manualshive.com logo in svg

FireBrick FB6402, Руководство пользователя

Поделиться
Скачать
FireBrick FB6402 Скачать руководство пользователя страница 90

Tunnels

73

Future FireBrick development will introduce TLS/HTTPS and when this is available private key upload will
be restricted to secure encrypted connections.

There are a number of different formats in use for holding certificates and private keys. The FireBrick accepts
standard DER-format (binary) and PEM-format (base64 armoured text) X.509 certificates, and DER-format
and unencrypted PEM-format private keys in raw or PKCS#8 form, as generated by utilities such as OpenSSL.
PKCS#7 and PKCS#12 format certificates and certificate bundles are not recognized by the FireBrick; these
should be split up into their component parts (eg using OpenSSL) before being uploaded to the FireBrick. Note
that private keys must not be encrypted (ie should not need a passphrase to access them). Again, OpenSSL
can be used to unencrypt and remove a passphrase from a private key before upload. When downloading a
certificate from the FireBrick, DER or PEM format can be selected.

For use with IPsec/IKEv2 end-entity certificates must hold an RSA or DSA public key. Currently the FireBrick
also only accepts RSA or DSA keys for CA certificates. This should not be a problem at present as the use
of newer style public keys in certificates used for signing other certificates is uncommon, and can always be
avoided if generating one's own CA certificatre.

As  mentioned  above,  part  of  the  authentication  of  a  peer  using  a  certificate  consists  of  confirming  that  the
peer's IKE ID matches the ID recorded in the certificate. Certificates can hold identity information in more
than one way, and cryptographic implementations do not always agree on how the identity should be stored.
The FireBrick accepts the CommonName (CN) field of the Subject DistinguishedName for a KEYID-type ID,
or, for IP, FQDN or EMAIL type IDs, any SubjectAltName field of the right type. A certificate usually holds
some information regarding its purpose, and again there is not universal agreement among implementations
on how this usage information should be checked. The FireBrick requires a certificate to be used for IPsec
authentication to be marked as allowing use for digitalSignature or nonRepudiation, and a certificate to be used
for signing certificates must be marked as allowing use for certificate signature.

For a FireBrick IKE connection which authenticates itself to a peer using a certificate, it is necessary to install
a suitable end-entity certificate along with its associated private key on the FireBrick. Unless the certificate is
self-signed the certificate(s) used as CAs to provide a trust chain must also be installed, though private keys
are not required for these (and for security should not be installed). During the IKE authentication procedure
the  FireBrick  sends  a  copy  of  the  certificate  identifying  itself  to  the  peer,  and  also  sends  the  trust  chain  of
certificate(s) used to sign the end-entity certificate. The peer does not need to have the end-entity certificate
installed, but must have a CA certificate (usually the self-signed "root" CA) installed so that it can check the
validity  of  the  certificate.  The  private  key  for  the  CA  certificate  should  be  stored  in  a  secure  manner  -  not
on the FireBrick, and ideally not on any machine with a permanent network connection - a memory stick is
recommended. The CA certificate can have any suitable subject identity, and the end-entity certificate must
have  a  CN  or  SubjectAltName  which  corresponds  with  the  local  IKE  identity  which  will  be  used  for  the
connection.  For  reliable  interworking  with  other  kit  it  is  recommended  that  this  is  set  using  a  FQDN  (aka
DNS) subjectAltName field. The certificate which the FireBrick will use to authenticate itself to the peer can
be specified in the connection certlist item, using the short local name set when the certificate was installed.
This can normally be left unset, however, as the FireBrick will then choose a certificate which matches the
local-ID setting.

certlist, if set, should be the end-entity certificate identifying the local FireBrick, and peer-certlist, if set, should
be a list of the certificates which provide the trust for authenticating the peer's certificate. These can normally
be left unset, in which case the FireBrick will choose any suitable certificate matching the IKE local-ID for
authenticating itself, and any certificate(s) in the store for providing the trust of the peer's certificate.

A FireBrick connection which expects its peer to authenticate using a certificate needs to have either the end-
entity certificate or a CA certificate providing trust installed. If the peer-certlist item is not set, the FireBrick
will use any suitable certificate in its store to validate the peer's certificate; if set (to a list of short local names),
only those certificate(s) listed are acceptable.

Note that it is not obligatory to create and use a self-signed certificate. A large organization may have a master
CA which has been signed by a CA authority, and which is trusted automatically by many devices which have
a built-in set of root CAs. This master CA be used to sign a subsidiary CA, which is then used to sign the end-
entity certificate to be used for IKE authentication.

Содержание FB6402

Страница 1: ...FireBrick FB6402 User Manual FB6000 Versatile Network Appliance...

Страница 2: ......

Страница 3: ...FireBrick FB6402 User Manual This User Manual documents Software version V1 46 100 Copyright 2012 2017 FireBrick Ltd...

Страница 4: ...Object Hierarchy 9 3 2 The Object Model 9 3 2 1 Formal definition of the object model 10 3 2 2 Common attributes 10 3 3 Configuration Methods 10 3 4 Web User Interface Overview 10 3 4 1 User Interfac...

Страница 5: ...o Flash memory 29 5 1 1 2 Logging to the Console 30 5 2 Enabling logging 30 5 3 Logging to external destinations 30 5 3 1 Syslog 30 5 3 2 Email 31 5 3 2 1 E mail process logging 32 5 4 Factory reset c...

Страница 6: ...rrier grade NAT 53 7 4 9 Using NAT setting on subnets 53 8 Routing 55 8 1 Routing logic 55 8 2 Routing targets 56 8 2 1 Subnet routes 56 8 2 2 Routing to an IP address gateway route 56 8 2 3 Special t...

Страница 7: ...5 Choice of algorithms 74 11 1 6 NAT Traversal 75 11 1 7 Configuring a Road Warrior server 76 11 1 8 Connecting to non FireBrick devices 77 11 1 8 1 Using StrongSwan on Linux 77 11 1 8 2 Setting up a...

Страница 8: ...97 15 2 2 Standards 97 15 2 3 Simple example setup 98 15 2 4 Peer type 98 15 2 5 Route filtering 99 15 2 5 1 Matching attributes 99 15 2 5 2 Action attributes 99 15 2 6 Well known community tags 100 1...

Страница 9: ...ps 115 E 2 6 See DHCP allocations 116 E 2 7 Clear DHCP allocations 116 E 2 8 Lock DHCP allocations 116 E 2 9 Unlock DHCP allocations 116 E 2 10 Name DHCP allocations 116 E 2 11 Show ARP ND status 116...

Страница 10: ...ical port controls 137 H 2 17 sampling Packet sampling configuration 137 H 2 18 portdef Port grouping and naming 138 H 2 19 interface Port group VLAN interface settings 138 H 2 20 subnet Subnet settin...

Страница 11: ...log severity 167 H 3 7 syslog facility Syslog facility 167 H 3 8 month Month name 3 letter 168 H 3 9 day Day name 3 letter 168 H 3 10 port Physical port 169 H 3 11 Crossover Crossover configuration 16...

Страница 12: ...FireBrick FB6402 User Manual xii H 3 38 dynamic graph Type of dynamic graph 175 H 3 39 firewall action Firewall action 175 H 4 Basic types 175 Index 178...

Страница 13: ...tegories 12 3 4 The Setup category 13 3 5 Editing an Interface object 14 3 6 Show hidden attributes 14 3 7 Attribute definitions 14 3 8 Navigation controls 15 4 1 Setting up a new user 21 4 2 Software...

Страница 14: ...types 98 15 2 Communities 100 15 3 Network attributes 101 B 1 DHCP client names used 109 D 1 iso 3 6 1 4 1 24693 1 111 D 2 iso 3 6 1 4 1 24693 179 111 F 1 File types 120 F 2 Colours 121 F 3 Text 122...

Страница 15: ...152 H 51 ipsec ike Attributes 152 H 52 ipsec ike Elements 153 H 53 ike connection Attributes 153 H 54 ike connection Elements 154 H 55 ipsec route Attributes 155 H 56 ike roaming Attributes 155 H 57...

Страница 16: ...100 LinkPower PHY power saving options 170 H 101 LinkFault Link fault type to send 171 H 102 sampling protocol Sampling protocol 171 H 103 trunk mode Trunk port more 171 H 104 ramode IPv6 route announ...

Страница 17: ...tware and ensures FireBrick are able to maximise performance from the hardware and maintain exceptional levels of quality and reliability The result is a product that has the feature set performance a...

Страница 18: ...factory The procedure requires physical access to the FB6000 and can be applied if you have made configuration changes that have resulted in loss of access to the web user interface or any other situa...

Страница 19: ...case a single physical connection can be made between a VLAN capable switch and the FB6000 and with the switch configured appropriately this physical connection will carry traffic to from multiple VLA...

Страница 20: ...e like to dive in hands on working with examples and tweaking them until they work the way they want referring to documentation as required Other people prefer to build their knowledge up from first p...

Страница 21: ...tware see Section 4 3 and are using the latest revision of the manual applicable to that software version and have attempted to answer your query using the material in this manual Many FireBrick resel...

Страница 22: ...e training courses for the FB2x00 series products and also training course on general IP networking that are useful if you are new to networking with IP To obtain information about upcoming courses pl...

Страница 23: ...your LAN and it will get an address Port 4 is configured by default not to give out any addresses and as such it should not interfere with your existing network You would need to check your DHCP serve...

Страница 24: ...age for managing the configuration 2 2 1 Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick s user interface Click on the Users icon then click...

Страница 25: ...e a new configuration that includes your new user definition You should now see a page showing the progress of storing the new configuration in Flash memory Figure 2 4 Configuration being stored On th...

Страница 26: ...locally attached subnet is a child of an object that defines an interface and as such defines that the subnet is accessible on that specific interface Since multiple interfaces can exist other interf...

Страница 27: ...to avoid confusion 3 3 Configuration Methods The configuration objects are created and manipulated by the user via one of two configuration methods web based graphical User Interface accessed using a...

Страница 28: ...d showing the current software version the remaining page area contains the content for the selected part of the user interface Figure 3 1 shows the main menu when it is set to display horizontally No...

Страница 29: ...to set up FireBricks in a style and branding of their choice 3 4 2 Config pages and the object hierarchy The structure of the config pages mirrors the object hierachy and therefore they are themselve...

Страница 30: ...factory reset configuration You can push down into the hierarchy by clicking the Edit link in a table row This takes you to a page to edit that specific object The page also shows any child objects of...

Страница 31: ...ox is show the attribute name this is a compact string that exactly matches the underlying XML attribute name a short description of the attribute Tip If there is no default shown for an attribute the...

Страница 32: ...The configuration pages are generated on the fly using JavaScript within your web browser environment i e client side scripting As such the browser is essentially unaware of changes to page content an...

Страница 33: ...L 3 5 1 Introduction to XML An XML file is a text file i e contains human readable characters only with formally defined structure and content An XML file starts with the line xml version 1 0 encoding...

Страница 34: ...lement which contains the entire element hierarchy In the FB6000 the root element is config and it contains top level configuration elements that cover major areas of the configuration such as overall...

Страница 35: ...hfront co uk resolvers 81 187 42 42 81 187 96 96 services port name WAN ports 1 port name LAN ports 2 interface name WAN port WAN subnet name ADSL ip 81 187 106 73 30 interface interface name LAN port...

Страница 36: ...ploaded to the FireBrick using HTTP transfers done via tools such as curl Using these methods configuration of the FB6000 can be integrated with existing administrative systems Note Linebreaks are sho...

Страница 37: ...type multi part form data An example of doing this using curl run on a Linux box is shown below curl http FB6000 IP address or DNS name config config user username password form config filename Note Y...

Страница 38: ...As with any such object erase operation the object will not actually be erased until the configuration is saved Once you have added a new user or are editing an existing user the object editing page w...

Страница 39: ...access unless explicitly listed view View only access no passwords or hashes read Read only access with passwords and hashes full Full view and edit access DEFAULT 4 1 3 Login idle timeout To improve...

Страница 40: ...the old password and the new password twice and the password is updated If you have OTP set up on a user then you cannot change the password simply using the configuration editor unless also setting...

Страница 41: ...ork The hostname is set using the name attribute 4 2 2 Administrative details The attributes shown in Table 4 3 allow you to specify general administrative details about the unit Table 4 3 General adm...

Страница 42: ...AT to drop However the FB6000 reboots very quickly and in many cases users will be generally unaware of the event You can also use a profile to restrict when software upgrades may occur for example yo...

Страница 43: ...current software version is displayed on the main Status page shown when you click the Status main menu item itself i e not a submenu item The main software application version is shown next to the w...

Страница 44: ...upgrades are attempted see Chapter 9 for details on profiles The current setting of sw update in descriptive form can be seen on the main Status page adjacent to the word Upgrade as shown in Figure 4...

Страница 45: ...nning After power up the normal power LED indication sequence is therefore to go through the 1 second period flashing phase and then if at least one Ethernet port is connected to an active device or a...

Страница 46: ...erface or command line which can show the history in the buffer and then follow the log in real time even when viewing via a web browser with some exceptions see Section 5 6 1 In some cases it is esse...

Страница 47: ...ebug This is extra detail and is normally only used when diagnosing a problem Debug logging can be a lot of information for example in some cases whole packets are logged e g PPP It is generally best...

Страница 48: ...sending another Having a hold off period means you don t get an excessive number of e mails since the logging system is initially storing event messages in RAM the e mail that is sent after the hold o...

Страница 49: ...actory reset configuration also has a log target named fb support which is referenced by the log panic attribute of the system object see Section 5 7 This allows the FireBrick to automatically email t...

Страница 50: ...al Ethernet hardware messages log eth debug Ethernet hardware debug messages log eth error Ethernet hardware error messages log panic System Panic events log stats One second stats messages Specifying...

Страница 51: ...set up Until them the first active port is used on its own If you do not wish to use LACP for the trunk static config you can edit the individual ethernet port settings to set lacp to false If lacp mo...

Страница 52: ...is associated with a broadcast domain therefore multiple subnets existing in a single broadcast domain are not isolated at layer 2 from each other Effective firewalling at layer 3 cannot be establish...

Страница 53: ...the routing table of the interface However it is possible to set a source filter table which allows the check to be done in a different routing table This usually only makes sense when used with the...

Страница 54: ...o omitted as are any other addresses not within a subnet on the same interface Every allocation made by the DHCP server built in to the FB6000 is stored in non volatile memory and will survive power c...

Страница 55: ...turer which is registered to allocate that MAC address to an Ethernet device By specifying only these first three bytes six hexadecimal characters no colon delimiters in the mac attribute you can ensu...

Страница 56: ...o be set up for specific relays The table and allow allow you to limit the use of the DHCP Remote server to requests from specific sources note that renewal requests come from the allocated IP or NAT...

Страница 57: ...ason to restrict the operation to either of these modes you can set the duplex attribute to either half or full This will cause the port to only advertise the specified mode if the auto negotiate capa...

Страница 58: ...identifiers used to do the multiplexing For both UDP and TCP this identifier is a port number whose scope is local to the end point and is therefore usually different at each end point for a given fl...

Страница 59: ...essor load so in practice it can easily handle very large session tables hundreds of thousands of entries Note that TCP sessions also have time outs this is necessary since the connection may not be c...

Страница 60: ...ibute of the rule set is taken The available actions are the same as for a session rule Table 7 1 Action attribute values action attribute Action taken drop immediately cease rule processing quietly d...

Страница 61: ...he FB6000 s session rule specifications you may interpret the no match action as specifying what happens if the rule set s entry criteria are not met i e at the beginning of processing a rule set no m...

Страница 62: ...owed Yes no match action is accept No No no match action is drop reject ignore No action is continue Yes action is drop reject ignore No No action is continue or accept Rule criteria met Yes Session A...

Страница 63: ...milarly click the Edit link next to the rule set you want to modify As described in Section 7 3 2 a rule set can optionally specify entry criteria in the web user interface these come under the headin...

Страница 64: ...set per interface with the interface specified as the target interface in the entry criteria such that the rule set relates to sessions to that interface implement a default drop policy on each firewa...

Страница 65: ...c Normally a session table entry holds enough information to allow return traffic to reach its destination without potentially being firewalled However a session rule can specify certain changes to be...

Страница 66: ...ngoing timeout attribute Ongoing time out this time out period begins when each subsequent packet of the session arrives at the FB6000 it is specified by the set initial timeout attribute Note The act...

Страница 67: ...rules as normal but as it is already mapped it allows the firewall rules to consider the target typically a private IP address and port This allows much finer control than would be possible otherwise...

Страница 68: ...t connection Tip It is strongly recommended that you make use of PPPoE to connect to such an Internet connection thereby affording the FireBrick itself with the single public IPv4 address assigned to...

Страница 69: ...ort in a rule which causes the next rule set to see the new changed setting the NAT setting does not actually make these changes until the end of the processing of the rule sets i e a subsequent rule...

Страница 70: ...h cases Using this arrangement ensures that traffic internally between RFC1918 and public IP addresses can continue without using NAT internally Tip For fallback arrangements such as a dongle where al...

Страница 71: ...f to another subnet on the same FireBrick and this is often not the case This can be useful in very simple configurations where the FireBrick only has the one private subnet but in most cases it is be...

Страница 72: ...s but routes can only use prefixes There are two cases that deserve special attention A routing destination may be a single IP address in which case it is a 32 in CIDR notation for IPv4 The 32 part fo...

Страница 73: ...s a very specific single IP a 32 for IPv4 or a 128 for IPv6 route for the IP address of the FB6000 itself on that subnet This is a separate loop back route which effectively internally routes traffic...

Страница 74: ...k comes up when the link goes down these routes are removed automatically Refer to Chapter 11 for details on how to achieve this via the routes attribute on the tunnel definition objects This can be u...

Страница 75: ...r to Chapter 7 When establishing a session it is possible to scan an ordered list of rules which can consider not only the target IP but also source IP protocol ports and interfaces being used The res...

Страница 76: ...OT allowing for some complex profile logic to be defined that determines a final profile state from several conditions When considering the state of another profile it is the previous second s state t...

Страница 77: ...ol port state with a profile so you could have a port come up if another port is down to create a fallback arrangement If more than one of these general tests is selected corresponding attribute speci...

Страница 78: ...itch is not part of the config The switch state is automatically stored in the dynamic peristent data along with DHCP settings etc so survives a power cycle restart The control switch uses initial as...

Страница 79: ...m the FB6000 via the web User Interface to view a graph click the PNG item in the Graphs menu This will display all the graphs that are currently configured it is not currently possible to show a sing...

Страница 80: ...Multiple objects can share the same graph Graphs can sometimes be created automatically and may have speeds applied 10 1 4 Long term shapers If defining a shaper using the shaper object there are a nu...

Страница 81: ...ntly sent This depends on the length of packets sent and the speed of the shaper This is essentially tracking how much is likely to be queued at a bottleneck further on The FB6000 does not delay sendi...

Страница 82: ...etween a roaming client and a server providing security for working at home or on the road scenarios This usage is usually known as a Road Warrior connection The FireBrick can be used as the server fo...

Страница 83: ...mechanisms to select the keys to be used using the Diffie Hellman key exchange mechanism IKE also performs authentication between the two link endpoints using for example X 509 certificates pre shared...

Страница 84: ...need to authenticate with it is more normal to have a chain of trust you elect to trust a certificate from a certificate authority CA and you then implicitly trust any certificates which have been si...

Страница 85: ...range of 16 or a single IPv6 range of 112 11 1 2 4 IKE connections To set up a new IKE connection select Add New IKE connections on the IPsec configuration page There are a large number of options ava...

Страница 86: ...f ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all If the prefix IP FQDN etc is omitted in the identity the FireBrick...

Страница 87: ...or more complex routing a number of separate route elements can be added to the tunnel config Metrics and the routing tables to be used may also be specified The blackhole option can be set to ensure...

Страница 88: ...mplementation when using manual keying the same key is used for both incoming and outgoing traffic The same keys and algorithms must be configured at the remote end of the link The above keys are exam...

Страница 89: ...ween the client and server These take place using the IKE control channel so although at this stage the server does not yet know the identity of the client connecting indeed it is purpose of the EAP i...

Страница 90: ...ess the certificate is self signed the certificate s used as CAs to provide a trust chain must also be installed though private keys are not required for these and for security should not be installed...

Страница 91: ...e company Paradigm Ltd who wish to set up a certificate suitable for authenticating one of their servers using IKE identity FQDN vpn server42 paradigm co uk To make a suitable CA and end entity certif...

Страница 92: ...ntrol Data none DHGroup Data Yes MODP 1024 DHGroup Control Data MODP 2048 DHGroup Control Data Yes HMAC MD5 PRF Control HMAC SHA1 PRF Control Yes AES XCBC 128 PRF Control Yes HMAC SHA256 PRF Control Y...

Страница 93: ...nset in order to allow connections from any client Certificates An end entity certificate identifying the FireBrick should be created along with its private key and signed with a suitable CA certifica...

Страница 94: ...Several vendors have released IKEv2 support only recently it is worth checking with your vendor for firmware upgrades The FireBrick is known to interoperate well with StrongSwan implementations and w...

Страница 95: ...hould be configured as described earlier using certificate authentication for the FireBrick and EAP for the peers Install the StrongSwan app on the Android device this is a free app available from the...

Страница 96: ...ves multiple IP addresses or IPv6 addresses Symptoms of this include being unable to connect at all for varying periods of time and connections dropping shortly after establishing while appearing to s...

Страница 97: ...1415 A hmac sha1 0x0123456789012345678901234567890123456789 add 192 168 1 1 192 168 2 2 esp 2000 m tunnel E rijndael cbc 0x00010203040506070809101112131415 A hmac sha1 0x012345678901234567890123456789...

Страница 98: ...IP addresses to a network but it is either impossible to route the addresses directly to the network e g it is behind a NAT ing router or is connected via networks e g a 3rd party ISP that you have n...

Страница 99: ...o not need to manually change routing information to suit A dynamic route is defined by setting the routes attribute on the tunnel definition specifying one or more routing destinations in CIDR format...

Страница 100: ...nds on whether the FB6000 behind the router has a far end IP address specified in tunnel definition s as follows If it does then it will be sending tunnel wrapper packets via the NAT router such that...

Страница 101: ...ier network In addition the extra latency may cause problems with devices expecting LAN speed responses for example switches running LACP Configuring an ETUN connection is very simple Select Add New E...

Страница 102: ...not present the service is disabled Clicking on the Edit link next to the services object will take you to the lists of child objects Where a service object is not present the table in that section wi...

Страница 103: ...s purpose is to serve the HTML and supporting files that implement the web based user interface for the FB6000 It is not a general purpose web server that can be used to serve user documents and so th...

Страница 104: ...s attribute However DNS resolvers are also learned automatically via various systems such as DHCP In most cases you do not need to set the resolvers 12 5 1 Blocking DNS names You can configure names s...

Страница 105: ...NTP client service typically only requires setting the timeserver attribute to specify one or more NTP servers using either DNS name or IP address 12 7 SNMP configuration The SNMP service allows othe...

Страница 106: ...ollows a defined processing flow when it comes to deciding whether to establish a new session see Section 7 2 for an overview of session tracking and its role in implementing firewalling The processin...

Страница 107: ...is the name of an IP address group that does not include 1 2 3 4 dns local only true DNS resolver access This address is not on a local Ethernet subnet and so not allowed access 13 3 Packet Dumping Th...

Страница 108: ...ackets self Include my IP By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded This option allows such traffic Use with care else you dump your...

Страница 109: ...PPP protocol bytes and then have fake PPPoE and Ethernet headers added A snaplen value of 0 has special meaning it causes logging of just IP TCP UDP and ICMP headers as well as headers in ICMP error p...

Страница 110: ...rname name and password pass to log in to a FireBrick on address 1 2 3 4 obviously you would change the IP address or host name and credentials to something suitable for your FB6000 We have asked for...

Страница 111: ...tems do not work well and get confused about the same MAC appearing on different interfaces and VLANs As such it is generally a good idea to avoid doing this unless you are sure your network will cope...

Страница 112: ...ult Devices have to be using the same version IPv4 and IPv6 can co exist with one using VRRP2 and the other VRRP3 Setting the same config apart from priority on all devices ensures they have the same...

Страница 113: ...nd is selected It can also be specifically set in the config by setting the attribute version3 to the value true Caution If you have devices that are meant to work together as VRRP but one is version...

Страница 114: ...case Even though IPv4 address space has already run out it is possible to obtain IPv6 PI address space and an AS number to announce your own IPv6 addresses to multiple providers for extra resilience...

Страница 115: ...lements that apply are defined in the XML XSD documentation for your software release 15 2 4 Peer type The type attribute controls some of the behaviour of the session and some of the default settings...

Страница 116: ...hen the default actions from the import export object are used In addition the top level import export has a prefix list If present then this will limit the prefixes processed at a top level dropping...

Страница 117: ...k hole routes The FireBrick allows black hole routes to be defined using the the blackhole object Routing for such addresses is simply dropped with no ICMP error Such routes can be marked for BGP anno...

Страница 118: ...around this have by default ignore bad optional partial set to true The effect is that if a path attribute we understand is wrong and it is optional and trhe router that sent it to us did not underst...

Страница 119: ...lpref prefix stuffed and then a delay allows these to propagate This is a configurable option per peer and the maximum delay of all active peers is used as the delay Setting to zero will not do the lo...

Страница 120: ...ssed command history memory the CLI remembers a number of previously typed commands and these can be recalled using the Up and Down cursor keys Once you ve located the required command you can edit it...

Страница 121: ...CIDR The prefix notation introduced by CIDR was in the simplest sense to make explicit which bits in a 32 bit IPv4 address are interpreted as the network number or prefix associated with a site and wh...

Страница 122: ...IPv4 subnet on the LAN interface after factory reset is 10 0 0 1 24 the address of the FB6000 on this subnet is therefore 10 0 0 1 and the prefix length is 24 bits leaving 8 bits for host addresses o...

Страница 123: ...useful on some cable modem type installations where multiple IPs are only available if the FireBrick appears to be multiple devices at once Whilst DHCP theoretically does not need separate MAC address...

Страница 124: ...he port group and VLAN tag of the interface This is used for dynamic IPv6 allocation on the interface using router announcements RA and any other interface specific uses that are not relates to a subn...

Страница 125: ...s range In this example the range is specified as 000397 147C F this is interpreted as All addresses in the range start with 00 03 97 14 7 the next digit then ranges from C through to F the first addr...

Страница 126: ...the system name is set on the FB6000 as shown in Table B 1 Refer to Section 4 2 1 for details on setting the system name Table B 1 DHCP client names used System name Client name used not set e g fact...

Страница 127: ...ach group from the others Where more than one switch is used with an uplink connection between switches VLAN tagging is used to multiplex packets from different VLANs across these single physical conn...

Страница 128: ...eger mV Voltage 1 1V reference 1 8 Integer mV Voltage 3 3V fan power if present 1 9 Integer mV Voltage 1 2V fan power if present 2 1 Integer mC Temperature Fan controller 2 2 Integer mC Temperature CP...

Страница 129: ...FireBrick specific SNMP objects 112 IP 4 Integer Received IPv4 prefixes IP 5 Integer Seconds since last state change IP 6 Integer Received IPv6 prefixes...

Страница 130: ...uptime Shows how long since the FB6000 restarted E 1 4 General status show status Shows general status information including uptime who owns the FireBrick etc This is the same as the Status on the we...

Страница 131: ...using this command as you can use the web interface and tools like curl to load configtations This command is provided as a last resort for emergency use so use with care E 1 11 Show profile status s...

Страница 132: ...onse hops There are a number of controls allowing you to fine tune what is sent Obviously you should only send from a source address that will return to the FB6000 correctly You can also ask for the r...

Страница 133: ...ress even if long expired E 2 9 Unlock DHCP allocations unlock dhcp ip IP4Addr table routetable Unlocks a DHCP allocation allowing the address to be re used if the expired E 2 10 Name DHCP allocations...

Страница 134: ...in as a user set with DEBUG level access E 5 1 Panic panic string confirm string This causes the FB6000 to crash causing a panic event with a specified message You need to specify confirm yes for the...

Страница 135: ...l if you know you have left a telnet connected from somewhere else Telnet sessions usually have a timeout but this can be overridden in the configuration for each user E 5 7 Flash memory list show fla...

Страница 136: ...nd line reference 119 The logging system can log to flash for a permanent record This is done automatically for some system events and when booting You can specify the number of bytes of recent log to...

Страница 137: ...terface This can be used as a direct link from a web browser or using common tools such as curl and wget The web management interface services http define the port and allowed user list and also a tru...

Страница 138: ...te These attributes apply to both png and svg output however it is also possible to override the svg style and use a css style sheet from a URL instead In such cases none of the colour settings from t...

Страница 139: ...ndwidth and scale axis shown based on space provided left and right R Defines a number of pixels to be provided on the right of the graph Bandwidth and scale axis is shown based on space provided left...

Страница 140: ...name png as a relative link thereby ensuring all graphs appear in this directory The options list can include separators rather separators to make apparent subdirectories ext The file extension can be...

Страница 141: ...nd up to 20 characters Only letters numbers and are allowed All other characters are removed It is recommended that names complying with this are used Any graph name that you try and use that is too l...

Страница 142: ...unctions for passwords but on any successful login may change the config to use the current preferred password hash function This allows FireBrick to move to more secure password hash functions in fut...

Страница 143: ...ion if needed without ever having to know the seed or password itself Caution This means that if someone knows or finds out the password and has access to the configuration file then they could extrac...

Страница 144: ...seed XOR with the hash made from the password with salt appended If seed is longer than hash then only initial hash length bytes are XOR d S bytes Seed bytes should be random 1 byte 2 s complement ch...

Страница 145: ...p relay dhcp relay Optional unlimited DHCP server settings for remote relayed requests eap eap Optional unlimited User access control via EAP ethernet ethernet Optional unlimited Ethernet port setting...

Страница 146: ...for idle eth rx qsize unsignedInt 2000 Size of eth driver Rx queue eth tx qsize unsignedInt 2000 Size of eth driver Tx queue intro string Home page text location string Location description log NMTOK...

Страница 147: ...Comment name string Link name profile NMTOKEN Profile name source string Source of data used in automated config management text string Link text url string Link address H 2 3 user Admin users User n...

Страница 148: ...n automated config management subsystem eap subsystem Not optional Access controlled subsystem H 2 5 log Log target controls Named logging target Table H 8 log Attributes Attribute Type Default Descri...

Страница 149: ...11 log email Attributes Attribute Type Default Description comment string Comment delay duration 1 00 Delay before sending since first event to send from string One made up using serial number Source...

Страница 150: ...13 snmp service Attributes Attribute Type Default Description allow List of IPNameRange Allow from anywhere List of IP ranges from which service can be accessed comment string Comment community string...

Страница 151: ...date in month tz12 day day Sun Timezone 1 to 2 day of week of change tz12 month month Mar Timezone 1 to 2 month tz12 time time 01 00 00 Timezone 1 to 2 local time of change tz2 name string BST Timezon...

Страница 152: ...connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 80 Service port profile NMTOKEN...

Страница 153: ...Instances Description block dns block Optional unlimited Fixed local DNS host blocks host dns host Optional unlimited Fixed local DNS host entries H 2 14 dns host Fixed local DNS host settings DNS for...

Страница 154: ...neg boolean auto negotiate unless manual 10 100 speed and duplex are set Perform link auto negotiation clocking LinkClock prefer slave Gigabit clock setting crossover Crossover auto Port crossover con...

Страница 155: ...p IPAddr Source IP address to use source port unsignedShort Use collector port UDP source port stats interval duration 60 Stats export interval table unsignedByte 0 99 routetable 0 Routing table numbe...

Страница 156: ...group name profile NMTOKEN Profile name ra client boolean true Accept IPv6 RA and create auto config subnets and routes restrict mac boolean Use only one MAC on this interface sampling sampling mode...

Страница 157: ...experimental profile NMTOKEN Profile name proxy arp boolean false Answer ARP ND by proxy if we have routing ra ramode false If to announce IPv6 RA for this subnet ra dns List of IP6Addr List of recurs...

Страница 158: ...ig management test List of IPAddr List of IPs to which routing must exist else low priority deprecated use vmac boolean true Whether to use the special VMAC or use normal MAC version3 boolean v2 for I...

Страница 159: ...Optional unlimited Additional attributes to send numeric send string dhcp attr string Optional unlimited Additional attributes to send string H 2 23 dhcp attr hex DHCP server attributes hex Additiona...

Страница 160: ...hcp attr ip DHCP server attributes IP Additional DHCP server attributes IP Table H 33 dhcp attr ip Attributes Attribute Type Default Description comment string Comment force boolean Send even if not r...

Страница 161: ...up to 10 unsignedInt Custom AS path as if network received bgp bgpmode true BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes localpref...

Страница 162: ...PAddr Not optional One or more local network addresses localpref unsignedInt 4294967295 Localpref of network highest wins name string Name profile NMTOKEN Profile name source string Source of data use...

Страница 163: ...f IPFilter Prefixes that this rule applies to source string Source of data used in automated config management tag List of Community List of community tags to add H 2 33 bgp Overall BGP settings The B...

Страница 164: ...ean true If supporting Graceful Restart capability mpe ipv4 boolean true If supporting MPE for IPv4 capability mpe ipv6 boolean true If supporting MPE for IPv6 capability route refresh boolean true If...

Страница 165: ...used in automated config management timer idle unsignedInt 60 Idle time after error timer openwait unsignedInt 10 Time to wait for OPEN on connection timer retry unsignedInt 10 Time to retry the neig...

Страница 166: ...Default Description ave Colour 08f Colour for average latency axis Colour black Axis colour background Colour white Background colour bottom unsignedByte 11 Pixels space at bottom of graph dateformat...

Страница 167: ...200 Score for high latency and low usage latency score1 unsignedByte 10 Score for on above level 1 latency score2 unsignedByte 20 Score for on above level 2 latency usage unsignedInt 128000 Usage bel...

Страница 168: ...nstantly send keep alive packets local id unsignedByte Not optional Unique local end tunnel ID local ip IP4Addr Force specific local end IP localpref unsignedInt 4294967295 Localpref for route highest...

Страница 169: ...d Routes to apply to tunnel when up H 2 38 fb105 route FB105 routes Routes for prefixes that are sent to the FB105 tunnel when up Table H 50 fb105 route Attributes Attribute Type Default Description b...

Страница 170: ...g ike roaming Optional unlimited IKE roaming IP pools H 2 40 ike connection connection configuration IPsec IKE connection settings Table H 53 ike connection Attributes Attribute Type Default Descripti...

Страница 171: ...l list lifetime duration 1 00 00 max lifetime before renegotiation local ID string Local IKE ID local ts List of IPRange Allow any Valid outgoing source incoming destination IPs for tunnelled traffic...

Страница 172: ...vers available to clients comment string Comment ip List of IPRange Not optional List of IP ranges for allocation to road warrior clients name NMTOKEN Not optional Name nat boolean false NAT incoming...

Страница 173: ...utes Attribute Type Default Description bgp bgpmode Not announced BGP announce mode for routes comment string Comment graph token graphname Graph name internal ipv4 IP4Addr local ip Internal IPv4 for...

Страница 174: ...Security Parameters Index Table H 60 ipsec manual Elements Element Type Instances Description route ipsec route Optional unlimited Routes to apply to tunnel when up H 2 46 profile Control profile Gen...

Страница 175: ...able for ping route timeout duration 10 Time before timeout i e how long test has been failing vrrp List of NMTOKEN VRRP state any of these is master Table H 62 profile Elements Element Type Instances...

Страница 176: ...racking if set ip IPAddr Not optional Target IP source string Source of data used in automated config management source ip IPAddr Source IP ttl unsignedByte Time to live Hop limit H 2 50 shaper Traffi...

Страница 177: ...ofile name rx unsignedInt Rx rate limit target b s rx max unsignedInt Rx rate limit max rx min unsignedInt Rx rate limit min rx min burst duration Rx minimum allowed burst time rx step unsignedInt Rx...

Страница 178: ...le Routing override rule Routing override rule Table H 72 session route rule Attributes Attribute Type Default Description comment string Comment cug List of PortRange Closed user group ID s hash bool...

Страница 179: ...source IP and port to local for NAT weight positiveInteger 1 Weighting of load share H 2 56 rule set Firewall mapping rule set Firewalling rule set with entry criteria and default actions Table H 75...

Страница 180: ...individual firewall rules are checked in order within the rule set and the first match applied The default action for a rule is continue so once matched the next rule set is considered Table H 77 ses...

Страница 181: ...ource mac List up to 12 hexBinary macprefix Source MAC check if from Ethernet source port List of PortRange Source port s target interface List of NMTOKEN Target interface s target ip List of IPNameRa...

Страница 182: ...profile NMTOKEN Profile name source ip IPAddr Our IP address table unsignedByte 0 99 routetable 0 Routing table number H 2 60 dhcp relay DHCP server settings for remote relayed requests Settings for D...

Страница 183: ...access unless explicitly listed view View only access no passwords read Read only access with passwords full Full view and edit access H 3 3 user level User login level User login level commands avail...

Страница 184: ...Critical conditions ERR Error conditions WARNING Warning conditions NOTICE Normal but significant events INFO Informational DEBUG Debug level messages NO LOGGING No logging H 3 7 syslog facility Syslo...

Страница 185: ...8 month Month name 3 letter Table H 90 month Month name 3 letter Value Description Jan January Feb February Mar March Apr April May May Jun June Jul July Aug August Sep September Oct October Nov Novem...

Страница 186: ...speed Value Description 10M 10Mbit sec 100M 100Mbit sec 1G 1Gbit sec auto Speed determined by autonegotiation H 3 13 LinkDuplex Physical port duplex setting Table H 95 LinkDuplex Physical port duplex...

Страница 187: ...Collision On when full duplex blink when half duplex and collisions detected Activity Blink when Tx or Rx activity Fault On when autonegotiation mismatch Tx Blink when Tx activity Off Permanently off...

Страница 188: ...P protocol ipfix legacy Use legacy Cisco style IPFIX H 3 21 trunk mode Trunk port more Table H 103 trunk mode Trunk port more Value Description false Not trunking random Random trunking l2 hash L2 has...

Страница 189: ...orted from local AS confederation local as Not exported from local AS no peer Exported with no peer community tag true Exported as normal with no special tags added H 3 25 sampling mode Sampling mode...

Страница 190: ...pe IPsec encapsulation type Value Description AH Authentication Header ESP Encapsulating Security Payload H 3 29 ike authmethod authentication method Table H 111 ike authmethod authentication method V...

Страница 191: ...602 with 24 byte key AES 256 CBC AES CBC Rijndael RFC 3602 with 32 byte key H 3 33 ike PRF IKE Pseudo Random Function Table H 115 ike PRF IKE Pseudo Random Function Value Description HMAC MD5 HMAC MD5...

Страница 192: ...dynamic graph Type of dynamic graph Table H 120 dynamic graph Type of dynamic graph Value Description false No dynamic graph ip Use source IP address mac Use source MAC address H 3 39 firewall action...

Страница 193: ...Range IPv4 address bitlen or range IP4Prefix IPv4 address bitlen IP6Prefix IPv6 address bitlen IPSubnet IP address bitlen IP4Subnet IPv4 address bitlen IPFilter Route filter Password Password OTP OTP...

Страница 194: ...ity filterlist List of IP Prefix filters IPFilter bgp prefix limit Maximum prefixes accepted on BGP session 1 10000 unsignedInt fb105 reorder timeout Maximum time to queue out of order packet ms 10 50...

Страница 195: ...relationship with interfaces 34 sequenced flashing of LEDs 28 Event logging external logging 30 overview 29 viewing logs 32 F Firewall definition of 41 Firewalling recommended method 47 G Graphs 62 H...

Страница 196: ...5 System name see Hostname System services checking access to 90 configuring 85 definition of 85 list of 85 T Telnet service configuration 86 Time out login sessions 22 Traffic shaping overview 62 Tun...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды