Console Guide 5.4

GB-OS 5.
Users Guide
Console
GBOSCG201009-01
Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817
Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com Web: www.gta.com
GB-OS Console Users Guide
Table of Contents
Introduction........................................................................................................................................................................................... 1 About.This.Guide. 1 Conventions 1 Additional.Documentation. 1 Connecting.to.the.Console.Interface..................................................................................................................................................3 . Common.Tasks. ....................................................................................................................................................................................5 . Resetting.the.firewall.to.factory.defaults. 5 Switching.the.firewalls.active.slice. 6 HowdoIswitchbetweenslices? 6 Using.the.Console.Interface. ............................................................................................................................................................... 7 . Config. 8 ConfigurationVerification 8 EmailConfiguration 9 System 10 ActivationCodes 10 ContactInformation 11 Date/Time 12 Objects 13 AddressObjects 13 Accounts 14 RemoteAdministration 14 Encryption 15 GeneratingSSLCertificates 15 Network 16 Settings 16 EnteringtheHostName 16 EnteringtheDefaultRoute 16 DefiningNetworkInterfaces 16 Aliases 19 Timeouts 20 NAT 21 InboundTunnels 21 StaticAddressMapping 23 PassThrough 24 Hosts/Networks 24 Routing 25 RIP 25 StaticRoutes 27 SecurityPolicies 28 Preferences 28 ResettoFactoryDefaults 29 Tools. 30 Shutdown 30 Halt 30 Reboot 30 NetworkDiagnostics 30 FlushARPTable 30 Ping 31 TraceRoute 31 Interfaces 32 Reports. 33 Hardware 33 Reference.A:.User.Interface...............................................................................................................................................................34 Keystroke.Commands. 35 Navigation. 35 Menus 35 Buttons 36 Entry,Choice,Check,andItemListFields 36
Table of Contents
iii
Introduction
GTAFirewallUTMAppliances,poweredbyGB-OS,arepredominantlyadministeredusingtheplatformindependentWebinterface.Aseconduserinterface,theConsoleinterface,allowstheusertodefault policiesincaseofaconfigurationerror,recoveraGTAFirewallUTMAppliance,resetamisconfigured firewalltodefaultsandperformbasicconfigurationtasks. TheConsoleinterfaceisaGUI-basedinterfaceofhierarchicalmenus.ItoperatesonlyontheGTA firewallconsole;itcannotbeaccessedinanyotherway.TheConsoleinterfaceshouldonlybeusedfor basicconfigurationorforrecoverypurposes.Comprehensiveconfigurationsettingsareonlyavailable fromtheWebinterface. Inthisguide,theConsoleinterfaceisillustratedanddescribedintheorderthefunctionsappearinthe Consoleinterfacemenus.Navigation,commonkeystrokes,menuitemsandbuttonsareexplainedin ReferenceA:UserInterface.
About This Guide

Thisguideonlyprovidesabriefoverviewwhendiscussingconfigurationareas.Fordetailedexplanations, examplesandwalkthroughs,refertotheGB-OS Users Guide.
Conventions
Afewconventionsareusedinthisguidetohelpyourecognizespecificelementsofthetext.Ifyouare viewingthisguideinPDFformat,colorvariationsmayalsobeusedtoemphasizenotes,warningsand newsections.
Italics
Bold Italics
Blue Underline Small CapS Monospace Font
Emphasis
Publications
Clickable hyperlink (email address, Web site or in-PDF link) On-screen field names On-screen text On-screen menus, menu items On-screen buttons, links
Condensed Bold
BOLD.SMALL.CAPS
OrganizationofthechaptersinthisguideisaccordingtotheConsoleinterfacesmenustructure.The exceptionstothisruleincludetheReferencechapters.Forthelocationofspecifictopics,pleaseseethe tableofcontents.
Additional Documentation
Foradditionalinstructionsoninstallation,registrationandsetupofaGTAproduct,seeapplicable QuickGuides,FAQsortechnicalpapers.Foroptionalfeatures,seetheappropriatefeatureguide. DocumentationisincludedontheCDshippedwithnewGTAproducts,andisalsoavailablefor downloadfromtheGTAWebsite. Note
For the latest documentation, check the GTA Web site for current PDFs.
ThesemanualsandotherdocumentationcanalsobefoundontheGTAWebsite(www.gta.com). DocumentsontheWebsiteareeitherinplaintext(*.txt)orportabledocumentformat(*.pdf)which requiresAdobeReaderversion7.0orgreater.AfreecopyofAdobeReadercanbeobtainedfromwww. adobe.com.
Introduction
Available Documentation
Document
GB-OS Users Guide GB Commander Product Guide GTA Reporting Suite Product Guide Surf Sentinel Content Filtering Option Guide GTA VPN Option Guide www.gta.com H2A High Availability Option Guide Mail Sentinel Option Guide
Topics
GB-OS features and Web user interface. GB Commander for GTA firewalls. GTA Reporting Suite stand-alone reporting software. Email anti-spam and anti-virus filtering optional feature. Content filtering optional feature. High availability optional feature. VPN (virtual private networks) feature. Hardware specifications, current documentation, examples
Introduction
Connecting to the Console Interface

TheConsoleinterfaceisalwaysavailableontheGTAfirewall;accesscannotbedisabled.TheConsole interfaceisaccessibleusingtheserialportandaserialcable.ToconnecttotheConsoleinterface,a physicalconnectionbetweentheGTAfirewallandeitheraterminal(usingaserialconsolecable)ora computerwithterminalemulationsoftware(usingaDB-9null-modemcable)isrequired.

Connect to the Console interface using the serial cable included with your GTA firewalls packaging.
Serial Cable
GB-2000
PC Workstation
GTA Firewall
1. Connect the GTA firewall to the workstation. To connect to the Console interface, connect your GTA firewall to a PC workstation using the serial port and boot up the firewall. 2. Configure the terminal emulation software. Enter the appropriate settings to emulate the console connections. 3. Enter the firewall administrators user name and password.
Figure 2.1: Connecting to the Console Interface
ToconnecttotheGTAfirewallusingacomputerrunningterminalemulationsoftware,enterthefollowing settings: Table 2.1: Connecting to the Console Interface

Field
Emulation Port Baud Rate
Description
VT-100 or PuTTY COM port connected via DB-9 cable to the firewall 38400 8 None 1 Hardware
Stop
Parity
Data/Bit Rate
Flow Control
PowerontheGTAfirewall.Oncebooted,youwillbepromptedforthefirewalladministratorsuserID andpassword(defaultsarefwadmin).Theconfigurationmenuscreen(similartotheillustrationbelow) shouldappear.
Figure 2.2: The Console Interface
Common Tasks
Inmostcircumstances,theConsoleinterfaceisusedasaneffortoflastresort.Sinceconfiguration optionsarelimited,firewalladministratorsgenerallyusetheConsoleinterfacewhentheWebinterfaceis nolongeraccessible.Commontasksthatareperformedincluderesettingthefirewalltofactorydefaults andswitchingthefirewallsactiveslice. Note
This chapter only applies to issues that can be resolved using the Console interface. For more troubleshooting issues and solutions, refer to the GB-OS Users Guide.
Resetting the firewall to factory defaults

Generally,resettingthefirewalltofactorydefaultsshouldonlybeperformedwhenallotheroptionshave beenexhausted.Forexample,iflogininformationhasbeenirretrievablylostorifitisnolongerpossible toconnecttotheWebinterface. Byresettingtofactorydefaults,allcurrentconfigurationdatawillbeerasedandthefirewall administratorsusernameandpasswordwillbothbecomethecase-sensitiveusernameandpassword fwadmin. CAUTION
Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the desired settings.
How do I reset my firewall to factory defaults?

Toresetyourfirewalltofactorydefaults,attacheitheraterminal(usingaserialconsolecable),ora computerwithterminalemulationsoftware(usingaDB-9null-modemcable). PowerontheGTAfirewall.Thefollowingwillbedisplayed:
GB-OS 5.3.x loading ...
Whenthewordloadingappears,immediatelypressCONTROL-R.Thesystemwillbegintoload,and configurationandhardwaredatawillappearonscreen.Finally,aconfirmationquestiondisplays:
Are you sure you want to reset your firewall configuration?: (yes or no)
Toresettofactorydefaults,typethewordyesinlower caseletters.Typinganyotherkeywillrebootthe systemwithoutresettingtodefaults.Ifthereisnoinputaftertwominutes,thefirewallwillcontinueits bootprocess.
Common Tasks
Switching the firewalls active slice

Thememorysection(slice)featurecanbeusedtotestanewfirewallconfigurationinproductionwhile preservingthecurrentconfigurationintheothermemoryslice.Becauseeachslicecontainsitsown configuration,itispossibletorollbackyourfirewallssettingstoaknowngoodconfiguration.
How do I switch between slices?

Thememorysection(slice)featurecanbeusedtotestanewfirewallconfigurationinproductionwhile preservingthecurrentconfigurationintheothermemoryslice.Inthefollowingexample,memoryslice1 containsthecurrentconfiguration,andmemoryslice2isusedfortestingaconfiguration. 1. Rebootthefirewall. 2. Selectandbootmemoryslice2. CAUTION
Memory slice 2 will now be your active firewall.
3. SwitchtotheWebinterfacetomakeadvancedconfigurationchanges;thecurrentlyselected slicewillloadbydefaultuntilanotherisselected. 4. Toreverttothelastconfiguration,rebootthefirewallusingtheconsoleinterfaceandselect memoryslice1. Note

The active slice can also be selected from within the Web interface. See the GB-OS Users Guide for more information.
Common Tasks
Using the Console Interface

ThischapterprovidesawalkthroughoftheConsoleinterface,providingexplanationandinstructionon configurationareas. CAUTION
Any changes made to the configuration will be immediately applied to the firewall.
Note
For information on the Console interfaces user interface, refer to Reference A: User Interface.
Figure 4.1: The Console Interface
Config
TheConfigmenucontainscommandsrelatedtothesetupandconfigurationoftheGTAfirewall.The Consoleinterfaceislimitedinitsconfigurationoptions.Toproperlyadministerthefirewall,usetheWeb interface.
Figure 4.2: The Config Menu
Configuration Verification
Configuration VerificationwillrunasystemconfigurationcheckontheGTAfirewall.Thecheckwillverifyall areasofthefirewallsconfiguration. AfteryouhaveconfiguredyourGTAfirewall,runaconfigurationverificationtoensurethatyouhavea validconfiguration.Verificationhappenseverytimeasectionorconfigurationissaved. Toverifyyourconfiguration,navigatetoConfig>Configuration Verification.
Figure 4.3: Verifying the Configuration
Email Configuration
TheEmail Configurationsub-sectionallowstheusertoemailthefirewallsconfigurationtotheentered recipient.Thisfunctionisusefulfortechnicalsupportpurposes. EmailConfigurationallowstheusertoemailacopyofthesysteminformationtoadesignatedemail address. EmailConfigurationsendsanemailwiththesereports: AConfigurationReport HTML AHardwareConfigurationReport AVerificationReport Acopyofthecurrentroutingtable AcopyofthecurrentARPtable ActiveVPNs ActivePolicies AuthenticatedARPTable AuditEvents CurrentStatistics HardwareSummary IpsecTunnels MailSentinelPolices,Routes,Statistics XML EnteranyadditionalinformationintheComment(s) field. Toemailyourfirewallsconfiguration,navigatetoConfig>Email Configuration.
Figure 4.4: Emailing the Configuration
System
TheSystemmenuitemcontainsmenuoptionsforconfiguringactivationcodes,contactinformation,the firewallsdateandtime,andaddressobjects.
Activation Codes
InActivation Codes,theadministratorcanentertheGTAfirewallsserialnumberandoptionalfeature activationcodesforoptionssuchasH2AHighAvailability,SurfSentinel,MailSentinelAnti-Spam&AntiVirusorGTAMobileVPNClientlicenses.Activationcodesenteredduringinstallationorpre-installed withhardwareapplianceswillalsoappear. Activationcodesareprovidedwithsoftwareorfeatureregistration.EnterGTAfirewallactivationcodes byhighlightingtheselectedrowandhitting<Return>toeditor<Insert>ortheIkeytoadd. SelectSave.Thesystemwilldisplayadescriptionofwhathasbeenactivated.Ifthisdescriptionis garbledordoesnotappear,thecodehasbeenenteredincorrectlyorisnotcorrectforthecurrent systemorversion. Toenteractivationcodes,navigatetoConfig>System>Activation Codes. Note
Activation codes will not function without the system serial number entered in the Serial field. GTA Firewall UTM Appliances have the serial number pre-installed. The firewalls serial number can also be found on the card that shipped with the firewall or in the GTA Online Support Center.
Figure 4.5: Entering Activation Codes
10
Contact Information
Contact Informationstoresinformationaboutthefirewalladministrator.Thisinformationisusedbyemail, reportsandlistfunctions. Toenterthefirewalladministratorscontactinformation,navigatetoConfig>System>Contact Information.
Figure 4.6: Entering Contact Information
Table 4.1: Contact Information

Field Name
Company Name
Description
Enter the firewall administrators name. Enter the firewall administrators company. Enter the firewall administrators email address. Enter the firewall administrators phone number. Enter the email address to be used for technical support. Default is gb-config@gta.com
Email Address
Support Email Address
Phone Number
11
Date/Time
Sincethefirewallsdateandlocaltimeareusedtotaglogmessages,havingthefirewallconfigured tooperateonaccuratetimesettingsisimportant.TheDate/TimeserviceusesUTC(UniversalTime Coordinated)asitsdefaulttimezone. Tosetyourfirewallsdateandtime,navigatetoConfig>System>Date/Time.
Figure 4.7: Setting the Firewalls Date and Time
Table 4.2: Date/Time

Field Name
Time Date
Description
Enter your the current date as YYYY-MM-DD. Enter the current time (in 24 hour format) as HH:MM:SS.
12
Objects
UsingobjectsincreasesspeedandconsistencywhencreatingaconfigurationwithGB-OS.Auserneed onlydefineanaddressorgroupofaddresses,aninterface,oraconfigurationonce,thenselectthe objectineachscreenwherethatdefinitionisrequired.Oncetheobjectiscreatedtheuserwillonlyneed tochangetheobjecttochangethedefinitioninallthelocationswhereitisused. IntheConsoleinterface,onlyaddressobjectsareavailableforconfiguration.Toconfigureallother objects,itisnecessarytologintotheWebinterface. Theaddressobjectlistdisplaysthenameanddescriptionofalldefinedaddressobjects.Whenusing theConsoleinterface,userscanresetandsavetheaddressobjects.Editingorinsertingnewaddress objectsisnotpossible. Tovieworresettheaddressobjectlist,navigatetoConfig>System>Objects>Address Objects.
Address Objects
Figure 4.11: Address Objects
13
Accounts
TheAccountssectioncontainsconfigurationscreensthatdisplayoptionsforremoteadministration. Note
Administration accounts are only configurable via the Web interface. For more information, refer to the GB-OS Users Guide.
Remote Administration
Remote AdministrationcontrolsremoteadministrationviatheWebinterface,andwhetheraVPNconnection requiresUserAuthentication.Thedefaultsettingsenableremoteadministrationandtheabilitytoapply updates.TheWebinterfaceisservedonstandardTCPport443forSSLencryption. Toconfigureremoteadministrationpreferences,navigatetoConfig>Accounts>Remote Administration.
Figure 4.12: Remote Administration
Table 4.6: Remote Administration

Field
WWW (Web Interface) Server Port Encryption Enabled Enables remote administration for the Web interface. The TCP port allowing Web administration. SSL encryption default is 444. A selection for the level of SSL encryption. All levels of SSL encryption are enabled by default. Setting encryption to <none> will turn off SSL encryption. A selection for whether automatic policies should be enabled for all interfaces. A selection for whether automatic policies should be enabled for the protected interface.
Description
Automatic All
Automatic Protected
14
Foradditionalsecurity,SSL(SecureSocketsLayer)encryptionisavailable.SSLencrypted administrationrequiresaremoteaccesspolicywithaportthatmatchestheremoteadministrationport (443,bydefault). SSLcertificatesincludethreevaliditychecks: 1. Anissuer,orself-issuedcertificateauthority. 2. Adate,whichwillbethedateofcertificategeneration. 3. Aname,whichwillbethefirewallshostname. Tocreateacertificateinwhichthenameonthesecuritycertificatematchesthenameonthesite,the hostnamefoundinConfig>Network>SettingsmustmatchthenamegiventothefirewallintheDNSServer.If youcannotmatchthehostname,youmayinsteadaddthehostnametotheLMHOSTfileonWindows computers. Table 4.7: Encryption Levels
Level
All None
Encryption
Key Strength
n/a n/a 40-,56-, 64-bit 128-bit 168-bit
Description
Disables SSL encryption Accepts low/medium/high levels of encryption A low level of SSL encryption. Easier to break. A medium level of SSL encryption. Harder to break. A high level of SSL encryption. Difficult to break.
Low
High
Medium
Generating SSL Certificates EachtimeGB-OSisupdated,theSSLcertificateisrenewedforaperiodofoneyearfromtherelease builddate.YoumayalsomanuallygenerateanewcertificatebyusingtheNew SSL CertifiCatebutton. ThiscreatesanewSSLcertificateforthefirewall,whichisvalidforoneyearfromitscreationdate. Note

Changing the firewalls host name will automatically generate a new SSL certificate using the new host name.
15
Network
TheNetworksectionallowsfortheconfigurationofthefirewallsnetworksettings,aliases,timeouts,NAT (NetworkAddressTranslation),passthroughandrouting.
Settings
MuchofthedatafoundinNetwork Settingswillhavebeenenteredduringinstallation,includingtherequired protectedandexternalnetwork. Todefineyournetworkssettings,navigatetoConfig>Network>Settings.
Figure 4.13: Network Settings
Thehostname,definedintheHost namefield,isthesystemnameassignedtotheGTAfirewalland isusedtotaglogmessages.GTArecommendsusingafullyqualifieddomainnameasthehost nameforyourGTAfirewall.Afullyqualifieddomainnameisthecompletedomainnameforaspecific computer(host)onthenetwork,whichisbrokendowntoahost,domainandtop-leveldomain(e.g. firewall.example.com).Hostnamesmustbeunique.IfyournetworkDHCPserverscreateIPaddress assignmentsbasedonthesystemname,enterthehostname,oftenassignedbyyourISP. Thedefaultgateway,definedintheDefault Routefield,isanodeonthenetworkthatservesasan accesspointtoanothernetwork,usuallytheInternet.EntertheIPaddressoftheselecteddefaultroute. ThisvalueisusuallytheIPaddressoftherouterconnectingthenetworktotheInternetandmustbe onthesamelogicalnetworkastheassociatedexternalinterface.IfyourexternalinterfaceusesPPPor DHCPtoobtainanIPaddress,enteringanIPaddressintheDefault Routefieldisnotneeded. Anetworkinterface: Assignsanetwork(representedbyanIPaddressandasubnetmask)toaphysicalNIC Designatesanetworktype Identifiesagateway(defaultroute) AGTAfirewallrecommendstwologicalnetworks,aprotectednetworkandanexternalnetwork. Additionalexternalandprotectedlogicalnetworkscanbeadded,aswellasoneormorePrivateService Networks(PSN). Definednetworkinterfacesserveasinterfaceobjectsthroughouttheconfiguration,allowingthe administratortoreferencetheinterfacequicklywhenconfiguringthefirewall. CAUTION
If a network interfaces name is changed, but a policy that references it is not updated to refer to the new name, all new connections maintained by the policy will fail to match.
Entering the Host Name
Entering the Default Route
Defining Network Interfaces
16
LogicalnetworkinterfacesthatdonotusePPPorDHCPconfigurationsrequireanIPaddressand subnetmask.Ifasubnetmaskisnotentered,thesystemwillattempttocreateonebasedonthe networkclassinCIDRnotation,ClassC=/24,ClassB=/16orClassA=/8.Doingsohelpsprevent misconfiguration. Wheneditinganetworkinterface,atablelabelednetwoRk InteRfaCe CaRDswillbedisplayed.ThenetwoRk InteRfaCe CaRDstableshowsinformationregardingtheGTAfirewallsNICs,suchastheirMACaddress andconnection. CAUTION
Use caution when changing the logical names of interfaces; if a logical name does not match a policy, you may lose access to the firewall.
Toeditanetworkinterface,highlightthedesiredinterfaceandhittheEnterkey.
Figure 4.14: Editing a Network Interface
Table 4.8: Defining a Network Interface

Field
Name Gateway Connection NIC
Description
Assign a logical name to identify the network interface. Network interface names may not use a number as the first character. Enable this checkbox if you wish to make the logical interface an Internet gateway. The NIC to be used by the defined network interface. AUTO is generally recommended. Selections are: AUTO: Auto-select the active network connection. UTP_10: Use the unshielded twisted pair interface at 10Mbps. TX_100: Use the unshielded twisted pair interface at 100Mbps. Maximum Transmission Value. Default is 1500. Incorrect MTUs can cause poor performance. Select to define the network interface as an external interface. Select to define the network interface as a protected interface. Select to define the network interface as an PSN interface. Select Default (full- or half-duplex) or Full Duplex.
Option MTU Interface Type External Protected
PSN (Private Service Network)
17
Table 4.8: Defining a Network Interface

Field
Network Address DHCP IP Address Network Interface Cards NIC MAC Address Name The Network Interface Card (e.g., eth0). If the device is an Ethernet card, its MAC address will be displayed in this section. Use to assign a physical interface to a particular logical interface. Record MAC addresses before installation into GB-Ware hardware. The name assigned to the NIC. The NICs connection speed. AUTO: Auto-selects the active network connection. UTP_10: Uses the unshielded twisted pair interface at 10Mbps. TX_100: Uses the unshielded twisted pair interface at 100Mbps. Dynamic Host Configuration Protocol. DHCP is typically required for cable modem connections. When selected, the system uses DHCP to obtain an IP address for the specified interface. DHCP may be used on any and all network interfaces. Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered.
Description
Connection
18
Aliases
AliasesallowanetworkinterfacetopossessmultipleIPaddresses.AnIPaliasmaybeassignedtoany networkinterface. Aliasesareespeciallyusefulontheexternalnetworkinterface,orifmultiplehostsonthePSNor protectednetworkarerequiredforthesameservicegroupviaatunnel(e.g.multipleinternalWeb serversthatallservecontenttotheexternalnetwork).AliasesusedonanexternalNICattachedtothe Internetmustbelegitimate,registeredIPaddresses.Analiasdoesnotneedtohavethesamesubnetas therealIPaddress,sincetheGTAfirewallwillroutepacketsbetweenallnetworkstowhichitislogically attached. IftheIPaliasisonthesamelogicalnetworkasthenetworkinterfacesprimaryIPaddress,useasubnet maskof32bits(255.255.255.255). Toconfigurealiases,navigatetoConfig>Network>Aliases.TheAliasesscreenwilldisplayalldefinedaliases. PressEntertoeditanexistingalias,orpressInsertortheIkeytocreateanewalias.
Figure 4.15: Editing an Alias
Table 4.9: Edit Alias

Field
Name Interface
Description
A unique name to identify the alias elsewhere in the firewalls configuration. Alias names may not use a number as the first character. The interface that will have an alias applied. The IP address of the alias.
IP Address/Netmask
19
Timeouts
Timeoutsdefinehowlongaconnectionshouldbeidlebeforeitismarkedreadytoclose.Theresult ofaconnectionreachingitstimeoutvaluediffersforeachIPprotocol.Forexample,TCPhasenough informationembeddedforGB-OStodeterminewhentheconnectionisreadytoclose,butwithICMP andUDP,itisgenerallyimpossibletodeterminewhenaconnectionisreadytoclose. Todefinetimeouts,navigatetoConfig>Network>Timeouts.
Figure 4.16: Defining Timeouts
Table 4.10: Timeouts

Field
TCP Timeout Send Keep Alives? The time, in seconds, that the firewall will wait before timing out TCP packets. Default is 600. If a successfully created, TCP connections remain idle for the timeout period and if this field is disabled, the connection is marked ready to close. If this field is enabled, a Keep Alive packet is sent. If the connection is still valid, the GTA firewall will set the connection idle time to zero. If the connection is invalid, the GTA firewall will see a reset packet indicating this, sent by the client to its server, and will mark the connection ready to close. If no response is received within five minutes, the GTA firewall will mark the connection ready to close. Enabled by default. As part of TCP connection creation, the client and server exchange several IP packets. All packets sent from the server will have a bit indicating ACK (acknowledgement) in the header. As part of Stateful Packet Inspection, the GTA firewall keeps a record of seeing this bit. If it is not seen, the remote server may be down. If the idle time is reached without an ACK from the server, the connection is marked ready for close. Default is 30 seconds. The time, in seconds, that the firewall will wait before timing out UDP packets. Default is 600. The time, in seconds, that the firewall will wait before timing out ICMP packets. Default is 15. This is the timeout for any supported protocol other than TCP, UDP or ICMP. After a connection is marked as ready to close, the GTA firewall will wait five seconds before it actually closes the connection. This gives redundant IP packets a chance to clear the GTA firewall without causing false doorknob twist error messages. Default is 600 (10 minutes). If your firewall is experiencing spurious Remote Access Policy blocks from reply packets, typically from port 80 (the Internet), you may want to increase this value, giving packets from slow or distant connections more time to return before the connection is closed. Default value is 20 seconds.
Description
Wait for ACK
UPD Timeout ICMP Timeout Default Timeout
Wait for close
20
NAT
NetworkAddressTranslation(NAT)translatesanIPaddressbehindthefirewalltotheIPaddressofthe externalnetworkinterface,disguisingtheoriginalIPaddress.NATisappliedintheConsoleinterface usinginboundtunnelsandstaticmapping. Inboundtunnelsallowexternalhoststoinitiateconnectionswithinternalhostsusingservicegroups (e.g.TCP,UDP,ICMPorHTTP).Normallythefirewallblocksallinboundtraffictotheinternalnetworks. Tunnelsallow,forexample,computerssuchasWeb(port80)serversonaPSNtobereachedfromthe Internet. TunnelscanbedefinedfortrafficfromeitherexternalnetworksorthePSN.Tunnelsaretypicallyused withinboundconnections,theyarenotnormallyusedfortrafficinboundfromaprotectednetwork interface,whichisbydefaultallowedaccesstotheotherlogicalnetworktypeswithoutuseofatunnel. Tunnelscanbecreatedfortheseinboundconnections: FromanexternalnetworkinterfacetoahostonaPSN. Fromanexternalnetworkinterfacetoahostonaprotectednetwork. FromaPSNinterfacetoahostonaprotectednetwork. TunnelsaredefinedbyaninterfaceandserviceIPandaninternaldestinationIPaddress. Onlytheexternaldestinationsideofthetunnelisvisible.Sincetunnelstransparentlyforwardthe connectionusingNAT,auserontheexternalnetworksidewillneverseetheultimatedestinationofthe tunnel.Thetunnelappearstobeaserviceoperatingonthefirewall. IfatunneloriginatesfromanIPaliasaddress,youmayneedtomapthedestinationhosttotheIPalias usingstaticaddressmappingsothatsecondaryconnectionsappeartooriginatefromthesameaddress asthetunnel. Toconfigureinboundtunnels,navigatetoConfig>Network>NAT>Inbound Tunnels.TheInbound Tunnelsscreenwill displayalldefinedinboundtunnels,ifany.PressEntertoeditanexistingalias,orpressInsertortheIkey tocreateanewalias.
Inbound Tunnels
Figure 4.17: Creating an Inbound Tunnel
21
Table 4.11: Inbound Tunnels

Field
Disable Description From
Description
A toggle for whether the inbound tunnel should be disabled or not. Default is off. A short description to identify the function of the inbound tunnel. Select the IP Protocol to be used by the inbound tunnel. Select the external destination IP address of the tunnel. Select the internal destination IP address of the tunnel. A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Default is enabled. Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. Default is off. Hides the source of the inbound tunnel connection. Useful for when the GTA firewall is used on an intranet. Default is off. A toggle for whether TCP SYN Cookies should be used or not. Default is on.
Service To
Automatic Accept All Policy Require Authentication Hide Source SYN Cookies
22
StaticaddressmappingallowsaninternalIPaddressorsubnettobestaticallymappedtoaninterface duringNAT.Bydefault,allIPaddressesontheprotectednetworksandPSNsaredynamicallyassigned totheprimaryIPaddressoftheoutboundnetworkinterface.Staticaddressmappingisusedwhenitis desirabletostaticallyassigntheIPaddressusedinNAT. Tousestaticaddressmapping,firstassignatleastoneIPaliastothedesiredoutboundnetwork interface(externalnetworkinterfaceorPSNinterface). ThetargetofamapdefinitionmustbeanIPaliasorinterface. Mappingisonlyassociatedwithoutboundpacketflow. Mapdefinitionsmaybeforasinglehostorasubnet. Toconfigurestaticaddressmapping,navigatetoConfig>Network>NAT>Static Address Mapping.TheStatic Address Mappingscreenwilldisplayalldefinedstaticaddressmappings,ifany.PressEntertoeditanexisting alias,orpressInsertortheIkeytocreateanewalias.
Static Address Mapping
Figure 4.18: Creating a Static Address Mapping
Table 4.12: Static Address Mapping

Field
From (source) Object IP Address Select the address object that will be mapped. If an address object cannot be used, enter the IP address and subnet mask that will be mapped (e.g., to a map a single IP address, use a subnet mask of /32 (255.255.255.255)) by selecting <USER DEFINED>. Select the address object representing the IP address to which the source will be mapped.
Description
To Interface
23
Pass Through
ThePass ThroughsectioncontainsHosts/Networks,whichspecifiesanIPaddress,subnetornetworkthatwill nothaveNATappliedtoitstraffic.
Hosts/Networks
Hosts/NetworksspecifiesanIPaddress,subnetornetworkthatwillnothaveNATappliedtoitstraffic.See productspecificationsforthenumberofpassthroughhosts/networksavailableonaspecificmodel.
ToconfigurehostsornetworksthatwillbypassNAT,navigatetoConfig>Network>Pass Through>Hosts/Networks. TheHosts/Networksscreenwilldisplayalldefinedhostsornetworks,ifany.PressEntertoeditanexisting hostornetwork,orpressInsertortheIkeytocreateanewhostornetworkdefinition.
Figure 4.19: Defining a Host or Network
Table 4.13: Hosts/Networks

Field
Address Interface Allow Inbound Object
Description
Select the address object that will be used as the host member. If an address object cannot be used, select <USER DEFINED> as the ObjeCt and enter the IP address and subnet mask that will be mapped (e.g., to a map a single IP address, use a subnet mask of /32 (255.255.255.255)). Select the destination interface that should not apply NAT when outbound IP packets are received. Enable to accept unsolicited IP packets from the specified IP address. Disabled by default.
24
Routing
TheRoutingsectioncontainsRIP,whichisusedtoreceiveroutingtables,andStatic Routes,whichareused todefinestaticpathsbetweenoneinternalsubnetandanother.
RIP
RIP(RoutingInformationProtocol)istypicallyusedbyrouterstoreceiveupdatedroutingtables.RIPis anIProutingprotocolthatallowsbroadcastingand/orlisteningtoroutinginformationinordertochoose themostefficientrouteforapacket.HostsusingRIPselecttheroutesthatusethefewesthops,or selectanalternatepathifarouteisdownorhasbeenslowedbyhightraffic.RIPislimitedto15hops; morethanthat,andtherouteisflaggedasunreachable. CAUTION

Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks and acceptance of RIP sources can compromise network security.
RIPisdisabledbydefaultonGB-OS,soroutinginformationtoredirectpacketsisnotacceptedfrom externalsources.IfRIPisenabled,thefirewallcanreceiveand/orbroadcastroutinginformationfor eitherRIPversion1or2. ToconfigureRIP,navigatetoConfig>Network>Routing>RIP.TheRIPscreenwilldisplayalldefinedinterfaces andtheirRIPconfiguration.TherearetwocheckboxesavailableontheRIPscreen,enableandaDveRtIse Default Route.Toggletheenablecheckboxtoenabletheservice.EnabletheaDveRtIse Default Route checkboxifyouwishtodosoonanyprotectednetworkorPSNonwhichRIPisenabled.PressEnterto editanexistinghostornetwork,orpressInsertortheIkeytocreateanewhostornetworkdefinition.
Figure 4.20: RIP Setup
25
Table 4.14: Edit RIP Interface

Field
Enabled Input Interface
Description
Enables the RIP interface. The interface for which RIP is being configured. Not configurable. Controls how RIP is implemented. input determines whether any version of RIP will be accepted from other routers. The choices are: <1>: Version 1 RIP is accepted or exported. <2>: Version 2 RIP is accepted or exported. <Both>: Both version 1 and 2 are used. Controls how RIP is implemented. Output determines whether any version of RIP will be exported or broadcast. The choices are: <1>: Version 1 RIP is accepted or exported. <2>: Version 2 RIP is accepted or exported. <Both>: Both version 1 and 2 are used. Type of encryption that will be used. If an encryption is selected, the password field is enabled. Encryption types are: None, Clear and MD5. This only applies to RIPv2 Password that must be used to collect routing information through RIPv4. Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used.
Output
Password Type Password Key ID
26
Static Routesdefineroutingpathsbetweenonesubnetandanother.Staticroutessupersedethedefault gatewaydefinedinConfig>Network>Settings. Definingastaticrouteisusefulwhenthereisarouterbetweendifferentpartsofaninternalnetwork, creatingmultiplesubnetswithinyourinternalnetwork.Withoutastaticroute,thefirewallroutesalltraffic, evenifitshouldbedirectedtoadifferentsubnetontheinternalnetwork.Trafficwillnottravelfrom internalsubnetsinthiscase,causingspoofingmessages.Staticroutessolvethisproblembydiverting internaltrafficbacktotheappropriateinternalsubnetbeforeitreachesagateway. Usingastaticroute,thefirewallcorrectlyroutesinternalmulti-subnettraffictootherinternalIPs. Toconfigurestaticaddressmapping,navigatetoConfig>Network>Routing>Static Routes.TheStatic Routesscreen willdisplayalldefinedstaticroutes,ifany.PressEntertoeditanexistingstaticroute,orpressInsertor theIkeytocreateanewhostornetworkdefinition.
Static Routes
Figure 4.21: Static Route Setup
Table 4.15: Configuring Static Routes

Field
Network Object IP Address Gateway Object IP Address IP address or interface object of the destination/gateway (default route) selected for this static route. If <USER DEFINED> has been selected for the gateways ObjeCt, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation. IP address(es) whose traffic will be subject to the static route, either by selecting the appropriate interface object. If <USER DEFINED> has been selected for the networks ObjeCt, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
Description
27
Security Policies
PoliciescontrolaccesstoandthroughtheGTAfirewall.Theimplicitrule,thatwhichisnotexplicitly allowedisdenied,appliestobothoutboundandinboundpackets.Unlessapolicyisinplaceallowing forasituationwhereapacketisaccepted,itwillalwaysbedeniedbydefault. TheConsoleinterfaceonlyallowsforthedefaultingofpolicysets.Todefinesecuritypolicies,itis requiredtologintotheWebinterfacetodoso.
Preferences
Policypreferencesallowthefirewalladministratortogloballydefinemostloggingandpolicydefinitions foralldefinedpoliciesinonelocation.Loggingoptionsforautomaticpolicies,tunnelconnections (opensandcloses)andpolicyblocksmaybeselected. FromthealaRmssectionthefirewalladministratorcansetthedefaultparametersforalarmnotifications. Whenapolicyismatched,analarmeventisactivated.Eachalarmeventincrementsthealarmcountby one.Ifeitherthetimeornumberofalarmsthresholdisexceeded,anotificationwillbesentdocumenting alltheevents.Multiplemessageswillbesentifthenumberofeventsexceedsthemaximumcount. FromtheGeneRalsectionthefirewalladministratorcanenableordisableautomaticpolicies,generate alarms,sendemail,sendanICMPservicenotavailablemessage,orloganevent. Tosetpolicypreferences,navigatetoConfig>Security Policies>Preferences.
Figure 4.22: Policy Preferences
Table 4.16: Policy Preferences

Field
Alarms Send email for alarms... Maximum Alarms per Email Attempt to Log Host Names Page When Threshold Reached Sets the intervals for when an email should be dispatched to the firewalls administrator. Maximum number of alarm messages included in a per email message. An alarm message is generally 200 bytes. Attempt to resolve the host name of the IP address that generated the alarm. If pager is enabled and enabled, a pager notification is sent when an alarm threshold is exceeded.
Description
28
Table 4.16: Policy Preferences

Field
General Automatic Policies Deny Address Spoof Deny Fragments Options: Enable/Disable; Log. GTA recommends leaving automatic policies enabled. Always enabled. Options: Alarm, Email, Log. Always enabled. Options: Alarm, Email, ICMP, Log. Options: Enable/Disable, Log. Can be used to block some fragment attacks. GTA recommends leaving this option disabled. Always enabled. Option: Log packets. Always enabled. Option: Enable/Disable, Log. Options: Enable/Disable, Log. Options: Enable/Disable, Log. Options: Enable/Disable, Log. Stealth mode has priority over all filters. Always enabled. Option: Log, enabled by default. Always enabled. Option: Log, enabled by default.
Description
Deny Doorknob Twist
Deny Invalid Packets Stealth Mode
Deny Unexpected Packets
TCP Syn Cookies Tunnel Opens Policy Blocks
Tunnel Closes
Reset to Factory Defaults

Reset to Factory DefaultswillresetallGTAfirewallconfigurationparametersbacktotheiroriginalfactory settings.ThisfunctionisexclusivetotheConsoleinterfaceforultimatesecurity.ToresetyourGTA firewall,navigatetoConfig>Reset to Factory Defaults. CAUTION
Resetting your GTA firewall to factory defaults will wipe out all previously configured settings.
OnceyouhaveusedReset to Factory Defaults,youmustconfigureyourfirewallagain.Forconfiguringyour GTAfirewall,pleaserefertotheGB-OS Users Guide. Whenthemenuitemisselected,apop-upwindowisdisplayedwhichrequestsconfirmationofthereset request.SelecttheOKbuttontoconfirmthecommand.
29
Tools
TheToolssectioncontainsanumberoftoolsusefulforadministratingandtroubleshootingthefirewalls configuration.
Figure 4.23: The Tools Menu
Shutdown
TheShutdownconfigurationscreen,locatedatTools>Shutdown,containshaltandrebootservices.
Halt
Haltproperlyshutsdownallservices,preparingthefirewallsoitcanbepoweredoff.Oncehalted,the firewallmustberestartedfromtheconsoleinterfaceorbephysicallyreset. Tohaltthefirewall,navigatetoTools>Shutdown>Halt.Whenthemenuitemisselected,apop-upwindow isdisplayedwhichrequestsconfirmationofthehaltrequest.SelecttheOKbuttontoconfirmthe command.
Reboot
Rebootrestartsthefirewall.Torebootthefirewall,navigatetoTools>Shutdown>Reboot.Whenthemenuitemis selected,apop-upwindowisdisplayedwhichrequestsconfirmationoftheresetrequest.SelecttheOK buttontoconfirmthecommand.
Network Diagnostics
TheNetwork Diagnosticsconfigurationscreen,locatedatTools>Network Diagnostics,containspingandtraceroute tests,whichareusefulforverifyingconnectivity.
Flush ARP Table

TheARPTablelistcontainsalistofcurrentlyknownARPaddresses.ThelistcontainstheIPaddressto MACaddresstranslationsandtheTTL(TimetoLive)foreachentry.ARPtableentriesarekeptfor20 minutesandarescannedeveryfive(5)minutestocheckforexpiredentries.Onceanentryisexpired, thefirewallwillnottrytore-maptheaddressfor20seconds. FlushingtheARPTablewillclearthecacheofIPaddressesresolvedbytheaddressresolutionprotocol andrecordedintheARPtable. ToflushtheARPTable,navigatetoTools>Network Diagnostics>Flush ARP Table.Whenthemenuitemisselected, apop-upwindowisdisplayedwhichrequestsconfirmationoftheresetrequest.SelecttheOKbuttonto confirmthecommand.
30
Ping
ThepingfunctionexecutesthenetworkpingconnectivitytestbyusingtheICMPprotocol.Thepingis executedfromtheGTAfirewall,notfromyourcomputer.PinginganIPaddressisusefulforverifying connectivityfromthefirewalltoanytargethostontheexternalorinternalnetwork. ThefirewallwillattempttosendfiveICMPpingpacketstothetargetdestinationandwilldisplayrelevant statistics. TopinganIPaddressordomainname,navigatetoTools>Network Diagnostics>Ping,entertheaddressintothe HostfieldandselecttheOKbutton.
Figure 4.24: Pinging an IP Address
Trace Route
ThetraceroutefunctionperformsaroutingtracefromthefirewalltoadesignatedIPaddressordomain name.LikePInG,tRaCe Routeisusefulfortestingnetworkconnectivity.Todeterminewhetherarouteto anInternethostisviable,thetraceroutefunctionlaunchesUDPprobepacketswithashorttimetolive (TTL),andthenlistensforanICMPtimeexceededreplyfromagateway. Whenthetraceisactive,threeprobesarelaunchedfromeachgateway,withtheoutputshowingtheTTL, addressofthegateway,androundtriptimeofeachprobe. TotraceanIPaddressordomainname,navigatetoTools>Network Diagnostics>Trace Route,entertheaddress intotheHostfieldandselecttheOKbutton.
Figure 4.25: Tracing an IP Address

31
Interfaces
TheInterfacesconfigurationscreen,locatedatTools>Interfaces,allowsanetworkinterfaceonthefirewall tobeEnabled(upandcapableofsending/receivingpackets),or<Disabled>(downandincapableof sending/receivingpackets). CAUTION
Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.
Totoggleaninterfacetobeenabledordisabled,navigatetoTools>Network Diagnostics>Interface,highlightthe selectedinterfaceandhitthespacebar.
Figure 4.26: Enabling an Interface
32
Reports
TheReportssectioncontainsthehardwarereport,whichisusefulfortroubleshootingpurposes.
Figure 4.27: The Reports Menu
Hardware
TheHardwareReportgeneratesareportofthehardwarecomponentsdetectedinyoursystemandis usefulindiagnosinghardwareproblems.Ifyoususpectahardwareproblem,generatethisreportand reviewthehardwarelisted.GTAstechnicalsupportstaffmayalsorequestacurrenthardwarereportin ordertoresolveaGTAfirewallissue. Torunthehardwarereport,navigatetoReports>Hardware.
Figure 4.28: Running the Hardware Report
33
Reference A: User Interface

TheConsoleinterfaceisaGUI-basedinterfaceofhierarchicalmenus.Asthenameimplies,theConsole interfaceonlyoperatesontheGTAfirewallconsole;youcanaccesstheinterfaceviaaworkstation attachedtothefirewallthroughtheserialportandusingaterminalemulatorsuchasTeraTerm. TheConsoleinterfacecanonlybeusedtoperformlimitedconfigurationtasks,asitisprimarilyusedasa fail-safe.ItisbestsuitedforadministrativetaskswhentheWebinterfaceisnotavailable. CAUTION
Configuration data is read by the Console interface only once a session, when the administrator logs on. This means that if the configuration is modified via the Web interface during a Console session, the new data will not appear on the Console interface, and subsequent changes made using Console will overwrite the changes made remotely.
Figure A.1: The Console Interface
Features: Physicalaccesscontrol(oneaccesspoint)whenusedastheonlyaccesstothefirewall. Resetcapability. Fail-safeaccesstofirewall.
34
Keystroke Commands
Alldataentryandinterfacenavigationisdoneusingthekeyboardattachedtotheterminalorworkstation runningterminalemulationsoftware. Table A.1: Keystroke Commands
Keystroke Command
<Esc> <F2> <F6> <F7> <F8> or <Tab> <F10> <F12>
Description
Exit/Cancel Display all list choices Clear field Previous field Next field Ok/Save Toggle color display Delete or backspace Toggle choice list / Select highlighted button Insert line item
<Del> or <Backspace> <Spacebar> <Insert> or <I>
Navigation
AlthoughtheConsoleinterfacesdisplaymayvarybaseduponyourmethodofconnection,allvariations usethefollowingmenus,buttons,fieldsandlistsinnavigation.
Menus
Therearefivetop-levelmenusintheConsoleinterface:Config,Tools,Reports,ExitandHelp.Most configurationitemsarefoundundertheConfigmenu.Toolsusefulfortroubleshootingyourfirewalls configurationarelocatedundertheToolsmenu.ReportscontainstheHardware Report,whichgeneratesa reportonyourfirewallshardwareconfiguration.ExitincludesthecommandtoexittheConsoleinterface, whileHelpwilldisplaytheGB-OSversionnumber. Usethekeyboardarrowkeystomovethroughthemenusandpressthe<Return>or<Spacebar>keyto selectthefunctioncurrentlyhighlighted.
Figure A.2: Menus
35
Buttons
ButtonsarefieldswhichappearsimilartotheWebinterfacesbuttons;theseConsolebuttonfieldscan beselectedbypressing<Return>or<Spacebar>whenthefieldishighlighted. Table A.2: Buttons
Keystroke Command
Cancel Default Save
Description
Saves the configuration screen. Cancels changes and exits the configuration screen or section. Exits the screen, or executes an administrative action. Creates configuration settings in the section that conforms to the GTA firewalls settings; not factory settings. Sends email.
OK
Send
Entry, Choice, Check, and Item List Fields

FieldsintheConsoleinterfacecanbedataordataentryfields,choice/selectionfields,checkfieldsand itemlistfields. Datafieldsarerepresentedbyeitherablanklineoralinewithadefaultorplaceholderentry (e.g.,0.0.0.0/24)asadataformatexample.Somefieldsareprefilledbythesystemandwillbe unavailablefordataentry. Choicefieldsoffertheuseranumberofitemsfromwhichtoselectthedesiredentry;scrollthroughthe availableselectionsbypressingthe<SpaceBar>. Checkfieldsareeitherenabled[X]ordisabled[ ].Usethe<SpaceBar>keytotoggleacheckfield. ItemListfieldsrepresenttheitemsthathavebeenenteredinsectionswithmorethanoneitem.Seethe editscreenforthesebyhighlightingtheselecteditemandpressing<Return>.
36
Copyright 1996-2010,GlobalTechnologyAssociates,Incorporated(GTA).Allrightsreserved. Exceptaspermittedundercopyrightlaw,nopartofthismanualmaybereproducedordistributedinanyformorbyanymeans withoutthepriorpermissionofGlobalTechnologyAssociates,Incorporated. Technical Support GTAincludes30daysupandrunninginstallationsupportfromthedateofpurchase.SeeGTAsWebsiteformore information.GTAsdirectcustomersintheUSAshouldcalloremailGTAusingthetelephoneandemailaddressbelow. InternationalcustomersshouldcontactalocalAuthorizedGTAChannelPartner. Tel:+1.407.380.0220 Email:support@gta.com Disclaimer NeitherGTA,noritsdistributorsanddealers,makeanywarrantiesorrepresentations,eitherexpressedorimplied,as tothesoftwareanddocumentation,includingwithoutlimitation,theconditionofsoftwareandimpliedwarrantiesofits merchantabilityorfitnessforaparticularpurpose.GTAshallnotbeliableforanylostprofitsorforanydirect,indirect, incidental,consequentialorotherdamagessufferedbylicenseeorothersresultingfromtheuseoftheprogramorarisingout ofanybreachofwarranty.GTAfurtherreservestherighttomakechangestothespecificationsoftheprogramandcontentsof themanualwithoutobligationtonotifyanypersonororganizationofsuchchanges. Mentionofthird-partyproductsisforinformationalpurposesonlyandconstitutesneitheranendorsementnora recommendationfortheiruse.GTAassumesnoresponsibilitywithregardtotheperformanceoruseoftheseproducts. Everyefforthasbeenmadetoensurethattheinformationinthismanualisaccurate.GTAisnotresponsibleforprintingor clericalerrors. Trademarks & Copyrights GB-OS,SurfSentinel,MailSentinelandGB-WareareregisteredtrademarksofGlobalTechnologyAssociates,Incorporated. GBCommanderisatrademarkofGlobalTechnologyAssociates,Incorporated.GlobalTechnologyAssociatesandGTAare servicemarksofGlobalTechnologyAssociates,Incorporated. Microsoft,InternetExplorer,MicrosoftSQLandWindowsareeithertrademarksorregisteredtrademarksofMicrosoft CorporationintheUnitedStatesand/orothercountries. AdobeandAdobeAcrobatReaderareeitherregisteredtrademarksortrademarksofAdobeSystemsIncorporatedinthe UnitedStatesand/orothercountries. UNIXisaregisteredtrademarkofTheOpenGroup. LinuxisaregisteredtrademarkofLinusTorvalds. BINDisatrademarkoftheInternetSystemsConsortium,IncorporatedandUniversityofCalifornia,Berkeley. WELFandWebTrendsaretrademarksofNetIQ. Sun,SunMicrosystems,SolarisandJavaaretrademarksorregisteredtrademarksofSunMicrosystems,Inc.intheUnited Statesand/orothercountries. JavasoftwaremayincludesoftwarelicensedfromRSASecurity,Inc. SomeproductscontainsoftwarelicensedfromIBMareavailableathttp://oss.software.ibm.com/icu4j/. SomeproductsincludesoftwaredevelopedbytheOpenSSLProject(http://www.openssl.org/). MailshellandMailshellAnti-SpamisatrademarkofMailshellIncorporated.Someproductscontaintechnologylicensedfrom MailshellIncorporated. Allotherproductsaretrademarksoftheirrespectivecompanies.
. Global.Technology.Associates,.Inc.
3505 Lake Lynda Drive, Suite 109 Orlando, FL 32817 USA Tel: +1.407.380.0220 Fax: +1.407.380.6080 Web: http://www.gta.com Email: info@gta.com
38
Copyright

Console Guide 5.4

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Console Guide 5.4

Caricato da

Copyright:

Formati disponibili

GB-OS 5.

Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com Web: www.gta.com

GB-OS Console Users Guide

GB-OS Console Users Guide

About This Guide

OrganizationofthechaptersinthisguideisaccordingtotheConsoleinterfacesmenustructure.The exceptionstothisruleincludetheReferencechapters.Forthelocationofspecifictopics,pleaseseethe tableofcontents.

ThesemanualsandotherdocumentationcanalsobefoundontheGTAWebsite(www.gta.com). DocumentsontheWebsiteareeitherinplaintext(*.txt)orportabledocumentformat(*.pdf)which requiresAdobeReaderversion7.0orgreater.AfreecopyofAdobeReadercanbeobtainedfromwww. adobe.com.

GB-OS Console Users Guide

GB-OS Console Users Guide

Connecting to the Console Interface

Connecting to the Console Interface

Figure 2.1: Connecting to the Console Interface

Connecting to the Console Interface

GB-OS Console Users Guide

ToconnecttotheGTAfirewallusingacomputerrunningterminalemulationsoftware,enterthefollowing settings: Table 2.1: Connecting to the Console Interface

PowerontheGTAfirewall.Oncebooted,youwillbepromptedforthefirewalladministratorsuserID andpassword(defaultsarefwadmin).Theconfigurationmenuscreen(similartotheillustrationbelow) shouldappear.

Figure 2.2: The Console Interface

Connecting to the Console Interface

GB-OS Console Users Guide

Resetting the firewall to factory defaults

How do I reset my firewall to factory defaults?

Toresettofactorydefaults,typethewordyesinlower caseletters.Typinganyotherkeywillrebootthe systemwithoutresettingtodefaults.Ifthereisnoinputaftertwominutes,thefirewallwillcontinueits bootprocess.

GB-OS Console Users Guide

Switching the firewalls active slice

How do I switch between slices?

3. SwitchtotheWebinterfacetomakeadvancedconfigurationchanges;thecurrentlyselected slicewillloadbydefaultuntilanotherisselected. 4. Toreverttothelastconfiguration,rebootthefirewallusingtheconsoleinterfaceandselect memoryslice1. Note

GB-OS Console Users Guide

Using the Console Interface

Figure 4.1: The Console Interface

Using the Console Interface

GB-OS Console Users Guide

Figure 4.2: The Config Menu

Figure 4.3: Verifying the Configuration

Using the Console Interface

GB-OS Console Users Guide

Figure 4.4: Emailing the Configuration

Using the Console Interface

GB-OS Console Users Guide

Figure 4.5: Entering Activation Codes

Using the Console Interface

GB-OS Console Users Guide

Figure 4.6: Entering Contact Information

Table 4.1: Contact Information

Support Email Address

Using the Console Interface

GB-OS Console Users Guide

Figure 4.7: Setting the Firewalls Date and Time

Table 4.2: Date/Time

Using the Console Interface

GB-OS Console Users Guide

Figure 4.11: Address Objects

Using the Console Interface

GB-OS Console Users Guide

Figure 4.12: Remote Administration

Table 4.6: Remote Administration

Using the Console Interface

GB-OS Console Users Guide

Generating SSL Certificates EachtimeGB-OSisupdated,theSSLcertificateisrenewedforaperiodofoneyearfromtherelease builddate.YoumayalsomanuallygenerateanewcertificatebyusingtheNew SSL CertifiCatebutton. ThiscreatesanewSSLcertificateforthefirewall,whichisvalidforoneyearfromitscreationdate. Note

Using the Console Interface

GB-OS Console Users Guide

Figure 4.13: Network Settings

Entering the Host Name

Entering the Default Route

Defining Network Interfaces

ThesemanualsandotherdocumentationcanalsobefoundontheGTAWebsite(www.gta.com). DocumentsontheWebsiteareeitherinplaintext(.txt)orportabledocumentformat(.pdf)which requiresAdobeReaderversion7.0orgreater.AfreecopyofAdobeReadercanbeobtainedfromwww. adobe.com.