Chapter 3 Installation

Anti-Spam

This license provides the Anti-Spam features.

Anti-Spam: Records logs on spam mail.

Anti-MalSite

This license provides the Anti-MalSite features.

Anti-MalSite: Records logs on Anti-MalSite (malicious site) filtering.

VPN Log

Go to Monitor Center > Menu > Log > VPN Log to search for and check VPN logs.

IPSec VPN: Records logs on IPSec VPN tunnel connections.

SSL VPN: Records logs on user logins and logouts over the SSL VPN tunnel.

Log Server Settings

Step 1: Set Local Server

TrusGuard records logs on system status, the administrator's tasks and the application of security policies. Logs on features you do not use, or do not hold a license for, are of no use, so go to System > Log and change the local server settings. TrusGuard only records the log categories selected on the local server.

 

Note

Logs that are not recorded by the local server cannot be sent to any other log server. Select a category on the local server first; selecting it only on a remote log server has no effect.

 

Step 2a: Set Local TrusAnalyzer

A device with a hard disk can run TrusAnalyzer locally and manage its own logs. A device without a hard disk must connect to a remote log server.

Step 2b: Connect to Remote Log Server

If the device is deployed where performance and stability matter most, it is advisable to manage your logs with a TrusAnalyzer that runs separately from the device. This applies all the more if you plan to use HA mode.
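The rule behind Step 1, Step 2a and Step 2b is that a remote log server can only ever receive the categories the local server records, and the local server only records categories the device is licensed for. The following Python script is an added example, not AhnLab code; it models that rule so you can check a planned log-server configuration before applying it. The category names (event, firewall, anti_spam, anti_malsite, ipsec_vpn, ssl_vpn) and the category-to-license mapping are assumptions made for illustration; the device configuration it checks is constructed inline.

```python
"""Added example (not AhnLab code): model the rule that a TrusGuard remote log
server only receives categories the local server records and the device is
licensed for. Category names and the category-to-license map are assumptions."""
from dataclasses import dataclass

# Assumed: log categories as named in this section, and the license each needs.
# None means the category is always available.
LOG_LICENSE = {
    "event": None,
    "firewall": None,
    "anti_spam": "Anti-Spam",
    "anti_malsite": "Anti-MalSite",
    "ipsec_vpn": "IPSec",
    "ssl_vpn": "SSL VPN",
}


@dataclass
class LocalServer:
    """Categories ticked under System > Log (local server settings)."""
    selected: frozenset


@dataclass
class RemoteServer:
    """One entry added as a remote log server, e.g. a separate TrusAnalyzer."""
    name: str
    selected: frozenset


@dataclass
class Plan:
    produced: frozenset          # categories the device will actually write
    unlicensed_local: frozenset  # selected locally but unlicensed: never written
    forwarded: dict              # remote name -> categories that will arrive
    dropped: dict                # remote name -> categories that never arrive


def _check_known(selected):
    unknown = set(selected) - set(LOG_LICENSE)
    if unknown:
        raise ValueError(f"unknown log categories: {sorted(unknown)}")


def recorded_locally(local, licenses):
    """Local selection filtered by license: the set the device can emit at all."""
    _check_known(local.selected)
    return frozenset(
        c for c in local.selected
        if LOG_LICENSE[c] is None or LOG_LICENSE[c] in licenses
    )


def plan_forwarding(local, licenses, remotes):
    """Work out what each remote log server will really receive.

    A category selected on a remote server but not produced locally is
    'dropped': the selection is accepted, but no such log is ever created.
    """
    produced = recorded_locally(local, licenses)
    unlicensed = frozenset(local.selected) - produced
    forwarded, dropped = {}, {}
    for r in remotes:
        _check_known(r.selected)
        forwarded[r.name] = frozenset(r.selected) & produced
        dropped[r.name] = frozenset(r.selected) - produced
    return Plan(produced, unlicensed, forwarded, dropped)


def minimal_local_selection(licenses, remotes):
    """Smallest local selection that gives every remote server what it asked
    for (licensed categories only): the tick-list to apply in Step 1."""
    wanted = set()
    for r in remotes:
        _check_known(r.selected)
        wanted |= set(r.selected)
    return frozenset(c for c in wanted
                     if LOG_LICENSE[c] is None or LOG_LICENSE[c] in licenses)


def demo():
    """Constructed configuration: device licensed for IPSec and Anti-MalSite only."""
    licenses = {"IPSec", "Anti-MalSite"}
    local = LocalServer(frozenset(
        {"event", "firewall", "ipsec_vpn", "ssl_vpn", "anti_spam"}))
    siem = RemoteServer("trusanalyzer-1", frozenset(
        {"firewall", "ipsec_vpn", "ssl_vpn", "anti_malsite"}))
    plan = plan_forwarding(local, licenses, [siem])
    for name, missing in plan.dropped.items():
        if missing:
            print(f"{name}: selected but will never arrive: {sorted(missing)}")
    print("unlicensed local selections:", sorted(plan.unlicensed_local))
    print("local selection to apply:",
          sorted(minimal_local_selection(licenses, [siem])))
    return plan


if __name__ == "__main__":
    demo()
```

In the constructed configuration the remote server asks for ssl_vpn and anti_malsite, but ssl_vpn is unlicensed and anti_malsite was never ticked locally, so neither would arrive; `minimal_local_selection` gives the local tick-list that closes the gap for the licensed categories. Run the check again after any license change, since a lapsed license silently shrinks what every remote log server receives.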

Summary of Contents for TrusGuard

Page 1: ......

Page 2: ... an improper use or manipulation of this product All specifications of the product are subject to change without prior notice to the individuals and or companies that purchase the product and may be different from those described in this document Certificate of Broadcasting and Communications Equipment Code A TrusGuard has been issued the Certificate of Broadcasting and Communications Equipment Co...

Page 3: ...troduction 16 TrusGuard System Specifications 21 Compatibility 40 Chapter3 Installation 41 Overview 42 Before Installation 44 System Settings 46 Initial Login 47 License 49 Update 51 Network Interface 54 Static IP Address Port 56 PPPoE Port For IPv4 58 DHCP DHCPv6 Port 61 Aggregation 62 Bridge 65 VLAN 68 Secondary Port 69 HA Mode 71 Routing Setting 76 Gateway 76 Multi Path Routing 77 Security Sett...

Page 4: ...rmation 90 Change Session Settings 92 Policy Settings 93 Network Connection 98 Rack Mount 98 Connect Power and Start System 99 After Installation 102 Installation Completed 103 Chapter4 Client Program 105 TrusGuard SSL VPN Client 106 Installation and Login 106 Manage Certificate 111 SSL VPN Client Status Icon 113 Remove TrusGuard SSL VPN Client 114 TrusGuard Auth 115 Chapter5 Remove Device 119 Rem...

Page 5: ...Chapter1 Before You Start Technical Support 6 About This Guide 7 Checklist 8 Safety Precautions 9 Installation Environment 11 Security Checklist 13 ...

Page 6: ...Check the Online Help or Administrator s Guide The Online Help and Administrator s Guide contain useful information on using AhnLab TrusGuard which might help you solve your problem before consulting with us Update the engine files and patch files to the latest version Many of the problems can be resolved by updating the engine and patch files to the latest version Update the firmware to the lates...

Page 7: ...neers who understand TCP IP and network protocol It also includes instructions on some basic features for the general user The administrator must make sure the general user uses TrusGuard SSL VPN Client and TrusGuard Auth securely Document Conventions This guide includes the following document conventions Bold Type Button name menu or field on a window or typing for emphasis Note Note to consider ...

Page 8: ... from one site you may be provided with one AhnLab Software License only Check that the CD is in a sealed package and the security sticker is not damaged or missing Check that the Warranty Seal is not damaged or missing If damaged AhnLab may provide only limited warranty and or repair services The seal may not be attached the same as below Note If you get your device repaired we will attach a new ...

Page 9: ...r from an AC power source Do not overload the power outlet and cable and make sure that there is enough current capacity for the device Power cable Do not step on the power cable Do not bend the power cable by force and do not put any heavy object on it Do not pull the power cable and do not tie it in knots Do not heat the power cable When unplugging the power cable hold the plug not the cable Do ...

Page 10: ...ir Prohibited Your warranty is invalidated if you dissemble or modify the device or remove the label Your warranty is invalidated if you dissemble or modify the device or remove the Warranty Seal Precautions Do not use the device near any heat source Only use parts that have been provided by AhnLab Keep the work environment clean Make sure that the device does not get wet Do not expose the device ...

Page 11: ... least two hours before installation The device must be completely dry Otherwise there are hazards of electric shock Ventilation The device must be installed in a location with good ventilation Provide adequate space in front of and behind the device to allow proper ventilation Allow a minimum clearance of 15 cm from the wall Use racks that provide ventilation Humidity High humidity could cause sh...

Page 12: ...pply Some devices have two power input ports One is the main power input and the other is for backup Use grounded electrical outlets to protect the device and yourself It is highly recommended to use a UPS Uninterruptible Power Supply with your device for continuously operation If there are two power input ports in your device plug the power cables into two different power outlets ...

Page 13: ...you must immediately reflect the changes and security policy in the current security policy of AhnLab TrusGuard in order to keep the security level the same as before Regular Security Policy Check Set AhnLab TrusGuard to record logs and check the security policy and system logs regularly Remote Connection Prohibited Prohibit remote access to the system other than authorized hosts Use of Default Ac...

Page 14: ...tures and patches to block security threats and to achieve the stable operation environment Trusted Administrator An administrator must have no malicious intent and be properly trained and perform his her duty in accordance with the administrator guideline Trusted Timestamp The device must have a trusted time stamp provided by the NTP server that conforms to RFC 1305 ...

Page 15: ...Chapter2 AhnLab TrusGuard Overview Introduction 16 TrusGuard System Specifications 21 Compatibility 40 ...

Page 16: ...bution processing technology It also uses AhnLab Cloud Computing E Security Service ACCESS a cloud based threat management system AhnLab TrusGuard also provides stable and secure high performance VPN Advanced A TEAM Advanced A TEAM architecture maximizes firewall performance It employs a highly innovative processing algorithm to separate packets for general or accelerated processing Packets are th...

Page 17: ...2 Chapter2 AhnLab TrusGuard Overview 17 Flexible Secure VPN Network AhnLab TrusGuard supports both IPSec VPN and SSL VPN and interoperates with IPS to prevent malware propagation via VPN tunnel ...

Page 18: ...usGuard Installation Guide Proactive Comprehensive Defense AhnLab TrusGuard provides strong ACCESS based integrated security ACCESS proactively protects systems from zero day attacks and unknown attacks in real time ...

Page 19: ...y Emergency response Center analyzes monitors the signatures 24 7 365 and updates them two to three times a day Bot Prevention AhnLab TrusGuard prevents bots and malware from entering the network and running By controlling access to bot malware distributing sites and communication with the C C server based on ACCESS it protects your system from advanced persistent threats ...

Page 20: ...se Center monitors security threats all over the world 24 7 365 to prevent new security threats and minimize damages caused by these threats CERT Computer Emergency Response Center monitors customer s networks 24 7 365 to get information on attacks and threats in real time and deliver the information to ASEC Signatures are created based on the collected information and reflected on AhnLabTrusGuard...

Page 21: ...as of June 2013 The network port modules may differ according to date of manufacture and order specification For SOHO TrusGuard 31A TrusGuard 50A TrusGuard 70A For Small Business TrusGuard 100A For Medium Enterprise TrusGuard 400A TrusGuard 500A For Large Enterprise TrusGuard 1000P TrusGuard 5000 TrusGuard 10000P TrusGuard 22000 ...

Page 22: ...1A Front Back Specification CPU Single Core RAM 1GB HDD n a Interface 1Gbe Copper 6 Ports Size 300x44x260 WxHxD mm 1U Environment Operating Storage temperature 5 35C 40 70C Electric Energy Consumption Power 100W Single 12V AC Adapter Heat Max 116 6 BTU h ...

Page 23: ...erview 23 Installation Kit Inspection Sheet x 1 Power Adapter 12V AC x 1 UTP Cables CAT 5e Straight Through 2m x 6 Console Cable DB9 RJ 45 2m x 1 Power Code 250V 7A 2m x 1 Mount Bracket L Type x 1 pair Rubber Feet x 4 Manual CD x 1 ...

Page 24: ...e RJ 45 x 1 USB disabled x 2 Size 440 x 44 x 240 W x H x D mm 1U Environment Operating Storage temperature 0 40C 0 70C Electric Energy Consumption Power 150W Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 6 Console Cable RJ 45 2m x 1 Power Code 250V 7A 2m x 1 Mount Bracket L Type x 2 Rubber Feet x 4 Manual CD x 1 ...

Page 25: ... RJ 45 x 1 USB disabled x 2 Size 440 x 44 x 240 W x H x D mm 1U Environment Operating Storage temperature 0 40C 0 70C Electric Energy Consumption Power 100W Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 6 Console Cable RJ 45 2m x 1 Power Code 250V 7A 2m x 1 Mount Bracket L Type x 2 Rubber Feet x 4 Manual CD x 1 ...

Page 26: ...DD 500GB Interface 1Gbe Copper 6 Ports Size 438x44x291 WxHxD mm 1U Environment Operating Storage temperature 0 40C 10 70C Electric Energy Consumption Power 250W Single Input 100 240V 100V 3 5A 240V 1 5A 50 60Hz Output DC 3 3V 13A 5V 14A 12V V1 18A 12V V2 18A 12V 0 3A 3 3V 10A 5Vsb 2A Heat Max 699 46 BTU h ...

Page 27: ... TrusGuard Overview 27 Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 6 Console Cable DB9 RS232 2m x 1 Power Code 250V 7A 2m x 1 Mount Bracket L Type x 1 pair Rubber Feet x 4 Manual CD x 1 ...

Page 28: ... Front Back Specification CPU Dual Core RAM 4GB HDD 1TB Interface Network Port 1GbE Copper on board x 6 1GbE Fiber on board x 4 Network Interface Slotx1 1GbE Fiber on demand x 2 Others Console RJ 45 x 1 USB disabled x 2 Size 437 x 88 x 503 6 W x H x D mm 2U ...

Page 29: ...n Power 300W Redundant Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 5 1G Fiber Cables LC LC 3m Multi Mode x 4 1G Fiber Cables LC LC 3m Multi Mode x 4 SFP Modules 850nm Multi Mode 3 3V 550m x 4 Console Cable RJ 45 2m x 1 Power Code 250V 7A 2m x 2 Mount Rail x 2 Rubber Feet x 4 Manual CD x 1 ...

Page 30: ...Front Back Specification CPU Quad Core RAM 4GB HDD 1TB Interface Network Port 1GbE Copper on board x 6 1GbE Fiber on board x 4 Network Interface Slot x 1 1GbE Fiber on board x 2 Others Console RJ 45 x 1 USB disabled x 2 Size 437 x 88 x 503 6 W x H x D mm 2U ...

Page 31: ...n Power 300W Redundant Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 5 1G Fiber Cables LC LC 3m Multi Mode x 6 1G Fiber Cables LC SC 3m Multi Mode x 6 SFP Modules 850nm Multi Mode 3 3V 550m x 6 Console Cable RJ 45 2m x 1 Power Code 250V 7A 2m x 2 Mount Rail x 2 Rubber Feet x 4 Manual CD x 1 ...

Page 32: ... HDD 2TB Interface 1Gbe Copper 6 Ports 1Gbe Fiber 8 Ports Size 450x88x580 WxHxD mm 2U Environment Operating Storage temperature 5 35C 0 70C Electric Energy Consumption Power 500W Redundant Input 90 264V 115V 10A 230V 5A 47 63Hz Output DC 5V 24A 12V 36A 12V 0 8A 3 3V 24A 5Vsb 3 5A Heat Max 1330 68 BTU h ...

Page 33: ...CAT 5e Straight Through 2m x 6 1G Fiber Cables LC LC 3m Multi Mode x 8 1G Fiber Cables LC SC 3m Multi Mode x 8 SFP Modules 850nm Multi Mode 3 3V 550m x 8 Console Cable DB9 RJ 45 2m x 1 Power Code 250V 7A 2m x 2 Mount Bracket L Type x 2 pair Mount Rail x 1 pair Rubber Feet x 5 Manual CD x 1 ...

Page 34: ...ation CPU Octa Core RAM 16GB HDD 2TB Interface Network Port 1GbE Copper on board x 2 1GbE Fiber on board disabled x 1 Network Interface Slot x 3 1GbE Copper on board x 8 1GbE Fiber on board x 4 10GbE Fiber on board x 2 1GbE Copper on demand Replacement of the existing card x 8 ...

Page 35: ... Input 90 264V 115V 10A 230V 5A 47 63Hz Output DC 5V 24A 12V 36A 12V 0 8A 3 3V 24A 5Vsb 3 5A Heat Max 1330 68 BTU h Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 10 1G Fiber Cables LC LC 3m Multi Mode x 4 1G Fiber Cables LC SC 3m Multi Mode x 4 10G Fiber Cables LC LC 3m Multi Mode x 2 10G Fiber Cables LC SC 3m Multi Mode x 2 SFP Modules 850nm Multi Mode 3 3V 550m x ...

Page 36: ... Front Back Specification CPU Multi Core RAM 16GB HDD 2TB Interface 1Gbe Copper 14 Ports 1Gbe Fiber 8 Ports 10Gbe Fiber 2 Ports Size 450x88x580 WxHxD mm 2U Environment Operating Storage temperature 5 35C 0 70C Electric Energy Consumption Power 500W Redundant ...

Page 37: ...ght Through 2m x 14 1G Fiber Cables LC LC 3m Multi Mode x 8 1G Fiber Cables LC SC 3m Multi Mode x 8 10G Fiber Cables LC LC 3m Multi Mode x 2 10G Fiber Cables LC SC 3m Multi Mode x 2 SFP Modules 850nm Multi Mode 3 3V 550m x 8 SFP Modules MMF Hot pluggable 9 95 to 10 3Gb s 300m x 2 Console Cable DB9 RJ 45 2m x 1 Power Code 250V 7A 2m x 2 Mount Bracket L Type x 2 pair Mount Rail x 2 pair Rubber Feet ...

Page 38: ...ont Back Specification CPU 16 Cores RAM 24GB HDD 2TB Interface Network Port 1GbE Copper on board x 2 1GbE Copper on board disabled x 1 Network Interface Slot x 3 1GbE Copper on board x 8 1GbE Fiber on board x 4 10GbE Fiber on board x 2 1GbE Fiber on demand x 2 ...

Page 39: ...5V 24A 12V 36A 12V 0 8A 3 3V 24A 5Vsb 3 5A Heat Max 1330 68 BTU h Installation Kit Inspection Sheet x 1 UTP Cables CAT 5e Straight Through 2m x 10 1G Fiber Cables LC LC 3m Multi Mode x 4 1G Fiber Cables LC SC 3m Multi Mode x 4 10G Fiber Cables LC LC 3m Multi Mode x 2 10G Fiber Cables LC SC 3m Multi Mode x 2 SFP Modules 850nm Multi Mode 3 3V 550m x 4 SFP Modules MMF Hot pluggable 9 95 to 10 3Gb s 3...

Page 40: ... Patch3 or higher TrusGuard Manager 1 5 Patch7 or higher AhnLab Policy Center 3 5 or higher TrusAnalyzer TrusAnalyzer is a log server for TrusGuard and other AhnLab applicances TrusGuard Manager TrusGuard Manager is a centralized management solution that enables centralized management AhnLab devices AhnLab Policy Center AhnLab Policy Center is a centralized management solution used to manage V3 In...

Page 41: ...tallation 44 System Settings 46 Initial Login 47 License 49 Update 51 Network Interface 54 Routing Setting 76 Security Settings 78 Connect to Log Server 81 Other Settings 90 Network Connection 98 After Installation 102 Installation Completed 103 ...

Page 42: ...cording to the network environment and initialize the system The network engineer shall not be responsible for any problem caused by wrong information provided by the administrator Installation Steps AhnLab TrusGuard installation is divided into physical installation of the device and system settings For methods on setting the policies refer to Help or Administrator s Guide Start physically instal...

Page 43: ...ard will get initialized You are adviced to perform the following settings only Enter product license Set network interface Set routing After completing the above settings set the TrusGuard Manager connecting settings Caution In TrusGuard Manager system settings and policies are managed in profiles Before connecting to TrusGuard specify the system settings and profiles to apply first ...

Page 44: ...or the bridge interface you need a separate network interface to manage the device Next hop Router Switch The router switch will affect the routing and network redundancy Check the type connection and configuration of the router switch installed at the upper part that connects to the upper network and lower part that connects to the subnet You may need to set the settings to enable communication w...

Page 45: ... address of the server that use access control policy Service provided by the server and users service provided to outside the network and service provided to the sub network Types and versions of OS and applications installed on the server host this information is used to set the IPS policy profile There are advanced security policies that cannot be applied to hosts using Linux or Mac OS These ho...

Page 46: ...ask AhnLab Password Please ask AhnLab Administrative IP Address 10 0 0 0 16 IP address allowed to access the device IPv4 Address 10 0 N 254 24 N is the number allotted to the network port E g eth0 eth1 ethN IPv6 Address Not allotted Before System Settings Before setting the system check below Internet connection PC or laptop that meets the administrative system requirements Product license Power ...

Page 47: ...ry network port e g eth0 Insert the other UTP cable s RJ 45 connector into the PC s network port Connect the UTP cable to an Internet switch 3 Check TrusGuard s port status The green LED on the left of the port will turn on if properly connected If not the light will not turn on When the connection speed is 10 Mbps or 100 Mbps the orange LED on the right of the port will turn on If not it will fli...

Page 48: ...ing message will no longer appear Administrator session will time out after 10 minutes of inactivity To change the time use the set_webui_timeout command in a terminal Step 3 Connect to Network Temporarily for System Settings While setting the system you need to update the signatures and V3 engine Connect TrusGuard to the Internet temporarily to perform this update 1 Check the network information ...

Page 49: ... License License Step 1 Prepare License Check the TrusGuard license to register You can only use the IPv4 firewall and proxy if you do not register the license The licenses available are as below IPS License to use IPS feature Endpoint Control License to use endpoint control IPSec License to use IPSec VPN ...

Page 50: ...d to create the license Device ID Device number Serial Number Product license number Registration Date License registered date Step 2 Enter License 1 In the New License field enter the encoded license string 2 Click OK 3 Click Logout to log out and log in again Note You need the Device ID and Serial Number to change the license Only authorized engineers can register change the license To change th...

Page 51: ...agnostic mode from the terminal 2 Used the commands below to check the network connection ifconfig Check whether the IP address in correct in the network interface netstat Type netstat rn command to check whether the gateway information is correct nslookup Type nslookup www google com to check DNS query ping Type ping www google com to check Internet connection If there is no problem move on to th...

Page 52: ...needed change the upate cycle Siganture based Rule Malicious traffic pattern used by IPS Behavior based Rule Abnormal traffic pattern used by IPS Anti Virus Engine V3 engine for anti virus feature Content Rating DB Content rating DB used by website filter Anti MalSite DB on malicious sites used by Anti MalSite 2 If you changed the update cycle click OK and then Apply ...

Page 53: ...he update is completed will appear Note If you try to update a feature you do not have a license for a message that update is not available for the feature will appear Step 3 Disconnect from Temporary Network Disconnect the device from the network and initialize the network settings for update ...

Page 54: ...he networks to connect use VLAN it recognizes VLAN tag Secondary Port Allot an additional IP address to the network interface GRE Set the GRE tunnel Apart from the above you can also use AutoConfiguration AC in IPv6 environment and GRE port for IPSec VPN Port Labelling In TrusGuard 2 1 Patch1 you can label the network port IN OUT DMZ Before setting the interface label the network port first If the...

Page 55: ...ork interface of TrusGuard as the gateway Operating in Bridge Mode If you use an IP address for the bridge the bridge interface becomes the gateway If there is no IP address the router s IP address can be used as the gateway If there is no IP address for the bridge interface it is called a transparent bridge If you use a transparent bridge you cannot use services that depend on network interface I...

Page 56: ...IP Address Port Set the static IP address port as below Use the default settings for any fields that have been left out 1 Select the network port to use a static IP address and click 2 Specify the settings as below Select Static for Type Enter the IPv4 or IPv6 address Select the response protocol in Control PING To respond to ICMP ping requests HTTPS To allow access to administrative web page ...

Page 57: ...bytes when using IPSec VPN PPPoE 100 to 1 492 bytes Default 1 492 IPv6 Network 1 280 to 1 500 bytes Duplex Set the transmission rate and method 10Mbps Half 10Mbps Full 100Mbps Half 100Mbps Full 1000Mbps Full 10Gbps Full Auto configuration 3 Click OK 4 Click Apply Note If you do not want to use an IPv6 address enter 0 ...

Page 58: ...n small scale network with no static IP address Set PPPoE Port Set the PPPoE settings as below Use the default settings for any fields that have been left out 1 Select the network port to use xDSL and click 2 Specify the settings as below Select Enable Select PPPoE for Type Enter the PPPoE subscriber s ID Enter the PPPoE subscriber s Password Select the response protocol in Control ...

Page 59: ...one ISPs If you use multiple lines but one ISP only you may not be able to use all the lines when there is a problem in yoru ISP s line Use More Than 2 PPPoE Lines There are times when you get disconnected from your online banking service When it happens go to Network Routng Multipath Routing and change the Load Balancing to Source IP Address In a Terminal use the set_gw_check command to check the...

Page 60: ...TrusGuard as the DHCP server Advanced Settings You can use commands that control PPPoE connection in a Terminal Regularly check the connection with the PPP server using Link Control Protocol LNK when PPPoE client daemon is running on the system Run the commands below to display the interval of checking PPP server connection and number of retry attempts when failed to connect get_pppctl Command to ...

Page 61: ...k interface as below Use the default settings for any fields that have been left out 1 Use the DHCP to get an IP address Select the network port to use and click 2 Specify the settings as below Select Enable Select DHCP for Type Select DHCPv6 if you need to get the IP address from an IPv6 network Select the response protocol in Control PING To respond to ICMP ping requests HTTPS To allow access to...

Page 62: ... control DHCP connection in a Terminal When the network port is set to get the IP address from the DHCP server it will take time to get the IP address If the IP address it not received within a specific time period the connection will be considered down If disconnected the device uses the set_dsl_mon command to check the network connection and when the network is up it restarts the DHCP client get...

Page 63: ... Aggregation for Type Select the Mode Active Backup Active Active 802 3ad L2 load balancing 802 3ad L3 L2 load balancin 802 3ad L4 L4 load balancin Select more than two Network Interfaces Enter the IPv4 address if not used enter 0 0 0 0 0 Enter the IPv6 address if not used enter 0 Select the response protocol in Control PING To respond to ICMP ping requests HTTPS To allow access to administrative ...

Page 64: ...hnLab TrusGuard Installation Guide NDP To allow the operation in the link layer of the Internet model and address autoconfiguraiton 3 Click OK 4 Click Apply Note To use 802 3ad the switch must support 802 3ad ...

Page 65: ...e the same network address When the cable modem operates as DHCP and the bottom network host must use DHCP Bridge and aggregation are similar but its use is different Set Bridge Interface Set the bridge interface as below Use the default settings for any fields that have been left out 1 In the profile policy modification tool click 2 Add Network Interface will appear Specify the settings as below ...

Page 66: ...bridge with lower number becomes the root bridge 3 Click OK 4 Click Apply Note To use Active Standby HA bridge you must specify STP and Bridge Priority Note If you do not allot an IP address of the bridge uncheck all Control checkboxes Interface for Bridge Bridge can be used in the following interfaces Network port using static IP address Aggregation interface Convert Connection Using LLCF You can...

Page 67: ...ddress of the upper router as the gateway To use NAT get an IP address for the bridge or use a secondary port with the same IP address Set Bridge Active Active HA The following requirements must be met before implementing Active Active HA using bridge interface OSPF or RIP must be used in the upper lower router When setting OSPF or RIP in TrusGuard use the upper router s IP address and bottom L3 s...

Page 68: ...VLAN Interface Set the VLAN interface as below Use the default settings for any fields that have been left out 1 In the profile policy modification tool click 2 Add Network Interface will appear Specify the settings as below Specify the VLAN interface Name e g vlan0 Select VLAN for Type Enter the VLAN ID 0 to 4 095 Select the Network Interface Enter the IPv4 address ...

Page 69: ...link layer addresses NDP To allow the operation in the link layer of the Internet model and address autoconfiguraiton 3 Click OK 4 Click Apply Secondary Port Secondary port is used in HA mode when setting services that use TrusGuard s IP address Set Secondary Port Set the secondary port as below Use the default settings for any fields that have been left out 1 In the profile policy modification to...

Page 70: ...ode In a device using HA mode a secondary port must be added to network interface connected to the upper network All the secondary ports in devices using HA mode must use the same IP address The IP address to be used by the secondary port must be able to communicate with the router switch Select Enable HA for ARP Control Next hop router switch uses ARP communication to connect devices using HA mod...

Page 71: ...er lower router switch specifies the master s HA interface virtual IP address as the next hop Active Active HA Equal cost multiple path routing used when the upper lower router switch specifies the master s and slave s virtual IP addresses as the same next hop HA peer uses HA sync interface to sync the sessions and policies Active Standby HA Syncs all sessions and policies Active Active HA Syncs p...

Page 72: ... uses the master s virtual IP address VIP2 as the gateway All the HA peers use the upper router s IP address as the gateway The routing gateway from top to bottom uses the master s virtual IP address VIP3 You can set this mode regardless of the type of upper lower switch L2 L3 All routing goes through the master s virtual IP address VIP1 and VIP3 If a problem occurs in the master the slave informs...

Page 73: ...ateway Do not set the HA interface as route bridge is selected among the HA peers by STP Active Active Router Mode L3 switch is needed as the upper switch Both L2 and L3 switches can be used as the bottom switch The sub network uses VIP1 or VIP2 or the IP address of the bottom switch as the gateway All the HA peers use the upper router s IP address as the gateway The gateway that connects the uppe...

Page 74: ...Mode You need a L3 switch The bottom switch must be in a sub network with different SIP1 and SIP2 Set OSPF routing in upper lower router switch You can also use RIP The sub network is used as a gateway so it uses SIP1 The HA peers uses OSPF routing for each upper router s IP address and bottom SIP2 Do not set the HA interface as it operates using routing protocol ...

Page 75: ...elow is not shared between HA peers Network interface settings Host name DHCP Routing information dynamic static multicast ARP License IPSec VPN profile SA SSL VPN The network interface type and setting must be the same but properties lie the interface s IP address does not get shared ...

Page 76: ...ting stage enter the basic information only Check the routing operation after connecting the system to a network This document focuses on static routing Gateway Register the gateway for TrusGuard to use Note If you set the network port with DHCP or PPPoE you do not need to set the gateway It will be automatically set Step 1 Check Routing Table Step Monitor Center Menu Routing IPv4 Routing IPv6 Rou...

Page 77: ...the menu go to Network Routing Multipath Routing 2 The Multipath Routing Settings window will appear Select Load Balancing Per session Per source IP Per session Specifies routing path per session Per source IP Specifies routing path per source IP 3 Click OK 4 Click Apply Per session is only available while the session is active Note When there are more than two gateways use the set_gw_check comman...

Page 78: ...terface to use for SSH terminal connection and TrusGuard s administrative page and register the IP address to allow connection Change Administrator Account Change the default administrator account before use System Administrator Administrator Account 1 Double click or select the account to modify and click The Modify Administrator Account window will appear Change the ID and Password Click OK 2 Cl...

Page 79: ...tion To allow access to the administrator s web page HTTPS should be displayed To allow connection to SSH terminal SSH should be displayed If both HTTPS and SSH are not displayed double click the interface or select it and click Then modify Control 3 Click OK 4 Click Apply Step 2 Register Administrative IP Address Step System Administrator Administrative IPv4 Address Administrative IPv6 Address Re...

Page 80: ...newly registered administrative to connect to a network interface or enter wizard mode in Terminal and run setadminhost to redesignate the administrative IP address and administrator s network interface To remove the administrative IP address used in the initial system settings stage connect to the network and then log in with the newly registered administrative IP address and remove it ...

Page 81: ...ent Log to search for check event logs on system events and administrator s policy settings Firewall Log Go to Monitor Center Menu Log Firewall Log to search for check firewall logs on packets and sessions allowed denied expired according to the firewall policy Security and VPN logs are recorded with the firewall logs Security logs record application of other security policies except for firewall ...

Page 82: ...for check security logs There are the following security log licenses General Provides general proxy features of Firewall and Contents Filters except IPv6 Web Traffic Limit Records logs on web traffic limit Proxy Login Records logs on user authentication to open proxy session Proxy Session Records logs on starting and ending time of session connected by proxy Mail Proxy Records logs on mail proces...

Page 83: ...curity policy application Logs on features you do not use or do not have the license for are of no use so go to System Log and change the settings of local cerver TrusGuard only records logs selected from the local server Note Logs not recorded by the local server cannot be sent to other log servers Step 2a Set Local TrusAnalyzer Device with a hard disk can run TrusAnalyzer and manage logs Device ...

Page 84: ...select it and click 2 Deselect logs you do no need from Local Server Settings The local server only creates and sends the selected logs so it affects the settings of log servers that are newly added Even if you select the logs not selected from the local server in a newly added log server the logs will not be created 3 Click OK ...

Page 85: ... TrusAnalyzer is running and you need to stop TrusAnalyzer settings. If the result is 0, TrusAnalyzer is not running; move on to Step 2. Step 2: Set TrusAnalyzer and Restart System. 1. Type set_atllite 1 and press the Enter key. 2. Type apply and press the Enter key. 3. Type exit and press the Enter key to enter admin mode. 4. Type system and press the Enter key to enter system mode. 5. Type reboot and press the...

Page 86: ...e in an environment where performance and stability are most important, it is advisable to manage your logs with TrusAnalyzer, which is operated separately from the device, and more so if you want to use HA mode. Step 1: SNMP Settings (System > SNMP). To register TrusAnalyzer in TrusGuard, use the SNMP information provided by the system or enter the system information in TrusAnalyzer yourself. The method to registe...

Page 87: ...tion (MD5, SHA). Auth PW: password to use with the hash algorithm. Encryption Algorithm: algorithm to use for message encryption (DES, AES). Encryption Key: key used for message encryption. IP (CIDR): IPv4 CIDR of the network or host that sends/receives SNMP communication. 6. Click OK. 7. Select to use SNMP. 8. Click Apply. Caution: the SNMP community name or user name is used for SNMP authentication. Try to use words other than ...
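The SNMP settings above are the credentials TrusAnalyzer will use to poll the device, so they deserve the same review as any other management credential. The checker below is an added example written for this page, not AhnLab code: the keys are modelled on the names of the SNMP page (Auth MD5/SHA, Encryption DES/AES, IP/CIDR, community or user name), but the dictionary layout, the WEAK_NAMES list and the 8-character minimum are this example's own assumptions. It flags the older MD5 and DES options, guessable names, SNMP v1/v2c, and a CIDR that admits the whole Internet.

```python
"""Review the SNMP settings TrusGuard exposes to TrusAnalyzer.

Added example for this page, not AhnLab code.  The keys follow the names on
the SNMP settings page (Auth MD5/SHA, Encryption DES/AES, IP/CIDR, community
or user name); the dictionary layout, WEAK_NAMES list and the 8-character
minimum are this example's own assumptions.
"""
import ipaddress

# Names an attacker will try first; the page's caution says to avoid such words.
WEAK_NAMES = {"public", "private", "snmp", "admin", "trusguard", "ahnlab"}
MIN_SECRET_LEN = 8


def review_snmp(settings: dict) -> list[str]:
    """Return findings for one SNMP configuration; an empty list means no concerns."""
    findings = []
    version = settings.get("version")
    name = settings.get("community") or settings.get("user") or ""

    # The community/user name is the SNMP authenticator (page caution), so it must not be guessable.
    if name.lower() in WEAK_NAMES or len(name) < MIN_SECRET_LEN:
        findings.append(f"name {name!r}: avoid dictionary words and use at least {MIN_SECRET_LEN} characters")

    if version in ("v1", "v2c"):
        findings.append("v1/v2c send the community name in clear text; use v3 with authentication and encryption")
    elif version == "v3":
        if settings.get("auth_algorithm") == "MD5":
            findings.append("auth MD5 is the weaker of the two offered hashes; choose SHA")
        if settings.get("encryption_algorithm") == "DES":
            findings.append("encryption DES is the weaker of the two offered ciphers; choose AES")
        for key in ("auth_password", "encryption_key"):
            if len(settings.get(key, "")) < MIN_SECRET_LEN:
                findings.append(f"{key} is shorter than {MIN_SECRET_LEN} characters")
    else:
        findings.append(f"unknown SNMP version {version!r}")

    # IP/CIDR limits which hosts may send or receive SNMP; a /0 prefix means anyone.
    try:
        net = ipaddress.IPv4Network(settings.get("cidr", ""), strict=False)
        if net.prefixlen == 0:
            findings.append("cidr 0.0.0.0/0 admits SNMP from any host; restrict it to TrusAnalyzer")
    except ValueError:
        findings.append(f"cidr {settings.get('cidr')!r} is not a valid IPv4 CIDR")
    return findings


if __name__ == "__main__":
    # Constructed example: the defaults an installer might leave behind.
    for finding in review_snmp({"version": "v2c", "community": "public", "cidr": "0.0.0.0/0"}):
        print("-", finding)
```

Run it against the values you are about to enter; register TrusGuard in TrusAnalyzer only once the list is empty. Keep the CIDR to the TrusAnalyzer host or its management subnet, since that field is the only network-level restriction on who can talk SNMP to the device.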

Page 88: ...remote log server connection as below. 1. Click the icon. 2. Specify the settings in Add Log Server. Items not selected on the local server cannot be used even if selected in a newly added server. Enter the TrusAnalyzer's IP address in Log Server IP. Enter the port number (Syslog DTLS: 516; Syslog: 514). 3. Click OK. 4. Click Apply. ...

Page 89: ... Step 3: Register TrusGuard in TrusAnalyzer. Connect the device to the network first. Log in to TrusAnalyzer and use the SNMP community name, TrusGuard's IP address and the SNMP listening port number (161) to register the device. ...

Page 90: ... the default account and restrict the IP addresses allowed to access the administrator's interface. System Information (System > System Information): set the system host name, time and language, and click Save after changing the settings. Note: if you change the system information it is applied to the system immediately, but if you restart the system it will change back to the ori...

Page 91: ...ect Input, click the calendar icon and click the date, or enter the date in the format YYYY-MM-DD and the time as hh:mm:ss. Note: in TrusAnalyzer this time is shown as Received Time. System Language: the logs, web interface and SSL VPN start page will be in the language you choose. Only Korean and English are supported now. Caution: if you change the language while operating the system, the logs recorde...

Page 92: ... overwrites the IP header while processing packets, so you need to change the MSS value. Select whether to enable TCP MSS and enter a number between 100 and 1,360. The TCP MSS values usually used are 1,500, 1,340, 980 and 660 bytes; 1,340 bytes is recommended in xDSL or VPN environments. Change TCP Validation Test Settings in Asymmetric Routing Environment: change the TCP validation test set...
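To see where a value such as the recommended 1,340 bytes comes from, the following added example (written for this page, not AhnLab code) computes the largest TCP segment that still fits a link after PPPoE or IPsec ESP encapsulation, and clamps the result to the 100 to 1,360 range the TCP MSS field accepts. The header and encapsulation sizes are standard protocol values, not figures from the page; the ESP figure is a worst-case assumption for AES-CBC with HMAC-SHA1-96 in tunnel mode.

```python
"""Work out the TCP MSS value to enter on a TrusGuard interface.

Added example for this page, not AhnLab code.  MSS_MIN/MSS_MAX are the range
the page gives for the TCP MSS field; the header and encapsulation sizes are
standard protocol values (assumptions of this example, not figures from the
page).
"""
IPV4_HDR = 20                  # IPv4 header without options
TCP_HDR = 20                   # TCP header without options
MSS_MIN, MSS_MAX = 100, 1360   # range accepted by the TCP MSS setting on the page

# Bytes each encapsulation adds around the IP packet (assumed typical sizes).
OVERHEAD = {
    "pppoe": 8,        # PPPoE header 6 + PPP protocol id 2: a 1500-byte link leaves 1492
    "ipsec_esp": 73,   # worst case for ESP tunnel mode, AES-CBC + HMAC-SHA1-96:
                       # outer IPv4 20 + ESP 8 + IV 16 + pad <= 15 + trailer 2 + ICV 12
}


def path_mss(mtu: int, *encaps: str) -> int:
    """Largest TCP segment that still fits in `mtu` after the encapsulations."""
    return mtu - sum(OVERHEAD[e] for e in encaps) - IPV4_HDR - TCP_HDR


def frame_size(mss: int, *encaps: str) -> int:
    """Size on the wire of a full segment of `mss` bytes after encapsulation."""
    return mss + TCP_HDR + IPV4_HDR + sum(OVERHEAD[e] for e in encaps)


def needs_clamp(current_mss: int, mtu: int, *encaps: str) -> bool:
    """True if a peer's advertised MSS would make full segments exceed the MTU,
    which is the fragmentation (or PMTU black-hole) case the setting prevents."""
    return frame_size(current_mss, *encaps) > mtu


def trusguard_mss(mtu: int, *encaps: str) -> int:
    """Value to enter in the TCP MSS field for this path, clamped to the
    device's range; raises if the path cannot carry even the minimum."""
    mss = min(path_mss(mtu, *encaps), MSS_MAX)
    if mss < MSS_MIN:
        raise ValueError(f"path MSS {mss} is below the device minimum {MSS_MIN}")
    return mss


if __name__ == "__main__":
    for label, args in [("plain Ethernet", (1500,)),
                        ("xDSL (PPPoE)", (1500, "pppoe")),
                        ("IPsec over Ethernet", (1500, "ipsec_esp")),
                        ("IPsec over xDSL", (1500, "pppoe", "ipsec_esp"))]:
        print(f"{label:22s} path MSS {path_mss(*args):4d}  enter {trusguard_mss(*args)}")
```

A LAN host advertising 1,460 bytes (the plain Ethernet value) produces 1,508-byte frames once PPPoE is added, so it needs clamping; 1,340 bytes fits even with PPPoE and worst-case ESP stacked (1,461 bytes on the wire), which is why the page can recommend one figure for both xDSL and VPN links.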

Page 93: ...on table and monitored. Payload: the payload is the part of a packet excluding the header. Where TCP/IP header information is used to control network access, payload inspection checks the contents of the packets that have been allowed access. Use a proxy if you need to control a frequently used application protocol, and use Anti-Virus, Anti-Spam, Web Filter and Anti-MalSite as the proxy's plugins. Use IPS to block traffi...

Page 94: ...e IP address profile is selected from the firewall policy as below. Interface-based NAT / Dynamic NAT: the firewall policy is applied using the source IP address before NAT is applied; the destination IP address is not translated. Static NAT / LS NAT: the firewall policy is applied based on the destination IP address (the private IP address) after NAT is applied; the source IP address is not translated. Policy-based NAT: conver...
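The ordering above decides which address a rule has to name: under interface-based or dynamic NAT the policy sees the private source before translation, and under static or LS NAT it sees the private destination after translation, so an inbound rule written for the public address never matches. The model below is an added example written for this page, not AhnLab code; the Packet and NatRule records and the rule_hits helper are its own constructs, and policy-based NAT, which the page only begins to describe here, is not modelled.

```python
"""Which addresses a TrusGuard firewall rule must match under each NAT type.

Added example for this page, not AhnLab code.  It encodes the two orderings
the page describes; the record layouts are this example's own and
policy-based NAT is deliberately left out.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    kind: str       # "interface" / "dynamic" (source NAT) or "static" / "ls" (destination NAT)
    public: str     # address seen on the outside
    private: str    # address (or network, for source NAT) on the inside


def policy_view(pkt: Packet, nat: NatRule) -> Packet:
    """Return the packet as the firewall policy sees it for this NAT type."""
    if nat.kind in ("interface", "dynamic"):
        # Page 94: policy is applied on the source address *before* NAT, and the
        # destination is not translated, so the rule sees the original private source.
        return pkt
    if nat.kind in ("static", "ls"):
        # Page 94: policy is applied on the destination *after* NAT, and the source
        # is not translated, so the rule sees the private (post-NAT) destination.
        return replace(pkt, dst=nat.private) if pkt.dst == nat.public else pkt
    raise ValueError(f"unsupported NAT kind {nat.kind!r}")


def rule_hits(rule_src: str, rule_dst: str, pkt: Packet, nat: NatRule) -> bool:
    """True if a firewall rule written as source/destination CIDRs matches the
    packet at the point where TrusGuard evaluates the policy."""
    seen = policy_view(pkt, nat)
    return (ipaddress.ip_address(seen.src) in ipaddress.ip_network(rule_src, strict=False)
            and ipaddress.ip_address(seen.dst) in ipaddress.ip_network(rule_dst, strict=False))


if __name__ == "__main__":
    # Constructed addresses: a published web server behind static NAT.
    inbound = Packet(src="198.51.100.7", dst="203.0.113.10")
    static = NatRule("static", public="203.0.113.10", private="192.168.10.5")
    print("rule on public dst :", rule_hits("0.0.0.0/0", "203.0.113.10/32", inbound, static))
    print("rule on private dst:", rule_hits("0.0.0.0/0", "192.168.10.5/32", inbound, static))
```

The same check works in the other direction: for dynamic NAT the outbound rule must name the private source network, and a rule written for the public address the traffic will carry after translation never fires.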

Page 95: ...er than using all (0.0.0.0/0 all, ::/0 all), which means all network addresses, it is safer to set an all profile per network interface, e.g. 0.0.0.0/0 eth0 (connected to eth0). When registering an IPSec VPN remote subnetwork address as an IP address profile, use the name of the local VPN gateway interface TrusGuard uses to communicate with the remote VPN gateway. An IP profile cannot directly refer to a bridge...

Page 96: ...cate with an LDAP StartTLS or LDAPS server, you need the authentication server's certificate. Step 4: Register Time to Apply Policy. Check whether there is communication to allow or block at specific times, and register the time to apply the policy as a profile in Object > Schedule. Schedule: a schedule profile can be used to apply a firewall policy at the specified time only. A schedule profile is used when sending Tru...

Page 97: ... Policy. Click Apply. Step 9: Terminate System. After completing the system and policy settings, terminate the system to connect the device to the network. Before terminating the system, check as follows: 1. All the network settings used in the temporary network have been removed. 2. The network settings are correct. 3. The security settings are completed. 4. Terminate the system: log in to Terminal, type system a...

Page 98: ...ed by the device. 1U: TrusGuard 31A, TrusGuard 50A, TrusGuard 70A, TrusGuard 100A. 2U: TrusGuard 400A, TrusGuard 500A, TrusGuard 1000P, TrusGuard 5000, TrusGuard 10000P, TrusGuard 22000. Rules of Rack Mounting: when installing multiple devices in a rack cage you must follow the rules below. Attach the shelf brackets and guide rails to the rack first. If installing one device only, install it on the bottom of the r...

Page 99: ... the ON/OFF switch. For products with an I/O power switch at the back, you need to press the switch to the I position to use the ON/OFF switch at the front. Caution: there are two power input ports; one is the main power input and the other is for backup. Make sure you plug the power cables into two different power outlets. Note: if you connect to one power source or a problem occurs in the power, there will be ...

Page 100: ...k interface and check the system settings and policy settings. Check the network configuration and identify all the network interfaces to connect to the network. A network interface may use more than one network port, so check all the network ports. Modify any wrong settings and click Apply. Step 2: Network Settings. Change the settings to allow routing between the connected network and TrusGuard. Chec...

Page 101: ...n the left of the port will turn on if properly connected; if not, the light will not turn on. When the connection speed is 10 Mbps or 100 Mbps, the orange LED on the right of the port will turn on; if not, it will flicker. When the connection speed is 1 Gbps, the green LED on the right of the port will turn on; if not, it will flicker. Check TrusGuard's SFP port status. The optical cable is a pair of RX/TX c...

Page 102: ...behavior rules in IPS Policy, two to three weeks of observation is needed. After the observation period, search for the following logs in the TrusAnalyzer connected to TrusGuard and change the threshold and action. Firewall Log: search for Log ID UTM_IPS and check the detection list. IPS Log: check the Rule ID of the behavior rules and then search. Note: if you need better Anti-DoS or Anti-DDoS features, use ...
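After the observation period, the point of searching for Log ID UTM_IPS is to find a threshold that sits above each behavior rule's normal daily volume without being dragged up by a single burst. The script below is an added example written for this page, not AhnLab code, and its log layout is constructed for it (field names such as log_id, rule_id and count are assumptions, not TrusAnalyzer's export format). It sums hits per rule per day, proposes median + 3 MAD as the threshold, and lists the days that exceeded it so they can be examined before the action is changed from detect to block.

```python
"""Propose IPS behavior-rule thresholds from an observation-period log export.

Added example for this page, not AhnLab code.  SAMPLE_LOG is constructed and
its field names (log_id, rule_id, count, ...) are assumptions; only the Log ID
value UTM_IPS and the rule-ID/threshold workflow come from the page.
"""
import math
import re
from collections import defaultdict
from statistics import median

IPS_LOG_ID = "UTM_IPS"

# Constructed sample: one week of search results, one behaviour rule with a
# single burst on the last day, one quiet rule, and one non-IPS record.
SAMPLE_LOG = """
2024-03-01 09:12:44 log_id=UTM_IPS rule_id=30012 src=10.1.1.25 dst=10.2.0.9 count=40 action=detect
2024-03-02 10:03:10 log_id=UTM_IPS rule_id=30012 src=10.1.1.25 dst=10.2.0.9 count=55 action=detect
2024-03-03 08:41:59 log_id=UTM_IPS rule_id=30012 src=10.1.1.40 dst=10.2.0.9 count=38 action=detect
2024-03-04 11:20:05 log_id=UTM_IPS rule_id=30012 src=10.1.1.25 dst=10.2.0.9 count=61 action=detect
2024-03-05 09:58:31 log_id=UTM_IPS rule_id=30012 src=10.1.1.25 dst=10.2.0.9 count=47 action=detect
2024-03-06 10:07:22 log_id=UTM_IPS rule_id=30012 src=10.1.1.31 dst=10.2.0.9 count=30 action=detect
2024-03-06 15:44:02 log_id=UTM_IPS rule_id=30012 src=10.1.1.25 dst=10.2.0.9 count=22 action=detect
2024-03-07 03:12:18 log_id=UTM_IPS rule_id=30012 src=198.51.100.77 dst=10.2.0.9 count=900 action=detect
2024-03-01 12:00:00 log_id=UTM_IPS rule_id=30077 src=10.1.2.8 dst=10.2.0.20 count=3 action=detect
2024-03-02 12:00:00 log_id=UTM_IPS rule_id=30077 src=10.1.2.8 dst=10.2.0.20 count=2 action=detect
2024-03-03 12:00:00 log_id=UTM_IPS rule_id=30077 src=10.1.2.8 dst=10.2.0.20 count=4 action=detect
2024-03-04 12:00:00 log_id=UTM_IPS rule_id=30077 src=10.1.2.8 dst=10.2.0.20 count=1 action=detect
2024-03-04 12:00:00 log_id=UTM_FW rule_id=1 src=10.1.2.8 dst=10.2.0.20 count=7 action=allow
"""

LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ log_id=(?P<log_id>\S+) rule_id=(?P<rule>\d+) "
    r"src=\S+ dst=\S+ count=(?P<count>\d+)"
)


def daily_hits(log_text: str) -> dict[str, dict[str, int]]:
    """rule_id -> {date -> summed hit count}, keeping only UTM_IPS records."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["log_id"] != IPS_LOG_ID:
            continue
        hits[m["rule"]][m["date"]] += int(m["count"])
    return {rule: dict(days) for rule, days in hits.items()}


def propose_threshold(daily: dict[str, int], k: float = 3.0) -> int:
    """Median + k * MAD of the daily totals, rounded up.  Median and MAD ignore
    the single burst day that a maximum or a mean would be pulled towards."""
    values = list(daily.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return math.ceil(med + k * mad)


def tuning_report(log_text: str) -> dict[str, dict]:
    """Per rule: days observed, proposed threshold, and days that exceeded it."""
    report = {}
    for rule, daily in daily_hits(log_text).items():
        thr = propose_threshold(daily)
        report[rule] = {
            "days_observed": len(daily),
            "threshold": thr,
            "over": sorted(d for d, v in daily.items() if v > thr),
        }
    return report


if __name__ == "__main__":
    for rule, info in tuning_report(SAMPLE_LOG).items():
        print(f"rule {rule}: {info['days_observed']} days, threshold {info['threshold']}, over on {info['over']}")
```

Rule 30012 gets a threshold of 79 despite the 900-hit day, and that day is reported separately: it came from an external source and is exactly the kind of event to review before switching the rule's action. The page's two-to-three-week window matters here; with only a few days the median and MAD are too coarse to trust.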

Page 103: ...ironment, the system will be handed over to your network administrator. Check System Operation: the network administrator must make sure the system runs properly in the network. Receipt: check whether the firmware version is the same as in the receipt. Sign the receipt after the installation is completed and the version has been checked. ...

Page 104: ...104 AhnLab TrusGuard Installation Guide ...

Page 105: ...Chapter4 Client Program: TrusGuard SSL VPN Client 106; TrusGuard Auth 115 ...

Page 106: ... VPN Client uses the following ports to connect to the network; confirm whether these ports are blocked if the SSL VPN connection fails. SSL VPN Login: TCP port 443. SSL VPN Communication: UDP 51000 to 51019, or a TCP port specified by the administrator. Installation and Login. Connect and Install: this guide is based on Windows 7 and Internet Explorer 9. To use SSL VPN you need TrusGuard SSL VPN Client. TrusGuard SSL...

Page 107: ...f already installed, AOS will run. 3. When the Open File Security Warning appears, click Run. Publisher: if you click AhnLab, Inc. it will show AhnLab's certificate information. 4. If an installation message for the SSL VPN driver appears, click Continue. Note: the SSL VPN driver used by TrusGuard SSL VPN Client has passed the Windows Hardware Quality Labs (WHQL) test, but this is not reflected in the installation program...

Page 108: ...on method: ID/Password or Certificate. Login with ID/Password: enter your user information and click Login. Select the Save ID checkbox to save the login ID. Enter the Group ID and Password (required when authenticated by a separate authentication server; ignore when using an authentication account managed by TrusGuard). Select the Save Group Account checkbox to save the Group ID and Password. Login with Certificat...

Page 109: ...s Enter all fields and check the Auto Login checkbox to log in automatically without entering your password. To run TrusGuard SSL VPN Client at system startup, check the Autorun upon system startup checkbox. If there is a problem with SSL VPN communication, check the Use Port TCP checkbox; this option is disabled again when you restart TrusGuard SSL VPN Client. Step 3: Check Program Status. If you log in su...

Page 110: ... SSL VPN Client settings appears. Specify the settings and click OK. VPN Start Page: the SSL VPN Client home page shows notices and a list of networks the user can use. Notice: the notice set by the administrator; click the title to see the contents. Network List: the SSL VPN networks that can be used by the SSL VPN user. IP: the IP address of the SSL VPN network. Domain: the domain name. ...

Page 111: ...ity, you can log in using a certificate. First, the certificate must be registered in TrusGuard SSL VPN Client. Connect to the SSL VPN login page. Register Certificate: 1. Click Certificate Management in the SSL VPN login window. 2. When TrusGuard SSL VPN Client appears, click Import to import the local certificate and the CA certificate. Enter the following fields and click OK. Name: enter the name of t...

Page 112: ...select the private key file with the .key extension. 2. Check that the certificate has been registered. Export Certificate: 1. When TrusGuard SSL VPN Client appears, select the certificate to export. 2. Click Export, specify the file path and click OK. The CA certificate is converted to a .crt file and saved in the designated path; the private key is converted to a .key file and saved in the designated pa...

Page 113: ... SSL VPN temporary files stored in the web browser will be removed. Program: when a user logs out of the SSL VPN, TrusGuard SSL VPN Client will be removed. Auto Login: select the checkbox to remember the login information and log in automatically. Session Timeout Alert: select the checkbox to display a session timeout alert. Autorun upon system startup: select the checkbox to automatically log in when ...

Page 114: ...lick About. Session Timeout Alert: if a user does not connect to the internal network for a certain period of time, the VPN connection is disconnected automatically. The administrator can set the session timeout from 3 to 30 minutes, or disable this function if necessary. Note: if you enabled Auto Login in Settings, you will be logged in again automatically even when you log out. Remove TrusGuard SSL VPN Clien...

Page 115: ...ion area. Note: if you are not using the HTTP proxy, you will not be redirected to the TrusGuard Auth installation page. Login: once TrusGuard Auth is installed, it waits and runs automatically when user authentication is needed. Login with Password: 1. The authentication window appears when TrusGuard Auth starts. Enter the ID and click OK. The password window appears. If you are being authenticated via...

Page 116: ...me out after 30 minutes of inactivity. You can log back in: 1. Right-click the TrusGuard Auth icon in the Windows notification area. 2. Click Winkey in the popup menu. 3. Proceed with the OTP login method. Login to Other Applications. Connect to FTP in Terminal: before logging in with the remote user account, you need to go through the authentication process with the proxy user's account to con...

Page 117: ...sword. Confirm Password: enter the new password again. 4. Click OK. Note: the password must be a combination of letters and numbers; must not contain a forward or reverse sequence of five or more letters or numbers (e.g. abcdef13); must not contain the same character more than three times in a row; and must not contain special characters. Exit: if you exit TrusGuard Auth, your user session also ends. 1. Right-click the Trus...
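The four password rules above are easy to misread at the edges (is "aaa" allowed? does "54321" count as a sequence?), so the following added example, written for this page and not AhnLab code, turns them into a checker. How the edge cases are interpreted is this example's own reading and may differ from the TrusGuard Auth client: sequences and repeats are compared case-insensitively, a digit run such as 12345 counts the same as an alphabetic one, and exactly three identical characters in a row are allowed.

```python
"""Check a TrusGuard Auth password against the rules listed on the page.

Added example for this page, not AhnLab code.  The four rules come from the
page; the edge-case interpretation (case-insensitive comparison, digit runs
treated like letter runs, three repeats allowed) is this example's assumption.
"""
import string

SEQUENCE_LIMIT = 5   # "five or more forward or reverse sequence", e.g. abcde or 54321
REPEAT_LIMIT = 3     # "the same character more than three times in a row" is rejected
ALLOWED = set(string.ascii_letters + string.digits)   # "must not contain special characters"


def _has_run(pw: str, step: int) -> bool:
    """True if pw holds SEQUENCE_LIMIT consecutive characters whose code points
    change by `step` each time (+1 forward, -1 reverse)."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        if run >= SEQUENCE_LIMIT:
            return True
    return False


def password_violations(pw: str) -> list[str]:
    """Return the page's rules that `pw` breaks; an empty list means it passes."""
    lower = pw.lower()
    problems = []
    has_letter = any(c in string.ascii_letters for c in pw)
    has_digit = any(c in string.digits for c in pw)
    if not (has_letter and has_digit):
        problems.append("must be a combination of letters and numbers")
    if any(c not in ALLOWED for c in pw):
        problems.append("must not contain special characters")
    if _has_run(lower, +1) or _has_run(lower, -1):
        problems.append(f"must not contain a forward/reverse sequence of {SEQUENCE_LIMIT}+ characters")
    window = REPEAT_LIMIT + 1
    if any(len(set(lower[i:i + window])) == 1 for i in range(len(lower) - window + 1)):
        problems.append(f"must not repeat the same character more than {REPEAT_LIMIT} times in a row")
    return problems


if __name__ == "__main__":
    # Constructed inputs, including the page's own rejected example abcdef13.
    for candidate in ("abcdef13", "aaab1x", "aaaab1", "54321x", "P@ssw0rd", "Tg2024kr7x"):
        print(f"{candidate:12s} -> {password_violations(candidate) or 'ok'}")
```

The page's own example abcdef13 fails only the sequence rule. Note that the no-special-characters rule shrinks the usable alphabet to 62 symbols, so length is the only lever left for strength under this policy; a checker like this is a convenience for users changing their password, not a substitute for the server-side check.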

Page 119: ...Chapter5 Remove Device: Remove Device 120 ...

Page 120: ...ator's ID and press the Enter key. When the password prompt (password:) appears, type the password and press the Enter key. 4. Check that the system has terminated. If connected via SSH, check that the SSH session has ended and whether the system responds to ping (it should not). If connected with a console cable, check that the system is turned off. Note: if a problem occurs in the system, it will not be able ...