Freedom9 freeGuard Slim 100 User Manual Download

Page: 52 / 170

C O N F I G U R I N G A T T A C K P R E V E N T I O N

4-2

User Guide

Attacks that fall in this category are syn-fin, tcp-no-flag, Land attack, IP Spoof, IRDP, Teardrop

attack, Ping of Death, UDP Bomb, and other unknown IP Protocols.

Valid But Potentially Dangerous Packets

These packets are valid packets according to the official networking standards. However, since

these packets rarely occur, their presence could be classified as suspicious and they could be part

of a DoS attack or fingerprinting operation. The AntiDoS feature detects these packets, blocks

them, and logs the event.
Known attacks that fall in this category are: Fin-no-ack, icmp-fragment, icmp-large, ip-bad-opt,

ip-filter-src, ip-loose-src-route, ip-strict-source-route, ip-record-route, ip-security-opt,

ip-stream-opt, ip-timestamp-opt, reverse-route-check and syn-frag.

Enabling DDoS Prevention

Because of the different nature of the attack categories, the antiDoS features are enabled in

different location in the CLI/GUI.

Flooding Attacks

The flooding attacks prevention features are grouped under the zone command and can be set

per zone. (Typically you expect DDoS attacks from the untrust side of the network.) Use the

following CLI command to enable and disable the flooding commands:

Set zone {zone_name} screen {attack_name} threshold {integer}

The default is to set the threshold to the maximum value, which means that no flooding detection

is taking place.

Port Attacks

The port-attack prevention features are grouped under the policy command. Set a policy in the

global zone to prevent a port attack:

Set policy global port-attack {port_attack_name}

The default is to disable Port attack prevention.

Attacks Through Malformed Packets

By default, the attack prevention for attacks through malformed packets is enabled and cannot

be turned off.

Attacks Through Valid But Potentially Dangerous Packets

This category is grouped under the zone command and can be set per zone. The CLI command

to enable this feature is:

set zone {zone_name} screen {attack_name}

The default is to enable All attack prevention in this category.

Summary of Contents for freeGuard Slim 100

Page 1: ...freeGuard Slim Appliances User Guide Part No FSL100 FSL300M Version V4R2 Network Traffic and Security Management ...

Page 2: ...ot allow copies to be made for others whether or not sold but all of the materials purchased can be sold given or loaned to another person Under the law copying includes translating this information into another language or format Information contained in this document is subject to change without notice Trademarks Hyper Terminal is a registered trademark of Hillgraeve Inc SecureCRT is a registere...

Page 3: ... 1 7 Configuring the Appliance 1 7 Connecting the Console Cable 1 7 Slim 100 Appliance Specifications 1 8 Slim 100 Appliance 1 8 LED Activity for Slim 100 1 9 Console Interface for Slim 100 1 9 Slim 300 Appliance Specifications 1 10 Slim 300 Appliance 1 10 LED Activity for Slim 300 1 10 Slim 300 Console Interface 1 11 Configuring the Software for Freedom9 Network Appliances 1 11 Default Configurat...

Page 4: ... Configuration File 2 8 View the Running Configuration 2 8 View the Saved Configuration 2 8 Resetting and Restarting the Freedom9 Network Appliance 2 10 Resetting the Freedom9 Network Appliance 2 10 Resetting the Software To Use the Original Filename 2 10 Restarting the Freedom9 Network Appliance 2 10 Additional System Management Tasks 2 11 Viewing System Information 2 11 Configuring Domain Names ...

Page 5: ...Table 4 3 Logging Command Index 4 6 Ch 5 Traffic Flow Reporting 5 1 Top Talkers 5 1 Logging Overview 5 1 Logging 5 1 Logging Levels 5 1 Log Modules 5 2 Traffic and Event Log Management 5 3 Log Module Settings 5 3 Setting Log Modules 5 3 Disabling Log Module Settings 5 3 Viewing the Log Module Settings 5 3 Viewing the Traffic and Event Log 5 4 Admin Mail Server 5 5 Configuring Freedom9 Network Appl...

Page 6: ...uring Global Policies 6 3 Configuring Policies 6 3 Creating Policies 6 3 Naming Policies 6 5 Reordering Policies 6 5 Disabling Policies 6 6 Re enabling Policies 6 6 Deleting Policies 6 6 Viewing Policies 6 6 Enable Policy Logging 6 8 Using the Set Alert Command 6 8 Configuring Address Objects 6 9 Creating Address Objects 6 9 Deleting Address Objects 6 10 Modifying Address Objects 6 11 Creating Add...

Page 7: ... 1 Scenario Description 7 2 Initializing the Freedom9 Network Appliance 7 3 Setting Up Alerts 7 3 Setting Up the Logging Infrastructure 7 4 Setting Up Policies 7 4 Analyzing Traffic and Sending Alerts 7 6 Using the Set Alert Frequency Advanced Option 7 6 Traffic Analysis Using NetFlow 7 6 Overview 7 6 Network Layout 7 7 Initializing the Freedom9 Network Appliance 7 8 Setting Up the NetFlow Infrast...

Page 8: ...eleting the SNMP System Name 8 7 Configuring the SNMP System Locations 8 7 Deleting the SNMP location 8 7 Configuring the SNMP System Contact 8 7 Deleting the SNMP System Contact 8 7 Viewing the SNMP Settings 8 8 View the SNMP Community Settings 8 8 View the SNMP Statistics 8 8 Viewing the Interface Statistics 8 9 Ch 9 Security Zones and Interfaces 9 1 Security Zones 9 1 Creating and Modifying Cus...

Page 9: ...ttings 9 16 Configuring Maximum Transmission Unit MTU Settings 9 16 Configuring Interface Link Up Down 9 16 Enabling Interface Management 9 18 Disabling Interface Management 9 18 Setting the Interface Speed 9 18 Ch 10 Routing 10 1 Static Routes 10 1 Adding Static Routes 10 1 Deleting Static Routes 10 2 Modifying Static Routes 10 2 Setting the Default Route 10 2 Displaying Route Information 10 3 Ap...

Page 10: ...FSL100 User Guide x ...

Page 11: ...Guard Slim 100 appliance This chapter includes the following topics Document Conventions on page 1 2 Introduction to FSL100 Appliances on page 1 4 Before You Install the FSL100 Appliance on page 1 6 Installing the FSL100 Appliance on page 1 7 See also the Quick Start Guide which is provided with your FreeGuard Slim 100 appliance ...

Page 12: ...ept for variables which are always in italic For example Use the get system command to display general information about the Freedom9 Network appliance Variable CLI values are described in Table 1 1 Table 1 1 Variable CLI Values Used in This Guide Browser Based Graphical User Interface WebGUI Conventions Values inside square brackets are optional Values inside braces are required For commands that...

Page 13: ...ent it is in bold except for variables which are always in italic For example Use click on the XXXX command to display general information about the Freedom9 Network appliance Figure 1 1 shows the graphics used in illustrations in this guide Illustration Conventions Figure 1 1 Illustration Conventions Freedom9 Appliance ...

Page 14: ...rusive solution for managing bandwidth abuse or attacks against network infrastructure Based on RDX technology the FSL100 appliances support monitoring network flows at 2Gbps throughput while maintaining line quality and low latency The appliances are configured using granular user defined policies identifying thresholds for session creation per flow bandwidth and aggregate bandwidth Applications ...

Page 15: ...om9 Network appliance refer to the following documentation Quick Start Guide User Guide CLI Reference Guide Network Functions Supported Features Values Static Routes 32 Dynamic ARP Entries 2K System Supported Features Values Concurrent Sessions 192K TCP Sessions per second Route Mode 15 500 Security Zones 254 VLANs 20 VLANs in Transparent Mode 4095 Poli cy Supported Features Values Access Control ...

Page 16: ...t Allow HTTP management Freedom9 appliance thresholds not configured Local logging not configured Default policy Allow Default Behavior Allow any traffic Before You Install the Freedom9 Appliance Familiarize yourself with the following topics before installing the Freedom9 appliance What You Must Know Before You Install the Freedom9 Appliance on page 1 7 Installing the Freedom9 Appliance on page 1...

Page 17: ...nto the DC power receptacle on the back of the appliance 2 Plug the AC adapter end into a surge protected AC power source 3 The Freedom9 appliance is now powered ON Connecting the Appliance to Other Network Devices Once the power is connected to the appliance you can connect it to other network devices Use either of the two Ethernet interfaces labeled eth0 and eth1 Use these interfaces to connect ...

Page 18: ...ype admin 7 At the password prompt type admin FSL100 Appliance Specifications This section describes the physical attributes electrical information and environmental require ments to properly install and run the FSL100 appliance It includes the following topics FSL100 Appliance LED Activity for FSL100 Console Interface for FSL100 FSL100 Appliance Figure 1 2 is an diagram of the FSL100 appliance po...

Page 19: ... back of the FSL100 appliance Figure 1 3 Console Back For additional information on console interface management refer to User Guide Power Supply 100 to 240V AC 50 60Hz Operational Temperature 0 to 45ºC Storage Temperature 25º to 70ºC Humidity 5 to 85 Max Power Consumption 15 Watts Safety Compliance UL60950 I EN60950 TUV EMC Compliance FCC Class A EN55022 Class A VCCI Class A VCCI Class A C Tick I...

Page 20: ...lists information about the physical interfaces on the Slim 300M appliance Table 1 11 Physical Interfaces Table Table 1 10 Hardware Specifications Parameter Value Interfaces 2 mini GBIC SFP Hardware Bypass Power failure hardware or software failure feature Two interfaces eth0 and eth1 Dimensions H W D 5 x 10 x 1 5 Weight 2 lbs Power Supply 100 to 240V AC 50 60Hz Operational Temperature 0 to 45ºC S...

Page 21: ... the Policy Configuration Changing the Admin Password Because all freedom9 s appliances are preconfigured with the same password you must change the admin password Use the set admin command to change the password set admin password password_str save Default Configuration The freedom9 s appliance is configured to monitor a network such as the one displayed in Figure 1 5 In this configuration the et...

Page 22: ...forward packets from that interface Using the network in Figure 1 5 as an example use the set route command to configure the Freedom9 appliance to use the address of 192 168 2 254 for the default route of all traffic set route 0 0 0 0 0 interface br0 gateway 192 168 2 254 save Optional To verify the default route settings execute the get route summary command get route summary Viewing the Policy C...

Page 23: ...1 13 Route set route 0 0 0 0 0 interface br0 gateway 192 168 1 254 Configuring a Policy The default policy behavior is set policy default permitted See Advanced Policy Configuration on page 6 1 for more information about policy configuration ...

Page 24: ...G E T T I N G ST A R T E D 1 1 14 User Guide ...

Page 25: ... The following topics are included in this chapter Using the Console to Manage the freedom9 s Appliance Using SSH to Manage the freedom9 s Appliance Managing Users for the freedom9 s Appliance Managing Software for the freedom9 s Appliance Resetting and Restarting the freedom9 s Appliance Additional System Management Tasks Using Network Time Protocol NTP Using Domain Name Service DNS Using Ping Us...

Page 26: ... current console interface settings including users who are logged in and to display information for the console interface use the get console command get console Setting the Console Display Use the set console command to set the number of lines to display without a break If the page display number is set to 0 no page breaks are used when information is displayed The default display number is 22 l...

Page 27: ...the following then click Apply Management Option SSH Example Enable SSH on a VLAN Interface eth0 100 set interface eth0 100 manage ssh save GUI Example Enable SSH on a VLAN Interface ETH0 100 1 Select Network Interface Edit for ethernet0 100 2 Select the following then click Apply Management Option SSH Disabling SSH on a Specific Interface To disable SSH on a specific interface use the unset ssh c...

Page 28: ...t change the admin password to create a unique password for your organization Use the set admin command set admin password password_str NOTE You cannot change the administrator user name admin GUI Example Changing the Administrator password 1 Select System Admin Administrators 2 Enter the following password information and click Apply 3 Select the admin user 4 Type old password 5 Type new password...

Page 29: ... SY S T E M M A NA G E M E N T User Guide 2 5 2 Enter the following password information and click Apply 3 Select the admin r user 4 Type old password 5 Type new password 6 Confirm new password ...

Page 30: ...l for the latest software images Uploading New Software To upload new software for the appliance 1 Make sure you have the latest version of software for the appliance This can be obtained from your sales representative 2 Place a copy of the latest software for the appliance into the root directory of the TFTP server program 3 Make sure a TFTP server is running on a PC and the appliance can access ...

Page 31: ...ple Ping www Yahoo com 1 Select System Tools 2 Enter the following then click Apply Diagnostic Tool Ping Ping www yahoo com Using Traceroute You can use traceroute to trace packets from your machine to an Internet host showing you the number of hops and time required to reach the host along the path To execute the trace route command trace route ip_addr dom_name Example Traceroute www yahoo com tr...

Page 32: ...t save config from tftp 192 168 0 3 filename txt to flash GUI Example Saving the configuration file for export 1 Select System Configuration 2 Click on Download Configuration 3 Select Save as the action for the file 4 Select Location c temp 5 Click Save Executing the Configuration File From the TFTP Server To import from the tftp server and execute the configuration file use the exec config comman...

Page 33: ... SY S T E M M A NA G E M E N T User Guide 2 9 GUI Example View the saved configuration 1 Select System Configuration 2 Select the Display Configuration button ...

Page 34: ...sing the factory default configuration You can access the appliance using the default login credentials Performing a hardware reset to the appliance removes the current firmware image along with the current configuration file If you have not saved a backup configuration file to the local flash or a workstation on your network you will have to reconfigure the appliance Resetting the Software To Use...

Page 35: ...mation about the appliance hardware and firmware Software Version System Uptime Vendor Name Vendor Contact Product Model Product Serial Number MAC Addresses To view system information use the get system command get system GUI EXAMPLE Viewing System Information System Status Configuring Domain Names To configure the appliance to respond to a specifically configured domain use the set domain command...

Page 36: ...gure a host name on the Freedom9 appliance use the set host command set host appliance Example Configuring the Host Name appliance name set host appliance name save GUI Example Configuring the Host Name 1 Network DNS add Host Name 2 Enter the following then click Apply Host Name appliance Deleting Host Names To delete a previously configured host name use the unset hostname command unset host ...

Page 37: ...o configure the NTP settings used to update the date and time for the appliance use the set ntp server command set ntp server ip_addr dom_name backkup1 backup2 ip addr dom name Example Setting the Primary NTP Server IP as 207 245 143 147 set ntp server 207 245 143 147 save GUI Example Setting the Primary NTP Server IP as 207 245 143 147 1 Select System Date Time 2 Enter the following then click Ap...

Page 38: ... then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can configure multiple NTP server IP addresses to ensure the Freedom9 appliance always displays the correct date and time Configuring Manual Update Using NTP To initiate a manual NTP update use the exec ntp command exec ntp update Before you can manually update you must configure the clock to use NTP which is described in the ne...

Page 39: ...resented by 8 set clock timezone number Example Configuring the Clock Time Zone to Pacific Time Zone GMT 8 set clock timezone 8 save GUI Example Configuring the Clock Time Zone to Pacific Time Zone GMT 8 1 Select System Date Time 2 Select the following then click Apply Set Time Zone 8 hours Example Configuring the Clock Time Zone to Daylight Savings Time DST 1 Select System Date Time 2 Select the ...

Page 40: ...t IP Address as 206 13 31 12 1 Select Interface DNS 2 Enter the following then click Apply Primary DNS Server IP Address 206 13 31 12 Example Setting a Secondary DNS Host IP Address as 206 13 28 12 set dns host dns2 206 13 28 12 save GUI Example Setting the Secondary DNS Host IP Address as 206 13 28 12 1 Select Interface DNS 2 Enter the following then click Apply Secondary DNS Server IP Address 20...

Page 41: ...ple Ping www Yahoo com 1 Select System Tools 2 Enter the following then click Apply Diagnostic Tool Ping Ping www yahoo com Using Traceroute You can use traceroute to trace packets from your machine to an Internet host showing you the number of hops and time required to reach the host along the path To execute the trace route command trace route ip_addr dom_name Example Traceroute www yahoo com tr...

Page 42: ...SY S T E M M A NA G E M E N T 2 2 18 User Guide ...

Page 43: ...n page 7 1 Shaping Traffic Flow Overview Freedom9 appliances have the ability to not only monitor but also to shape to control the volume of traffic being sent and the rate at which the traffic is being sent different types of traffic based on bandwidth usage You can specify a traffic limit based on connection rate connection bandwidth or total number of connections Shaping traffic in this way pre...

Page 44: ...rmal traffic http and https exceeds 100 Mpbs the connection rate exceeds 2000 connections per second non web traffic exceeds 10 Mbps or when one individual connection exceeds 10 Mbps This scenario also sets up two policies allows http and https traffic and alerts allows other traffic Use the following steps described in the following section to set up your appliance for this scenario Initializing ...

Page 45: ...t zone This setting should be your address server unset interface eth0 manage http Required command to set transparent mode set interface eth0 transparent Set eth0 interface in transparent mode set interface eth0 zone trust Assigns eth0 to the trust zone set interface eth1 transparent Set eth1 interface in transparent mode set interface eth1 zone untrust Assigns eth1 to the untrust zone set interf...

Page 46: ...reshold 100000 action shape log always Creates an alert that throttles the aggregate bandwidth traffic and generates a log message when bandwidth usage reaches 100 Mbps set alert aggr bandwidth ab shape alert2 threshold 10000 action log always Creates an alert that will drop a connection when its bandwidth usage reaches 10 Mbps Specifies that a log be created every time this happens Command Descri...

Page 47: ...r policy permitting traffic from zone B to zone A For this scenario the policy will specify not only which traffic is allowed but also the action to be taken to alert when traffic or a connection rate reaches certain parameters and prevent further traffic from going through The components of a policy are Source zone Destination zone Source address Destination address Service Action set log module ...

Page 48: ...cord is passed The alert record counters can be reset by the command clear alert record all Analyzing and Shaping Traffic This section explains the internal processes that are used to analyze traffic send alerts and deny its passage 1 Connection rate monitoring involves the following process The packet arrives at the interface of the appliance Validate whether a flow can be identified with the inc...

Page 49: ...for the policy matching with this packet If the aggregate bandwidth alert is specified create the flow with the alert information If the aggregate bandwidth alert is not specified create the flow with the alert information If the flow exists and the aggregate bandwidth is specified compute the number of octets which arrived in the last second If this number exceeds the threshold perform the specif...

Page 50: ...M A N A G I N G T R A F F IC F L O W 3 3 8 User Guide ...

Page 51: ...ed packets are used The remedy against flooding attacks is to only allow a certain amount of packets to pass Packets below the threshold are allowed to pass packets above the threshold are dropped This way the network infrastructure behind the DDoS appliance will not be flooded with packets Attacks that fall in this category are syn flood block frag icmp flood and udp flood Port Attacks Ports atta...

Page 52: ...abled in different location in the CLI GUI Flooding Attacks The flooding attacks prevention features are grouped under the zone command and can be set per zone Typically you expect DDoS attacks from the untrust side of the network Use the following CLI command to enable and disable the flooding commands Set zone zone_name screen attack_name threshold integer The default is to set the threshold to ...

Page 53: ... Attacks through valid but potentially dangerous packets Use the following commands for this category set log module reconn deter level information set log module dos level information Some attacks require the use of only one of the above commands See Table 4 1 for details Attack Overview Table The following table lists the attack prevention features that the AntiDoS feature supports Use the Index...

Page 54: ...one_name screen fin flood threshold integer set log module dos level information See B TCP FIN flood drop Block frag flooding attack set zone zone_name screen block frag threshold integer set log module dos level information See B IP Fragments arriving over rate limit icmp flood flooding attack set zone zone_name screen icmp flood threshold integer set log module dos level information See B ICMP p...

Page 55: ...ame screen ip record route set log module reconn deter level information See C IP option Record Route dropped ip security opt Valid but potentially dangerous set zone zone_name screen ip security opt set log module reconn deter level information See C IP option Security dropped ip stream opt Valid but potentially dangerous set zone zone_name screen ip stream opt set log module reconn deter level i...

Page 56: ...dropped Land Attack Malformed or invalid packet always enabled No IP Spoof Malformed or invalid packet same as reverse route check See B No IRDP ICMP Router Discovery Protocol Malformed or invalid packet always enabled set log module ip level information See D Invalid IP packet received Teardrop attack Malformed or invalid packet always enabled No Ping of Death Malformed or invalid packet always e...

Page 57: ...evel information E Although this feature is always enabled in order to enable logging the command has to be enabled by the command set zone zone_name screen syn fin F Although this feature is always enabled in order to enable logging the command has to be enabled by the command set zone zone_name screen tcp no fin Index Logging Command ...

Page 58: ...C O N F IG U R I N G A TT A C K PRE VE N T I O N 4 4 8 User Guide ...

Page 59: ...etic Listing of Log Messages on page C 1 Logging Logging is the process of recording and storing information about a specific event On the Freedom9 Network appliances a single activity that occurs such as denying a packet from passing through a zone is considered an individual event Since it will be used to protect network infra structures it becomes extremely important to record all events showin...

Page 60: ...ork appliance Critical Messages Events that could affect functionality of the Freedom9 Network appliances Alert Messages Events that require immediate attention by you that include attacks against the appliance Emergency Messages Messages that may need immediate attention by the administrator Debug Messages Message information used to diagnose or troubleshooting specific issues with the appliances...

Page 61: ...le internal email syslog ssh Example Set the log module for ARP using the log level all with a destination of the console set log module arp level all destination console save GUI Example Set the Log Module for ARP Using the Log Level All with a Destination of the Console 1 Select Logging Log Settings 2 Select the following then click Apply Module arp Destination Console All Disabling Log Module S...

Page 62: ...ll include date and time To view the event log you will use the get log messages command to show the event logs to show all events logged cli get log message Jun 09 20 28 58 2007 Freedom9 id security_appliance policy 117 INFO id 1 proto 1 src 64 62 250 2 0 dst 64 79 127 67 0 packet dropped due to policy deny Jun 09 20 29 05 2007 Freedom9 id security_appliance policy 117 INFO id 1 proto 1 src 64 62...

Page 63: ...ver IP address or name and the administrators e mail addresses set admin mail server name ip_addr name set admin mail mail addr1 mail addr2 e mail_addr Example Sending E mail messages to the administrator of the appliance using the SMTP server IP 10 0 0 5 and the e mail address admin yourcompany com Mail server 10 0 0 5 Recipient address1 admin yourcompany com save GUI Example Sending E Mail Messa...

Page 64: ...e set syslog command You must enable syslog prior to configuring it set syslog enable set syslog config ip_address set syslog config ip_address log all event traffic set syslog config ip_address facilities local0 local1 local2 local3 local4 local5 local6 local7 set syslog config ip_address port port_number Command Line Example Configure both traffic and event messages to be sent using syslog to a ...

Page 65: ...Description Jun 02 Month and Day Stamp Displays the month and day when the message was generated 12 13 54 Time stamp Displays the time stamp when the message was generated The format is as follows HH MM SS 2007 Year Stamp Displays the year when the message was generated Vendor name Device name Displays the vendor name Security_Appliance Device id Displays the hostname for the appliance Policy Soft...

Page 66: ...sages see Alphabetic Listing of Log Messages on page C 1 Conventions Freedom9 network publications use the following conventions to indicate optional and required elements variables and options A parameter inside square brackets is optional This element might appear in the message A parameter inside braces is required This element must appear in the message Anything inside angle brackets is a vari...

Page 67: ...n Protocol DIP Dynamic IP DN Distinguished Name DNS Domain Name System DOI Domain of Interpretation DoS Denial of Service DSA Digital Signature Authority DSS Digital Signature Standard EE End Entity ESP Encapsulating Security Payload FQDN Fully Qualified Domain Name HA High Availability HDLC High Level Data Link Control HTTP HyperText Transfer Protocol HTTPS HypterText Transfer Protocol Secure ICM...

Page 68: ...RSA Rivest Shamir Adelman authors of RSA security standard RTO Run Time Objects SA Security Association SCEP Simple Certificate Enrollment Protocol SHA Secure Hash Algorithm SIP Session Initiation Protocol SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SPI Security Parameter Index SSH Secure Shell SSL Secure Socket Layer TFTP Trivial File Transfer Protocol UDP User Data...

Page 69: ...when the administrator performed an action In the example the administrator login name is Freedom9 Levels Explanation of Levels 0 Emergency Messages on SYN attacks Tear Drop attacks and Ping of Death attacks 1 Alert Messages about conditions that require immediate attention such as firewall attacks and the expiration of license keys 2 Critical Messages about conditions that affect the functionalit...

Page 70: ...stamp Displays the month and day when the message was generated 12 13 42 Time stamp Displays the time when message was generated This value is displayed in the following format HH MM SS 2007 Year stamp Displays the year when the message was generated spu Module name Displays module name that generated the log message 117 Module process id Displays module process Id that generated the log message I...

Page 71: ...recommended action Message TCP FIN flood drop Meaning TCP FIN flood drop Action No recommended action Message TCP FIN no ACK packet dropped Meaning TCP FIN no ACK packet dropped Action No recommended action Message Large ICMP 1Kbyte packet dropped Meaning ICMP packet size exceeded Action No recommended action Message ICMP Fragment dropped Meaning ICMP Fragment was dropped Action No recommended act...

Page 72: ...t dropped due to policy reject Meaning Policy was rejected Action No recommended action Message Packet dropped due to DoS rate limit to management CPU reached Meaning Denial of Service rate limit error Action No recommended action Message Temporary policy table full Meaning Temporary policy table full Action No recommended action SESSION Message Packet dropped due to exhaustion of session table Me...

Page 73: ...ustom DPI Session Detected Meaning One of the above P2P or DPI session is detected with the specified protocol number for traf fic originating from src ip addr src port to dest ip addr dest port Action No recommended action Reviewing Event Logs MCPU modules ifmgr pmgr route arp cfg rip rib fup srmmgr snmp etc use the following format to log the event IP Address date time device name device id modu...

Page 74: ...leted the specified address from the address group in the named security zone Action No recommended action Message Address group grp_name in zone zone name has been added deleted modified Meaning An admin added deleted or modified the specified address group in the named security zone 11 05 19 Time stamp Displays the time when message was generated This value is displayed in the following format H...

Page 75: ...ason Action Determine the reason for the failure and resolve the problem Verify the admin user name and password then the admin should try to log in again ARP The following messages relate to the Address Resolution Protocol ARP Critical Message arp req arp reply detected an IP conflict IP ip_addr MAC mac_addr on interface interface Meaning An ARP request or reply reveals that the specified device ...

Page 76: ...ed from ip_addr1 to ip_addr2 Meaning An admin has changed the IP address for the specified interface Action No recommended action Message The interface interface operational mode has been changed to NAT Route Meaning An admin has changed the operational mode for the specified interface to Route NAT Action Check access policy configurations to ensure that they function properly in the new opera tio...

Page 77: ...ssages relate to the configuration of access policies Notification Message Default policy of the device has been changed to permit deny Meaning An admin changed the default policy of the device Action Confirm that the action was appropriate and performed by an authorized admin Message Policy id_num zone1 zone2 global src_addr dst_addr svc_name permit deny reject tunnel was added deleted enabled di...

Page 78: ...y matches traffic received Permitting traffic to pass Denying traffic Message CONN_RATE_ALERT alert id for alert alert name generated for policy Meaning Connection Rate Alert is logged for the policy id for the TCP UDP traffic originating from src ip addr src port to dest ip addr dest port Message BW_AGGR_ALERT alert id id for alert alert name generated for policy Meaning The specified profile nam...

Page 79: ...rno Meaning Unable to connect to the socket used by the PPP PPPoE module Message Out of memory in timeout Meaning Unable to allocate a structure for use in the timeout routine Message Failed to get time of day Meaning Unable to get the time of day while determining what timeout routines should be invoked Message Bogus PPPoE length filed length Meaning The number of bytes received is less than the ...

Page 80: ...kets Message Ignoring PADO packet with no AC Name tag Meaning Discarding a PPP PPPoE packet that needed but didn t have an access concentrator field Message Ignoring PADO packet with no Service Name tag Meaning Discarding a PPP PPPoE packet that needed but didn t have a service name field Message Ignoring PADO packet with wrong AC Name or Service Name Meaning Discarding a PPP PPPoE packet that had...

Page 81: ...se the number of route entries exceeds the maximum number of routes Action Rearrange the memory allocation for static routes in the TCAM or check the network topology and try to reduce the number of routes Message An error occurred while removing route route_address subnetwork_mask from the static route table Meaning While attempting to remove a route in the route table an error occurred that prev...

Page 82: ...to initialize service management Meaning Service management initialization fails Action No recommended action Message Failed to set rtc time Meaning Set system time fails Action No recommended action Message Time zone setting is out of range Meaning Time zone setting is out of range 12 12 Action No recommended action Message Time Zone minute setting is out of range Meaning Time zone minute setting...

Page 83: ...ecurity zones Notification Message New zone zone ID id_num was created Meaning An admin successfully created a new zone with the indicated ID number Action No recommended action Message Zone zone ID id_num was modified Meaning An admin successfully modified the specified zone Action No recommended action Message Zone zone ID id_num was deleted Meaning An admin successfully deleted the specified zo...

Page 84: ...T R A F F I C F LO W R E P O R T I N G 5 5 26 User Guide ...

Page 85: ...affic To permit communi cation from one zone to another you must configure a policy After you use the set policy command to create a policy the policy enters the policy database and is immediately active The source zone destination zone and order of a policy within the database are important The appliance software assigns each policy an ID number which numerically orders all policies in ascending ...

Page 86: ... An interzone policy controls traffic between zones These policies can allow deny or reject traffic that is to pass from one zone and destined for another For example in Figure 6 2 the appliance is configured with a policy that allows HTTP traffic initiated from Host A in the trust zone to Server B in the untrust zone using the following command set policy from trust to untrust Host_A Server_B htt...

Page 87: ...lements of a policy Use the set policy command to create a policy set policy from src_zone to dst_zone src_addr dst_addr srvc permit deny reject alert netflow dpi profile top talkers Table 6 1 explains the parameters in the above command See also the CLI Reference Guide that comes with your appliance Table 6 1 Addresses and Zones Parameter De s c ri p t i o n src_zone dst_zone The src_zone and dst...

Page 88: ... any FTPtrust ftp permit save GUI Example Create a Policy 1 Select Objects Add Address Object 2 Enter the following then click Apply Name FTP Trust IP Address Netmask 4 4 4 4 24 Zone Trust 3 Select Policy Add Policy 4 Enter the following then click Apply Location Action Permit Source Zone Untrust Destination Zone Trust Source Address Any Destination Address FTPTrust netflow The netflow action coll...

Page 89: ...ing then click Apply Enable Policy Name ftpcorp Action permit Source Zone untrust Destination Zone trust Source Address any Destination 4 4 4 4 Service FTP Reordering Policies Because the policy database is searched from top to bottom when matching against traffic you should order polices in the database from most specific to least specific Doing this ensures that a more general policy does not bl...

Page 90: ...id_num number specifies the policy number that is moved the target_id is the policy number that the policy is moved before or after Disabling Policies Use the set policy command with the disable option to disable a policy rather that delete it from the policy database set policy id id_num disable Re enabling Policies Use the unset policy command with the disable option to enable a policy that has ...

Page 91: ...icy command with the id option to display a specific policy Using this command returns information about the policy with the specified ID number get policy id number Use the get policy command with from or to option to display all policies that match the src_zone and dst_zone parameters in table format get policy from src_zone to dst_zone The table appears with the following columns ID From To Src...

Page 92: ...traffic The set alert command consists of the alert name the threshold value the interval value and the action when the threshold is exceeded Using the network in Figure 6 3 as an example use the set alert command to configure the appliance to alert when the connection threshold exceeds 100 connection per second for any pair of source and destination IP addresses on port 80 HTTP set alert conn rat...

Page 93: ... multiple address objects This section describes how to create modify and delete address objects The following topics are included in this section Creating Address Objects Deleting Address Objects Modifying Address Objects Creating Address Groups Adding Objects to an Address Group Deleting Address Groups Adding Objects to an Address Group Creating Address Objects All address objects bind to a secu...

Page 94: ... 10 0 0 250 32 set address trust Trust_Network 10 0 0 0 24 save GUI Example Creating an Address Object 1 Select Objects Add Address Object 2 Enter the following then click Apply Name John IP Address Netmask 10 0 0 100 32 Zone Trust 3 Select Objects Add Address Object 4 Enter the following then click Apply Name Matt IP Address Netmask 10 0 0 101 32 Zone Trust 5 Select Objects Add Address Object 6 E...

Page 95: ...hen click Apply Name MailServerNY IP Address Netmask 10 200 0 0 24 Zone Trust 5 Use the get address command to view all address objects and address groups get address The command displays all objects grouped by their zone membership 6 Use the get address command and specify a zone to view all address objects and address groups in that zone get address zone 7 Use the get address command and specify...

Page 96: ...jects and address group in Figure 6 5 follow these steps set address trust Finance_Subnet 10 0 1 0 24 set address trust Mktg_Subnet 10 0 2 0 24 set address trust Sales_Subnet 10 0 3 0 24 set group address trust New_York_Office set group address trust New_York_Office add Finance_Subnet set group address trust New_York_Office add Mktg_Subnet set group address trust New_York_Office add Sales_Subnet s...

Page 97: ...Address Objects from an Address Group Use the unset group command with the address and remove options to remove an address object from an address group unset group address zone grp_name remove adr_obj NOTE If you remove all of the address objects out of an address group the address group name is not deleted Adding Comments to Address Groups Use the set group command with the address and comment op...

Page 98: ...Viewing Predefined Service Objects Configuring Custom Service Objects Modifying Service Objects Modifying Service Objects Configuring Service Timeouts Viewing Predefined Service Objects To view predefined service objects use the get service command get service pre defined For a list of predefined services refer to Pre defined Services on page A 1 Configuring Custom Service Objects Use the set serv...

Page 99: ... Change the destination port on Telnet_Custom to port 24000 unset service Telnet_Custom set service Telnet_Custom protocol tcp src port 1 65535 dst port 24000 24000 save GUI Example Modifying a Custom Service 1 Select Objects Custom Service 2 Select the following then click Apply Remove telnet_custom 3 Select Objects Add Custom Service 4 Enter the following then click Apply Name telnet_custom TCP ...

Page 100: ...on A service group can consist of pre defined services or custom services Service groups have the following limitations Service groups cannot have the same name as a pre defined or custom service You cannot delete a service group until you first remove it from the policy A service group cannot have another service group as a member The all inclusive service term ANY cannot be added to groups This ...

Page 101: ...Enter the following then click Apply Name Web_Services Add http https dns Deleting Service Groups Use the unset group command with the service option to delete a service group unset group service name_str Removing Service Objects from Groups Use the unset group command with the service and remove options to remove a specific service from the group unset group service name_str remove name_str To re...

Page 102: ... the service and comment options to add a comment that describes the address group set group service grp_name comment text NOTE If you remove all of the services in a service group that service group name is not deleted About Schedules A schedule is an object that defines the day and time a policy is action takes place This section describes how to create add view and delete schedules The followin...

Page 103: ...field assigns a name to the schedule Schedules are assigned to policies by referring to the schedule name once The once option is used to define a one time event start Use the start option and specify a day and time to allow traffic matching the policy to pass through stop Use the stop option and specify a day and time stop traffic matching the policy to pass through date The date field requires a...

Page 104: ...dule Create a recurring schedule to block Internet access on the weekend for all machines on the trust zone start Use the start option and specify a time to allow traffic matching the policy to pass through You can have up to 2 start stop sets in a single command For example set scheduler start 10 00 stop 11 00 start 13 00 stop 14 30 stop Use the stop option and specify a time stop traffic matchin...

Page 105: ... Example Create a Recurring Schedule 1 Select Objects Add Schedule 2 Enter the following then click Apply Name weekend Comment Block weekend Internet access Recurring Sunday start 00 00 Sunday end 23 59 Saturday start 00 00 Saturday end 23 59 3 Select Policy Add Policy 4 Enter the following then click Apply Location Action Deny Source Zone Trust Destination Zone Untrust Source Address any Destinat...

Page 106: ... O N FI G U R A T I O N 6 6 22 User Guide Viewing Schedules Use the get scheduler command with the once recurrent or name options to view all configured schedules get scheduler once get scheduler recurrent get scheduler name_str ...

Page 107: ...etwork appliances have the ability to monitor and shape different types of traffic based on bandwidth usage You can set an alert to trigger when anomalous traffic such as an unusual surge in the number of connections or a dramatic increase in bandwidth usage is detected by a particular user If desired you can set the bandwidth limit to include only non critical traffic The following scenario shows...

Page 108: ...ttp and https exceeds 100 Mpbs connection rates exceed 2000 connections per second non web traffic exceeds 10 Mbps one individual connection exceeds 10 Mbps This scenario also sets up two policies http and https traffic and alerts other traffic Use the following CLI commands and steps to set up your appliance Initializing the Appliance Initializing the Appliance Setting Up Alerts Setting Up the Lo...

Page 109: ...ould be your server address unset interface eth0 manage http Required command to set transparent mode set interface eth0 transparent Set eth0 interface in transparent mode set interface eth0 zone trust Assigns eth0 to the trust zone set interface eth1 transparent Set eth1 interface in transparent mode set interface eth1 zone untrust Assigns eth1 to the untrust zone set interface br0 ip 192 168 65 ...

Page 110: ...erated every time this happens Command Description set syslog enable Enables sending log messages to a syslog server set syslog config 192 168 65 199 Specifies the IP Address of the syslog server This setting should be your log server address The appliance supports two syslog servers The second server can be configured using the same command set log module policy level notification destination sys...

Page 111: ... many times a set threshold is passed This counter is called an alert record and can be viewed by the command get alert record all Two possible actions can be specified as part of an alert If the action is set as log once then an alert record counter is incremented the first time the set threshold is passed If the action is set as log always then the alert record counter reflects the total number ...

Page 112: ...he policy matching with this packet If the aggregate bandwidth alert is specified create the flow with the alert information If the aggregate bandwidth alert is not specified create the flow with the alert information If the flow exists and the aggregate bandwidth is specified compute the number of octets which arrived in the last second If this number exceeds the threshold perform the specified a...

Page 113: ...urn on NetFlow from the router however this can affect performance by slowing significantly a network Table 7 5 shows the original network setup Table 7 5 Original Network Setup without NetFlow Since the appliance is in transparent to the network it does not affect perfor mance See Table 7 6 Table 7 6 Network SetupUsing NetFlow ...

Page 114: ...bserver in the trust zone This setting should be your address server unset interface eth0 manage http Required command to set transparent mode set interface eth0 transparent Sets eth0 interface in transparent mode set interface eth0 zone trust Assigns eth0 to the trust zone set interface eth1 transparent Sets eth1 interface in transparent mode set interface eth1 zone untrust Assigns eth1 to the un...

Page 115: ...ith your appliance Table 7 9 Commands to Set Up Policies Performing Traffic Analysis Using NetFlow The following describes the procedure to analyze traffic using NetFlow The packet arrives at the interface of the appliance The appliance validates whether the flow associated with this packet has NetFlow enabled This information is obtained from a prior policy lookup timestamp The timestamp is updat...

Page 116: ...yout Table 7 10 Peer to peer Scenario Network Layout Initializing the Appliance Use the following commands in Table 7 11 to initialize the appliance make it transparent to the rest of the network and prepare it to monitor traffic For more information about CLI commands see the CLI Command Reference Guide provided with your Freedom9 Networks appliance Table 7 11 Commands to Initialize the Appliance...

Page 117: ...Assigns eth0 to the trust zone set interface eth1 zone untrust Set eth1 interface in transparent mode set interface br0 ip 192 168 65 31 24 Assigns eth1 to the untrust zone set interface br0 manage http Assigns an IP address to the management interface Command Description unset interface eth0 ip Unbinds the IP address from the eth0 interface This is a pre requisite for transparent mode unset inter...

Page 118: ...ture directconnecttcp2 alert p2p cb alert set dpi profile p2p profile add signature directconnectudp alert p2p cb alert Assigns direct connect signatures to p2p profile and associates with the p2p cb alert set dpi profile p2p profile add signature edonkeytcp1 alert p2p cb alert set dpi profile p2p profile add signature edonkeytcp2 alert p2p cb alert set dpi profile p2p profile add signature edonke...

Page 119: ... not resolved If the flow does exist then P2P determination is not done and the following occurs Wait for the first 16 bytes of the packet payload Scan the 16 bytes if it matches any signature from the signature list in the profile or if the port number of the packet is within the port range of the signature then mark the session p2p and perform the specified alert action If not then mark the sess...

Page 120: ...uration the system will count the individual connection attempts from the combined source zone IP Address to destination zone IP Address configured on the policy After the specified interval threshold is reached an alarm will be triggered with the configured alert action The alert message content will specify which source IP address to which destination IP address the connection threshold was met ...

Page 121: ...d table Policy Configurator After an alert is configured the user can now tie the alert to a specific policy In the policy command the following configuration option has been added Example CLI Command set policy from untrust to trust any any any permit alertname conn rate aggr bw bw_conn NOTE alert name options are conn rate aggr bw bw_conn For each option you use you must list them in this order ...

Page 122: ...M O N I T O R I N G T R A FF I C 7 7 16 User Guide ...

Page 123: ...Translation group 1 3 6 1 2 1 3 IP group 1 3 6 1 2 1 4 RFC 2011 ICMP group 1 3 6 1 2 1 5 RFC 1213 Transmission group Ethernet 1 3 6 1 2 1 10 RFC 1643 SNMP group 1 3 6 1 2 1 11 RFC 1213 SNMP System Object ID OID The SNMP system OID is 1 3 6 1 4 1 29047 The Sub OIDs for Slim 100 and FlowLine are Table 8 1 SlimLine and FlowLine Sub IDs Example For SlimLine 100 the SNMP system OID is 1 3 6 1 4 1 29047...

Page 124: ...Group sysUpTime TimeTicks sysContact DisplayString sysName DisplayString sysLocation DisplayString sysServices DisplayString Object Name Value Type ifNumber Integer32 Object Name V a l u e T y p e atIfIndex INTEGER atPhysAddress PhysAddress atNetAddress NetworkAddress Object Name V a l u e T y p e ipInReceives Counter32 ipInUnknownProtos Counter32 ipInDiscards Counter32 ipOutNoRoutes Counter32 ipR...

Page 125: ...R ipAdEntNetMask IpAddress ipAdEntBcastAddr INTEGER ipAdEntReasmMaxSize INTEGER Object Name Value Type ipRouteDest IpAddress ipRouteIfIndex INTEGER ipRouteMetric1 INTEGER ipRouteMetric2 INTEGER ipRouteMetric3 INTEGER ipRouteMetric4 INTEGER ipRouteNextHop IpAddress ipRouteType INTEGER ipRouteProto INTEGER ipRouteAge INTEGER ipRouteMask IpAddress ipRouteMetric5 INTEGER Object Name Value Type ipNetTo...

Page 126: ...unter32 snmpInASNParseErrs Counter32 snmpInTooBigs Counter32 snmpInNoSuchNames Counter32 snmpInBadValues Counter32 snmpInReadOnlys Counter32 snmpInGenErrs Counter32 snmpInTotalReqVars Counter32 snmpInTotalSetVars Counter32 snmpInGetRequests Counter32 snmpInGetNexts Counter32 snmpInSetRequests Counter32 snmpInGetResponses Counter32 snmpInTraps Counter32 snmpOutTooBigs Counter32 snmpOutNoSuchNames C...

Page 127: ...ystem Name Allows the administrator to set the SNMP system name System Location Sets the Freedom9 Networks appliance system location snmpEnableAuthenTraps INTEGER snmpSilentDrops Counter32 snmpProxyDrops Counter32 Object Name Value Type dot3StatsIndex INTEGER dot3StatsAlignmentErrors Counter32 dot3StatsFCSErrors Counter32 dot3StatsSingleCollisionFrames Counter32 dot3StatsMultipleCollisionFrames Co...

Page 128: ...ce To allow the SNMP monitoring system to contact and pull the SNMP information from the Freedom9 Network appliance SNMP must be enabled on that specified interface set interface interface name manage snmp Example To enable SNMP on the eth0 interface set interface eth0 manage snmp GUI Example To Enable SNMP On The Eth0 Interface 1 Select Network Interface Edit for ethernet0 2 Enter the following t...

Page 129: ...pecify the name to be used as the system name set snmp name name_str Deleting the SNMP System Name To delete the SNMP system name use the unset snmp name command unset snmp name Configuring the SNMP System Locations To configure the SNMP system location use the set snmp location command and specify the physical location of the appliance set snmp location location Deleting the SNMP location To dele...

Page 130: ...nd with the community option This will display the current SNMP community settings cli get snmp community Community string public Host name 192 168 1 1 View the SNMP Statistics To view the SNMP statistics use the get snmp command with the statistics option This will display the current SNMP statistics cli get snmp statistics In pkts 0 Out pkts 0 In bad versions 0 In bad community names 0 In bad co...

Page 131: ...Example View the SNMP Statistics 1 Select Logging SNMP 2 Select the Get SNMP Statistics button Viewing the Interface Statistics To view the interface statistics for a specific physical interface use the get counter command and specify the specific interface get counter statistics interface interface name Example To view the Interface Statistics for the eth0 interface get counter statistics interfa...

Page 132: ...kts 0 in policy deny 1000 in no route 0 in no sa with policy 0 in policy permit 6 in no dip 0 in bad policy 0 in ipsec sa fail 0 in ipsec crypto err 0 in ipsec esp only 0 in ipsec esp na 0 in ipsec esp auth 0 in ipsec ah 0 in ipsec replay fail 0 in ipsec auth fail 0 out pkts 1821 out bytes 725315 out arp pkts 163 out icmp pkts 0 out tcp pkts 654 out udp pkts 1004 out vlan pkts 0 out gre pkts 0 out...

Page 133: ... U SI N G SN M P User Guide 8 11 GUI Example View the Interface Statistics for the eth0 interface 1 Select Reports Counters Hardware 2 Select the Interface Eth0 3 Select the Go button ...

Page 134: ...U SI N G S N M P 8 8 12 User Guide ...

Page 135: ...nd logical interfaces on a Freedom9 Networks appliance A security zone can consist of one physical interface or a group of many physical and logical interfaces Security policies incorporate security zones to efficiently manage access control policies of traffic that traverses zones and interfaces Figure 9 1 displays the interface eth0 configured in the trust zone with two subinterfaces VLAN 100 an...

Page 136: ...N and Demilitarized Zone DMZ Untrust The untrust zone is commonly used for the WAN The untrust zone has default security enabled to prevent Denial of Service Attacks DoS DMZ The DMZ zone is commonly used to segment publicly accessible servers from the local area network LAN and WAN Global The global zone is used to apply policies independent of zones Figure 9 3 displays the appliance with two secu...

Page 137: ...rity zone This section includes the following topics Creating Custom Security Zones Deleting Custom Security Zones Viewing Zone Configurations Creating Custom Security Zones Use the set zone command with the name_str option to create a custom security zone set zone name name_str Example Creating the Sales Security Zone set zone name sales save GUI Example Creating the Sales Security Zone 1 Network...

Page 138: ...terfaces and Subinterfaces Viewing Zone Configurations Use the get zone command to display information on all security zones The following information appears for each zone Zone name The name assigned to the interface Zone ID The ID number assigned to the zone Type The security settings on the zone Interfaces bound Lists all physical and logical interfaces bound to the zone Use the get zone comman...

Page 139: ...ss and netmask to the interfaces on the appliance set interface interface name ip ip_addr mask Example Configuring the eth0 Interface with the IP Address 10 0 0 1 24 set interface eth0 ip 10 0 0 1 24 save GUI Example Configuring the eth0 interface with the IP address 10 0 0 1 24 1 Select Network Interface Edit eth0 2 Enter the following address information then click Apply Type Interface IP 10 0 0...

Page 140: ...lect the following then click Apply Zone Name Trust Configuring Subinterfaces A subinterface is a logical interface that uses an 802 1q tag to identify membership to a specific VLAN on a physical interface After you configure a subinterface and assign it to a zone traffic can pass from VLANs associated with the subinterface to other physical or logical interfaces on the appliance Additionally secu...

Page 141: ...mask 192 168 100 1 24 Zone Name Trust Deleting Subinterfaces You must remove all policies bound to a subinterface before you can delete a subinterface After you remove all policies use the unset interface command to delete the subinterface unset interface interface name Example Deleting the Subinterface eth0 120 unset interface eth0 120 save GUI Example Deleting the subinterface ETH0 120 1 Network...

Page 142: ...on the Internet the source IP address of all traffic from that host is translated to the IP address of the egress interface In this case the new translated source IP address is 128 196 10 2 Figure 9 6 NAT Enabled Mode Example Configuring NAT Enabled Mode Configure NAT enabled mode on the eth0 interface of the appliance in Figure 9 6 set interface eth0 nat save GUI Example Configuring Nat Enabled M...

Page 143: ...Mode Route Figure 9 7 Route Mode All traffic from eth0 to eth1 and from eth1 to eth0 maintains their original source IP addresses Viewing Interface Information Use the get interface command to display interface information The following information appears for each physical and logical interface Name The name assigned to the interface IP address subnet The IP address and subnet assigned to the int...

Page 144: ...l GUI Example Getting Interface ETH0 1 Select Network Interface Edit for ETH0 2 This displays the interface for ETH0 Configuring Transparent Mode This section describes the Transparent Mode feature It includes the following topics Transparent Mode Overview Transparent Mode Simple Deployment Transparent Mode Simple ACL Functions Transparent Mode Overview When the appliance is configured to run in T...

Page 145: ...st to www yahoo com the workstation performs a DNS query for www yahoo com the return address for the site will be a routable Internet address The host then performs an arp for its default gateway and sends the packet to the router 10 0 0 1 The appliance inspects the outgoing request and runs the packet through its Policy engine Due to the permit policy created earlier this packet will be left int...

Page 146: ...m9 network appliance can be deployed in such environments and be utilized as a VLAN policy enforcer The Freedom9 network appliance can be placed directly between the VLAN switch trunk and the external VLAN router it can then intercept recognize various VLAN tagged packets and apply zone based policies to these types of traffic This is possible through the additional lookup parameter activated in t...

Page 147: ...n set interface eth0 transparent set interface eth0 zone trust set interface eth0 transparent set interface eth1 zone untrust set zone name ManageNet set zone name Engineering set zone name Accounting set zone name Finance set zone name Lab set zone name Sales Routed Mode L2 Switch 802 1q Trunk Port VLAN 100 500 802 1q Trunk Port VLAN 100 500 VLAN 5 VLAN Zone Table VLAN br0 5 10 2 1 0 24 Zone Mana...

Page 148: ...om Sales to Accounting any SQLserver sql permit Transparent Mode Simple ACL Functions As firewalls are placed deeper within high speed transmission points many network integrators are looking for simple methods of applying ACLs to specific types of traffic without causing disruption to their existing network topology ISPs and Telcos are seeking methods to restrict various protocols or IP address t...

Page 149: ... non ip Broadcast Multicast traffic set transparent bypass bmcast This command will bypass i e drop non ip broadcast and multicast packets The default behavior of the Freedom9 network appliance is to pass i e allow such packets GUI Example Pass Non IP Broadcast packets in Transparent Mode Check the Non IP Broadcast option and click Apply Ability to bypass pass DDOS traffic unset transparent bypass...

Page 150: ... packets that do not exceed the MTU limit You can only configure MTU settings on the physical interfaces of the appliance Use the set interface command with the mtu option to set the MTU size for a specific interface set interface interface name mtu size Example Setting the MTU Size on the eth1 Interface to 1450 set interface eth1 mtu 1450 save GUI Example Setting the MTU Size on the ETH1 Interfac...

Page 151: ...arp ip_addr all Adding Static ARP Entries Use the set arp command to add a static ARP entry set arp ip_addr mac_addr Example Adding a Static ARP Entry Use the set arp command to add a static ARP entry for a host connected on the eth0 interface with an IP address of 10 0 0 1 and a MAC address of aa bb cc dd ee ff set arp 10 0 0 1 aabbccddeeff save GUI Example Adding a Static ARP Entry 1 Select Netw...

Page 152: ...nterface Management Use the unset interface interface name with the management option to turn off the specific interface management options Example Allow the eth0 interface to respond to ping set interface eth0 manage ping GUI Example Allow the ETH0 Interface to Respond to Ping 1 Select Network Interface Edit for eth0 2 Select the following then click Apply Management Option Ping Setting the Inter...

Page 153: ...thout an implicit route require a static route that identifies the next hop gateway and interface to forward traffic going to the destination network In Figure 10 1 a static route is configured on the appliance to forward traffic from workstations on the 10 0 0 0 24 network to a server on the 10 0 100 0 24 network The static route identifies 10 0 0 100 as the gateway address for all traffic going ...

Page 154: ...ute entry with the desired route changes Example Modifying a Static Route Modify the gateway on a previously created static route from 10 0 0 100 to 10 0 0 20 unset route 10 0 100 0 24 set route 10 0 100 0 24 interface eth0 gateway 10 0 0 200 save GUI Example Modifying a Static Route 1 Select Network Routing 2 Select the following then click Apply Remove 10 0 100 0 3 Network Routing Add 4 Enter th...

Page 155: ...ing the Default Route 1 Select Network Routing Add 2 Enter the following then click Apply Network address 0 0 0 0 Netmask 0 Interface etho1 Gateway 4 4 4 1 Displaying Route Information Use the get route command to display all routes on the appliance get route Figure 10 2 shows an example of the output that appears when you use the get route command Figure 10 2 Get Route Command Output get route De...

Page 156: ...lect Network Routing Route 2 Shows current routing information Figure 10 3 displays an example of the output that appears when you use the get route command with the ip_addr option Figure 10 3 Get Route Command with ip_addr option Output get route 192 168 65 0 24 Dest Routes for 1 entries C Connected S Static A Auto Exported I Imported R RIP P Permanent iB IBGP eB EBGP O OSPF E1 OSPF external type...

Page 157: ...e defined GOPHER 6 70 info seeking Default Pre defined HTTP 6 80 info seeking Default Pre defined HTTPS 6 443 security Default Pre defined ICMP INFO 1 0 65535 other Default Pre defined ICMP TIMESTAMP 1 0 65535 other Default Pre defined Internet Locator Service 6 389 info seeking Default Pre defined IRC 6 6660 6669 remote Default Pre defined L2TP 6 1701 remote Default Pre defined LDAP 6 389 info se...

Page 158: ...defined TCP ANY 6 0 65535 other Default Pre defined TELNET 6 23 remote Default Pre defined TFTP 17 69 remote Default Pre defined TRACEROUTE 1 0 65535 other Default Pre defined UDP ANY 17 0 65535 other Default Pre defined UUCP 17 540 remote Default Pre defined VDO Live 6 7000 7010 info seeking Default Pre defined WINFRAME 6 1494 remote Default Pre defined X WINDOWS 6 6000 6063 remote Default Pre de...

Page 159: ...the use of Triple DES or 3DES By enabling CBC the DES encryption occurs three times enabling generation of the 56 bit key three times The 3DES standard uses a key length of 168 bits Datagram A self contained data packet sent over an IP network Default Route A standard entry in a routing table that enables traffic to be forwarded for destination networks that are not explicitly defined on a specifi...

Page 160: ...l other network devices can view that traffic Internet Control Message Protocol ICMP An extension of IP used to report packet errors and control or transmit information Ping is an example of an ICMP message that is used to test connectivity of a device Internet A network that allows millions of computers to be connected as a single global network Originally developed by the U S Defense Department ...

Page 161: ...e used with IPSec instead of PSK and Manual Key It provides a higher level of security Port Address Translation PAT Translates the original source port number to a different randomly assigned port number Port Mapping Changes the original destination port number on a packet to a different prede termined port number PPPoE Point to Point Protocol over Ethernet Used to allow ISPs the use of their exis...

Page 162: ...cation protocols that defines how a host communicates with another host Hosts can be located on the same local area network LAN or across a wide area network WAN TCP IP allows machines to communicate even if they do not use the same operating system Trivial File Transfer Protocol TFTP A simple form of the File Transfer Protocol FTP that uses User Datagram Protocol UDP to transfer data and provides...

Page 163: ...dress group grp_name in zone zone name has added deleted member mbr_name 5 16 Address group grp_name in zone zone name has been added deleted modified 5 16 An error occurred while removing route route_address subnetwork_mask from the static route table 5 23 ARP always on destination enabled 5 18 ARP detected IP conflict IP address ip_addr changed from interface interface to interface interface 5 1...

Page 164: ...ed string 5 17 Message proto protocol number src src ip addr src port dst dest ip addr dest port BitTorrent EDonkey Fasttrack Gnutella Ares DirectConnect MP2P Winny Custom DPI Session Detected 5 15 Modify clock setting 5 24 New zone zone ID id_num was created 5 25 Out of memory in timeout 5 21 Packet allowed due to policy permit 5 14 Packet dropped due to DoS rate limit to management CPU reached 5...

Page 165: ...ntry added to deleted from interface interface with IP ip_address and MAC mac_addr 5 18 TCP FIN flood drop 5 13 TCP FIN no ACK packet dropped 5 13 TCP SYN flood drop 5 13 Temporary policy table full 5 14 The interface interface operational mode has been changed to NAT Route 5 18 The interface interface was removed 5 18 The physical state of interface interface has changed to up down 5 19 Time Zone...

Page 166: ...A L PH AB E T I C LI S T I NG OF LO G M E SS AG E S C C 4 User Guide ...

Page 167: ...ons Statements Canada Industry Canada Compliance Statement This Class A digital apparatus complies with Canadian ICES 003 Cet appareil numérique de la classe A est conforme à la norme NMB 003 du Canada Warning This is a Class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Korea Class A Digital Device St...

Page 168: ...t in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense Battery Statement Taiwan Battery Recycling Statement Waste batteries please recycle This product contains a Lithium battery This battery is not to be removed or replaced by the user If the battery needs to be replaced contact your Freedom9 network R...

Page 169: ...ty to operate the equipment Battery Statement Perchlorate Material special handling may apply See www dtsc ca gov hazardouswaste perchlorate NOTE This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesir...

Page 170: ...N O TI F I C A T I O N A N D S A F E T Y ST A TE M E N T S Battery Statement D D 4 User Guide ...

Search results

Summary of Contents for freeGuard Slim 100

Reviews:

Related manuals for freeGuard Slim 100

Brands by name

Popular brands

Freedom9 freeGuard Slim 100, User Manual

Search results

Summary of Contents for freeGuard Slim 100

Reviews:

Related manuals for freeGuard Slim 100

Brands by name

Popular brands