manualshive.com logo in svg

FireBrick FB6402, User Manual

Share
Download
FireBrick FB6402 User Manual Download Page 84

Tunnels

67

11.1.1.6. Identities and the Authentication Mechanism

To fully appreciate the mechanism of authentication, it is necessary to understand the concept of IKE Identities.
Each  end  of  an  IPsec/IKE  peering  has  an  identity,  and  the  purpose  of  the  IKE  authentication  process  is  to
establish the identity to the peer - ie prove to the peer that you are the identity you proclaim to be. An IKE
identity can take one of a variety of forms - it may be an IP address (IPv4 or IPv6), an email address, a domain
name or a key identifier. It is important to understand that these forms are, in a sense, notional - you do not have
to actually be addressable using a particular IP to proclaim it as your identity, nor do you have to be contactable
by an email address if that form is used, nor does a domain name need to be resolvable to your IP address (or,
indeed, resolvable at all). This is not unlike the use of personal names, at least in the UK, where you do not
have to use your official birth certificate name - you can use any name provided that you can prove that you
are associated with that name.

Each end of an IKE connection authenticates itself to its peer by signing a block of data which includes its
identity along with other connection-specific data. Depending on the authentication method, the signature is
generated  using  a  pre-shared  secret,  a  private  key  associated  with  an  X.509  end-entity  certificate,  or  a  key
determined by an EAP exchange.

If  a  peer  authenticates  using  a  pre-shared  secret,  you  trust  he  is  who  he  says  he  is  simply  by  virtue  of  his
knowledge of the secret. With certificates the situation is more complex: a successful signature verification
using a certificate simply proves that the peer has the private key associated with the certificate used. To accept
the authentication you also need to trust the certificate - ie you need to believe that the certificate does indeed
belong to the peer. One way to do this is to use a self-signed end-entity certificate - in this case your peer gives
you a copy of his certificate in advance, and you choose to trust it on this basis. To avoid needing to install a
separate certificate for every peer you may need to authenticate with, it is more normal to have a chain of trust
- you elect to trust a certificate from a certificate authority (CA), and you then implicitly trust any certificates
which have been signed by that authority using that certificate (and in turn any subordinate certificates signed
by these) without needing to explicitly install any of them beforehand. In other words, you are trusting that the
CA (and any intermediates) who issued the certificate checked that the intended owner was entitled to use the
certificate before issuing it. A certificate includes various data items including the identity of the owner, so the
final step in the authentication check using a certificate is to confirm that the certificate used is valid, and its
owner identity matches the IKE identity claimed by the peer.

11.1.2. Setting up IPsec connections

First, an IPsec configuration section needs to be added to the configuration if not already present, or edited if
present. Select "Add: New: IPsec connection settings" or edit the exiting entry on the tunnel setup page.

11.1.2.1. Global IPsec parameters

There are some global parameters affecting all connections which can be set on the main IPsec entry.

The logging options loglog-error, and log-debug can be used to steer logging information which is not specific
to a particular connection to a selected logging target.

The allow and trusted entries can be used to restrict IKE connections to particular IPs and/or IP ranges. An
IKE connection setup request can potentially be received from any device, and setting up a connection involves
some CPU-intensive calculations. The IKE implementation attempts to guard against the possibility of Denial-
of-Service attacks from rogue devices requesting bogus connections by limiting the initial connection rate, but
for added security allow and trusted settings are also provided. Connections from IPs in either of the two lists
are always accepted, and those in the trusted list are processed at higher priority. If an allow list has been set,
connection attempts from IPs not in the allow or trusted lists are not accepted.

There is also a Force-NAT option which will force the FireBrick to assume that remote devices on the list are
behind NAT boxes. IKE has built-in NAT detection so this option is rarely needed. See the separate section
on NAT Traversal for more details.

Summary of Contents for FB6402

Page 1: ...FireBrick FB6402 User Manual FB6000 Versatile Network Appliance...

Page 2: ......

Page 3: ...FireBrick FB6402 User Manual This User Manual documents Software version V1 46 100 Copyright 2012 2017 FireBrick Ltd...

Page 4: ...Object Hierarchy 9 3 2 The Object Model 9 3 2 1 Formal definition of the object model 10 3 2 2 Common attributes 10 3 3 Configuration Methods 10 3 4 Web User Interface Overview 10 3 4 1 User Interfac...

Page 5: ...o Flash memory 29 5 1 1 2 Logging to the Console 30 5 2 Enabling logging 30 5 3 Logging to external destinations 30 5 3 1 Syslog 30 5 3 2 Email 31 5 3 2 1 E mail process logging 32 5 4 Factory reset c...

Page 6: ...rrier grade NAT 53 7 4 9 Using NAT setting on subnets 53 8 Routing 55 8 1 Routing logic 55 8 2 Routing targets 56 8 2 1 Subnet routes 56 8 2 2 Routing to an IP address gateway route 56 8 2 3 Special t...

Page 7: ...5 Choice of algorithms 74 11 1 6 NAT Traversal 75 11 1 7 Configuring a Road Warrior server 76 11 1 8 Connecting to non FireBrick devices 77 11 1 8 1 Using StrongSwan on Linux 77 11 1 8 2 Setting up a...

Page 8: ...97 15 2 2 Standards 97 15 2 3 Simple example setup 98 15 2 4 Peer type 98 15 2 5 Route filtering 99 15 2 5 1 Matching attributes 99 15 2 5 2 Action attributes 99 15 2 6 Well known community tags 100 1...

Page 9: ...ps 115 E 2 6 See DHCP allocations 116 E 2 7 Clear DHCP allocations 116 E 2 8 Lock DHCP allocations 116 E 2 9 Unlock DHCP allocations 116 E 2 10 Name DHCP allocations 116 E 2 11 Show ARP ND status 116...

Page 10: ...ical port controls 137 H 2 17 sampling Packet sampling configuration 137 H 2 18 portdef Port grouping and naming 138 H 2 19 interface Port group VLAN interface settings 138 H 2 20 subnet Subnet settin...

Page 11: ...log severity 167 H 3 7 syslog facility Syslog facility 167 H 3 8 month Month name 3 letter 168 H 3 9 day Day name 3 letter 168 H 3 10 port Physical port 169 H 3 11 Crossover Crossover configuration 16...

Page 12: ...FireBrick FB6402 User Manual xii H 3 38 dynamic graph Type of dynamic graph 175 H 3 39 firewall action Firewall action 175 H 4 Basic types 175 Index 178...

Page 13: ...tegories 12 3 4 The Setup category 13 3 5 Editing an Interface object 14 3 6 Show hidden attributes 14 3 7 Attribute definitions 14 3 8 Navigation controls 15 4 1 Setting up a new user 21 4 2 Software...

Page 14: ...types 98 15 2 Communities 100 15 3 Network attributes 101 B 1 DHCP client names used 109 D 1 iso 3 6 1 4 1 24693 1 111 D 2 iso 3 6 1 4 1 24693 179 111 F 1 File types 120 F 2 Colours 121 F 3 Text 122...

Page 15: ...152 H 51 ipsec ike Attributes 152 H 52 ipsec ike Elements 153 H 53 ike connection Attributes 153 H 54 ike connection Elements 154 H 55 ipsec route Attributes 155 H 56 ike roaming Attributes 155 H 57...

Page 16: ...100 LinkPower PHY power saving options 170 H 101 LinkFault Link fault type to send 171 H 102 sampling protocol Sampling protocol 171 H 103 trunk mode Trunk port more 171 H 104 ramode IPv6 route announ...

Page 17: ...tware and ensures FireBrick are able to maximise performance from the hardware and maintain exceptional levels of quality and reliability The result is a product that has the feature set performance a...

Page 18: ...factory The procedure requires physical access to the FB6000 and can be applied if you have made configuration changes that have resulted in loss of access to the web user interface or any other situa...

Page 19: ...case a single physical connection can be made between a VLAN capable switch and the FB6000 and with the switch configured appropriately this physical connection will carry traffic to from multiple VLA...

Page 20: ...e like to dive in hands on working with examples and tweaking them until they work the way they want referring to documentation as required Other people prefer to build their knowledge up from first p...

Page 21: ...tware see Section 4 3 and are using the latest revision of the manual applicable to that software version and have attempted to answer your query using the material in this manual Many FireBrick resel...

Page 22: ...e training courses for the FB2x00 series products and also training course on general IP networking that are useful if you are new to networking with IP To obtain information about upcoming courses pl...

Page 23: ...your LAN and it will get an address Port 4 is configured by default not to give out any addresses and as such it should not interfere with your existing network You would need to check your DHCP serve...

Page 24: ...age for managing the configuration 2 2 1 Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick s user interface Click on the Users icon then click...

Page 25: ...e a new configuration that includes your new user definition You should now see a page showing the progress of storing the new configuration in Flash memory Figure 2 4 Configuration being stored On th...

Page 26: ...locally attached subnet is a child of an object that defines an interface and as such defines that the subnet is accessible on that specific interface Since multiple interfaces can exist other interf...

Page 27: ...to avoid confusion 3 3 Configuration Methods The configuration objects are created and manipulated by the user via one of two configuration methods web based graphical User Interface accessed using a...

Page 28: ...d showing the current software version the remaining page area contains the content for the selected part of the user interface Figure 3 1 shows the main menu when it is set to display horizontally No...

Page 29: ...to set up FireBricks in a style and branding of their choice 3 4 2 Config pages and the object hierarchy The structure of the config pages mirrors the object hierachy and therefore they are themselve...

Page 30: ...factory reset configuration You can push down into the hierarchy by clicking the Edit link in a table row This takes you to a page to edit that specific object The page also shows any child objects of...

Page 31: ...ox is show the attribute name this is a compact string that exactly matches the underlying XML attribute name a short description of the attribute Tip If there is no default shown for an attribute the...

Page 32: ...The configuration pages are generated on the fly using JavaScript within your web browser environment i e client side scripting As such the browser is essentially unaware of changes to page content an...

Page 33: ...L 3 5 1 Introduction to XML An XML file is a text file i e contains human readable characters only with formally defined structure and content An XML file starts with the line xml version 1 0 encoding...

Page 34: ...lement which contains the entire element hierarchy In the FB6000 the root element is config and it contains top level configuration elements that cover major areas of the configuration such as overall...

Page 35: ...hfront co uk resolvers 81 187 42 42 81 187 96 96 services port name WAN ports 1 port name LAN ports 2 interface name WAN port WAN subnet name ADSL ip 81 187 106 73 30 interface interface name LAN port...

Page 36: ...ploaded to the FireBrick using HTTP transfers done via tools such as curl Using these methods configuration of the FB6000 can be integrated with existing administrative systems Note Linebreaks are sho...

Page 37: ...type multi part form data An example of doing this using curl run on a Linux box is shown below curl http FB6000 IP address or DNS name config config user username password form config filename Note Y...

Page 38: ...As with any such object erase operation the object will not actually be erased until the configuration is saved Once you have added a new user or are editing an existing user the object editing page w...

Page 39: ...access unless explicitly listed view View only access no passwords or hashes read Read only access with passwords and hashes full Full view and edit access DEFAULT 4 1 3 Login idle timeout To improve...

Page 40: ...the old password and the new password twice and the password is updated If you have OTP set up on a user then you cannot change the password simply using the configuration editor unless also setting...

Page 41: ...ork The hostname is set using the name attribute 4 2 2 Administrative details The attributes shown in Table 4 3 allow you to specify general administrative details about the unit Table 4 3 General adm...

Page 42: ...AT to drop However the FB6000 reboots very quickly and in many cases users will be generally unaware of the event You can also use a profile to restrict when software upgrades may occur for example yo...

Page 43: ...current software version is displayed on the main Status page shown when you click the Status main menu item itself i e not a submenu item The main software application version is shown next to the w...

Page 44: ...upgrades are attempted see Chapter 9 for details on profiles The current setting of sw update in descriptive form can be seen on the main Status page adjacent to the word Upgrade as shown in Figure 4...

Page 45: ...nning After power up the normal power LED indication sequence is therefore to go through the 1 second period flashing phase and then if at least one Ethernet port is connected to an active device or a...

Page 46: ...erface or command line which can show the history in the buffer and then follow the log in real time even when viewing via a web browser with some exceptions see Section 5 6 1 In some cases it is esse...

Page 47: ...ebug This is extra detail and is normally only used when diagnosing a problem Debug logging can be a lot of information for example in some cases whole packets are logged e g PPP It is generally best...

Page 48: ...sending another Having a hold off period means you don t get an excessive number of e mails since the logging system is initially storing event messages in RAM the e mail that is sent after the hold o...

Page 49: ...actory reset configuration also has a log target named fb support which is referenced by the log panic attribute of the system object see Section 5 7 This allows the FireBrick to automatically email t...

Page 50: ...al Ethernet hardware messages log eth debug Ethernet hardware debug messages log eth error Ethernet hardware error messages log panic System Panic events log stats One second stats messages Specifying...

Page 51: ...set up Until them the first active port is used on its own If you do not wish to use LACP for the trunk static config you can edit the individual ethernet port settings to set lacp to false If lacp mo...

Page 52: ...is associated with a broadcast domain therefore multiple subnets existing in a single broadcast domain are not isolated at layer 2 from each other Effective firewalling at layer 3 cannot be establish...

Page 53: ...the routing table of the interface However it is possible to set a source filter table which allows the check to be done in a different routing table This usually only makes sense when used with the...

Page 54: ...o omitted as are any other addresses not within a subnet on the same interface Every allocation made by the DHCP server built in to the FB6000 is stored in non volatile memory and will survive power c...

Page 55: ...turer which is registered to allocate that MAC address to an Ethernet device By specifying only these first three bytes six hexadecimal characters no colon delimiters in the mac attribute you can ensu...

Page 56: ...o be set up for specific relays The table and allow allow you to limit the use of the DHCP Remote server to requests from specific sources note that renewal requests come from the allocated IP or NAT...

Page 57: ...ason to restrict the operation to either of these modes you can set the duplex attribute to either half or full This will cause the port to only advertise the specified mode if the auto negotiate capa...

Page 58: ...identifiers used to do the multiplexing For both UDP and TCP this identifier is a port number whose scope is local to the end point and is therefore usually different at each end point for a given fl...

Page 59: ...essor load so in practice it can easily handle very large session tables hundreds of thousands of entries Note that TCP sessions also have time outs this is necessary since the connection may not be c...

Page 60: ...ibute of the rule set is taken The available actions are the same as for a session rule Table 7 1 Action attribute values action attribute Action taken drop immediately cease rule processing quietly d...

Page 61: ...he FB6000 s session rule specifications you may interpret the no match action as specifying what happens if the rule set s entry criteria are not met i e at the beginning of processing a rule set no m...

Page 62: ...owed Yes no match action is accept No No no match action is drop reject ignore No action is continue Yes action is drop reject ignore No No action is continue or accept Rule criteria met Yes Session A...

Page 63: ...milarly click the Edit link next to the rule set you want to modify As described in Section 7 3 2 a rule set can optionally specify entry criteria in the web user interface these come under the headin...

Page 64: ...set per interface with the interface specified as the target interface in the entry criteria such that the rule set relates to sessions to that interface implement a default drop policy on each firewa...

Page 65: ...c Normally a session table entry holds enough information to allow return traffic to reach its destination without potentially being firewalled However a session rule can specify certain changes to be...

Page 66: ...ngoing timeout attribute Ongoing time out this time out period begins when each subsequent packet of the session arrives at the FB6000 it is specified by the set initial timeout attribute Note The act...

Page 67: ...rules as normal but as it is already mapped it allows the firewall rules to consider the target typically a private IP address and port This allows much finer control than would be possible otherwise...

Page 68: ...t connection Tip It is strongly recommended that you make use of PPPoE to connect to such an Internet connection thereby affording the FireBrick itself with the single public IPv4 address assigned to...

Page 69: ...ort in a rule which causes the next rule set to see the new changed setting the NAT setting does not actually make these changes until the end of the processing of the rule sets i e a subsequent rule...

Page 70: ...h cases Using this arrangement ensures that traffic internally between RFC1918 and public IP addresses can continue without using NAT internally Tip For fallback arrangements such as a dongle where al...

Page 71: ...f to another subnet on the same FireBrick and this is often not the case This can be useful in very simple configurations where the FireBrick only has the one private subnet but in most cases it is be...

Page 72: ...s but routes can only use prefixes There are two cases that deserve special attention A routing destination may be a single IP address in which case it is a 32 in CIDR notation for IPv4 The 32 part fo...

Page 73: ...s a very specific single IP a 32 for IPv4 or a 128 for IPv6 route for the IP address of the FB6000 itself on that subnet This is a separate loop back route which effectively internally routes traffic...

Page 74: ...k comes up when the link goes down these routes are removed automatically Refer to Chapter 11 for details on how to achieve this via the routes attribute on the tunnel definition objects This can be u...

Page 75: ...r to Chapter 7 When establishing a session it is possible to scan an ordered list of rules which can consider not only the target IP but also source IP protocol ports and interfaces being used The res...

Page 76: ...OT allowing for some complex profile logic to be defined that determines a final profile state from several conditions When considering the state of another profile it is the previous second s state t...

Page 77: ...ol port state with a profile so you could have a port come up if another port is down to create a fallback arrangement If more than one of these general tests is selected corresponding attribute speci...

Page 78: ...itch is not part of the config The switch state is automatically stored in the dynamic peristent data along with DHCP settings etc so survives a power cycle restart The control switch uses initial as...

Page 79: ...m the FB6000 via the web User Interface to view a graph click the PNG item in the Graphs menu This will display all the graphs that are currently configured it is not currently possible to show a sing...

Page 80: ...Multiple objects can share the same graph Graphs can sometimes be created automatically and may have speeds applied 10 1 4 Long term shapers If defining a shaper using the shaper object there are a nu...

Page 81: ...ntly sent This depends on the length of packets sent and the speed of the shaper This is essentially tracking how much is likely to be queued at a bottleneck further on The FB6000 does not delay sendi...

Page 82: ...etween a roaming client and a server providing security for working at home or on the road scenarios This usage is usually known as a Road Warrior connection The FireBrick can be used as the server fo...

Page 83: ...mechanisms to select the keys to be used using the Diffie Hellman key exchange mechanism IKE also performs authentication between the two link endpoints using for example X 509 certificates pre shared...

Page 84: ...need to authenticate with it is more normal to have a chain of trust you elect to trust a certificate from a certificate authority CA and you then implicitly trust any certificates which have been si...

Page 85: ...range of 16 or a single IPv6 range of 112 11 1 2 4 IKE connections To set up a new IKE connection select Add New IKE connections on the IPsec configuration page There are a large number of options ava...

Page 86: ...f ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all If the prefix IP FQDN etc is omitted in the identity the FireBrick...

Page 87: ...or more complex routing a number of separate route elements can be added to the tunnel config Metrics and the routing tables to be used may also be specified The blackhole option can be set to ensure...

Page 88: ...mplementation when using manual keying the same key is used for both incoming and outgoing traffic The same keys and algorithms must be configured at the remote end of the link The above keys are exam...

Page 89: ...ween the client and server These take place using the IKE control channel so although at this stage the server does not yet know the identity of the client connecting indeed it is purpose of the EAP i...

Page 90: ...ess the certificate is self signed the certificate s used as CAs to provide a trust chain must also be installed though private keys are not required for these and for security should not be installed...

Page 91: ...e company Paradigm Ltd who wish to set up a certificate suitable for authenticating one of their servers using IKE identity FQDN vpn server42 paradigm co uk To make a suitable CA and end entity certif...

Page 92: ...ntrol Data none DHGroup Data Yes MODP 1024 DHGroup Control Data MODP 2048 DHGroup Control Data Yes HMAC MD5 PRF Control HMAC SHA1 PRF Control Yes AES XCBC 128 PRF Control Yes HMAC SHA256 PRF Control Y...

Page 93: ...nset in order to allow connections from any client Certificates An end entity certificate identifying the FireBrick should be created along with its private key and signed with a suitable CA certifica...

Page 94: ...Several vendors have released IKEv2 support only recently it is worth checking with your vendor for firmware upgrades The FireBrick is known to interoperate well with StrongSwan implementations and w...

Page 95: ...hould be configured as described earlier using certificate authentication for the FireBrick and EAP for the peers Install the StrongSwan app on the Android device this is a free app available from the...

Page 96: ...ves multiple IP addresses or IPv6 addresses Symptoms of this include being unable to connect at all for varying periods of time and connections dropping shortly after establishing while appearing to s...

Page 97: ...1415 A hmac sha1 0x0123456789012345678901234567890123456789 add 192 168 1 1 192 168 2 2 esp 2000 m tunnel E rijndael cbc 0x00010203040506070809101112131415 A hmac sha1 0x012345678901234567890123456789...

Page 98: ...IP addresses to a network but it is either impossible to route the addresses directly to the network e g it is behind a NAT ing router or is connected via networks e g a 3rd party ISP that you have n...

Page 99: ...o not need to manually change routing information to suit A dynamic route is defined by setting the routes attribute on the tunnel definition specifying one or more routing destinations in CIDR format...

Page 100: ...nds on whether the FB6000 behind the router has a far end IP address specified in tunnel definition s as follows If it does then it will be sending tunnel wrapper packets via the NAT router such that...

Page 101: ...ier network In addition the extra latency may cause problems with devices expecting LAN speed responses for example switches running LACP Configuring an ETUN connection is very simple Select Add New E...

Page 102: ...not present the service is disabled Clicking on the Edit link next to the services object will take you to the lists of child objects Where a service object is not present the table in that section wi...

Page 103: ...s purpose is to serve the HTML and supporting files that implement the web based user interface for the FB6000 It is not a general purpose web server that can be used to serve user documents and so th...

Page 104: ...s attribute However DNS resolvers are also learned automatically via various systems such as DHCP In most cases you do not need to set the resolvers 12 5 1 Blocking DNS names You can configure names s...

Page 105: ...NTP client service typically only requires setting the timeserver attribute to specify one or more NTP servers using either DNS name or IP address 12 7 SNMP configuration The SNMP service allows othe...

Page 106: ...ollows a defined processing flow when it comes to deciding whether to establish a new session see Section 7 2 for an overview of session tracking and its role in implementing firewalling The processin...

Page 107: ...is the name of an IP address group that does not include 1 2 3 4 dns local only true DNS resolver access This address is not on a local Ethernet subnet and so not allowed access 13 3 Packet Dumping Th...

Page 108: ...ackets self Include my IP By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded This option allows such traffic Use with care else you dump your...

Page 109: ...PPP protocol bytes and then have fake PPPoE and Ethernet headers added A snaplen value of 0 has special meaning it causes logging of just IP TCP UDP and ICMP headers as well as headers in ICMP error p...

Page 110: ...rname name and password pass to log in to a FireBrick on address 1 2 3 4 obviously you would change the IP address or host name and credentials to something suitable for your FB6000 We have asked for...

Page 111: ...tems do not work well and get confused about the same MAC appearing on different interfaces and VLANs As such it is generally a good idea to avoid doing this unless you are sure your network will cope...

Page 112: ...ult Devices have to be using the same version IPv4 and IPv6 can co exist with one using VRRP2 and the other VRRP3 Setting the same config apart from priority on all devices ensures they have the same...

Page 113: ...nd is selected It can also be specifically set in the config by setting the attribute version3 to the value true Caution If you have devices that are meant to work together as VRRP but one is version...

Page 114: ...case Even though IPv4 address space has already run out it is possible to obtain IPv6 PI address space and an AS number to announce your own IPv6 addresses to multiple providers for extra resilience...

Page 115: ...lements that apply are defined in the XML XSD documentation for your software release 15 2 4 Peer type The type attribute controls some of the behaviour of the session and some of the default settings...

Page 116: ...hen the default actions from the import export object are used In addition the top level import export has a prefix list If present then this will limit the prefixes processed at a top level dropping...

Page 117: ...k hole routes The FireBrick allows black hole routes to be defined using the the blackhole object Routing for such addresses is simply dropped with no ICMP error Such routes can be marked for BGP anno...

Page 118: ...around this have by default ignore bad optional partial set to true The effect is that if a path attribute we understand is wrong and it is optional and trhe router that sent it to us did not underst...

Page 119: ...lpref prefix stuffed and then a delay allows these to propagate This is a configurable option per peer and the maximum delay of all active peers is used as the delay Setting to zero will not do the lo...

Page 120: ...ssed command history memory the CLI remembers a number of previously typed commands and these can be recalled using the Up and Down cursor keys Once you ve located the required command you can edit it...

Page 121: ...CIDR The prefix notation introduced by CIDR was in the simplest sense to make explicit which bits in a 32 bit IPv4 address are interpreted as the network number or prefix associated with a site and wh...

Page 122: ...IPv4 subnet on the LAN interface after factory reset is 10 0 0 1 24 the address of the FB6000 on this subnet is therefore 10 0 0 1 and the prefix length is 24 bits leaving 8 bits for host addresses o...

Page 123: ...useful on some cable modem type installations where multiple IPs are only available if the FireBrick appears to be multiple devices at once Whilst DHCP theoretically does not need separate MAC address...

Page 124: ...he port group and VLAN tag of the interface This is used for dynamic IPv6 allocation on the interface using router announcements RA and any other interface specific uses that are not relates to a subn...

Page 125: ...s range In this example the range is specified as 000397 147C F this is interpreted as All addresses in the range start with 00 03 97 14 7 the next digit then ranges from C through to F the first addr...

Page 126: ...the system name is set on the FB6000 as shown in Table B 1 Refer to Section 4 2 1 for details on setting the system name Table B 1 DHCP client names used System name Client name used not set e g fact...

Page 127: ...ach group from the others Where more than one switch is used with an uplink connection between switches VLAN tagging is used to multiplex packets from different VLANs across these single physical conn...

Page 128: ...eger mV Voltage 1 1V reference 1 8 Integer mV Voltage 3 3V fan power if present 1 9 Integer mV Voltage 1 2V fan power if present 2 1 Integer mC Temperature Fan controller 2 2 Integer mC Temperature CP...

Page 129: ...FireBrick specific SNMP objects 112 IP 4 Integer Received IPv4 prefixes IP 5 Integer Seconds since last state change IP 6 Integer Received IPv6 prefixes...

Page 130: ...uptime Shows how long since the FB6000 restarted E 1 4 General status show status Shows general status information including uptime who owns the FireBrick etc This is the same as the Status on the we...

Page 131: ...using this command as you can use the web interface and tools like curl to load configtations This command is provided as a last resort for emergency use so use with care E 1 11 Show profile status s...

Page 132: ...onse hops There are a number of controls allowing you to fine tune what is sent Obviously you should only send from a source address that will return to the FB6000 correctly You can also ask for the r...

Page 133: ...ress even if long expired E 2 9 Unlock DHCP allocations unlock dhcp ip IP4Addr table routetable Unlocks a DHCP allocation allowing the address to be re used if the expired E 2 10 Name DHCP allocations...

Page 134: ...in as a user set with DEBUG level access E 5 1 Panic panic string confirm string This causes the FB6000 to crash causing a panic event with a specified message You need to specify confirm yes for the...

Page 135: ...l if you know you have left a telnet connected from somewhere else Telnet sessions usually have a timeout but this can be overridden in the configuration for each user E 5 7 Flash memory list show fla...

Page 136: ...nd line reference 119 The logging system can log to flash for a permanent record This is done automatically for some system events and when booting You can specify the number of bytes of recent log to...

Page 137: ...terface This can be used as a direct link from a web browser or using common tools such as curl and wget The web management interface services http define the port and allowed user list and also a tru...

Page 138: ...te These attributes apply to both png and svg output however it is also possible to override the svg style and use a css style sheet from a URL instead In such cases none of the colour settings from t...

Page 139: ...ndwidth and scale axis shown based on space provided left and right R Defines a number of pixels to be provided on the right of the graph Bandwidth and scale axis is shown based on space provided left...

Page 140: ...name png as a relative link thereby ensuring all graphs appear in this directory The options list can include separators rather separators to make apparent subdirectories ext The file extension can be...

Page 141: ...nd up to 20 characters Only letters numbers and are allowed All other characters are removed It is recommended that names complying with this are used Any graph name that you try and use that is too l...

Page 142: ...unctions for passwords but on any successful login may change the config to use the current preferred password hash function This allows FireBrick to move to more secure password hash functions in fut...

Page 143: ...ion if needed without ever having to know the seed or password itself Caution This means that if someone knows or finds out the password and has access to the configuration file then they could extrac...

Page 144: ...seed XOR with the hash made from the password with salt appended If seed is longer than hash then only initial hash length bytes are XOR d S bytes Seed bytes should be random 1 byte 2 s complement ch...

Page 145: ...p relay dhcp relay Optional unlimited DHCP server settings for remote relayed requests eap eap Optional unlimited User access control via EAP ethernet ethernet Optional unlimited Ethernet port setting...

Page 146: ...for idle eth rx qsize unsignedInt 2000 Size of eth driver Rx queue eth tx qsize unsignedInt 2000 Size of eth driver Tx queue intro string Home page text location string Location description log NMTOK...

Page 147: ...Comment name string Link name profile NMTOKEN Profile name source string Source of data used in automated config management text string Link text url string Link address H 2 3 user Admin users User n...

Page 148: ...n automated config management subsystem eap subsystem Not optional Access controlled subsystem H 2 5 log Log target controls Named logging target Table H 8 log Attributes Attribute Type Default Descri...

Page 149: ...11 log email Attributes Attribute Type Default Description comment string Comment delay duration 1 00 Delay before sending since first event to send from string One made up using serial number Source...

Page 150: ...13 snmp service Attributes Attribute Type Default Description allow List of IPNameRange Allow from anywhere List of IP ranges from which service can be accessed comment string Comment community string...

Page 151: ...date in month tz12 day day Sun Timezone 1 to 2 day of week of change tz12 month month Mar Timezone 1 to 2 month tz12 time time 01 00 00 Timezone 1 to 2 local time of change tz2 name string BST Timezon...

Page 152: ...connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 80 Service port profile NMTOKEN...

Page 153: ...Instances Description block dns block Optional unlimited Fixed local DNS host blocks host dns host Optional unlimited Fixed local DNS host entries H 2 14 dns host Fixed local DNS host settings DNS for...

Page 154: ...neg boolean auto negotiate unless manual 10 100 speed and duplex are set Perform link auto negotiation clocking LinkClock prefer slave Gigabit clock setting crossover Crossover auto Port crossover con...

Page 155: ...p IPAddr Source IP address to use source port unsignedShort Use collector port UDP source port stats interval duration 60 Stats export interval table unsignedByte 0 99 routetable 0 Routing table numbe...

Page 156: ...group name profile NMTOKEN Profile name ra client boolean true Accept IPv6 RA and create auto config subnets and routes restrict mac boolean Use only one MAC on this interface sampling sampling mode...

Page 157: ...experimental profile NMTOKEN Profile name proxy arp boolean false Answer ARP ND by proxy if we have routing ra ramode false If to announce IPv6 RA for this subnet ra dns List of IP6Addr List of recurs...

Page 158: ...ig management test List of IPAddr List of IPs to which routing must exist else low priority deprecated use vmac boolean true Whether to use the special VMAC or use normal MAC version3 boolean v2 for I...

Page 159: ...Optional unlimited Additional attributes to send numeric send string dhcp attr string Optional unlimited Additional attributes to send string H 2 23 dhcp attr hex DHCP server attributes hex Additiona...

Page 160: ...hcp attr ip DHCP server attributes IP Additional DHCP server attributes IP Table H 33 dhcp attr ip Attributes Attribute Type Default Description comment string Comment force boolean Send even if not r...

Page 161: ...up to 10 unsignedInt Custom AS path as if network received bgp bgpmode true BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes localpref...

Page 162: ...PAddr Not optional One or more local network addresses localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data use...

Page 163: ...f IPFilter Prefixes that this rule applies to source string Source of data used in automated config management tag List of Community List of community tags to add H 2 33 bgp Overall BGP settings The B...

Page 164: ...ean true If supporting Graceful Restart capability mpe ipv4 boolean true If supporting MPE for IPv4 capability mpe ipv6 boolean true If supporting MPE for IPv6 capability route refresh boolean true If...

Page 165: ...used in automated config management timer idle unsignedInt 60 Idle time after error timer openwait unsignedInt 10 Time to wait for OPEN on connection timer retry unsignedInt 10 Time to retry the neig...

Page 166: ...Default Description ave Colour 08f Colour for average latency axis Colour black Axis colour background Colour white Background colour bottom unsignedByte 11 Pixels space at bottom of graph dateformat...

Page 167: ...200 Score for high latency and low usage latency score1 unsignedByte 10 Score for on above level 1 latency score2 unsignedByte 20 Score for on above level 2 latency usage unsignedInt 128000 Usage bel...

Page 168: ...nstantly send keep alive packets local id unsignedByte Not optional Unique local end tunnel ID local ip IP4Addr Force specific local end IP localpref unsignedInt 4294967295 Localpref for route highest...

Page 169: ...d Routes to apply to tunnel when up H 2 38 fb105 route FB105 routes Routes for prefixes that are sent to the FB105 tunnel when up Table H 50 fb105 route Attributes Attribute Type Default Description b...

Page 170: ...g ike roaming Optional unlimited IKE roaming IP pools H 2 40 ike connection connection configuration IPsec IKE connection settings Table H 53 ike connection Attributes Attribute Type Default Descripti...

Page 171: ...l list lifetime duration 1 00 00 max lifetime before renegotiation local ID string Local IKE ID local ts List of IPRange Allow any Valid outgoing source incoming destination IPs for tunnelled traffic...

Page 172: ...vers available to clients comment string Comment ip List of IPRange Not optional List of IP ranges for allocation to road warrior clients name NMTOKEN Not optional Name nat boolean false NAT incoming...

Page 173: ...utes Attribute Type Default Description bgp bgpmode Not announced BGP announce mode for routes comment string Comment graph token graphname Graph name internal ipv4 IP4Addr local ip Internal IPv4 for...

Page 174: ...Security Parameters Index Table H 60 ipsec manual Elements Element Type Instances Description route ipsec route Optional unlimited Routes to apply to tunnel when up H 2 46 profile Control profile Gen...

Page 175: ...able for ping route timeout duration 10 Time before timeout i e how long test has been failing vrrp List of NMTOKEN VRRP state any of these is master Table H 62 profile Elements Element Type Instances...

Page 176: ...racking if set ip IPAddr Not optional Target IP source string Source of data used in automated config management source ip IPAddr Source IP ttl unsignedByte Time to live Hop limit H 2 50 shaper Traffi...

Page 177: ...ofile name rx unsignedInt Rx rate limit target b s rx max unsignedInt Rx rate limit max rx min unsignedInt Rx rate limit min rx min burst duration Rx minimum allowed burst time rx step unsignedInt Rx...

Page 178: ...le Routing override rule Routing override rule Table H 72 session route rule Attributes Attribute Type Default Description comment string Comment cug List of PortRange Closed user group ID s hash bool...

Page 179: ...source IP and port to local for NAT weight positiveInteger 1 Weighting of load share H 2 56 rule set Firewall mapping rule set Firewalling rule set with entry criteria and default actions Table H 75...

Page 180: ...individual firewall rules are checked in order within the rule set and the first match applied The default action for a rule is continue so once matched the next rule set is considered Table H 77 ses...

Page 181: ...ource mac List up to 12 hexBinary macprefix Source MAC check if from Ethernet source port List of PortRange Source port s target interface List of NMTOKEN Target interface s target ip List of IPNameRa...

Page 182: ...profile NMTOKEN Profile name source ip IPAddr Our IP address table unsignedByte 0 99 routetable 0 Routing table number H 2 60 dhcp relay DHCP server settings for remote relayed requests Settings for D...

Page 183: ...access unless explicitly listed view View only access no passwords read Read only access with passwords full Full view and edit access H 3 3 user level User login level User login level commands avail...

Page 184: ...Critical conditions ERR Error conditions WARNING Warning conditions NOTICE Normal but significant events INFO Informational DEBUG Debug level messages NO LOGGING No logging H 3 7 syslog facility Syslo...

Page 185: ...8 month Month name 3 letter Table H 90 month Month name 3 letter Value Description Jan January Feb February Mar March Apr April May May Jun June Jul July Aug August Sep September Oct October Nov Novem...

Page 186: ...speed Value Description 10M 10Mbit sec 100M 100Mbit sec 1G 1Gbit sec auto Speed determined by autonegotiation H 3 13 LinkDuplex Physical port duplex setting Table H 95 LinkDuplex Physical port duplex...

Page 187: ...Collision On when full duplex blink when half duplex and collisions detected Activity Blink when Tx or Rx activity Fault On when autonegotiation mismatch Tx Blink when Tx activity Off Permanently off...

Page 188: ...P protocol ipfix legacy Use legacy Cisco style IPFIX H 3 21 trunk mode Trunk port more Table H 103 trunk mode Trunk port more Value Description false Not trunking random Random trunking l2 hash L2 has...

Page 189: ...orted from local AS confederation local as Not exported from local AS no peer Exported with no peer community tag true Exported as normal with no special tags added H 3 25 sampling mode Sampling mode...

Page 190: ...pe IPsec encapsulation type Value Description AH Authentication Header ESP Encapsulating Security Payload H 3 29 ike authmethod authentication method Table H 111 ike authmethod authentication method V...

Page 191: ...602 with 24 byte key AES 256 CBC AES CBC Rijndael RFC 3602 with 32 byte key H 3 33 ike PRF IKE Pseudo Random Function Table H 115 ike PRF IKE Pseudo Random Function Value Description HMAC MD5 HMAC MD5...

Page 192: ...dynamic graph Type of dynamic graph Table H 120 dynamic graph Type of dynamic graph Value Description false No dynamic graph ip Use source IP address mac Use source MAC address H 3 39 firewall action...

Page 193: ...Range IPv4 address bitlen or range IP4Prefix IPv4 address bitlen IP6Prefix IPv6 address bitlen IPSubnet IP address bitlen IP4Subnet IPv4 address bitlen IPFilter Route filter Password Password OTP OTP...

Page 194: ...ity filterlist List of IP Prefix filters IPFilter bgp prefix limit Maximum prefixes accepted on BGP session 1 10000 unsignedInt fb105 reorder timeout Maximum time to queue out of order packet ms 10 50...

Page 195: ...relationship with interfaces 34 sequenced flashing of LEDs 28 Event logging external logging 30 overview 29 viewing logs 32 F Firewall definition of 41 Firewalling recommended method 47 G Graphs 62 H...

Page 196: ...5 System name see Hostname System services checking access to 90 configuring 85 definition of 85 list of 85 T Telnet service configuration 86 Time out login sessions 22 Traffic shaping overview 62 Tun...

Reviews:

No comments

Brands by name

Popular brands

Load more brands