Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference

Common tasks   403
213455-L, October 2005

• On the Linux host, enter the DSA key generation commands. You will use the passphrase in Step 5 on page 405.

• Print the public and private keys to the screen. The public key is the complete output line, every character from ssh-dss through test@Phantom.

[test@Phantom test]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_dsa): tkey
tkey already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in tkey.
Your public key has been saved in tkey.pub.
The key fingerprint is:
2d:77:72:7d:35:58:2c:4b:a4:f8:56:50:73:42:92:ae test@Phantom

[test@Phantom test]$ cat tkey.pub
ssh-dss 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 test@Phantom
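The instruction above is to copy the public key exactly, from ssh-dss through the trailing comment; a paste that is truncated or line-wrapped by a terminal is the usual way that goes wrong, and the firewall will simply refuse the key later. As an added example (not code from the Nortel guide), the following Python parser checks a tkey.pub line the way a practitioner would before loading it: it decodes the base64 body, confirms that the key type embedded in the blob matches the first word, walks the ssh-dss fields (p, q, g, y in the RFC 4253 wire format), rejects trailing or missing bytes, and recomputes the colon-separated MD5 fingerprint in the same format ssh-keygen printed above, so it can be compared against the fingerprint shown at generation time. The function names (parse_public_key_line, check_public_key_line, make_sample_dss_line) are my own, only the standard library is used, and the sample key is constructed from toy numbers, not a real key. One caveat for anyone reading this today: ssh-dss keys are disabled by default in OpenSSH 7.0 and later, so this key type is only still seen on legacy equipment such as the firewall described here.

```python
"""Added example (not from the Nortel guide): validate an OpenSSH public-key
line of the form printed by 'cat tkey.pub' before pasting it into a firewall
configuration. Only the Python standard library is used; the sample key below
is constructed from toy numbers and is not a usable key."""
import base64
import binascii
import hashlib
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob: length prefix missing")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob: field body cut short")
    return blob[offset:offset + length], offset + length


def _read_mpint(blob, offset):
    """Read an SSH mpint (a wire string holding a big-endian integer)."""
    raw, offset = _read_string(blob, offset)
    return int.from_bytes(raw, "big"), offset


def parse_public_key_line(line):
    """Parse '<type> <base64 blob> [comment]' and return facts about the key.

    Raises ValueError when the line is truncated, line-wrapped, or internally
    inconsistent (the key type named inside the blob must match the first word).
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64 (pasted with a line break?)") from exc

    embedded_type, offset = _read_string(blob, 0)
    if embedded_type != key_type.encode("ascii", "replace"):
        raise ValueError(f"type mismatch: line says {key_type}, blob says {embedded_type!r}")

    info = {"type": key_type, "comment": comment}
    if key_type == "ssh-dss":
        # RFC 4253: ssh-dss blob = string "ssh-dss", mpint p, mpint q, mpint g, mpint y
        p, offset = _read_mpint(blob, offset)
        q, offset = _read_mpint(blob, offset)
        g, offset = _read_mpint(blob, offset)
        y, offset = _read_mpint(blob, offset)
        info["p_bits"] = p.bit_length()
        info["q_bits"] = q.bit_length()
        # OpenSSH only generates 1024-bit DSA keys with a 160-bit q; anything
        # else is either a toy (as in the sample below) or a foreign encoder.
        info["standard_dsa_size"] = (p.bit_length() == 1024 and q.bit_length() == 160)
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes after the key material")

    # Same colon-separated MD5 fingerprint format as the guide's ssh-keygen output.
    digest = hashlib.md5(blob).digest()
    info["fingerprint_md5"] = ":".join(f"{b:02x}" for b in digest)
    return info


def check_public_key_line(line):
    """Return (True, info) for a well-formed line, or (False, reason)."""
    try:
        return True, parse_public_key_line(line)
    except ValueError as exc:
        return False, str(exc)


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_dss_line(comment="test@Phantom"):
    """Build a CONSTRUCTED ssh-dss line with toy parameters p=23, q=11, g=4, y=8."""
    blob = struct.pack(">I", 7) + b"ssh-dss" + _mpint(23) + _mpint(11) + _mpint(4) + _mpint(8)
    return f"ssh-dss {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    sample = make_sample_dss_line()
    print(sample)
    print(check_public_key_line(sample))
    # A paste that dropped the tail of the blob is rejected rather than silently accepted.
    print(check_public_key_line(sample[: len(sample) // 2]))
```

The check is deliberately structural: it proves the pasted text is the whole key and internally consistent, not that the key belongs to anyone. Comparing the MD5 fingerprint it prints against the one ssh-keygen showed at generation time is what ties the pasted line back to the key pair on the Linux host.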

Summary of Contents for 5100 Series Release 2.3.3

Page 1: ...Great America Parkway Santa Clara CA 95054 Phone 1 800 4Nortel http www nortel com Nortel Switched Firewall 5100 Series Release 2 3 3 User s Guide and Command Reference TM part number 213455 L October...

Page 2: ...Nortel Networks Inc assumes no responsibility or liability arising from the use of products described herein except as expressly agreed to in writing by Nortel Networks Inc The use and purchase of thi...

Page 3: ...g help over the telephone from a Nortel Solutions Center 17 Using an Express Routing Code to get help from a specialist 17 Getting help through a Nortel distributor or reseller 17 Chapter 1 Introducti...

Page 4: ...e SmartDashboard 58 Creating a Firewall policy test rule 64 Creating and installing Firewall security rules 66 SecurID authentication 67 Topology of SecurID authentication 68 Configuring RSA authentic...

Page 5: ...meters 101 Defining areas 102 Assigning the area index 102 Using the area ID to assign the OSPF area number 103 Attaching an area to a network 103 Interface cost 104 Electing the designated router and...

Page 6: ...ring Check Point software for active standby 133 Configuration dump for VRRP active standby failover 139 Configuring VRRP active active failover 145 Configuration overview 145 Requirements 147 Install...

Page 7: ...ible Power Supply 216 Configuring UPS support 216 Displaying UPS configuration 220 RADIUS authentication 221 VPN support 223 ISP redundancy 225 User Authority 226 Chapter 8 Upgrading and reinstalling...

Page 8: ...255 Starting the SSH session 257 Using the Command Line Interface 258 Basic operation 258 The Main Menu 259 Idle time out 259 Multiple administration sessions 260 Global commands 260 Command Line his...

Page 9: ...nu 300 CA Certificate Management Menu 301 SNMP Administration Menu 302 SNMP Users Menu 304 Trap Hosts Menu 305 SNMP System Information Menu 306 Advanced SNMP Settings Menu 307 Audit Menu 308 Radius Au...

Page 10: ...3 Proxy Arp List Menu 354 DHCP Relay Menu 355 DHCP Relay Interface number Menu 356 DHCP Server number Menu 357 Firewall License Menu 358 Firewall Configuration Menu 359 Sync Configuration Menu 361 Por...

Page 11: ...4 Mounting a floppy disk on the Firewall 397 Mounting a CD ROM on the Firewall 398 Mounting the USB port 399 Tuning Check Point NGX performance 400 Connection parameters 400 NAT parameters 401 Reading...

Page 12: ...tus check reveals an interface is down 414 Actions 414 VRRP configuration tips 415 VRRP active master backup fails 416 Actions 416 VRRP both masters are active 417 Actions 417 Poor performance under h...

Page 13: ...configuring and maintaining a network It is assumed that users of this guide are familiar with Ethernet concepts and IP addressing How this book is organized The chapters in this book are organized a...

Page 14: ...ware describes how to upgrade or reinstall the Nortel Switched Firewall system component software Chapter 9 Basic system management describes the various tools used for managing the system and explain...

Page 15: ...bol Meaning Example AaBbCc123 This fixed width type is used for names of commands files and directories used within the text View the readme txt file It also depicts on screen computer output and prom...

Page 16: ...documentation product bulletins search the Technical Support web site and the Nortel Knowledge Base for answers to technical questions sign up for automatic notification of new software and documenta...

Page 17: ...tside North America go to the following web site to obtain the telephone number for your region www nortel com callus Using an Express Routing Code to get help from a specialist You can find Express R...

Page 18: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 18 Preface 213455 L October 2005...

Page 19: ...functions Nortel Switched Firewall components and features The following topics are included in this section New features and basic functions Initial setup DHCP Relay and OSPF Layer 2 and Layer 3 fir...

Page 20: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 20 Getting started 213455 L October 2005...

Page 21: ...rity applications and networking technology It addresses the needs for security performance and ease of use The software is a combination of NSF Single System Image SSI software and the Firewall 1 NGX...

Page 22: ...with Application Intelligence R60 and Hotfix Accumulator 14 HFA_14 software Reliability and redundancy Nortel Switched Firewall Series 5100 Release 2 3 3 provides the following reliability and redunda...

Page 23: ...e from the CLI using the following commands info monitor curdata for current data info monitor histdata for historical data based on the time interval specified by the user Current statistics and hist...

Page 24: ...Model Supported Ports RAM 5111 NE1 Two embedded 10 100 1000 Mbps Copper Ethernet ports One quad Copper Ethernet Four 10 100 1000 Mbps Copper Ethernet ports 512 MB 5114 NE1 Two embedded 10 100 1000 Mb...

Page 25: ...Firewall Figure 1 Nortel Switched Firewall network elements Table 3 Nortel Switched Firewall 5100 Series Hardware Performance Model Throughput Concurrent Sessions New Connections per Second 5114 NE1...

Page 26: ...tel Switched Firewall The Nortel Switched Firewall is placed in the path between your various trusted semi trusted and untrusted networks It examines all traffic moving between the connected networks...

Page 27: ...management station running the SmartCenter Server see Note below Check Point SmartCenter Server management station The management station running the SmartCenter Server holds the master policy databas...

Page 28: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 28 Introduction 213455 L October 2005...

Page 29: ...0 hardware as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide 216382 D including mounting the components attaching network cables turning on power and connecting a co...

Page 30: ...statically configured on the firewall for internal networks plus the IP address of the internal router that handles routes for these networks The IP address of the default gateway for data moving thro...

Page 31: ...in the following sections Firewall management network The management network is automatically configured when you run Setting up the basic configuration on page 37 NOTE The management network port is...

Page 32: ...n The Check Point management station IP address is 192 168 1 3 Management of non NGX modules for example NG AI NG AI R55W and Edge modules is not supported by the SmartCenter server configuration NOTE...

Page 33: ...ser s Guide and Command Reference Initial setup 33 213455 L October 2005 The following figure illustrates the Check Point window with Smart Portal option and user authentication Figure 3 Check Point G...

Page 34: ...L October 2005 To register the Smart Portal user name and password do the following 1 From the Manage menu select Users and Administrators as illustrated in Figure 4 Figure 4 Check Point Users and Adm...

Page 35: ...e in the Login entry field 5 Type password in the Password field and confirm 6 Click OK 7 Apply the necessary policies to allow remote users to log in through Smart Portal 8 Open a web browser and log...

Page 36: ...network The IP address range of the Trusted Network is 10 3 0 0 16 The trusted network connects to port 3 Interface 1 NSF 5109 port 3 Interface 1 The Interface address is 10 3 0 1 Untrusted network I...

Page 37: ...Enter the default login name admin and the default password admin If the Nortel Switched Firewall is set to factory defaults a special Setup utility menu appears Use the clone command to restore the...

Page 38: ...subnet In this example the network spans 192 168 1 0 24 6 Enter the VLAN tag ID information Specify a VLAN tag ID for SSI management traffic NOTE NSF 2 3 3 does not support multiple interfaces on the...

Page 39: ...uay 2 Antigua Barbuda 19 El Salvador 36 Peru 3 Argentina 20 French Guiana 37 Puerto Rico 4 Aruba 21 Greenland 38 St Kitts Nevis 5 Bahamas 22 Grenada 39 St Lucia 6 Barbados 23 Guadeloupe 40 St Pierre M...

Page 40: ...9 Indiana Marengo Eastern Standard Time Indiana Crawford County 10 Indiana Vevay Eastern Standard Time Indiana Switzerland Cnty 11 Indianapolis Eastern Standard Time Indiana most locations 12 Juneau A...

Page 41: ...in a cluster with this firewall In that case you must enter 1 or 3 at the prompt and install the SmartCenter Server on the management station See Check Point documentation for more information about...

Page 42: ...when the following message is displayed Once this Setup process is complete you will need to log in and configure Check Point licenses as shown in the following section 16 Install the firewall licens...

Page 43: ...s a notification of how many days are left before the trial period ends If local licensing is used enter Check Point licensing information for the Firewall NOTE If central licensing is used skip this...

Page 44: ...IP address The port that you assign to this interface may be used to attach network devices such as a management console as long as the device is in the same IP network as the firewall s host IP addre...

Page 45: ...configuration on page 37 Interface 1 is for trusted internal network traffic and resides on port 3 Interface 2 is for untrusted external network traffic and resides on port 4 1 Optional Reset the fir...

Page 46: ...ion changes This command applies the configuration changes on the Firewall Main cfg net port 3 Select the Port 3 Menu Port 3 name if_1 Name this port for Interface 1 Port 3 apply Apply the setting to...

Page 47: ...rewall SMART Clients can be implemented on a separate workstation or on the same workstation as the SmartCenter Server For other commands that allow you to delete members or reorder the list see cfg f...

Page 48: ...for creating editing updating and monitoring firewall security policies The SMART Client software can be installed on administrative workstations in your network or on the same workstation as the Sma...

Page 49: ...ents listed below Operating System Refer to the Check Point Release Notes at http www checkpoint com Processor Intel Pentium II 300 MHz or better Disk space 40 MB Memory 256 MB Check Point Management...

Page 50: ...may choose either Check Point Enterprise Pro or Check Point Express but be sure you match the selection you made in Step 12 on page 41 during the initial setup procedure for the firewall host For a de...

Page 51: ...pe page 8 When prompted select SmartCenter optional and SmartConsole then click Next see Figure 11 Figure 11 Check Point three tier architecture page Check SmartCenter if you selected 1 or 3 in Step 1...

Page 52: ...ry management workstation For these instances do not select SmartCenter 9 When prompted select Primary SmartCenter then click Next see Figure 12 Figure 12 Check Point SmartCenter type selection page N...

Page 53: ...installs the SVN Foundation software standard SmartCenter if selected and SmartConsole components The installation status is displayed in the Installation Status box see Figure 14 Figure 14 Installat...

Page 54: ...R60 installation page 13 When prompted specify the SmartConsole components to be installed see Figure 17 Figure 17 Check Point SmartConsole component installation page Check Point Enterprise Pro pres...

Page 55: ...d Reference Initial setup 55 213455 L October 2005 14 When prompted click the Add button see Figure 18 Figure 18 Administrator s Permissions page 15 Enter the login information for SmartCenter adminis...

Page 56: ...st IP address if the GUI client is on the same host as the Smart Center Server 20 Specify the DNS hostname or IP address of other management clients to interface with this management station 21 Click...

Page 57: ...al setup 57 213455 L October 2005 When the Internal CA Status changes to Initialized click Next see Figure 21 Figure 21 Certificate Authority page 24 Record the SmartCenter Server fingerprint by click...

Page 58: ...llation of the SmartCenter Server and SmartConsole are complete 27 Use the SmartDashboard to define a firewall object See Defining a Firewall Object in the SmartDashboard on page 58 28 Create a firewa...

Page 59: ...Server tools during Step 14 on page 55 Also specify the IP address of the SmartCenter Server and click OK NOTE Be sure you have added this IP address in the client access list to allow SMART Client a...

Page 60: ...the Management Server tools during Step 24 on page 57 4 Create a new Gateway object to represent the newly installed Firewall From the SmartDashboard Network Objects pane right click the Check Point...

Page 61: ...ollowing information Name If this is a Windows machine use the name you specified in Editing the Windows hosts file on page 48 Otherwise type a name for example isd1 IP Address The address of the newl...

Page 62: ...page 58 The Communications dialog box appears see Figure 28 Figure 28 Communications page uninitialized Enter the Activation Key the SIC password and click Initialize The SmartCenter Server will cont...

Page 63: ...ll members topology to retrieve the interfaces you configured on the firewall and the topology information under the IP Addresses behind interfaces header NOTE The topology information is needed to in...

Page 64: ...ou can remove this test policy and create firewall security rules that will restrict undesirable traffic From the SmartDashboard menu bar select Rules Add Rule Top see Figure 31 A new rule will be add...

Page 65: ...OK NOTE If your system has a active standby high availability or active active configuration go to Policy Global Properties NAT Network Address Translation and deselect Automatic ARP configuration be...

Page 66: ...ct the SmartView Tracker Active Mode Use a client station to ping the firewall If the SmartView Tracker displays an entry for the ping traffic the configuration is good NOTE The SmartView Tracker is a...

Page 67: ...100 Release 2 3 3 Browser Based Interface User s Guide Part number 216383 D SecurID requires the following token authenticator password Token authenticators generate one time passwords that are synchr...

Page 68: ...n a stand alone system Following are the configuration details iSD1 host IP address 10 10 1 1 interface 2 port 2 address1 172 25 3 1 for Check Point management station interface3 port3 address1 10 8 9...

Page 69: ...ure 36 SecurID authentication on an HA system Following are the configuration details iSD1 host IP address 10 10 1 1 iSD2 host IP address 10 10 1 2 Port 1 is used for synchronization Interface 2 port...

Page 70: ...s 10 8 90 205 Configuring RSA authentication manager Perform the following steps to configure the agent host on the ACE server 1 Go to Start 2 Select Program 3 Select RSA ACE Server 4 Select Database...

Page 71: ...Add Agent Host window Figure 37 Add Agent Host window 9 Resolve the host name and IP address by editing the hosts file in C WINNT system32 drivers etc Following is an example of host name and IP addr...

Page 72: ...vers dialog box is depicted in Figure 38 Figure 38 Assign Acting Servers page NOTE All names must be resolved with their IP addresses 10 From the User menu select Add User 11 In the Add User dialog bo...

Page 73: ...etup 73 213455 L October 2005 The Add User window is depicted in Figure 39 Figure 39 Add User page 12 Click Agent Host Activations The Agent Hosts Activations window appears The Agent Hosts Activation...

Page 74: ...re 41 Figure 41 Add Group window Type the group name Select the user name to add to the group NOTE The user group must be identical to the user group specified in Check Point 14 To activate users retu...

Page 75: ...re 43 Figure 43 Group Activations window 18 To import a token go to the Token menu and import a token range number from the floppy disk 19 To edit a token select Edit Token from the Token menu 20 The...

Page 76: ...ndow appears see Figure 45 Figure 45 Resynchronize Token window In the entry field type the code displayed on the token Click OK The Resynchronize Token window re appears see Figure 46 Figure 46 Resyn...

Page 77: ...Select Token dialog box Click Select Token from List Click OK 25 To generate a configuration file perform the following steps Open the Agent Host menu Click Generate Configuration File to generate the...

Page 78: ...agent host to generate the configuration file as depicted in Figure 49 Figure 49 Select Agent Host window 26 Start the RSA ACE server by performing the following steps Go to Start Select Programs Sel...

Page 79: ...ated file to the var ace folder on the Firewall using the Browser Based Interface perform the following steps 1 Select Firewall 2 Select SecurID 3 Click Browse 4 Select the filed named sdconf rec 5 Cl...

Page 80: ...the firewalls or the Check Point service TIP To stop Check Point use the command cpstop To start Check Point use the command cpstart Configuring partner RSA authentication agent The RSA SecurID authen...

Page 81: ...eID Rule 1 challenges users from any location trying to access any service Rule 2 is not required if the Firewall is configured to allow outgoing packets as part of the Global Policy Properties Rule 3...

Page 82: ...ck Point Firewall 1 session authentication support can be used instead of RSA SecurID However use of Firewall 1 session authentication support requires additional client software If the additional sof...

Page 83: ...h this rule With session authentication passwords can be cached Authentication for every connection is not required when passwords are cached TIP Caching of passwords is not supported for one time pas...

Page 84: ...IP addresses on port 2 The DMZs are connected to the Switched Firewall using a single 802 1Q VLAN Tagged Trunk The VLANs are used to isolate traffic from different security zones A Layer 2 switch is...

Page 85: ...en TAG is always enabled However Windows PCs must be tagged if they are connected directly to the interface Or you can add a 802 1q capable Layer 2 switch between the PC and the firewall SmartDashboar...

Page 86: ...box To create a network object for the public web server in DMZ 2 perform the following steps 1 Right click the Network Topology window The shortcut menu appears 2 Select New Network Object Workstatio...

Page 87: ...255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena n cfg sys adm web cfg sys adm web http port 80 ena y cfg sys adm web ssl port 443 ena n tls y sslv2 y sslv3 y cfg sys adm we...

Page 88: ...addr2 0 0 0 0 mask 255 255 255 0 vlanid 0 port 4 ena y cfg net if 1 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 2 addr1 192 168 0 1 addr2 0 0 0 0 mask 255 255 255 0 vlanid 10 port 2 ena y cfg net i...

Page 89: ...net adv route ospf rtrid 0 0 0 0 spf 5 10 ena n cfg net adv route ospf if 1 Identical cfg ospf configurations for if 1 2 3 33 aindex 0 prio none cost none hello 10 dead 40 trans 1 retra 5 auth none md...

Page 90: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 90 Initial setup 213455 L October 2005...

Page 91: ...nal capability of being able to dynamically allocate reusable network addresses and configuration parameters for client operation Built on the client server model DHCP allows hosts or clients on an IP...

Page 92: ...P IP network In the DHCP environment the Nortel Switched Firewall acts as a relay agent The DHCP relay feature cfg net dhcprl enables the firewall to forward a client request for an IP address to DHCP...

Page 93: ...figured on the firewall The use of two servers provides failover redundancy but you can configure up to eight DHCP servers However no health checking is supported DHCP Relay functionality is assigned...

Page 94: ...ration 5 Apply and save the changes cfg net dhcprl server 1 DHCP Server 1 addr 10 1 1 1 Set IP address of 1st DHCP server DHCP Server 1 ena Enable the DHCP server DHCP Server 1 server 2 Set IP address...

Page 95: ...of routing devices neighbors adjacencies link state database authentication and internal versus external routing NSF 2 3 3 OSPF implementation on page 101 This section gives you information specific...

Page 96: ...e following sections describe key OSPF concepts Types of OSPF areas An AS can be broken into logical units known as areas In any AS with multiple areas one area must be designated as area 0 known as t...

Page 97: ...er IR a router that has all of its interfaces within the same area IRs maintain LSDBs identical to those of other routing devices within the local area Area Border Router ABR a router that has interfa...

Page 98: ...parameters respond to each other s hello packets and become neighbors Neighbors continue to send periodic hello packets to advertise their health to neighbors In turn they listen to hello packets to...

Page 99: ...red into the LSDB of each routing device OSPF uses flooding to distribute LSAs between routing devices When LSAs result in changes to the routing device s LSDB the routing device forwards the changes...

Page 100: ...RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers about the routes you have access to in your network Sharing of routing information between autonomous s...

Page 101: ...4 Authentication on page 105 GRE Tunnel support on page 106 OSPF features not supported in this release on page 106 Configurable parameters In the Nortel Switched Firewall 2 3 3 OSPF parameters can be...

Page 102: ...nterface on the Nortel Switched Firewall The full process is explained in the following sections An OSPF area is defined by assigning two pieces of information an area index and an area ID The command...

Page 103: ...2 NOTE Although both types of area ID formats are supported be sure that the area IDs are in the same format throughout an area Attaching an area to a network Once an OSPF area has been defined it mus...

Page 104: ...y assigning a priority value to the OSPF interfaces The commands are as follows A priority value of 255 is the highest and 1 is the lowest A priority value of 0 specifies that the interface cannot be...

Page 105: ...ters long For interfaces the following CLI commands can be used MD5 authentication OSPF MD5 passwords use strong cryptographic to protect data and passwords To preserve security MD5 passwords should b...

Page 106: ...to the Management IP address MIP If GRE packets are IPSec IPSec GRE OSPF encrypted packets are decrypted by Check Point software and then forwarded by GRE to the MIP In this release static GRE routes...

Page 107: ...areas 4 Configure OSPF interface parameters IP interfaces are used for attaching networks to the various areas Example 1 configuring a simple OSPF domain In this example two OSPF areas are defined one...

Page 108: ...Interface 1 mask 255 255 255 0 Set IP mask on backbone network Interface 1 ena Enable IP interface 1 Interface 1 if 2 Select menu for IP interface 2 Interface 2 addr1 10 10 12 1 Set IP address on tra...

Page 109: ...unnel OSPF packets in a GRE tunnel so other routers on the internet do not need to learn about OSPF In Figure 56 the OSPF network is on the GRE interface 50 1 1 0 24 the GRE tunnel end points is on ph...

Page 110: ...face for GRE 1 GRETunnel 1 remoteaddr 20 1 1 1 Assign GRE tunnel end point of NSF New York GRETunnel 1 ena Enable GRE 1 GRETunnel 1 host1 sip 50 1 1 1 Assign source IP address GREHost 1 dip 50 1 1 2 A...

Page 111: ...Switched Firewall 9 Configure Check Point GUI for GRE support To support GRE on the firewall you need special configurations and rules from Check Point For more information refer to the document 5100_...

Page 112: ...the OSPF subnet 20 0 0 0 subnet have the same destination i n gre GRE Tunnel Information Num GRETunnel Phylcl Phyrmte GRElcl GRErmte GREMask 1 tunnel_one 30 1 1 1 20 1 1 1 50 1 1 1 50 1 1 2 255 255 2...

Page 113: ...ls NSF 1 and NSF 2 2 Log in to firewall NSF 1 as admin and type new for initializing the firewall as a new installation Sync net 10 10 1 0 NSF 1 10 10 1 1 2 3 2 3 1 Check Point Management Station Smar...

Page 114: ...e VRRP on the client interface join Join the cluster Management network port 1 Firewall NSF 2 IP 10 10 1 2 MIP IP 10 10 1 10 Check Point Gateway Installation Type 1 Main info clu IP addr type MIP Loca...

Page 115: ...tware to support failover on the OSPF network Main cfg net if 4 addr1 200 200 200 1 Main cfg net if 4 addr2 200 200 200 2 Main cfg net if 4 mask 255 255 255 0 Main cfg net if 4 port 4 Main cfg net if...

Page 116: ...m the Topology page specify the cluster IPs for the interfaces External interface Name External_If IP 10 8 90 200 Internal interface Name Internal_If IP 200 200 200 4 15e Add a new rule to allow OSPF...

Page 117: ...over type VRRP active standby also referred to as high availability VRRP active active or ClusterXL Check Point failover solution VRRP on the Switched Firewall on page 118 Configuring VRRP active stan...

Page 118: ...ion that deviates from RFC 2338 in some details The VRRP router controlling the IP addresses associated with the virtual router is called the active master and it forwards packets intended for these I...

Page 119: ...r is independent of the default condition For more information see Active master determination on page 119 Active master determination VRRP ensures that one virtual router or the other assumes the rol...

Page 120: ...tunity to respond to ensure that it is down before going on to the next step If ARP replies from the active master are not received failover occurs the backup virtual router assumes the role of active...

Page 121: ...availability and active active configurations Active Standby High Availability The active master uses its vrid to set a unique virtual router MAC address according to this formula 0x00005E0001 vrid Th...

Page 122: ...86 VRRP router parameters VRRP router parameters are defined globally using the CLI VRRP Settings Menu on page 335 or the BBI see the Network VRRP form in the Nortel Switched Firewall 5100 Series BBI...

Page 123: ...dress IP address mapping Then the backup delays a period of time defined by the cfg net vrrp garp GARP delay value before sending continuous GARP messages at intervals defined by the cfg net vrrp gbca...

Page 124: ...page 330 The virtual router IP address and the sub addresses must be unique but all three IP addresses must belong to the same subnet Advanced failover check If Advanced Failover Check AFC cfg net vr...

Page 125: ...an effective high availability network that reduces the chance that a single point of failure can bring down the system The following topics are addressed in this section Configuration overview on pa...

Page 126: ...to the firewalls hubs may also be used for the same purpose The default data path is through link3 and link4 since the VRRP Election process see page 119 default designates the firewall with the highe...

Page 127: ...add the second firewall NOTE If access lists are configured on the firewall 1 make sure that an access list entry for firewall 2 is added on firewall 1 or add an access list entry for the SSI network...

Page 128: ...redundant network feeds to the Switched Firewalls NOTE Be sure to connect each network to the same port interface on both Switched Firewalls Configuration check list 1 Check Point sync network should...

Page 129: ...a unique IP address but enter the same MIP you used for firewall 1 3 Reboot and log back into NSF 1 to complete the VRRP configuration on both Switched Firewalls NOTE The Nortel Single System Image S...

Page 130: ...ses 6 Enter the virtual router ID vrid Each virtual router interface gets a unique vrid which is used to generate the virtual router MAC address see MAC address mapping on page 121 NOTE Vrids must be...

Page 131: ...p ip2 are both set to 0 0 0 0 For additional information about the Sync interface see Synchronizing Nortel Switched Firewalls on page 186 Configure the real addresses for the router interface and enab...

Page 132: ...ive failover Refer to Configuration dump for Check Point ClusterXL failover on page 179 13 Launch the Check Point SmartDashboard tool to manage both firewalls as a cluster Active Standby failover Refe...

Page 133: ...ve standby Use the following procedure to configure Check Point software for active standby mode 1 Enter the IP address of the external interface as shown in Figure 59 Check Point Gateway Cluster IP a...

Page 134: ...uide and Command Reference 134 Redundant Firewalls 213455 L October 2005 2 Perform the following steps to select Cluster Members and to verify the firewalls in the cluster see Figure 60 Figure 60 Gate...

Page 135: ...135 213455 L October 2005 2a Check for third party configuration see Figure 61 Figure 61 Gateway Cluster Properties Third party configuration NOTE For more information about third party configuration...

Page 136: ...mand Reference 136 Redundant Firewalls 213455 L October 2005 2b To enable synchronization select 1st Synch from the Network Objective list on the Edit Topology page see Figure 62 Figure 62 Edit Topolo...

Page 137: ...137 213455 L October 2005 3 Ensure that the Automatic ARP configuration check box on the NAT page is not checked Do not let Check Point handle ARP in Active Standby mode see Figure 63 Figure 63 Globa...

Page 138: ...ls 213455 L October 2005 5 If you are using Check Point SmartDefence TTL fingerprint scrambling set TTL to 255 as shown in Figure 64 Figure 64 Check Point SmartDashboard SmartDefense TTL page The rema...

Page 139: ...g sys dns cfg sys cluster cfg sys cluster host 1 cfg sys cluster host 2 cfg sys accesslist add 172 25 3 0 255 255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena n cfg sys adm...

Page 140: ...rtype 2 ena false cfg sys adm audit servers cfg sys adm auth timeout 10s fallback on ena false cfg sys adm auth servers cfg sys log debug n srcip auto cfg sys log syslog cfg sys log ela ena n addr 0 0...

Page 141: ...0 mode full cfg net port 4 name none autoneg on speed 0 mode full cfg net port 5 name none autoneg on speed 0 mode full cfg net port 6 name none autoneg on speed 0 mode full cfg net if 1 addr1 10 10 1...

Page 142: ...200 1 1 1 addr2 200 1 1 2 mask 255 255 255 0 vlanid 0 port 4 mgmt n ena y cfg net if 3 vrrp vrid 192 ip1 200 1 1 100 ip2 0 0 0 0 cfg net vrrp ha y aa n clusterxl n adint 3 garp 1 gbcast 2 afc y prefma...

Page 143: ...ad 40 trans 1 retra 5 auth none ena n cfg net ospf if 4 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 5 aindex 0 prio none cost1 none cost2 2...

Page 144: ...ultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena n cfg net dhcprl if 4 ena n cfg net dhcprl if 5 ena n cfg fw ena...

Page 145: ...active active failover on page 154 Configuration overview An active active configuration is similar to a active standby configuration see Configuring VRRP active standby failover on page 125 with the...

Page 146: ...te layer 7 switches to supply separate data feeds for the firewall hosts The synchronization connection on port 2 supports stateful failover see Synchronizing Nortel Switched Firewalls on page 186 for...

Page 147: ...terface then make sure cfg net if vrrp ip1 and cfg net if vrrp ip2 settings for the sync interface are 0 0 0 0 3 VLAN is not supported on the sync interface 4 Make sure the routers are pointing to the...

Page 148: ...figuring Check Point software Use the following procedure to configure Check Point software 1 On the Gateway Cluster Properties General Properties page type the IP address for the external interface s...

Page 149: ...Guide and Command Reference Redundant Firewalls 149 213455 L October 2005 1a To view the members of the gateway cluster select Cluster Members from the Gateway Cluster Properties list Figure 67 Cluste...

Page 150: ...arty Configuration from the Gateway Cluster Properties list and check for proper third party configuration see Figure 68 Figure 68 Gateway Cluster Properties 3rd Party Configuration NOTE For more info...

Page 151: ...2 3 3 User s Guide and Command Reference Redundant Firewalls 151 213455 L October 2005 3 From the Gateway Cluster Properties list select the Edit Topology page and enable Synchronization see Figure 69...

Page 152: ...alls 213455 L October 2005 4 Select Global Properties FireWall NAT and ensure that the Automatic ARP configuration check box is not checked see Figure 70 Do not let Check Point handle ARP in Active Ac...

Page 153: ...3455 L October 2005 6 If you are using Check Point SmartDefense TTL fingerprint scrambling then set TTL to 255 as shown in Figure 71 Figure 71 Check Point SmartDashboard SmartDefense TTL The remaining...

Page 154: ...ys time ntp cfg sys dns cfg sys cluster cfg sys cluster host 1 cfg sys cluster host 2 cfg sys accesslist add 172 25 3 0 255 255 255 0 cfg sys adm idle 10m cfg sys adm telnet ena n cfg sys adm ssh ena...

Page 155: ...cfg sys adm audit vendorid 1872 alteon vendortype 2 ena false cfg sys adm audit servers cfg sys adm auth timeout 10s fallback on ena false cfg sys adm auth servers cfg sys log debug n srcip auto cfg s...

Page 156: ...none autoneg on speed 0 mode full cfg net port 3 name none autoneg on speed 0 mode full cfg net port 4 name none autoneg on speed 0 mode full cfg net port 5 name none autoneg on speed 0 mode full cfg...

Page 157: ...0 port 3 mgmt y ena y cfg net if 2 vrrp vrid 11 ip1 100 1 1 100 ip2 100 1 1 200 cfg net if 3 addr1 200 1 1 1 addr2 200 1 1 2 mask 255 255 255 0 vlanid 0 port 4 mgmt n ena y cfg net if 3 vrrp vrid 192...

Page 158: ...hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 3 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 4 aindex 0 prio none cost1 n...

Page 159: ...redist static metric 10 t1 rmap 0 ena n cfg net ospf redist defaultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena...

Page 160: ...terXL is Check Point's implementation of failover For more information about ClusterXL refer to the Check Point documentation Figure 72 illustrates the topology for configuring Check Point ClusterXL fai...

Page 161: ...XL Server 100 1 1 150 gw 200 1 1 100 Client 100 1 1 150 gw 100 1 1 100 Eth0 172 25 3 1 24 Management Eth1 10 10 1 1 24 Sync Eth3 200 1 1 1 24 Eth2 100 1 1 1 24 Clean Eth0 172 25 3 2 24 Management Eth1...

Page 162: ...in unicast mode as some routers may not support Multicast mac address 2 Select the multicast mode of ClusterXL if your router supports Multicast Mac address see page 176 3 Select IPs in the Advanced L...

Page 163: ...213455 L October 2005 Step by step configuration procedure Use the following procedure to configure the management station 1 Select the Host Node General Properties page and perform the following ste...

Page 164: ...ewall 2 3 3 User s Guide and Command Reference 164 Redundant Firewalls 213455 L October 2005 1b Establish the security policy on the Check Point SmartDashboard see Figure 74 Figure 74 Check Point Smar...

Page 165: ...Guide and Command Reference Redundant Firewalls 165 213455 L October 2005 1c Specify the Cluster IP address of the external interface and select the ClusterXL check box see Figure 75 Figure 75 Gateway...

Page 166: ...Reference 166 Redundant Firewalls 213455 L October 2005 2 Click Communication see Figure 76 Figure 76 Cluster Member Properties General key 1 3 Provide the activation key see Figure 77 4 Click Initial...

Page 167: ...ndow appears showing the Trust state Figure 78 Figure 78 Communication In Figure 78 the Trust state shows Trust established TIP If trust is not established there is no communication between the manage...

Page 168: ...ser s Guide and Command Reference 168 Redundant Firewalls 213455 L October 2005 6 From the Gateway Cluster Properties menu select Topology The Edit Topology page appears see Figure 79 Figure 79 Edit T...

Page 169: ...Reference Redundant Firewalls 169 213455 L October 2005 The Interface Properties window appears see Figure 80 See Figure 81 Figure 82 and Figure 83 for examples of the Interface Properties for eth1 et...

Page 170: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 170 Redundant Firewalls 213455 L October 2005 Figure 81 Interface Properties General eth1 Figure 82 Interface Properties General eth2...

Page 171: ...rewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 171 213455 L October 2005 Figure 83 Interface Properties General eth3 9 Click Communication see Figure 84 Figure 84 Cluster Member P...

Page 172: ...tialize see Figure 85 Figure 85 Communication Activation Key The Communication window indicating the Trust state appears see Figure 86 Figure 86 Communication window Trust state In Figure 86 the Trust...

Page 173: ...ewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 173 213455 L October 2005 The DN details appear in the Cluster Members property window 13 Select the Topology tab see Figure 87 Figur...

Page 174: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 174 Redundant Firewalls 213455 L October 2005 Figure 88 Interface Properties General eth0 Figure 89 Interface Properties General eth1...

Page 175: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference Redundant Firewalls 175 213455 L October 2005 Figure 90 Interface Properties General eth2 Figure 91 Interface Properties General eth3...

Page 176: ...s Guide and Command Reference 176 Redundant Firewalls 213455 L October 2005 14 On the Gateway Cluster Properties ClusterXL page select Load Sharing for ClusterXL properties see Figure 91 Figure 92 Ga...

Page 177: ...2 3 3 User s Guide and Command Reference Redundant Firewalls 177 213455 L October 2005 The Advanced Load Sharing Configuration window appears see Figure 93 Figure 93 Advanced Load Sharing Configuratio...

Page 178: ...nce 178 Redundant Firewalls 213455 L October 2005 15 Enable proxy ARP Figure 95 Figure 95 Global Properties NAT Complete the remaining configuration to add the necessary rules and push the policy to t...

Page 179: ...p clusterxl 4 The IP addresses for individual member interfaces are configured using cfg net if addr1 and cfg net if addr2 5 Set cfg net if vrrp ip1 and cfg net if vrrp ip2 to 0 0 0 0 6 Port1 is used fo...

Page 180: ...y cfg sys adm web ssl certs cfg sys adm web ssl certs serv cfg sys adm web ssl certs ca cfg sys adm snmp ena y model v2c level auth access d events y alarms y rcomm public cfg sys adm snmp users cfg s...

Page 181: ...tp 0 0 0 0 int 1 0 size 0 cfg sys user expire 0 cfg sys user adv cfg sys ups type usb snmphost 0 0 0 0 snmpport 161 snmpcomm none level 5 master 0 0 0 0 ena n cfg net gateway 0 0 0 0 cfg net port 1 na...

Page 182: ...net if 2 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 3 addr1 100 1 1 1 addr2 100 1 1 2 mask 255 255 255 0 vlanid 0 port 3 mgmt n ena y cfg net if 3 vrrp vrid 1 ip1 0 0 0 0 ip2 0 0 0 0 cfg net if 4...

Page 183: ...ospf if 2 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n cfg net ospf if 3 aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none...

Page 184: ...1 rmap 0 ena n cfg net ospf redist defaultgw metric 10 t1 ena n cfg net parp enable n cfg net parp list cfg net dhcprl ena n cfg net dhcprl if 2 ena n cfg net dhcprl if 3 ena n cfg net dhcprl if 4 ena...

Page 185: ...behind the Firewall perform the following steps 1 Open a DOS window on the management station and enter a static route between addr1 and the host 1 IP address For this example the management station...

Page 186: ...5 Push the policy 6 Use the following CLI command to turn on HA cfg net vrrp ha y apply Synchronizing Nortel Switched Firewalls Two Switched Firewalls can be synchronized to provide stateful failover...

Page 187: ...ple Host 2 3 From the Check Point SmartDashboard update the firewall interface information See page 136 4 From the Check Point SmartDashboard re-install the security policies on both Nortel Switched F...

Page 189: ...an configure your firewall in bridge mode This chapter describes how to configure the Nortel Switched Firewall for Layer 2 and Layer 3 firewalls Overview on page 190 Configuring Layer 2 bridge mode Fi...

Page 190: ...ransparently through a bridge because forwarding is done at Layer 2 Packets are forwarded based on the Ethernet address rather than the IP address An Ethernet bridge distributes Ethernet frames from o...

Page 191: ...e up to 25 bridges and add any physical port other than the SSI management port to these bridges If you define bridges for specific VLANs then the ports attached to the bridge listen to those VLANs only I...

Page 192: ...e mode firewall The Layer 2 bridge is configured on interfaces eth2 and eth3 on ports 3 and 4 The sync and management 172 16 2 144 145 networks are configured on port 1 Figure 96 Configuring Layer...

Page 193: ...ort To support failover on Layer 2 firewalls you must configure VRRP in one of the following two ways Pure Layer 2 mode Configure at least one non bridge interface with VRRP and a bridge interface wit...

Page 194: ...aces configured on the firewall The management network and sync configuration is connected through Interface 1 Proceed to the next section to configure Check Point software to support Layer 2 bridge m...

Page 195: ...itched Firewall NSF 2 perform the following steps 1a Select General Properties from the Gateway Cluster Properties menu The Gateway Cluster Properties General Properties page appears see Figure 97 Fig...

Page 196: ...oducts area select the following Firewall SmartView Monitor 1h Click OK 2 From the Gateway Cluster Properties menu select Cluster Members The Gateway Cluster Properties Cluster Members page appears se...

Page 197: ...s Guide and Command Reference Layer 2 and Layer 3 Firewalls 197 213455 L October 2005 The Cluster Member Properties page appears see Figure 99 Figure 99 Cluster Member Properties 3 Repeat steps 2 thr...

Page 198: ...select Topology The Edit Topology page appears see Figure 100 TIP Check Point cannot identify a pure Layer 2 bridge device because the bridge interface does not hold a valid IP address Figure 100 Edi...

Page 199: ...n the Specify Cluster operating mode area select High Availability 6c From the 3rd Party Solution list select Other OPSEC 6d Select Use State Synchronization 6e Consult the OPSEC documentation to dete...

Page 200: ...ewalls 213455 L October 2005 Check Point disables address spoofing on bridge ports unless they are manually added to the configuration eth2 and eth3 are bridge ports Figure 102 Gateway Cluster Propert...

Page 201: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference Layer 2 and Layer 3 Firewalls 201 213455 L October 2005 8a Edit the topology for the cluster Figure 103 Edit Topology 8b Click OK...

Page 202: ...se the following procedures 1 Configuring the Firewall software 2 Configuring the Check Point software to support a Layer 3 Firewall Configuring the Firewall software Figure 104 shows the network topo...

Page 203: ...rewall Figure 104 Configuring Layer 3 Firewall Host 1 Host 2 Host 3 Host 4 172 16 5 11 172 16 5 12 172 16 5 13 172 16 5 14 eth3 eth2 eth3 eth2 Internal eth1 Host 5 Host 6 192 168 1 5 172 16 2 147 2 1...

Page 204: ...firewall see Setting up the basic configuration on page 37 specify port 1 for the management network and the firewall IP address 172 16 2 144 Specify VLAN tag ID 0 for the management traffic Configur...

Page 205: ...nfigured on the firewall The management network and sync configuration is connected through Interface 1 and the external network is connected through interface 2 Proceed to the next section to configu...

Page 206: ...irewall NSF 2 perform the following steps 1a Select General Properties from the Gateway Cluster Properties menu The Gateway Cluster Properties General page appears see Figure 105 Figure 105 Gateway Cl...

Page 207: ...ducts area select the following Firewall SmartView Monitor 1h Click OK 2 From the Gateway Cluster Properties menu select Cluster Members The Gateway Cluster Properties Cluster Members page appears see...

Page 208: ...appears see Figure 107 Figure 107 Cluster Member Properties 3 Type the IP Address for NSF 1 in the IP Address field TIP Select Get Address to browse for and select the IP Address 3a Click OK 4 Repeat...

Page 209: ...3 device because the bridge interface holds a valid IP address Figure 108 Edit Topology 6 Manually add the cluster IP address for the bridge interface with VRRP IP addresses 172 16 5 1 255 255 255 0...

Page 210: ...ty 7c Select Other OPSEC from the 3rd Party Solution list 7d Select Use State Synchronization 7e Consult the OPSEC documentation to determine the settings for the OPSEC check boxes 7f Click OK NOTE Th...

Page 211: ...er Properties menu select Topology The Gateway Cluster Properties Topology page appears see Figure 110 8b Select Enable Extended Cluster Anti Spoofing The Check Point software disables Address Spoofin...

Page 212: ...Nortel Switched Firewall 2 3 3 User s Guide and Command Reference 212 Layer 2 and Layer 3 Firewalls 213455 L October 2005 9a Edit the topology for the cluster Figure 111 Edit Topology 9b Click OK...

Page 213: ...ot have different VLAN tags TCP proxies NAT VPN and Syndefender are not supported on a Layer 2 firewall If VLANs are configured on the bridge then TAG is always enabled for that interface If you confi...

Page 215: ...escribes several applications including Check Point applications that Nortel Switched Firewall 2 3 3 supports Uninterruptible Power Supply on page 216 RADIUS authentication on page 221 VPN support on...

Page 216: ...system shutdown follows when one of the following occurs the battery is exhausted a timeout in seconds expires a runtime expires based on internal APC calculations Sometimes power returns during the...

Page 217: ...ure 112 Configuring UPS in stand alone mode Use the following commands to configure the firewall for the configuration shown in Figure 112 1 Select UPS type 2 Specify the battery level 0 100 of the UP...

Page 218: ...UPS type 2 Specify the Master firewall for the UPS device NOTE Master Firewall refers to the Firewall that is physically connected to the UPS USB 3 Specify the battery level 0 100 of the UPS device a...

Page 219: ...se for SNMP based support Use the following commands to configure the firewall for the configuration shown in Figure 114 1 Select UPS type 2 Specify the Master firewall for the UPS device NOTE Master...

Page 220: ...7 Enable UPS Monitor Displaying UPS configuration Verify UPS configuration with the following command cfg sys ups snmphost Current value 0 0 0 0 Enter IP address of the UPS Set IP address of SNMP UPS...

Page 221: ...thentication applies to both stand alone and cluster configurations Use the following commands to configure the firewall for the RADIUS support 1 Add a user 2 Select a group Edit the user created in S...

Page 222: ...CLI The RADIUS server can also be set up in a high availability configuration The console session in the current master takes over and login is possible through the console and the BBI If failover oc...

Page 223: ...es running third party VPN software VPN support is entirely configured by the Check Point management tools To enable VPN support do the following 1 Open the SmartDashboard 2 Double click the firewall...

Page 224: ...and Command Reference 224 Applications 213455 L October 2005 7 On the VPN Advanced page select the appropriate options for your system Figure 116 Figure 115 Gateway Cluster Properties General Figure...

Page 225: ...lable modes are Load Sharing In this mode the load is distributed between the ISPs for all outgoing connections New connections are randomly assigned to a link If a link fails all new outgoing connect...

Page 226: ...IIS servers The user authority feature is used by two kinds of users LAN users Users on the LAN use user authority to access the external resources to provide various authentication and authorization...

Page 227: ...on the firewall module 4 Configure user authority web access FP3 installed on top of Microsoft IIS webserver 4 0 or 5 0 in Windows 2000 or Windows NT server Refer to your Check Point documentation for...

Page 229: ...on page 231 Nortel Switched Firewall SSI upgrades on page 231 Built in Firewall software upgrades on page 231 Check Point Management Station upgrades on page 232 Upgrade and reinstall images on page...

Page 230: ...the Firewall OS and built in Check Point firewall software The latest released version is factory installed and a copy of the software on CD ROM is included with each shipment Check Point Firewall 1 N...

Page 231: ...e in order to initialize new features All configuration data is retained Minor Releases This type of upgrade typically corrects minor software problems on the Nortel Switched Firewall Minor upgrades m...

Page 232: ...tion of this reinstall see Reinstalling software on page 240 The img image is installed from an ftp tftp scp sftp server using the boot user login with the ForgetMe password The img image overwrites t...

Page 233: ...CDROM The server must allow anonymous login NOTE Make certain that your FTP TFTP SCP SFTP server is on a secure trusted network One way to ensure FTP security is to implement the server on the SmartC...

Page 234: ...ount and check the current version of the software as shown below 2 FTP or TFTP download If you downloaded the upgrade image to the FTP TFTP SCP SFTP server do the following only anonymous ftp is supp...

Page 235: ...rent status changes to permanent permanent means that the software is operational and will survive a reboot of the system NSF 2 3 3 does not support downgrading from 2 3 3 to previous releases You can...

Page 236: ...e status of the software package 2 Activate the new unpacked software package 3 Wait for the firewall to reboot As a result of running the activate command the system reboots and you have to re login...

Page 237: ...l with the in the MIP column 2 Log in to one of the firewalls with the MIP using the admin account 3 Upgrade the Check Point software on the Management station from R55 to NGX R60 4 Select the version...

Page 238: ...using Smart Update 14 Push the Policy to both of the firewalls and make sure both firewalls are UP in the info summary menu It takes longer for the NSF 2 3 3 version to come up because of the vari...

Page 239: ...ic is forwarding properly by watching the Check Point logs using SmartView Tracker on the Check Point SMART Client Table 4 shows the time it takes to complete an upgrade procedure Main info net vrrp s...

Page 240: ...can later be restored by using the gtcfg command For more information about these commands see the Configuration Menu on page 279 There are two methods of reinstalling software on the firewall Using t...

Page 241: ...must provide access to your tftp ftp server To do this use the maint diag fw unldplcy command but exercise caution the command provides access to all Follow up with a policy push from your SmartCente...

Page 242: ...the boot user The password is ForgetMe 3 After a successful login follow the onscreen prompts and provide the required information For example login boot Password Available network interfaces br0 00...

Page 243: ...mation about network settings such as IP address network mask and gateway IP address After the new boot image has been installed the Firewall will reboot and you can log in again when the login prompt...

Page 245: ...ss has been granted see Defining the remote access list on page 252 For additional details see The Command Line Interface on page 251 The Browser Based Interface BBI The BBI allows management through...

Page 246: ...bility four levels of user access have been implemented on the Nortel Switched Firewall The default user names and password for each access level are listed in Table 5 User names and passwords are cas...

Page 247: ...f this documentation CAUTION The root login on this system is only intended for debugging and emergency repair typically under the direction of support personnel All modifications to the system includ...

Page 249: ...mand Line Interface CLI commands and menu items organized in the same way as the CLI The section starts with listing the global commands which can be used at any menu prompt and then explains the rema...

Page 251: ...ub menus Each menu displays a list of commands and or sub menus that are available along with a summary of what each command does Below each menu is a prompt where you can enter any command appropriat...

Page 252: ...remote access list The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system There is only one remote access list which i...

Page 253: ...he access list are permitted to access any enabled management feature You cannot enable SSH for some and Telnet for others 3 Apply the changes Using Telnet A Telnet connection allows convenient manage...

Page 254: ...es are configured during the initial setup see Chapter 2 Initial setup on page 29 3 Enable Telnet For security purposes Telnet is initially disabled To enable Telnet sessions on the Firewall issue the...

Page 255: ...ected to the network SSH access provides the same management options as those available through the local serial port SSH access provides the following security benefits Server host authentication Enc...

Page 256: ...and When reconnecting to the Nortel Switched Firewall after having generated new host keys your SSH client will display a warning that the host identification or host keys have been changed 5 Use the a...

Page 257: ...e following SSH command where the l lower case L option is followed by the user name admin oper and so on being logged in and the host IP address NOTE You cannot log in as boot or root using SSH Once...

Page 258: ...hanges and make them take effect the administrator must use the global apply command This allows the administrator to make an entire series of changes and then put them into effect all at once The glo...

Page 259: ...e minutes of inactivity This function is controlled by the idle time out parameter as shown in the following command where the time out period is specified in seconds as an integer from 300 604800 sec...

Page 260: ...command Provides more information about a specific command on the current menu When used without the command parameter a summary of the global commands is displayed Redisplay the current menu or up...

Page 261: ...illiseconds between attempts The DNS parameters must be configured if specifying hostnames see DNS Servers Menu on page 285 pwd Display the command path used to reach the current menu revert Cancel al...

Page 262: ...h the last 10 commands The recalled command can be entered as is or edited using the options below Ctrl n Also the down arrow key Recall the next command from the history list This can be used multipl...

Page 263: ...rs that distinguish the command from the others in the same menu or sub menu For example the command shown above could also be entered as follows Tab completion By entering the first letter of a comma...

Page 265: ...Configuration Menu boot Boot Menu maint Maintenance menu diff Show pending config changes global command validate Validate configuration global command security Display security status global command...

Page 266: ...rading Nortel Switched Firewall software and for rebooting if necessary The Boot Menu is accessible using an administrator login See page 365 for menu items maint The Maintenance Menu is used for sen...

Page 267: ...disabled for remote management features such as Telnet SSH and the BBI for the cluster It also lists which users if any are still using default passwords which should be changed apply This global com...

Page 268: ...tor copy the information and paste it to the CLI window When pasted the configuration content is batch processed by the Nortel Switched Firewall The pasted commands are entered as pending and any in...

Page 269: ...cs brmac Show a list of bridge mac entries sensor Show sensor information ssh Show SSH configuration web Show Web configuration log Show Log configuration ups Show UPS configuration about Show informa...

Page 270: ...isplays the current network configuration This is the same information that is displayed using the cfg net cur command To view menu items see page 274 fw This command displays the Firewall status enab...

Page 271: ...r to the brctl show command from the root prompt brmac This command displays the list of mac addresses learned dynamically by the bridges configured on the Switched Firewall This command is similar to...

Page 272: ...command lists the alarms generated in the system The sensor module is responsible for generating the alarm events when the fan rpm values reach the critical level or when the temperature reaches th...

Page 273: ...ormation includes CPU use hard disk use and status of important applications such as Webserver Check Point Firewall SNMP and Inet Server link This command displays the status information for all netwo...

Page 274: ...ays the current statistics for the following parameters CPU use memory use hard disk use total connections and connections per second rate and throughput histdata This command displays historical data...

Page 275: ...n from the root prompt gw This command displays the default gateway configured in the cluster When no gateway is configured this command displays the following log message no default gateway has been...

Page 276: ...tic and OSPF routes info net route ospf OSPF Router Information Menu info_net_route Menu static Show static routes configuration ospf OSPF Router Menu Table 14 Route Information Menu info net route Co...

Page 277: ...tables which includes the link ID ADV router age sequence checksum and link count neigh This command displays information about the cluster's OSPF neighbors Neighbors are routing devices that maintai...

Page 278: ...Show VRRP status cfg Show VRRP configuration Table 16 VRRP Information Menu info net vrrp Command and Usage status This command displays the status of the VRRP virtual router cfg This command display...

Page 279: ...paste Table 17 Configuration Menu cfg Command Syntax and Usage sys The System Menu is used for configuring system wide parameters See page 281 for menu items net The Network Configuration Menu is use...

Page 280: ...st reboot the Switched Firewall after restoring a configuration using the cfg gtcfg command misc The Miscellaneous Settings Menu is used to turn on or off configuration warning messages See page 364...

Page 281: ...s dns The DNS Servers Menu lets you change Domain Name System DNS parameters See page 285 for menu items cluster This command displays the Host Information menu which allows you to configure the host...

Page 282: ...m Logging Menu is used to configure system message logging features Messages can be logged to the system console terminal ELA facility and archived to a file that can be automatically e mailed See pa...

Page 283: ...date YYYY MM DD This command sets the system date according to the specified format time HH MM SS This command sets the system time using a 24 hour clock format NOTE It is recommended that you reboot...

Page 284: ...mmand lists all configured NTP servers by their index number and IP address del index number This command lets you remove an NTP server from the configuration by specifying the server s index number U...

Page 285: ...r and IP address del index number This command lets you remove a DNS server by index number Use the list command to display the index numbers and IP addresses of added DNS servers add DNS server IP ad...

Page 286: ...u The Host Information Menu allows you to configure the Firewall's host IP address Cluster Menu host Cluster Host Menu Table 22 Cluster Menu cfg sys host Command Syntax and Usage host cluster host num...

Page 287: ...me This command allows you to give a user friendly name to each firewall When you log in as admin the name of the firewall is displayed as part of the banner This allows you to easily identify the fire...

Page 288: ...command To view the host number type and IP address for both hosts in a cluster use the cfg sys cluster cur command Once you have removed a host from the cluster using the delete command you can only...

Page 289: ...cess list You can ping the firewall host from an IP address not listed in the access list however When a client's IP address is added to the access list that client is permitted to access all enabled...

Page 290: ...an remain inactive before being automatically logged out The time period is specified in seconds from 300 to 3600 The default is 600 seconds 10 minutes NOTE If you make changes to the Firewall config...

Page 291: ...Network Management Protocol SNMP read access and to enable or disable SNMP event and alarm messages for the Nortel Switched Firewall This menu is also used for defining SNMP information permission l...

Page 292: ...lnet on page 253 Telnet Administration Menu ena Enable Telnet dis Disable Telnet Table 26 Telnet Administration Menu cfg sys adm telnet Command Syntax and Usage ena This command enables the Telnet man...

Page 293: ...By default SSH is disabled For more information about the SSH feature see Using Secure Shell on page 255 SSH Administration Menu ena Enable SSH dis Disable SSH sshkeys SSH host keys menu Table 27 SSH...

Page 294: ...generate Generate new SSH host keys for the cluster show Show current SSH host keys for the cluster knownhosts SSH known host keys menu Table 28 SSH Host Keys Menu cfg sys adm ssh sshkeys Command Syn...

Page 295: ...known SSH keys of remote hosts del Delete known SSH host key by index add Add a new SSH host key import Retrieve SSH key from remote host Table 29 SSH Known Host keys Menu cfg sys adm ssh sshkeys know...

Page 296: ...S with Secure Socket Layer SSL or both For more information see the NSF 2 3 3 Browser Based Interface User s Guide 216383 D Web Administration Menu http HTTP Configuration Menu ssl SSL Configuration M...

Page 297: ...rmation see the NSF 2 3 3 Browser Based Interface User s Guide 216383 D HTTP Configuration Menu port Set HTTP Port number ena Enable HTTP dis Disable HTTP Table 31 HTTP Configuration Menu cfg sys adm...

Page 298: ...isable SSL tls Set TLS sslv2 Set SSL version 2 sslv3 Set SSL version 3 certs Certificate Management Menu Table 32 SSL Configuration Menu cfg sys adm web ssl Command Syntax and Usage port HTTPS port nu...

Page 299: ...Authority certificates required for SSL See page 299 for menu items Certificate Management Menu serv Server Certificate Management Menu ca Certificate Authority Management Menu Table 33 Certificate M...

Page 300: ...erate a certificate request or a self signed certificate exp This command is used for exporting certificate requests to an external Certificate Authority CA This command produces output that can be co...

Page 301: ...a CA certificate add Add a CA certificate Table 35 CA Certificate Management Menu cfg sys adm web ssl certs ca Command Syntax and Usage list This command lists all configured CA certificates del This...

Page 302: ...Based Interface User s Guide 216383 D SNMP Administration Menu ena Enable SNMP dis Disable SNMP model Set security model level Set usm security level access Set read access control events Set trap ev...

Page 303: ...ages to the SNMP trap hosts When enabled messages regarding general occurrences such as detection of a new components are sent alarms y n This command is used to enable or disable sending alarm messag...

Page 304: ...system The SNMP System Information Menu is used to configure basic identification informa tion such as support contact name system name and system location See page 306 for menu items adv The Advanced...

Page 305: ...ord and confirmation password the user must enter for access encryption string and confirmation if the level encrypt option is used on the SNMP Administration Menu cfg sys adm snmp the encryption stri...

Page 306: ...enter port number community string and trap user information insert index number IP address This command lets you add a new trap host IP address to the access list at the specified index position All...

Page 307: ...Advanced Settings Menu trapsrcip Set source ip of traps Table 40 Advanced SNMP Settings Menu cfg sys adm snmp adv Command and Usage trapsrcip auto unique mip This command is used to configure which s...

Page 308: ...6 RADIUS Accounting Audit Menu servers RADIUS Servers Menu vendorid Set vendor id for audit attribute vendortype Set vendor type for audit attribute ena Enable server dis Disable server Table 41 Audit...

Page 309: ...ries in the RADIUS server log can be made easier by defining a suitable string in the RADIUS server dictionary for example Nortel NSF Audit Trail and mapping this string to the vendor type value Note...

Page 310: ...ration Specify the IP address a TCP port number and the shared secret The next available index number is assigned automatically by the system For backup purposes several RADIUS audit servers can be ad...
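The Audit Menu entries above (vendorid, vendortype, and the RADIUS dictionary string such as "Nortel NSF Audit Trail") describe a RADIUS Vendor-Specific Attribute (RFC 2865 section 5.26, attribute type 26). The following Python is an added example, not code from the Nortel guide: it builds and parses that attribute so the dictionary mapping on the accounting server can be checked against real packets. VENDOR_ID, VENDOR_TYPE and the audit text are placeholders, not Nortel's registered values; substitute the values configured with cfg/sys/adm/audit.

```python
"""Build and parse the RADIUS Vendor-Specific Attribute (RFC 2865 section
5.26, attribute type 26) that carries the firewall's audit-trail string.
Added example, not code from the Nortel guide; VENDOR_ID, VENDOR_TYPE and
the sample audit text are placeholders, not Nortel's registered values."""
import struct

RADIUS_VSA = 26            # Vendor-Specific attribute type
RADIUS_USER_NAME = 1
VENDOR_ID = 99999          # assumed placeholder: use your audit vendorid value
VENDOR_TYPE = 1            # assumed placeholder: use your audit vendortype value


def encode_attr(atype, value):
    """Generic Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack(">BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, text):
    """Vendor-Specific: Vendor-Id (4 bytes) followed by one vendor
    sub-attribute (vendor type, vendor length, string)."""
    value = text.encode("utf-8") if isinstance(text, str) else text
    sub = struct.pack(">BB", vendor_type, len(value) + 2) + value
    return encode_attr(RADIUS_VSA, struct.pack(">I", vendor_id) + sub)


def decode_attributes(payload):
    """Walk an attribute list into [(type, value bytes)].  A bad length
    aborts the parse instead of resynchronising on a guessed offset."""
    attrs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[offset + 2:offset + alen]))
        offset += alen
    return attrs


def is_well_formed(payload):
    """True when every attribute in the list has a consistent length."""
    try:
        decode_attributes(payload)
        return True
    except ValueError:
        return False


def audit_strings(payload, vendor_id, vendor_type):
    """Audit-trail strings from every VSA matching our vendor id and type;
    other vendors' VSAs and other sub-attributes are ignored."""
    found = []
    for atype, value in decode_attributes(payload):
        if atype != RADIUS_VSA or len(value) < 6:
            continue
        if struct.unpack(">I", value[:4])[0] != vendor_id:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == vendor_type:
                found.append(sub[2:vlen].decode("utf-8", "replace"))
            sub = sub[vlen:]
    return found


# Constructed sample attribute list, as an accounting server might see it:
# User-Name followed by the vendor-specific audit entry.
SAMPLE_PAYLOAD = (encode_attr(RADIUS_USER_NAME, b"admin")
                  + encode_vsa(VENDOR_ID, VENDOR_TYPE,
                               "constructed audit entry: cfg/sys/adm/ssh/ena"))

if __name__ == "__main__":
    print(SAMPLE_PAYLOAD.hex())
    print(audit_strings(SAMPLE_PAYLOAD, VENDOR_ID, VENDOR_TYPE))
```

If the dictionary entry on the RADIUS server is keyed to a different vendor id or vendor type than the firewall sends, audit_strings returns nothing for the packet, which is exactly the symptom of a mismatched vendorid/vendortype setting.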

Page 311: ...k Use local password as fallback ena Enable RADIUS Authentication dis Disable RADIUS Authentication Table 43 Authentication Menu cfg sys adm auth Command Syntax and Usage servers This command displays...

Page 312: ...onfiguration Specify the IP address a TCP port number and the shared secret The next available index number is assigned automatically by the system For backup purposes several RADIUS authentication se...

Page 313: ...le 45 Platform Logging Menu cfg sys log Command Syntax and Usage syslog The System Logging Menu is used to configure syslog servers The Nortel Switched Firewall software can send log messages to speci...

Page 314: ...of the outgoing interface is used This is the default unique The IP address of the individual Switched Firewall is used mip The IP address of the cluster MIP is used This setting is useful with applic...

Page 315: ...uding its IP address and local facil ity number The local facility number can be used to uniquely identify syslog entries For more information see the UNIX manual page for syslog conf insert index num...

Page 316: ...k Point SmartCenter Server to which log messages will be sent Specify the IP address in dotted decimal notation sev emerg alert crit err warning notice info debug This command is used to set the minim...
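The syslog entries above configure the server, the local facility number that identifies the firewall's entries, and the minimum severity (emerg through debug). The following Python is an added example, not code from the Nortel guide: it decodes the <PRI> field of BSD-syslog (RFC 3164) lines on the collector and keeps only those with the firewall's facility at or above the configured severity. The log lines are constructed, and local4/warning are placeholders for whatever cfg/sys/log/syslog was set to.

```python
"""Decode the <PRI> of BSD-syslog (RFC 3164) lines and keep only those the
collector should attribute to the firewall: matching local facility and at
or above the configured minimum severity.  Added example, not code from the
Nortel guide; the log lines are constructed and the facility/severity
arguments are placeholders for the values set under cfg/sys/log/syslog."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]   # index 0 = most urgent
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + n: "local%d" % n for n in range(8)})
NAME_TO_FACILITY = {name: code for code, name in FACILITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri_value(facility, severity):
    """PRI = facility * 8 + severity, as a syslog.conf selector resolves it."""
    return NAME_TO_FACILITY[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(line):
    """Split '<PRI>rest' into (facility name, severity name, rest).
    Lines without a well-formed PRI raise, so a collector can count them
    instead of silently filing them under kern.emerg."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing or malformed PRI")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    name = FACILITIES.get(facility, "facility%d" % facility)
    return name, SEVERITIES[severity], m.group(2)


def select_firewall_entries(lines, facility="local4", min_sev="warning"):
    """Return (severity, message) for lines carrying the firewall's facility
    whose severity is at least min_sev (lower index = more severe)."""
    threshold = SEVERITIES.index(min_sev)
    kept = []
    for line in lines:
        fac, sev, rest = decode_pri(line)
        if fac == facility and SEVERITIES.index(sev) <= threshold:
            kept.append((sev, rest))
    return kept


# Constructed sample lines; 160 + severity encodes local4.<severity>.
SAMPLE_LINES = [
    "<161>Oct 12 10:00:01 fw1 vrrp: interface 1 state change to MASTER",
    "<164>Oct 12 10:00:05 fw1 sshd: failed publickey for admin from 33.1.1.7",
    "<166>Oct 12 10:00:09 fw1 cli: admin logged in from 33.1.1.7",
    "<36>Oct 12 10:00:11 otherhost sshd: Accepted password for root",
]

if __name__ == "__main__":
    for sev, msg in select_firewall_entries(SAMPLE_LINES):
        print(sev, msg)
```

The facility only tags the message; it does not authenticate the sender. When source IP is set to mip, every cluster member's entries arrive from the same address, so a collector that needs to know which physical firewall logged an event must rely on the hostname in the message or use the unique setting.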

Page 317: ...archived log Table 48 Log Archiving Menu cfg sys log arch Command Syntax and Usage email e mail address This command is used in conjunction with smtp to set the e mail address where log files will be...

Page 318: ...ys user Command Syntax and Usage passwd admin password new admin password confirm new admin password This command lets you change the administrator password The password can contain spaces and is case...

Page 319: ...d a user account Only the admin user can perform this action After adding a user account you must also assign the account to a group using the User Admin Menu edit edit user name This command opens th...

Page 320: ...d Usage password admin password new user password confirm new user password This command lets you change the password for the selected user The password can contain spaces and is case sensitive There...

Page 321: ...pubkey Set RSA DSA Public Key for User ena Enable User Account dis Disable User Account del Remove SSH User Table 51 SSH User Admin Menu cfg sys user adv user user name Command Syntax and Usage name...

Page 322: ...e Table 52 Groups Menu cfg sys user edit groups Command Syntax and Usage list This command lists all group members by index number and name for example 1 admin 2 oper del Index number of entry to dele...

Page 323: ...to configure the UPS support in the Cluster Select USB type when the Switched Firewall has been connected to the UPS through an USB cable Select SNMP when the UPS is communi cating with the Switched...

Page 324: ...o communicate with the UPS system When the UPS type is selected as USB configure the master to be the firewall that is directly connected to the UPS via the USB cable If the UPS type is configured as...

Page 325: ...ll In addition to enabling or disabling ports this menu is used to create and apply port filters and specify port link characteristics To view menu items see page 327 NOTE The 5106 and 5114 have four...

Page 326: ...re GRE tunneling in the Nortel Switched Firewall See page 339 for menu items ospf The OSPF Menu is used to configure Open Shortest Path First OSPF routing protocol See page 340 for menu items parp The...

Page 327: ...or 100Base TX segments For physical port specifications and LED behavior see the Nortel Switched Firewall 5100 Series Hardware Installation Guide Port 1 Menu name Set port name autoneg Set autonegotia...

Page 328: ...an integer representing Mb second For Fast Ethernet ports speed can be set to 10 or 100 For Gigabit Ethernet ports speed is fixed at 1000 mode This command is used to set the port duplex mode to eith...

Page 329: ...r2 interface IP address e g 192 4 17 102 This command configures the real second IP address for host 2 interface using dotted decimal notation Addr2 should not be configured unless the interface is pa...

Page 330: ...igned to an interface To config ure a port see Port Menu cfg net port on page 327 vrrp The VRRP Menu is used for configuring an interface for high availability when redun dant firewall hosts are in a...

Page 331: ...uter ID 1 255 This command assigns an ID for the virtual router interface The vrid on this interface must be configured the same for both the active master and the backup Separate inter faces must hav...

Page 332: ...s on the bridge for host 1 interface using dotted decimal notation addr2 bridge interface IP address e g 192 4 17 102 This command configures the second IP address on the bridge for host 2 interface u...

Page 333: ...e page 334 for menu items ena This command enables this bridge dis This command disables this bridge del This command removes the bridge from the firewall configuration Bridge 1 Ports Menu list List a...

Page 334: ...ents host 1 and ip2 represents host 2 Each virtual IP addresses must be on the same network as the real router IP address The virtual router IP address cfg net bridge bridge number vrrp ip1 becomes th...

Page 335: ...be configured the same for both the active master and the backup Separate inter faces must have unique vrids NOTE Vrids must be at least one number apart e g vrids 1 and 2 are not acceptable vrids 1...

Page 336: ...erify static routes against ip1 and ip2 addresses adint 1 3600 This command displays the current advertisement interval in seconds and provides the option to change it A VRRP advertisement message is...

Page 337: ...alue to determine the interval in seconds between GARP messages For example if your adint value is 10 and your gbcast value is 3 the interval between GARP messages will be 30 10 x 3 seconds The defaul...

Page 338: ...lets you remove a route from the configuration by specifying the route index number Use the list command to display the index numbers of configured routes add destination IP address destination mask g...

Page 339: ...mand Syntax and Usage name gre_tunnel name This command allows you to define a unique name of up to 16 characters phyif physical interface_number This command is used to define the local GRE tunnel en...

Page 340: ...nations based on the cumulative cost required to reach the destination The routers then select the least cost path for each routing request which optimizes traffic speed and efficiency in the network...

Page 341: ...ted for use with OSPF See page 349 for menu items rtrid1 router ID1 router IP address This command sets a static router ID 1 for this cluster The router ID is expressed in dot ted decimal IP address f...

Page 342: ...ena Enable area dis Disable area del Remove OSPF Area Index Table 65 OSPF Area Index Menu cfg net ospf aindex Command Syntax and Usage id area ID such as 0 0 0 0 This command sets the OSPF area number...

Page 343: ...This command deletes this area index from the configuration OSPF Interface 1 Menu aindex Set area index prio Set interface router priority cost1 Set Cost for first 5100 cost2 Set Cost for second 5100...

Page 344: ...based on bandwidth Low cost indicates high bandwidth The default is 1 cost2 output cost 1 65535 This command sets the cost of output routes on this interface Cost is used in calculating the shortest p...

Page 345: ...md5key option For more information see Authentication on page 100 key type 1 password This option is used with the previous OSPF auth option When the auth option is set to password the key option set...

Page 346: ...et interface router priority cost1 Set Cost for first 5100 cost2 Set Cost for second 5100 hello Set hello interval in seconds dead Set dead interval in seconds trans Set transmit delay in seconds retr...

Page 347: ...dead dead interval 1 65535 This command sets the router dead interval in seconds If the Firewall holding the MIP does not receive hello on the IP interface within the dead interval the Firewall holdin...

Page 348: ...rocessing on routing devices that are not listening to OSPF packets key plain text password This option is used with the OSPF auth option When the auth option is set to pass word the key option sets t...

Page 349: ...stribution Menu connected Connected Route Redistribution Menu static Static Route Redistribution Menu defaultgw Default Gateway Redistribution Menu Table 68 Route Redistribution Menu cfg net ospf redi...

Page 350: ...tax and Usage metric Sets metric of advertised connected routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this route The larger the cost the less preferable the...

Page 351: ...Usage metric Sets metric of advertised static routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this route The larger the cost the less preferable the route The d...

Page 352: ...u cfg net ospf redist defaultgw Command Syntax and Usage metric Sets metric of advertised default gateway routes The metric cost range is 1 to 16777214 0 none and indicates the relative cost of this r...

Page 353: ...nd to ARP requests intended for devices behind the firewall including VLAN and VRRP interfaces Table 72 Proxy ARP Menu cfg net parp Proxy Arp Menu list Proxy ARP List Menu enable Set Proxy ARP enable...

Page 354: ...you add an address to the Proxy ARP list Use dotted decimal nota tion to specify the address The maximum number of addresses is 2 048 however the recommended limit is 256 Typically the IP addresses a...

Page 355: ...sable DHCP Relay clrlocsts Clear local DHCP Relay stats Table 74 DHCP Relay Menu cfg net dhcprl Command Syntax and Usage if value 1 255 This command is used to specify the interface to allow DHCP requ...

Page 356: ...y requests into the network The default value for DHCP Relay Interface is disabled DHCP Relay Interface 1 Menu ena Allow DHCP Relay on Interface dis Disable DHCP Relay on Interface Table 75 DHCP Relay...

Page 357: ...s of DHCP server This command adds a DHCP server to the system configuration The DHCP server added here will supply clients entering the network with an IP address and a default gateway When the DHCP...

Page 358: ...ration dates of the licenses Licenses configured using the Check Point central licensing mechanism will not be listed using this command del This command is used to remove an IP address and or Check P...

Page 359: ...ll 1 NG processing on all healthy Firewalls dis Disable the Check Point Firewall 1 NG processing on the firewall and mark the Firewall as down The Check Point SmartCenter Server cannot be used to mana...

Page 360: ...st of SMART Clients that can access the Firewall when the SmartCenter Server is enabled on the Firewall See page 363 for menu items smart The SmartUpdate Configuration Menu is used to enable disable C...

Page 361: ...ble Sync Table 79 Sync Configuration Menu cfg fw sync Command Syntax and Usage ena This command enables session state synchronization in a redundant configuration For synchronization to work there mus...

Page 362: ...ps on default port number 4433 This CLI command is used to change the default port number to any user defined port number in the range 1024 to 65534 Portal Configuration Menu portno Set Smart Portal p...

Page 363: ...cfg fw client Command Syntax and Usage list Displays the list of SMART Clients with access to the Nortel Switched Firewall manage ment server del index value Allows you to delete a specified member fr...

Page 364: ...turn on or off configuration warning messages SmartUpdate Configuration Menu ena Enable Smart Update Mode dis Disable Smart Update Mode Table 82 SmartUpdate Configuration Menu cfg fw smart Command Syn...

Page 365: ...ed to a particular Firewall s individually assigned IP address WARNING If you do not enter the halt command before powering off the Firewall all configurations may be lost and the Firewall will be res...

Page 366: ...e version This command activates a downloaded and unpacked Nortel Switched Firewall software upgrade package The unpacked software package will be labeled as permanent If serious problems occur while...

Page 367: ...7 for menu items Software Patches Menu cur Display current software patches installed install Download software patch from FTP server uninstall Remove software upgrade package Table 86 Software Patche...

Page 368: ...iguration ospf OSPF Debug Menu cplog Check Point Logs emc EMC Server s admin password change logdetail Obtain extensive detail about the log error code dumped Table 87 Maintenance Menu maint Command S...

Page 369: ...gs peakconnec Peak connections policy Firewall policy status Firewall status Table 88 Firewall Maintenance Menu maint fw Command Syntax and Usage sync This command tests the session state synchronizat...

Page 370: ...cies from the Check Point SmartDashboard after you have re established trust clearlog This command clears all firewall log files peakconnec This command is used to display the Check Point connection t...

Page 371: ...onfiguration no logs to the default file tsdump tgz The size of the file is typically small enough to fit on a floppy disk NOTE The previous contents of the file are overwritten each time you use this...

Page 372: ...taken from a firewall can be used only to restore that same firewall or a replacement for that firewall For more information about how to back up the firewall configuration see Backing Up a Configura...

Page 373: ...ents packets Set log OSPF packets msgs View last 100 debug messages 2003 04 18 19 20 51 OSPF LSA Refresh ospf_lsa_refresh_walker start 2003 04 18 19 20 51 OSPF LSA Refresh ospf_lsa_refresh_walker next...

Page 375: ...213455 L October 2005 Part 3 Appendices Appendix A Event Logging API Appendix B Backing Up and Cloning Configurations Appendix C Common tasks Appendix D Troubleshooting Appendix E Software licenses...

Page 377: ...formation about configuring and administering OPSEC applications in Check Point refer to your complete Check Point Firewall 1 NGX documentation ELA configuration requires steps at both the Check Point...

Page 378: ...ver Open the Check Point SmartDashboard to create an ELA OPSEC application for the Firewall To create a new OPSEC application use the following procedure 1 From the Check Point SmartDashboard main pag...

Page 379: ...wing fields see Figure 118 Provide an identifier in the Name field to use when pulling the certificate to the Firewall Refer to the Nortel Switched Firewall in the Host field Select User Defined from...

Page 380: ...e the Activation Key when you pull the certificate to the Firewall Figure 119 Communication page NOTE Once SIC is initialized the trust state displays as Initialized but trust not established This is...

Page 381: ...olicy page appears see Figure 121 Select the object Click OK Figure 120 Check Point SmartDashboard Install Figure 121 Install Policy page NOTE If the Check Point antispoofing feature is not enabled a...

Page 382: ...tched Firewall 5100 Series Release 2 3 3 Browser Based Interface User s Guide Part number 216383 D 2 Select the Cluster ELA form and define the general settings see Figure 122 Figure 122 BBI Cluster E...

Page 383: ...SIC area The DN is specified in the SIC area of the Check Point Gateway General Properties page Figure 123 Check Point Gateway General Properties 4 Return to the BBI Cluster ELA form and do the follo...

Page 384: ...on ela1 Set the password to match the OPSEC application SIC password 6 Click Update Certificate NOTE In order for ELA to function a separate certificate for SIC communication must be installed on each...

Page 385: ...ix describes how to perform cluster backup and cloning on the Nortel Switched Firewall 5100 Series for Release 2 3 3 Overview on page 386 Backing Up and Cloning on page 387 Backing Up a Configuration...

Page 386: ...using the clone command from the root login Clone Command The backup restore procedure can be used for cloning On a fresh Firewall you can use the clone command to restore the full configuration of a...

Page 387: ...e then reset the SIC on both NSF Firewalls and install the policies again Reboot both the NSF Firewalls and proceed with the above step 2 Enter the backup command 3 Select the backup mode and provide...

Page 388: ...be used Check Point should not drop packets sent to the TFTP FTP server Check whether FTP and TFTP access to the TFTP FTP server is working from root login Cloning a Configuration 1 Log in as root to...

Page 389: ...f both Firewalls are not active disable sync cfg fw sync dis apply wait two minutes and again enable sync cfg fw sync ena apply This automatically reboots both Firewalls After the system is up again c...

Page 391: ...image from CD ROM on page 392 Enabling USB support on page 393 Mounting a floppy disk on the Firewall on page 397 Mounting a CD ROM on the Firewall on page 398 Mounting the USB port on page 399 Tunin...

Page 392: ...h will take several minutes If the Firewall doesn t reboot automatically take the software CD out and reboot the Firewall 6 Log in as admin the password is admin The installation is complete NOTE If y...

Page 393: ...wall operation Follow the procedures given in this section and contact Nortel Technical Support if you need more information Verify USB support on the Firewall Before modifying the BIOS settings verif...

Page 394: ...d connected to your NSF 5100 Series firewall Refer to the Nortel Switched Firewall 5100 Series Hardware Installation Guide 216382 D for more information about how to connect a monitor and keyboard to...

Page 395: ...Utility screen is displayed in Figure 126 Figure 126 Configuration Setup Utility screen 3 Select the Devices and I O Ports option The Devices and I O Ports screen is displayed in Figure 127 Figure 12...

Page 396: ...in Figure 128 Figure 128 Devices and I O Ports USB Setup 6 Press Esc twice Pressing the escape key twice exits both the USB Setup Menu and the Configuration Setup Utility The Exit Setup dialog box app...

Page 397: ...following procedure can be used for mounting a floppy disk to read or write files on the Firewall 1 Insert a DOS formatted floppy into the Firewall 2 Log in as root 3 Enter the following command 4 Co...

Page 398: ...2005 Mounting a CD ROM on the Firewall The following procedure can be used for mounting a CD ROM to read files on the Firewall 1 Insert a CD ROM into the Firewall 2 Log in as root 3 Enter the followin...

Page 399: ...y occur on USB ports When you request for an upload or download the USB port is mounted and dismounted automatically after the file is copied However if you need to manually mount the USB ports perfor...

Page 400: ...e following steps 1 Right click the firewall object on the Check Point SmartDashboard 2 Select Edit 3 Open the Logs and Masters Capacity Optimization tab 4 Edit the Maximum concurrent sessions see Fig...

Page 401: ...e of the Check Point NG by entering the following commands at the firewall CLI and at the Check Point management station command line 1 Log in to the local terminal as admin to disable the firewall Al...

Page 402: ...tion Kernel modules information NG memory information Generating public private DSA key pair The following screen captures demonstrate the generation of the DSA key pair creating an SSH account on a f...

Page 403: ...ation has been saved in tkey Your public key has been saved in tkey pub The key fingerprint is 2d 77 72 7d 35 58 2c 4b a4 f8 56 50 73 42 92 ae test Phantom test Phantom test cat tkey pub ssh dss AAAAB...

Page 404: ...r RSA DSA public key for user ssh dss AAAAB3NzaC1kc3MAAACBAKEdba7LVbswXDoYDmQaPifvruRFxa465FffwsGmF LQ98t PYqwJvwLgtCyQVUL9GyUvAlECvPTlBCsAATnITo0KYL03axqqRr9PmdgaxrCcAkyQlL oOHcDzuhUXB0wYXc9ymDTP 4HF...

Page 405: ...the firewall shell using SSH For a password enter the passphrase you entered when you generated the SSH keys in Step 1 on page 402 Main cfg sys accesslist add Enter network address 33 1 1 0 Enter netm...
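The procedure above generates a DSA key pair with ssh-keygen, pastes the tkey.pub line into the user's pubkey setting, adds the client network to the access list, and logs in with the key passphrase. The most common failure is a public-key line mangled by terminal wrapping or copy/paste before it reaches the pubkey command. The following Python is an added example, not code from the Nortel guide: it validates a single-line OpenSSH public key (type prefix, base64, embedded type string) and prints the MD5 colon fingerprint in the form ssh-keygen showed, so the line can be compared with the fingerprint on the host that generated it. The sample key uses tiny constructed DSA parameters, not a real key.

```python
"""Checks for an OpenSSH public-key line before it is pasted into the
firewall's cfg/sys/user/adv/user <name>/pubkey command.
Added example, not code from the Nortel guide.  The DSA parameters used for
the sample line are tiny constructed values, not a real key."""
import base64
import hashlib
import struct


def _mpint(value):
    """Encode a non-negative integer as an SSH wire-format mpint."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                  # a leading 1 bit would read as negative
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _read_string(blob, offset):
    """Decode one SSH wire-format string (uint32 length + bytes) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def build_dss_pubkey_line(p, q, g, y, comment):
    """Serialise DSA public parameters as one 'ssh-dss <base64> <comment>'
    line, the layout ssh-keygen writes to tkey.pub."""
    blob = (b"\x00\x00\x00\x07ssh-dss"
            + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y))
    return "ssh-dss %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_openssh_pubkey(line):
    """Return (key_type, wire fields, comment) for one public-key line.

    Rejects anything that is not a single line, whose base64 does not
    decode, or whose embedded type string differs from the text prefix:
    all three are symptoms of a key damaged in transit, and such a line
    must not be installed."""
    stripped = line.strip()
    if "\n" in stripped or "\r" in stripped:
        raise ValueError("public key must be a single line")
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:           # binascii.Error is a ValueError
        raise ValueError("key data is not valid base64") from exc
    fields, offset = [], 0
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match prefix")
    return key_type, fields, comment


def is_valid_pubkey_line(line):
    """True when parse_openssh_pubkey accepts the line."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def fingerprint_md5(line):
    """MD5 fingerprint in the colon-separated form ssh-keygen printed on the
    page ('2d:77:72:...').  Compare it with the value shown on the host that
    generated the key before trusting the pasted line."""
    parse_openssh_pubkey(line)          # validate first
    blob = base64.b64decode(line.strip().split(None, 2)[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def dss_parameters(line):
    """Return (p, q, g, y) as integers from an ssh-dss key line."""
    key_type, fields, _ = parse_openssh_pubkey(line)
    if key_type != "ssh-dss" or len(fields) != 5:
        raise ValueError("not an ssh-dss key")
    return tuple(int.from_bytes(f, "big") for f in fields[1:])


# Constructed sample with toy parameters so the line stays short; a real key
# has a 1024-bit p and starts with the AAAAB3NzaC1kc3M prefix seen on the page.
SAMPLE_LINE = build_dss_pubkey_line(23, 11, 2, 4, "test@Phantom")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(fingerprint_md5(SAMPLE_LINE))
```

Two caveats a practitioner should keep in mind: the fingerprint only confirms that the pasted line matches the generated key, not that the passphrase protecting the private key is strong, and ssh-dss keys are disabled by default in OpenSSH 7.0 and later, so a current client may need to re-enable them explicitly (or the account can be given an RSA key, which the pubkey command also accepts) when connecting to a firewall of this generation.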

Page 407: ...0 Cannot download policy on Firewall on page 411 Poor performance with other devices on page 412 Cannot log in to the management station from the SMART Client on page 412 Check Point sends connection...

Page 408: ...on page 410 Actions Verify that the management station is connected to the correct port by entering the following command on the Firewall Reset the Secure Internal Communication using the one time pas...

Page 409: ...to see if ICMP reaches the Firewall from your source IP address Managing licenses Re installing an existing license If the Firewall crashed and was re imaged before the license was deleted from the F...

Page 410: ...ing format Use the Firewall name as entered in the hosts file page 287 Be sure to enter the information exactly as shown on your specific Check Point license 2 To verify that the local license is inst...

Page 411: ...om Firewall console As a result anti spoofing blocks the traffic because incorrect interfaces were used Action Delete the existing policies by entering the command below and retrieve the interfaces fr...

Page 412: ...e adjacent device Cannot log in to the management station from the SMART Client The SMART Client cannot log into the management station Actions If the SMART Client and SmartCenter Server are not in th...

Page 413: ...Invoke the Firewall CLI command cfg fw sync ena to verify that Check Point Sync is enabled Verify the cluster configuration on the SmartCenter Server and ensure that at least one interface is defined...

Page 414: ...es installed on the firewalls do not drop the synchronization traffic If the problem persists disable and enable synchronization using the following Firewall CLI commands cfg fw sync dis TIP Wait for...

Page 415: ...Series Hardware Installation Guide 216382 D 3 Establish trust with both units Make sure you can ping both iSD host IP addresses from the management station if the management station and iSD host IP ad...

Page 416: ...he SIC status between the management station and the firewall If as suspected the devices are not communicating Reset SIC at the SMART Client see Re establishing SIC on page 410 and at the CLI see cfg...

Page 417: ...ment packets multicast packets which indicate VRRP active master activity on the interface If you don t see VRRP advertisement packets check the firewall status If the Policy is DefaultFilter or Initi...

Page 418: ...release 2 3 1 the real physical IP addresses are configured with the addr1 and addr2 commands in the Interface menu The virtual IP addresses are configured with the ip1 and ip2 commands in the VRRP I...

Page 419: ...213455 L October 2005 419 APPENDIX E Software licenses The Nortel Switched Firewall includes software which is covered by the following licenses...

Page 420: ...this software without prior written permission For written permission please contact apache apache org 5 Products derived from this software may not be called Apache nor may Apache appear in their nam...

Page 421: ...he names mod_ssl must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact rse engelschall com 5 Products derive...

Page 422: ...ssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission For written permission please contac...

Page 423: ...above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features o...

Page 424: ...ny form whatsoever must retain the following acknowledgment This product includes PHP freely available from http www php net 6 The software incorporates the Zend Engine a product of Zend Technologies...

Page 425: ...AR PURPOSE See the GNU General Public License for more details You should have received a copy of the GNU General Public License in the file COPYING along with this program if not write to Free Softwa...

Page 426: ...ch a program whether gratis or for a fee you must give the recipients all the rights that you have You must make sure that they too receive or can get the source code And you must show them these term...

Page 427: ...cense Exception if the Program itself is interactive but does not normally print such an announcement your work based on the Program is not required to print an announcement These requirements apply t...

Page 428: ...ponsible for enforcing compliance by third parties to this License 7 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues c...

Page 429: ...D OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM I...

Page 430: ...mouse clicks or menu items whatever suits your program You should also get your employer if you work as a programmer or your school if any to sign a copyright disclaimer for the program if necessary...
