, you may disable HTTP access and refine the list of trusted clients.

NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, see the “SSL Configuration Menu” on page 219.

For more information, see Chapter 6, “The Browser-Based Interface,” on page 115.

Table 7-24 HTTP Configuration Menu (/cfg/sys/adm/web/http)

Command Syntax and Usage

port This command sets the logical HTTP port which is used by the built-in BBI Web server. By default, the Web server uses well-known HTTP port 80. This can be changed to use any port number, but should not be set to any port which is being used by other services.

ena This command enables HTTP access to the BBI. This is the default. When enabled, HTTP access to the cluster MIP address is allowed for trusted clients which have been added to the cluster access list (see “Defining the Remote Access List” on page 102).

dis This command disables HTTP access to the BBI. When disabled, HTTP requests to the MIP address are dropped.

cur This command displays the current HTTP settings.


/cfg/sys/adm/web/ssl SSL Configuration Menu

[SSL Configuration Menu]
port - Set SSL port number
ena - Enable SSL
dis - Disable SSL
tls - Set TLS
sslv2 - Set SSL version 2
sslv3 - Set SSL version 3
certs - Certificate Management Menu
cur - Display current settings

The SSL Configuration Menu is used to configure BBI access using HTTPS. HTTPS uses Secure Socket Layer (SSL) to provide server host authentication, encryption of management messages, and encryption of passwords for user authentication. Using SSL with the BBI is highly recommended for security reasons. By default, SSL is disabled.

In addition to enabling/disabling the HTTPS feature, this menu allows you to set the HTTPS port, set SSL version, and access menus for generating SSL certificates.

For more information, see Chapter 6, “The Browser-Based Interface,” on page 115.

Table 7-25 SSL Configuration Menu (/cfg/sys/adm/web/ssl)

Command Syntax and Usage

port This command sets the logical HTTPS port which is used by the built-in BBI Web server. By default, the Web server uses well-known HTTPS port 443. This can be changed to use any port number, but should not be set to any port which is being used by other services.

ena This command enables HTTPS access to the BBI. When enabled, HTTPS access to the cluster MIP address is allowed for trusted clients which have been added to the cluster access list (see “Defining the Remote Access List” on page 102). Note that an SSL certificate must be generated using the Certificate Management Menu (certs) before HTTPS will function.

dis This command disables HTTPS access to the BBI. This is the default. When disabled, HTTPS requests to the MIP address will be dropped.



tls y|n This command enables or disables Transport Layer Security (TLS) for SSL.

sslv2 y|n This command enables or disables SSL Version 2.

sslv3 y|n This command enables or disables SSL Version 3.

certs The Certificate Management Menu is used to configure server certificates and external Certificate Authority certificates required for SSL. See page 220 for menu items.

cur This command displays the current settings for items in the SSL Configuration Menu, including security certificates.

/cfg/sys/adm/web/ssl/certs Certificate Management Menu

[Certificate Management Menu]
serv - Server Certificate Management Menu
ca - Certificate Authority Management Menu
cur - Display current settings


The Certificate Management Menu is used to add or remove server certificates and external Certificate Authority certificates required for SSL.

Table 7-26 Certificate Management Menu (/cfg/sys/adm/web/ssl/certs)

Command Syntax and Usage

serv The Server Certificate Management Menu is used to generate a certificate request or create a self-signed certificate. See page 221 for menu items.

ca The Certificate Authority Management Menu is used to manage CA (Certification Authority) certificates. This is required if server certificates from external CAs are being used. See page 222 for menu items.

cur This command displays the current settings under the Certificate Management Menu.

/cfg/sys/adm/web/ssl/certs/serv Server Certificate Management Menu

[Server Certificate Management Menu]
gen - Generate certificate request - this erases old key
exp - Export certificate request
list - List server certificates
del - Delete a server certificate
add - Add a server certificate
cur - Display current settings


The Server Certificate Management Menu is used to administer SSL server certificates.

Table 7-27 Server Certificate Management (/cfg/sys/adm/web/ssl/certs/serv)

Command Syntax and Usage

gen This command will generate a certificate request or a self-signed certificate.

exp This command is used for exporting certificate requests to an external Certificate Authority (CA). This command produces output that can be copied and pasted into a text file and sent to the CA to be signed. Do not use this if creating a self-signed certificate. Once the CA has responded with a PEM encoded certificate, use the add command to enter the certificate into the system.

list This command displays a list of configured server certificates.

del This command is used for deleting a server certificate.

add This command is used for adding a signed server certificate. After you have entered this command, the system will expect you to paste the PEM encoded certificate into the CLI. When done pasting the certificate, add three periods (...) and press to return to the CLI.

cur This command displays the current server certificate settings.

/cfg/sys/adm/web/ssl/certs/ca CA Certificate Management Menu

[CA Certificate Management Menu]
list - List CA certificates
del - Delete a CA certificate
add - Add a CA certificate
cur - Display current settings


The CA Certificate Management Menu is used to administer SSL external Certificate Authority (CA) certificates.

Table 7-28 CA Certificate Management Menu (/cfg/sys/adm/web/ssl/certs/ca)

Command Syntax and Usage

list This command lists all configured CA certificates.

del This command is used to remove a CA certificate from the cluster configuration.

add This command is used to add a CA certificate. After you have entered this command, the system will expect you to paste the PEM encoded certificate into the CLI. When done pasting the certificate, add three periods (...) and press to return to the CLI.

cur This command displays the current CA certificate settings.


/cfg/sys/log Platform Logging Menu

[Platform Logging Menu]
syslog - Syslog Logging Menu
ela - ELA Logging Menu
arch - Log Archiving Menu
debug - Set syslog debugging
srcip - Set syslog source IP mode
cur - Display current settings

The Platform Logging Menu is used to configure system message logging features. Messages can be logged to the system console terminal, ELA facility, archived to a file which can be automatically e-mailed, and used for debugging.

Table 7-29 Platform Logging Menu (/cfg/sys/log)

Command Syntax and Usage

syslog The System Logging Menu is used to configure syslog servers. The Alteon Switched Firewall software can send log messages to specified syslog hosts. See page 225 for menu items.

ela The ELA Menu is used to configure the Event Logging API (ELA) feature. ELA allows cluster log messages to be sent to a Check Point management server for display through the Check Point Log Viewer. See page 227 for menu items.

arch The Log Archiving Menu is used to archive log files when the file reaches a specific size or age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address and a new log file is begun. See page 228 for menu items.

debug y|n This command is used to enable or disable specialized debugging log messages. This is disabled by default and should be enabled only as directed by Nortel Networks technical support.



srcip auto|unique|mip This command is used to configure which source IP address will be used with logs generated from the Alteon Switched Firewall.
- auto: The IP address of the outgoing interface is used. This is the default.
- unique: The IP address of the individual Firewall Director is used.
- mip: The IP address of the cluster MIP is used. This setting is useful with applications (such as some versions of HP OpenView) that expect devices to be limited to only one IP address.

cur This command displays the current settings for all items in the Platform Logging Menu.

/cfg/sys/log/syslog System Logging Menu

[System Logging Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

The System Logging Menu is used to configure syslog servers. The Alteon Switched Firewall software can send log messages to specified syslog hosts.

Table 7-30 System Log Menu (/cfg/sys/log/syslog)

Command Syntax and Usage

list This command displays all configured syslog servers by their index number, IP address, and facility number.

del This command lets you remove a syslog server from the cluster configuration by specifying the server’s index number.



add This command lets you add a new syslog server, including its IP address and local facility number. The local facility number can be used to uniquely identify syslog entries. For more information, see the UNIX manual page for syslog.conf.

insert This command lets you add a new syslog server IP address to the list at the specified index position. All existing items at the specified index number and higher are moved up by one position.

move This command removes the syslog server IP address at the specified from index number and inserts it at the specified to index number in the list.


/cfg/sys/log/ela ELA Logging Menu

[ELA Logging Menu]
ena - Enable ELA
dis - Disable ELA
addr - Set management station IP address
sev - Set minimum logging severity
dn - Set management station DN
pull - Pull SIC certificate
cur - Display current settings

The ELA Logging Menu is used to configure the Event Logging API (ELA) feature. ELA allows cluster log messages to be sent to a Check Point management server for display through the Check Point Log Viewer.

ELA configuration requires steps at both the Alteon Switched Firewall and at Check Point management server. For configuration details, see Appendix A, “Event Logging API,” on page 385.

The ELA Logging Menu has the following options:

Table 7-31 ELA Logging Menu (/cfg/sys/log/ela)

Command Syntax and Usage

ena This command is used to enable the ELA feature. When enabled, system log messages will be sent to the Check Point management server.

dis This command is used to disable ELA. This is the default.

addr This command is used to set the IP address of the management server to which cluster log messages will be sent. Specify the IP address in dotted decimal notation.

sev emerg|alert|crit|err|notice|info|debug This command is used to set the minimum logging severity level. All messages at the specified level of severity or higher will be logged to the ELA.

dn This command is used to set the Distinguished Name (DN) of management server. The DN is defined in the Check Point Policy Editor under the management server properties. The DN is found in the Secure Internal Communication (SIC) area.



pull This command is used to obtain a certificate for secure communication from the management server.

cur This command displays the current ELA settings.
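The sev command above selects which messages reach the Check Point management server: a message is forwarded only when its severity is at the configured level or more severe, and nothing is forwarded while ELA is disabled (the default). The following is an added example that models that filter in Python; it is not Nortel code and does not talk to ELA. The severity ladder is exactly the one listed for sev on this page, and the log lines are constructed for the example.

```python
# Added example (not part of the Alteon Switched Firewall software): model the
# ELA "minimum severity" filter from /cfg/sys/log/ela over constructed log lines.
from dataclasses import dataclass
from typing import Iterable, List

# Severity ladder as listed for the sev command, most severe first.
# (Standard syslog also defines "warning" between err and notice; it is not
# listed on this page, so it is deliberately not included here.)
ELA_SEVERITIES = ["emerg", "alert", "crit", "err", "notice", "info", "debug"]
RANK = {name: index for index, name in enumerate(ELA_SEVERITIES)}  # lower rank = more severe


@dataclass(frozen=True)
class LogMessage:
    severity: str
    text: str


def at_least(severity: str, minimum: str) -> bool:
    """True when `severity` is as severe as `minimum` or more severe."""
    if severity not in RANK or minimum not in RANK:
        raise ValueError(f"unknown severity: {severity!r} / {minimum!r}")
    return RANK[severity] <= RANK[minimum]


def parse_line(line: str) -> LogMessage:
    """Parse a constructed 'severity: text' line (assumed format for this example)."""
    sev, sep, text = line.partition(":")
    sev = sev.strip().lower()
    if not sep or sev not in RANK:
        raise ValueError(f"unparseable log line: {line!r}")
    return LogMessage(sev, text.strip())


def select_for_ela(lines: Iterable[str], min_sev: str, enabled: bool = False) -> List[LogMessage]:
    """Return the messages that would be sent to the management server.

    `enabled` defaults to False to mirror the menu, where dis is the default:
    with ELA disabled, nothing is forwarded regardless of severity.
    """
    if not enabled:
        return []
    return [m for m in map(parse_line, lines) if at_least(m.severity, min_sev)]


# Constructed sample lines; not captured from a real system.
SAMPLE_LINES = [
    "info: admin login from 192.0.2.10",
    "err: syslog server 192.0.2.99 unreachable",
    "debug: health check probe sent",
    "crit: accelerator 1 reported down",
    "notice: configuration applied",
]

if __name__ == "__main__":
    for msg in select_for_ela(SAMPLE_LINES, "err", enabled=True):
        print(f"forward -> {msg.severity}: {msg.text}")
```

Running the module with sev set to err forwards only the err and crit lines; setting sev to debug forwards everything, which is the usual choice only when a short troubleshooting window is open, since the management server then carries the full message volume.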

/cfg/sys/log/arch Log Archiving Menu

[Log Archiving Menu]
email - Set e-mail address to send log
smtp - Set SMTP server address
int - Set log archive interval
size - Set maximum size of archived log
cur - Display current settings

The Log Archiving Menu is used to archive log files when the file reaches a specific size or age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address and a new log file is begun.


If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size, or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0, the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP Server IP address are set, then the log file is e-mailed when rotated.

Table 7-32 Log Archiving Menu (/cfg/sys/log/arch)

Command Syntax and Usage

email This command is used in conjunction with smtp to set the e-mail address where log files will be sent when the log interval or maximum log size is reached.

smtp This command is used to set the IP address of the SMTP mail server that holds the e-mail address specified in the email command. The IP address should be specified in dotted decimal notation. Note that the specified SMTP server must be configured to accept messages from the cluster. Also, a Check Point policy should be present to allow these messages through the firewall.

int This command is used to set the time interval at which the log files are rotated. The interval is specified in number of days and number of hours.

size This command is used to set the maximum size a log file is allowed to reach before triggering rotation. The size is specified in kilobytes. If set to 0, the file size is ignored and only the interval (int) is used to determine rotation.

cur This command displays the current log archiving settings.
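The rotation rule described for this menu has three inputs: the size limit (0 disables the size check), the interval in days and hours, and whether both an e-mail address and an SMTP server are configured. The following is an added example, not Nortel code, that encodes that rule so the interaction of the settings can be checked before they are applied; the function and parameter names are chosen for the example.

```python
# Added example (not part of the Alteon Switched Firewall software): the log
# rotation decision described for /cfg/sys/log/arch, expressed as plain functions.
from datetime import timedelta
from typing import Optional


def rotate_interval(days: int, hours: int) -> timedelta:
    """The int setting is entered as a number of days plus a number of hours."""
    if days < 0 or hours < 0:
        raise ValueError("interval parts must be non-negative")
    return timedelta(days=days, hours=hours)


def should_rotate(log_size_kb: int, rotate_size_kb: int,
                  log_age: timedelta, interval: timedelta) -> bool:
    """Apply the page's rule.

    - Reaching the interval always rotates.
    - If the size limit is above 0, surpassing it also rotates (whichever comes first).
    - If the size limit is 0, file size is ignored entirely.
    """
    if log_size_kb < 0 or rotate_size_kb < 0:
        raise ValueError("sizes must be non-negative")
    if log_age >= interval:
        return True
    if rotate_size_kb > 0 and log_size_kb > rotate_size_kb:
        return True
    return False


def rotation_action(email: Optional[str], smtp: Optional[str]) -> str:
    """What happens to the rotated file: e-mailed only if both email and smtp are set,
    otherwise it is simply set aside on the Firewall Director."""
    return "email" if email and smtp else "archive"


if __name__ == "__main__":
    # Constructed settings: rotate at 500 KB or every 1 day, mail via 192.0.2.25.
    limit_kb, interval = 500, rotate_interval(1, 0)
    print(should_rotate(600, limit_kb, rotate_interval(0, 2), interval))   # size exceeded
    print(should_rotate(600, 0, rotate_interval(0, 2), interval))          # size ignored
    print(rotation_action("ops@example.com", "192.0.2.25"))               # mailed on rotation
```

One point worth noting from the model: with size set to 0 and a long interval, a log that grows quickly is never rotated early, so the size setting is the control that bounds disk use on the Firewall Director.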


/cfg/sys/user User Menu

[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user

The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user accounts, and change passwords.

There are four default user accounts which cannot be deleted: admin, oper, root, and boot. See “Users and Passwords” on page 98 for information about default passwords and privileges. Only the administrator can change the passwords.

The password for the boot user cannot be changed. This ensures that if you were to lose all system passwords, the boot user would be able to access the system through the local serial port.

Table 7-33 User Menu (/cfg/sys/user)

Command Syntax and Usage

passwd This command is used to change the administrator password. Only the admin user can perform this action. You will be prompted to enter the current administrator password. Then, you will be prompted to enter and confirm the new administrator password.

expire [s][m][d] This command sets the interval at which user passwords expire. Time can be specified in seconds (s), minutes (m), or days (d). When a user attempts to log in using the expired password, they will be prompted to change the password. When the expiration value is set to 0 (zero), passwords do not expire. The default is 0.

list This command lists all editable user accounts. The boot user is not listed because this account cannot be altered.

del This command lets you delete user accounts. Only the admin user can perform this action. Of the four default users (admin, oper, root, and boot), only oper can be deleted.



add This command lets you add a user account. Only the admin user can perform this action. After adding a user account, you must also assign the account to a group using the Edit User Menu (edit).

edit The Edit User Menu is used to change user passwords and assign group privileges. See page 231 for menu items.
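The expire command accepts a count with a unit suffix of s, m, or d, and 0 means passwords never expire. The following is an added example, not Nortel code, that parses a value in that form and decides whether a given account's password has expired; the function names, the ISO-8601 timestamps and the rule that a bare 0 needs no unit are assumptions made for the example.

```python
# Added example (not part of the Alteon Switched Firewall software): parse a
# /cfg/sys/user expire value and evaluate password age against it.
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "d": 86400}
_EXPIRE_RE = re.compile(r"^\s*(\d+)\s*([smd])\s*$")


def parse_expire(value: str) -> int:
    """Return the expiry interval in seconds; 0 means never expire.

    A bare "0" is accepted without a unit (assumption for this example);
    any other value must carry one of the s/m/d unit suffixes listed on the page.
    """
    if value.strip() == "0":
        return 0
    match = _EXPIRE_RE.match(value)
    if not match:
        raise ValueError(f"invalid expire value: {value!r}")
    amount, unit = int(match.group(1)), match.group(2)
    return amount * UNIT_SECONDS[unit]


def password_expired(changed_at: datetime, now: datetime, expire_seconds: int) -> bool:
    """True when the password is older than the configured interval (0 = never)."""
    if expire_seconds == 0:
        return False
    return now - changed_at >= timedelta(seconds=expire_seconds)


def password_status(changed_at_iso: str, now_iso: str, expire_value: str) -> str:
    """Convenience wrapper on ISO-8601 timestamps: 'never-expires', 'expired' or 'valid'."""
    seconds = parse_expire(expire_value)
    if seconds == 0:
        return "never-expires"
    changed_at = datetime.fromisoformat(changed_at_iso)
    now = datetime.fromisoformat(now_iso)
    return "expired" if password_expired(changed_at, now, seconds) else "valid"


if __name__ == "__main__":
    # Constructed timestamps: password set on 1 January, checked on 2 April.
    print(password_status("2003-01-01T00:00:00", "2003-04-02T00:00:00", "90d"))  # expired
    print(password_status("2003-01-01T00:00:00", "2003-04-02T00:00:00", "0"))    # never-expires
```

With the default of 0 the status is always "never-expires", which is why a site that requires periodic password change must set expire explicitly for the cluster rather than rely on the shipped configuration.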

/cfg/sys/user/edit Edit User Menu

[User name Menu]
password - Login password
groups - Groups
cur - Display current settings

The Edit User Menu is used to change passwords and assign group privileges for the user account specified by the user name.

Table 7-34 Edit User Menu (/cfg/sys/user/edit)

Command Syntax and Usage

password This command lets you change the password for the selected user. Only the admin user can perform this action. You will be prompted to enter the current administrator password. Then, you will be prompted to enter and confirm the new user password.

groups This command lets you assign the selected user to a group. By default there are three predefined groups: admin, oper, and root. For the privileges of each group, see “Users and Passwords” on page 98. You can also define your own groups. Any user placed in a group other than one of the predefined groups will be given oper privileges only.

cur This command displays the current group settings for the selected user.


/cfg/sys/user/edit/groups Groups Menu

[Groups Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Groups Menu is used to assign the selected user to one or more groups.

By default there are three predefined groups: admin, oper, and root. For the privileges of each group, see “Users and Passwords” on page 98. You can also define your own groups. Any user placed in a group other than one of the predefined groups will be given oper privileges only.

Table 7-35 Groups Menu (/cfg/sys/user/edit/groups)

Command Syntax and Usage

list This command displays all configured groups to which the user belongs by their index number.

del This command lets you remove the user from a group by specifying the group’s index number.

add This command lets you add the user to the specified group.


/cfg/pnp SFD IP and Firewall License Menu

[SFD IP and Firewall License Menu]
ena - Enable Plug N Play
dis - Disable Plug N Play
list - List detailed status of current IPs and Licenses
del - Delete IP address and firewall license
add - Add new IP address and firewall license
cur - Display current settings

The SFD IP and Firewall License Menu is used for pre-configuring resources that allow the system to automatically configure any new Firewall Directors that are added to the cluster.

Resources configured under this menu include a pool of IP addresses and Check Point licenses. When Plug N Play is enabled and resources are available, a new Firewall Director attached to the cluster will automatically be configured and brought into service.

See “Adding Firewall Directors” on page 331 for more information.

Table 7-36 iSD IP and Firewall License Menu (/cfg/pnp)

Command Syntax and Usage

ena This command is used to turn on the Plug N Play feature. This is the default. If resources are available (using the add command), Plug N Play allows the cluster to automatically detect new Firewall Directors, join them to the cluster, configure them, and start them participating in firewall processing.

dis This command is used to turn off the Plug N Play feature. When Plug N Play is disabled, you must manually configure each new Firewall Director being added to the cluster.

list This command is used to list the IP addresses and Check Point licenses currently in the Plug N Play resource pool. Listed data includes the expiration dates of the licenses. Licenses configured using the Check Point central licensing mechanism will not be listed using this command.



del This command is used to remove an IP address and/or Check Point license from the Plug N Play resource pool. You will be prompted to enter the IP address you wish to have removed from the pool. Only unused resources can be deleted. To remove a Firewall Director which is presently a member of the cluster, see the iSD Host Menu delete command on page 204.

add This command is used to add an IP address and/or Check Point license to the Plug N Play resource pool. You will be prompted to enter an IP address and Check Point license information.

cur This command displays the current settings for the items in the SFD IP and Firewall License Menu, including information about used and unused Check Point licenses.


/cfg/acc Accelerator Configuration Menu

[Accelerator Configuration Menu]
auto - Set auto discovery
ha - Set high availability
vma - Set VMA-based performance
rearp - Set re-ARP period in minutes
passwd - Set accelerator password
ac1 - Accelerator 1 Menu
ac2 - Accelerator 2 Menu
master - preferred HA master
det - Display detected accelerators
hc - Health Check Menu
mgmtnet - Set higher priority management network
cur - Display current settings

The Accelerator Configuration Menu is used to configure parameters for the cluster Firewall Accelerators. This includes the IP addresses and MAC addresses of the Firewall Accelerators and options for high availability and auto detection.

Table 7-37 Accelerator Configuration Menu (/cfg/acc)

Command Syntax and Usage

auto y|n This command is used to configure the automatic discovery feature. If this feature is enabled, when the Firewall Director boots up, it will automatically detect the attached Firewall Accelerator and use it for acceleration when the firewall software starts. If auto detect is disabled, the administrator must manually configure the MAC addresses of the Firewall Accelerators which will be used by the Firewall Directors to accelerate firewall processing (see ac1 and ac2).

ha y|n This command is used to enable or disable the high-availability feature. This is disabled by default. High-availability requires two Firewall Accelerators installed in a redundant configuration. See Chapter 8, “Expanding the Cluster,” on page 325 for more information.



vma on|partial|off This command is used to configure the Virtual Matrix Architecture (VMA) feature on the Firewall Accelerator.
- on: All Firewall Accelerator ports share session resource information. This is used primarily in complex network environments where a session’s responses may use a different port path than the session’s requests. VMA is on by default.
- partial: In this mode, Firewall Accelerator ports 3, 4, 5, and 6 are disabled and their session resources are diverted to the remaining ports. This increases session capacity and speed on the available ports and can be used in complex networks.
- off: All Firewall Accelerator ports are responsible for their own session information. This increases firewall speed, but requires simpler network structures where a session’s responses return on the same port path as the session’s requests.

rearp

passwd This command lets you change the password used for direct access to the Firewall Accelerator console port. The default password is admin, but can be changed for security purposes. When this command is entered, you will be prompted to enter and confirm the new password.

ac1 The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first Firewall Accelerator in the cluster. See page 238 for menu items.

ac2 The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second Firewall Accelerator in the cluster. This is needed only in high-availability configurations. See page 239 for menu items.

master 1|2 This command is used to select which Firewall Accelerator is preferred for firewall acceleration in a high-availability configuration. This setting is ignored when the automatic discovery feature is enabled (see the auto command on page 235). Specify 1 to use the Firewall Accelerator defined in ac1, and 2 for ac2.



det When automatic discovery (auto) is enabled, the first discovered Firewall Accelerator in a high-availability configuration is used for the firewall acceleration. This command lists the MAC address and IP address of the active Firewall Accelerator that is currently being used for firewall acceleration.

hc The Health Check Parameters Menu is used to configure the parameters that determine when a Firewall Accelerator is considered up or down. See page 240 for menu items.

mgmtnet This command is used to configure a priority management network for the Alteon Switched Firewall. Traffic on the priority management network is protected from being dropped under conditions of excessive firewall load. This prevents the Alteon Switched Firewall from losing contact with management tools during denial-of-service attacks.

cur This command displays the current settings for all items in the Accelerator Configuration Menu.


/cfg/acc/ac1 Accelerator 1 Menu

[Accelerator 1 Menu]
    mac - Set MAC Address
    addr - Set IP Address
    iap - Set inter-accelerator Port
    cur - Display current settings

The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first Firewall Accelerator in the cluster.

Table 7-38 Accelerator 1 Menu (/cfg/acc/ac1)

Command Syntax and Usage

mac
    This command is used to manually configure the MAC address for the first Firewall Accelerator in the cluster. This is only required if the automatic discovery feature is disabled. This MAC address is ignored if automatic discovery is enabled. See the auto command on page 235 for details.

addr
    This command is used to set the IP address for the first Firewall Accelerator in the cluster. This address must be in the same subnet as the cluster MIP address and must be specified in dotted decimal notation.

iap
    This command is used to select the port used to connect Firewall Accelerators together in a high-availability configuration. By default, the IAP is port 9. Any Firewall Accelerator port can be used as the IAP, but it must have NAAP enabled.

cur
    This command displays the current settings for Firewall Accelerator 1.


/cfg/acc/ac2 Accelerator 2 Menu

[Accelerator 2 Menu]
    mac - Set MAC Address
    addr - Set IP Address
    iap - Set inter-accelerator Port
    cur - Display current settings

The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second Firewall Accelerator in the cluster. This is needed only in high-availability configurations.

Table 7-39 Accelerator 2 Menu (/cfg/acc/ac2)

Command Syntax and Usage

mac
    This command is used to manually configure the MAC address for the second Firewall Accelerator in the cluster. This is only required if the automatic discovery feature is disabled. This MAC address is ignored if automatic discovery is enabled. See the auto command on page 235 for details.

addr
    This command is used to set the IP address for the second Firewall Accelerator in the cluster. This address must be in the same subnet as the cluster MIP address and must be specified in dotted decimal notation.

iap
    This command is used to select the port used to connect Firewall Accelerators together in a high-availability configuration. By default, the IAP is port 9. Any Firewall Accelerator port can be used as the IAP, but it must have NAAP enabled.

cur
    This command displays the current settings for Firewall Accelerator 2.


/cfg/acc/hc Health Check Parameters Menu

[Health Check Parameters Menu]
    ret - Set retry count
    int - Set health check interval in seconds
    cur - Display current settings

The Health Check Parameters Menu is used to configure the parameters that determine when a Firewall Accelerator should be classified as up or down.

Each Firewall Accelerator tests the status of the other. These tests are performed at regular, definable intervals. If a Firewall Accelerator fails its test a definable number of times, the device is classified as down. If the master Firewall Accelerator in a high-availability configuration is down, the backup will take over.

Table 7-40 Health Check Parameter Menu (/cfg/acc/hc)

Command Syntax and Usage

ret
    This command is used to specify the number of tests which are permitted to fail before classifying a Firewall Accelerator as down. The default is 6.

int
    This command is used to specify the time between health checks. This is specified in seconds. The default is 1.

cur
    This command displays the current health check settings.


/cfg/net Network Configuration Menu

[Network Configuration Menu]
    port - Port Menu
    vlan - VLAN Menu
    if - Interface Menu
    route - Routing Settings Menu
    mirr - Port Mirroring Menu
    adv - Advanced Settings Menu
    cur - Display current settings

Use the Network Configuration Menu to configure networks passing traffic through the firewall.

Table 7-41 Network Configuration Menu (/cfg/net)

Command Syntax and Usage

port
    The Network Port Menu is used for configuring the specified physical port on the Firewall Accelerator. In addition to enabling or disabling ports and specifying port link characteristics, this menu is used to apply port filters. See page 242 for menu items.

vlan
    The VLANs Menu is used to configure Virtual Local Area Networks (VLANs). VLANs are required where multiple networks are attached to a single Firewall Accelerator port or for participation in networks where VLAN tagging is used. Up to 242 VLANs can be configured, though each can be given an identifying number between 1 and 4092. VLANs 4093 and 4094 are reserved for internal use. See page 250 for menu items.

if
    The IP Interface Menu is used to configure IP interfaces. An IP interface is required for each network which will be attached to the cluster. Up to 255 IP interfaces can be configured. See page 254 for menu items.

route
    The Routing Settings Menu is used to configure default IP gateways, static routes, RIP, and OSPF parameters. See page 259 for menu items.


mirr
    The Port Mirroring Menu is used to monitor ports for diagnostics. See page 293 for menu items.

adv
    The Advanced Settings Menu is used to configure domain name, port filter, local route caching, VRRP, and proxy ARP parameters. See page 296 for menu items.

cur
    This command displays the current settings for all items in the Network Configuration Menu.

/cfg/net/port Port Menu

[Port 1 Menu]
    name - Set port name
    fast - Fast Physical Link Menu
    gig - Gigabit Physical Link Menu
    pref - Set preferred physical connector
    back - Set backup physical connector
    trunk - Set trunk membership
    ena - Enable port
    dis - Disable Port
    del - Remove Port
    cur - Display current settings
    ------When trunked, items below are set by master port--
    filt - Port Filters Menu
    enf - Set filtering
    naap - Set NAAP
    vtag - Set VLAN tagging

The Network Port Menu is used for configuring the specified physical port on the Firewall Accelerator. In addition to enabling or disabling a port, this menu is used to specify port link characteristics, apply port filters, and trunk ports together.


Physical Port Connector Characteristics

Different models of the Firewall Accelerator have different port connector arrangements:

Table 7-42 Port Connectors by Firewall Accelerator Model

Firewall Accelerator    Ports 1 through 8       Port 9

ASF 5700                Dual: SC and RJ-45      Dual: SC and RJ-45
ASF 5600                Dual: SC and RJ-45      Dual: SC and RJ-45
ASF 5400                RJ-45 only              Dual: SC and RJ-45
ASF 5300                RJ-45 only              SC only

The SC fiber optic connectors are for attaching Gigabit Ethernet (1000Base-SX) segments to the port. The RJ-45 copper connectors are for attaching 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments.

On ports with dual physical connectors, either connector may be used, depending on the network devices being attached to the system. When connecting devices which use dual-homing technology to achieve link redundancy, one of the dual connectors can be used as the preferred link, and the other can be used as a backup.

On ports with only one physical connector, some of the options described in the Port Menu and submenus do not apply. Although all options appear on all models of Firewall Accelerator, any configuration settings for options which do not apply are disregarded.

For physical port specifications and LED behavior, see “Connecting Network Cables” on page 57.

Port Menu Options

Table 7-43 Port Menu (/cfg/net/port)

Command Syntax and Usage

name
    This command sets a name for the port. The assigned port name appears next to the port number on some information screens. The default is set to None.

fast
    If an RJ-45 connector is available on the Firewall Accelerator port, the Fast Physical Link Menu is used to configure its link characteristics. You can set port speed, duplex mode, flow control, and negotiation mode for the port link. See page 247 for menu items.


gig
    If an SC connector is available on the Firewall Accelerator port, the Gigabit Physical Link Menu is used to configure its link characteristics. You can set flow control and negotiation mode for the port link. See page 248 for menu items.

pref fast|gig
    If dual physical connectors are available on the port, this option defines the preferred connector used for the link. Choices are:
    - fast: Fast Ethernet Port, RJ-45 connector
    - gig: Gigabit Ethernet Port, SC fiber connector (default)

back fast|gig|none
    If dual physical connectors are available on the port, this option defines the physical connector to use when the preferred choice fails or is unavailable. Choices are:
    - fast: Fast Ethernet Port, RJ-45 connector
    - gig: Gigabit Ethernet Port, SC fiber connector
    - none: None (default)

trunk <master port number>|no|master
    This command manages the current port’s participation in trunks. The following options can be used:
    - <master port number>: group the current port into a trunk with the indicated master port. The current port will adopt all filtering, NAAP, and VLAN tagging settings from the specified master port.
    - no: Release the current port from its trunk. If the master port is removed from the trunk, a new one must be designated.
    - master: Designate the current port as the master for its trunk group. All other ports in the trunk will automatically adopt all filtering, NAAP, and VLAN tagging changes from the master port.
    For more information, see “Port Trunking” on page 246.

ena
    This command enables the port.

dis
    This command disables the port.

del
    This command resets the port parameters to default values and then disables the port. The port can be reconfigured and reenabled at any time.


cur
    This command displays the current settings for the selected port.

filt
    The Port Filters Menu is used to assign, remove, or list port filters for this port. Before filters can be assigned to specific ports, they must first be created using the Advanced Filtering Menu (see page 297). If the port belongs to a trunk, settings for this menu are taken from the master trunk port. See page 249 for items under the Port Filters Menu.

enf y|n
    This command enables or disables filtering on this port. When enabled, the filters assigned in the Port Filters Menu (filt) are applied to traffic on this port. When disabled (the default), no port filtering is performed by the Firewall Accelerator. If the port belongs to a trunk, settings for this item are taken from the master trunk port. See the “Filter Definition Menu” on page 297 for more information.

naap y|n
    This command enables or disables Nortel Appliance Acceleration Protocol (NAAP) on the port. NAAP must be enabled on any Firewall Accelerator port connected to one or more Firewall Directors. NAAP should be disabled on any Firewall Accelerator port connected to trusted, untrusted, or semi-trusted networks. The default setting depends on the port number:
    - Ports 1 through 5 are initially reserved for network traffic and have NAAP disabled.
    - Ports 6, 7, and 8 are initially reserved for Firewall Director connections and have NAAP enabled.
    - Port 9 is initially reserved for connection to a redundant Firewall Accelerator and has NAAP enabled.
    If the port belongs to a trunk, settings for this item are taken from the master trunk port.

vtag y|n
    This command enables or disables VLAN tagging for this port. It is disabled by default. VLAN tagging is required whenever the port participates in multiple VLANs. If the port belongs to a trunk, settings for this item are taken from the master trunk port.


Port Trunking

Port trunks can provide super-bandwidth connections between the ASF and other trunk-capable devices. A trunk is a group of ports that act together, combining their bandwidth to create a single, larger capacity port with built-in fault tolerance. Port trunking has the following rules:

- Up to four trunk groups can be configured on the ASF.
- Any physical Firewall Accelerator port can belong to no more than one trunk group.
- Up to eight network ports can belong to the same trunk group.
- Best performance is achieved when all ports in a trunk are configured for the same speed.
- Trunking with non-Alteon devices must comply with RFC 802.1Q or Cisco® EtherChannel® technology.

One physical port in the trunk group must be designated as the master. The master port retains control of those port settings which must be the same for each port in the trunk: filtering (filt and enf), NAAP (naap), and VLAN tagging (vtag). For these options, the settings for the master port override those of the other ports as long as they remain in the trunk. When a port is released from the trunk, its regular port settings are restored. Physical link options, such as port speed and flow control, can be different for each port in the trunk.

To specify a trunk group consisting of ports 1, 2, and 3, with port 1 as the master, the following commands could be used:

>> # /cfg/net/port 1          (Select Accelerator port 1)
>> Port 1# trunk master       (Select port 1 as the trunk master)
>> Port 1# ../port 2          (Select port 2)
>> Port 2# trunk 1            (Trunk port 2 with master port 1)
>> Port 2# ../port 3          (Select port 3)
>> Port 3# trunk 1            (Trunk port 3 with master port 1)
>> Port 3# apply              (Apply configuration changes)

NOTE – If you trunk ports to a non-master port or fail to define a master port, the CLI will report configuration errors when the apply command is given, and the apply will fail.
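The trunking rules above and the settings a member port takes from its master, as an added example in Python (not code from the guide or from Nortel). The port dictionary layout, the function names, and the error strings are assumptions; the limits and the NAAP defaults are the ones stated in this chapter.

```python
"""Model of the Port Menu trunking rules. Added example; not Nortel's code.

Assumed data model (not from the guide): each port is a dict with
  'trunk': None (not trunked) | 'master' | <master port number>
  'naap', 'enf', 'vtag': bool, the settings a trunk takes from its master.
"""
MAX_TRUNK_GROUPS = 4      # up to four trunk groups on the ASF
MAX_PORTS_PER_TRUNK = 8   # up to eight ports in one trunk group


def naap_default(port: int) -> bool:
    """Factory NAAP setting: ports 1-5 disabled, ports 6-9 enabled."""
    return port >= 6


def make_port(port: int, trunk=None, naap=None, enf=False, vtag=False) -> dict:
    """Build one port record; naap falls back to the factory default for that port."""
    return {
        "trunk": trunk,
        "naap": naap_default(port) if naap is None else naap,
        "enf": enf,
        "vtag": vtag,
    }


def trunk_groups(ports: dict) -> dict:
    """Map each trunk master to its member ports. A port carries a single
    'trunk' value, so it cannot belong to more than one trunk group."""
    groups = {}
    for num, cfg in ports.items():
        if cfg["trunk"] == "master":
            groups.setdefault(num, [])
        elif cfg["trunk"] is not None:
            groups.setdefault(cfg["trunk"], []).append(num)
    return groups


def validate_trunks(ports: dict) -> list:
    """Return the configuration errors that apply would report (empty list = OK)."""
    errors = []
    for num, cfg in sorted(ports.items()):
        target = cfg["trunk"]
        if target in (None, "master"):
            continue
        if target not in ports:
            errors.append(f"port {num}: master port {target} is not configured")
        elif ports[target]["trunk"] != "master":
            # trunking to a non-master port (or with no master defined) fails at apply
            errors.append(f"port {num}: port {target} is not a trunk master")
    groups = trunk_groups(ports)
    if len(groups) > MAX_TRUNK_GROUPS:
        errors.append(f"{len(groups)} trunk groups configured, maximum is {MAX_TRUNK_GROUPS}")
    for master, members in groups.items():
        size = 1 + len(members)
        if size > MAX_PORTS_PER_TRUNK:
            errors.append(f"trunk {master}: {size} ports, maximum is {MAX_PORTS_PER_TRUNK}")
    return errors


def effective_settings(ports: dict) -> dict:
    """Resolve enf, naap and vtag per port: members take the master's values,
    all other ports keep their own. Physical link options are not trunk-wide."""
    resolved = {}
    for num, cfg in ports.items():
        source = cfg
        if cfg["trunk"] not in (None, "master") and cfg["trunk"] in ports:
            source = ports[cfg["trunk"]]
        resolved[num] = {key: source[key] for key in ("naap", "enf", "vtag")}
    return resolved


# Constructed sample: the guide's trunk of ports 1, 2 and 3 with port 1 as master,
# plus port 6 left at its NAAP-enabled factory default for a Firewall Director link.
GOOD_CONFIG = {
    1: make_port(1, trunk="master", enf=True, vtag=True),
    2: make_port(2, trunk=1),
    3: make_port(3, trunk=1, naap=True),   # overridden by the master while trunked
    6: make_port(6),
}

# Constructed sample that trunks port 4 to port 2, which is not a master.
BAD_CONFIG = {**GOOD_CONFIG, 4: make_port(4, trunk=2)}

if __name__ == "__main__":
    print("good:", validate_trunks(GOOD_CONFIG))
    print("bad:", validate_trunks(BAD_CONFIG))
    print(effective_settings(GOOD_CONFIG))
```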


/cfg/net/port <#>/fast Fast Physical Link Menu

[Fast Physical Link Menu]
    speed - Set link speed
    mode - Set full or half duplex mode
    fctl - Set flow control
    auto - Set autonegotiation
    cur - Display current settings

The Fast Physical Link Menu is used to configure link characteristics when using the RJ-45 copper connector on the Firewall Accelerator ports. You can set port speed, duplex mode, flow control, and negotiation mode for the port link.

NOTE – Fast Physical Link Menu options are disregarded if the port has no RJ-45 connector.

Table 7-44 Fast Physical Link Menu (/cfg/net/port <#>/fast)

Command Syntax and Usage

speed any|10|100
    When autonegotiation (auto) is disabled, this command specifies the link speed. The choices include:
    - any: automatic detection (default)
    - 10: 10 Mbps
    - 100: 100 Mbps

mode any|full|half
    When autonegotiation (auto) is disabled, this command specifies the duplex operating mode. The choices include:
    - any: automatic negotiation (default)
    - full: Full-duplex
    - half: Half-duplex

fctl rx|tx|both|none
    When autonegotiation (auto) is disabled, this command specifies the flow control. The choices include:
    - rx: Receive flow control
    - tx: Transmit flow control
    - both: Both receive and transmit flow control (default)
    - none: No flow control


auto y|n
    This command enables or disables autonegotiation for the port. This is enabled by default. When enabled, the Firewall Accelerator negotiates with the connected device to find the best port speed, duplex mode, and flow control, and overrides the manual speed, mode, and fctl settings. When autonegotiation is disabled, manual port settings are used. If you have difficulty establishing a link with other network devices, turn autonegotiation off and set the port properties manually.

cur
    This command displays the current settings for the selected port link.

/cfg/net/port <#>/gig Gigabit Physical Link Menu

[Gigabit Physical Link Menu]
    fctl - Set flow control
    auto - Set autonegotiation
    cur - Display current settings

The Gigabit Physical Link Menu is used to configure link characteristics when using the SC fiber optic connector on the Firewall Accelerator ports. You can set flow control and negotiation mode for the port link.


NOTE – Gigabit Physical Link Menu options are disregarded if the port has no SC connector.

Table 7-45 Gigabit Physical Link Menu (/cfg/net/port <#>/gig)

Command Syntax and Usage

fctl rx|tx|both|none
    When autonegotiation (auto) is disabled, this command specifies the flow control. The choices include:
    - rx: Receive flow control
    - tx: Transmit flow control
    - both: Both receive and transmit flow control (default)
    - none: No flow control

auto y|n
    This command enables or disables autonegotiation for the port. This is enabled by default. When enabled, the Firewall Accelerator negotiates with the connected device to find the best flow control, and overrides the manual fctl setting. When autonegotiation is disabled, the fctl setting is used. If you have difficulty establishing a link with other network devices, turn autonegotiation off and set the port properties manually.

cur
    This command displays the current settings for the selected port link.

/cfg/net/port <#>/filt Port Filters Menu

[Port Filters Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value


The Port Filters Menu is used to assign, remove, or list port filters for a specific port. Port filters can allow or deny traffic according to a variety of address and protocol specifications.

Table 7-46 Port Filters Menu (/cfg/net/port <#>/filt)

Command Syntax and Usage

list
    This command displays all filters assigned to this port by their index number.

del
    This command lets you remove a filter from this port by specifying its index number. Use the list command to display the index numbers of filters on this port.

add
    This command lets you assign a filter to this port. Before filters can be assigned, they must first be created using the Advanced Filtering Menu (see page 297).

/cfg/net/vlan VLAN Menu

[VLAN 1 Menu]
    name - Set VLAN Name
    port - Ports Menu
    jumbo - Set Enable Jumbo Frames
    ena - Enable VLAN
    dis - Disable VLAN
    del - Remove VLAN
    cur - Display current settings

The VLAN Menu is used to configure Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. For the Alteon Switched Firewall, VLANs are configured for various reasons:

- If any of the networks attached to the cluster use VLAN tagging, then VLANs must be configured and VLAN tagging must be enabled on participating ports.
- If there are two IP interfaces on the same port which belong to two different networks, then the IP interfaces must be placed in separate VLANs. If this is not configured, it will be done automatically.


Up to 242 VLANs can be configured for the cluster. Even though the maximum number of VLANs supported at any given time is 242, each can be identified with any number between 1 and 4092. VLANs 4093 and 4094 are reserved for internal use.

The default VLAN is 0. However, if required VLANs are not configured by the administrator, they will be automatically assigned an appropriate VLAN number in the 1–4092 range.

VLANs are assigned on a per-port basis. Each port on the Firewall Accelerator can belong to one or more VLANs, and each VLAN can have any number of Firewall Accelerator ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see the “Port Menu” on page 242).


The VLAN Menu has the following items:

Table 7-47 VLAN Menu (/cfg/net/vlan)

Command Syntax and Usage

name
    This command assigns a name to the VLAN or changes the existing name. The VLAN name can be a maximum of 32 characters. To clear the VLAN name, specify none.

port
    The VLAN Ports Menu is used to assign, remove, or list Firewall Accelerator ports for this VLAN. See page 253 for menu items.

jumbo y|n
    This command enables or disables Jumbo Frame support on this VLAN. When this feature is enabled, the ASF can handle frames that are far larger than the maximum normal Ethernet frame size (up to 9018 octets), reducing the overhead for host frame processing. Do not enable Jumbo Frame support on a VLAN with any device that cannot process frame sizes larger than the Ethernet maximum frame size. Use additional VLANs to isolate traffic into Jumbo Frame and regular traffic.

ena
    This command enables this VLAN.

dis
    This command disables this VLAN.

del
    This command removes this VLAN from the cluster configuration.

cur
    This command displays the current settings for this VLAN.


/cfg/net/vlan <#>/port VLAN Ports Menu

[VLAN Ports Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

The VLAN Ports Menu is used to assign, remove, or list Firewall Accelerator ports for this VLAN.

Table 7-48 VLAN Ports Menu (/cfg/net/vlan <#>/port)

Command Syntax and Usage

list
    This command displays all ports assigned to this VLAN by their index number.

del
    This command lets you remove a port from the VLAN by specifying the port’s index number. Use the list command to display the index numbers of assigned ports.

add
    This command lets you add the specified port to the VLAN.

NOTE – All ports must belong to at least one VLAN. Any port that is removed from a VLAN and that is not a member of any other VLAN is automatically assigned a unique VLAN number. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the vtag command on page 245).
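The membership rules in the note above (every port in at least one VLAN, a unique VLAN number auto-assigned to a port left in none, and VLAN tagging required before a port can join a second VLAN), as an added example in Python that is not code from the guide or from Nortel. The class, its method names, and the handling of auto-assigned placeholder VLANs are assumptions; the numeric limits are the ones stated in this chapter.

```python
"""VLAN membership model following the VLAN Menu and VLAN Ports Menu rules.
Added example; not Nortel's code. Class and method names are assumptions."""

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4092   # usable VLAN numbers; 4093 and 4094 are reserved
MAX_VLANS = 242                      # VLANs configurable at any one time


class VlanTable:
    """Tracks which Firewall Accelerator ports belong to which VLAN.

    Ports not placed in any VLAN by the administrator are auto-assigned a unique
    VLAN number, as the guide describes. Those placeholder VLANs are recorded in
    self.auto (an assumption) so they are released when the port is configured."""

    def __init__(self, ports, vtag):
        self.vtag = dict(vtag)   # port -> VLAN tagging enabled (vtag y|n)
        self.vlans = {}          # vlan id -> set of member ports
        self.auto = set()        # VLAN ids that were auto-assigned
        for port in ports:
            self._auto_assign(port)   # every port must belong to at least one VLAN

    def vlans_of(self, port):
        return sorted(v for v, members in self.vlans.items() if port in members)

    def _create(self, vlan):
        if not VLAN_ID_MIN <= vlan <= VLAN_ID_MAX:
            raise ValueError(f"VLAN {vlan} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
        if vlan not in self.vlans:
            if len(self.vlans) >= MAX_VLANS:
                raise ValueError(f"cannot exceed {MAX_VLANS} VLANs")
            self.vlans[vlan] = set()

    def _auto_assign(self, port):
        """Give an orphaned port the lowest free VLAN number."""
        free = next(v for v in range(VLAN_ID_MIN, VLAN_ID_MAX + 1) if v not in self.vlans)
        self._create(free)
        self.vlans[free].add(port)
        self.auto.add(free)
        return free

    def _release_auto(self, port):
        """Drop the port's placeholder VLAN once it is configured explicitly."""
        for vlan in self.vlans_of(port):
            if vlan in self.auto:
                self.vlans[vlan].discard(port)
                if not self.vlans[vlan]:
                    del self.vlans[vlan]
                    self.auto.discard(vlan)

    def add(self, vlan, port):
        """/cfg/net/vlan <vlan>/port/add <port>"""
        configured = [v for v in self.vlans_of(port) if v != vlan and v not in self.auto]
        if configured and not self.vtag.get(port, False):
            raise ValueError(f"port {port} is untagged and already in VLAN {configured[0]}")
        self._release_auto(port)
        self._create(vlan)
        self.vlans[vlan].add(port)

    def remove(self, vlan, port):
        """/cfg/net/vlan <vlan>/port/del <port>. Returns the VLAN number that was
        auto-assigned if the port no longer belonged to any VLAN, else None."""
        self.vlans[vlan].discard(port)
        if not self.vlans_of(port):
            return self._auto_assign(port)
        return None


if __name__ == "__main__":
    # Constructed sample: three ports, only port 2 has VLAN tagging enabled.
    table = VlanTable(ports=[1, 2, 3], vtag={1: False, 2: True, 3: False})
    table.add(10, 1)
    table.add(10, 2)
    table.add(20, 2)
    print({p: table.vlans_of(p) for p in (1, 2, 3)})
```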


/cfg/net/if Interface Menu

[Interface 1 Menu]
    port - Interface Ports Menu
    addr - Set IP address
    mask - Set subnet mask
    broad - Set broadcast address
    vlan - Set VLAN number
    vrrp - VRRP Menu
    ena - Enable interface
    dis - Disable interface
    del - Remove Interface
    cur - Display current settings

The Interface Menu is used to configure IP interfaces for the cluster. Primarily, each IP interface represents a network attached to the Firewall Accelerator. Up to 255 IP interfaces can be configured.

In essence, IP interfaces play a role similar to that of the Network Interface Cards (NICs) in a typical firewall. A typical firewall usually has only two NICs: one for connecting to the external, untrusted network on the outside of the firewall, and another for connecting to the internal, trusted side of the firewall. The NICs provide the physical port connections for the firewall, and the NIC IP addresses are used as the default gateway in the network devices attached to them, thus directing traffic to the firewall.

The Alteon Switched Firewall IP interfaces are similar, but far more versatile. Up to 255 IP interfaces can be defined, and each IP interface can be assigned to multiple physical ports on the Firewall Accelerator. This allows the cluster to have a presence on many networks. Just as with typical NICs, network devices attached to the Firewall Accelerator ports must be configured to use an IP interface as their default gateway. Do not use the MIP address or any IP address in the cluster subnet as the default gateway for a network.

Table 7-49 Interface Menu (/cfg/net/if)

Command Syntax and Usage

port
    The Interface Ports Menu is used to assign, remove, or list ports for this IP interface. See page 256 for menu items.

addr
    This command configures the IP address of the IP interface using dotted decimal notation. This gives the cluster a presence on a connected trusted, untrusted, or semi-trusted network. Devices on the connected networks should use this IP address as their default gateway so that their outbound traffic is directed to the firewall.

mask
    This command configures the IP subnet address mask for the IP interface using dotted decimal notation.

broad
    This command configures the IP broadcast address for the IP interface using dotted decimal notation.

vlan
    This command configures the VLAN number for this IP interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it.

vrrp
    The VRRP Menu is used for configuring the IP interface for high availability when redundant Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP) ensures that if the active Firewall Accelerator fails, the redundant Firewall Accelerator will take over. In a high-availability configuration, each participating IP interface must be configured separately for VRRP. See page 257 for menu items.

ena
    This command enables this IP interface.

dis
    This command disables this IP interface.


del
    This command removes this IP interface from the cluster configuration.

cur
    This command displays the current settings for this IP interface.

/cfg/net/if <#>/port Interface Ports Menu

[Interface Ports Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

The Interface Ports Menu is used to assign, remove, or list ports for the specified IP interface.

Table 7-50 Interface Ports Menu (/cfg/net/if <#>/port)

Command Syntax and Usage

list
    This command displays all ports assigned to this IP interface by their index number.

del
    This command lets you remove a port from the IP interface by specifying the port’s index number. Use the list command to display the index numbers of assigned ports.

add
    This command lets you add the specified port to the IP interface.


/cfg/net/if <#>/vrrp VRRP Menu

[VRRP Menu]
    vrid - Set virtual router ID
    ip1 - Set IP1
    ip2 - Set IP2
    prio - Set Interface’s VRRP priority
    cur - Display current settings

The VRRP Menu is used for configuring a cluster for high availability when redundant Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP) ensures that if the active Firewall Accelerator fails, the redundant Firewall Accelerator will take over. In a high-availability configuration, each participating IP interface must be configured separately with its own VRRP parameters.

VRRP is enabled or disabled cluster-wide using the ha command under the Accelerator Configuration Menu (see page 235).

When VRRP is used, the IP interface acts as a virtual router. This means that the IP interface’s IP address is shared by both Firewall Accelerators, but is only active on the master. To accomplish this without duplicating the shared IP address on two physical devices on the network, the IP interface is assigned two sub-addresses: one new IP address on the same subnet for each Firewall Accelerator.

Table 7-51 VRRP Menu (/cfg/net/if/vrrp)

Command Syntax and Usage

vrid
    This command assigns a virtual router ID for the IP interface. The vrid must be unique in your network.

ip1
    This command defines the IP address used to represent Firewall Accelerator #1 in this virtual router. The IP address must be in the same subnet as the IP interface and is specified using dotted decimal notation.

ip2
    This command defines the IP address used to represent Firewall Accelerator #2 in this virtual router. The IP address must be in the same subnet as the IP interface and is specified using dotted decimal notation.


prio
    Defines the election priority bias for this IP interface. This can be any integer between 1 and 254. The default value is 100. During the master router election process, the routing device with the highest router priority number wins. If there is a tie, the device with the highest IP interface address wins.

cur
    This command displays the current settings for VRRP.
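The two halves of failover described in this chapter, the peer health checks of the Health Check Parameters Menu (ret and int, page 240) and the VRRP master election above (highest prio wins, ties broken by the highest IP address), as one added example in Python that is not code from the guide or from Nortel. The class and function names are assumptions, as is counting consecutive failures and using each accelerator's ip1/ip2 sub-address for the tie-break; the defaults and ranges are those stated on this page.

```python
"""HA failover model: peer health checks (/cfg/acc/hc) and VRRP master election
(/cfg/net/if <#>/vrrp). Added example; not Nortel's code."""
from ipaddress import ip_address

HC_RETRY_DEFAULT = 6      # ret: tests that may fail before the peer is classified down
HC_INTERVAL_DEFAULT = 1   # int: seconds between tests
PRIO_MIN, PRIO_MAX, PRIO_DEFAULT = 1, 254, 100


class PeerHealth:
    """State one Firewall Accelerator keeps about the tests it runs on the other.
    Assumption (not stated in the guide): the count is of consecutive failures
    and resets when a test passes."""

    def __init__(self, retry=HC_RETRY_DEFAULT, interval=HC_INTERVAL_DEFAULT):
        self.retry, self.interval, self.failures = retry, interval, 0

    def record(self, passed: bool) -> bool:
        """Record one test result and return whether the peer is still up."""
        self.failures = 0 if passed else self.failures + 1
        return self.is_up()

    def is_up(self) -> bool:
        return self.failures < self.retry

    def seconds_to_detect(self) -> int:
        """Worst-case time between a silent failure and the down classification."""
        return self.retry * self.interval


def elect_master(candidates):
    """Pick the VRRP master for one IP interface.

    candidates: list of dicts with 'name', 'ip' (that accelerator's ip1/ip2
    sub-address, an assumption), 'prio' and 'up' (from PeerHealth). Highest prio
    wins; a tie goes to the highest IP address, compared numerically, not as text."""
    for c in candidates:
        if not PRIO_MIN <= c["prio"] <= PRIO_MAX:
            raise ValueError(f"{c['name']}: prio {c['prio']} outside {PRIO_MIN}-{PRIO_MAX}")
    live = [c for c in candidates if c["up"]]
    if not live:
        return None
    return max(live, key=lambda c: (c["prio"], int(ip_address(c["ip"]))))["name"]


# Constructed sample: both accelerators at the default priority on one interface.
SAMPLE_INTERFACE = [
    {"name": "acc1", "ip": "10.1.1.2", "prio": PRIO_DEFAULT, "up": True},
    {"name": "acc2", "ip": "10.1.1.10", "prio": PRIO_DEFAULT, "up": True},
]

if __name__ == "__main__":
    health = PeerHealth()
    for _ in range(HC_RETRY_DEFAULT):
        health.record(False)
    print("peer up:", health.is_up(), "detected within", health.seconds_to_detect(), "s")
    print("master:", elect_master(SAMPLE_INTERFACE))
```

Note that a textual comparison would rank "10.1.1.2" above "10.1.1.10"; the numeric comparison is what makes acc2 win the tie.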


/cfg/net/route Routing Settings Menu

[Routing Settings Menu]
    gate - Default Gateways Menu
    static - Static Routing Table Menu
    rip - RIP Routing Menu
    ospf - Open Shortest Path First (OSPF) Menu
    cur - Display current settings

The Routing Settings Menu is used to configure routing parameters. Firewall Accelerators 5400, 5600, and 5700 can support up to 2048 total routes which can be defined among default gateways, static routes, RIP routes, and OSPF routes. Firewall Accelerator 5300 supports up to a total of 1024 routes.

Table 7-52 Routing Settings Menu (/cfg/net/route)

Command Syntax and Usage

gate
    The Default Gateways Menu is used to configure default IP gateways for the cluster. See page 260 for menu items.

static
    The Static Routing Table Menu is used to add, delete, or list static routes. The cluster uses these routes to route packets within the attached networks. See page 263 for menu items.

rip
    The RIP Menu is used to configure Routing Information Protocol (RIP) parameters for RIP version 1 and RIP version 2 (multicasting) networks. See page 264 for menu items.

ospf
    The OSPF Menu is used to configure the ASF for use with the Open Shortest Path First (OSPF) routing protocol. See page 276 for menu items.

cur
    This command displays current settings for all items in the Routing Settings Menu.


/cfg/net/route/gate Default Gateways Menu

[Default Gateways Menu]
    gw - Default gateway menu
    metric - Set default gateway metric
    cur - Display current settings

The Default Gateways Menu is used to configure up to four default IP gateways for the cluster. The default IP gateways are used to route the network traffic.

Table 7-53 Default Gateways Menu (/cfg/net/route/gate)

Command Syntax and Usage

gw
    The Gateway Settings Menu is used to configure up to four default IP gateways for the cluster. The default IP gateways are used to route the network traffic. See page 261 for menu items.

metric strict|roundrobin
    This command is used to control default gateway load-balancing. If multiple default gateways are configured and enabled, the following metrics can be specified to determine which default gateway is selected:
    - strict: The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.
    - roundrobin: This provides basic gateway load balancing. The ASF sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.

cur
    This command displays current settings for all items in the Default Gateways Menu.


/cfg/net/route/gate/gw Default Gateway Menu

[Default gateway 1 Menu]
    addr  - Set IP address
    intr  - Set interval between ping attempts in seconds
    retry - Set number of failed attempts to declare gateway DOWN
    arp   - Set ARP-only health checks
    ena   - Enable default gateway
    dis   - Disable default gateway
    del   - Remove Default Gateway
    cur   - Display current settings

The Default Gateway Menu is used to configure up to four default IP gateways for the cluster. The default IP gateways are used to route traffic through the firewall. For example, packets from the internal networks that arrive at the firewall with an external destination address are typically sent to the default gateway as their next hop toward an external router.

If multiple default gateways are configured and healthy, the cluster will use the metric option (see page 260) on the Default Gateways Menu (/cfg/net/route/gate) to determine the appropriate default gateway.

NOTE – The default gateways configured here are for routing traffic away from the firewall, not to it. To direct traffic to the firewall, networks attached to the Firewall Accelerators use IP interfaces for their default gateways. See the “Interface Menu” on page 254 for more information.

Table 7-54 Default Gateway Menu Options (/cfg/net/route/gate/gw)

Command Syntax and Usage

addr This command configures the IP address of the default IP gateway using dotted decimal notation.

intr The cluster pings the default IP gateways to verify that they are up. The intr option sets the time between health checks. The range is from 1 to 60 seconds. The default is 2 seconds.

retry This command sets the number of failed health check attempts required before declaring a default IP gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.


arp y|n This command enables or disables ARP-only (Address Resolution Protocol) health checks. This option is disabled by default. An ARP check confirms only that the gateway answers on the local segment, which is useful when the gateway does not answer ICMP echo; unlike a ping, it does not show that the gateway is actually forwarding traffic.

ena This command enables this default IP gateway for use.

dis This command disables this default IP gateway.

del This command removes this default IP gateway from the cluster configuration.

cur This command displays the current settings for this default IP gateway.
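The interplay between the health-check settings above (intr, retry) and the metric setting on the Default Gateways Menu is easier to see in code. The following Python model is an added example written for this guide, not the ASF's own implementation: it counts consecutive failed health checks per gateway, marks a gateway DOWN after retry failures, and picks the next hop under strict or roundrobin. The class and method names are this example's own, and the rule that a single successful check brings a gateway back UP is an assumption the page does not state.

```python
"""Added example: default gateway health state and selection (not ASF code)."""


class Gateway:
    """One default gateway entry, as configured under /cfg/net/route/gate/gw <n>."""

    def __init__(self, number, addr, retry=8, enabled=True):
        self.number = number        # 1..4; the preference order under metric strict
        self.addr = addr
        self.retry = retry          # page default: 8 consecutive failed checks
        self.enabled = enabled      # ena / dis
        self.failures = 0
        self.up = True

    def record_check(self, replied):
        """Feed the result of one health check (one ping, or ARP probe, every intr seconds).

        The page defines when a gateway goes DOWN (retry consecutive misses); that one
        successful check brings it back UP is this example's assumption.
        """
        if replied:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.retry:
                self.up = False

    @property
    def usable(self):
        return self.enabled and self.up


class DefaultGateways:
    """Next-hop selection for the metric strict|roundrobin setting."""

    def __init__(self, gateways, metric="strict"):
        if not 1 <= len(gateways) <= 4:
            raise ValueError("the cluster supports one to four default gateways")
        if metric not in ("strict", "roundrobin"):
            raise ValueError("metric must be strict or roundrobin")
        self.gateways = sorted(gateways, key=lambda g: g.number)
        self.metric = metric
        self._rr = 0
        self._sticky = {}   # destination -> Gateway, roundrobin only

    def select(self, dst):
        """Return the Gateway to use as next hop for dst, or None if none is usable."""
        healthy = [g for g in self.gateways if g.usable]
        if not healthy:
            return None
        if self.metric == "strict":
            # Lowest-numbered usable gateway wins; #1 is preferred again as soon as it recovers.
            return healthy[0]
        # roundrobin: a destination keeps its gateway while that gateway stays usable...
        prev = self._sticky.get(dst)
        if prev is not None and prev.usable:
            return prev
        # ...otherwise the next healthy gateway in line takes the new request.
        chosen = healthy[self._rr % len(healthy)]
        self._rr += 1
        self._sticky[dst] = chosen
        return chosen


if __name__ == "__main__":
    gws = [Gateway(1, "192.0.2.1"), Gateway(2, "192.0.2.2")]   # constructed addresses
    cluster = DefaultGateways(gws, "strict")
    for _ in range(8):                      # eight missed pings: gateway 1 is declared DOWN
        gws[0].record_check(False)
    print("strict after failure ->", cluster.select("198.51.100.7").addr)
```

Under strict, gateway #1 takes over again on its first successful check, so a flapping primary gateway flaps the cluster's egress path with it; under roundrobin a destination is pinned to its gateway only for as long as that gateway stays enabled and healthy.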


/cfg/net/route/static Static Routing Table Menu

[Static Routing Table Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value

The Static Routing Table Menu is used to add, delete, or list static routes. The cluster uses these routes to route packets within the attached networks. The ASF routing table is shared by the static and dynamic routes. If you configure more static routes, then you have less space for the dynamic routes.

ASF 5400, 5600, and 5700 allow you to configure 2048 - 3 - ((number of interfaces + 1) * 3) static routes. ASF 5300 allows you to configure 1024 - 3 - ((number of interfaces + 1) * 3) static routes. Each interface on the ASF adds three entries to the routing table, and the Firewall Accelerator has one more interface than the number of user-defined interfaces on the Firewall Director (hence the + 1).

Table 7-55 Static Routing Table Menu (/cfg/net/route/static)

Command Syntax and Usage

list This command lists all configured routes by their index number and IP address information.

del This command lets you remove a route from the cluster configuration by specifying the route's index number. Use the list command to display the index numbers of configured routes.

add This command adds a static route based on destination IP address, destination subnet mask, and gateway IP address. Enter all addresses using dotted decimal notation.


/cfg/net/route/rip RIP Menu

[RIP Menu]
    if       - RIP Interface Menu
    version  - Set default RIP version
    metric   - Set Default RIP metric
    distance - Set Default RIP distance
    update   - Set RIP Update broad/multicast interval
    timeout  - Set RIP route timeout
    ena      - Enable RIP
    dis      - Disable RIP
    cur      - Display current settings

The RIP Menu is used to configure Routing Information Protocol (RIP) parameters. The Alteon Switched Firewall supports either RIP version 1 or RIP version 2 (multicasting) networks.

Table 7-56 RIP Menu (/cfg/net/route/rip)

Command Syntax and Usage

if The RIP Interface Menu is used to configure IP interfaces for use with RIP. An interface is required for each network which will be attached to the cluster. Up to 256 interfaces can be configured. See page 266 for menu items.

version v1|v2 This command is used to specify which version of RIP is used on the Alteon Switched Firewall: version 1 (v1) or multicast version 2 (v2). The default is v2.

redist The Route Redistribution Menu is used to define how routes from other protocols are converted for use with RIP. See page 270 for menu items.

metric This command sets the default RIP metric used for advertising RIP routes. The default is 1.


distance This command sets the administrative distance used for route selection. The default is 120. The new administrative distance applies to routes learned after the change; routes already learned keep their previous distance. When the same prefix is learned from more than one source, the route with the lowest administrative distance is installed into the routing information base (RIB) and forwarding information base (FIB) tables.

update This command sets the interval between RIP update broadcasts. The default is 30 seconds.

timeout This command sets the amount of time a RIP route will be allowed to remain idle until it expires. Expired routes are given a hop count of 16 (infinite). The default is 180 seconds.

ena This command enables RIP forwarding for the cluster. Note: RIP requires that the automatic inclusion of configured routes in the local route cache be turned off (/cfg/net/adv/local/auto n).

dis This command disables RIP forwarding for the cluster. This is the default.

cur This command displays the current settings for all the options in the RIP Menu.


/cfg/net/route/rip/if RIP Interface Menu

[RIP Interface 1 Menu]
    splithz - Set Split-horizon
    listen  - Set Listen-only
    txver   - Set Version of Transmitted RIP packets
    rxver   - Set Version of Received RIP packets
    auth    - Set Authentication type
    key     - Set password authentication key
    md5keys - MD5 authentication keychain
    ena     - Enable interface
    dis     - Disable interface
    cur     - Display current settings

The RIP Interface Menu is used to configure IP interfaces for use with RIP. An interface is required for each network which will be attached to the cluster. Up to 256 interfaces can be configured.

Table 7-57 RIP Interface Menu (/cfg/net/route/rip/if)

Command Syntax and Usage

splithz y|n This command selects split horizon or poison reverse for this interface; both help prevent routing loops between neighboring RIP routers. When enabled (y), plain split horizon is used: routes learned on this interface are not advertised back out of it. This is the default. When disabled (n), poison reverse is used instead: routes learned on this interface are advertised back out of it with a metric of 16 (unreachable).

listen y|n This command enables or disables listen only for this interface. When enabled (y), the interface will learn routes from other routers, but will not transmit RIP updates. When disabled (n), the interface will learn routes and transmit updates. The default is disabled.

txver default|v1|v2|v1v2 This command sets the RIP version used to transmit RIP updates from this interface:
- default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is used.
- v1: RIP version 1 is used.
- v2: RIP version 2 is used.
- v1v2: Both RIP version 1 and RIP version 2 are used.


rxver default|v1|v2|v1v2 This command sets the RIP version accepted for RIP updates on this interface:
- default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is accepted.
- v1: RIP version 1 is accepted.
- v2: RIP version 2 is accepted.
- v1v2: Both RIP version 1 and RIP version 2 are accepted.

auth none|password|md5 This command sets the authentication type for this interface:
- none turns off RIP authentication.
- password turns on type 1 (plain text) password authentication. The password is set using the key option. It travels in the clear in every RIP packet, so it stops only accidental peering, not an attacker who can see the segment.
- md5 turns on MD5 keyed-hash authentication (RFC 2082). The keys are defined using the RIP Interface MD5 Keychain Menu (see page 269). The key itself is never sent; each packet carries a digest computed over the packet and the key. MD5 authentication does not encrypt the routing data. For more information, see “RIP Authentication” on page 268.

key This option is used with the RIP auth option. When the auth option is set to password, the key option sets the password to be used for RIP authentication on this IP interface. Specify a type 1 (plain text) password of up to 16 characters. To clear the key, specify none as the value.

md5keys The RIP Interface MD5 Keychain Menu is used for defining MD5 keys. Keyed MD5 (RFC 2082) authenticates RIP packets without sending the key on the wire; it does not encrypt the routing data. For more information, see “RIP Authentication” on page 268. See page 269 for menu items.

ena This command enables this RIP interface for use.

dis This command disables this RIP interface.

cur This command displays the current settings for all the options in the RIP Interface Menu.


RIP Authentication RIP protocol exchanges can be authenticated so that only trusted devices can participate. The Alteon Switched Firewall supports simple authentication (type 1 plain text passwords) and MD5 keyed-hash authentication (RFC 2082) among neighboring RIP routers on a network. Simple passwords are sent in the clear; MD5 authentication never sends the key, but it does not encrypt the routing data either.

RIP simple passwords are enabled or disabled individually for each defined interface using the following CLI commands:

>> # /cfg/net/route/rip/if                 (Select RIP interface)
>> RIP Interface# auth password|none       (Set simple authentication on/off)

RIP MD5 authentication uses a keyed MD5 digest (RFC 2082) to protect updates: the receiver recomputes the digest with its own copy of the key and discards packets that do not match, and a sequence number carried in each packet guards against replay of captured updates.

MD5 passwords are enabled or disabled individually for each defined interface using the following CLI commands:

>> # /cfg/net/route/rip/if                 (Select RIP interface)
>> RIP Interface# auth md5|none            (Set MD5 authentication on/off)

MD5 passwords are up to 16 characters and are defined in the MD5 Keychain Menu using the following CLI commands:

>> RIP Interface# md5keys                  (Select the MD5 Keychain Menu)
>> MD5 Keychain# add                       (Set MD5 password)
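To make concrete what the RIP Interface settings above put on the wire, here is an added Python example, written for this guide and not ASF code, that builds the RIPv2 Response an interface would send: it applies split horizon or poison reverse (splithz) to a small constructed routing table, then adds either the type 1 password entry of RFC 2453 or the keyed-MD5 header and trailer of RFC 2082, and verifies the digest on the receiving side. The routing table, key, key ID and sequence number values are constructed for the example; the function names are its own.

```python
"""Added example: a RIP interface's outgoing update, with split horizon and RIP authentication."""
import hashlib
import hmac
import ipaddress
import struct

INFINITY = 16          # RIP "unreachable" hop count
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_MD5_TRAILER = 1   # trailer entry type that carries the digest (RFC 2082)
AUTH_SIMPLE = 2        # type 1 plain-text password entry (RFC 2453 section 4.1)
AUTH_MD5 = 3           # keyed-MD5 authentication header (RFC 2082)

# Constructed sample routing table: (prefix, metric, interface the route was learned on;
# None for connected or static routes).
ROUTES = [
    ("10.1.0.0/16", 1, None),
    ("10.2.0.0/16", 2, 1),
    ("10.3.0.0/16", 3, 2),
]


def outgoing_routes(routes, out_if, splithz=True):
    """Routes to advertise on out_if, as (prefix, metric) pairs.

    splithz=True  (the page's default): split horizon, routes learned on out_if are
                  left out of the update sent on out_if.
    splithz=False: poison reverse, those routes are sent anyway with metric 16.
    """
    adv = []
    for prefix, metric, learned_on in routes:
        if learned_on == out_if:
            if splithz:
                continue
            adv.append((prefix, INFINITY))
        else:
            adv.append((prefix, metric))
    return adv


def _route_entry(prefix, metric):
    net = ipaddress.ip_network(prefix)
    # AFI, route tag, network, mask, next hop (0 = the sender), metric
    return struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed,
                       net.netmask.packed, b"\0" * 4, metric)


def build_response(adv, auth="none", key=b"", key_id=1, seq=1):
    """RIPv2 Response (command 2) carrying adv, with the interface's auth type applied.

    key_id and seq are assumed values for the key identifier and the replay sequence
    number in the RFC 2082 header; the page does not show how the ASF picks them.
    """
    if len(key) > 16:
        raise ValueError("RIP keys are at most 16 bytes")
    header = struct.pack("!BBH", 2, 2, 0)   # command=response, version=2, reserved
    body = b"".join(_route_entry(p, m) for p, m in adv)
    if auth == "none":
        return header + body
    if auth == "password":
        # Type 1: the password itself goes on the wire, NUL-padded to 16 bytes.
        return header + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, key) + body
    if auth == "md5":
        pkt_len = len(header) + 20 + len(body)   # offset of the trailer from packet start
        auth_hdr = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len,
                               key_id, 16, seq, b"\0" * 8)
        unsigned = header + auth_hdr + body + struct.pack("!HH", AFI_AUTH, AUTH_MD5_TRAILER)
        # Keyed digest: MD5 over the packet with the zero-padded key standing in for the
        # digest field. The key never leaves the router; only the digest does.
        digest = hashlib.md5(unsigned + key.ljust(16, b"\0")).digest()
        return unsigned + digest
    raise ValueError("auth must be none, password or md5")


def verify_md5(pkt, key):
    """Receiver-side check. Returns (ok, seq); a real receiver must also reject a seq that
    does not increase, otherwise a captured update can be replayed."""
    if len(pkt) < 4 + 20 + 4 + 16:
        return False, None
    afi, atype, pkt_len, _key_id, alen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if (afi, atype, alen) != (AFI_AUTH, AUTH_MD5, 16) or pkt_len != len(pkt) - 20:
        return False, None
    if struct.unpack("!HH", pkt[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_MD5_TRAILER):
        return False, None
    unsigned, digest = pkt[:pkt_len + 4], pkt[pkt_len + 4:]
    expected = hashlib.md5(unsigned + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, digest), seq


if __name__ == "__main__":
    adv = outgoing_routes(ROUTES, out_if=1)
    print("password packet contains the key:", b"s3cret" in build_response(adv, "password", b"s3cret"))
    signed = build_response(adv, "md5", b"s3cret", seq=7)
    print("md5 packet contains the key:", b"s3cret" in signed, "verifies:", verify_md5(signed, b"s3cret"))
```

Run it and compare the two authenticated packets: the password packet contains the key bytes verbatim, the MD5 packet does not, and any change to a route entry or to the key makes verify_md5 fail. What MD5 authentication does not do is hide the routes; anyone on the segment can still read them.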


/cfg/net/route/rip/if <#>/md5keys RIP Interface MD5 Keychain Menu

[RIP Interface MD5 Keychain Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value

Keyed MD5 (RFC 2082) is used to authenticate RIP packets without sending the key on the wire; it does not encrypt the routing data. The RIP Interface MD5 Keychain Menu is used for defining MD5 keys.

For more information, see “RIP Authentication” on page 268.

Table 7-58 RIP Interface MD5 Keychain Menu (/cfg/net/route/rip/if/md5keys)

Command Syntax and Usage

list This command lists all configured MD5 keys by their index number.

del This command lets you remove an MD5 key from the interface configuration by specifying the key index number. Use the list command to display the index numbers of configured keys.

add This option is used to define the MD5 password. Specify a password of up to 16 characters. Defined passwords are ignored until MD5 authentication is enabled (see auth on page 267).


/cfg/net/route/rip/redist Route Redistribution Menu

[Route Redistribution Menu]
    connected  - Connected Route Redistribution Menu
    static     - Static Route Redistribution Menu
    ospf       - OSPF Route Redistribution Menu
    defaultgw  - Default Gateway Redistribution Menu
    fictitious - Fictitious Route Redistribution Menu
    cur        - Display current settings

The Route Redistribution Menu is used to advertise routes from other protocols into RIP.

Table 7-59 Route Redistribution Menu (/cfg/net/route/rip/redist)

Command Syntax and Usage

connected The Connected Route Redistribution Menu is used for advertising connected routes via RIP. See page 271 for menu items.

static The Static Route Redistribution Menu is used for advertising static routes via RIP. See page 272 for menu items.

ospf The OSPF Route Redistribution Menu is used for advertising OSPF routes via RIP. See page 275 for menu items.

fictitious The Fictitious Route Redistribution Menu is used as a diagnostics tool to troubleshoot routes that are not installed. See page 275 for menu items.

defaultgw The Default Gateway Redistribution Menu is used for advertising default gateway routes via RIP. See page 274 for menu items.

cur This command displays current settings for all items in the Route Redistribution Menu.


/cfg/net/route/rip/redist/connected RIP Connected Route Redistribution Menu

[RIP Connected Route Redistribution Menu]
    metric - Set Metric assigned to connected routes
    ena    - Enable redistribution of connected routes
    dis    - Disable redistribution of connected routes
    cur    - Display current settings

The RIP Connected Route Redistribution Menu is used to redistribute connected routes into RIP.

Table 7-60 RIP Connected Route Redist. (/cfg/net/route/rip/redist/connected)

Command Syntax and Usage

metric Sets metric of advertised connected routes. Ranges from 1 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1.

ena Enables advertising of connected routes.

dis Disables advertising of connected routes.

cur Displays current configuration for connected routes.


/cfg/net/route/rip/redist/static RIP Static Route Redistribution Menu

[RIP Static Route Redistribution Menu]
    metric - Set Metric assigned to static routes
    ena    - Enable redistribution of static routes
    dis    - Disable redistribution of static routes
    cur    - Display current settings

The RIP Static Route Redistribution Menu is used to redistribute static routes into RIP.

Table 7-61 RIP Static Route Redistribution Menu (/cfg/net/route/rip/redist/static)

Command Syntax and Usage

metric Sets metric of advertised static routes. Ranges from 1 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1.

ena Enables advertising static routes.

dis Disables advertising static routes.

cur Displays the current static routes configured for redistribution.


/cfg/net/route/rip/redist/ospf RIP OSPF Route Redistribution Menu

[RIP OSPF Route Redistribution Menu]
    metric - Set Metric assigned to OSPF routes
    ena    - Enable redistribution of OSPF routes
    dis    - Disable redistribution of OSPF routes
    cur    - Display current settings

The RIP OSPF Route Redistribution Menu is used to redistribute OSPF routes into RIP.

Table 7-62 RIP OSPF Route Redistribution Menu (/cfg/net/route/rip/redist/ospf)

Command Syntax and Usage

metric Sets metric of advertised OSPF routes. Ranges from 1 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1. OSPF Type 1 is defined in the same units as OSPF interface cost (that is, in terms of the link state metric). OSPF Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS. This configuration parameter can be used to have an OSPF domain prefer Type 1 routes over Type 2. OSPF Type 1 is the default.

ena Enables advertising of OSPF routes.

dis Disables advertising of OSPF routes.

cur Displays the current OSPF routes configured for redistribution.


/cfg/net/route/rip/redist/defaultgw RIP Default Route Redistribution Menu

[RIP Default Route Redistribution Menu]
    metric - Set Metric assigned to default gateway routes
    ena    - Enable redistribution of default gateway routes
    dis    - Disable redistribution of default gateway routes
    cur    - Display current settings

The RIP Default Route Redistribution Menu is used to redistribute default gateway routes into RIP.

Table 7-63 RIP Default Route Redistribution Menu (/cfg/net/route/rip/redist/ defaultgw)

Command Syntax and Usage

metric Sets metric of advertised default routes. Ranges from 1 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1.

ena Enables advertising of default routes.

dis Disables advertising of default routes.

cur Displays the current default routes configured for redistribution.


/cfg/net/route/rip/redist/fictitious RIP Fictitious Route Redistribution Menu

[RIP Fictitious Route Redistribution Menu]
    metric   - --All fictitious routes use the default metric--
    networks - Fictitious reachable networks list
    ena      - Enable redistribution of fictitious routes
    dis      - Disable redistribution of fictitious routes
    cur      - Display current settings

The RIP Fictitious Route Redistribution Menu is used as a diagnostic tool to troubleshoot routes that are not installed into the RIP domain.

Table 7-64 RIP Fictitious Route Redistribution (/cfg/net/route/rip/redist/fictitious)

Command Syntax and Usage

metric Sets metric of advertised fictitious routes. Ranges from 1 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1.

networks Lists fictitious networks that can be reached. See page 276 for menu items.

ena Enables advertising of fictitious routes.

dis Disables advertising of fictitious routes.

cur Displays the current fictitious routes configured for redistribution.


/cfg/net/route/rip/redist/fictitious/networks Fictitious RIP Reachable Networks Menu

[Fictitious RIP Reachable Networks Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value

The Fictitious RIP Reachable Networks Menu is used to add and delete fictitious networks to the currently configured networks.

Table 7-65 Fictitious RIP Networks (/cfg/net/route/rip/redist/fictitious/networks)

Command Syntax and Usage

list This command displays all currently configured networks.

del This command deletes a configured network.

add This command adds the network to the currently configured networks.

/cfg/net/route/ospf OSPF Menu

[OSPF Menu]
    aindex - OSPF Area Index Menu
    range  - OSPF Summary Range Menu
    if     - OSPF Interface Menu
    virt   - OSPF Virtual Link Menu
    redist - Route Redistribution Menu
    metric - Set default metric
    rtrid  - Set OSPF router ID
    spf    - Set time interval between two SPF calculations
    ena    - Enable OSPF
    dis    - Disable OSPF
    cur    - Display current settings

The OSPF Menu is used to configure the ASF for use with the Open Shortest Path First (OSPF) routing protocol. OSPF uses flooding to exchange link state updates between routers. Any change in routing information is flooded to all routers in the network.


For more information on using OSPF, see Chapter 11, “Open Shortest Path First.”

Table 7-66 OSPF Menu Options (/cfg/net/route/ospf)

Command Syntax and Usage

aindex The OSPF Area Index Menu is used for defining OSPF area numbers and parameters. Note—The area index specified in this menu option does not represent the actual OSPF area number. It is an arbitrary index used only on the ASF. The actual area value is defined in the OSPF Area Menu using the areaid option. See page 278 for menu items.

range The OSPF Summary Range Menu is used for defining OSPF summary routes and con- densing OSPF routing information. See page 280 for menu items.

if The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. See page 282 for menu items.

virt The OSPF Virtual Link Menu is used for connecting partitioned areas together. See page 285 for menu items.

redist This command displays the Route Redistribution Menu. See page 288 for menu items.

metric <value>|none This command sets the metric used to choose this ASF for default routes where multiple Area Border Routers (ABR) or Autonomous System Boundary Routers (ASBR) exist in an area. Selecting none means no default route is advertised. OSPF Type 1 is defined in the same units as OSPF interface cost (that is, in terms of the link state metric). OSPF Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS. This configuration parameter can be used to have an OSPF domain prefer Type 1 routes over Type 2. OSPF Type 1 is the default.


rtrid This command sets a static router ID for this ASF cluster. The router ID is expressed in dotted decimal IP address format. OSPF, when enabled, uses the router ID to identify the routing device. If no router ID is specified, or if the router ID is set to 0.0.0.0 and the ASF is rebooted, the cluster dynamically selects one of the active IP interfaces on the cluster as the router ID, so the ID can change from one boot to the next. When using OSPF virtual links, the router ID must be set.

spf This command sets the time interval, in seconds, between each calculation of the shortest path tree. The default for the spf calculation interval is 5 seconds and the default for the spf calculation hold time is 10 seconds.

ena This command globally turns on OSPF.

dis This command globally turns off OSPF.

cur This command displays current settings for all items in the OSPF configuration.

/cfg/net/route/ospf/aindex OSPF Area Index Menu

[OSPF Area Index 1 Menu]
    id     - Set area ID
    type   - Set area type
    metric - Set stub area metric
    ena    - Enable area
    dis    - Disable area
    del    - Delete OSPF Area Index
    cur    - Display current settings

The OSPF Area Index Menu is used for defining OSPF area numbers and parameters.


For more information on using OSPF, see Chapter 11, “Open Shortest Path First.”

Table 7-67 OSPF Area Index Menu Options (/cfg/net/route/ospf/aindex)

Command Syntax and Usage

id This command sets the OSPF area number in dotted decimal notation. The area number can be set using the last octet format (0.0.0.1 for area 1) or using multi-octet format (1.1.1.1), though the same format should be used throughout an area.

type transit|stub|nssa This command sets the area type:
- transit for the backbone or any area that contains a virtual link.
- stub for any area that contains no external routes.
- nssa for any area that can process external routes but does not advertise external routes originating from outside its area.
The default type is transit.

metric <0-16777215> This command sets the stub area metric. Other routing devices add this value to the cost of routing to this stub area when building their SPF tree.

ena This command enables this area.

dis This command disables this area.

del This command deletes this area index from the configuration.

cur This command displays current settings for all items in the OSPF Area Menu.


/cfg/net/route/ospf/range OSPF Summary Range Menu

[OSPF Summary Range 1 Menu]
    addr   - Set IP address
    mask   - Set IP mask
    aindex - Set area index
    hide   - Set range hiding
    ena    - Enable range
    dis    - Disable range
    del    - Remove OSPF Summary Range
    cur    - Display current settings

This menu is used for defining OSPF summary routes. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size.

For more information on using OSPF, see Chapter 11, “Open Shortest Path First.”

Table 7-68 OSPF Summary Range Menu Options (/cfg/net/route/ospf/range)

Command Syntax and Usage

addr This command sets the base IP address for the summary range, using dotted decimal notation.

mask This command sets the IP mask for the summary range, using dotted decimal notation.

aindex Sets the area index number into which the summary range is to be injected.

hide y|n When enabled, this command forces the address range to be removed from any other summary ranges being injected into the defined area by the Firewall. This is useful for removing sections from large summary ranges that are not fully contiguous or contain gaps. This option is disabled by default.

ena This command enables this range.

dis This command disables this range.

del This command removes this range from the configuration.

cur This command displays current settings for all items in the OSPF Summary Range Menu.


/cfg/net/route/ospf/if OSPF Interface Menu

[OSPF Interface 1 Menu]
    aindex - Set area index
    prio   - Set interface router priority
    cost   - Set interface cost
    hello  - Set hello interval in seconds
    dead   - Set dead interval in seconds
    trans  - Set transmit delay in seconds
    retra  - Set retransmit delay in seconds
    auth   - Set authentication type
    key    - Set password authentication key
    md5key - Set MD5 authentication key
    ena    - Enable interface
    dis    - Disable interface
    cur    - Display current settings

The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. For more information on using OSPF, see Chapter 11, “Open Shortest Path First.”

NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and retransmit delay (retra) must be the same on all OSPF routing devices within an area. A hello or dead interval that differs from the neighbor's prevents the adjacency from forming at all; mismatched trans or retra values can stop or loop routing updates.

The OSPF Interface Menu has the following items:

Table 7-69 OSPF Interface Menu Options (/cfg/net/route/ospf/if)

Command Syntax and Usage

aindex This command sets the OSPF area index to attach to the network for the current IP interface.

prio This command sets the priority of this IP interface in the election of the Designated Router (DR) and Backup Designated Router (BDR) for the attached network. The default is 1, the lowest priority that is still eligible for election. A value of 0 makes the interface DROTHER: it never becomes DR or BDR.


cost This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates high bandwidth. The default is 1.

hello This command sets the hello interval in seconds. The Firewall Director holding the MIP sends hello messages to inform neighbors that the link is up. The default is 10 seconds. This value must be the same on all routing devices within the area.

dead This command sets the router dead interval, in seconds. If the Firewall Director holding the MIP does not receive a hello on the IP interface within the dead interval, the Firewall Director holding the MIP will declare the interface to be down. Typically, the dead value is four times the value of hello. The default is 40 seconds. This value must be the same on all routing devices within the area.

trans This command sets the transmit delay, in seconds. This is the estimated time required to transmit an LSA to adjacencies on this interface, taking into account transmission and propagation delays. The default is 1 second. This value must be the same on all routing devices within the area.

retra This command sets the retransmit delay, in seconds: how long the Firewall Director holding the MIP waits for an acknowledgment before retransmitting an LSA to an adjacency on this interface. This value must be the same on all routing devices within the area.

auth none|password|md5 This command sets the authentication type for this interface:
- none turns off OSPF authentication.
- password turns on type 1 (plain text) password authentication. The password is set using the key option and is sent in the clear in every OSPF packet.
- md5 turns on MD5 cryptographic authentication (keyed MD5, RFC 2328 Appendix D). The key is defined using the md5key option; it is never sent on the wire, and the OSPF data is authenticated but not encrypted.
For more information, see “Authentication” on page 367.


key This option is used with the OSPF auth option. When the auth option is set to password, the key option sets the password to be used for OSPF authentication on this IP interface. Specify a type 1 (plain text) password of up to eight characters. To clear the key, specify none as the value.

md5key This option is used to define an MD5 ID number and password pair for OSPF authentication on this IP interface. Assigned passwords are ignored until MD5 authentication is enabled in the auth option.

ena This command enables this interface.

dis This command disables this interface.

cur This command displays current settings for all items in the OSPF Interface Menu.
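The following Python example, added for this guide and not part of the ASF, ties the NOTE above to the prio setting: it applies the RFC 2328 section 10.5 Hello checks (hello interval, dead interval, area) to received Hellos, discards the neighbors that fail them, and runs a simplified DR/BDR election over the rest. The sample interface and Hello values are constructed; the election keeps only the non-preemption of an existing DR and omits the RFC's handling of routers that already declare themselves BDR.

```python
"""Added example: OSPF Hello parameter check and DR/BDR election on one segment."""
import ipaddress

# Constructed sample data (not from the page): the local interface and three received
# Hellos. The third neighbour runs hello 5 / dead 20 and never gets an adjacency.
LOCAL = {"rtrid": "10.0.0.1", "prio": 1, "hello": 10, "dead": 40, "area": "0.0.0.0"}
HELLOS = [
    {"rtrid": "10.0.0.9", "prio": 200, "hello": 10, "dead": 40, "area": "0.0.0.0"},
    {"rtrid": "10.0.0.5", "prio": 1, "hello": 10, "dead": 40, "area": "0.0.0.0"},
    {"rtrid": "10.0.0.7", "prio": 250, "hello": 5, "dead": 20, "area": "0.0.0.0"},
]


def accept_hello(local, hello):
    """RFC 2328 section 10.5: a Hello is processed only if its HelloInterval,
    RouterDeadInterval and area match the receiving interface."""
    return all(hello[k] == local[k] for k in ("hello", "dead", "area"))


def elect(routers, current_dr=None):
    """DR/BDR election among (router_id, prio) candidates, simplified from RFC 2328 9.4.

    prio 0 makes a router DROTHER: never DR or BDR. Among the rest the highest priority
    wins; a tie goes to the numerically higher router ID, which is why a stable rtrid
    matters. An existing DR (current_dr) is not pre-empted by a better candidate.
    """
    eligible = [(rid, prio) for rid, prio in routers if prio > 0]
    eligible.sort(key=lambda rp: (rp[1], int(ipaddress.ip_address(rp[0]))), reverse=True)
    if not eligible:
        return None, None
    ids = [rid for rid, _ in eligible]
    dr = current_dr if current_dr in ids else ids[0]
    others = [rid for rid in ids if rid != dr]
    bdr = others[0] if others else None
    return dr, bdr


def segment_election(local, hellos, current_dr=None):
    """Candidates are the local interface plus every neighbour whose Hello passed the
    parameter check; neighbours with mismatched timers never get a vote."""
    routers = [(local["rtrid"], local["prio"])]
    routers += [(h["rtrid"], h["prio"]) for h in hellos if accept_hello(local, h)]
    return elect(routers, current_dr)


if __name__ == "__main__":
    print("DR, BDR:", segment_election(LOCAL, HELLOS))
    print("with an existing DR:", segment_election(LOCAL, HELLOS, current_dr="10.0.0.1"))
```

Note the two effects worth remembering when reading a stuck adjacency: the neighbor with the highest priority on the segment is simply absent from the election if its timers differ, and two interfaces at the default priority of 1 are ordered by router ID, so a dynamically chosen rtrid can move the DR role after a reboot.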


/cfg/net/route/ospf/virt OSPF Virtual Link Configuration

[OSPF Virtual Link 1 Menu]
    aindex - Set area index
    nbr    - Set virtual neighbor router
    hello  - Set hello interval in seconds
    dead   - Set dead interval in seconds
    trans  - Set transmit delay in seconds
    retra  - Set retransmit delay in seconds
    auth   - Set authentication type
    key    - Set password authentication key
    md5key - Set MD5 authentication key
    ena    - Enable virtual link
    dis    - Disable virtual link
    del    - Remove OSPF Virtual Link
    cur    - Display current settings

Virtual links are typically created to connect one area to the backbone through another non-backbone area. The virtual link must be configured at each endpoint of the virtual link, though they may traverse multiple routing devices.

The minimum requirements for configuring a virtual link are the aindex and nbr options in this menu and the rtrid option in the OSPF Menu (see page 276).

For more information on using OSPF, see Chapter 11, “Open Shortest Path First.”

NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using incompatible values could keep adjacencies from forming and may stop or loop routing updates.

Table 7-70 OSPF Virtual Link Menu Options (/cfg/net/route/ospf/virt)

Command Syntax and Usage

aindex This command sets the OSPF area index through which the virtual link passes.

nbr This command sets the router ID of the recipient neighbor (endpoint of the virtual link). The neighbor router ID is specified in dotted decimal format.


hello This command sets the hello interval, in seconds. The Firewall Director holding the MIP sends hello messages to inform other network devices that the virtual link is up. The default is 10 seconds. This value must be the same on all routing devices within the area.

dead This command sets the dead interval, in seconds. If the Firewall Director holding the MIP does not receive a hello on the IP interface within the dead interval, the Firewall Director holding the MIP will declare the virtual link to be down. Typically, the dead value is four times the hello value. The default is 40 seconds. This value must be the same on all routing devices within the area.

trans This command sets the transmit delay, in seconds. This is the estimated time required to transmit an LSA to adjacencies, taking into account transmission and propagation delays. The default is one second. This value must be the same on all routing devices within the area.

retra

auth none|password|md5 This command sets the authentication type for this interface:
- none turns off OSPF authentication.
- password turns on type 1 (plain text) password authentication. The password is set using the key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is defined using the md5key option.
For more information, see “Authentication” on page 367.

key This option is used with the OSPF auth option. When the auth option is set to password, the key option sets the password to be used for OSPF authentication on this IP interface. Specify a type 1 (plain text) password of up to eight characters. To clear the key, specify none as the value.


md5key This option is used to define an MD5 ID number and password pair for OSPF authentication on this IP interface. Assigned passwords are ignored until MD5 authentication is enabled in the auth option.

ena This command enables this virtual link.

dis This command disables this virtual link.

del This command deletes this virtual link from the configuration.

cur This command displays current settings for all items in the OSPF Virtual Link Menu.
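What the auth setting changes on the wire, as an added example that is not code from the guide or from Nortel: with password the type 1 key is carried in the OSPF header in clear text, while with md5 only a key ID and sequence number are carried and a digest computed as in RFC 2328 Appendix D is appended, so the receiver can check both the key and replay. The header layout follows the RFC; the router ID, area ID, key names and packet body are constructed sample values.

```python
"""Added example (not Nortel code): OSPFv2 header with type 1 password versus
MD5 authentication, plus the receiver-side MD5 check from RFC 2328 Appendix D.
Only the header and the authentication trailer are modelled; the Hello body
and the type 1 checksum are left out."""
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NONE, AUTH_PASSWORD, AUTH_MD5 = 0, 1, 2
HEADER_LEN = 24
DIGEST_LEN = 16


def ospf_header(length: int, router_id: bytes, area_id: bytes,
                autype: int, auth_field: bytes) -> bytes:
    """24-byte OSPFv2 header. The checksum is left at 0 here; for MD5
    authentication RFC 2328 D.4.3 does not compute it at all."""
    assert len(auth_field) == 8
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, length,
                       router_id, area_id, 0, autype, auth_field)


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the packet followed by the key padded with zeros to 16 bytes."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


def build_password_packet(body: bytes, router_id: bytes, area_id: bytes,
                          password: bytes) -> bytes:
    """auth password: up to eight characters, zero padded, sent in the clear."""
    assert len(password) <= 8, "type 1 passwords are at most eight characters"
    hdr = ospf_header(HEADER_LEN + len(body), router_id, area_id,
                      AUTH_PASSWORD, password.ljust(8, b"\x00"))
    return hdr + body


def build_md5_packet(body: bytes, router_id: bytes, area_id: bytes,
                     key_id: int, seq: int, key: bytes) -> bytes:
    """auth md5: the 8-byte auth field holds 0, key ID, digest length and a
    sequence number; the digest follows the packet and is not counted in
    the header's packet length field."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = ospf_header(HEADER_LEN + len(body), router_id, area_id,
                      AUTH_MD5, auth) + body
    return pkt + md5_digest(pkt, key)


def verify_md5_packet(pkt: bytes, keys: Dict[int, bytes], last_seq: int) -> bool:
    """Receiver check: known key ID, sequence number advanced past the last
    accepted one (rejects replays), and digest matches under that key."""
    if len(pkt) < HEADER_LEN:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    autype = struct.unpack("!H", pkt[14:16])[0]
    key_id, auth_len, seq = struct.unpack("!xxBBI", pkt[16:24])
    if autype != AUTH_MD5 or auth_len != DIGEST_LEN:
        return False
    if len(pkt) != length + DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None or seq <= last_seq:
        return False
    return hmac.compare_digest(md5_digest(pkt[:length], key), pkt[length:])


def demo() -> Dict[str, bool]:
    """Constructed values: router ID 10.0.0.1, backbone area, 20-byte body."""
    body, rid, area = bytes(20), b"\x0a\x00\x00\x01", bytes(4)
    key = b"shared-key-12345"
    plain = build_password_packet(body, rid, area, b"s3cret")
    signed = build_md5_packet(body, rid, area, key_id=1, seq=100, key=key)
    return {
        "password_visible_on_wire": b"s3cret" in plain,
        "md5_key_visible_on_wire": key in signed,
        "verifies_with_right_key": verify_md5_packet(signed, {1: key}, 99),
        "rejects_wrong_key": not verify_md5_packet(signed, {1: b"other"}, 99),
        "rejects_replay": not verify_md5_packet(signed, {1: key}, 100),
    }
```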


/cfg/net/route/ospf/redist OSPF Route Redistribution Menu

[Route Redistribution Menu]
connected - Connected Route Redistribution Menu
static - Static Route Redistribution Menu
rip - RIP Route Redistribution Menu
defaultgw - Default Gateway Redistribution Menu
cur - Display current settings

The Route Redistribution Menu is used to redistribute connected, static, RIP, and default gateway routes via OSPF. If the routes are learned from a certain routing protocol, you have to enable that protocol for those routes to be redistributed into the network.

Table 7-71 Route Redistribution Menu (/cfg/net/route/ospf/redist)

Command Syntax and Usage

connected The Connected Route Redistribution Menu is used for advertising connected routes via OSPF. See page 289 for menu items.

static The Static Route Redistribution Menu is used for advertising static routes via OSPF. See page 290 for menu items.

rip The RIP Route Redistribution Menu is used for advertising RIP routes via OSPF. See page 291 for menu items.

defaultgw The Default Gateway Redistribution Menu is used for advertising default gateway routes via OSPF. See page 292 for menu items.

cur This command displays current settings for all items in the OSPF Route Redistribution Menu.


/cfg/net/route/ospf/redist/connected OSPF Connected Route Redistribution Menu

[OSPF Connected Route Redistribution Menu]
metric - Set Metric assigned to connected routes
ena - Enable redistribution of connected routes
dis - Disable redistribution of connected routes
cur - Display current settings

The OSPF Connected Route Redistribution Menu is used to redistribute connected routes into OSPF.

Table 7-72 OSPF Connected Route Redistribution Menu (/cfg/net/route/ospf/redist/connected)

Command Syntax and Usage

metric Sets the metric of advertised connected routes. Ranges from 1 to 16777214 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10.

enable Enables advertising of connected routes.

disable Disables advertising of connected routes.

cur This command displays current settings for the OSPF Connected Route Redistribution Menu.


/cfg/net/route/ospf/redist/static OSPF Static Route Redistribution Menu

[OSPF Static Route Redistribution Menu]
metric - Set Metric assigned to static routes
ena - Enable redistribution of static routes
dis - Disable redistribution of static routes
cur - Display current settings

The OSPF Static Route Redistribution Menu is used to redistribute static routes into OSPF.

Table 7-73 OSPF Static Route Redistribution Menu (/cfg/net/route/ospf/redist/static)

Command Syntax and Usage

metric Sets metric of advertised static routes. Ranges from 1 to 16777214 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10.

enable Enables advertising static routes.

disable Disables advertising static routes.

cur Displays the current static routes configured for redistribution into OSPF.


/cfg/net/route/ospf/redist/rip OSPF RIP Route Redistribution Menu

[OSPF RIP Route Redistribution Menu]
metric - Set Metric assigned to routes originating from RIP
ena - Enable redistribution of RIP routes
dis - Disable redistribution of RIP routes
cur - Display current settings

The OSPF RIP Route Redistribution Menu is used to redistribute RIP routes into OSPF.

Table 7-74 OSPF RIP Route Redistribution Menu (/cfg/net/route/ospf/redist/rip)

Command Syntax and Usage

metric Sets metric of advertised RIP routes. Ranges from 1 to 16777214 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10.

enable Enables advertising of RIP routes.

disable Disables advertising of RIP routes.

cur Displays the current RIP routes configured for redistribution into OSPF.


/cfg/net/route/ospf/redist/defaultgw OSPF Default Gateway Route Redistribution Menu

[OSPF Default Gateway Route Redistribution Menu]
metric - Set Metric assigned to default gateway routes
ena - Enable redistribution of default gateway routes
dis - Disable redistribution of default gateway routes
cur - Display current settings

The OSPF Default Gateway Route Redistribution Menu is used to redistribute default gateway routes into OSPF.

Table 7-75 OSPF Default Gateway Route Redistribution Menu (/cfg/net/route/ospf/redist/defaultgw)

Command Syntax and Usage

metric Sets the metric of advertised default gateway routes. Ranges from 1 to 16777214 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10.

enable Enables advertising of default gateway routes.

disable Disables advertising of default gateway routes.

cur Displays the current default gateway routes configured for redistribution into OSPF.


/cfg/net/mirr Port Mirroring Menu

[Port Mirroring Menu]
ena - Enable Port Mirroring
dis - Disable Port Mirroring
monport - Monitoring Port-based PM Menu
cur - Display all Mirrored and Monitoring ports

The Port Mirroring Menu is used to monitor ports.

Table 7-76 Port Mirroring Menu (/cfg/net/mirr)

Command Syntax and Usage

ena This command enables port mirroring.

dis This command disables port mirroring.

monport The Monitoring port-based menu is used to configure ports for monitoring. The monitoring port must be a network port on the Firewall Accelerator. See page 294 for menu items.

cur This command displays current settings for all items in the Port Mirroring Menu.


/cfg/net/mirr/monport Monitoring Port Menu

[Monitoring Port Menu]
edit - Add/Delete Ports to be Mirrored
del - Remove Monitoring Ports
cur - Display Mirrored Ports

The Monitoring Port Menu is used to configure the ports that you want to monitor.

Table 7-77 Monitoring Port Menu (/cfg/net/mirr/monport)

Command Syntax and Usage

edit This command adds and deletes ports to be mirrored. See page 295 for menu items.

del This command removes the monitoring port.

cur This command displays all the ports that are monitored by port .


/cfg/net/mirr/monport/edit Mirrored Ports Menu

[Mirrored Ports Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Mirrored Ports Menu is used to configure the mirrored ports that you want to monitor.

Table 7-78 Mirrored Ports Menu (/cfg/net/mirr/monport/edit)

Command Syntax and Usage

list This command lists the mirrored ports.

del This command deletes the mirrored port.

add This command adds ports to be monitored.


/cfg/net/adv Advanced Settings Menu

[Advanced Settings Menu]
domain - Set Domain Name
filt - Filter Definition Menu
parp - Proxy ARP Menu
local - Local Network Route Caching Menu
vrrp - Advanced VRRP Configuration Menu
cur - Display current settings

The Advanced Settings Menu is used to configure domain name, port traffic filter, proxy ARP, local network cache, and VRRP parameters.

Table 7-79 Advanced Settings Menu (/cfg/net/adv)

Command Syntax and Usage

domain This command sets the SMTP domain server name for the cluster, as used with some third-party software applications.

filt The Filter Definition Menu is used to create or modify port traffic filters. Port traffic filters can be configured to allow or deny traffic according to a variety of address and protocol specifications and are processed prior to firewall processing. See page 297 for menu items.

parp The Proxy ARP IP Menu is used to configure IP addresses which the cluster should respond to on behalf of Network Address Translation (NAT) features configured in the Check Point FireWall-1 NG software. See page 302 for menu items.

local The Local Network Route Caching Menu is used to configure IP addresses which will be included in the local network route cache. See page 304 for menu items.


vrrp The Advanced VRRP Configuration Menu is used to configure advanced VRRP settings. See page 306 for menu items.

cur This command displays current settings for all items in the Advanced Settings Menu.

/cfg/net/adv/filt Filter Definition Menu

[Filtering 1 Menu]
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
sip - Set source IP address
smask - Set source IP mask
dip - Set destination IP address
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port range
dport - Set destination TCP/UDP port range
action - Set filter action
inv - Set inversion
log - Set logging
ena - Enable filter
dis - Disable filter
del - Remove Filter Definition
cur - Display current settings

The Filter Definition Menu is used to create or modify port traffic filters. The Alteon Switched Firewall supports up to 224 port traffic filters. Each filter can be configured to allow or deny traffic according to a variety of address and protocol specifications, and each physical Firewall Accelerator port can be configured to use any combination of filters.

Port traffic filtering is a feature of the Firewall Accelerator and occurs prior to inspection by the Check Point FireWall-1 NG software. Traffic that has been dropped by a port traffic filter will not be forwarded to the firewall. Traffic that has been allowed by a port traffic filter will be sent through the firewall, bypassing Check Point FireWall-1 NG inspection. Only traffic which is not matched by any port traffic filter will be passed to the firewall for Check Point FireWall-1 NG inspection.

The following parameters are required for filtering:

- Set the address, masks, and/or protocol that will be affected by the filter
- Set the filter action (allow or deny)
- Enable the filter
- Add the filter to a Firewall Accelerator port
- Enable filtering on the Firewall Accelerator port

NOTE – Filtering criteria options can be used in combination. If the criteria are left at their default settings, the filter will be broad and will affect more traffic. The more criteria that are specifically set, the narrower the filter becomes, affecting a smaller portion of the traffic.

The Filter Definition Menu has the following items:

Table 7-80 Filter Definition Menu Options (/cfg/net/adv/filt)

Command Syntax and Usage

name This command sets the filter name. This allows you to provide a comment for the intended function of the filter. The name can have a maximum of 64 characters.

smac any| If defined, traffic with this source MAC address will be affected by this filter. The default is any.

dmac any| If defined, traffic with this destination MAC address will be affected by this filter. The default is any.

sip any| If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation, or any. A range of IP addresses is produced when used with smask below. The default is any if the source MAC address is any.

smask This IP address mask is used with the sip to select a range of source IP addresses which this filter will affect. See “Defining IP Address Ranges for Filters” on page 301 for details on producing address ranges.


dip any| If defined, traffic with this destination IP address will be affected by this filter. Specify an IP address in dotted decimal notation, or any. A range of addresses is produced when used with dmask below. The default is any if the destination MAC address is any.

dmask This IP address mask is used with the dip to select traffic which this filter will affect. See “Defining IP Address Ranges for Filters” on page 301 for details on producing address ranges.

proto any|| If defined, traffic from the specified protocol is affected by this filter. Specify the protocol number, name, or any. The default is any. Below are some of the well-known protocols.

Number  Name    Number  Name
1       icmp    17      udp
2       igmp    89      ospf
6       tcp     112     vrrp


sport If defined, traffic with the specified TCP or UDP source port range will be affected by this filter. To specify a single port, rather than a range, use the chosen port number as both the start and end number. For example, to select only port 80, use the following command:
sport 80 80
To specify matching for any port (the default), use the following command:
sport 0 0
Listed below are some of the well-known ports:

Number  Name      Number  Name
20      ftp-data  111     sunrpc
21      ftp       119     nntp
22      ssh       123     ntp
23      telnet    143     imap
25      smtp      144     news
37      time      161     snmp
42      name      162     snmptrap
43      whois     179     bgp
53      domain    194     irc
69      tftp      220     imap3
70      gopher    389     ldap
79      finger    443     https
80      http      520     rip
109     pop2      554     rtsp
110     pop3      1985    hsrp

dport any|||- If defined, traffic with the specified real server TCP or UDP destination port will be affected by this filter. Specify the port number, range, name, or any. The default is any.

action allow|deny This specifies the action this filter takes when traffic matches the specified criteria:
allow Allow the frame to pass through the firewall with no further inspection (default).
deny Discard the frame before it can be inspected by the firewall.

inv e|d This command lets you enable or disable inverting the filter logic. When disabled (the default), the filter behaves normally. When enabled, if the conditions of the filter are met, the filter takes no action. Otherwise, if the conditions for the filter are not met, the filter performs the assigned action.


log e|d This command enables or disables logging for this filter. If enabled, each time the filter action is taken, a message is sent to the system log. By default, this is disabled.

ena This command enables this filter.

dis This command disables this filter.

del This command removes this filter from the cluster configuration.

cur This command displays the current settings for this filter.

Defining IP Address Ranges for Filters

You can specify a range of IP addresses for filtering on the source and/or destination IP address of traffic. When a range of IP addresses is needed, the sip (source) or dip (destination) defines the base IP address in the desired range, and the smask (source) or dmask (destination) is the mask which is applied to produce the range.

For example, to determine if a client request’s destination IP address should be allowed, the destination IP address is masked (bitwise AND) with the dmask and then compared to the dip.

As another example, you could configure two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters:

Table 7-81 Filtering IP Address Ranges

Filter Internet Address Range dip dmask

#1 0.0.0.0 - 127.255.255.255 0.0.0.0 128.0.0.0

#2 128.0.0.0 - 255.255.255.255 128.0.0.0 128.0.0.0
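How a port traffic filter selects traffic, as an added example that is not code from the guide or from Nortel: a model of the mask-and-compare address ranges, the 0 0 any-port convention, inversion, and the allow/deny/inspect outcome, applied to the two Table 7-81 filters and to a constructed sample policy. It assumes first-match evaluation and that a concrete sip/dip with no mask configured matches that exact host; the guide states neither.

```python
"""Added example (not Nortel code): model of Alteon port traffic filter
matching as described in the Filter Definition Menu and "Defining IP Address
Ranges for Filters". Assumptions: filters bound to a port are tried in order
and the first one that fires decides; an unset mask means exact-host match."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = "any"
HOST_MASK = "255.255.255.255"


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass
class Filter:
    name: str
    action: str                      # "allow" or "deny"
    sip: str = ANY
    smask: str = HOST_MASK
    dip: str = ANY
    dmask: str = HOST_MASK
    proto: str = ANY                 # IP protocol number as text, e.g. "6", or "any"
    sport: Tuple[int, int] = (0, 0)  # start, end; "sport 0 0" means any port
    dport: Tuple[int, int] = (0, 0)
    inv: bool = False                # "inv e": act only when the criteria are NOT met
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def addr_matches(base: str, mask: str, addr: str) -> bool:
    """The packet address is masked (bitwise AND) and then compared to the base."""
    if base == ANY:
        return True
    return (_ip(addr) & _ip(mask)) == _ip(base)


def port_matches(rng: Tuple[int, int], port: int) -> bool:
    """A 0 0 range matches any port; otherwise the range is inclusive."""
    start, end = rng
    return (start, end) == (0, 0) or start <= port <= end


def criteria_met(f: Filter, p: Packet) -> bool:
    """Every criterion must hold; a criterion left at 'any' narrows nothing."""
    return (addr_matches(f.sip, f.smask, p.src)
            and addr_matches(f.dip, f.dmask, p.dst)
            and (f.proto == ANY or int(f.proto) == p.proto)
            and port_matches(f.sport, p.sport)
            and port_matches(f.dport, p.dport))


def filter_fires(f: Filter, p: Packet) -> bool:
    if not f.enabled:
        return False
    hit = criteria_met(f, p)
    return (not hit) if f.inv else hit


def first_match(filters: List[Filter], p: Packet) -> Optional[Filter]:
    for f in filters:
        if filter_fires(f, p):
            return f
    return None


def evaluate(filters: List[Filter], p: Packet) -> str:
    """'allow': forwarded with no FireWall-1 NG inspection; 'deny': discarded
    before the firewall sees it; 'inspect': no filter matched, so the packet
    is passed to FireWall-1 NG."""
    f = first_match(filters, p)
    return f.action if f else "inspect"


def uninspected_filters(filters: List[Filter]) -> List[str]:
    """Audit helper: enabled 'allow' filters, i.e. the traffic classes a port
    deliberately exempts from firewall inspection."""
    return [f.name for f in filters if f.enabled and f.action == "allow"]


def table_7_81_filters(action: str) -> List[Filter]:
    """The two filters of Table 7-81, each covering one half of the Internet."""
    return [Filter("half-1", action, dip="0.0.0.0", dmask="128.0.0.0"),
            Filter("half-2", action, dip="128.0.0.0", dmask="128.0.0.0")]


if __name__ == "__main__":
    # Constructed sample policy: drop TCP/23 before inspection, inspect the rest.
    policy = [Filter("no-telnet", "deny", proto="6", dport=(23, 23))]
    for dport in (23, 443):
        pkt = Packet("198.51.100.7", "192.0.2.10", 6, 40000, dport)
        print("tcp/%d -> %s" % (dport, evaluate(policy, pkt)))
```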


/cfg/net/adv/parp Proxy ARP Menu

[Proxy ARP Menu]
parp - Proxy ARP List Menu
sfd - Set proxying of SFD’s IPs & MIP
cur - Display current settings

The Proxy ARP Menu is used to configure IP addresses which the cluster should respond to on behalf of Network Address Translation (NAT) features configured in the Check Point FireWall-1 NG software.

Table 7-82 Proxy ARP Menu (/cfg/net/adv/parp)

Command Syntax and Usage

parp The Proxy ARP List Menu is used to add, delete, or list proxied addresses. See page 302 for menu items.

sfd e|d This command enables or disables whether the cluster will respond to Address Resolution Protocol (ARP) requests for the cluster Firewall Director and Management IP (MIP) addresses.

cur This command displays the current settings for the proxy ARP menu.

/cfg/net/adv/parp/parp Proxy ARP List Menu

[Proxy ARP List Menu]
list - List all values
del - Delete a value by number
add - Add a new value


The Proxy ARP List Menu is used to add, delete, or list IP addresses which the cluster should serve as proxy.

Table 7-83 Proxy ARP List Menu (/cfg/net/adv/parp/parp)

Command Syntax and Usage

list This command displays all proxy ARP addresses by their index number.

del This command lets you remove a proxy ARP address by specifying its index number. Use the list command to display the proxy ARP index numbers.

add This command lets you add the specified proxy ARP address. The IP address should be specified in dotted decimal notation. The maximum number of entries is 2,000 minus one for each Firewall Director and Firewall Accelerator in the cluster.


/cfg/net/adv/local Local Network Route Caching Menu

[Local Network Route Caching Menu]
local - Local Network List Menu
auto - Enable/disable automatically adding interfaces and static routes to local network list
cur - Display current settings

The Local Network Route Caching Menu is used to configure IP addresses and ranges which will be included in the local network route cache. By caching IP addresses for local network devices, ASF performance can be increased.

Table 7-84 Local Network Route Caching Menu (/cfg/net/adv/local)

Command Syntax and Usage

local The Local Network List Menu is used to list, add, and delete IP addresses from the route cache. See page 305 for menu items.

auto y|n This command allows you to enable or disable inclusion of the configured ASF interfaces and static routes in the route cache.

cur This command displays the current settings for the local network route cache.


/cfg/net/adv/local/local Local Network List Menu

[Local Network List Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Local Network List Menu is used to add, delete, or list the IP addresses and ranges in the local network route cache.

Table 7-85 Local Network List Menu (/cfg/net/adv/local/local)

Command Syntax and Usage

list This command lists all configured local networks by their index number. Displayed information includes the IP address and subnet mask.

del This command lets you remove a local network by specifying its index number. Use the list command to display the index numbers.

add This command lets you add the specified local networks. The IP address should be specified in dotted decimal notation.


/cfg/net/adv/vrrp Advanced VRRP Configuration Menu

[Advanced VRRP Configuration Menu]
vrid - Set virtual router group ID
adver - Set advertisement interval
cur - Display current settings

The Advanced VRRP Configuration Menu is used to configure advanced VRRP settings.

Table 7-86 Advanced VRRP Configuration Menu (/cfg/net/adv/vrrp)

Command Syntax and Usage

vrid This command sets the group ID for the virtual router. The default group ID for a virtual router is 255.

adver

cur This command displays the current settings for the Advanced VRRP Configuration Menu.


/cfg/fw Firewall Configuration Menu

[Firewall Configuration Menu]
ena - Enable firewall
dis - Disable firewall
sic - Reset Check Point SIC
accel - Set automatic acceleration restart
sync - Sync Configuration Menu
software - Firewall Software Menu
cur - Display current settings

The Firewall Configuration Menu is used to configure firewall related options such as enabling firewall or resetting the Check Point Secure Internal Communications (SIC).

Table 7-87 Firewall Configuration Menu (/cfg/fw)

Command Syntax and Usage

ena Enable the Check Point FireWall-1 NG processing on all healthy Firewall Directors in the cluster.

dis Disable the Check Point FireWall-1 NG processing on the cluster and mark all Firewall Directors as down. The Check Point management server cannot be used to manage cluster firewall policies in the disabled state.

sic This command is used to reset the Check Point Secure Internal Communication (SIC) state for a specific Firewall Director in the cluster. You will be prompted to enter the IP address of the target Firewall Director in dotted decimal notation.

accel y|n This command is used to enable or disable the automatic restart feature for Firewall Accelerators. This is disabled by default.

sync The Synchronization Configuration Menu is used to configure stateful failover of sessions among Firewall Directors in the cluster. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director. See page 308 for menu items.


software Use the Firewall Software Menu to update the built-in Check Point FireWall-1 NG software. See page 309 for menu items.

cur This command displays the current Firewall Configuration Menu settings.

/cfg/fw/sync Synchronization Menu

[Sync Configuration Menu]
ena - Enable sync
dis - Disable sync
net - Set sync network address
cur - Display current settings

The Synchronization Configuration Menu is used to configure stateful failover of sessions among Firewall Directors in the cluster. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.

Stateful failover may require additional hardware and Check Point software configuration. See “Synchronizing Firewall Directors” on page 340 for details.

Table 7-88 Synchronization Menu (/cfg/fw/sync)

Command Syntax and Usage

ena This command is used to enable synchronization for stateful failover among multiple Firewall Directors in the cluster.

dis This command is used to disable synchronization for stateful failover. This is the default.


net This command is used to configure the base IP address of the Firewall Director synchronization network. This command is used in conjunction with the /cfg/sys/netmask option (see page 202) to define the synchronization network range.

cur This command displays the current firewall synchronization settings.

/cfg/fw/software Firewall Software Menu

[Firewall Software Menu]
fp2 - Upgrade to Check Point Feature Pack 2
fp2hf - Upgrade to Check Point Feature Pack 2 Hotfix 1
fp3 - Upgrade to Check Point Feature Pack 3
cur - Display current version of firewall software

The Firewall Software Menu is used to update the built-in Check Point FireWall-1 NG software.

Table 7-89 Firewall Software Menu (/cfg/fw/software)

Command Syntax and Usage

fp2 This command is used to activate the Check Point Feature Pack 2 software.

fp2hf This command is used to activate the Check Point Feature Pack 2 Hotfix 1 software.

fp3 This command is used to activate the Check Point Feature Pack 3 software.

cur This command displays the current settings for items in the Firewall Software Menu.


/cfg/misc Miscellaneous Settings Menu

[Miscellaneous Settings Menu]
warn - Set warnings when configuration is applied
cur - Display current settings

The Miscellaneous Settings Menu is used to turn on or off configuration warning messages.

Table 7-90 Miscellaneous Settings Menu (/cfg/misc)

Command Syntax and Usage

warn y|n This command is used to turn on or off warning messages. When enabled (the default), whenever the global apply command is issued, applicable warnings are displayed if problems are found in the pending configuration changes. Warnings will not cause the apply command to fail, but can be helpful for managing configuration issues.

cur This command displays the current settings for items in the Miscellaneous Settings Menu.


/boot Boot Menu

[Boot Menu]
software - Software Management Menu
halt - Halt the iSD
reboot - Reboot the iSD
delete - Delete the iSD

The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if necessary.

NOTE – The Software Management Menu option is not available using the operator account.

Table 7-91 Boot Menu (/boot)

Command Syntax and Usage

software The Software Management Menu is used to load, activate, or remove Alteon Switched Firewall software upgrade packages. See page 313 for menu items.

halt This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be halted using the preferred /cfg/sys/clu/ host /halt command. After confirmation, this command stops the particular Firewall Director to which you have connected via Telnet, SSH, or a console terminal. If using Telnet or SSH, use this command only when you have connected to a particular Firewall Director’s individually assigned IP address. Do not use the halt command when connected to the Management IP (MIP) address.


reboot This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be rebooted using the preferred /cfg/sys/clu/ host /reboot command. After confirmation, this command reboots the particular Firewall Director to which you have connected via Telnet, SSH or console terminal. When using Telnet or SSH, use this command only when you have connected to a particular Firewall Director’s individually assigned IP address. Do not use the reboot command when connected to the Management IP (MIP) address.

delete This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be deleted using the preferred /cfg/sys/clu/ host /delete command. After confirmation, this command removes the particular Firewall Director to which you have connected via Telnet, SSH, or a console terminal. It also resets the removed Firewall Director to its factory default configuration. If you are using Telnet or SSH, only use this command when you have connected to the iSD host’s individually assigned IP address. Do not use the delete command when connected to the cluster Management IP (MIP) address. If there are other Firewall Directors in the cluster, you should also connect to the cluster MIP address (locally or remotely) and purge the deleted Firewall Director configuration from the cluster by using the /cfg/sys/cluster/host /delete command. Once you have removed a Firewall Director from the cluster, you can only access the device through a console terminal attached directly to its local serial port. You can then log in using the administration account (admin) and the default password (admin) to access the Setup Menu.


/boot/software Software Management Menu

[Software Management Menu]
cur      - Display current software status
activate - Select software version to run
download - Download a new software package via TFTP/FTP
del      - Remove downloaded (unpacked) releases
patch    - Software Patches Menu

The Software Management Menu is used to load, activate, or remove Alteon Switched Firewall software upgrade packages.

Table 7-92 Software Management Menu (/boot/software)

Command Syntax and Usage

cur This command displays the software status of the particular Firewall Director to which your current Telnet, SSH, or console terminal session is connected.

activate This command activates a downloaded and unpacked Alteon Switched Firewall software upgrade package. If serious problems occur while running the new software version, you may revert to using the previous version by activating the software version labeled as old. Note that you will be logged out after confirming the activate command.

download This command lets you download an Alteon Switched Firewall software upgrade package from an FTP server that allows anonymous login. You need to provide the host name or IP address of the FTP server, as well as the file name of the software upgrade package. In order to use this feature, you must install a firewall rule that allows FTP traffic to pass to and from the Firewall Directors.

del After confirmation, this command lets you remove a software upgrade package that has been downloaded using the ftp command.

patch The Software Patches Menu is used to install minor, corrective software elements on the ASF. See page 314 for menu items.


/boot/software/patch Software Patches Menu

[Software Patches Menu]
install - Install a software patch
remove  - Remove an installed patch
cur     - List currently installed patches

The Software Patches Menu is used to install or remove small Alteon Switched Firewall software patches.

Table 7-93 Software Patches Menu (/boot/software/patch)

Command Syntax and Usage

install This command lets you download an Alteon Switched Firewall software patch from an FTP server. You need to provide the host name or IP address of the FTP server, as well as the file name of the software patch.

remove After confirmation, this command lets you remove a software upgrade package that has been installed using the install command.

cur This command lists the names of the ASF software patches currently installed.


/maint The Maintenance Menu

[Maintenance Menu]
diag   - Diagnostic Tools Menu
debug  - Debug Information Menu
tsdump - Tech Support Dump Menu
swfc   - SFA Flow Control Configuration Menu

The Maintenance Menu is used for system diagnostics and for sending a technical support dump to an FTP server.

CAUTION—All commands in the Maintenance menu and its submenus are not commonly used, and should not be used without proper guidance from Nortel Networks Technical Support.

Table 7-94 Maintenance Menu (/maint)

Command Syntax and Usage

diag The Diagnostic Tools Menu is used to run diagnostic tools on the ASF. See page 316 for menu items.

debug The Debug Information Menu displays debug information on the ASF. See page 317 for menu items.

tsdump The Tech Support Dump Menu is used to provide dumps for Technical Support. See page 323 for menu items.

swfc The Firewall Accelerator Flow Control Configuration Menu is used to set software flow control settings to protect the Accelerator from DoS (denial-of-service) attacks. See page 324 for menu items.


/maint/diag Diagnostics Tools Menu

[Diagnostics Tools Menu]
sync    - Test sync network
ldplcy  - Load Check Point policy
uldplcy - Unload Check Point policy

The Diagnostics Tools Menu is used to run diagnostic tools on the ASF.

Table 7-95 Diagnostics Tools Menu (/maint/diag)

Command Syntax and Usage

sync This command allows you to run the diagnostic utility that checks connectivity in the sync network. It sends an ARP request for each IP address in the sync network and reports whether that IP address can be reached over the sync network.

ldplcy This command uses Check Point’s fw fetch localhost command to load the installed policy. You can load the policy on a specific Director or on all Directors in the cluster.

uldplcy This command uses Check Point’s fw unloadlocal command to unload the installed policy. You can unload the policy on a specific Director or on all Directors in the cluster.


/maint/debug Debug Information Menu

[Debug Information Menu]
aim  - AIM Statistics
fw   - FW-1 Statistics
ac1  - Accelerator 1 Information
ac2  - Accelerator 2 Information
ospf - OSPF Debug Menu
rip  - RIP Debug Menu

The Debug Information Menu is used to display debug information on the ASF.

Table 7-96 Debug Information Menu (/maint/debug)

Command Syntax and Usage

aim This command displays debugging information for the Accelerator Interface Module.

fw This command displays the FW-1 Statistics menu, which allows you to run certain Check Point Firewall commands and view the results. This menu is useful for users already familiar with the Check Point Firewall. See page 319 for menu items.

ac1 This command displays debugging information for Firewall Accelerator 1, and allows you to run certain commonly used commands on the Firewall Accelerator. See page 320 for menu items.

ac2 This command displays debugging information for Firewall Accelerator 2, and allows you to run certain commonly used commands on the Firewall Accelerator. This menu is the same as ac1 but displays information about the second Firewall Accelerator (if present). See page 320 for menu items.


ospf This command displays information on OSPF. See page 321 for menu items.

rip This command displays information on RIP. See page 322 for menu items.


/maint/debug/fw FW-1 Statistics Menu

[FW-1 Statistics Menu]
ver      - CheckPoint Version
stat     - FW-1 Statistics
lic      - CheckPoint Licenses
ctlpstat - FW-1 Kernel Statistics

The FW-1 Statistics Menu allows you to run some Check Point Firewall commands and view the results.

Table 7-97 FW-1 Statistics Menu (/maint/debug/fw)

Command Syntax and Usage

ver This command displays version information and is equivalent to Check Point’s fw ver command.

stat This command displays information about the installed policy, and is equivalent to Check Point’s fw stat command.

lic This command displays the installed licenses, and is equivalent to Check Point’s cplic print -x command.

ctlpstat This command displays Check Point Firewall internal statistics, and is equivalent to Check Point’s fw ctl pstat command.


/maint/debug/ac1 Accelerator 1 Information Menu

[Accelerator 1 Information Menu]
sys     - System information for SFA1
boot    - Boot settings for SFA1
naap    - NAAP statistics for SFA1
vrrp    - VRRP info for SFA1
sess    - Session table dump for SFA1
prtstat - Port statistics for SFA1
clear   - Clear all statistics on SFA1

The Accelerator 1 Information Menu allows you to run CLI commands on the Firewall Accelerator and see the output.

Table 7-98 Accelerator 1 Information Menu (/maint/debug/ac1)

Command Syntax and Usage

sys This command displays the output of the /info/sys (system information) command from the Firewall Accelerator.

boot This command displays the output of the /boot/cur (boot settings) command from the Firewall Accelerator.

naap This command displays the output of the /info/naap/dump (NAAP status) command from the Firewall Accelerator.

vrrp This command displays the output of the /info/vrrp (VRRP status) command from the Firewall Accelerator.

sess This command displays the output of the /info/slb/sess/dump (session table) command from the Firewall Accelerator.

prtstat This command displays the output of the /stats/slb/port <#>/maint (port maintenance status) command from the Firewall Accelerator.

clear This command clears all statistics on Firewall Accelerator 1.


/maint/debug/ospf OSPF Debug Menu

[OSPF Debug Menu]
events  - Set log OSPF generic events
ism     - Set log OSPF ISM events
lsa     - Set log OSPF LSA events
nsm     - Set log OSPF NSM events
packets - Set log OSPF packets
msgs    - View last 100 debug messages
cur     - Display current setting

The OSPF Debug Information Menu provides information to troubleshoot OSPF.

Table 7-99 OSPF Debug Menu (/maint/debug/ospf)

Command Syntax and Usage

events This command allows you to turn on debugging for OSPF events.

ism This command allows you to turn on debugging for the interface state machine.

lsa This command allows you to turn on debugging for link state advertisements.

nsm This command allows you to turn on debugging for the neighbor state machine.

packets This command allows you to turn on debugging for OSPF packets.

msgs This command displays the last 100 messages from the log file.

cur This command displays current settings in the OSPF Debug menu.


/maint/debug/rip RIP Debug Menu

[RIP Debug Menu]
events  - Set log RIP events
packets - Set log RIP packets
msgs    - View last 100 debug messages
cur     - Display current setting

The RIP Debug Information Menu is used to display debug information for RIP.

Table 7-100 RIP Debug Menu (/maint/debug/rip)

Command Syntax and Usage

events This command allows you to turn on debug logging for RIP events.

packets This command displays details on RIP packets.

msgs This command displays the last 100 messages from the log file.

cur This command displays current settings in the RIP menu.


/maint/tsdump Tech Support Dump Menu

[Tech Support Menu]
dump   - Create a Tech Support dump
exdump - Create a Tech Support dump including logs
floppy - Copy Tech Support Dump to Floppy
cur    - Current Tech Support Information

The Tech Support Dump Menu is used to create dumps for Technical Support.

Table 7-101 Tech Support Dump Menu (/maint/tsdump)

Command Syntax and Usage

dump This command creates a Technical Support dump without including the logs. The size of the dump is typically small enough to fit on a floppy diskette.

exdump This command creates a Technical Support dump including all available logs. The size of the dump is typically more than 1 MB.

ftp [] [] This command allows you to FTP the created tsdump to an FTP server. A file called asfdump.tgz is created on the FTP server.

floppy This command copies the tsdump file to a floppy diskette.

cur This command displays information about the last tsdump created.


/maint/swfc SFA Flow Control Configuration Menu

[SFA Flow Control Configuration Menu]
window - Set Window Size
sync   - Set Sync Interval
ena    - Enable SFA Flow Control
dis    - Disable SFA Flow Control
cur    - Display current settings

The SFA (switched firewall accelerator) Flow Control Configuration Menu is used to configure settings to protect the Firewall from a DoS (denial-of-service) attack.

Table 7-102 SFA Flow Control Configuration Menu (/maint/swfc)

Command Syntax and Usage

window This command sets the “window” size for flow control. This is similar to the window concept for TCP transmission. The Firewall Accelerator makes sure that the number of outstanding requests to each Firewall Director stays within this limit. If the limit is exceeded, the Firewall Accelerator starts dropping packets destined to that Firewall Director. The default value is 1000.

sync This command sets the interval at which the Firewall Accelerator and the Firewall Director exchange flow control information. The default value is 1 second.

ena This command enables the SFA flow control.

dis This command disables the SFA flow control.

cur This command displays current settings for the SFA flow control.
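The window and sync settings above amount to a credit-style limit on the requests in flight to each Firewall Director. The following model is an added example, not Nortel code: it reproduces the behaviour the table describes (accept up to the window, drop the excess, learn completed requests at each sync interval) and compares a flood of traffic with flow control enabled and disabled; the Director name and traffic figures are constructed.

```python
"""Model of the SFA flow-control window described for /maint/swfc.

Added illustration, not Nortel code. It models the behaviour the manual
describes: the Firewall Accelerator tracks outstanding requests per Firewall
Director, drops packets bound for a Director whose outstanding count has
reached the window (default 1000), and at every sync interval (default 1 s)
learns how many requests the Director has completed. Director names and the
traffic pattern are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class DirectorState:
    """Per-Director bookkeeping kept on the Accelerator side."""
    outstanding: int = 0   # requests forwarded but not yet reported complete
    forwarded: int = 0
    dropped: int = 0


@dataclass
class FlowControl:
    window: int = 1000           # /maint/swfc/window default
    sync_interval: float = 1.0   # /maint/swfc/sync default, in seconds
    enabled: bool = True         # /maint/swfc/ena or /maint/swfc/dis
    directors: dict = field(default_factory=dict)

    def forward(self, director: str, packets: int = 1) -> int:
        """Accelerator tries to forward packets; returns how many were accepted."""
        st = self.directors.setdefault(director, DirectorState())
        if not self.enabled:
            # Without flow control the backlog on the Director is unbounded.
            st.outstanding += packets
            st.forwarded += packets
            return packets
        room = max(0, self.window - st.outstanding)
        accepted = min(room, packets)
        st.outstanding += accepted
        st.forwarded += accepted
        st.dropped += packets - accepted   # excess is dropped, not queued
        return accepted

    def sync(self, director: str, completed: int) -> int:
        """Director reports completed requests; returns the new outstanding count."""
        st = self.directors.setdefault(director, DirectorState())
        st.outstanding = max(0, st.outstanding - completed)
        return st.outstanding


def simulate_flood(window, enabled, rate_per_interval, capacity_per_interval,
                   intervals, director="director-1"):
    """Run a flood of rate_per_interval packets per sync interval against one
    Director that can complete capacity_per_interval requests per interval.
    Returns forwarded/dropped totals and the backlog left on the Director."""
    fc = FlowControl(window=window, enabled=enabled)
    for _ in range(intervals):
        fc.forward(director, rate_per_interval)
        st = fc.directors[director]
        fc.sync(director, min(capacity_per_interval, st.outstanding))
    st = fc.directors[director]
    return {"forwarded": st.forwarded, "dropped": st.dropped,
            "backlog": st.outstanding}


if __name__ == "__main__":
    # Constructed scenario: 3000 packets per interval against a Director that
    # completes 800 per interval, for five sync intervals.
    print("enabled :", simulate_flood(1000, True, 3000, 800, 5))
    print("disabled:", simulate_flood(1000, False, 3000, 800, 5))
```

With flow control enabled the Director's backlog never exceeds the window, while with it disabled the backlog grows by the uncompleted excess every interval.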

CHAPTER 8 Expanding the Cluster

This chapter describes how to expand the Alteon Switched Firewall cluster beyond the basic configuration. The cluster can be expanded in a variety of ways:

• A redundant Firewall Accelerator and extra Firewall Directors can be added to create a high-availability firewall. With a high-availability solution, the failure of any single component or network link will not cause the firewall to fail.
• Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline.
• Firewall Directors can be synchronized to provide stateful failover of sessions. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.

Each of these avenues for expansion is discussed in detail in the following sections.


Adding a Second Firewall Accelerator

As part of a high-availability firewall, a redundant Firewall Accelerator must be added to the cluster. The network topology for a typical high-availability firewall is shown below:

Figure 8-1 High-Availability Firewall Topology (figure: an Alteon Switched Firewall High-Availability Cluster with routers using Layer 2 VRRP interfaces, Layer 2 switches, two Firewall Accelerators, four Firewall Directors, the trusted network and Internet server farm, and the Check Point EMC)

For high-availability, each Firewall Accelerator is attached to the same networks using the same ports, and each has at least one Firewall Director. One of the Firewall Accelerators in this network acts as the master, and the other acts as a backup. Selection of the master is performed using Virtual Router Redundancy Protocol (VRRP).

The master Firewall Accelerator performs load balancing and firewall acceleration services for all active Firewall Directors in the cluster, including those that are attached to the backup. While the master Firewall Accelerator is healthy, the backup is passive and merely provides connectivity between its attached Firewall Directors and the master Firewall Accelerator. The backup mirrors sessions on the master, and will take over if the master fails.


Requirements

The installation of a redundant Firewall Accelerator is handled as an expansion to an existing cluster and requires the following:

• A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in Chapter 2, “Hardware Installation.”
• The basic cluster must already be configured with basic parameters as described in Chapter 3, “Initial Setup.”
• Optionally, the basic cluster can include additional Firewall Directors (attached to the master Firewall Accelerator), installed as described in “Adding Firewall Directors” on page 331.
• The redundant Firewall Accelerator being added must be identical to the existing Firewall Accelerator. You cannot mix different models of Firewall Accelerator in the same cluster.

Installing the New Firewall Accelerator

NOTE – No Firewall Directors should be attached to the redundant Firewall Accelerator while it is being initially installed and configured.

The redundant Firewall Accelerator should be physically installed as follows:

1. Make sure that the basic cluster is on and operational.

2. Rack mount the new Firewall Accelerator hardware. Heed the rack-mounting precautions noted on page 35, and mount the new Firewall Accelerator as described in “Rack-Mounting the Firewall Accelerator” on page 36.

3. Connect the power cable for the new Firewall Accelerator, but do not turn it on yet. Heed the power precautions noted on page 65, and attach power as described in “Connecting AC Power for the Firewall Accelerator” on page 65.


4. Connect the Inter-Accelerator Ports (IAP) together. By default, port 9 on each Firewall Accelerator is the IAP. If using the default, connect port 9 of the master Firewall Accelerator to port 9 of the redundant Firewall Accelerator. To change the IAP, see “Configuring the Inter-Accelerator Port” on page 343.

If dual physical connectors are available on the IAP, the connection can be made using either the gigabit SC fiber optic connector, the 10/100 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the copper link is used as the backup. The active link is then selected according to the redundant connector rules (see “Automatic Selection of Redundant Connections” on page 63).

5. Connect the trusted, untrusted and semi-trusted network feeds to the new Firewall Accelerator.

NOTE – For redundant operation, the same networks which are connected to the master Firewall Accelerator must be connected to the redundant Firewall Accelerator. Be sure to connect each network to the same port on both Firewall Accelerators.

In this example, since Network A is on port 1 and Network B is on port 2 of the master Firewall Accelerator, we must connect Network A to port 1 and Network B to port 2 on the backup as well.

6. Turn the new Firewall Accelerator on.


Configuring the New Firewall Accelerator

NOTE – The Firewall Accelerator cannot be configured through its own console port. Instead, configuration is performed using the Command Line Interface (CLI) as discussed in Chapter 5, or the Browser-Based Interface (BBI) as discussed in Chapter 6. The following procedures focus on the CLI method.

1. Connect to the CLI and log in as the administrator. Access the cluster CLI locally from any Firewall Director serial port, or remotely by establishing a Telnet or SSH session to the cluster Management IP (MIP) address.

2. Verify that the redundant Firewall Accelerator’s MAC address has been detected. Use the following command to verify whether auto-discovery is enabled and to display the detected MAC addresses:

>> # /cfg/acc/cur

If the MAC addresses have been correctly detected, proceed to Step 3. However, if auto-discovery is disabled, you can set the MAC address of the new Firewall Accelerator using the following command:

>> Accelerator Configuration# ac2/mac

where the MAC address is specified in hexadecimal XX:XX:XX:XX:XX:XX format.

3. Enable high-availability for the cluster:

>> Accelerator Configuration# /cfg/acc/ha y

4. Configure the new Firewall Accelerator IP address.

>> Accelerator Configuration# ac2/addr

The redundant Firewall Accelerator IP address must be a unique address on the same subnet as the master Firewall Accelerator.


5. Configure VRRP on each IP interface. During initial setup of the cluster, IP interfaces were configured for each trusted, untrusted, or semi-trusted network attached to the Firewall Accelerator. In this step, each IP interface is being given its own unique Virtual Router ID (VRID), and is assigned a Virtual Router IP (VRIP) address for each of the two Firewall Accelerators. Each VRIP address must be a unique IP address in the same subnet as the IP interface.

For example, continuing with the network shown in Figure 3-1 on page 73, there are two IP interfaces: IP Interface #1 uses 10.1.1.1 on Network A, and IP interface #2 uses 10.2.0.1 on Network B. The following configuration commands could be used:

>> # /cfg/net/if 1/vrrp                       (VRRP menu for interface 1)
>> VRRP Configuration# vrid 1                 (Set unique VRID to 1)
>> VRRP Configuration# ip1 10.1.1.100         (Set VRIP for Accelerator 1)
>> VRRP Configuration# ip2 10.1.1.101         (Set VRIP for Accelerator 2)
>> VRRP Configuration# /cfg/net/if 2/vrrp     (VRRP menu for interface 2)
>> VRRP Configuration# vrid 2                 (Set unique VRID to 2)
>> VRRP Configuration# ip1 10.2.0.100         (Set VRIP for Accelerator 1)
>> VRRP Configuration# ip2 10.2.0.101         (Set VRIP for Accelerator 2)

Make sure that all virtual routers have unique VRRP group IDs. The VRRP group ID is set using the command cfg/net/adv/vrrp/vrid. For more information on the command, see “Advanced VRRP Configuration Menu” on page 306.

6. Apply the changes.

>> VRRP Configuration# apply
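Step 5 states two rules that are easy to break by hand before the apply in Step 6: every VRID must be unique, and each VRIP must be a unique address inside its interface's subnet. The following checker is an added example, not part of the manual or of Nortel's software; it validates a planned configuration against those rules and renders the same commands shown above. The /24 prefix lengths in the sample plan are an assumption, since the manual's example does not show masks.

```python
"""Consistency check for the VRRP settings entered in Step 5.

Added example, not part of the manual or of Nortel's software. It verifies
the rules the procedure states before they are applied: every IP interface
gets its own unique VRID, and ip1 (VRIP for Accelerator 1) and ip2 (VRIP for
Accelerator 2) must each be a unique address inside the interface's subnet.
The interface table mirrors the Network A / Network B example; the /24 prefix
lengths are an assumption, since the manual's example does not show masks.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VrrpInterface:
    ifnum: int       # /cfg/net/if <n>
    addr: str        # IP interface address
    prefixlen: int   # assumed; not shown in the manual's example
    vrid: int        # unique Virtual Router ID
    ip1: str         # VRIP for Accelerator 1
    ip2: str         # VRIP for Accelerator 2


def check_vrrp(interfaces):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_vrids = {}   # vrid -> interface number that uses it
    seen_addrs = {}   # address -> where it was first used
    for itf in interfaces:
        subnet = ipaddress.ip_interface(f"{itf.addr}/{itf.prefixlen}").network
        if itf.vrid in seen_vrids:
            problems.append(f"if {itf.ifnum}: vrid {itf.vrid} already used by "
                            f"if {seen_vrids[itf.vrid]}")
        else:
            seen_vrids[itf.vrid] = itf.ifnum
        # The interface address and both VRIPs must be distinct and in-subnet.
        for label, a in (("addr", itf.addr), ("ip1", itf.ip1), ("ip2", itf.ip2)):
            if ipaddress.ip_address(a) not in subnet:
                problems.append(f"if {itf.ifnum}: {label} {a} is outside {subnet}")
            if a in seen_addrs:
                problems.append(f"if {itf.ifnum}: {label} {a} already used as "
                                f"{seen_addrs[a]}")
            else:
                seen_addrs[a] = f"if {itf.ifnum} {label}"
    return problems


def cli_commands(interfaces):
    """Render the plan as the CLI commands shown in Step 5 and Step 6."""
    lines = []
    for itf in interfaces:
        lines += [f"/cfg/net/if {itf.ifnum}/vrrp", f"vrid {itf.vrid}",
                  f"ip1 {itf.ip1}", f"ip2 {itf.ip2}"]
    lines.append("apply")
    return lines


# Constructed sample matching the manual's example networks.
PLAN = [
    VrrpInterface(1, "10.1.1.1", 24, 1, "10.1.1.100", "10.1.1.101"),
    VrrpInterface(2, "10.2.0.1", 24, 2, "10.2.0.100", "10.2.0.101"),
]

if __name__ == "__main__":
    issues = check_vrrp(PLAN)
    print("\n".join(issues) if issues else "\n".join(cli_commands(PLAN)))
```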


Adding Firewall Directors

Multiple Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline. Firewall traffic is load balanced among all Firewall Directors within the cluster, regardless of whether attached to the master or backup Firewall Accelerator.

Requirements

The installation of additional Firewall Directors is handled as an expansion to the existing cluster and requires the following:

• A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in Chapter 2, “Hardware Installation.”
• The basic cluster must already be configured with basic parameters as described in Chapter 3, “Initial Setup.”
• Optionally, the cluster can include a redundant Firewall Accelerator installed and configured as described in “Adding a Second Firewall Accelerator” on page 326.
• The redundant Firewall Director being added must be identical to the existing Firewall Director. You cannot mix different models of Firewall Director in the same cluster.

The following criteria are required to facilitate proper integration of the new equipment with the established cluster:

CAUTION—Any Firewall Director being added to the cluster must have the same version of Firewall OS as the other Firewall Directors in the cluster. See Chapter 9, “Upgrading the Software,” for more information.

CAUTION—Also, any Firewall Director being added to the cluster must be set to the factory default mode. If moving a previously configured Firewall Director from another established cluster, you must first delete the Firewall Director from the old cluster to reset its configuration. For more information, see the delete command in the iSD Host menu on page 204.


Installing the New Firewall Director

The additional Firewall Director should be physically installed as follows:

1. Make sure that the basic cluster is on and operational.

2. Rack mount the new Firewall Director hardware. Heed the rack-mounting precautions noted on page 35 and mount the new Firewall Accelerator as described in “Rack-Mounting the Firewall Director” on page 39.

3. Connect the power cable for the new Firewall Director, but do not turn it on yet. Heed the power precautions noted on page 65 and attach power as described in “Connecting AC Power for the Firewall Director” on page 65.

4. Connect the new Firewall Director to the Firewall Accelerator. By default, Firewall Accelerator ports 6 through 8 are reserved for Firewall Director connections. If using the defaults, connect the Firewall Director uplink port to an available port 6, 7, or 8 on any Firewall Accelerator. To change the Firewall Director uplink ports, see “Changing the Firewall Accelerator Ports” on page 343.

Firewall Accelerator ports 6 through 8 are reserved for Firewall Director connections. In our example, the new Firewall Director is attached to port 7 on the redundant Firewall Accelerator.

• Connecting an ASF 5010 Firewall Director: To sustain high levels of throughput, the high-capacity ASF 5010 Firewall Director should be connected only to a high-capacity ASF 5700 or 5600 Firewall Accelerator. Connect any of Firewall Accelerator ports 6 through 8 to the dedicated Firewall Director uplink port. The uplink port uses the gigabit fiber optic SC connector. The RJ-45 connector is not normally supported for ASF 5010 Firewall Director connections.
• Connecting an ASF 5008 Firewall Director: To avoid overwhelming the Firewall Director, the economy class ASF 5008 Firewall Director should be connected only to an economy class ASF 5400 or 5300 Firewall Accelerator. Connect any of Firewall Accelerator ports 6 through 8 to Firewall Director uplink port 1. The dedicated link uses a 10/100 Mbps RJ-45 connector.

NOTE – See “Network Connector and Cable Specifications” on page 59 for cable information.

5. Turn the new Firewall Director on.

NOTE – The newly added Firewall Director will not become fully operational until configuration is complete (see “Configuring the New Firewall Director” on page 333), trust is established with the Check Point management console, and firewall policies are loaded.


Configuring the New Firewall Director

Configure Cluster Properties

Newly installed Firewall Directors can be configured manually, or they can be configured automatically using Plug N Play processes on the established cluster.

To utilize Plug N Play, the cluster must be pre-configured with resource information, consisting of a list of available IP addresses. If local licensing is used, Check Point licenses must also be added. Then, when each new Firewall Director is detected, the cluster will automatically assign the pre-configured resources and bring the new device into the cluster.

By default, the Plug N Play feature is enabled without resources. The following procedure is used to enable Plug N Play and add resources. If you instead wish to configure the new Firewall Director manually, see “Manually Adding a Firewall Director” on page 338.

1. Log in to the cluster MIP address as an administrator. Although configuration can be performed using either the Command Line Interface (CLI) as discussed in Chapter 5, or the Browser-Based Interface (BBI) as discussed in Chapter 6, the following procedures focus on the CLI method.

NOTE – When using Plug N Play, do not log in to the newly installed Firewall Director’s serial port. Instead, connect to the cluster MIP address using established equipment.

2. Verify Plug N Play is enabled. The following command will show you whether Plug N Play is enabled and if any unused resources are available:

>> # /cfg/pnp/cur

If Plug N Play is enabled, and valid IP addresses and Check Point licenses are listed as unused, pre-configuration of resources has already been done and you can proceed to “Add Policies for the New Firewall Director” on page 335.

If Plug N Play is disabled, you must either enable it or configure the new Firewall Director manually. See “Manually Adding a Firewall Director” on page 338 for manual configuration. Otherwise, to enable Plug N Play, use the following command:

>> iSD IP and Firewall License# ena


3. Add resources for a new Firewall Director. Enter the following command:

>> iSD IP and Firewall License# add

You will be prompted for the following information:
• IP address. Enter an IP address for a new Firewall Director. The IP address must be in the same subnet as the cluster MIP address.
• One-time password. The one-time password entered here will be required later when establishing Secure Internal Communications (SIC) between the management station and the Firewall Director.
• Add a license: This is covered in the next step.

4. If local licensing is used, enter Check Point licensing information for the new Firewall Director. You will be prompted whether to add a Check Point license at this time:

Do you want to add a license (y/n)?

NOTE – If central licensing is used, enter n at the prompt. With central licensing, the license must be pushed from the management server before the firewall policy can be installed. For more information, see Chapter 3, “Initial Setup,” Step on page 94.

If local licensing is used, enter y at the prompt. You will then be asked to specify the following information:

Enter the Expiry date for the License:
Enter the Feature string:
Enter the License string:
Cannot validate this license now because the target host is not up and running now.
Do you want to add it any way? y
Successfully added License/IP...

The license information will be part of your Check Point package. The expected information will appear similar to the following example:
• Expiry date: 02aug2001
• Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
• License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn

Be sure to enter the information exactly as shown on your specific Check Point license.

NOTE – Each Firewall Director requires a separate license.


Add Policies for the New Firewall Director

1. Launch the Policy Editor software on your Check Point management client and log in using an administrator account.

2. Create a new workstation object to represent the newly installed Firewall Director. From the Policy Editor menu bar, select Manage | Network Objects. When the Network Objects window appears, click on the New button and select Workstation from the pop-up list.

3. Define the Firewall Director object parameters:

Enter the following information:
• Name: Any name to represent the newly installed Firewall Director.
• IP Address: The address of the newly installed Firewall Director. In this example, the address is 192.168.1.5.
• Version: Select NG Feature Pack-2.
• FireWall-1: Check this item from the list window.

NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.

Leave the Workstation Properties window open for use in the next step.


4. Establish trust between the Policy Editor and the Firewall Director. Check Point FireWall-1 NG uses a one-time password to initiate Secure Internal Communications (SIC) between configured objects and the management station. To establish SIC, click on the Communication button in the Workstation Properties window. The Communications window will appear:

Enter the same one-time SIC password that was defined when adding the new Firewall Director to the cluster in Step 3 on page 334 and click on the Initialize button. The management station will attempt to contact the Firewall Director and exchange security information. When successful, the window will indicate “Trust established.”

NOTE – Trust cannot be established if the cluster firewall software has been disabled (/cfg/fw/dis).

5. Close the Communications window and Workstation Properties window.

6. From the Policy Editor menu bar, select File | Save.

7. If using central licensing, install a license for the Firewall Director object.

NOTE – If local licensing was used when adding the new Firewall Director to the cluster in Step 4 on page 334, skip this step.

There are two ways to enter central licenses: using the Windows NT command line or the Secure Update portion of the management tools. Edit the c:\winnt\system32\drivers\etc\hosts file on the management server and add one line with the new Firewall Director IP address and name. For example:

192.168.1.5 isd2

Next, click on your desktop Start button and select Run. When the Run window appears, specify cmd as the program to open and click on the OK button. In the command window, enter the license installation command in the following format:

c:\winnt\fw1\5.0\bin\cprlic put


Use the Firewall Director name as entered in the hosts file earlier in this step. Be sure to enter the information exactly as shown on your specific Check Point license.

To verify that the central license is installed properly, log in as root on the Firewall Director and issue the following command:

cplic print -x -type

The output of this command should display the installed license information.

8. If necessary, create a gateway cluster object. The same policies must be installed on all the Firewall Directors in the cluster. Using a gateway cluster object, the administrator ensures that all Firewall Directors in the cluster are updated as a group.

If this is the first time you are adding a Firewall Director to an established cluster, you must create a gateway cluster object. If you created the gateway cluster object during a previous installation, there is no need to repeat this step.

To create a new gateway cluster object, right click on “Check Points”, “New”, and then “Gateway Cluster.”

Enter the following information:

• Name: Any name of your choosing to represent the gateway cluster.
• IP Address: The Interface IP address of the external network.
• Version: Select NG Feature Pack-2.

9. Add Firewall Director members to the gateway cluster object. Access the Gateway Cluster properties window. If not already displayed, right-click on the gateway cluster object and select Properties from the pop-up menu.

Click on the Cluster Members tab to add Firewall Directors as cluster members.

Select a Firewall Director and click OK. This process has to be repeated until all the Firewall Directors in the cluster are added as members.

Select the Security - Standard tab and right click on INSTALL ON column in the table. Select Add | Targets to show a list of gateway clusters.

Select the Alteon Switched Firewall gateway cluster object and click OK.


Manually Adding a Firewall Director

If Plug N Play is disabled on the cluster, newly installed Firewall Directors must be configured manually. To enable it for the cluster, use the /cfg/pnp/ena command. To disable it, use the /cfg/pnp/dis command. Plug N Play is enabled by default, but you must manually configure the IP addresses. To check the status of the Plug N Play feature on the cluster, use the /cfg/pnp/cur command.

The following procedure requires the Firewall Director to be physically installed as described in “Installing the New Firewall Director” on page 332. This includes mounting the device, powering it on, and connecting it to an existing cluster.

1. Connect directly to the new Firewall Director’s serial port.

NOTE – A new Firewall Director cannot be configured manually through the cluster MIP address. Access the CLI directly through the serial port of the device being installed (see “Connecting a Console Terminal” on page 68).

2. Log in using the default administrator account. Press on the console terminal to establish the connection. When the login prompt appears enter the default login name (admin) and the default password (admin):

login: admin
Password: admin (not displayed)

NOTE – Since the new Firewall Director is still set to factory defaults, you must use the default admin password regardless of whether the password has been changed on the rest of the cluster.

The special Setup utility menu should appear:

Welcome to the Alteon Switched Firewall initialization.
------[Setup Menu]
join    - Join an existing iSD cluster
new     - Initialize iSD as a new installation
offline - Initialize iSD for offline switchless maintenance
boot    - Boot Menu
exit    - Exit

>> Setup#


3. Join the new Firewall Director to the existing cluster:

>> Setup# join

4. Follow the onscreen prompts to manually configure the new Firewall Director.

Enter cluster admin user password: admin (not displayed)
Enter password again: admin (not displayed)
Enter this SFD’s IP: 192.168.1.5
Enter the cluster Master IP (MIP): 192.168.1.1
Enter Check Point SIC one-time password: (not displayed)
Enter password again:
......
Cluster has been joined successfully. Please relogin if any further setup is necessary.

5. If local licensing is used, enter the Check Point License. For example:

>> # /cfg/pnp/add
Enter the IP Address: 192.168.1.5
Enter the Expiry date for the License :25Oct2001
Enter the Feature string :cpsuite-eval-3des-ng CK-FDFA9AA20D27
Enter the License string :aWkxm4Pj6-zbcfsY7Ju-AUsu8FKvS-KrsokXokv

6. Complete the configuration by installing policies. Once the new Firewall Director has been manually added, policies must be installed. See “Add Policies for the New Firewall Director” on page 335 for the next steps in this process.


Synchronizing Firewall Directors

Firewall Directors can be synchronized to provide stateful failover of sessions. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.

There are two methods of synchronization. The first method uses the NAAP connection that already exists between the Firewall Director and Firewall Accelerator. This requires no additional cabling, but can impact ASF performance under heavy traffic. The second method isolates synchronization traffic using dedicated ports (10/100 Mbps port 2) on the Firewall Directors. Using the dedicated ports requires additional cabling, but can provide better performance under heavy traffic.

To achieve stateful failover, synchronization must be configured both on the Alteon Switched Firewall and on the Check Point management server as follows:

1. Make sure Alteon Switched Firewall synchronization is off. Log in to the Alteon Switched Firewall cluster MIP address using an administrator account and enter the following command to display the current synchronization settings:

>> # /cfg/fw/sync/cur

2. Depending on your synchronization method, define a network for use with synchronization traffic.

• Synchronizing with NAAP

Specify the base cluster network address. This is the unmasked portion of the IP addresses being used for the clustered Firewall Directors. Based on our previous examples, the Firewall Director IP addresses belong to the 192.168.1.0/24 network. To configure this example for synchronization with NAAP, you would enter the following command:

>> Sync Configuration# net 192.168.1.0

• Synchronizing with dedicated ports

When using the dedicated ports, a unique network address should be used for synchronization traffic. This network should not be on the same subnet as the MIP. For example:

>> Sync Configuration# net 192.168.2.0

NOTE – The synchronization network uses the same subnet mask specified in the System Menu netmask option (see page 202) to define the synchronization network range.
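The two rules in Step 2 (the NAAP sync network must be the one the Firewall Director addresses already belong to; the dedicated-port sync network must not share the MIP subnet) plus the NOTE about the shared netmask can be checked before typing the net command. The following is an added example, not code from the guide or the product; the function name, the method labels and all addresses are constructed.

```python
# Added example (not from the Alteon guide): sanity-check a planned synchronization
# network against the rules described in Step 2. All addresses are constructed.
import ipaddress


def check_sync_network(method, sync_net, netmask, mip, director_ips):
    """Return a list of problems; an empty list means the plan is consistent.

    method       : "naap" or "dedicated" (constructed labels for the two methods)
    sync_net     : base network address to enter with 'net', e.g. "192.168.1.0"
    netmask      : the System Menu netmask, which the sync network reuses
    mip          : the cluster Master IP (MIP)
    director_ips : IP addresses of the clustered Firewall Directors
    """
    problems = []
    # The sync network takes its range from the System Menu netmask.
    sync = ipaddress.ip_network(f"{sync_net}/{netmask}", strict=False)
    if str(sync.network_address) != sync_net:
        problems.append(f"{sync_net} is not the base address of {sync}; "
                        "enter the unmasked network address")
    mip_net = ipaddress.ip_network(f"{mip}/{netmask}", strict=False)

    if method == "naap":
        # NAAP sync rides the existing Director <-> Accelerator links, so the
        # sync network must be the cluster network the Directors already use.
        for ip in director_ips:
            if ipaddress.ip_address(ip) not in sync:
                problems.append(f"director {ip} is outside NAAP sync network {sync}")
    elif method == "dedicated":
        # Port 2 sync traffic needs its own subnet, separate from the MIP's.
        if sync.overlaps(mip_net):
            problems.append(f"sync network {sync} shares the MIP subnet {mip_net}")
    else:
        problems.append(f"unknown synchronization method {method!r}")
    return problems


if __name__ == "__main__":
    # Constructed plan matching the guide's example addresses.
    print(check_sync_network("naap", "192.168.1.0", "255.255.255.0",
                             "192.168.1.1", ["192.168.1.5", "192.168.1.6"]))
    print(check_sync_network("dedicated", "192.168.1.0", "255.255.255.0",
                             "192.168.1.1", ["192.168.1.5"]))
```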


3. Enable the synchronization network and apply the changes:

>> Sync Configuration# ena
>> Sync Configuration# apply

4. From the Check Point Policy Editor, update the firewall interface information. Start the Policy Editor application on your management client station. From within the Policy Editor, select a Firewall Director in the cluster and edit its properties. Select the Topology tab in the Properties window and click on the Get Interfaces button. Verify that the list of detected interfaces includes the appropriate Ethernet device with an IP address on the synchronization network defined in Step 2:

• For the ASF 5010: eth2
• For the ASF 5008: eth1

Repeat this step for each Firewall Director in the cluster.

5. From the Policy Editor, enable Check Point firewall synchronization. Select the Gateway Cluster in the Network Objects tree on the left side of the Policy Editor window. If necessary, click on the minus ( - ) icon in front of the Gateway Cluster to reveal its objects.

Check for a gateway cluster object representing the Alteon Switched Firewall. This object should have been created when a new Firewall Director was initially added to the existing cluster. If no object exists, see Step 8 through Step 9 starting on page 337.

Right click on the gateway cluster object and select Edit from the pop-up menu. When the properties dialog appears, select the Synchronization tab and check the “Use State Synchronization” box.

If there are already any synchronization networks defined, delete them.

Next, click on the Add button to add a synchronization network and enter the following information:

• Network Name: Enter your choice of network name to represent the synchronized network.
• IP Address: Enter the base network IP address which will be used for synchronization. This should be the same address specified in Step 2.

Click OK to add the configured synchronization network.


6. From the Policy Editor, re-install the security policies on the firewall cluster.

7. If using the dedicated synchronization ports, connect all Firewall Director SyncNet ports together.

NOTE – Skip this step if using NAAP for firewall synchronization traffic.

Connect synchronization port 2 on all Firewall Directors in the cluster. If connecting the ports directly together, use a crossover network cable. If connecting the ports through a hub or layer-2 switch, use a straight-through network cable.

If there are more than two Firewall Directors in the cluster, connect all of them together through a hub or layer-2 switch using straight-through network cables. In such a case, synchronization port 2 of all the Firewall Directors should be connected to the hub or layer-2 switch.


Changing the Firewall Accelerator Ports

Configuring the Inter-Accelerator Port

Changing the Port Number

The Inter-Accelerator Port (IAP) is used to connect the master and backup Firewall Accelerators together in a high-availability cluster. By default, Firewall Accelerator port 9 is used as the IAP. However, the IAP can be configured to use a different Firewall Accelerator port.

Although it is possible, it is not recommended to use ports 1 through 5 for the IAP. By default, ports 1 through 5 are reserved for network connections.

The IAP number must be the same for both Firewall Accelerators. Use the following commands:

>> # /cfg/acc/ac1/iap
>> # /cfg/acc/ac2/iap
>> # /cfg/net/port /naap y

NOTE – Since port 9 is the default IAP, NAAP is enabled on that port by default. If you use port 9 for network traffic, be sure to disable NAAP on port 9.

Changing the Link Settings

Where dual physical connectors are available on the Inter-Accelerator Port (IAP), connection can be made using either the gigabit SC fiber-optic connector, the 10/100 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the 10/100 Mbps copper link is used as the backup. The active link is then selected according to the redundant connector rules (see “Automatic Selection of Redundant Connections” on page 63).

If the device does not support auto-negotiation, then you may change the default behavior and specify which of the dual links can be used as the preferred link, and which can be used as the backup. However, it is recommended to use the gigabit link on the ASF 5010 to reach the maximum number of sessions per second.


• To select the preferred link:

>> # /cfg/net/port /pref gig|fast

where gig specifies the gigabit optical link and fast specifies the 10/100 Mbps copper link.

• To select the backup link:

>> # /cfg/net/port /back gig|fast

Configuring the Firewall Director Uplink Ports

By default, Firewall Accelerator ports 6, 7, and 8 are reserved for connecting Firewall Directors. However, Firewall Directors can be attached to the Firewall Accelerator on any port that has NAAP enabled.

To configure any Firewall Accelerator port for use with a Firewall Director, use the following commands:

>> # /cfg/net/port /naap y
>> # /cfg/net/port /ena

Configuring the Network Ports

By default, Firewall Accelerator ports 1 through 5 are reserved for connecting trusted, untrusted, and semi-trusted networks. However, network traffic can be attached to the Firewall Accelerator on any port where NAAP is disabled.

To configure any Firewall Accelerator port for use with a trusted, untrusted, or semi-trusted network, use the following command to disable NAAP:

>> # /cfg/net/port /naap n
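The port rules in this section (the IAP must match on both Accelerators and should stay off ports 1 through 5; NAAP stays on for Director uplinks and the IAP, off for network ports, and port 9 has NAAP on by default) can be turned into a plan check run before any port is reconfigured. This is an added example, not code from the guide or the product; the role names, the function and the port plan are constructed.

```python
# Added example (not from the Alteon guide): derive the NAAP setting each Firewall
# Accelerator port needs from the role planned for it, and flag the conflicts the
# text above warns about. Role names and the sample plan are constructed.
DEFAULT_IAP = 9
# Factory defaults as described in the guide: ports 1-5 carry networks (NAAP off),
# ports 6-8 connect Directors (NAAP on), port 9 is the IAP (NAAP on).
DEFAULT_NAAP = {port: port >= 6 for port in range(1, 10)}
ROLES = ("network", "director", "iap", "unused")


def plan_ports(roles, iap_ac1, iap_ac2):
    """roles maps port number -> role from ROLES (unlisted ports are 'unused').
    iap_ac1 / iap_ac2 are the IAP port numbers configured on each Accelerator.
    Returns (naap, warnings): naap maps port -> True if NAAP must be enabled."""
    warnings = []
    if iap_ac1 != iap_ac2:
        warnings.append(f"IAP must be the same on both Accelerators "
                        f"(ac1={iap_ac1}, ac2={iap_ac2})")
    iap = iap_ac1
    if 1 <= iap <= 5:
        warnings.append(f"port {iap} as IAP is possible but not recommended; "
                        "ports 1-5 are reserved for network connections")

    naap = {}
    for port in range(1, 10):
        role = roles.get(port, "unused")
        if role not in ROLES:
            raise ValueError(f"port {port}: unknown role {role!r}")
        if port == iap:
            # The inter-Accelerator link runs over NAAP.
            if role not in ("iap", "unused"):
                warnings.append(f"port {port} is the IAP but is also planned as {role}")
            naap[port] = True
        elif role == "network":
            # Trusted, untrusted and semi-trusted networks need NAAP disabled.
            naap[port] = False
            if port == DEFAULT_IAP:
                warnings.append("port 9 carries network traffic: NAAP is enabled "
                                "there by default and must be disabled")
        elif role == "director":
            # Firewall Directors attach to any port with NAAP enabled.
            naap[port] = True
        elif role == "iap":
            warnings.append(f"port {port} is planned as IAP but the IAP is "
                            f"configured on port {iap}")
            naap[port] = True
        else:
            naap[port] = DEFAULT_NAAP[port]
    return naap, warnings


if __name__ == "__main__":
    # Constructed plan: two network ports, two Directors, IAP left on port 9.
    plan = {1: "network", 2: "network", 6: "director", 7: "director", 9: "iap"}
    naap, warnings = plan_ports(plan, 9, 9)
    for port in sorted(naap):
        print(f"port {port}: naap {'y' if naap[port] else 'n'}")
    print("warnings:", warnings)
```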

CHAPTER 9 Upgrading the Software

This chapter describes the steps involved in upgrading a previous version of ASF to version 3.0 and in upgrading from ASF version 3.0 to a higher version of the software.

Upgrading to Version 3.0

To upgrade your Alteon Switched Firewall to version 3.0, you will need the following:

• An Alteon Switched Firewall running software version 1.0.41.0 or higher
• Command Line Interface (CLI) access to the Alteon Switched Firewall via local console terminal or to the cluster MIP address through a remote Telnet or SSH connection.
• The version 3.0 software upgrade package (identified by the .pkg extension) loaded on an FTP server on your network. The FTP server must allow anonymous login.
• The host name or IP address of the FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 201.
• See your release notes for any other upgrade limitations or restrictions.

Typically, the cluster Firewall Accelerator software is automatically upgraded along with the cluster Firewall Directors. However, to manually upgrade the Firewall Accelerator, see “Manually Upgrading the Firewall Accelerator” on page 396.

To install the upgrade, use the following procedure.

1. Begin with a fully operational system. Ensure that trust is established between the Alteon Switched Firewall and the Check Point Enterprise Management Console or Policy Editor. Verify that network traffic passes properly through the firewall.

2. If necessary, upgrade your Check Point EMC and management clients.


If you will be using Check Point Feature Pack-2 on the Alteon Switched Firewall, you must upgrade any stations running the Check Point EMC or management clients to use Feature Pack-2. See your complete Check Point documentation for upgrade procedures.

3. Load the Alteon Switched Firewall 3.0.2.0 upgrade package into the Alteon Switched Firewall. To load the software package, log in to the Alteon Switched Firewall Command Line Interface (CLI) and issue the following menu command:

>> Main# /boot/software/download

4. When prompted, enter the protocol FTP to download the upgrade package. TFTP will not work because the upgrade package file is greater than 32MB.

Select TFTP or FTP [tftp/ftp]: ftp

5. When prompted, enter the host name or IP address of the server.

Enter FTP server host:

6. Enter the name of the new software file on the server.

Enter filename on server:

7. Wait for the software to complete loading. If no problems are encountered, when the download is complete, the size of the downloaded file will be reported, followed by an “ok” message and the CLI menu prompt.

Received 13056048 bytes in 27.2 seconds

ok

>> Software Management#

8. Inspect the status of the software:

>> Software Management# cur
Version   Name  Status
------------------------------
3.0.2.0   tng   unpacked
2.0.3.0   tng   permanent


The downloaded software upgrade package is indicated with the status unpacked. In this example, version 3.0.2.0 is being installed.

9. Activate the desired upgrade package:

>> Software Management# activate (in this example: 3.0.2.0)
Confirm action ’activate’? [y/n]: y
Activate ok, relogin
Restarting system.

login:

NOTE – After activating the new version, the Firewall Directors will reboot. When they have rebooted, there may be a brief period of time during which the new menus may not yet be initialized. If this occurs, log out and then log back in again after a brief wait.

10. When the system reboots, log in again and check the software status:

>> Main# /boot/software/cur
Version   Name  Status
------------------------------
3.0.2.0   tng   permanent
2.0.3.0   tng   old

In this example version 3.0.2.0 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent now is marked as old.

NOTE – At this point, your firewall will still be running, but may have turned firewall acceleration off.


11. Use the CLI to upgrade the Alteon Switched Firewall to the appropriate Feature Pack. Use the Firewall Software Menu to see the firewall upgrade options for the current release. For example:

>> Main# /cfg/fw/software
------[Firewall Software Menu]
fp2   - Upgrade to Check Point Feature Pack 2
fp2hf - Upgrade to Check Point Feature Pack 2 Hotfix 1
fp3   - Upgrade to Check Point Feature Pack 3
cur   - Display current version of firewall software

>> Firewall Software#

Select the upgrade you wish to install. When the software is upgraded, wait for the cluster to reboot.

12. In the Check Point Policy Editor on your management client, change the version ID of the firewall cluster object.

13. If you have upgraded to Feature Pack-1, re-establish trust between the management station and the firewall cluster.

14. Push your policies to the upgraded Alteon Switched Firewall cluster.

15. Verify that traffic again passes through the firewall.


Upgrading Version 3.0 to a Higher Version

Proper operation of the Alteon Switched Firewall relies on the software running on the Firewall Accelerators and Firewall Directors, as well as on the Check Point management devices. From time to time, it may become necessary to upgrade one or more of the software components. This chapter describes the different types of software upgrades and provides detailed procedures as necessary.

Overview of Upgrade Tasks

Upgrading the software on your Alteon Switched Firewall consists of the following tasks:

• Verifying compatibility
• Identifying the type of upgrade you wish to install
• Loading the new software upgrade package or install image onto an FTP server on your network
• Downloading the new software from the FTP server to your Alteon Switched Firewall
• Activating the new software image on your Alteon Switched Firewall cluster.

Compatibility

When upgrading any software component, take care to ensure that appropriate and compatible versions of software are installed. Be sure to check any accompanying release notes for software compatibility and special installation instructions.

The following versions of software are required for this release:

• Alteon Switched Firewall Release 3.0: This software resides on each Firewall Director and Firewall Accelerator in the cluster. A version is included on CD-ROM with each Alteon Switched Firewall component and is pre-installed on the devices. Upgrades are performed using the Alteon Switched Firewall Single System Image (SSI), where all cluster software is updated simultaneously. The SSI includes the Firewall OS, Accelerator OS, and built-in Check Point firewall software.
• Check Point Enterprise Management Console: This software resides on administrator workstations in your network (not on the Alteon Switched Firewall). It is used to install, maintain, and monitor security policies for all your network’s firewalls. One Check Point Enterprise Management Console (EMC) is required, along with one or more Check Point Management Clients such as the Policy Editor.
• Check Point Feature Pack-2: This is a software upgrade required for the workstations running the Check Point EMC and Management Clients.


Types of Upgrade

There are three major classes of software upgrades that may be required for maintaining the Alteon Switched Firewall: those that affect the Alteon Switched Firewall SSI, those that target only the Alteon Switched Firewall’s built-in Check Point firewall software, and those that are installed on Check Point management stations outside the cluster.

Alteon Switched Firewall SSI Upgrades

The following upgrades affect the Alteon Switched Firewall SSI.

• Major Releases: This type of upgrade may contain important software corrections and feature enhancements for the Alteon Switched Firewall. It may affect any or all SSI components: the Firewall OS, Accelerator OS, or built-in Check Point firewall software. The Alteon Switched Firewall will automatically reboot after a major upgrade, in order to initialize new features. All configuration data is retained.
• Minor Releases: This type of upgrade typically corrects minor software problems on the Alteon Switched Firewall. Minor upgrades can usually be installed without rebooting the cluster. All configuration data is retained.
• Patches: This type of upgrade corrects individual software issues on the Alteon Switched Firewall. Patches are usually extremely small and target specific sub-files in the SSI. Patches can usually be installed without rebooting the cluster, retaining normal operational traffic flow. All configuration data is retained.

Built-In Firewall Software Upgrades

The following upgrades are obtained separately from Check Point and can be used to enhance the Alteon Switched Firewall’s built-in Check Point software:

• Check Point Feature Pack: This type of upgrade may contain important firewall software corrections and feature enhancements. This may be necessary to ensure compatibility with the Check Point software installed on the supporting management stations. The Alteon Switched Firewall may automatically reboot after installation of a feature pack. All configuration data is retained.
• Check Point Hotfix: This type of upgrade corrects minor software problems in the Check Point software built into the Alteon Switched Firewall. Hotfixes can usually be installed without rebooting the cluster, retaining normal operational traffic flow. All configuration data is retained.


Check Point Software Tool Station Upgrades

• EMC or management client Check Point Feature Pack
• EMC or management client Hotfix

Installing a Minor/Major Release Upgrade

To install a minor or major release upgrade on your Alteon Switched Firewall, you will need the following:

• CLI access via local console terminal or to the cluster MIP address through a remote Telnet or SSH connection.
• The software upgrade package loaded on an FTP server on your network. The FTP server must allow anonymous login.
• The host name or IP address of the FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 201.
• A firewall rule that allows FTP traffic (and DNS traffic if using a host name) to pass to and from the Firewall Directors.
• The name of the software upgrade package (upgrade packages are identified by the .pkg extension).

All of the cluster components cooperate to provide a single system view. Thus, you need only to connect to the cluster MIP address to perform a cluster-wide software upgrade. The upgrade will be automatically extended to all the cluster components which are in operation at the time of the upgrade. All configuration data is retained.

Access can be accomplished via local serial port, or remote Telnet or SSH (Secure Shell) connection. Note, however, that Telnet and SSH connections are disabled by default, and if desired, must be manually configured after you have set up the initial cluster. For more information about enabling Telnet and SSH connections, see Chapter 5, “The Command Line Interface,” on page 101.

Once you have logged in to the CLI, use the following procedure.

1. At the Main menu prompt, enter the following command:

>> Main# /boot/software/download


2. When prompted, enter the protocol FTP to download the upgrade package.

Select TFTP or FTP [tftp/ftp]: ftp

3. When prompted, enter the host name or IP address of the FTP server.

Enter FTP server host:

4. Enter the name of the new software file on the FTP server.

Enter filename on server:

5. Wait for the software to complete loading. If no problems are encountered, when the download is complete, the size of the downloaded file will be reported, followed by an “ok” message and the CLI menu prompt.

Received 13056048 bytes in 27.2 seconds

ok

>> Software Management#

Once the upgrade is loaded, it must be activated.


Activating the Software Upgrade Package

The Alteon Switched Firewall can hold up to two versions of the same major software release simultaneously (version 3.0 and version 3.1 for example). To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the Alteon Switched Firewall, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which may cause the Alteon Switched Firewall to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.

For minor and major releases, the software change takes place synchronously among the components in a cluster. If one or more components are not operational when the software is upgraded, they will be automatically upgraded with the new version when they are started.

NOTE – If more than one software upgrade has been performed to a cluster while a Firewall Accelerator or Firewall Director has been out of operation, the device must be reinstalled with the software version currently in use in that cluster. For more information see “Reinstalling the Software” on page 355.

When you have downloaded the software upgrade package, you can inspect its status and activate it using the following commands.

1. Inspect the status of the software:

>> Main# /boot/software/cur
Version   Name  Status
------------------------------
3.1.6.0   tng   unpacked
3.0.32.0  tng   permanent

The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one out of four possible status values. The meaning of these status values is as follows:

• unpacked means that the software upgrade package has been downloaded and automatically decompressed.
• current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent.


• permanent means that the software is operational and will survive a reboot of the system.
• old means the software version has been permanent but is not currently operational. If a software version marked old is available, it is possible to switch back to this version by activating it again.

2. Activate the desired software package:

>> Software Management# activate 3.1.6.0
Confirm action ’activate’? [y/n]: y
Activate ok, relogin
Restarting system.

login:

As a result of running the activate command, you will be logged out and have to log in again. The reason for this is the CLI menus may be upgraded. Wait until the login prompt appears again, which may take up to two minutes depending on whether the system reboots.

3. Log in again and check the software status again:

>> Main# /boot/software/cur
Version   Name  Status
------------------------------
3.1.6.0   tng   permanent
3.0.32.0  tng   old

In this example version 3.1.6.0 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent now is marked as old.

NOTE – If you encounter serious problems while running the new software version, you can revert to the previous software version (now indicated as old). To do this, activate the software version number indicated as old. When you log in again after having activated the old software version, its status is indicated as current for a short while. After about one minute, when the system has performed the necessary health checks, the current status is changed to permanent.
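The status transitions described in this section (download marks a package unpacked; activate turns the previous permanent version old and the new one current; health checks promote current to permanent; an old version can be re-activated to roll back) form a small state machine. The following is an added example that models it, not code from the guide or the product; the class, its method names and the rule for freeing a slot when both are occupied are assumptions, while the version numbers are the ones this section uses.

```python
# Added example (not from the Alteon guide): a model of the status table shown by
# /boot/software/cur, following the status rules described in this section.
# The class and methods are assumed; the rule that an 'old' image gives up its
# slot when a third version is downloaded is an assumption, not guide text.
class SoftwareSlots:
    """Two slots for versions of one major release, each with a status value."""

    def __init__(self, permanent_version):
        self.status = {permanent_version: "permanent"}

    def download(self, version):
        """A downloaded package is decompressed automatically and marked unpacked."""
        if len(self.status) >= 2:
            old = [v for v, s in self.status.items() if s == "old"]
            if not old:
                raise RuntimeError("both slots are in use and neither is old")
            del self.status[old[0]]  # assumption: the old image is replaced
        self.status[version] = "unpacked"
        return self.status[version]

    def activate(self, version):
        """Activate an unpacked or old version. The version that was permanent
        becomes old; the activated one is current until health checks pass."""
        state = self.status.get(version)
        if state not in ("unpacked", "old"):
            raise ValueError(f"{version} is {state}; only unpacked or old "
                             "versions can be activated")
        for v, s in self.status.items():
            if s in ("permanent", "current"):
                self.status[v] = "old"
        self.status[version] = "current"
        return "Activate ok, relogin"

    def health_checks_passed(self):
        """After the health checks (about a minute) current becomes permanent."""
        for v, s in self.status.items():
            if s == "current":
                self.status[v] = "permanent"
                return v
        return None

    def revert(self):
        """Switch back to the version marked old, as the NOTE above describes."""
        old = [v for v, s in self.status.items() if s == "old"]
        if not old:
            raise RuntimeError("no old version to revert to")
        return self.activate(old[0])

    def cur(self):
        """Render the table the way the CLI 'cur' command lays it out."""
        def key(v):
            return tuple(int(part) for part in v.split("."))
        rows = [f"{v:<10}tng   {self.status[v]}"
                for v in sorted(self.status, key=key, reverse=True)]
        return "\n".join(["Version   Name  Status", "-" * 30] + rows)


if __name__ == "__main__":
    slots = SoftwareSlots("3.0.32.0")
    slots.download("3.1.6.0")
    print(slots.cur(), "\n")
    print(slots.activate("3.1.6.0"))
    slots.health_checks_passed()
    print(slots.cur(), "\n")
    slots.revert()  # roll back to 3.0.32.0
    print(slots.cur())
```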


Reinstalling the Software

Reinstalling the software is seldom required. It is usually only necessary after a serious malfunction, or when adding a new Firewall Director to a cluster with a different software version.

Reinstallation resets the Firewall Director configuration to factory defaults. All previous data and software is erased, including old software image versions and upgrade packages.

Follow this procedure to reinstall the Firewall OS software:

1. Log in to the Firewall Director using the administrator account.

2. Obtain an Alteon Switched Firewall bootable CD-ROM and place it in the Firewall Director CD-ROM drive.

3. Reboot the Firewall Director: issue and confirm the following command:

>> # /boot/reboot

4. When the system reboots, log in as root (no password is necessary when booting from the CD-ROM).

root

5. Issue the following installation command, depending on the Firewall Director. For example,

install-tng asf-5008-1650 (For the ASF 5008)

or

install-tng asf-5010-1650 (For the ASF 5010)

NOTE – The command must be entered in lower case.

6. Wait for the installation script to finish. If the Firewall Director doesn’t reboot automatically, take the software CD-ROM out and reboot the Firewall Director.

7. Log in using the administrator account. The installation is complete. The new Firewall Director is now ready to be installed as part of a new cluster (see Chapter 3, “Initial Setup,” on page 71) or added to an existing cluster (see Chapter 8, “Expanding the Cluster,” on page 325).


CHAPTER 10 Routing Information Protocol

In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP).

Distance Vector Protocol

RIP is known as a distance vector protocol. The vector is the network number and next hop, and the distance is the cost associated with the network number. RIP identifies network reachability based on cost, and cost is defined as hop count. One hop is considered to be the distance from one device to the next, which is typically 1. This cost or hop count is known as the metric.

When a Firewall Director holding the MIP receives a routing update that contains a new or changed destination network entry, it adds 1 to the metric value indicated in the update and enters the network in the routing table. The IP address of the sender is used as the next hop.

Stability

RIP version 1 was distributed in the early years of the Internet and advertised default (classful) network addresses without subnet masks. RIP is stable, widely supported, and easy to configure. Use RIP in stub networks and in small autonomous systems that do not have many redundant paths.

RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and holddown mechanisms to prevent incorrect routing information from being propagated.

RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. A destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is, infinity). This limits the maximum diameter of a RIP network to less than 16 hops.


RIP and ASF

In ASF 3.0, Nortel has added support for the RIP v1 and v2 routing protocols. This feature allows you to enable or disable RIP globally and on a per interface basis. You can also select the version of RIP to be enabled per interface or globally.

This implementation of RIP currently allows for up to 2048 total routes, which include the default routes, interfaces, static routes, and routes learned dynamically from RIP or OSPF. In order for RIP to be turned on, the auto local routes function must be disabled using the /cfg/net/adv/local/auto no command.

Loop prevention is performed through the use of the split horizon algorithm, which prevents the re-broadcast of a route on the same interface that it was received on. Poison reverse is used to send routing updates with a hop count of 16 for dead routes.

Routing Updates

RIP sends routing-update messages at regular intervals and when the network topology changes. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router does not receive an update from another router within 90 seconds, it marks the routes served by the non-updating router as being unusable. If no update is received within 240 seconds, the router removes all routing table entries for the non-updating router.

When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination.
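The update-processing and advertisement rules described under “Distance Vector Protocol”, “RIP and ASF” and “Routing Updates” above, as an added Python example that is not part of this guide or of the Firewall OS software. The interface names, sender addresses and the metric of 1 assumed for directly connected networks are constructed for illustration; split horizon withholds learned routes from the interface they arrived on, and dead routes are poisoned with metric 16, as the text describes.

```python
"""Toy RIP route table: metric handling, timers, split horizon and poison reverse.
Added example, not Firewall OS code; all addresses and interface names are constructed."""
from dataclasses import dataclass

INFINITY = 16          # metric 16 means unreachable
TIMEOUT = 90           # seconds without an update: route marked unusable
GARBAGE = 240          # seconds without an update: route deleted
CONNECTED_METRIC = 1   # hop count assumed here for directly connected networks


@dataclass
class Route:
    network: str     # destination network, e.g. "10.0.2.0/24"
    metric: int      # hop count to the destination
    next_hop: str    # sender the route was learned from ("" for a connected network)
    iface: str       # interface the update arrived on (or the connected interface)
    updated: float   # time of the last update for this route


class RipTable:
    def __init__(self):
        self.routes = {}

    def add_connected(self, network, iface, now):
        self.routes[network] = Route(network, CONNECTED_METRIC, "", iface, now)

    def process_update(self, sender, iface, entries, now):
        """Apply one received update; entries are (network, metric) pairs.
        Returns the list of networks whose table entry changed."""
        changed = []
        for network, metric in entries:
            # Add one hop for the link to the sender; 16 stays 16 (unreachable).
            new_metric = min(metric + 1, INFINITY)
            cur = self.routes.get(network)
            if cur is None:
                # Unknown network: install it unless the sender says it is unreachable.
                if new_metric < INFINITY:
                    self.routes[network] = Route(network, new_metric, sender, iface, now)
                    changed.append(network)
            elif cur.next_hop == sender:
                # Same next hop: refresh the timer and accept the new metric, even if worse.
                if new_metric != cur.metric:
                    changed.append(network)
                cur.metric, cur.updated = new_metric, now
            elif new_metric < cur.metric:
                # A different sender offers a better route: only the best route is kept.
                self.routes[network] = Route(network, new_metric, sender, iface, now)
                changed.append(network)
        return changed

    def expire(self, now):
        """Timer processing: mark stale routes unusable (90 s), delete dead ones (240 s)."""
        for net in list(self.routes):
            r = self.routes[net]
            if not r.next_hop:
                continue  # connected networks never time out
            age = now - r.updated
            if age > GARBAGE:
                del self.routes[net]
            elif age > TIMEOUT:
                r.metric = INFINITY

    def advertisement(self, iface):
        """Entries sent out of iface: split horizon drops routes that belong to that
        interface, dead routes are advertised with metric 16 (poison reverse)."""
        out = []
        for r in self.routes.values():
            if r.metric >= INFINITY:
                out.append((r.network, INFINITY))
            elif r.iface != iface:
                out.append((r.network, r.metric))
        return sorted(out)
```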


Configuring for Route Redistribution

Alteon Switched Firewall can redistribute routes from other protocols into RIP or OSPF domains. ASF can redistribute connected, OSPF, static, default gateway, and fictitious routes into RIP routes. In this example, ASF is redistributing OSPF routes into a RIP domain.

[Figure 10-1: the Alteon Switched Firewall acts as ASBR between an OSPF domain (Area 0.0.0.0, Router 1 at 100.100.2.80, connected to the ASF interface 100.100.2.1) and a RIP domain (Router 2 at 100.100.3.150, connected to the ASF interface 100.100.3.1). OSPF routes enter from the OSPF side and leave as RIP routes on the RIP side.]

Figure 10-1 Redistributing OSPF Routes into RIP

In Figure 10-1 the Alteon Switched Firewall is configured as an ASBR between two domains, OSPF and RIP. The ASF is connected to two routers, Router 1 in the OSPF domain and Router 2 in the RIP domain. ASF is required to advertise the OSPF routes from the OSPF domain into the RIP domain. In this example, two IP interfaces are needed on the ASF: one for the OSPF domain on 100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.

1. Configure the IP interface to the backbone router for the OSPF domain that is connected to port 1 of the Alteon Switched Firewall.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 100.100.2.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 100.100.2.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # port/add 1 (Add port 1 to interface 1)


2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon Switched Firewall.

>> # /cfg/net/if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 100.100.3.1 (Specify IP address for RIP domain)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 100.100.3.255 (Set broadcast address)
>> Interface 2 # ena (Enable IP interface 2)
>> Interface 2 # port/add 2 (Add port 2 to interface 2)

3. Configure the IP address for the Accelerator.

>> # /cfg/acc/ac1/addr 10.10.1.45 (Specify IP address for accelerator)

4. Disable auto for local network.

>> # /cfg/net/adv/local/auto n (Disable auto for local networks)

5. Enable OSPF for interface 1.

>> # /cfg/net/route/ospf/if 1/ena (Enable OSPF for interface 1)

6. Enable OSPF globally.

>> # /cfg/net/route/ospf/ena (Enable OSPF globally)

7. Enable RIP on interface 2 and specify the RIP version if required.

>> # /cfg/net/route/rip/if 2/ena (Enable RIP for interface 2)

8. Enable RIP globally.

>> # /cfg/net/route/rip/ena (Enable RIP globally)

Configure OSPF on Router 1 and verify that the Alteon Switched Firewall and Router 1 are able to send and receive routes between them. Configure Router 1 to send OSPF routes to the Alteon Switched Firewall. Check the routing table on Router 2 and confirm that these routes are not advertised to or installed in Router 2, because it is not an OSPF router.


9. Configure the ASF to convert the OSPF routes into RIP routes.

>> # /cfg/net/route/rip/redist/ospf/ena (Redistribute OSPF routes into RIP)

When routes are redistributed, you must define a metric that the receiving protocol understands. If you want to change the metric of the redistributed routes, enter the new metric under /cfg/net/route/rip/redist/ospf/metric.

10. Apply the configuration changes.

>> RIP OSPF Route Redistribution# apply

Verify that Router 2 is able to see all the routes from the OSPF domain.


CHAPTER 11 Open Shortest Path First

The Alteon Switched Firewall supports the Open Shortest Path First (OSPF) routing protocol. This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss current OSPF support:

• “OSPF Overview” on page 363. This section provides information on OSPF concepts: types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
• “Alteon Switched Firewall OSPF Implementation” on page 368. This section gives you information specific to the Alteon Switched Firewall implementation of OSPF: configuration parameters, electing the designated router, summarizing routes, and so forth.
• “OSPF Configuration Examples” on page 374. This section provides step-by-step instructions on configuring four different configuration examples:
  - Creating a simple OSPF domain
  - Creating virtual links
  - Summarizing routes
  - Redistributing routes

OSPF Overview

OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas.

All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby significantly reducing the overhead for maintaining routing information on a large, dynamic network.

The following sections describe key OSPF concepts.


Types of OSPF Areas

An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed.

As shown in Figure 11-1, OSPF defines the following types of areas:

• Stub Area—an area that is connected to only one other area. External route information is not distributed into stub areas.
• Not-So-Stubby-Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but are not distributed into other areas.
• Transit Area—an area that allows area summary information to be exchanged between routing devices. The backbone (area 0), any area that contains a virtual link to connect two areas, and any area that is not a stub area or an NSSA are considered transit areas.

[Figure 11-1: the backbone, Area 0 (also a transit area), connects through ABRs to a stub area (no external routes from the backbone), a transit area, and a not-so-stubby area (NSSA); internal LSA routes flow between them. An ASBR connects a non-OSPF RIP/BGP AS and injects external LSA routes. A virtual link connects an area to the backbone through the transit area. ABR = Area Border Router, ASBR = Autonomous System Boundary Router.]

Figure 11-1 OSPF Area Types


Types of OSPF Routing Devices

As shown in Figure 11-2, OSPF uses the following types of routing devices:

• Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
• Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.
• Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes.

[Figure 11-2: an OSPF autonomous system with the backbone, Area 0, at the center; ABRs connect Areas 1, 2, and 3 and exchange inter-area (summary) routes, an internal router sits inside an area, and ASBRs inject external routes learned from BGP and RIP.]

Figure 11-2 OSPF Domain and an Autonomous System

Neighbors and Adjacencies

In areas with two or more routing devices, neighbors and adjacencies are formed.

Neighbors are routing devices that maintain information about each other’s health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors.

Adjacencies are neighbors that exchange OSPF database information. In order to limit the number of database exchanges, not all neighbors in an area (IP network) become adjacent to each other. Instead, the hello process is used for electing one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR).


The DR is adjacent to all other neighbors and acts as the central contact for database exchanges. Each neighbor sends its database information to the DR, which relays the information to the other neighbors.

Because of the overhead required for establishing a new DR in case of failure, the hello process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR will take over the task of distributing database information to the other neighbors.

The Link-State Database

OSPF is a link-state routing protocol. A link represents an interface (or routable path) from the routing device. By establishing an adjacency with the DR, each routing device in an OSPF area maintains an identical Link-State Database (LSDB) describing the network topology for its area.

Each routing device transmits a Link-State Advertisement (LSA) on each of its interfaces. LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute LSAs between routing devices.

When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors.

OSPF routing updates occur only when changes occur, instead of periodically. For each new route, if an adjacency is interested in that route (for example, if configured to receive static routes and the new route is indeed static), an update message containing the new route is sent to the adjacency. For each route removed from the route table, if the route has already been sent to an adjacency, an update message containing the route to withdraw is sent.

The Shortest Path First Tree

The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination.

The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth.


Authentication

OSPF also allows packet authentication and uses IP multicast when sending and receiving packets. This ensures less processing on routing devices that are not listening to OSPF packets.

Internal Versus External Routing

To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2.

It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing.

Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS.

When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination.


Alteon Switched Firewall OSPF Implementation

The following sections describe issues specific to the OSPF implementation in the Alteon Switched Firewall:

• “Configurable Parameters” on page 368
• “Defining Areas” on page 369
• “Interface Cost” on page 371
• “Electing the Designated Router and Backup” on page 371
• “Summarizing Routes” on page 371
• “Virtual Links” on page 372
• “Router ID” on page 372
• “Authentication” on page 373
• “OSPF Features Not Supported in This Release” on page 374

Configurable Parameters

In the Alteon Switched Firewall, OSPF parameters can be configured through the Command Line Interface (CLI) or Browser-Based Interface (BBI).

The CLI supports the following parameters: interface output cost, interface priority, dead and hello intervals, retransmission interval, and interface transmit delay.

In addition, you can specify the following:

• Shortest Path First (SPF) interval—Time interval between successive calculations of the shortest path tree using Dijkstra’s algorithm.
• Stub area metric—A stub area can be configured to send a numeric metric value such that all routes received via that stub area carry the configured metric to potentially influence routing decisions.


Defining Areas

If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas.

Since the backbone connects the areas in your network, it must be a contiguous area. If the backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the AS will be unreachable, and you will need to configure virtual links to reconnect the partitioned areas (see “Virtual Links” on page 372).

Up to 16 OSPF areas can be connected to an Alteon Switched Firewall cluster. To configure an area, the OSPF area must be defined and then attached to a network interface on the Alteon Switched Firewall. The full process is explained in the following sections.

An OSPF area is defined by assigning two pieces of information—an area index and an area ID. The command to define an OSPF area is as follows:

>> # /cfg/net/route/ospf/aindex <area index>/id <area ID>

NOTE – The aindex option above is an arbitrary index used only on the Alteon Switched Firewall and does not represent the actual OSPF area number. The actual OSPF area number is defined in the id portion of the command as will be explained below.

Assigning the Area Index

The aindex option is actually just an arbitrary index (1-16) used only by the Alteon Switched Firewall. This index does not necessarily represent the OSPF area number.

For example, the following command defines OSPF area 1 because that information is held in the area ID portion of the command, even though the arbitrary area index does not agree with the area ID:

>> # /cfg/net/route/ospf/aindex 2/id 0.0.0.1 (Use index 2 to set area 1)

NOTE – The backbone area 0 (aindex 1) is automatically configured as a transit area with id 0.0.0.0.


Using the Area ID to Assign the OSPF Area Number

The OSPF area number is defined in the id option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF network vendors. There are two valid ways to designate an area ID:

• Placing the area number in the last octet (0.0.0.n). Most common OSPF vendors express the area ID number as a single number. For example, the Cisco IOS-based router command “network 1.1.1.0 0.0.0.255 area 1” defines the area number simply as “area 1.” On an Alteon Switched Firewall, using the last octet in the area ID, “area 1” is equivalent to “id 0.0.0.1”.
• Multi-octet (IP address). Some OSPF vendors express the area ID number in multi-octet format. For example, “area 2.2.2.2” represents OSPF area 2 and can be specified directly on an Alteon Switched Firewall as “id 2.2.2.2”.

NOTE – Although both types of area ID formats are supported, be sure that the area IDs are in the same format throughout an area.

Attaching an Area to a Network

Once an OSPF area has been defined, it must be associated with a network. To attach the area to a network, you must assign the OSPF area index to an IP interface that participates in the area. The format for the command is as follows:

>> # /cfg/net/route/ospf/if <interface number>/aindex <area index>

For example, the following commands could be used to configure IP interface 14 for a presence on the 10.10.10.1/24 network, to define OSPF area 1 using index 2 on the Alteon Switched Firewall, and to attach the area to the network:

>> # /cfg/net/if 14 (Select menu for IP interface 14)
>> Interface 14# addr 10.10.10.1 (Define IP address on the backbone)
>> Interface 14# ena (Enable IP interface 14)
>> Interface 14# ../route/ospf/aindex 2 (Select menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.1 (Define area ID as OSPF area 1)
>> OSPF Area Index 2 # ena (Enable area index 2)
>> OSPF Area Index 2 # ../if 14 (Select OSPF menu for interface 14)
>> OSPF Interface 14# aindex 2 (Attach area to network interface 14)
>> OSPF Interface 14# ena (Enable interface 14 for area index 2)


Interface Cost

The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth. You can manually enter the cost for the output route with the following commands:

>> # /cfg/net/route/ospf/if <interface number>
>> # cost <cost value>

Electing the Designated Router and Backup

In any area with more than two routing devices, a Designated Router (DR) is elected as the central contact for database exchanges among neighbors, and a Backup Designated Router (BDR) is elected in case the DR fails.

DR and BDR elections are made through the hello process. The election can be influenced by assigning a priority value to the OSPF interfaces. The commands are as follows:

>> # /cfg/net/route/ospf/if <interface number>
>> # prio <priority value>

A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the lowest router ID wins.

Summarizing Routes

Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size.

Summary routes can be defined for up to 256 IP address ranges using the following command:

>> # /cfg/net/route/ospf/range <range number>
>> # addr <IP address>/mask <subnet mask>

where range number is a number from 1 to 256, IP address is the base IP address for the range, and subnet mask is the IP address mask for the range. For a detailed configuration example, see “Example 3: Summarizing Routes” on page 380.


Virtual Links

Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see Figure 11-1 on page 364).

The area which contains a virtual link must be a transit area and have full routing information. Virtual links cannot be configured inside a stub area or NSSA. The area type must be defined as transit using the following command:

>> # /cfg/net/route/ospf/aindex <area index>
>> # type transit

The virtual link must be configured on the routing devices at each endpoint of the virtual link, though they may traverse multiple routing devices. To configure an Alteon Switched Firewall as one endpoint of a virtual link, use the following commands:

>> # /cfg/net/route/ospf/virt <link number>
>> # aindex <area index>
>> # nbr <router ID>

where link number is a value between 1 and 64, area index is the OSPF area index of the transit area, and router ID is the IP address of the virtual neighbor (nbr), the routing device at the target endpoint. Another router ID is needed when configuring a virtual link in the other direction. To provide the Alteon Switched Firewall with a router ID, see the following section, “Router ID.”

For a detailed configuration example, see “Example 2: Virtual Links” on page 376.

Router ID

Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area.

The router ID can be configured in one of the following two ways:

• Statically—Use the following command to manually configure the router ID:

>> # /cfg/net/route/ospf/rtrid <router ID>

• Dynamically—OSPF protocol configures the lowest IP interface IP address as the router ID. This is the default. To use a dynamic router ID after having set it statically, set the router ID to 0.0.0.0 and reboot the Alteon Switched Firewall.


Authentication

OSPF protocol exchanges are authenticated so that only trusted devices can participate. The Alteon Switched Firewall supports simple authentication (type 1 plain text passwords) and MD5 authentication (encrypted data and passwords) among neighboring routing devices in an area.

Simple Authentication

OSPF simple passwords are configured and enabled individually for each defined interface and virtual link. Plain text passwords can be up to eight characters long.

For interfaces, the following CLI commands can be used:

>> # /cfg/net/route/ospf/if <interface number> (Select OSPF interface)
>> OSPF Interface# auth password|none (Set simple authentication on/off)
>> OSPF Interface# key <password> (Set type 1 password)

For virtual links, the following CLI commands can be used:

>> # /cfg/net/route/ospf/virt <link number> (Select OSPF virtual link)
>> OSPF Virtual Link# auth password|none (Set simple authentication on/off)
>> OSPF Virtual Link# key <password> (Set type 1 password)

MD5 Authentication

OSPF MD5 passwords use strong cryptography to protect data and passwords. To preserve security, MD5 passwords should be changed frequently.

MD5 passwords are configured and enabled individually for each defined interface and virtual link. MD5 passwords are defined with a key ID (1-255) and a password up to 16 characters.

For interfaces, the following CLI commands can be used:

>> # /cfg/net/route/ospf/if <interface number> (Select OSPF interface)
>> OSPF Interface# auth md5|none (Set MD5 on/off)
>> OSPF Interface# md5key (Set MD5 ID & password)

Similarly, for virtual links the following CLI commands can be used:

>> # /cfg/net/route/ospf/virt <link number> (Select virtual link)
>> OSPF Virtual Link# auth md5|none (Set MD5 on/off)
>> OSPF Virtual Link# md5key (Set MD5 password)


OSPF Features Not Supported in This Release

• Filtering OSPF routes
• Load balancing equal cost routes. During traffic forwarding, if the first configured equal cost route is deleted, the next in line is selected.
• Using OSPF to forward multicast routes

OSPF Configuration Examples

A summary of the basic steps for configuring OSPF on the Alteon Switched Firewall is listed here. Detailed instructions for each of the steps are covered in the following sections:

1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the Alteon Switched Firewall.

2. (Optional) Configure the router ID. The router ID is required only when configuring virtual links.

3. Enable OSPF on the Alteon Switched Firewall.

4. Define the OSPF areas.

5. Configure OSPF interface parameters. IP interfaces are used for attaching networks to the various areas.

6. (Optional) Configure route summarization between OSPF areas.

7. (Optional) Configure virtual links.


Example 1: Simple OSPF Domain

In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone.

[Figure 11-3: the Alteon Switched Firewall joins the backbone, Area 0 (0.0.0.0), on IF 1 (10.10.7.1, network 10.10.7.0/24) and the stub area, Area 1 (0.0.0.1), on IF 2 (10.10.12.1, network 10.10.12.0/24).]

Figure 11-3 A Simple OSPF Domain

Follow this procedure to configure OSPF support as shown in Figure 11-3:

1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed: one for the backbone network on 10.10.7.0/24 and one for the stub area network on 10.10.12.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set IP mask on backbone network)
>> Interface 1 # broad 10.10.7.255 (Set the broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 10.10.12.1 (Set IP address on stub area network)
>> Interface 2 # mask 255.255.255.0 (Set IP mask on stub area network)
>> Interface 2 # broad 10.10.12.255 (Set the broadcast address for 10.10.12.0/24)
>> Interface 2 # ena (Enable IP interface 2)

2. Enable OSPF.

>> Interface 2 # /cfg/net/route/ospf/ena (Enable OSPF on the ASF)


3. Define the stub area.

>> OSPF # aindex 2 (Select menu for area index 2; index 1 is the backbone)
>> OSPF Area index 2 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # type stub (Define area as stub type)
>> OSPF Area index 2 # ena (Enable the area)

4. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

5. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)
>> OSPF Interface 2 # aindex 1 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)

6. Apply the configuration changes.

>> OSPF Interface 2 # apply

Example 2: Virtual Links

In the example shown in Figure 11-4, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The virtual link must be configured at each endpoint.

Figure 11-4 Configuring a Virtual Link (diagram not reproduced): backbone Area 0 (0.0.0.0), network 10.10.7.0/24; transit Area 1 (0.0.0.1), network 10.10.12.0/24; stub Area 2 (0.0.0.2), network 10.10.24.0/24. ASF 1 (Router ID 10.10.10.1) has IF 1 10.10.7.1 in the backbone and IF 2 10.10.12.1 in the transit area. ASF 2 (Router ID 10.10.14.1) has IF 1 10.10.12.2 in the transit area and IF 2 10.10.24.1 in the stub area. Virtual Link 1 runs between ASF 1 and ASF 2 through Area 1.


Configuring OSPF for a Virtual Link on ASF 1

1. Configure IP interfaces on each network that will be attached to the Alteon Switched Firewall. In this example, two IP interfaces are needed on ASF 1: one for the backbone network on 10.10.7.0/24 and one for the transit area network on 10.10.12.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 10.10.7.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 10.10.12.1 (Set IP address on transit area, as shown in Figure 11-4)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 10.10.12.255 (Set broadcast address)
>> Interface 2 # ena (Enable interface 2)

2. Configure the router ID. A router ID is required when configuring virtual links. Later, when configuring the other end of the virtual link on ASF 2, the router ID specified here will be used as the target virtual neighbor (nbr) address.

>> Interface 2 # /cfg/net/route/ospf (Select the OSPF menu)
>> OSPF # rtrid 10.10.10.1 (Set static router ID on ASF 1)

3. Enable OSPF.

>> OSPF # ena (Enable OSPF on ASF 1)

4. Configure the transit area. Set the area ID for the area that contains the virtual link.

>> OSPF Area index 1 # ../aindex 2 (Select menu for area index 2)
>> OSPF Area index 2 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # ena (Enable the area)


5. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

6. Attach the network interface to the transit area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)
>> OSPF Interface 2 # aindex 2 (Attach network to transit area index)
>> OSPF Interface 2 # ena (Enable the transit area interface)

7. Configure the virtual link.

>> OSPF Interface 2 # ../virt 1 (Specify a virtual link number)
>> OSPF Virtual Link 1 # aindex 2 (Specify transit area for virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.14.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)

The nbr router ID configured in this step must be the same as the router ID that will be configured for ASF 2 in Step 2 on page 379.

8. Apply the configuration changes.

>> OSPF Virtual Link 1 # apply

Configuring OSPF for a Virtual Link on ASF 2

1. Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on ASF 2: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> IP Interface 1 # addr 10.10.12.2 (Set transit area network IP address)
>> IP Interface 1 # mask 255.255.255.0 (Set transit area network mask)
>> IP Interface 1 # broad 10.10.12.255 (Set transit area network broadcast)
>> IP Interface 1 # ena (Enable IP interface 1)
>> IP Interface 1 # ../if 2 (Select menu for IP interface 2)
>> IP Interface 2 # addr 10.10.24.1 (Set IP address on stub area network)
>> IP Interface 2 # mask 255.255.255.0 (Set stub area network mask)
>> IP Interface 2 # broad 10.10.24.255 (Set stub area network broadcast)
>> IP Interface 2 # ena (Enable IP interface 2)


2. Configure the router ID. A router ID is required when configuring virtual links. This router ID should be the same one specified as the target virtual neighbor (nbr) on ASF 1 in Step 7 on page 378.

>> IP Interface 2 # /cfg/net/route/ospf (Select the OSPF menu)
>> OSPF # rtrid 10.10.14.1 (Set static router ID on ASF 2)

3. Enable OSPF.

>> OSPF # ena (Enable OSPF on ASF 2)

4. Configure the transit area.

>> OSPF Area Index 0 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area Index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area Index 1 # ena (Enable the area)

5. Define the stub area.

>> OSPF Area Index 1 # ../aindex 2 (Select the menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.2 (Set the area ID for OSPF area 2)
>> OSPF Area Index 2 # type stub (Define area as stub type)
>> OSPF Area Index 2 # ena (Enable the area)

6. Attach the network interface to the transit area (on ASF 2, IP interface 1 is in the transit area, not the backbone).

>> OSPF Area Index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # aindex 1 (Attach network to transit area index)
>> OSPF Interface 1 # ena (Enable the transit area interface)

7. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)
>> OSPF Interface 2 # aindex 2 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)


8. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for ASF 1 in Step 2 on page 377.

>> OSPF Interface 2 # ../virt 1 (Specify a virtual link number)
>> OSPF Virtual Link 1 # aindex 1 (Specify the transit area for the virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.10.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)

9. Apply and save the configuration changes.

>> OSPF Interface 2 # apply

Only the endpoints of the virtual link are configured. The virtual link path may traverse multiple routers in an area as long as there is a routable path between the endpoints.
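The two procedures above have to agree with each other: the nbr on each end must name the other end's rtrid, both ends must use the same transit area (the area index can differ per box, only the area ID has to match), and the transit area can be neither the backbone nor a stub area. The following script is an added example, not part of the guide or the ASF software; it models the settings from the ASF 1 and ASF 2 procedures with its own OspfEndpoint and Area classes and reports any inconsistency before the configuration is applied.

```python
"""Consistency check for the two ends of an OSPF virtual link.

Added example (not from the Alteon guide). OspfEndpoint, Area and
check_virtual_link are the example's own names; the field values mirror the
rtrid / aindex / id / type / virt aindex / virt nbr settings the guide
configures on ASF 1 and ASF 2 for Figure 11-4.
"""
from dataclasses import dataclass


@dataclass
class Area:
    area_id: str           # OSPF area ID in dotted form, e.g. "0.0.0.1"
    kind: str = "transit"  # "transit" (normal area) or "stub"


@dataclass
class OspfEndpoint:
    name: str
    rtrid: str        # static router ID set with /cfg/net/route/ospf/rtrid
    areas: dict       # local area index (aindex) -> Area
    virt_aindex: int  # aindex given under /cfg/net/route/ospf/virt <n>
    virt_nbr: str     # nbr given under /cfg/net/route/ospf/virt <n>


def check_virtual_link(a: OspfEndpoint, b: OspfEndpoint) -> list:
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    # Each end's nbr must be the *other* end's router ID (the guide's rule
    # in Step 7 for ASF 1 and Step 8 for ASF 2).
    if a.virt_nbr != b.rtrid:
        problems.append(f"{a.name}: virt nbr {a.virt_nbr} != {b.name} rtrid {b.rtrid}")
    if b.virt_nbr != a.rtrid:
        problems.append(f"{b.name}: virt nbr {b.virt_nbr} != {a.name} rtrid {a.rtrid}")
    # Area indexes are local to each box; only the area IDs have to match.
    ta = a.areas.get(a.virt_aindex)
    tb = b.areas.get(b.virt_aindex)
    if ta is None or tb is None:
        problems.append("virt aindex refers to an area index that is not defined")
        return problems
    if ta.area_id != tb.area_id:
        problems.append(f"transit area mismatch: {ta.area_id} vs {tb.area_id}")
    for ep, area in ((a, ta), (b, tb)):
        if area.area_id == "0.0.0.0":
            problems.append(f"{ep.name}: the backbone cannot be the transit area")
        if area.kind == "stub":
            # RFC 2328: virtual links cannot be configured through stub areas.
            problems.append(f"{ep.name}: transit area {area.area_id} is a stub area")
    return problems


# Values taken from the guide's Figure 11-4 procedures.
ASF1 = OspfEndpoint("ASF 1", rtrid="10.10.10.1",
                    areas={2: Area("0.0.0.1")},
                    virt_aindex=2, virt_nbr="10.10.14.1")
ASF2 = OspfEndpoint("ASF 2", rtrid="10.10.14.1",
                    areas={1: Area("0.0.0.1"), 2: Area("0.0.0.2", "stub")},
                    virt_aindex=1, virt_nbr="10.10.10.1")

if __name__ == "__main__":
    for line in check_virtual_link(ASF1, ASF2) or ["virtual link 1 is consistent"]:
        print(line)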

Example 3: Summarizing Routes

By default, ABRs advertise all the OSPF routes from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network.

If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area.

The following example shows one summary route from area 1 (stub area) injected into area 0 (the backbone). The summary route consists of all IP addresses from 36.128.192.0 through 36.128.254.255.

Figure 11-5 Summarizing Routes (diagram not reproduced): backbone Area 0 (0.0.0.0), network 10.10.7.0/24 on IF 1, 10.10.7.1; stub Area 1 (0.0.0.1), networks 36.128.192.0/24 to 36.128.254.0/24 on IF 2, 36.128.192.1. The ABR injects the summary route 36.128.192.0/18 into the backbone.


NOTE – You can also specify an address range to prevent advertising by using the hide option on the OSPF Summary Range Menu.

Follow this procedure to configure OSPF support as shown in Figure 11-5:

1. Configure IP interfaces for each network which will be attached to OSPF areas.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 10.10.7.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 36.128.192.1 (Set IP address on stub area network)
>> Interface 2 # ena (Enable IP interface 2)

2. Enable OSPF.

>> IP Interface 2 # /cfg/net/route/ospf/ena (Enable OSPF on the ASF)

3. Define Area 1 (stub area).

>> OSPF Area index 1 # ../aindex 2 (Select menu for area index 2)
>> OSPF Area index 2 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # type stub (Define area as stub type)
>> OSPF Area index 2 # ena (Enable the area)

4. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

5. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)
>> OSPF Interface 2 # aindex 2 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)


6. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized.

>> OSPF Interface 2 # ../range 1 (Select menu for summary range)
>> OSPF Range 1 # addr 36.128.192.0 (Set base IP address of range)
>> OSPF Range 1 # mask 255.255.192.0 (Set mask address for summary range)
>> OSPF Range 1 # aindex 1 (Inject summary route into backbone)
>> OSPF Range 1 # ena (Enable summary range)

7. Apply the configuration changes.

>> OSPF Summary Range 1 # apply
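The mask in Step 6 is the smallest single prefix that covers every subnet in the area, and such a prefix can be slightly larger than the area itself: 36.128.192.0/18 also covers 36.128.255.0/24, which Figure 11-5 does not place in the stub area, so the backbone is told to send traffic for that block to the ABR. The script below is an added example, not part of the guide or the ASF software; it derives the addr and mask values for the range from the list of subnets and reports any address space the summary advertises beyond the area. The function names are the example's own, and the command lines it emits follow the syntax shown in Step 6.

```python
"""Derive an OSPF summary range and report any over-advertised address space.

Added example (not from the Alteon guide). contiguous_subnets, summary_range
and asf_range_commands are the example's own names; the sample input is the
stub area of Figure 11-5 (36.128.192.0/24 through 36.128.254.0/24).
"""
from ipaddress import IPv4Network, summarize_address_range


def contiguous_subnets(first: str, last: str, prefixlen: int) -> list:
    """Enumerate the /prefixlen subnets from `first` up to and including `last`."""
    start = IPv4Network(f"{first}/{prefixlen}")
    stop = IPv4Network(f"{last}/{prefixlen}")
    nets, cur = [], start
    while cur.network_address <= stop.network_address:
        nets.append(cur)
        cur = IPv4Network((cur.broadcast_address + 1, prefixlen))
    return nets


def summary_range(nets: list) -> dict:
    """Smallest single prefix covering all of `nets`, plus what else it covers."""
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    prefixlen = 32
    summary = IPv4Network((first, prefixlen))
    # Shorten the prefix until one block holds both ends of the range.
    while last not in summary:
        prefixlen -= 1
        summary = IPv4Network((first, prefixlen), strict=False)
    # Address space the summary advertises that the area does not contain:
    # traffic for it is drawn to the ABR and then dropped there.
    extra = []
    if summary.network_address < first:
        extra += summarize_address_range(summary.network_address, first - 1)
    if last < summary.broadcast_address:
        extra += summarize_address_range(last + 1, summary.broadcast_address)
    return {"addr": str(summary.network_address),
            "mask": str(summary.netmask),
            "prefix": summary,
            "extra": extra}


def asf_range_commands(summary: dict, index: int, aindex: int) -> list:
    """Range commands in the form the guide's Step 6 uses (syntax assumed from it)."""
    return [f"/cfg/net/route/ospf/range {index}",
            f"addr {summary['addr']}",
            f"mask {summary['mask']}",
            f"aindex {aindex}",
            "ena",
            "apply"]


if __name__ == "__main__":
    area = contiguous_subnets("36.128.192.0", "36.128.254.0", 24)
    result = summary_range(area)
    print(f"{len(area)} subnets summarised as {result['prefix']}")
    for net in result["extra"]:
        print(f"warning: {net} is advertised but not part of the area")
    print("\n".join(asf_range_commands(result, 1, 1)))
```

If the extra list is not empty, either accept that the ABR attracts traffic for the unused block, assign that block to the area before anyone else does, or advertise two narrower ranges instead of one.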

Example 4: Redistributing Routes

Alteon Switched Firewall can redistribute routes from other protocols into RIP or OSPF domains. ASF can redistribute connected, OSPF, static, default gateway, and fictitious routes into RIP routes. ASF can also redistribute connected, static, RIP, and default gateway routes into OSPF routes. In this example, ASF is redistributing RIP routes into an OSPF domain.

Figure 11-6 Redistributing RIP Routes into OSPF (diagram not reproduced): the Alteon Switched Firewall acts as ASBR between the OSPF domain (Area 0.0.0.0, Router 1 at 100.100.2.80, ASF interface 100.100.2.1, OSPF routes) and the RIP domain (Router 2 at 100.100.3.150, ASF interface 100.100.3.1, RIP routes).

In Figure 11-6 the Alteon Switched Firewall is configured as an ASBR between two domains, RIP and OSPF. The ASF is connected to two routers, Router 1 in the OSPF domain and Router 2 in the RIP domain. ASF is required to advertise the RIP routes from the RIP domain into OSPF. In this example, two IP interfaces are needed on the ASF: one for the OSPF domain on 100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.


1. Configure the IP interface to the backbone router for the OSPF domain that is connected to port 1 of the Alteon Switched Firewall.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 100.100.2.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 100.100.2.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # port/add 1 (Add port 1 to interface 1)

2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon Switched Firewall.

>> # /cfg/net/if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 100.100.3.1 (Specify IP address for RIP domain)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 100.100.3.255 (Set broadcast address)
>> Interface 2 # ena (Enable IP interface 2)
>> Interface 2 # port/add 2 (Add port 2 to interface 2)

3. Configure the IP address for the Accelerator.

>> # /cfg/acc/ac1/addr 10.10.1.45 (Specify IP address for accelerator)

4. Disable auto for local network to enable OSPF.

>> # /cfg/net/adv/local/auto n (Disable auto for local networks)

5. Enable OSPF for interface 1.

>> # /cfg/net/route/ospf/if 1/ena (Enable OSPF for interface 1)

6. Enable OSPF globally.

>> # /cfg/net/route/ospf/ena (Enable OSPF globally)

7. Enable RIP on interface 2 and specify the RIP version if required.

>> # /cfg/net/route/rip/if 2/ena (Enable RIP for interface 2)


8. Enable RIP globally.

>> # /cfg/net/route/rip/ena (Enable RIP globally)

Configure RIP in Router 2 and verify if the Alteon Switched Firewall and Router 2 are able to send and receive routes between them. Configure Router 2 to send RIP routes to the Alteon Switched Firewall. Verify the routing table on Router 1 and confirm that these routes are not advertised and installed in Router 1, because it is not a RIP router.

9. Configure the ASF to redistribute the RIP routes it learned.

>> # /cfg/net/route/ospf/redist/rip/ena (Redistribute RIP routes into OSPF)

When routes are redistributed, you must define a metric that the receiving protocol understands. If you want to change the metric of the redistributed route, then enter the new metric under /cfg/net/route/ospf/redist/rip/metric.

10. Apply the configuration changes.

>> OSPF RIP Route Redistribution # apply

Verify if Router 1 is able to see all the routes from the RIP domain.

Verifying OSPF Support

Use the following commands to verify the OSPF information on your ASF:

• /info/net/route/ospf/routes
• /info/net/route/ospf/lsa
• /info/net/route/ospf/neigh
• /info/net/route/ospf/if
• /info/net/route/ospf/fib

APPENDIX A Event Logging API

The Alteon Switched Firewall Event Logging API (ELA) is an OPSEC application that allows system log messages to be sent to a Check Point management station for display through the Check Point Log Viewer. Log messages are transported to the management server through a secure, encrypted channel.

For information on configuring and administering OPSEC applications in Check Point, please refer to your complete Check Point FireWall-1 NG documentation.

ELA configuration requires steps at both the Check Point management server and at the Alteon Switched Firewall. For each Firewall Director in the cluster, you must create a new OPSEC application at the Check Point management server, and initialize Secure Internal Communication (SIC). For each Firewall Director, the certificate associated with the SIC must be pulled to the Firewall Director before the ELA will operate.

This chapter details the steps required to use ELA.

Configure the Check Point Management Server

At the management server, use the following procedure to create a different ELA OPSEC application for each of the Firewall Directors in the cluster.


1. Create a new OPSEC application. In the tabbed menu on the left, click on the OPSEC Applications tab and choose New OPSEC Application.

2. Initialize the OPSEC application.


Fill in the following fields:

• The Name field should be given an appropriate identifier. You will need to use this name when pulling the certificate to the Firewall Director.
• The Host field should refer to the management station.
• The Vendor should be “User defined.”
• “ELA” should be checked in the Client Entries box.
• Secure Internal Communication needs to be initialized (see next step).

3. Initialize Secure Internal Communication (SIC). Click on the Communication button and choose a Password in the box provided. You will need to use this password later when pulling the certificate to a Firewall Director.

NOTE – When initialized, the trust state will be displayed as “Initialized but trust not established.” This is normal and will not change even after an SIC certificate is pulled from the Check Point management server (see Step 5 on page 391).


4. Repeat for all Firewall Directors in the cluster. You should see the OPSEC Application listed in the Policy Manager when the OPSEC tab is chosen. One application should be created for each Firewall Director in the cluster.

5. Install the policy rulebase to the Firewall Director. From the menu bar, select Policy | Install:

When the Install Policy window appears, select the cluster object and click on the OK button.


NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear. See your Check Point documentation to determine whether antispoofing is necessary for your firewall.

Click on the OK button to initiate installing the rulebase.

Close the Install Policy window when the process is complete.


Configure the Firewall Directors

Configuration of all Firewall Directors is performed through the CLI or the BBI. The following steps use the BBI method. For configuring the ELA using the CLI, see “ELA Logging Menu” on page 227.

1. Log on to the BBI using the cluster MIP address.

2. Select the Cluster / ELA form and define the general settings.

Set the following items:

• Set Status to “enabled.”
• Set Management Station IP to the IP address of the Check Point management station, in dotted decimal notation.
• Set Minimum Severity if a different level is desired. All messages at the specified level of severity or higher will be logged to ELA.
• Set the Server Distinguished Name (see the next section to find out how to determine it).


3. Get Distinguished Name of server. In the Check Point Policy Editor, access the properties of the management server by double clicking on its displayed icon. The distinguished name (DN) is found in the Secure Internal Communication area.

Be sure to set the Server Distinguished Name in the BBI window.

4. In the BBI Cluster / ELA form, save and apply the settings. Click on the Save Settings button to submit your changes. Then use the global apply button to make your changes take effect.

5. Pull the SIC certificate from the management server. In order for ELA to function, a separate certificate for SIC communication needs to be installed on each of the individual Firewall Directors.

In the Pull SIC Certificate section of the Cluster / ELA form, set the following parameters:

• Set the Host IP to the IP address of the individual Firewall Director being updated (not the MIP address).
• Set the Client SIC Name to match the name specified when creating an OPSEC application in the Check Point Policy Editor. Each host should map to a unique OPSEC application. In the example, we set host 10.10.1.1 to the OPSEC application “ela1.”
• Set the Password to match that specified when configuring SIC for the OPSEC application.

6. Click the Update Certificate button to finish.


The Check Point Log Viewer

To view the logs, open the Check Point Log Viewer.

In this release of Check Point FireWall-1 NG, the “Origin” of the logs may be incorrect in the Log Viewer. The text of the log messages themselves (which contains the source Firewall Director) may be more reliable in determining from which Firewall Director the log message originated.

The logging will not occur unless the firewall and registry are up and running on the Firewall Director. This happens late in the booting process. Messages are cached locally until they can be sent to the ELA logging server. It therefore may take a few moments before messages begin appearing after a reboot.

APPENDIX B Common Tasks

This appendix describes the most common Alteon Switched Firewall management tasks.

Managing Check Point Central Licenses

Installing Central Licenses with Secure Update

Installing Check Point central licenses is best done using the Check Point tools on your management client. The license will be automatically sent to the EMC license repository and then installed to the Firewall Director. For detailed information on Check Point licenses or the tools such as the Policy Editor and Secure Update, see your complete Check Point documentation.

Use the following procedure to install a central license onto the Firewall Director:

1. Launch the Policy Editor from the management client Start menu.

2. Create a new gateway object for the Firewall Director. Select Network Objects | New | Gateway and assign its IP address.

3. Establish trusted communication. Click on the Communication button and type the Check Point SIC one-time password.

4. Click OK to save the object.

5. Launch the Secure Update program from the Start menu.

6. When Secure Update starts, select the object that represents the target Firewall Director from the Managed Modules window.

7. Import the license file. From the menu bar, select Licenses | New License | Import File and then choose the license file (for example, 172.21.9.200_module.lic).

8. Follow onscreen prompts until the installation is complete.

9. When the license is installed, load the firewall policy to the Firewall Director.


Deleting or Reinstalling Central Licenses

The Secure Update tool is best used for managing Check Point central licenses. See your complete Check Point documentation for details on using Secure Update or any other Check Point management tool.

Mounting a Floppy Disk on the Firewall Director

The following procedure can be used for mounting a floppy disk to read or write files on the Firewall Director.

1. Insert a DOS-formatted floppy into the Firewall Director.

2. Login as root.

root

3. Enter the following command:

# mount /mnt/floppy

4. Copy files (if you need the log files). For example:

# cp /var/log/message /mnt/floppy

5. To unmount the floppy disk, enter the following command:

# umount /mnt/floppy

6. Remove the floppy disk from the Firewall Director by pressing the eject button.


Mounting a CD-ROM on the Firewall Director

The following procedure can be used for mounting a CDROM to read files on the Firewall Director.

1. Insert a CDROM into the Firewall Director.

2. Login as root.

root

3. Enter the following command:

# mount /mnt/cdrom

4. To unmount the CDROM enter the following command:

# umount /mnt/cdrom


Manually Upgrading the Firewall Accelerator

Normally, the cluster Firewall Accelerator software is automatically upgraded along with the cluster Firewall Directors. However, if required, the Firewall Accelerator software can be manually upgraded or reloaded. To manually install Firewall Accelerator software, the following is required:

• A computer running ASCII terminal emulation software.
• A standard serial cable with a male DB9 connector (included with the Firewall Director). See page 46 of the manual for cable specifications.
• A binary upgrade image for the Firewall Accelerator.

To install the upgrade image, perform the following steps:

1. Connect a terminal directly to the Firewall Accelerator console port. Set the communications parameters as shown in the table below:

Table 3 Console Configuration Parameters

Parameter      Value
Baud Rate      9600
Data Bits      8
Parity         None
Stop Bits      1
Flow control   None

2. Turn off the Firewall Accelerator and then turn it back on.

3. Press while the Firewall Accelerator is attempting to boot (while the “AceSwitch BootMon...” message is displayed).

4. Reconfigure your terminal to use a baud rate of 57600.

5. Transfer the binary upgrade image from the terminal to the Firewall Accelerator using the Xmodem protocol. For example, if using Hyperterminal, select the Transfer | Send File command and select Xmodem or 1K-Xmodem (faster) as the protocol.

6. When the transfer is complete, return your terminal to a baud rate of 9600.

7. Turn off the Firewall Accelerator and then turn it back on.

8. If using a high-availability configuration, repeat this process on the redundant Firewall Accelerator.


Tuning Check Point NG Performance

The following parameters can be adjusted to meet your specific needs:

• connections_limit
• connections_hashsize

If a NAT policy is being used by a large number of concurrent sessions, then the following two parameters should be modified:

• nat_hash_size: The default is 16,384 (16K). It should be increased to 131,072.
• nat_limit: The default is 25,000. It should be increased to 180,000.

Increasing Connections

By default, CheckPoint sets the connection limit of the firewall to 25000 and the default connection hash size is 65536 (64K). The values for the connection limit and connection hash size fields are dependent on the ASF model, as shown in Table B-1.

Table B-1 Increasing Connections

ASF Model   Connections_limit   Connections_hashsize
ASF 5700    500000              2097152
ASF 5600    180000              1048576
ASF 5400    180000              1048576
ASF 5300    45000               262144

Using FP-2 Management Server

If you are using FP-2 management server, the connection limit can be increased from the Check Point Policy Editor. Edit each gateway object representing the SFDs, go to the “Advanced” tab and increase the “Maximum concurrent connections” parameter. The “Calculate connections hash size and memory pool” parameter should be set to “Automatically.”


Using FP-3 Management Server

If you are using FP-3 management server, you must edit the gateway cluster object property to increase the connection limit. Edit the gateway cluster object representing the ASF cluster, go to the “Capacity Optimization” tab and increase the “Maximum concurrent connections” parameter. The “Calculate connections hash size and memory pool” parameter must be set to “Automatically.”


Using FP-1 Management Server

If you are using FP-1 management server, use the dbedit utility provided by Check Point to increase the connection limit from the default value of 25000.

1. Close all GUI clients.

2. Run dbedit on the Check Point management station at the MS DOS prompt:

c:\> dbedit
Enter Server name:
Enter User name:
Enter User password:
dbedit> modify properties firewall_properties connections_limit 180000
dbedit> modify properties firewall_properties connections_hashsize 1048576
dbedit> update properties firewall_properties
dbedit> quit


3. Reinstall the policy.

4. Login to the ASF and stop and start the firewall.

5. Verify the new connection limit by running “fw tab -t connections.”

Increasing NAT Connections

By default, CheckPoint sets the NAT connection limit of the firewall to 25000. To increase the value, use the dbedit utility provided by CheckPoint. You can increase the NAT limit up to the connection limit that you set for your ASF.

1. Close all GUI clients.

2. Run dbedit on the Check Point management station at the MS DOS prompt:

c:\> dbedit
Enter Server name:
Enter User name:
Enter User password:
dbedit> modify properties firewall_properties nat_limit 180000
dbedit> modify properties firewall_properties nat_hashsize 1048576
dbedit> update properties firewall_properties
dbedit> quit

3. Reinstall the policy.

4. Login to the ASF. Stop and start the firewall.

NOTE – You may set the nat_limit parameter to be less than the connection_limit. Make sure the nat_hashsize value is close to the nat_limit and a power of 2. For example, if nat_limit is 50000, nat_hashsize should be 65535.
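The constraints in the two dbedit procedures above and in the NOTE (the model cap from Table B-1, nat_limit no larger than the connection limit, hash sizes that are powers of two) are easy to get wrong when typed by hand at the dbedit prompt. The script below is an added example, not part of the guide or of Check Point's tools; it checks a requested pair of limits against those rules and prints the dbedit lines in the form the guide shows. Function names are the example's own, and its choice to keep the model's table hash size when a lower connection limit is requested, and to take the smallest power of two not below nat_limit as nat_hashsize, is the example's reading of the guide, not a rule from the guide.

```python
"""Plan Check Point connection/NAT table parameters for an ASF model.

Added example (not from the Alteon guide or Check Point). TABLE_B1 holds the
values of the guide's Table B-1; plan_capacity and dbedit_script are the
example's own names. How the hash sizes are derived for limits not in the
table is an assumption (see comments).
"""

# Table B-1: model -> (connections_limit, connections_hashsize)
TABLE_B1 = {
    "ASF 5700": (500000, 2097152),
    "ASF 5600": (180000, 1048576),
    "ASF 5400": (180000, 1048576),
    "ASF 5300": (45000, 262144),
}


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def next_power_of_two(n: int) -> int:
    """Smallest power of two that is >= n (e.g. 65536 for 50000)."""
    return 1 << (n - 1).bit_length()


def plan_capacity(model: str, connections_limit: int, nat_limit: int) -> dict:
    """Validate the requested limits and return the four properties to set."""
    if model not in TABLE_B1:
        raise ValueError(f"unknown ASF model {model!r}")
    cap_limit, cap_hash = TABLE_B1[model]
    if connections_limit > cap_limit:
        raise ValueError(f"{model}: connections_limit {connections_limit} exceeds "
                         f"the Table B-1 value {cap_limit}")
    if nat_limit > connections_limit:
        # The guide: the NAT limit may be raised only up to the connection limit.
        raise ValueError("nat_limit may not exceed connections_limit")
    plan = {
        "connections_limit": connections_limit,
        # Assumption: keep the model's Table B-1 hash size even when a lower
        # limit is requested; a larger hash table only costs memory.
        "connections_hashsize": cap_hash,
        "nat_limit": nat_limit,
        # The guide's NOTE: a power of two close to nat_limit.
        "nat_hashsize": next_power_of_two(nat_limit),
    }
    for key in ("connections_hashsize", "nat_hashsize"):
        if not is_power_of_two(plan[key]):
            raise ValueError(f"{key} must be a power of two")
    return plan


def dbedit_script(plan: dict) -> list:
    """The dbedit lines to type, in the form shown in the guide's procedures."""
    lines = [f"modify properties firewall_properties {key} {value}"
             for key, value in plan.items()]
    lines.append("update properties firewall_properties")
    return lines


if __name__ == "__main__":
    # Constructed request: an ASF 5400 at its table limit with a 50000-entry NAT table.
    for line in dbedit_script(plan_capacity("ASF 5400", 180000, 50000)):
        print(f"dbedit> {line}")
```

After running the lines on the management station, reinstall the policy and restart the firewall as the guide's steps 3 and 4 describe, then confirm the new sizes with fw tab -t connections.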


Partially Accelerated Connections

The maximum number of concurrent connections is limited by the memory in the Firewall Accelerator. The ASF Director, however, has more memory and can therefore hold more connections than the Accelerator. Partially Accelerated Connections allow you to take advantage of this and increase the maximum concurrent connections.

Acceleration in ASF is implemented using three different connection tables: the firewall connection table, the Accelerator Interface Module (AIM) connection table, and the Accelerator connection table. The firewall and AIM connection tables are maintained in the Director. The maximum concurrent connections supported by ASF is decided by the smallest of the above three tables, which is the accelerator table. Because there is only one active accelerator in an ASF, adding more directors does not change the maximum concurrent connection limit.

When the accelerator session table is full, new connections cannot be added to the Accelerator. The connections that cannot be added to the accelerator table are kept in the AIM table and the packets for these connections are accelerated by the AIM module. This increases the maximum concurrent connections beyond the limit of the accelerator. The connections that are accelerated by the AIM module are called partially accelerated connections. The connections that are accelerated by the accelerator are called fully accelerated connections.

The maximum number of partially accelerated connections that is supported depends on the memory available in the director to hold the AIM connection table and the firewall connection table. However, with the support for partially accelerated connections, the maximum concurrent connections in ASF is the sum of the fully accelerated connections supported by the Accelerator and the partially accelerated connections supported by the Directors.

The maximum concurrent connections increase with the number of Directors in ASF. Without firewall synchronization, this number will scale linearly with the number of Directors. With firewall session synchronization, this number will be less than that without firewall synchronization.

Acceleration using a partially accelerated connection will work only if the packets for this connection are forwarded to the same director that owns the connection. Because this cannot be guaranteed for NATed connections, partial acceleration cannot be used to increase the maximum concurrent connections with NAT.


Table B-2 shows recommended values for increasing concurrent connections for two different Director models. The value for “max_connections” in aim.conf file should be smaller than or equal to the maximum concurrent connections specified in the following table.

Table B-2 Partially Accelerated Connections

ASF Model   Maximum Connections
ASF 5010    700000
ASF 5008    450000

Reading System Memory Information

General Linux memory information:

free, vmstat, cat /proc/meminfo, or top

Kernel modules information:

lsmod

Check Point NG memory information:

fw ctl pstat
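As an added example that is not part of the Nortel guide, the following shell functions parse /proc/meminfo-style text and report how much memory remains for the AIM and firewall connection tables whose size bounds the partially accelerated connections. The sample figures and the 20% threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Nortel guide: summarise the memory figures that
# bound the Director's AIM and firewall connection tables from /proc/meminfo
# text. The sample below is constructed and the 20% threshold is an assumption.

# mem_summary FILE: print "total_kB reclaimable_kB used_percent".
# Buffers and Cached are counted as reclaimable, as "free" does on its
# "-/+ buffers/cache" line, so the figure reflects memory the kernel can
# actually hand to the connection tables.
mem_summary() {
    awk '
        /^MemTotal:/ { total = $2 }
        /^MemFree:/  { free = $2 }
        /^Buffers:/  { free += $2 }
        /^Cached:/   { free += $2 }
        END {
            if (total == 0) { print "MemTotal not found" > "/dev/stderr"; exit 1 }
            printf "%d %d %d\n", total, free, int(100 * (total - free) / total)
        }' "$1"
}

# mem_check FILE [MIN_FREE_PCT]: return 0 when at least MIN_FREE_PCT (default
# 20) of memory is reclaimable, 1 when the Director is close to the memory that
# backs its tables, 2 if the file could not be parsed.
mem_check() {
    min_free="${2:-20}"
    summary=$(mem_summary "$1") || return 2
    set -- $summary
    free_pct=$(( 100 - $3 ))
    if [ "$free_pct" -lt "$min_free" ]; then
        echo "WARN: only ${free_pct}% of $1 kB reclaimable ($2 kB)" >&2
        return 1
    fi
    echo "OK: ${free_pct}% of $1 kB reclaimable ($2 kB)"
}

# Constructed /proc/meminfo excerpt (2.4-kernel layout) for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
MemTotal:      1031564 kB
MemFree:         52344 kB
Buffers:        118200 kB
Cached:         410888 kB
SwapCached:          0 kB
EOF
mem_check "$sample"
rm -f "$sample"
```

On a live Director, pass /proc/meminfo itself as the file argument; the exit status lets the check be scheduled from cron alongside fw ctl pstat.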

Verifying VNIC Configuration

A VNIC is a virtual network interface card.

1. Dump information about all the VNICs

/opt/tng/bin/vnic dump

2. Dump information about VNIC 1

/opt/tng/bin/vnic info v1


Recovering from a Lock-Out

If all Firewall passwords are changed or lost and you are locked out of the Firewall, you must use the boot user account and reinstall the Firewall Director software. Because the boot user password cannot be changed, this one avenue of access is always available. To maintain security, boot user access is limited to a direct connection to the console port. Because that password is fixed and documented, anyone with physical access to the console port can wipe and reinstall the Director, so the console port itself must be physically protected.

When the reinstallation is performed, the Firewall Director is reset to its factory default configuration. All previous configuration data and software are erased, including old software image versions and upgrade packages.

NOTE – Because a reinstallation erases all configuration data (including network settings), it is recommended that you first save all configuration data to a file on an FTP server. When you use the Configuration Menu ptcfg command, installed keys and certificates are included in the configuration data and can later be restored by using the gtcfg command. For more information about these commands, see the “Configuration Menu” on page 194.

To reinstall software on a Firewall Director, you will need the following:

n Access to the target Firewall Director through a direct connection to its serial port. Remote Telnet or SSH connections cannot be used for reinstalling software.
n An install image loaded on an FTP server on your network.
n The host name or IP address of the FTP server. If you choose to specify the host name, the DNS parameters must already have been configured. For more information, see the “DNS Servers Menu” on page 201.
n The name of a valid .img Firewall Director installation image.

Software reinstallation is performed using the following procedure.

1. Log in as the boot user. The password is ForgetMe.

2. After a successful login, follow the onscreen prompts and provide the required information. If the Firewall Director has not previously been configured for network access, you must provide network settings such as the IP address, network mask, and gateway IP address.

After the new boot image has been installed, the Firewall Director reboots, and you can log in again using the default passwords when the login prompt appears. Change the default passwords before returning the Director to service.

The new Firewall Director is now ready to be installed as part of a new cluster (see Chapter 3, “Initial Setup,” on page 71) or added to an existing cluster (see Chapter 8, “Expanding the Cluster,” on page 325).


APPENDIX C Troubleshooting

Firewall Director Cannot Locate the Firewall Accelerator

In this scenario, when the Firewall Director boots up, it cannot discover the Firewall Accelerator (with auto-discovery on) within 50 seconds. The /cfg/acc/det command does not display the MAC address of the Firewall Accelerator.

Actions
n Power on the Firewall Accelerator.
n Make sure the Firewall Accelerator has the Firewall Accelerator software installed.
n Connect the Firewall Director to one of the NAAP ports. Ports 6, 7, and 8 are pre-set as NAAP ports (the factory default) on the Firewall Accelerator.
n Enable the NAAP ports to which the Firewall Director is connected. The link and active indicator lights on the Firewall Accelerator should be on and not blinking.
n Switch the power off and on, on both the Firewall Director and the Firewall Accelerator.


Configuration Did Not Update

In this scenario, the Firewall Accelerator’s configuration is not updated until the Firewall Director is rebooted.

The following critical message displays in the syslog as well as on the console:

“failed to update the primary switch”.

Actions
n Make sure there are no error messages. If entering the apply command returns error messages, the configuration changes are not applied. Make the appropriate changes to remove all error messages.
n Change the configuration so that there are no warning messages.
n Log in to the Firewall Director as root and enter the following command:

# ifconfig -a

The output of this command should display an entry for virtual NIC eth0. The entry should be listed as “up” and should have the IP address of the Firewall Director.
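The following is an added example, not part of the Nortel guide, that automates this check against saved ifconfig -a output: it reports whether eth0 is listed, whether it is UP, and whether it carries the expected address. The sample output is constructed in the 2.4-era ifconfig layout, and the expected address 10.1.1.5 is an assumption.

```shell
#!/bin/sh
# Added example, not from the Nortel guide: confirm from "ifconfig -a" output
# that the virtual NIC eth0 is UP and carries the Director's IP address.
# The sample output is constructed in the 2.4-era ifconfig layout, and the
# expected address 10.1.1.5 is an assumption.

# vnic_check FILE EXPECTED_IP: 0 if eth0 is UP with EXPECTED_IP, 1 if eth0 is
# present but down or has another address, 2 if eth0 is not listed at all.
vnic_check() {
    awk -v want="$2" '
        /^[^ \t]/ { iface = $1 }            # interface blocks start in column 1
        iface == "eth0" {
            seen = 1
            if (match($0, /inet addr:[0-9.]+/))
                addr = substr($0, RSTART + 10, RLENGTH - 10)
            if ($1 == "UP") up = 1         # flags line: "UP BROADCAST RUNNING ..."
        }
        END {
            if (!seen) { print "eth0: not present" > "/dev/stderr"; exit 2 }
            if (!up)   { print "eth0: present but not UP" > "/dev/stderr"; exit 1 }
            if (addr != want) { print "eth0: has " addr ", expected " want > "/dev/stderr"; exit 1 }
            print "eth0: UP with " addr
        }' "$1"
}

# Constructed "ifconfig -a" output for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0A:0B:0C:0D:0E
          inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
EOF
vnic_check "$sample" 10.1.1.5
rm -f "$sample"
```

On the Director itself, feed it live output with ifconfig -a > /tmp/ifcfg.txt and pass that file together with the address shown in /cfg/cur for the Director.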


Failed to Establish Trust between Management Station and Firewall Director

In this scenario, the user is unable to establish trust between the management station and the Firewall Director.

Actions
Use the following procedure to verify the trust status:
n Check the communication status. In the Check Point Policy Editor, view the Firewall Director properties and click the “Communication” button. Continue if the “Trust Status” does not display “Trust Established.”
n Test the SIC status. Click “Test-Sic-Status.” Continue if the result displays “communicating.”
n Verify network connectivity.
n If using host names, verify that the Firewall Director name resolves to the correct IP address.
n Verify that the firewall software is enabled on the Firewall Director. Log in to the Firewall Director using the administrator account and enter the following CLI command:

>> # /cfg/fw/cur

If the firewall is not enabled, enter the following CLI commands:

>> # /cfg/fw/ena
>> # apply

NOTE – After enabling the firewall, it may take several minutes before it is fully operational.

Once the firewall is operational, recheck the communication status and SIC status in the Policy Editor.


n Verify that the Firewall Director is not too busy to process the SIC request from the management station. If the Director is under excessive traffic load, decrease the traffic and try to establish trust again.
n Verify whether the Firewall Director is dropping the traffic from the management station. Log in to the Firewall Director using the root account and run the following command:

# fw monitor

If the packets from the management station are being dropped, log in as admin and unload the firewall policy using the following CLI command:

>> # /maint/diag/unldplcy

Once the firewall policy is unloaded, try to establish trust again.
n Reset the SIC. Reboot the Firewall Director, the Check Point EMC, and the Check Point management client. When all systems have rebooted, unload the firewall policy again and try to establish trust again.


Cannot Check Communication or Download Policy on Firewall Director

After the policy has been downloaded to the Firewall Director, it is no longer possible to check communication with the Director or to download the policy again.

Actions
n Reboot the Firewall Accelerator, or do the following: log in to the Firewall Director using the admin account and use the following CLI command to delete the existing policy on the firewall:

>> # /maint/diag/unldplcy

Then get the interfaces on the management client.

NOTE – Users often forget to update the Policy Editor after adding or deleting interfaces from the Firewall Director console. As a result, anti-spoofing blocks the traffic because the policy was built with incorrect interfaces.

Low Performance with Other Devices

In this scenario, you are seeing a decrease in performance when using the Alteon Switched Firewall with other routers.

Actions
n From the Firewall Accelerator console, manually configure the link parameters for the ports that connect to the other devices. Turn auto-negotiation off, set the correct speed (10 or 100), and set the duplex mode (full or half). Do the same on the other router or Firewall Accelerator. Reboot the Firewall Accelerators.


Cannot Log in to EMC Station from Management Client

The management client can not log in to the Check Point EMC station.

Actions
n If the management client and EMC station are not in the same network, add a rule to allow Check Point Management Interface (CPMI) traffic between the two networks.
n Enter the cpconfig command on the EMC station to see if the management client IP address is on the approved list.

Check Point Sends Connection Failed Messages to Firewall Director

In this scenario, you receive fwconn_record_conn: Id_set_wto(connections) failed messages during the session. This occurs when the Check Point session limit is reached. The default limit is 25000 connections.

Action
Increase the session limit on the EMC station and reduce the TCP end timeout in the Policy | Global Properties menu, under the Stateful Inspection tab. Also see “Tuning Check Point NG Performance” on page 397.
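The following shell script is an added example, not part of the Nortel guide. It scans a syslog file for the two critical messages covered in this appendix, the “failed to update the primary switch” message from “Configuration Did Not Update” and the Id_set_wto(connections) message above, and prints the corresponding action for each. The log lines are constructed; process names and timestamps on a real Director may differ.

```shell
#!/bin/sh
# Added example, not from the Nortel guide: scan a syslog file for the two
# critical messages described in this appendix and map each to the action the
# guide prescribes. The log lines below are constructed; the process names and
# timestamps in a real syslog may differ.

# syslog_counts FILE: print "switch=N conn=M", the number of
# "failed to update the primary switch" and
# "fwconn_record_conn: Id_set_wto(connections) failed" lines.
syslog_counts() {
    awk '
        /failed to update the primary switch/ { sw++ }
        /fwconn_record_conn: Id_set_wto\(connections\) failed/ { conn++ }
        END { printf "switch=%d conn=%d\n", sw, conn }' "$1"
}

# syslog_triage FILE: print the matching troubleshooting action for each
# message seen; return 1 if anything was found, 0 for a clean log.
syslog_triage() {
    counts=$(syslog_counts "$1") || return 2
    sw=${counts#switch=}; sw=${sw%% *}
    conn=${counts##*conn=}
    found=0
    if [ "$sw" -gt 0 ]; then
        found=1
        echo "$sw x 'failed to update the primary switch': clear apply errors and warnings, then confirm eth0 is up with ifconfig -a"
    fi
    if [ "$conn" -gt 0 ]; then
        found=1
        echo "$conn x 'Id_set_wto(connections) failed': Check Point session limit (default 25000) reached; raise it on the EMC and lower the TCP end timeout"
    fi
    return $found
}

# Constructed syslog excerpt for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Apr  7 10:15:02 director1 kernel: failed to update the primary switch
Apr  7 10:16:40 director1 fw: fwconn_record_conn: Id_set_wto(connections) failed
Apr  7 10:16:41 director1 fw: fwconn_record_conn: Id_set_wto(connections) failed
Apr  7 10:16:42 director1 fw: fwconn_record_conn: Id_set_wto(connections) failed
Apr  7 10:17:00 director1 sshd[812]: Accepted password for admin from 10.1.1.50
EOF
if syslog_triage "$sample"; then
    echo "no known critical messages"
fi
rm -f "$sample"
```

The counts matter as much as the match: a single Id_set_wto message after a burst of traffic is expected when the limit is briefly reached, whereas a steady stream means the session limit or the TCP end timeout needs tuning.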

Low Performance Under Heavy Traffic

In this scenario, you notice some reduced performance under heavy traffic.

Actions
n Make sure the EMC station is configured as explained in “Tuning Check Point NG Performance” on page 397.
n Log in using the administrator account and run the following command from the CLI: /info/clu. If the firewall status of the Firewall Director is not accelerating, run the command /cfg/fw/accel on. This restarts acceleration.

APPENDIX D Software Licenses

The Alteon Switched Firewall includes software which is covered by the following licenses.

Apache Software License

The Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: “This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see .

Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.


mod_ssl License

LICENSE

The mod_ssl package falls under the Open-Source Software label because it’s distributed under a BSD-style license. The detailed license information follows.

Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).”
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).”

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


OpenSSL and SSLeay Licenses

LICENSE ISSUES

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License

Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-[email protected].
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).


Original SSLeay License

Copyright (C) 1995-1998 Eric Young ([email protected]) All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.

If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used.

This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])” The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]


PHP License

The PHP License, version 2.02

Copyright (c) 1999, 2000 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name “PHP” must not be used to endorse or promote products derived from this software without prior permission from the PHP Group. This does not apply to add-on libraries or tools that work in conjunction with PHP. In such a case the PHP name may be used to indicate that the product supports PHP.
4. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes PHP, freely available from http://www.php.net/”.
6. The software incorporates the Zend Engine, a product of Zend Technologies, Ltd. (“Zend”). The Zend Engine is licensed to the PHP Association (pursuant to a grant from Zend that can be found at http://www.php.net/license/ZendGrant/) for distribution to you under this license agreement, only as a part of PHP. In the event that you separate the Zend Engine (or any portion thereof) from the rest of the software, or modify the Zend Engine, or any portion thereof, your use of the separated or modified Zend Engine software shall not be governed by this license, and instead shall be governed by the license set forth at http://www.zend.com/license/ZendLicense/.

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.

The PHP Group can be contacted via E-mail at [email protected].

For more information on the PHP Group and the PHP project, please see .


SMTPclient License

LICENSE

SMTPclient—simple SMTP client

Copyright (C) 1997 Ralf S. Engelschall, All Rights Reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License in the file COPYING along with this program; if not, write to:

Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Notice, that “free software” addresses the fact that this program is distributed under the term of the GNU General Public License and because of this, it can be redistributed and modified under the conditions of this license, but the software remains copyrighted by the author. Don't intermix this with the general meaning of Public Domain software or such a derivative distribution label.

The author reserves the right to distribute following releases of this program under different conditions or license agreements.

Ralf S. Engelschall [email protected] www.engelschall.com


GNU General Public License

GNU GENERAL PUBLIC LICENSE Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors’ reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

418 n Appendix D: Software Licenses 212535-E, April 2003 Alteon Switched Firewall Installation and User’s Guide

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.


It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’.
This is free software, and you are welcome to redistribute it under certain conditions; type ‘show c’ for details.

The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright dis- claimer” for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program ‘Gnomovision’ (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


APPENDIX E: Specifications

Alteon Firewall Accelerator Specifications

The following describes the specifications, standards, and certifications for the ASF 5300, ASF 5400, ASF 5600, and ASF 5700 Firewall Accelerators.

Physical Characteristics

Characteristic   Measurement
Width            43.18 cm (17.00 inches); standard 19-inch EIA rack mountable
Height           8.81 cm (3.47 inches)
Depth            45.72 cm (18.00 inches)
Weight           8 kg (18 lb.) maximum

Power Requirements

Specification                Measurement
Auto-ranging power supply    100-240 VAC @ 50-60 Hz, 3 A
Maximum power consumption    90 Watts

Supported Standards

- Logical Link Control (IEEE 802.2)
- 10Base-T/100Base-TX (IEEE 802.3, 802.3u)
- 1000Base-SX (IEEE 802.3z)
- Flow Control (IEEE 802.3x)
- Link Negotiation (IEEE 802.3z)
- Frame Tagging (IEEE 802.1Q) on all ports when VLANs are enabled
- SNMP Version 2c support


Port Specifications

Port            Connector        Media                                   Maximum Distance
10Base-T        RJ-45            UTP Cat. 3, 4, or 5                     100 meters (325 feet)
100Base-TX      RJ-45            UTP Cat. 5                              100 meters (325 feet)
1000Base-SX     SC full-duplex   Shortwave (850 nm): 62.5 micron MM fiber  2 to 275 meters
                                 Shortwave (850 nm): 50 micron MM fiber    2 to 550 meters (6.5 to 1804 feet)
Console (DCE)   Female DB-9      RS-232C (serial)                        25 meters (82 feet)

Environmental Specifications

Condition                               Operating Specification                      Storage Specification
Temperature                             0° to 40° C (+32° to +104° F)                –40° to +85° C (–40° to +185° F)
Relative humidity                       5 to 85% non-condensing                      5 to 95% non-condensing (40° C, 16-hour dwells at extremes), 10° C/hour
Altitude                                up to 3,050 meters (10,000 feet)             up to 10,750 meters (35,000 feet)
Shock                                   10g, 1/2 sine wave, 11 msec                  60g, 1/2 sine wave, 11 msec
Vibration, peak-to-peak displacement    0.005 in. max (5 to 32 Hz)                   0.1 in. max (5 to 17 Hz)
Vibration, peak acceleration            0.25g (5 to 500 Hz), sweep rate 1 octave/minute   0.25g (5 to 500 Hz), sweep rate 1 octave/minute

Certifications

Category    Compliance
Emissions   FCC, CFR 47 Part 15, Subpart B; ANSI C63.4-1992, Class A; FCC OST 55; VCCI Class A; CISPR 22; CSA C108.8-M1983 (R1989); EN55022 CE; EN61000-3-2, EN61000-3-3
Safety      UL 1950, CUL; DIN/VDE 0805; CSA 22.2, No. 950-93; IEC 950; EN 60950 TUV; EMKO-TSE (74-SEC) 207/94 Nordic Deviations to EN 60950


Alteon Firewall Director Specifications

The following describes the specifications, standards, and certifications for the ASF 5010 and ASF 5008 Firewall Directors.

Physical Characteristics

Characteristic   Measurement
Height           43.2 mm (1.7 inches), 1U
Width            447.3 mm (17.61 inches)
Depth            711.2 mm (28 inches)
Weight           9.97 kg (22 pounds) minimum; 11.80 kg (26 pounds) maximum
Memory           ASF 5010: 1 GB; ASF 5008: 512 MB
Storage          2 x 18 GB

Power Requirements

Specification       Measurement
AC power wattage    240 Watts maximum
Voltage             100-240 VAC, 3.6-1.8 A, 60-50 Hz
System battery      CR2032 3-V lithium coin cell

Environmental Specifications

Condition           Operating Specification                                                   Storage Specification
Temperature         10º C to 35º C (50º F to 95º F)                                           –40º C to 65º C (–40º F to 149º F)
Relative humidity   8% to 80% (non-condensing) with a humidity gradation of 10% per hour      5% to 95% (non-condensing)
Altitude            –16 m to 3,048 m (–50 ft. to 10,000 ft.)                                  –16 m to 10,600 m (–50 ft. to 35,000 ft.)
Shock               6 shock pulses of 41G for up to 2 ms                                      6 shock pulses of 71G for up to 2 ms
Vibration           0.25G at 3 Hz to 200 Hz for 15 minutes                                    0.5G at 3 Hz to 200 Hz for 15 minutes


Port Specifications

Port            Connector          Media                                     Maximum Distance
10Base-T        RJ-45              Category 3, 4, or 5 UTP                   100 meters (325 feet)
100Base-TX      RJ-45              Category 5 UTP                            100 meters (325 feet)
1000Base-SX*    SC full-duplex     Shortwave (850 nm): 62.5 micron MM fiber  2 to 275 meters
                                   Shortwave (850 nm): 50 micron MM fiber    2 to 550 meters (6.5 to 1804 feet)
Console (DCE)   Female DB-9        RS-232C (serial)                          25 meters (82 feet)
USB             two 4-pin          USB cable                                 5 meters (20 feet)
Video           15-pin             Standard cable                            N/A
PS/2 keyboard   6-pin mini-DIN     Standard cable                            N/A
PS/2 mouse      6-pin mini-DIN     Standard cable                            N/A

*Not available on the ASF 5008

Certifications

Category   Compliance
EMC        CISPR22, CISPR24; FCC CFR 47, Part 15, Class A; VCCI, Class A; ICES, Class A; CE EN-55022, EN-55024, EN-61000-4-2, EN-61000-4-3, EN-61000-4-4, EN-61000-4-5, EN-61000-4-6, EN-61000-4-8, EN-61000-4-11; BSMI CNS 13438 Class A; AS/NZS 3548 Class A
Safety     UL 1950; CSA 22.2 No. 950; IEC 60950, with all NCB Member Differences*; EN 60950; IEC 60825-1

*NCB (National Certified Bodies) Member countries: Austria, Australia, Belgium, Canada, Switzerland, China, Czech Republic, Germany, Denmark, Spain, Finland, France, United Kingdom, Greece, Hungary, Ireland, Israel, India, Italy, Japan, Republic of Korea, The Netherlands, Norway, Poland, Russia, Sweden, Singapore, Slovenia, Slovakia, United States of America, South Africa

Index

Symbols
/ ...... 111
? (help) ...... 111
[ ] ...... 16
...... 359

A
abbreviating commands (CLI) ...... 114
accelerated connections ...... 401
actio (SLB filtering option) ...... 300
activate
    software upgrade package ...... 353
    software version ...... 353
Address Resolution Protocol (ARP)
    interval ...... 236
ARP. See Address Resolution Protocol.
auto-negotiation
    enable/disable on port ...... 248, 249
autonomous systems (AS) ...... 367

B
BBI ...... 368
Browser-Based Interface ...... 368

C
cable-management arm
    installing ...... 55
certifications ...... 426
Check Point
    management tools ...... 81
Check Point components
    Enterprise Management Console ...... 19
    management clients ...... 19
Command Line Interface ...... 368
Command-Line Interface (CLI) ...... 101
commands
    abbreviations ...... 114
    shortcuts ...... 114
    stacking ...... 114
    tab completion ...... 114
configuration
    basic ...... 74
    firewall policies ...... 89
    flow control ...... 247, 249
    licenses and interfaces ...... 78
    operating mode ...... 247
    OSPF examples ...... 374
    port link speed ...... 247
    route redistribution, OSPF ...... 382
    route redistribution, RIP ...... 359
    troubleshooting ...... 406
connect
    via console ...... 68
connections
    maximum concurrent ...... 401
connectors
    iSD310-SSL terminal pin assignments ...... 69
console connection ...... 68

D
dip (destination IP address for filtering) ...... 301
disconnect
    idle timeout ...... 110
dmask
    destination mask for filtering ...... 301
DNS servers
    add to configuration ...... 201
    list configured ...... 201
    remove configured ...... 201
doors
    removing ...... 42
    replacing ...... 56

E
EtherChannel
    as used with port trunking ...... 246
external routing ...... 367

F
factory default configuration
    after reinstalling software ...... 355, 403
filters
    IP address ranges ...... 301
flow control
    configuring ...... 247, 249
four-post kit
    installing cable-management arm ...... 55
front panel ...... 31
    ports ...... 31

G
global commands
    nslookup ...... 111

H
help ...... 111

I
idle timeout
    overview ...... 110
installing
    cable-management arm ...... 55
    stiffening bracket ...... 47
    two-post slide assemblies ...... 44
    VersaRails slide assemblies ...... 51
installing in rack
    system ...... 53, 54
installing system
    two-post rack ...... 53
internal routing ...... 367
IP address
    filter ranges ...... 301

L
lines (display option) ...... 111
link
    speed, configuring ...... 247

M
mounting
    equipment rack ...... 36

N
NTP servers
    add to configuration ...... 200, 213, 214
    list configured ...... 200, 213, 214
    remove configured ...... 200, 213, 214
NTP setting menu ...... 200

O
online help ...... 111
operating mode, configuring ...... 247
OSPF
    configuration examples ...... 374
    creating a virtual link ...... 376
    defining an OSPF domain ...... 375
    route redistribution ...... 359, 382
    summarizing routes ...... 380

P
partially accelerated connections ...... 401
passwords ...... 98
pin assignments
    iSD310-SSL ...... 69
ping ...... 111
port trunking
    description ...... 246
ports
    physical. See switch ports.
    RJ-45 ...... 31
    serial ...... 31
pwd ...... 111

Q
quiet (screen display option) ...... 112

R
rear panel ...... 32
receive flow control ...... 247, 249
redistributing routes, OSPF ...... 359, 382
redistributing routes, RIP ...... 359
reinstalling software ...... 355
RIP (Routing Information Protocol)
    advertisements ...... 358
    distance vector protocol ...... 357
    hop count ...... 357
    metric ...... 357
    routing table ...... 358
    UDP ...... 358
    version 1 ...... 357
routers
    border ...... 367
    peer ...... 367
routes, advertising ...... 367
routing
    internal and external ...... 367
Routing Information Protocol. See RIP.

S
serial cable connection ...... 70
shortcuts (CLI) ...... 114
SIP (source IP address for filtering) ...... 301
smask
    source mask for filtering ...... 301
SNMP
    menu options ...... 210, 213, 214, 215, 216
software
    activate downloaded upgrade package ...... 353
    reinstall ...... 355
    version handling when upgrading ...... 353
stacking commands (CLI) ...... 114
stiffening bracket ...... 47
summarizing routes
    example ...... 380
switch ports
    VLANs membership ...... 251

T
tab completion (CLI) ...... 114
TCP
    source and destination ports ...... 300
terminal
    connecting to iSD ...... 70
    iSD310-SSL connectors ...... 69
timeouts
    idle connection ...... 110
traceroute ...... 112
transmit flow control ...... 247, 249

U
UDP
    RIP ...... 358
    source and destination ports ...... 300
upgrade
    activate software package ...... 353
    handling software versions ...... 353

V
verbose ...... 112
virtual link
    configuration example ...... 376
Virtual Router Redundancy Protocol (VRRP)
    virtual router options ...... 258
VLAN tagging
    port restrictions ...... 253
VLANs
    port members ...... 251
    tagging ...... 251, 253