Nortel 5100 Series Release 2.3.3 Скачать руководство пользователя страница 120 | Manualshive

Страница: 120 / 430

Nortel 5100 Series Release 2.3.3 Скачать руководство пользователя страница 120

Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference

120

Redundant Firewalls

213455-L, October 2005

Active link is down.

Port is down.

High traffic spreads advertisement packets beyond the specified

adint

interval.

A device on the virtual router LAN blocks the advertisement packets or ARP traffic.

N

OTE

–

VRRP miss-handles failures due to externally blocked multicast traffic. It results in

both units assuming the active role. Note also that backups do not block traffic.

VRRP failover

VRRP failover occurs when the backup fails to receive advertisement packets at pre-set
intervals from each interface on the active master.

If VRRP multicast advertisement packets to group address 224.0.0.18 are not
received by any virtual router on the backup, all of the backup virtual routers will
send four ARP requests (one per second) to the active master virtual router IP
addresses. The intention is to give the active master ample opportunity to respond, to
ensure that it is down before going on to the next step.

If ARP replies from the active master are not received, failover occurs (the backup
virtual router assumes the role of active master).

If ARP replies from the active master are received, no failover occurs.

This phenomenon may indicate that traffic on the active master is too heavy for it to
send advertisement packets within the

adint

window. If you believe this is the case,

increase the

adint

value (see the

/cfg/net/vrrp/adint

command on

page 335

).

N

OTE

–

When a virtual router comes up from the fault state, it will ARP for an active master.

If the virtual router receives an ARP response, it will assume the role of backup. The backup
will continue sending ARP messages to the virtual router until it does not receive a response. It
will then initiate the failover process.

If the MIP ownership is assigned to the VRRP master and a failover takes place, the SSI
restarts to allow the MIP ownership to migrate to the new VRRP master. MIP ownership need
not be assigned to the VRRP master. System error messages appear at the CLI and the BBI
until MIP migration completes.

«
...
118
119
120
121
122
...
»

Содержание 5100 Series Release 2.3.3

Страница 1: ...Great America Parkway Santa Clara CA 95054 Phone 1 800 4Nortel http www nortel com Nortel Switched Firewall 5100 Series Release 2 3 3 User s Guide and Command Reference TM part number 213455 L October...

Страница 2: ...Nortel Networks Inc assumes no responsibility or liability arising from the use of products described herein except as expressly agreed to in writing by Nortel Networks Inc The use and purchase of thi...

Страница 3: ...g help over the telephone from a Nortel Solutions Center 17 Using an Express Routing Code to get help from a specialist 17 Getting help through a Nortel distributor or reseller 17 Chapter 1 Introducti...

Страница 4: ...e SmartDashboard 58 Creating a Firewall policy test rule 64 Creating and installing Firewall security rules 66 SecurID authentication 67 Topology of SecurID authentication 68 Configuring RSA authentic...

Страница 5: ...meters 101 Defining areas 102 Assigning the area index 102 Using the area ID to assign the OSPF area number 103 Attaching an area to a network 103 Interface cost 104 Electing the designated router and...

Страница 6: ...ring Check Point software for active standby 133 Configuration dump for VRRP active standby failover 139 Configuring VRRP active active failover 145 Configuration overview 145 Requirements 147 Install...

Страница 7: ...ible Power Supply 216 Configuring UPS support 216 Displaying UPS configuration 220 RADIUS authentication 221 VPN support 223 ISP redundancy 225 User Authority 226 Chapter 8 Upgrading and reinstalling...

Страница 8: ...255 Starting the SSH session 257 Using the Command Line Interface 258 Basic operation 258 The Main Menu 259 Idle time out 259 Multiple administration sessions 260 Global commands 260 Command Line his...

Страница 9: ...nu 300 CA Certificate Management Menu 301 SNMP Administration Menu 302 SNMP Users Menu 304 Trap Hosts Menu 305 SNMP System Information Menu 306 Advanced SNMP Settings Menu 307 Audit Menu 308 Radius Au...

Страница 10: ...3 Proxy Arp List Menu 354 DHCP Relay Menu 355 DHCP Relay Interface number Menu 356 DHCP Server number Menu 357 Firewall License Menu 358 Firewall Configuration Menu 359 Sync Configuration Menu 361 Por...

Страница 11: ...4 Mounting a floppy disk on the Firewall 397 Mounting a CD ROM on the Firewall 398 Mounting the USB port 399 Tuning Check Point NGX performance 400 Connection parameters 400 NAT parameters 401 Reading...

Страница 12: ...tus check reveals an interface is down 414 Actions 414 VRRP configuration tips 415 VRRP active master backup fails 416 Actions 416 VRRP both masters are active 417 Actions 417 Poor performance under h...

Страница 13: ...configuring and maintaining a network It is assumed that users of this guide are familiar with Ethernet concepts and IP addressing How this book is organized The chapters in this book are organized a...

Страница 14: ...ware describes how to upgrade or reinstall the Nortel Switched Firewall system component software Chapter 9 Basic system management describes the various tools used for managing the system and explain...

Страница 15: ...bol Meaning Example AaBbCc123 This fixed width type is used for names of commands files and directories used within the text View the readme txt file It also depicts on screen computer output and prom...

Страница 16: ...documentation product bulletins search the Technical Support web site and the Nortel Knowledge Base for answers to technical questions sign up for automatic notification of new software and documenta...

Страница 17: ...tside North America go to the following web site to obtain the telephone number for your region www nortel com callus Using an Express Routing Code to get help from a specialist You can find Express R...

Страница 18: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 18 Preface 213455 L October 2005...

Страница 19: ...functions Nortel Switched Firewall components and features The following topics are included in this section New features and basic functions Initial setup DHCP Relay and OSPF Layer 2 and Layer 3 fir...

Страница 20: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 20 Getting started 213455 L October 2005...

Страница 21: ...rity applications and networking technology It addresses the needs for security performance and ease of use The software is a combination of NSF Single System Image SSI software and the Firewall 1 NGX...

Страница 22: ...with Application Intelligence R60 and Hotfix Accumulator 14 HFA_14 software Reliability and redundancy Nortel Switched Firewall Series 5100 Release 2 3 3 provides the following reliability and redunda...

Страница 23: ...e from the CLI using the following commands info monitor curdata for current data info monitor histdata for historical data based on the time interval specified by the user Current statistics and hist...

Страница 24: ...Model Supported Ports RAM 5111 NE1 Two embedded 10 100 1000 Mbps Copper Ethernet ports One quad Copper Ethernet Four 10 100 1000 Mbps Copper Ethernet ports 512 MB 5114 NE1 Two embedded 10 100 1000 Mb...

Страница 25: ...Firewall Figure 1 Nortel Switched Firewall network elements Table 3 Nortel Switched Firewall 5100 Series Hardware Performance Model Throughput Concurrent Sessions New Connections per Second 5114 NE1...

Страница 26: ...tel Switched Firewall The Nortel Switched Firewall is placed in the path between your various trusted semi trusted and untrusted networks It examines all traffic moving between the connected networks...

Страница 27: ...management station running the SmartCenter Server see Note below Check Point SmartCenter Server management station The management station running the SmartCenter Server holds the master policy databas...

Страница 28: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 28 Introduction 213455 L October 2005...

Страница 29: ...0 hardware as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide 216382 D including mounting the components attaching network cables turning on power and connecting a co...

Страница 30: ...statically configured on the firewall for internal networks plus the IP address of the internal router that handles routes for these networks The IP address of the default gateway for data moving thro...

Страница 31: ...in the following sections Firewall management network The management network is automatically configured when you run Setting up the basic configuration on page 37 NOTE The management network port is...

Страница 32: ...n The Check Point management station IP address is 192 168 1 3 Management of non NGX modules for example NG AI NG AI R55W and Edge modules is not supported by the SmartCenter server configuration NOTE...

Страница 33: ...ser s Guide and Command Reference Initial setup 33 213455 L October 2005 The following figure illustrates the Check Point window with Smart Portal option and user authentication Figure 3 Check Point G...

Страница 34: ...L October 2005 To register the Smart Portal user name and password do the following 1 From the Manage menu select Users and Administrators as illustrated in Figure 4 Figure 4 Check Point Users and Adm...

Страница 35: ...e in the Login entry field 5 Type password in the Password field and confirm 6 Click OK 7 Apply the necessary policies to allow remote users to log in through Smart Portal 8 Open a web browser and log...

Страница 36: ...network The IP address range of the Trusted Network is 10 3 0 0 16 The trusted network connects to port 3 Interface 1 NSF 5109 port 3 Interface 1 The Interface address is 10 3 0 1 Untrusted network I...

Страница 37: ...Enter the default login name admin and the default password admin If the Nortel Switched Firewall is set to factory defaults a special Setup utility menu appears Use the clone command to restore the...

Страница 38: ...subnet In this example the network spans 192 168 1 0 24 6 Enter the VLAN tag ID information Specify a VLAN tag ID for SSI management traffic NOTE NSF 2 3 3 does not support multiple interfaces on the...

Страница 39: ...uay 2 Antigua Barbuda 19 El Salvador 36 Peru 3 Argentina 20 French Guiana 37 Puerto Rico 4 Aruba 21 Greenland 38 St Kitts Nevis 5 Bahamas 22 Grenada 39 St Lucia 6 Barbados 23 Guadeloupe 40 St Pierre M...

Страница 40: ...9 Indiana Marengo Eastern Standard Time Indiana Crawford County 10 Indiana Vevay Eastern Standard Time Indiana Switzerland Cnty 11 Indianapolis Eastern Standard Time Indiana most locations 12 Juneau A...

Страница 41: ...in a cluster with this firewall In that case you must enter 1 or 3 at the prompt and install the SmartCenter Server on the management station See Check Point documentation for more information about...

Страница 42: ...when the following message is displayed Once this Setup process is complete you will need to log in and configure Check Point licenses as shown in the following section 16 Install the firewall licens...

Страница 43: ...s a notification of how many days are left before the trial period ends If local licensing is used enter Check Point licensing information for the Firewall NOTE If central licensing is used skip this...

Страница 44: ...IP address The port that you assign to this interface may be used to attach network devices such as a management console as long as the device is in the same IP network as the firewall s host IP addre...

Страница 45: ...configuration on page 37 Interface 1 is for trusted internal network traffic and resides on port 3 Interface 2 is for untrusted external network traffic and resides on port 4 1 Optional Reset the fir...

Страница 46: ...ion changes This command applies the configuration changes on the Firewall Main cfg net port 3 Select the Port 3 Menu Port 3 name if_1 Name this port for Interface 1 Port 3 apply Apply the setting to...

Страница 47: ...rewall SMART Clients can be implemented on a separate workstation or on the same workstation as the SmartCenter Server For other commands that allow you to delete members or reorder the list see cfg f...

Страница 48: ...for creating editing updating and monitoring firewall security policies The SMART Client software can be installed on administrative workstations in your network or on the same workstation as the Sma...

Страница 49: ...ents listed below Operating System Refer to the Check Point Release Notes at http www checkpoint com Processor Intel Pentium II 300 MHz or better Disk space 40 MB Memory 256 MB Check Point Management...

Страница 50: ...may choose either Check Point Enterprise Pro or Check Point Express but be sure you match the selection you made in Step 12 on page 41 during the initial setup procedure for the firewall host For a de...

Страница 51: ...pe page 8 When prompted select SmartCenter optional and SmartConsole then click Next see Figure 11 Figure 11 Check Point three tier architecture page Check SmartCenter if you selected 1 or 3 in Step 1...

Страница 52: ...ry management workstation For these instances do not select SmartCenter 9 When prompted select Primary SmartCenter then click Next see Figure 12 Figure 12 Check Point SmartCenter type selection page N...

Страница 53: ...installs the SVN Foundation software standard SmartCenter if selected and SmartConsole components The installation status is displayed in the Installation Status box see Figure 14 Figure 14 Installat...

Страница 54: ...R60 installation page 13 When prompted specify the SmartConsole components to be installed see Figure 17 Figure 17 Check Point SmartConsole component installation page Check Point Enterprise Pro pres...

Страница 55: ...d Reference Initial setup 55 213455 L October 2005 14 When prompted click the Add button see Figure 18 Figure 18 Administrator s Permissions page 15 Enter the login information for SmartCenter adminis...

Страница 56: ...st IP address if the GUI client is on the same host as the Smart Center Server 20 Specify the DNS hostname or IP address of other management clients to interface with this management station 21 Click...

Страница 57: ...al setup 57 213455 L October 2005 When the Internal CA Status changes to Initialized click Next see Figure 21 Figure 21 Certificate Authority page 24 Record the SmartCenter Server fingerprint by click...

Страница 58: ...llation of the SmartCenter Server and SmartConsole are complete 27 Use the SmartDashboard to define a firewall object See Defining a Firewall Object in the SmartDashboard on page 58 28 Create a firewa...

Страница 59: ...Server tools during Step 14 on page 55 Also specify the IP address of the SmartCenter Server and click OK NOTE Be sure you have added this IP address in the client access list to allow SMART Client a...

Страница 60: ...the Management Server tools during Step 24 on page 57 4 Create a new Gateway object to represent the newly installed Firewall From the SmartDashboard Network Objects pane right click the Check Point...

Страница 61: ...ollowing information Name If this is a Windows machine use the name you specified in Editing the Windows hosts file on page 48 Otherwise type a name for example isd1 IP Address The address of the newl...

Страница 62: ...page 58 The Communications dialog box appears see Figure 28 Figure 28 Communications page uninitialized Enter the Activation Key the SIC password and click Initialize The SmartCenter Server will cont...

Страница 63: ...ll members topology to retrieve the interfaces you configured on the firewall and the topology information under the IP Addresses behind interfaces header NOTE The topology information is needed to in...

Страница 64: ...ou can remove this test policy and create firewall security rules that will restrict undesirable traffic From the SmartDashboard menu bar select Rules Add Rule Top see Figure 31 A new rule will be add...

Страница 65: ...OK NOTE If your system has a active standby high availability or active active configuration go to Policy Global Properties NAT Network Address Translation and deselect Automatic ARP configuration be...

Страница 66: ...ct the SmartView Tracker Active Mode Use a client station to ping the firewall If the SmartView Tracker displays an entry for the ping traffic the configuration is good NOTE The SmartView Tracker is a...

Страница 67: ...100 Release 2 3 3 Browser Based Interface User s Guide Part number 216383 D SecurID requires the following token authenticator password Token authenticators generate one time passwords that are synchr...

Страница 68: ...n a stand alone system Following are the configuration details iSD1 host IP address 10 10 1 1 interface 2 port 2 address1 172 25 3 1 for Check Point management station interface3 port3 address1 10 8 9...

Страница 69: ...ure 36 SecurID authentication on an HA system Following are the configuration details iSD1 host IP address 10 10 1 1 iSD2 host IP address 10 10 1 2 Port 1 is used for synchronization Interface 2 port...

Страница 70: ...s 10 8 90 205 Configuring RSA authentication manager Perform the following steps to configure the agent host on the ACE server 1 Go to Start 2 Select Program 3 Select RSA ACE Server 4 Select Database...

Страница 71: ...Add Agent Host window Figure 37 Add Agent Host window 9 Resolve the host name and IP address by editing the hosts file in C WINNT system32 drivers etc Following is an example of host name and IP addr...

Страница 72: ...vers dialog box is depicted in Figure 38 Figure 38 Assign Acting Servers page NOTE All names must be resolved with their IP addresses 10 From the User menu select Add User 11 In the Add User dialog bo...

Страница 73: ...etup 73 213455 L October 2005 The Add User window is depicted in Figure 39 Figure 39 Add User page 12 Click Agent Host Activations The Agent Hosts Activations window appears The Agent Hosts Activation...

Страница 74: ...re 41 Figure 41 Add Group window Type the group name Select the user name to add to the group NOTE The user group must be identical to the user group specified in Check Point 14 To activate users retu...

Страница 75: ...re 43 Figure 43 Group Activations window 18 To import a token go to the Token menu and import a token range number from the floppy disk 19 To edit a token select Edit Token from the Token menu 20 The...

Страница 76: ...ndow appears see Figure 45 Figure 45 Resynchronize Token window In the entry field type the code displayed on the token Click OK The Resynchronize Token window re appears see Figure 46 Figure 46 Resyn...

Страница 77: ...Select Token dialog box Click Select Token from List Click OK 25 To generate a configuration file perform the following steps Open the Agent Host menu Click Generate Configuration File to generate the...

Страница 78: ...agent host to generate the configuration file as depicted in Figure 49 Figure 49 Select Agent Host window 26 Start the RSA ACE server by performing the following steps Go to Start Select Programs Sel...

Страница 79: ...ated file to the var ace folder on the Firewall using the Browser Based Interface perform the following steps 1 Select Firewall 2 Select SecurID 3 Click Browse 4 Select the filed named sdconf rec 5 Cl...

Страница 80: ...the firewalls or the Check Point service TIP To stop Check Point use the command cpstop To start Check Point use the command cpstart Configuring partner RSA authentication agent The RSA SecurID authen...

Страница 81: ...eID Rule 1 challenges users from any location trying to access any service Rule 2 is not required if the Firewall is configured to allow outgoing packets as part of the Global Policy Properties Rule 3...

Страница 82: ...ck Point Firewall 1 session authentication support can be used instead of RSA SecurID However use of Firewall 1 session authentication support requires additional client software If the additional sof...

Страница 83: ...h this rule With session authentication passwords can be cached Authentication for every connection is not required when passwords are cached TIP Caching of passwords is not supported for one time pas...

Страница 84: ...IP addresses on port 2 The DMZs are connected to the Switched Firewall using a single 802 1Q VLAN Tagged Trunk The VLANs are used to isolate traffic from different security zones A Layer 2 switch is...

Страница 85: ...en TAG is always enabled However Windows PCs must be tagged if they are connected directly to the interface Or you can add a 802 1q capable Layer 2 switch between the PC and the firewall SmartDashboar...

Страница 86: ...box To create a network object for the public web server in DMZ 2 perform the following steps 1 Right click the Network Topology window The shortcut menu appears 2 Select New Network Object Workstatio...

Страница 87: ...255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena n cfg sys adm web cfg sys adm web http port 80 ena y cfg sys adm web ssl port 443 ena n tls y sslv2 y sslv3 y cfg sys adm we...

Страница 88: ...addr2 0 0 0 0 mask 255 255 255 0 vlanid 0 port 4 ena y cfg net if 1 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 2 addr1 192 168 0 1 addr2 0 0 0 0 mask 255 255 255 0 vlanid 10 port 2 ena y cfg net i...

Страница 89: ...net adv route ospf rtrid 0 0 0 0 spf 5 10 ena n cfg net adv route ospf if 1 Identical cfg ospf configurations for if 1 2 3 33 aindex 0 prio none cost none hello 10 dead 40 trans 1 retra 5 auth none md...

Страница 90: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 90 Initial setup 213455 L October 2005...

Страница 91: ...nal capability of being able to dynamically allocate reusable network addresses and configuration parameters for client operation Built on the client server model DHCP allows hosts or clients on an IP...

Страница 92: ...P IP network In the DHCP environment the Nortel Switched Firewall acts as a relay agent The DHCP relay feature cfg net dhcprl enables the firewall to forward a client request for an IP address to DHCP...

Страница 93: ...figured on the firewall The use of two servers provides failover redundancy but you can configure up to eight DHCP servers However no health checking is supported DHCP Relay functionality is assigned...

Страница 94: ...ration 5 Apply and save the changes cfg net dhcprl server 1 DHCP Server 1 addr 10 1 1 1 Set IP address of 1st DHCP server DHCP Server 1 ena Enable the DHCP server DHCP Server 1 server 2 Set IP address...

Страница 95: ...of routing devices neighbors adjacencies link state database authentication and internal versus external routing NSF 2 3 3 OSPF implementation on page 101 This section gives you information specific...

Страница 96: ...e following sections describe key OSPF concepts Types of OSPF areas An AS can be broken into logical units known as areas In any AS with multiple areas one area must be designated as area 0 known as t...

Страница 97: ...er IR a router that has all of its interfaces within the same area IRs maintain LSDBs identical to those of other routing devices within the local area Area Border Router ABR a router that has interfa...

Страница 98: ...parameters respond to each other s hello packets and become neighbors Neighbors continue to send periodic hello packets to advertise their health to neighbors In turn they listen to hello packets to...

Страница 99: ...red into the LSDB of each routing device OSPF uses flooding to distribute LSAs between routing devices When LSAs result in changes to the routing device s LSDB the routing device forwards the changes...

Страница 100: ...RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you have access to in your network Sharing of routing information between autonomous s...

Страница 101: ...4 Authentication on page 105 GRE Tunnel support on page 106 OSPF features not supported in this release on page 106 Configurable parameters In the Nortel Switched Firewall 2 3 3 OSPF parameters can be...

Страница 102: ...nterface on the Nortel Switched Firewall The full process is explained in the following sections An OSPF area is defined by assigning two pieces of information an area index and an area ID The command...

Страница 103: ...2 NOTE Although both types of area ID formats are supported be sure that the area IDs are in the same format throughout an area Attaching an area to a network Once an OSPF area has been defined it mus...

Страница 104: ...y assigning a priority value to the OSPF interfaces The commands are as follows A priority value of 255 is the highest and 1 is the lowest A priority value of 0 specifies that the interface cannot be...

Страница 105: ...ters long For interfaces the following CLI commands can be used MD5 authentication OSPF MD5 passwords use strong cryptographic to protect data and passwords To preserve security MD5 passwords should b...

Страница 106: ...to the Management IP address MIP If GRE packets are IPSec IPSec GRE OSPF encrypted packets are decrypted by Check Point software and then forwarded by GRE to the MIP In this release static GRE routes...

Страница 107: ...areas 4 Configure OSPF interface parameters IP interfaces are used for attaching networks to the various areas Example 1 configuring a simple OSPF domain In this example two OSPF areas are defined one...

Страница 108: ...Interface 1 mask 255 255 255 0 Set IP mask on backbone network Interface 1 ena Enable IP interface 1 Interface 1 if 2 Select menu for IP interface 2 Interface 2 addr1 10 10 12 1 Set IP address on tra...

Страница 109: ...unnel OSPF packets in a GRE tunnel so other routers on the internet do not need to learn about OSPF In Figure 56 the OSPF network is on the GRE interface 50 1 1 0 24 the GRE tunnel end points is on ph...

Страница 110: ...face for GRE 1 GRETunnel 1 remoteaddr 20 1 1 1 Assign GRE tunnel end point of NSF New York GRETunnel 1 ena Enable GRE 1 GRETunnel 1 host1 sip 50 1 1 1 Assign source IP address GREHost 1 dip 50 1 1 2 A...

Страница 111: ...Switched Firewall 9 Configure Check Point GUI for GRE support To support GRE on the firewall you need special configurations and rules from Check Point For more information refer to the document 5100_...

Страница 112: ...the OSPF subnet 20 0 0 0 subnet have the same destination i n gre GRE Tunnel Information Num GRETunnel Phylcl Phyrmte GRElcl GRErmte GREMask 1 tunnel_one 30 1 1 1 20 1 1 1 50 1 1 1 50 1 1 2 255 255 2...

Страница 113: ...ls NSF 1 and NSF 2 2 Log in to firewall NSF 1 as admin and type new for initializing the firewall as a new installation Sync net 10 10 1 0 NSF 1 10 10 1 1 2 3 2 3 1 Check Point Management Station Smar...

Страница 114: ...e VRRP on the client interface join Join the cluster Management network port 1 Firewall NSF 2 IP 10 10 1 2 MIP IP 10 10 1 10 Check Point Gateway Installation Type 1 Main info clu IP addr type MIP Loca...

Страница 115: ...tware to support failover on the OSPF network Main cfg net if 4 addr1 200 200 200 1 Main cfg net if 4 addr2 200 200 200 2 Main cfg net if 4 mask 255 255 255 0 Main cfg net if 4 port 4 Main cfg net if...

Страница 116: ...m the Topology page specify the cluster IPs for the interfaces External interface Name External_If IP 10 8 90 200 Internal interface Name Internal_If IP 200 200 200 4 15e Add a new rule to allow OSPF...

Страница 117: ...over type VRRP active standby also referred to as high availability VRRP active active or ClusterXL Check Point failover solution VRRP on the Switched Firewall on page 118 Configuring VRRP active stan...

Страница 118: ...ion that deviates from RFC 2338 in some details The VRRP router controlling the IP addresses associated with the virtual router is called the active master and it forwards packets intended for these I...

Страница 119: ...r is independent of the default condition For more information see Active master determination on page 119 Active master determination VRRP ensures that one virtual router or the other assumes the rol...

Страница 120: ...tunity to respond to ensure that it is down before going on to the next step If ARP replies from the active master are not received failover occurs the backup virtual router assumes the role of active...

Страница 121: ...availability and active active configurations Active Standby High Availability The active master uses its vrid to set a unique virtual router MAC address according to this formula 0x00005E0001 vrid Th...

Страница 122: ...86 VRRP router parameters VRRP router parameters are defined globally using the CLI VRRP Settings Menu on page 335 or the BBI see the Network VRRP form in the Nortel Switched Firewall 5100 Series BBI...

Страница 123: ...dress IP address mapping Then the backup delays a period of time defined by the cfg net vrrp garp GARP delay value before sending continuous GARP messages at intervals defined by the cfg net vrrp gbca...

Страница 124: ...page 330 The virtual router IP address and the sub addresses must be unique but all three IP addresses must belong to the same subnet Advanced failover check If Advanced Failover Check AFC cfg net vr...

Страница 125: ...an effective high availability network that reduces the chance that a single point of failure can bring down the system The following topics are addressed in this section Configuration overview on pa...

Страница 126: ...to the firewalls hubs may also be used for the same purpose The default data path is through link3 and link4 since the VRRP Election process see page 119 default designates the firewall with the highe...

Страница 127: ...add the second firewall NOTE If access lists are configured on the firewall 1 make sure that an access list entry for firewall 2 is added on firewall 1 or add an access list entry for the SSI network...

Страница 128: ...redundant network feeds to the Switched Firewalls NOTE Be sure to connect each network to the same port interface on both Switched Firewalls Configuration check list 1 Check Point sync network should...

Страница 129: ...a unique IP address but enter the same MIP you used for firewall 1 3 Reboot and log back into NSF 1 to complete the VRRP configuration on both Switched Firewalls NOTE The Nortel Single System Image S...

Страница 130: ...ses 6 Enter the virtual router ID vrid Each virtual router interface gets a unique vrid which is used to generate the virtual router MAC address see MAC address mapping on page 121 NOTE Vrids must be...

Страница 131: ...p ip2 are both set to 0 0 0 0 For additional information about the Sync interface see Synchronizing Nortel Switched Firewalls on page 186 Configure the real addresses for the router interface and enab...

Страница 132: ...ive failover Refer to Configuration dump for Check Point ClusterXL failover on page 179 13 Launch the Check Point SmartDashboard tool to manage both firewalls as a cluster Active Standby failover Refe...

Страница 133: ...ve standby Use the following procedure to configure Check Point software for active standby mode 1 Enter the IP address of the external interface as shown in Figure 59 Check Point Gateway Cluster IP a...

Страница 134: ...uide and Command Reference 134 Redundant Firewalls 213455 L October 2005 2 Perform the following steps to select Cluster Members and to verify the firewalls in the cluster see Figure 60 Figure 60 Gate...

Страница 135: ...135 213455 L October 2005 2a Check for third party configuration see Figure 61 Figure 61 Gateway Cluster Properties Third party configuration NOTE For more information about third party configuration...

Страница 136: ...mand Reference 136 Redundant Firewalls 213455 L October 2005 2b To enable synchronization select 1st Synch from the Network Objective list on the Edit Topology page see Figure 62 Figure 62 Edit Topolo...

Страница 137: ...137 213455 L October 2005 3 Ensure that the Automatic ARP configuration check box on the NAT page is not checked Do not let Check Point handle ARP in Active Standby mode see Figure 63 Figure 63 Globa...

Страница 138: ...ls 213455 L October 2005 5 If you are using Check Point SmartDefence TTL fingerprint scrambling set TTL to 255 as shown in Figure 64 Figure 64 Check Point SmartDashboard SmartDefense TTL page The rema...

Страница 139: ...g sys dns cfg sys cluster cfg sys cluster host 1 cfg sys cluster host 2 cfg sys accesslist add 172 25 3 0 255 255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena n cfg sys adm...

Страница 140: ...rtype 2 ena false cfg sys adm audit servers cfg sys adm auth timeout 10s fallback on ena false cfg sys adm auth servers cfg sys log debug n srcip auto cfg sys log syslog cfg sys log ela ena n addr 0 0...

Страница 141: ...0 mode full cfg net port 4 name none autoneg on speed 0 mode full cfg net port 5 name none autoneg on speed 0 mode full cfg net port 6 name none autoneg on speed 0 mode full cfg net if 1 addr1 10 10 1...

Страница 142: ...200 1 1 1 addr2 200 1 1 2 mask 255 255 255 0 vlanid 0 port 4 mgmt n ena y cfg net if 3 vrrp vrid 192 ip1 200 1 1 100 ip2 0 0 0 0 cfg net vrrp ha y aa n clusterxl n adint 3 garp 1 gbcast 2 afc y prefma...

Страница 143: ...ad 40 trans 1 retra 5 auth none ena n cfg net ospf if 4 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 5 aindex 0 prio none cost1 none cost2 2...

Страница 144: ...ultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena n cfg net dhcprl if 4 ena n cfg net dhcprl if 5 ena n cfg fw ena...

Страница 145: ...active active failover on page 154 Configuration overview An active active configuration is similar to a active standby configuration see Configuring VRRP active standby failover on page 125 with the...

Страница 146: ...te layer 7 switches to supply separate data feeds for the firewall hosts The synchronization connection on port 2 supports stateful failover see Synchronizing Nortel Switched Firewalls on page 186 for...

Страница 147: ...terface then make sure cfg net if vrrp ip1 and cfg net if vrrp ip2 settings for the sync interface is 0 0 0 0 3 VLAN is not supported on the sync interface 4 Make sure the routers are pointing to the...

Страница 148: ...figuring Check Point software Use the following procedure to configure Check Point software 1 On the Gateway Cluster Properties General Properties page type the IP address for the external interface s...

Страница 149: ...Guide and Command Reference Redundant Firewalls 149 213455 L October 2005 1a To view the members of the gateway cluster select Cluster Members from the Gateway Cluster Properties list Figure 67 Cluste...

Страница 150: ...arty Configuration from the Gateway Cluster Properties list and check for proper third party configuration see Figure 68 Figure 68 Gateway Cluster Properties 3rd Party Configuration NOTE For more info...

Страница 151: ...2 3 3 User s Guide and Command Reference Redundant Firewalls 151 213455 L October 2005 3 From the Gateway Cluster Properties list select the Edit Topology page and enable Synchronization see Figure 69...

Страница 152: ...alls 213455 L October 2005 4 Select Global Properties FireWall NAT and ensure that the Automatic ARP configuration check box is not checked see Figure 70 Do not let Check Point handle ARP in Active Ac...

Страница 153: ...3455 L October 2005 6 If you are using Check Point SmartDefence TTL fingerprint scrambling then set TTL to 255 as shown in Figure 71 Figure 71 Check Point SmartDashboard SmartDefense TTL The remaining...

Страница 154: ...ys time ntp cfg sys dns cfg sys cluster cfg sys cluster host 1 cfg sys cluster host 2 cfg sys accesslist add 172 25 3 0 255 255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena...

Страница 155: ...cfg sys adm audit vendorid 1872 alteon vendortype 2 ena false cfg sys adm audit servers cfg sys adm auth timeout 10s fallback on ena false cfg sys adm auth servers cfg sys log debug n srcip auto cfg s...

Страница 156: ...none autoneg on speed 0 mode full cfg net port 3 name none autoneg on speed 0 mode full cfg net port 4 name none autoneg on speed 0 mode full cfg net port 5 name none autoneg on speed 0 mode full cfg...

Страница 157: ...0 port 3 mgmt y ena y cfg net if 2 vrrp vrid 11 ip1 100 1 1 100 ip2 100 1 1 200 cfg net if 3 addr1 200 1 1 1 addr2 200 1 1 2 mask 255 255 255 0 vlanid 0 port 4 mgmt n ena y cfg net if 3 vrrp vrid 192...

Страница 158: ...hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 3 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 4 aindex 0 prio none cost1 n...

Страница 159: ...redist static metric 10 t1 rmap 0 ena n cfg net ospf redist defaultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena...

Страница 160: ...terXL is Check Point implementation of failover For more information about ClusterXL refer to the Check Point documentation Figure 72 illustrates the topology for configuring Check Point ClusterXL fai...

Страница 161: ...XL Server 100 1 1 150 gw 200 1 1 100 Client 100 1 1 150 gw 100 1 1 100 Eth0 172 25 3 1 24 Management Eth1 10 10 1 1 24 Sync Eth3 200 1 1 1 24 Eth2 100 1 1 1 24 Clean Eth0 172 25 3 2 24 Management Eth1...

Страница 162: ...in unicast mode as some routers may not support Multicast mac address 2 Select the multicast mode of ClusterXL if your router supports Multicast Mac address see page 176 3 Select IPs in the Advanced L...

Страница 163: ...213455 L October 2005 Step by step configuration procedure Use the following procedure to configure the management station 1 Select the Host Node General Properties page and perform the following ste...

Страница 164: ...ewall 2 3 3 User s Guide and Command Reference 164 Redundant Firewalls 213455 L October 2005 1b Establish the security policy on the Check Point SmartDashboard see Figure 74 Figure 74 Check Point Smar...

Страница 165: ...Guide and Command Reference Redundant Firewalls 165 213455 L October 2005 1c Specify the Cluster IP address of the external interface and select the ClusterXL check box see Figure 75 Figure 75 Gateway...

Страница 166: ...Reference 166 Redundant Firewalls 213455 L October 2005 2 Click Communication see Figure 76 Figure 76 Cluster Member Properties General key 1 3 Provide the activation key see Figure 77 4 Click Initial...

Страница 167: ...ndow appears showing the Trust state Figure 78 Figure 78 Communication In Figure 78 the Trust state shows Trust established TIP If trust is not established there is no communication between the manage...

Страница 168: ...ser s Guide and Command Reference 168 Redundant Firewalls 213455 L October 2005 6 From the Gateway Cluster Properties menu select Topology The Edit Topology page appears see Figure 79 Figure 79 Edit T...

Страница 169: ...Reference Redundant Firewalls 169 213455 L October 2005 The Interface Properties window appears see Figure 80 See Figure 81 Figure 82 and Figure 83 for examples of the Interface Properties for eth1 et...

Страница 170: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 170 Redundant Firewalls 213455 L October 2005 Figure 81 Interface Properties General eth1 Figure 82 Interface Properties General eth2...

Страница 171: ...rewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 171 213455 L October 2005 Figure 83 Interface Properties General eth3 9 Click Communication see Figure 84 Figure 84 Cluster Member P...

Страница 172: ...tialize see Figure 85 Figure 85 Communication Activation Key The Communication window indicating the Trust state appears see Figure 86 Figure 86 Communication window Trust state In Figure 86 the Trust...

Страница 173: ...ewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 173 213455 L October 2005 The DN details appear in the Cluster Members property window 13 Select the Topology tab see Figure 87 Figur...

Страница 174: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 174 Redundant Firewalls 213455 L October 2005 Figure 88 Interface Properties General eth0 Figure 89 Interface Properties General eth1...

Страница 175: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 175 213455 L October 2005 Figure 90 Interface Properties General eth2 Figure 91 Interface Properties General eth3...

Страница 176: ...s Guide and Command Reference 176 Redundant Firewalls 213455 L October 2005 14 On the Gateway Cluster Properties ClusterXL page select Load Sharing for ClusterXL properties see Figure 91 Figure 92 Ga...

Страница 177: ...2 3 3 User s Guide and Command Reference Redundant Firewalls 177 213455 L October 2005 The Advanced Load Sharing Configuration window appears see Figure 93 Figure 93 Advanced Load Sharing Configuratio...

Страница 178: ...nce 178 Redundant Firewalls 213455 L October 2005 15 Enable proxy ARP Figure 95 Figure 95 Global Properties NAT Complete the remaining configuration to add the necessary rules and push the policy to t...

Страница 179: ...p clusterxl 4 The IP address for individual member interfaces are configured using cfg net if addr1 and cfg net if addr2 5 Set cfg net if vrrp ip1 and cfg net if vrrp ip2 to 0 0 0 0 6 Port1 is used fo...

Страница 180: ...y cfg sys adm web ssl certs cfg sys adm web ssl certs serv cfg sys adm web ssl certs ca cfg sys adm snmp ena y model v2c level auth access d events y alarms y rcomm public cfg sys adm snmp users cfg s...

Страница 181: ...tp 0 0 0 0 int 1 0 size 0 cfg sys user expire 0 cfg sys user adv cfg sys ups type usb snmphost 0 0 0 0 snmpport 161 snmpcomm none level 5 master 0 0 0 0 ena n cfg net gateway 0 0 0 0 cfg net port 1 na...

Страница 182: ...net if 2 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 3 addr1 100 1 1 1 addr2 100 1 1 2 mask 255 255 255 0 vlanid 0 port 3 mgmt n ena y cfg net if 3 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 4...

Страница 183: ...ospf if 2 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 3 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none...

Страница 184: ...1 rmap 0 ena n cfg net ospf redist defaultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena n cfg net dhcprl if 4 ena...

Страница 185: ...behind the Firewall perform the following steps 1 Open a DOS window on the management station and enter a static route between addr1 and the host 1 IP address For this example the management station...

Страница 186: ...5 Push the policy 6 Use the following CLI command to turn on HA cfg net vrrp ha y apply Synchronizing Nortel Switched Firewalls Two Switched Firewalls can be synchronized to provide stateful failover...

Страница 187: ...ple Host 2 3 From the Check Point SmartDashboard update the firewall interface information See page 136 4 From the Check Point SmartDashboard re install the security policies on both Nortel Switched F...

Страница 188: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 188 Redundant Firewalls 213455 L October 2005...

Страница 189: ...an configure your firewall in bridge mode This chapter describes how to configure the Nortel Switched Firewall for Layer 2 and Layer 3 firewalls Overview on page 190 Configuring Layer 2 bridge mode Fi...

Страница 190: ...ransparently through a bridge because forwarding is done at Layer 2 Packets are forwarded based on the Ethernet address rather than the IP address An Ethernet bridge distributes Ethernet frames from o...

Страница 191: ...e up to 25 bridges and add any physical port other than SSI management port to these bridges If you define bridges for specific VLANs then the ports attached to the bridge listen to those VLANs only I...

Страница 192: ...e mode firewall The Layer 2 bridge is configured on interfaces eth2 and eth3 on ports 3 and 4 The sync and management 172 16 2 144 145 networks are configured on the port 1 Figure 96 Configuring Layer...

Страница 193: ...ort To support failover on Layer 2 firewalls you must configure VRRP in one of the following two ways Pure Layer 2 mode Configure at least one non bridge interface with VRRP and a bridge interface wit...

Страница 194: ...aces configured on the firewall The management network and sync configuration is connected through Interface 1 Proceed to the next section to configure Check Point software to support Layer 2 bridge m...

Страница 195: ...itched Firewall NSF 2 perform the following steps 1a Select General Properties from the Gateway Cluster Properties menu The Gateway Cluster Properties General Properties page appears see Figure 97 Fig...

Страница 196: ...oducts area select the following Firewall SmartView Monitor 1h Click OK 2 From the Gateway Cluster Properties menu select Cluster Members The Gateway Cluster Properties Cluster Members page appears se...

Страница 197: ...s Guide and Command Reference Layer 2 and Layer 3 Firewalls 197 213455 L October 2005 The Cluster Member Properties page appears see Figure 99 Figure 99 Cluster Member Properties 3 Repeat steps 2 thr...

Страница 198: ...select Topology The Edit Topology page appears see Figure 100 TIP Check Point cannot identify a pure Layer 2 bridge device because the bridge interface does not hold a valid IP address Figure 100 Edi...

Страница 199: ...n the Specify Cluster operating mode area select High Availability 6c From the 3rd Party Solution list select Other OPSEC 6d Select Use State Synchronization 6e Consult the OPSEC documentation to dete...

Страница 200: ...ewalls 213455 L October 2005 Check Point disables address spoofing on bridge ports unless they are manually added to the configuration eth2 and eth3 are bridge ports Figure 102 Gateway Cluster Propert...

Страница 201: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference Layer 2 and Layer 3 Firewalls 201 213455 L October 2005 8a Edit the topology for the cluster Figure 103 Edit Topology 8b Click OK...

Страница 202: ...se the following procedures 1 Configuring the Firewall software 2 Configuring the Check Point software to support a Layer 3 Firewall Configuring the Firewall software Figure 104 shows the network topo...

Страница 203: ...rewall Figure 104 Configuring Layer 3 Firewall Host 1 Host 2 Host 3 Host 4 172 16 5 11 172 16 5 12 172 16 5 13 172 16 5 14 eth3 eth2 eth3 eth2 Internal eth1 Host 5 Host 6 192 168 1 5 172 16 2 147 2 1...

Страница 204: ...firewall see Setting up the basic configuration on page 37 specify port 1 for the management network and the firewall IP address 172 16 2 144 Specify VLAN tag ID 0 for the management traffic Configur...

Страница 205: ...nfigured on the firewall The management network and sync configuration is connected through Interface 1 and the external network is connected through interface 2 Proceed to the next section to configu...

Страница 206: ...irewall NSF 2 perform the following steps 1a Select General Properties from the Gateway Cluster Properties menu The Gateway Cluster Properties General page appears see Figure 105 Figure 105 Gateway Cl...

Страница 207: ...ducts area select the following Firewall SmartView Monitor 1h Click OK 2 From the Gateway Cluster Properties menu select Cluster Members The Gateway Cluster Properties Cluster Members page appears see...

Страница 208: ...appears see Figure 107 Figure 107 Cluster Member Properties 3 Type the IP Address for NSF 1 in the IP Address field TIP Select Get Address to browse for and select the IP Address 3a Click OK 4 Repeat...

Страница 209: ...3 device because the bridge interface holds a valid IP address Figure 108 Edit Topology 6 Manually add the cluster IP address for the bridge interface with VRRP IP addresses 172 16 5 1 255 255 255 0...

Страница 210: ...ty 7c Select Other OPSEC from the 3rd Party Solution list 7d Select Use State Synchronization 7e Consult the OPSEC documentation to determine the settings for the OPSEC check boxes 7f Click OK NOTE Th...

Страница 211: ...er Properties menu select Topology The Gateway Cluster Properties Topology page appears see Figure 110 8b Select Enable Extended Cluster Anti Spoofing The Check Point software disables Address Spoofin...

Страница 212: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 212 Layer 2 and Layer 3 Firewalls 213455 L October 2005 9a Edit the topology for the cluster Figure 111 Edit Topology 9b Click OK...

Страница 213: ...ot have different VLAN tags TCP proxies NAT VPN and Syndefender are not supported on a Layer 2 firewall If VLANs are configured on the bridge then TAG is always enabled for that interface If you confi...

Страница 214: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 214 Layer 2 and Layer 3 Firewalls 213455 L October 2005...

Страница 215: ...escribes several applications including Check Point applications that Nortel Switched Firewall 2 3 3 supports Uninterruptible Power Supply on page 216 RADIUS authentication on page 221 VPN support on...

Страница 216: ...system shutdown follows when one of the following occurs the battery is exhausted a timeout in seconds expires a runtime expires based on internal APC calculations Sometimes power returns during the...

Страница 217: ...ure 112 Configuring UPS in stand alone mode Use the following commands to configure the firewall for the configuration shown in Figure 112 1 Select UPS type 2 Specify the battery level 0 100 of the UP...

Страница 218: ...UPS type 2 Specify the Master firewall for the UPS device NOTE Master Firewall refers to the Firewall that is physically connected to the UPS USB 3 Specify the battery level 0 100 of the UPS device a...

Страница 219: ...se for SNMP based support Use the following commands to configure the firewall for the configuration shown in Figure 114 1 Select UPS type 2 Specify the Master firewall for the UPS device NOTE Master...

Страница 220: ...7 Enable UPS Monitor Displaying UPS configuration Verify UPS configuration with the following command cfg sys ups snmphost Current value 0 0 0 0 Enter IP address of the UPS Set IP address of SNMP UPS...

Страница 221: ...thentication applies to both stand alone and cluster configurations Use the following commands to configure the firewall for the RADIUS support 1 Add a user 2 Select a group Edit the user created in S...

Страница 222: ...CLI The RADIUS server can also be set up in a high availability configuration The console session in the current master takes over and login is possible through the console and the BBI If failover oc...

Страница 223: ...es running third party VPN software VPN support is entirely configured by the Check Point management tools To enable VPN support do the following 1 Open the SmartDashboard 2 Double click the firewall...

Страница 224: ...and Command Reference 224 Applications 213455 L October 2005 7 On the VPN Advanced page select the appropriate options for your system Figure 116 Figure 115 Gateway Cluster Properties General Figure...

Страница 225: ...lable modes are Load Sharing In this mode the load is distributed between the ISPs for all outgoing connections New connections are randomly assigned to a link If a link fails all new outgoing connect...

Страница 226: ...IIS servers The user authority feature is used by two kinds of users LAN users Users on the LAN use user authority to access the external resources to provide various authentication and authorization...

Страница 227: ...on the firewall module 4 Configure user authority web access FP3 installed on top of Microsoft IIS webserver 4 0 or 5 0 in Windows 2000 or Windows NT server Refer to your Check Point documentation for...

Страница 228: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 228 Applications 213455 L October 2005...

Страница 229: ...on page 231 Nortel Switched Firewall SSI upgrades on page 231 Built in Firewall software upgrades on page 231 Check Point Management Station upgrades on page 232 Upgrade and reinstall images on page...

Страница 230: ...the Firewall OS and built in Check Point firewall software The latest released version is factory installed and a copy of the software on CD ROM is included with each shipment Check Point Firewall 1 N...

Страница 231: ...e in order to initialize new features All configuration data is retained Minor Releases This type of upgrade typically corrects minor software problems on the Nortel Switched Firewall Minor upgrades m...

Страница 232: ...tion of this reinstall see Reinstalling software on page 240 The img image is installed from an ftp tftp scp sftp server using the boot user login with the ForgetMe password The img image overwrites t...

Страница 233: ...CDROM The server must allow anonymous login NOTE Make certain that your FTP TFTP SCP SFTP server is on a secure trusted network One way to ensure FTP security is to implement the server on the SmartC...

Страница 234: ...ount and check the current version of the software as shown below 2 FTP or TFTP download If you downloaded the upgrade image to the FTP TFTP SCP SFTP server do the following only anonymous ftp is supp...

Страница 235: ...rent status changes to permanent permanent means that the software is operational and will survive a reboot of the system NSF 2 3 3 does not support downgrading from 2 3 3 to previous releases You can...

Страница 236: ...e status of the software package 2 Activate the new unpacked software package 3 Wait for the firewall to reboot As a result of running the activate command the system reboots and you have to re login...

Страница 237: ...l with the in the MIP column 2 Login into one of the firewalls with the MIP using the admin account 3 Upgrade the Check Point software on the Management station fro R55 to NGX R60 4 Select the version...

Страница 238: ...using Smart Update 14 Push the Policy to both of the firewalls and make sure both firewalls are UP in the info summary menu It takes a longer time for NSF 2 3 3 version to come up because of the vari...

Страница 239: ...ic is forwarding properly by watching the Check Point logs using SmartView Tracker on the Check Point SMART Client Table 4 shows the time it takes to complete an upgrade procedure Main info net vrrp s...

Страница 240: ...can later be restored by using the gtcfg command For more information about these commands see the Configuration Menu on page 279 There are two methods of reinstalling software on the firewall Using t...

Страница 241: ...must provide access to your tftp ftp server To do this use the maint diag fw unldplcy command but exercise caution the command provides access to all Follow up with a policy push from your SmartCente...

Страница 242: ...the boot user The password is ForgetMe 3 After a successful login follow the onscreen prompts and provide the required information For example login boot Password Available network interfaces br0 00...

Страница 243: ...mation about network settings such as IP address network mask and gateway IP address After the new boot image has been installed the Firewall will reboot and you can log in again when the login prompt...

Страница 244: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 244 Upgrading and reinstalling the software 213455 L October 2005...

Страница 245: ...ss has been granted see Defining the remote access list on page 252 For additional details see The Command Line Interface on page 251 The Browser Based Interface BBI The BBI allows management through...

Страница 246: ...bility four levels of user access have been implemented on the Nortel Switched Firewall The default user names and password for each access level are listed in Table 5 User names and passwords are cas...

Страница 247: ...f this documentation CAUTION The root login on this system is only intended for debugging and emergency repair typically under the direction of support personnel All modifications to the system includ...

Страница 248: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 248 Basic system management 213455 L October 2005...

Страница 249: ...mand Line Interface CLI commands and menu items organized in the same way as the CLI The section starts with listing the global commands which can be used at any menu prompt and then explains the rema...

Страница 250: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 250 Command reference 213455 L October 2005...

Страница 251: ...ub menus Each menu displays a list of commands and or sub menus that are available along with a summary of what each command does Below each menu is a prompt where you can enter any command appropriat...

Страница 252: ...remote access list The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system There is only one remote access list which i...

Страница 253: ...he access list are permitted to access any enabled management feature You cannot enable SSH for some and Telnet for others 3 Apply the changes Using Telnet A Telnet connection allows convenient manage...

Страница 254: ...es are configured during the initial setup see Chapter 2 Initial setup on page 29 3 Enable Telnet For security purposes Telnet is initially disabled To enable Telnet sessions on the Firewall issue the...

Страница 255: ...ected to the network SSH access provides the same management options as those available through the local serial port SSH access provides the following security benefits Server host authentication Enc...

Страница 256: ...and When reconnecting to the Nortel Switched Firewall after having generated new host keys your SSH client will display a warning that the host identification or host keys has been changed 5 Use the a...

Страница 257: ...e following SSH command where the l lower case L option is followed by the user name admin oper and so on being logged in and the host IP address NOTE You cannot log in as boot or root using SSH Once...

Страница 258: ...hanges and make them take effect the administrator must use the global apply command This allows the administrator to make an entire series of changes and then put them into effect all at once The glo...

Страница 259: ...e minutes of inactivity This function is controlled by the idle time out parameter as shown in the following command where the time out period is specified in seconds as an integer from 300 604800 sec...

Страница 260: ...command Provides more information about a specific command on the current menu When used without the command parameter a summary of the glo bal commands is displayed Redisplay the current menu or up...

Страница 261: ...illiseconds between attempts The DNS parameters must be configured if specifying hostnames see DNS Servers Menu on page 285 pwd Display the command path used to reach the current menu revert Cancel al...

Страница 262: ...h the last 10 commands The recalled command can be entered as is or edited using the options below Ctrl n Also the down arrow key Recall the next command from the history list This can be used multipl...

Страница 263: ...rs that distinguish the command from the others in the same menu or sub menu For example the command shown above could also be entered as follows Tab completion By entering the first letter of a comma...

Страница 264: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 264 The Command Line Interface 213455 L October 2005...

Страница 265: ...Configuration Menu boot Boot Menu maint Maintenance menu diff Show pending config changes global command validate Validate configuration global command security Display security status global command...

Страница 266: ...rading Nortel Switched Firewall software and for reboot ing if necessary The Boot Menu is accessible using an administrator login See page 365 for menu items maint The Maintenance Menu is used for sen...

Страница 267: ...disabled for remote management fea tures such as Telnet SSH and the BBI for the cluster It also lists which users if any are still using default passwords which should be changed apply This global com...

Страница 268: ...tor copy the information and paste it to the CLI window When pasted the configuration content is batch processed by the Nortel Switched Fire wall The pasted commands are entered as pending and any in...

Страница 269: ...cs brmac Show a list of bridge mac entries sensor Show sensor information ssh Show SSH configuration web Show Web configuration log Show Log configuration ups Show UPS configuration about Show informa...

Страница 270: ...isplays the current network configuration This is the same information that is displayed using the cfg net cur command To view menu items see page 274 fw This command displays the Firewall status enab...

Страница 271: ...r to the brctl show command from the root prompt brmac This command displays the list of mac addresses learned dynamically by the bridges configured on the Switched Firewall This command is similar to...

Страница 272: ...command lists the alarms generated in the system The sensor module is responsible for generating the alarm events when the fan rpm values reaches the critical level or when the temperature reaches th...

Страница 273: ...ormation includes CPU use hard disk use and status of important applications such as Webserver Check Point Firewall SNMP and Inet Server link This command displays the status information for all netwo...

Страница 274: ...ays the current statistics for the following parameters CPU use memory use hard disk use total connections and connections per second rate and throughput histdata This command displays historical data...

Страница 275: ...n from the root prompt gw This command displays the default gateway configured in the cluster When no gateway is configured this command displays the following log message no default gateway has been...

Страница 276: ...tic and OSPF routes info net route ospf OSPF Router Information Menu info_net_route Menu static Show static routes configuration ospf OSPF Router Menu Table 14 Route Information Menu info net route Co...

Страница 277: ...tables which includes the link ID ADV router age sequence checksum and link count neigh This command displays information about the cluster s OSPF neighbors Neighbors are routing devices that maintai...

Страница 278: ...Show VRRP status cfg Show VRRP configuration Table 16 VRRP Information Menu info net vrrp Command and Usage status This command displays the status of the VRRP virtual router cfg This command display...

Страница 279: ...paste Table 17 Configuration Menu cfg Command Syntax and Usage sys The System Menu is used for configuring system wide parameters See page 281 for menu items net The Network Configuration Menu is use...

Страница 280: ...st reboot the Switched Firewall after restoring a configuration using the cfg gtcfg command misc The Miscellaneous Settings Menu is used to turn on or off configuration warning mes sages See page 364...

Страница 281: ...s dns The DNS Servers Menu lets you change Domain Name System DNS parameters See page 285 for menu items cluster This command displays the Host Information menu which allows you to configure the host...

Страница 282: ...m Logging Menu is used to configure system message logging features Mes sages can be logged to the system console terminal ELA facility and archived to a file that can be automatically e mailed See pa...

Страница 283: ...date YYYY MM DD This command sets the system date according to the specified format time HH MM SS This command sets the system time using a 24 hour clock format NOTE It is recommended that you reboot...

Страница 284: ...mmand lists all configured NTP servers by their index number and IP address del index number This command lets you remove an NTP server from the configuration by specifying the server s index number U...

Страница 285: ...r and IP address del index number This command lets you remove a DNS server by index number Use the list command to display the index numbers and IP addresses of added DNS servers add DNS server IP ad...

Страница 286: ...u The Host Information Menu allows you to configure the Firewall s host IP address Cluster Menu host Cluster Host Menu Table 22 Cluster Menu cfg sys host Command Syntax and Usage host cluster host num...

Страница 287: ...me This command allows you to give a user friendly name to each firewall When you login as admin the name of the firewall is displayed as part of the banner This allows you to easily identify the fire...

Страница 288: ...command To view the host number type and IP address for both hosts in a cluster use the cfg sys cluster cur command Once you have removed a host from the cluster using the delete command you can only...

Страница 289: ...cess list You can ping the firewall host from an IP address not listed in the access list however When a client s IP address is added to the access list that client is permitted to access all enabled...

Страница 290: ...an remain inac tive before being automatically logged out The time period is specified in seconds from 300 to 3600 The default is 600 seconds 10 minutes NOTE If you make changes to the Firewall config...

Страница 291: ...Network Management Proto col SNMP read access and to enable or disable SNMP event and alarm messages for the Nortel Switched Firewall This menu is also used for defining SNMP information permission l...

Страница 292: ...lnet on page 253 Telnet Administration Menu ena Enable Telnet dis Disable Telnet Table 26 Telnet Administration Menu cfg sys adm telnet Command Syntax and Usage ena This command enables the Telnet man...

Страница 293: ...By default SSH is disabled For more information about the SSH feature see Using Secure Shell on page 255 SSH Administration Menu ena Enable SSH dis Disable SSH sshkeys SSH host keys menu Table 27 SSH...

Страница 294: ...generate Generate new SSH host keys for the cluster show Show current SSH host keys for the cluster knownhosts SSH known host keys menu Table 28 SSH Host Keys Menu cfg sys adm ssh sshkeys Command Syn...

Страница 295: ...known SSH keys of remote hosts del Delete known SSH host key by index add Add a new SSH host key import Retrieve SSH key from remote host Table 29 SSH Known Host keys Menu cfg sys adm ssh sshkeys know...

Страница 296: ...S with Secure Socket Layer SSL or both For more information see the NSF 2 3 3 Browser Based Interface User s Guide 216383 D Web Administration Menu http HTTP Configuration Menu ssl SSL Configuration M...

Страница 297: ...rmation see the NSF 2 3 3 Browser Based Interface User s Guide 216383 D HTTP Configuration Menu port Set HTTP Port number ena Enable HTTP dis Disable HTTP Table 31 HTTP Configuration Menu cfg sys adm...

Страница 298: ...isable SSL tls Set TLS sslv2 Set SSL version 2 sslv3 Set SSL version 3 certs Certificate Management Menu Table 32 SSL Configuration Menu cfg sys adm web ssl Command Syntax and Usage port HTTPS port nu...

Страница 299: ...Authority certificates required for SSL See page 299 for menu items Certificate Management Menu serv Server Certificate Management Menu ca Certificate Authority Management Menu Table 33 Certificate M...

Страница 300: ...erate a certificate request or a self signed certificate exp This command is used for exporting certificate requests to an external Certificate Authority CA This command produces output that can be co...

Страница 301: ...a CA certificate add Add a CA certificate Table 35 CA Certificate Management Menu cfg sys adm web ssl certs ca Command Syntax and Usage list This command lists all configured CA certificates del This...

Страница 302: ...Based Interface User s Guide 216383 D SNMP Administration Menu ena Enable SNMP dis Disable SNMP model Set security model level Set usm security level access Set read access control events Set trap ev...

Страница 303: ...ages to the SNMP trap hosts When enabled messages regarding general occurrences such as detection of a new components are sent alarms y n This command is used to enable or disable sending alarm messag...

Страница 304: ...system The SNMP System Information Menu is used to configure basic identification informa tion such as support contact name system name and system location See page 306 for menu items adv The Advanced...

Страница 305: ...ord and confirmation password the user must enter for access encryption string and confirmation if the level encrypt option is used on the SNMP Administration Menu cfg sys adm snmp the encryption stri...

Страница 306: ...enter port number community string and trap user information insert index number IP address This command lets you add a new trap host IP address to the access list at the specified index position All...

Страница 307: ...Advanced Settings Menu trapsrcip Set source ip of traps Table 40 Advanced SNMP Settings Menu cfg sys adm snmp adv Command and Usage trapsrcip auto unique mip This command is used to configure which s...

Страница 308: ...6 RADIUS Accounting Audit Menu servers RADIUS Servers Menu vendorid Set vendor id for audit attribute vendortype Set vendor type for audit attribute ena Enable server dis Disable server Table 41 Audit...

Страница 309: ...ries in the RADIUS server log can be made easier by defining a suitable string in the RADIUS server dictionary for example Nortel NSF Audit Trail and mapping this string to the vendor type value Note...

Страница 310: ...ration Specify the IP address a TCP port number and the shared secret The next available index number is assigned automatically by the system For backup purposes several RADIUS audit servers can be ad...

Страница 311: ...k Use local password as fallback ena Enable RADIUS Authentication dis Disable RADIUS Authentication Table 43 Authentication Menu cfg sys adm auth Command Syntax and Usage servers This command displays...

Страница 312: ...onfiguration Specify the IP address a TCP port number and the shared secret The next available index number is assigned automatically by the system For backup purposes several RADIUS authentication se...

Страница 313: ...le 45 Platform Logging Menu cfg sys log Command Syntax and Usage syslog The System Logging Menu is used to configure syslog servers The Nortel Switched Firewall software can send log messages to speci...

Страница 314: ...of the outgoing interface is used This is the default unique The IP address of the individual Switched Firewall is used mip The IP address of the cluster MIP is used This setting is useful with applic...

Страница 315: ...uding its IP address and local facil ity number The local facility number can be used to uniquely identify syslog entries For more information see the UNIX manual page for syslog conf insert index num...

Страница 316: ...k Point SmartCenter Server to which log messages will be sent Specify the IP address in dotted decimal notation sev emerg alert crit err warning notice info debug This command is used to set the minim...

Страница 317: ...archived log Table 48 Log Archiving Menu cfg sys log arch Command Syntax and Usage email e mail address This command is used in conjunction with smtp to set the e mail address where log files will be...

Страница 318: ...ys user Command Syntax and Usage passwd admin password new admin password confirm new admin password This command lets you change the administrator password The password can contain spaces and is case...

Страница 319: ...d a user account Only the admin user can perform this action After adding a user account you must also assign the account to a group using the User Admin Menu edit edit user name This command opens th...

Страница 320: ...d Usage password admin password new user password confirm new user password This command lets you change the password for the selected user The password can contain spaces and is case sensitive There...

Страница 321: ...pubkey Set RSA DSA Public Key for User ena Enable User Account dis Disable User Account del Remove SSH User Table 51 SSH User Admin Menu cfg sys user adv user user name Command Syntax and Usage name...

Страница 322: ...e Table 52 Groups Menu cfg sys user edit groups Command Syntax and Usage list This command lists all group members by index number and name for example 1 admin 2 oper del Index number of entry to dele...

Страница 323: ...to configure the UPS support in the Cluster Select USB type when the Switched Firewall has been connected to the UPS through an USB cable Select SNMP when the UPS is communi cating with the Switched...

Страница 324: ...o communicate with the UPS system When the UPS type is selected as USB configure the master to be the firewall that is directly connected to the UPS via the USB cable If the UPS type is configured as...

Страница 325: ...ll In addition to enabling or disabling ports this menu is used to create and apply port filters and specify port link characteristics To view menu items see page 327 NOTE The 5106 and 5114 have four...

Страница 326: ...re GRE tunneling in the Nortel Switched Firewall See page 339 for menu items ospf The OSPF Menu is used to configure Open Shortest Path First OSPF routing protocol See page 340 for menu items parp The...

Страница 327: ...or 100Base TX segments For physical port specifications and LED behavior see the Nortel Switched Firewall 5100 Series Hardware Installation Guide Port 1 Menu name Set port name autoneg Set autonegotia...

Страница 328: ...an integer representing Mb second For Fast Ethernet ports speed can be set to 10 or 100 For Gigabit Ethernet ports speed is fixed at 1000 mode This command is used to set the port duplex mode to eith...

Страница 329: ...r2 interface IP address e g 192 4 17 102 This command configures the real second IP address for host 2 interface using dotted decimal notation Addr2 should not be configured unless the interface is pa...

Страница 330: ...igned to an interface To config ure a port see Port Menu cfg net port on page 327 vrrp The VRRP Menu is used for configuring an interface for high availability when redun dant firewall hosts are in a...

Страница 331: ...uter ID 1 255 This command assigns an ID for the virtual router interface The vrid on this interface must be configured the same for both the active master and the backup Separate inter faces must hav...

Страница 332: ...s on the bridge for host 1 interface using dotted decimal notation addr2 bridge interface IP address e g 192 4 17 102 This command configures the second IP address on the bridge for host 2 interface u...

Страница 333: ...e page 334 for menu items ena This command enables this bridge dis This command disables this bridge del This command removes the bridge from the firewall configuration Bridge 1 Ports Menu list List a...

Страница 334: ...ents host 1 and ip2 represents host 2 Each virtual IP addresses must be on the same network as the real router IP address The virtual router IP address cfg net bridge bridge number vrrp ip1 becomes th...

Страница 335: ...be configured the same for both the active master and the backup Separate inter faces must have unique vrids NOTE Vrids must be at least one number apart e g vrids 1 and 2 are not acceptable vrids 1...

Страница 336: ...erify static routes against ip1 and ip2 addresses adint 1 3600 This command displays the current advertisement interval in seconds and provides the option to change it A VRRP advertisement message is...

Страница 337: ...alue to determine the interval in seconds between GARP messages For example if your adint value is 10 and your gbcast value is 3 the interval between GARP messages will be 30 10 x 3 seconds The defaul...

Страница 338: ...lets you remove a route from the configuration by specifying the route index number Use the list command to display the index numbers of configured routes add destination IP address destination mask g...

Страница 339: ...mand Syntax and Usage name gre_tunnel name This command allows you to define a unique name of up to 16 characters phyif physical interface_number This command is used to define the local GRE tunnel en...

Страница 340: ...nations based on the cumulative cost required to reach the destination The routers then select the least cost path for each routing request which optimizes traffic speed and efficiency in the network...

Страница 341: ...ted for use with OSPF See page 349 for menu items rtrid1 router ID1 router IP address This command sets a static router ID 1 for this cluster The router ID is expressed in dot ted decimal IP address f...

Страница 342: ...ena Enable area dis Disable area del Remove OSPF Area Index Table 65 OSPF Area Index Menu cfg net ospf aindex Command Syntax and Usage id area ID such as 0 0 0 0 This command sets the OSPF area number...

Страница 343: ...This command deletes this area index from the configuration OSPF Interface 1 Menu aindex Set area index prio Set interface router priority cost1 Set Cost for first 5100 cost2 Set Cost for second 5100...

Страница 344: ...based on bandwidth Low cost indicates high bandwidth The default is 1 cost2 output cost 1 65535 This command sets the cost of output routes on this interface Cost is used in calculating the shortest p...

Страница 345: ...md5key option For more information see Authentication on page 100 key type 1 password This option is used with the previous OSPF auth option When the auth option is set to password the key option set...

Страница 346: ...et interface router priority cost1 Set Cost for first 5100 cost2 Set Cost for second 5100 hello Set hello interval in seconds dead Set dead interval in seconds trans Set transmit delay in seconds retr...

Страница 347: ...dead dead interval 1 65535 This command sets the router dead interval in seconds If the Firewall holding the MIP does not receive hello on the IP interface within the dead interval the Firewall holdin...

Страница 348: ...rocessing on routing devices that are not listening to OSPF packets key plain text password This option is used with the OSPF auth option When the auth option is set to pass word the key option sets t...

Страница 349: ...stribution Menu connected Connected Route Redistribution Menu static Static Route Redistribution Menu defaultgw Default Gateway Redistribution Menu Table 68 Route Redistribution Menu cfg net ospf redi...

Страница 350: ...tax and Usage metric Sets metric of advertised connected routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this route The larger the cost the less preferable the...

Страница 351: ...Usage metric Sets metric of advertised static routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this route The larger the cost the less preferable the route The d...

Страница 352: ...u cfg net ospf redist defaultgw Command Syntax and Usage metric Sets metric of advertised default gateway routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this r...

Страница 353: ...nd to ARP requests intended for devices behind the firewall including VLAN and VRRP interfaces Table 72 Proxy ARP Menu cfg net parp Proxy Arp Menu list Proxy ARP List Menu enable Set Proxy ARP enable...

Страница 354: ...you add an address to the Proxy ARP list Use dotted decimal nota tion to specify the address The maximum number of addresses is 2 048 however the recommended limit is 256 Typically the IP addresses a...

Страница 355: ...sable DHCP Relay clrlocsts Clear local DHCP Relay stats Table 74 DHCP Relay Menu cfg net dhcprl Command Syntax and Usage if value 1 255 This command is used to specify the interface to allow DHCP requ...

Страница 356: ...y requests into the network The default value for DHCP Relay Interface is disabled DHCP Relay Interface 1 Menu ena Allow DHCP Relay on Interface dis Disable DHCP Relay on Interface Table 75 DHCP Relay...

Страница 357: ...s of DHCP server This command adds a DHCP server to the system configuration The DHCP server added here will supply clients entering the network with an IP address and a default gateway When the DHCP...

Страница 358: ...ration dates of the licenses Licenses configured using the Check Point central licensing mechanism will not be listed using this command del This command is used to remove an IP address and or Check P...

Страница 359: ...ll 1 NG processing on all healthy Firewalls dis Disable the Check Point Firewall 1 NG processing on the firewall and mark the Firewall as down The Check Point SmartCenter Server cannot be used to mana...

Страница 360: ...st of SMART Clients that can access the Firewall when the SmartCenter Server is enabled on the Firewall See page 363 for menu items smart The SmartUpdate Configuration Menu is used to enable disable C...

Страница 361: ...ble Sync Table 79 Sync Configuration Menu cfg fw sync Command Syntax and Usage ena This command enables session state synchronization in a redundant configuration For synchronization to work there mus...

Страница 362: ...ps on default port number 4433 This CLI command is used to change the default port number to any user defined port number in the range 1024 to 65534 Portal Configuration Menu portno Set Smart Portal p...

Страница 363: ...cfg fw client Command Syntax and Usage list Displays the list of SMART Clients with access to the Nortel Switched Firewall manage ment server del index value Allows you to delete a specified member fr...

Страница 364: ...turn on or off configuration warning messages SmartUpdate Configuration Menu ena Enable Smart Update Mode dis Disable Smart Update Mode Table 82 SmartUpdate Configuration Menu cfg fw smart Command Syn...

Страница 365: ...ed to a particular Firewall s individually assigned IP address WARNING If you do not enter the halt command before powering off the Firewall all configurations may be lost and the Firewall will be res...

Страница 366: ...e version This command activates a downloaded and unpacked Nortel Switched Firewall software upgrade package The unpacked software package will be labeled as permanent If serious problems occur while...

Страница 367: ...7 for menu items Software Patches Menu cur Display current software patches installed install Download software patch from FTP server uninstall Remove software upgrade package Table 86 Software Patche...

Страница 368: ...iguration ospf OSPF Debug Menu cplog Check Point Logs emc EMC Server s admin password change logdetail Obtain extensive detail about the log error code dumped Table 87 Maintenance Menu maint Command S...

Страница 369: ...gs peakconnec Peak connections policy Firewall policy status Firewall status Table 88 Firewall Maintenance Menu maint fw Command Syntax and Usage sync This command tests the session state synchronizat...

Страница 370: ...cies from the Check Point SmartDashboard after you have re established trust clearlog This command clears all firewall log files peakconnec This command is used to display the Check Point connection t...

Страница 371: ...onfiguration no logs to the default file tsdump tgz The size of the file is typically small enough to fit on a floppy disk NOTE The previous contents of the file are overwritten each time you use this...

Страница 372: ...taken from a firewall can be used only to restore that same firewall or a replacement for that firewall For more information about how to back up the firewall configuration see Backing Up a Configura...

Страница 373: ...ents packets Set log OSPF packets msgs View last 100 debug messages 2003 04 18 19 20 51 OSPF LSA Refresh ospf_lsa_refresh_walker start 2003 04 18 19 20 51 OSPF LSA Refresh ospf_lsa_refresh_walker next...

Страница 374: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 374 Command reference 213455 L October 2005...

Страница 375: ...213455 L October 2005 Part 3 Appendices Appendix A Event Logging API Appendix B Backing Up and Cloning Configurations Appendix C Common tasks Appendix D Troubleshooting Appendix E Software licenses...

Страница 376: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 376 Appendices 213455 L October 2005...

Страница 377: ...formation about configuring and administering OPSEC applications in Check Point refer to your complete Check Point Firewall 1 NGX documentation ELA configuration requires steps at both the Check Point...

Страница 378: ...ver Open the Check Point SmartDashboard to create an ELA OPSEC application for the Firewall To create a new OPSEC application use the following procedure 1 From the Check Point SmartDashboard main pag...

Страница 379: ...wing fields see Figure 118 Provide an identifier in the Name field to use when pulling the certificate to the Firewall Refer to the Nortel Switched Firewall in the Host field Select User Defined from...

Страница 380: ...e the Activation Key when you pull the certificate to the Firewall Figure 119 Communication page NOTE Once SIC is initialized the trust state displays as Initialized but trust not established This is...

Страница 381: ...olicy page appears see Figure 121 Select the object Click OK Figure 120 Check Point SmartDashboard Install Figure 121 Install Policy page NOTE If the Check Point antispoofing feature is not enabled a...

Страница 382: ...tched Firewall 5100 Series Release 2 3 3 Browser Based Interface User s Guide Part number 216383 D 2 Select the Cluster ELA form and define the general settings see Figure 122 Figure 122 BBI Cluster E...

Страница 383: ...SIC area The DN is specified in the SIC area of the Check Point Gateway General Properties page Figure 123 Check Point Gateway General Properties 4 Return to the BBI Cluster ELA form and do the follo...

Страница 384: ...on ela1 Set the password to match the OPSEC application SIC password 6 Click Update Certificate NOTE In order for ELA to function a separate certificate for SIC communication must be installed on each...

Страница 385: ...ix describes how to perform cluster backup and cloning on the Nortel Switched Firewall 5100 Series for Release 2 3 3 Overview on page 386 Backing Up and Cloning on page 387 Backing Up a Configuration...

Страница 386: ...using the clone command from the root login Clone Command The backup restore procedure can be used for cloning On a fresh Firewall you can use the clone command to restore the full configuration of a...

Страница 387: ...e then reset the SIC on both NSF Firewalls and install the policies again Reboot both the NSF Firewalls and proceed with the above step 2 Enter the backup command 3 Select the backup mode and provide...

Страница 388: ...be used Check Point should not drop packets sent to the TFTP FTP server Check whether FTP and TFTP access to the TFTP FTP server is working from root login Cloning a Configuration 1 Log in as root to...

Страница 389: ...f both Firewalls are not active disable sync cfg fw sync dis apply wait two minutes and again enable sync cfg fw sync ena apply This automatically reboots both Firewalls After the system is up again c...

Страница 390: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 390 Backing Up and Cloning Configurations 213455 L October 2005...

Страница 391: ...image from CD ROM on page 392 Enabling USB support on page 393 Mounting a floppy disk on the Firewall on page 397 Mounting a CD ROM on the Firewall on page 398 Mounting the USB port on page 399 Tunin...

Страница 392: ...h will take several minutes If the Firewall doesn t reboot automatically take the software CD out and reboot the Firewall 6 Log in as admin the password is admin The installation is complete NOTE If y...

Страница 393: ...wall operation Follow the procedures given in this section and contact Nortel Technical Support if you need more information Verify USB support on the Firewall Before modifying the BIOS settings verif...

Страница 394: ...d connected to your NSF 5100 Series firewall Refer to the Nortel Switched Firewall 5100 Series Hardware Installation Guide 216382 D for more information about how to connect a monitor and keyboard to...

Страница 395: ...Utility screen is displayed in Figure 126 Figure 126 Configuration Setup Utility screen 3 Select the Devices and I O Ports option The Devices and I O Ports screen is displayed in Figure 127 Figure 12...

Страница 396: ...in Figure 128 Figure 128 Devices and I O Ports USB Setup 6 Press Esc twice Pressing the escape key twice exits both the USB Setup Menu and the Configuration Setup Utility The Exit Setup dialog box app...

Страница 397: ...following procedure can be used for mounting a floppy disk to read or write files on the Firewall 1 Insert a DOS formatted floppy into the Firewall 2 Log in as root 3 Enter the following command 4 Co...

Страница 398: ...2005 Mounting a CD ROM on the Firewall The following procedure can be used for mounting a CD ROM to read files on the Firewall 1 Insert a CD ROM into the Firewall 2 Log in as root 3 Enter the followin...

Страница 399: ...y occur on USB ports When you request for an upload or download the USB port is mounted and dismounted automatically after the file is copied However if you need to manually mount the USB ports perfor...

Страница 400: ...e following steps 1 Right click the firewall object on the Check Point SmartDashboard 2 Select Edit 3 Open the Logs and Masters Capacity Optimization tab 4 Edit the Maximum concurrent sessions see Fig...

Страница 401: ...e of the Check Point NG by entering the following commands at the firewall CLI and at the Check Point management station command line 1 Log in to the local terminal as admin to disable the firewall Al...

Страница 402: ...tion Kernel modules information NG memory information Generating public private DSA key pair The following screen captures demonstrate the generation of the DSA key pair creating an SSH account on a f...

Страница 403: ...ation has been saved in tkey Your public key has been saved in tkey pub The key fingerprint is 2d 77 72 7d 35 58 2c 4b a4 f8 56 50 73 42 92 ae test Phantom test Phantom test cat tkey pub ssh dss AAAAB...

Страница 404: ...r RSA DSA public key for user ssh dss AAAAB3NzaC1kc3MAAACBAKEdba7LVbswXDoYDmQaPifvruRFxa465FffwsGmF LQ98t PYqwJvwLgtCyQVUL9GyUvAlECvPTlBCsAATnITo0KYL03axqqRr9PmdgaxrCcAkyQlL oOHcDzuhUXB0wYXc9ymDTP 4HF...

Страница 405: ...the firewall shell using SSH For a password enter the passphrase you entered when you generated the SSH keys in Step 1 on page 402 Main cfg sys accesslist add Enter network address 33 1 1 0 Enter netm...

Страница 406: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 406 Common tasks 213455 L October 2005...

Страница 407: ...0 Cannot download policy on Firewall on page 411 Poor performance with other devices on page 412 Cannot log in to the management station from the SMART Client on page 412 Check Point sends connection...

Страница 408: ...on page 410 Actions Verify that the management station is connected to the correct port by entering the following command on the Firewall Reset the Secure Internal Communication using the one time pas...

Страница 409: ...to see if ICMP reaches the Firewall from your source IP address Managing licenses Re installing an existing license If the Firewall crashed and was re imaged before the license was deleted from the F...

Страница 410: ...ing format Use the Firewall name as entered in the hosts file page 287 Be sure to enter the information exactly as shown on your specific Check Point license 2 To verify that the local license is inst...

Страница 411: ...om Firewall console As a result anti spoofing blocks the traffic because incorrect interfaces were used Action Delete the existing policies by entering the command below and retrieve the interfaces fr...

Страница 412: ...e adjacent device Cannot log in to the management station from the SMART Client The SMART Client cannot log into the management station Actions If the SMART Client and SmartCenter Server are not in th...

Страница 413: ...Invoke the Firewall CLI command cfg fw sync ena to verify that Check Point Sync is enabled Verify the cluster configuration on the SmartCenter Server and ensure that at least one interface is defined...

Страница 414: ...es installed on the firewalls do not drop the synchronization traffic If the problem persists disable and enable synchronization using the following Firewall CLI commands cfg fw sync dis TIP Wait for...

Страница 415: ...Series Hardware Installation Guide 216382 D 3 Establish trust with both units Make sure you can ping both iSD host IP addresses from the management station if the management station and iSD host IP ad...

Страница 416: ...he SIC status between the management station and the firewall If as suspected the devices are not communicating Reset SIC at the SMART Client see Re establishing SIC on page 410 and at the CLI see cfg...

Страница 417: ...ment packets multicast packets which indicate VRRP active master activity on the interface If you don t see VRRP advertisement packets check the firewall status If the Policy is DefaultFilter or Initi...

Страница 418: ...release 2 3 1 the real physical IP addresses are configured with the addr1 and addr2 commands in the Interface menu The virtual IP addresses are configured with the ip1 and ip2 commands in the VRRP I...

Страница 419: ...213455 L October 2005 419 APPENDIX E Software licenses The Nortel Switched Firewall includes software which is covered by the following licenses...

Страница 420: ...this software without prior written permission For written permission please contact apache apache org 5 Products derived from this software may not be called Apache nor may Apache appear in their nam...

Страница 421: ...he names mod_ssl must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact rse engelschall com 5 Products derive...

Страница 422: ...ssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission For written permission please contac...

Страница 423: ...above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features o...

Страница 424: ...ny form whatsoever must retain the following acknowledgment This product includes PHP freely available from http www php net 6 The software incorporates the Zend Engine a product of Zend Technologies...

Страница 425: ...AR PURPOSE See the GNU General Public License for more details You should have received a copy of the GNU General Public License in the file COPYING along with this program if not write to Free Softwa...

Страница 426: ...ch a program whether gratis or for a fee you must give the recipients all the rights that you have You must make sure that they too receive or can get the source code And you must show them these term...

Страница 427: ...cense Exception if the Program itself is interactive but does not normally print such an announcement your work based on the Program is not required to print an announcement These requirements apply t...

Страница 428: ...ponsible for enforcing compliance by third parties to this License 7 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues c...

Страница 429: ...D OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM I...

Страница 430: ...mouse clicks or menu items whatever suits your program You should also get your employer if you work as a programmer or your school if any to sign a copyright disclaimer for the program if necessary...

Отзывы:

Нет отзывов