SafeNet HighAssurance 4000 Скачать руководство пользователя страница 29

Страница: 29 / 97

Prepare the Device for Operation

Chapter 3. Configuration

Set Layer 2 MAC Address Resolution on the Local Interface

1. At the

config-ifLocal>

prompt, enter this command:

macAddrResolutionMechanism {none | arp | {gateway <

ipAddress

>}}

For parameter descriptions, go to “macAddrResolutionMechanism” on page 77.

2. Return to configuration mode: enter the

exit

command.

Example

In this example, a local interface configuration on SG2, the HA4000 enters local

interface configuration mode, identifies the default gateway, and then exits local

interface configuration mode.

config>

interface local

config-ifLocal>

macAddrResolutionMechanism gateway 192.168.154.175

config-ifLocal>

exit

config>

Configure the PMTU

The path maximum transmission unit (PMTU) is the end-to-end MTU from target

to destination. Valid PMTU values on the HA4000 range from 128 through 12,160

bytes. The default PMTU size is 3072 bytes.
In these cases, adjust the PMTU size:

If jumbo frame processing capabilities are needed (2944-12,160 bytes),

If the local side devices has DF bit set, the PMTU size must be set to a number

smaller than the smallest MTU in the path

Older Layer 2 devices are more likely to require frames of a certain size than are

newer, Layer 3 devices. Check with your network administrator about the

configuration of the devices connected to the HA4000 on the local interface. If the

device on the WAN side of the HA4000 is dropping packets, it is an indication that

the PMTU size needs to be adjusted.

HA4000-MTU Interactions

When you set an MTU size, the HA4000 detects LAN packets that have the DF

bit set (see “Configure DF Bit Handling” on page 30) and exceed the MTU size

(minus encryption overhead).

When this condition is detected, the HA4000 drops the packet and issues an

MTU discovery packet to the source host, informing it to reduce its MTU. The

HA4000 suggests an MTU value of the actual MTU size minus the encryption

overhead.

When you specify the total MTU size, the HA4000 subtracts the IPSec header

overhead from the specified PMTU value to calculate the actual PMTU size that

it asks the device to send.

For example, if an HA4000 MTU size of 1500 is specified and the encryption

overhead is 40 bytes, the adjusted MTU, from the HA4000 gateway’s

perspective, is 1460 bytes (1500 minus 40).

Содержание HighAssurance 4000

Страница 1: ...HighAssuranceTM 4000 Gateway The Foundation of Internet Security User s Guide...

Страница 2: ...k and SafeEnterprise and HighAssurance are trademarks of SafeNet Inc All other product and company names may be the property of their respective owners SafeNet Inc 800 533 3958 Sales 800 545 6608 Cust...

Страница 3: ...Management Port 17 Log On to the CLI 17 Assign IP Addresses 18 Prepare the Device for Operation 19 Configure the Remote Interface 19 Assign the Remote Port IP Address 20 Set the Remote Port Auto Negot...

Страница 4: ...and Reference 63 CLI Overview 63 Command Hierarchy 63 Syntax Conventions 63 Examples 64 Command Usage Tips 64 User Types 65 Command Shortcuts 65 Commands 66 Appendix A MIB Support 85 Appendix B Produc...

Страница 5: ...r Between Two HA4000 Gateways 22 Figure 3 4 HA4000 Gateways Connected Back to Back Transparent 27 Figure 3 5 ARP Used to Resolve Layer 2 MAC Addresses 28 Figure 3 6 Packets Forwarded to a Gateway 28 F...

Страница 6: ...Table 5 1 HA4000 Troubleshooting 52 Table 5 2 CLI IPSec Diagnostic Commands 56 Table 5 3 AES Messages 56 Table 5 4 HA4000 Security Association Fields 58 Table 5 5 SPD Selectors 59 Table 6 1 CLI Comma...

Страница 7: ...the HA4000 can be seamlessly deployed into Gigabit Ethernet environments including IP site to site VPNs and storage over IP networks Its high speed Triple DES 3DES IPSec processing capabilities elimi...

Страница 8: ...1 8 Gbps 3DES encryption and decryption z Comprehensive security standards support z Key management Internet Key Exchange IKE RFC 2409 NIST FIPS PUB 186 Manual keys Diffie Hellman key exchange groups...

Страница 9: ...Unit is powered off On Unit is powered on Remote Yellow link status Off Loss of signal on the remote interface On Normal operation Remote Green traffic status Off No traffic is passing over the remote...

Страница 10: ...he communication endpoints and the secure tunnel endpoints A communication endpoint is the entity that is being protected by the HA4000 This can be a host a server or a subnet The secure tunnel endpoi...

Страница 11: ...Overview 11 z HMAC SHA1 06 authentication z Manual keys or IKE key management Caution MD5 is not a FIPS approved authentication algorithm Therefore using MD5 authentication in a security policy remove...

Страница 12: ...o multimode Gigabit Ethernet Interface transceivers and two 3 meter multimode fiber cables GBIC SM Kit Contains two single mode Gigabit Ethernet Interface transceivers and two 3 meter single mode fibe...

Страница 13: ...vercurrent protection and supply wiring Consult the voltage and amperage ratings on the UL label affixed to the unit s rear panel when addressing this concern z Grounding Maintain reliable grounding o...

Страница 14: ...eway s local port and then connect it to the local device such as a server or switch Warning Warning Warning Warning When the dust covers are removed and no cable is connected radiation can be emitted...

Страница 15: ...Installation 15 Notes z If you experience a problem during system initialization go to Chapter 5 Troubleshooting z Until you configure your security policies the HA4000 gateway s default mode of opera...

Страница 16: ...he settings If the HA4000 device is rebooted or the power is recycled unsaved configurations are lost z To save the running configuration enter this command copy system running nvram config z Some com...

Страница 17: ...t be configured to connect the device to the SMC Log On to the CLI The HA4000 gateway s CLI is accessible through a serial link connected to the HA4000 RS 232 craft port Typically the craft port is us...

Страница 18: ...and SNMP based performance monitoring z The subnet mask is the portion of the IP address that identifies the network or subnetwork for routing purposes z The default gateway assigned only when the HA...

Страница 19: ...55 255 255 0 192 168 10 1 config ifMan exit config exit admin copy system running nvram config Prepare the Device for Operation Configure the Remote Interface Follow the procedures described in this s...

Страница 20: ...arameter descriptions go to ip address on page 74 Example This example sets the remote port IP address during initial HA4000 configuration admin config terminal config interface remote config ifRemote...

Страница 21: ...he default gateway on the HA4000 gateway s remote port z Negotiated IPSec IKE policies will be used z The HA4000 gateways IPSec peers are in a routed network Where the gateways are deployed on a singl...

Страница 22: ...e the ikeDefaultGateway command on HA4000 1 see Figure 3 3 to specify Router R2 s local router port IP address 192 168 144 100 HA4000 1 uses the router network to forward packets to its peer HA4000 2...

Страница 23: ...nhanced level of certificate validation You may also control which IKE ID is sent to the peer gateway by setting the IKE ID type used for the remote port Both of these commands affect the remote port...

Страница 24: ...e specifically when using the Default command if the Subject Alt Name exists in the certificate then the first field in the Subject Alt Name is used for the IKE ID If the Subject Alt Name does not exi...

Страница 25: ...ed to the LAN through a switch the local port IP address is the address the server uses to identify the HA4000 Previously configured policies will not recognize a new local port IP address until the H...

Страница 26: ...tiation specify whether to enable flow control To have the HA4000 to use flow control specify enable otherwise specify disable These are the possible configurations and the associated command 3 Go to...

Страница 27: ...rts are on the same subnet The routers are able to resolve the Layer 2 MAC address of the destination stations and traffic flows through the HA4000 gateways In this scenario use the macAddressResoluti...

Страница 28: ...ation S2 is on a different subnet than HA4000 2 s local port To send packets to Station S2 HA4000 2 uses the macAddrResolutionMechanism command with the gateway attribute to identify the IP address of...

Страница 29: ...the PMTU size must be set to a number smaller than the smallest MTU in the path Older Layer 2 devices are more likely to require frames of a certain size than are newer Layer 3 devices Check with your...

Страница 30: ...nd jumbo frame handling is not required set the PMTU to 2944 or less Configure the PMTU At the config prompt enter this command pmtu size_in_bytes For size in bytes type a number from 128 through 12 1...

Страница 31: ...are created as well as certificate expirations Certificate expirations are important only if you plan to replace the HA4000 gateway s default self signed certificate with one of your own Note If the c...

Страница 32: ...and another for read write rw access At the config prompt enter this command snmp server community word ro rw where word is a text string of alphanumeric characters Any printable character is valid E...

Страница 33: ...server trap enable all z Send logon traps to host 192 168 10 10 and all traps to host 192 168 10 15 config snmp server trap host 192 168 1 10 login config snmp server trap host 192 168 1 15 all Table...

Страница 34: ...criticalError fanStatus generic IPSecPeer login host ip address all criticalError fanStatus generic IPSecPeer login Example This example disables the fanStatus trap and disables logon traps to host 1...

Страница 35: ...ive Tasks There are only two administrator configuration tasks setting passwords and limiting the number of unsuccessful logon attempts Set Passwords Administrators can change the Administrator and Ne...

Страница 36: ...n as Administrator 2 Go into configuration mode enter this command configure terminal 3 At the config prompt enter this command netman password password where password is the new password Example In t...

Страница 37: ...fig netman login disable 5 z The Administrator enables the Network Manager s logon config netman login enable Save the Configuration When you complete configuring the HA4000 save the configuration to...

Страница 38: ...he reboot process the device LEDs indicate progress z The power LED illuminates z About a minute after rebooting the alarm LED begins to blink z When the boot process completes the alarm LED turns off...

Страница 39: ...nfiguration and version information Caution If you make configuration changes and don t save them the running configuration Note will not be the same as the saved configuration To view the running con...

Страница 40: ...255 0 ikeDefaultGateway 192 168 144 100 autoNegotiationFlowControl enabled enabled txEnable always interface local ip address 192 168 10 150 255 255 255 0 autoNegotiationFlowControl disabled enabled...

Страница 41: ...files created to configure the unit and security policies In addition to the current file system the HA4000 gateway stores a backup copy of the file system which is created using the procedure describ...

Страница 42: ...an FTP server to transfer files to or from the HA4000 Note The FTP client must be configured before any copy ftp commands can be used 1 Log on as Network Manager 2 To enter configuration mode enter th...

Страница 43: ...bed in Configure the FTP Client on page 42 3 At the admin prompt enter this command copy nvram fs nvram fs backup 4 Download new software enter this command copy ftp fs nvram fs The CLI is disabled wh...

Страница 44: ...plan to replace the HA4000 certificate contact a CA to obtain a certificate in PKCS 12 format The pass phrase that is provided to encrypt the file when it is created is also used to decrypt it when d...

Страница 45: ...tter z Check fans for reduced airflow caused by dust build up and clean as necessary z Examine cables and fiber for damage z Ensure that airflow requirements are met No special maintenance is required...

Страница 46: ...to log file on page 77 Example This example sets the number of log files to 6 and the file size to 300 KB admin configure terminal config log file 6 300 Configure Log File Events The log command defin...

Страница 47: ...a new security policy This setting allows you to track the progress of events at a high level Verbose displays the quiet and normal messages plus a significant number of trace messages for debugging p...

Страница 48: ...he response config log list Terminal Output Log file output Level Setting snmp trap disabled disabled quiet snmp event disabled disabled quiet snmp packets disabled disabled quiet cmbSsh disabled enab...

Страница 49: ...sabled enabled quiet Ssh enabled disabled normal Upload Log Files On occasion you may need to send log files to a central office or SafeNet Customer Support for analysis or troubleshooting assistance...

Страница 50: ...0 terminal z Send log file 1 to the FTP host filename View log CoLog 1 admin copy nvram logs 1 ftp Restore Factory Settings With the clear command you can restore some or all of the HA4000 factory se...

Страница 51: ...ample This example clears the HA4000 s saved configuration replaces it with the factory default configuration and then reboots the device admin clear configuration This will replace your nvram configu...

Страница 52: ...e network cable Verify correct transmit and receive cable polarity Check the operational status of the equipment being connected Verify that the auto negotiation and flow control settings on the local...

Страница 53: ...on The HA4000 does not recognize its new remote port IP address Verify the IP address using the show ip addresses command For instructions go to View Configurations on page 39 Correct the IP address i...

Страница 54: ...running nvram config command Unsaved configuration changes are lost when the unit is rebooted For more information go to Save the Configuration on page 37 Can t establish a link Check physical connec...

Страница 55: ...ess If the HA4000 gateways are installed in a routed network make sure that a default gateway is defined on the remote interface For details go to Assign IKE Default Gateway on page 21 Manual key IPSe...

Страница 56: ...your Security Gateway hardware supports these features Syntax show ipSec aesSupport Table 5 2 CLI IPSec Diagnostic Commands Command Displays show ipSec aesSupport Displays whether the installed hardw...

Страница 57: ...ly OFF 304 packets 0 0135 of total packets were dropped CODE 29 It is assumed that IKE is being initiated for this connection Packets are dropped until the IKE negotiation finishes This is normal oper...

Страница 58: ...security policy database SPD Each entry in the database represents a policy Syntax show ipSec spd all Table 5 4 HA4000 Security Association Fields Field Description SPI Security parameter index unique...

Страница 59: ...ors SPD Selector Description Direction Inbound packets enter the remote port from the untrusted network Outbound packets enter the local port from the trusted network Policy The policy type is display...

Страница 60: ...ntax show ipSec statistics Direction Policy Encap Source Address Mask Dest Address Mask Src Port Dest Port Protocol INBOUND IPSEC YES 10 10 0 0 255 255 0 0 40 40 0 0 255 255 0 0 OUTBOUND IPSEC 40 40 0...

Страница 61: ...kts w o error 0 0 Multicast pkts w o error 0 0 Broadcast pkts w o error 0 0 Flow control pkts w o error 0 0 Good control pkts dropped due to unknown opcode 0 0 Good pkts received 64 byte length 0 0 Ba...

Страница 62: ...pd all z ipSec statistics z logging z nvram config z system running z version The show all command also lists information about the internal tasks running on the HA4000 gateway Note Issue this command...

Страница 63: ...The exit command leaves the current CLI mode and returns to the previous hierarchy level Syntax Conventions Command references listed in this chapter are presented using the following format conventi...

Страница 64: ...r displays context sensitive help When you enter at the start of a line or after a space character two columns of text display The left column lists the keywords that can be entered next N N N N type...

Страница 65: ...s a shortcut for the snmp server command When enough characters are typed to uniquely identify the command the Tab key isn t necessary For example a shortcut for the copy system running nvram config c...

Страница 66: ...e 20 and Layer 2 MAC Address Resolution on page 27 Syntax clear configuration policies all Shortcut None User Type Network Manager Hierarchy Level Configuration Description Restores the HA4000 factory...

Страница 67: ...s nvram fs Shortcut None User Type Network Manager Hierarchy Level Command Description Downloads a new file system from an FTP server to the HA4000 Reboot Required Yes Usage Guidelines See Load Softwa...

Страница 68: ...the backup file system as the HA4000 gateway s running image Reboot Required Yes Usage Guidelines See Restore the Backup on page 42 Syntax copy nvram logs n ftp terminal Shortcut None User Type Netwo...

Страница 69: ...o create on the FTP host If unspecified the file name is root xml Reboot Required No Usage Guidelines None Syntax copy system running nvram config Shortcut copy s n User Type Network Manager and Admin...

Страница 70: ...led between the HA4000 gateway s local and remote ports The default setting is to copy the DF bit from the original packet to the encapsulating header and process ICMP PMTU messages Parameters and Att...

Страница 71: ...ess specifies the IP address of the FTP host ftp_userid specifies the user ID of a user on the FTP host ftp_password specifies the user ID s password ftp_directory specifies the directory containing t...

Страница 72: ...tGateway none ipAddress Shortcut ike User Type Network Manager Hierarchy Level Remote interface configuration Description Defines how IKE negotiation traffic is routed to the appropriate network when...

Страница 73: ...ect Alt Name is used for the IKE ID If the Subject Alt Name does not exist the Subject Distinguished Name is used This setting allows the HA4000 to send an IKE ID of type other than IP Address by inst...

Страница 74: ...ss subnet_mask gateway none Shortcut None User Type Network Manager Hierarchy Level Interface configuration Description Assigns the IP address and subnet mask for the interface being configured On the...

Страница 75: ...s non IPSec traffic to the management port disable disallows IPSec on the HA4000 management port dpd configures dead peer detection on the management port phase1 configures the Phase 1 IKE security as...

Страница 76: ...nfiguration errors Case sensitive ike specifies IKE negotiation messages For technical support diagnostic use Case sensitive Ssh specifies Secure Shell messages For technical support diagnostic use Ca...

Страница 77: ...hrough 99 of log files size_in_kbytes specifies the log file size in kilobytes The total amount of space reserved for logging cannot exceed 64 MB number of files multiplied by file size Reboot Require...

Страница 78: ...nes See Layer 2 MAC Address Resolution on page 27 Syntax netman password password login enable disable value Shortcut None User Type Administrator Hierarchy Level Configuration Description Configures...

Страница 79: ...Parameters password character string with at least one alphanumeric character Passwords are case sensitive they are suppressed from displaying when typed A password can include these special characte...

Страница 80: ...Reboot Required Yes when changing the PMTU from jumbo to normal modes Usage Guidelines See Configure the PMTU on page 29 Syntax reboot Shortcut None User Type Network Manager and Administrator Hierarc...

Страница 81: ...nd Attributes cli sets the session timer for the CLI number specifies the number of minutes Default is 15 minutes for the CLI Reboot Required No Usage Guidelines See Set Session Timer on page 32 Synta...

Страница 82: ...ounts and discards The clear attribute resets counters to zero after they are displayed ipSec sa displays the details of the active security associations ipSec spd all displays a summary of the securi...

Страница 83: ...the MIB2 system group Enclose multi word strings in quotation marks name_arg specifies a logical name to the HA4000 The value is defined by sysName in the MIB2 system group Enclose multi word strings...

Страница 84: ...arameters and Attributes enable allows the management port to accept a telnet session to remotely configure the HA4000 Telnet access is enabled by default disable disallows telnet access to the unit W...

Страница 85: ...e proprietary MIBs which are included on the HA4000 Gateway CD z co smi mib Management Information Structure z co tc mib Textual conventions used in HA4000 MIBs z co gigif mib Objects related to the g...

Страница 86: ...9 inch rack mount design 4 H x 17 W x 15 D 10 16 cm H x 43 18 cm W x 38 1 cm D 10 pounds 4 55 kg 115 VAC 10 amps 50 60 Hz 200 240 VAC 5 amps 50 60 Hz 120 watts power dissipation typical Environmental...

Страница 87: ...tions 87 Appendix C Cable Specifications DB 9 Null Modem Cable Figure C 1 DB 9 Null Model Cable Specifications Table C 1 Null Model Pin Connections Pin Pin 2 RD Receive Data 3 TD 3 TD Transmit Data 2...

Страница 88: ...88 RJ 45 Ethernet Straight Through Cable Figure C 2 RF 45 Ethernet Straight Through Cable RJ 45 Ethernet Crossover Cable Figure C 3 RJ 45 Ethernet Crossover Cable Table C 2 Straight Through Cable Con...

Страница 89: ...RJ 45 Ethernet Crossover Cable Appendix C Cable Specifications 89 Table C 3 Crossover Cable Connections RJ 45 Pin RJ 45 Pin 1 Rx 3 TX 2 Rc 6 Tx 3 Tx 1 Rc 6 Tx 2 Rc...

Страница 90: ...d can result in complete or intermittent failures Always follow ESD prevention procedures when removing and replacing components To prevent ESD damage follow these guidelines z Always use an ESD wrist...

Страница 91: ...otice Canada This Class B digital apparatus meets all requirements of the Canadian interference causing Regulations Cet appareil num rique de la classe B est respecte toutes les exigencies du Reglemen...

Страница 92: ...ppendix E Regulatory Information 92 European Notice Products with the CE Marking comply with both the EMC Directive 89 336 EEC and the Low Voltage Directive 73 23 EEC issued by the Commission of the E...

Страница 93: ...n SA four block cipher Type of symmetric secret key encryption algorithm that encrypts a fixed length block of plaintext at a time With a block cipher the same plaintext block always encrypts to the s...

Страница 94: ...the message Digital Signature Standard DSS Standard for digital signatures using the DSA public key algorithm and the SHA 1 hash algorithm DSS See Digital Signature Standard E encryption Scrambles an...

Страница 95: ...ber of seconds the SA can be used or as the maximum number of kilobytes that can be transmitted using the SA Lightweight Directory Access Protocol LDAP Online directory service protocol defined by IET...

Страница 96: ...key is public but the private key is known only to its owner Any entity that possesses the public key can encrypt a message so that only a single recipient the owner of the private key can decrypt it...

Страница 97: ...to map traffic to a policy which ultimately maps to an SA that is maintained in the security association database SHA See Secret Hash Algorithm Simple Certificate Enrollment Protocol SCEP A PKI commu...

Результаты поиска

Содержание HighAssurance 4000

Отзывы:

Похожие инструкции для HighAssurance 4000

Бренды по названию

Популярные бренды

SafeNet HighAssurance 4000, Руководство пользователя

Результаты поиска

Содержание HighAssurance 4000

Отзывы:

Похожие инструкции для HighAssurance 4000

Бренды по названию

Популярные бренды