Console User's Guide
GBOSCG201009-01
Global Technology Associates, 3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817
Table of Contents
Introduction (page 1)
  About This Guide (page 1)
  Conventions (page 1)
  Additional Documentation (page 1)
Connecting to the Console Interface (page 3)
Common Tasks (page 5)
  Resetting the firewall to factory defaults (page 5)
  Switching the firewall's active slice (page 6)
    How do I switch between slices? (page 6)
Using the Console Interface (page 7)
  Config (page 8)
    Configuration Verification (page 8)
    Email Configuration (page 9)
    System (page 10)
      Activation Codes (page 10)
      Contact Information (page 11)
      Date/Time (page 12)
      Objects (page 13)
        Address Objects (page 13)
    Accounts (page 14)
      Remote Administration (page 14)
    Encryption (page 15)
      Generating SSL Certificates (page 15)
    Network (page 16)
      Settings (page 16)
        Entering the Host Name (page 16)
        Entering the Default Route (page 16)
        Defining Network Interfaces (page 16)
      Aliases (page 19)
      Timeouts (page 20)
      NAT (page 21)
        Inbound Tunnels (page 21)
        Static Address Mapping (page 23)
      Pass Through (page 24)
        Hosts/Networks (page 24)
      Routing (page 25)
        RIP (page 25)
        Static Routes (page 27)
    Security Policies (page 28)
      Preferences (page 28)
      Reset to Factory Defaults (page 29)
  Tools (page 30)
    Shutdown (page 30)
      Halt (page 30)
      Reboot (page 30)
    Network Diagnostics (page 30)
      Flush ARP Table (page 30)
      Ping (page 31)
      Trace Route (page 31)
    Interfaces (page 32)
  Reports (page 33)
    Hardware (page 33)
Reference A: User Interface (page 34)
  Keystroke Commands (page 35)
  Navigation (page 35)
    Menus (page 35)
    Buttons (page 36)
    Entry, Choice, Check, and Item List Fields (page 36)
Introduction
About This Guide

GTA Firewall UTM Appliances, powered by GB-OS, are predominantly administered using the platform-independent Web interface. A second user interface, the Console interface, allows the user to default policies in case of a configuration error, recover a GTA Firewall UTM Appliance, reset a misconfigured firewall to defaults and perform basic configuration tasks.

The Console interface is a GUI-based interface of hierarchical menus. It operates only on the GTA firewall console; it cannot be accessed in any other way. The Console interface should only be used for basic configuration or for recovery purposes. Comprehensive configuration settings are only available from the Web interface.

In this guide, the Console interface is illustrated and described in the order the functions appear in the Console interface menus. Navigation, common keystrokes, menu items and buttons are explained in Reference A: User Interface.
Conventions
A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.
| Convention | Used for |
|---|---|
| Italics | Emphasis |
| Bold Italics | Publications |
| Blue Underline | Clickable hyperlink (email address, Web site or in-PDF link) |
| Small Caps | On-screen field names |
| Monospace Font | On-screen text |
| Condensed Bold | On-screen menus, menu items |
| Bold Small Caps | On-screen buttons, links |
Additional Documentation
For additional instructions on installation, registration and setup of a GTA product, see the applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate feature guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site.

Note: For the latest documentation, check the GTA Web site for current PDFs.
Available Documentation
| Document | Topics |
|---|---|
| GB-OS Users Guide | GB-OS features and Web user interface. |
| GB Commander Product Guide | GB Commander for GTA firewalls. |
| GTA Reporting Suite Product Guide | GTA Reporting Suite stand-alone reporting software. |
| Mail Sentinel Option Guide | Email anti-spam and anti-virus filtering optional feature. |
| Surf Sentinel Content Filtering Option Guide | Content filtering optional feature. |
| H2A High Availability Option Guide | High availability optional feature. |
| GTA VPN Option Guide | VPN (virtual private networks) feature. |
| www.gta.com | Hardware specifications, current documentation, examples. |
Connecting to the Console Interface

[Figure: a PC workstation connected to the GTA firewall (GB-2000) by a serial cable]
1. Connect the GTA firewall to the workstation. To connect to the Console interface, connect your GTA firewall to a PC workstation using the serial port and boot up the firewall.
2. Configure the terminal emulation software. Enter the appropriate settings to emulate the console connection.
3. Enter the firewall administrator's user name and password.

| Setting | Value |
|---|---|
| Terminal emulation | VT-100 or PuTTY |
| Connection | COM port connected via DB-9 cable to the firewall |
| Data/Bit Rate | 38400 |
| Data bits | 8 |
| Parity | None |
| Stop | 1 |
| Flow Control | Hardware |
Common Tasks
In most circumstances, the Console interface is used as an effort of last resort. Since configuration options are limited, firewall administrators generally use the Console interface when the Web interface is no longer accessible. Common tasks that are performed include resetting the firewall to factory defaults and switching the firewall's active slice.

Note: This chapter only applies to issues that can be resolved using the Console interface. For more troubleshooting issues and solutions, refer to the GB-OS Users Guide.
Resetting the Firewall to Factory Defaults

When the word "loading" appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:
Are you sure you want to reset your firewall configuration?: (yes or no)
Using the Console Interface

Note: For information on the Console interface's user interface, refer to Reference A: User Interface.
Config
The Config menu contains commands related to the setup and configuration of the GTA firewall. The Console interface is limited in its configuration options. To properly administer the firewall, use the Web interface.
Configuration Verification
Configuration Verification will run a system configuration check on the GTA firewall. The check will verify all areas of the firewall's configuration. After you have configured your GTA firewall, run a configuration verification to ensure that you have a valid configuration. Verification happens every time a section or configuration is saved.

To verify your configuration, navigate to Config > Configuration Verification.
Email Configuration
The Email Configuration sub-section allows the user to email the firewall's configuration to the entered recipient. This function is useful for technical support purposes. Email Configuration allows the user to email a copy of the system information to a designated email address. Email Configuration sends an email with these reports:

- A Configuration Report (HTML)
- A Hardware Configuration Report
- A Verification Report
- A copy of the current routing table
- A copy of the current ARP table
- Active VPNs
- Active Policies
- Authenticated ARP Table
- Audit Events
- Current Statistics
- Hardware Summary
- IPsec Tunnels
- Mail Sentinel Policies, Routes, Statistics (XML)

Enter any additional information in the Comment(s) field. To email your firewall's configuration, navigate to Config > Email Configuration.
System
The System menu item contains menu options for configuring activation codes, contact information, the firewall's date and time, and address objects.
Activation Codes
In Activation Codes, the administrator can enter the GTA firewall's serial number and optional feature activation codes for options such as H2A High Availability, Surf Sentinel, Mail Sentinel Anti-Spam & Anti-Virus or GTA Mobile VPN Client licenses. Activation codes entered during installation or pre-installed with hardware appliances will also appear.

Activation codes are provided with software or feature registration. Enter GTA firewall activation codes by highlighting the selected row and hitting <Return> to edit or <Insert> or the I key to add. Select Save. The system will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version.

To enter activation codes, navigate to Config > System > Activation Codes.

Note: Activation codes will not function without the system serial number entered in the Serial field. GTA Firewall UTM Appliances have the serial number pre-installed. The firewall's serial number can also be found on the card that shipped with the firewall or in the GTA Online Support Center.
Contact Information
Contact Information stores information about the firewall administrator. This information is used by email, reports and list functions.

To enter the firewall administrator's contact information, navigate to Config > System > Contact Information.

| Field | Description |
|---|---|
| Name | Enter the firewall administrator's name. |
| Company | Enter the firewall administrator's company. |
| Email Address | Enter the firewall administrator's email address. |
| Phone Number | Enter the firewall administrator's phone number. |
| Support Email | Enter the email address to be used for technical support. Default is gb-config@gta.com. |
Date/Time
Since the firewall's date and local time are used to tag log messages, having the firewall configured to operate on accurate time settings is important. The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone.

To set your firewall's date and time, navigate to Config > System > Date/Time.

| Field | Description |
|---|---|
| Date | Enter the current date as YYYY-MM-DD. |
| Time | Enter the current time (in 24 hour format) as HH:MM:SS. |
Objects
Using objects increases speed and consistency when creating a configuration with GB-OS. A user need only define an address or group of addresses, an interface, or a configuration once, then select the object in each screen where that definition is required. Once the object is created, the user will only need to change the object to change the definition in all the locations where it is used.

In the Console interface, only address objects are available for configuration. To configure all other objects, it is necessary to log in to the Web interface.

Address Objects

The address object list displays the name and description of all defined address objects. When using the Console interface, users can reset and save the address objects. Editing or inserting new address objects is not possible.

To view or reset the address object list, navigate to Config > System > Objects > Address Objects.
Accounts
The Accounts section contains configuration screens that display options for remote administration.

Note: Administration accounts are only configurable via the Web interface. For more information, refer to the GB-OS Users Guide.
Remote Administration
Remote Administration controls remote administration via the Web interface, and whether a VPN connection requires User Authentication. The default settings enable remote administration and the ability to apply updates. The Web interface is served on standard TCP port 443 for SSL encryption.

To configure remote administration preferences, navigate to Config > Accounts > Remote Administration.

Options listed on this screen: Automatic All; Automatic Protected.
Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encrypted administration requires a remote access policy with a port that matches the remote administration port (443, by default).

Generating SSL Certificates

SSL certificates include three validity checks:
1. An issuer, or self-issued certificate authority.
2. A date, which will be the date of certificate generation.
3. A name, which will be the firewall's host name.

To create a certificate in which the name on the security certificate matches the name on the site, the host name found in Config > Network > Settings must match the name given to the firewall in the DNS server. If you cannot match the host name, you may instead add the host name to the LMHOSTS file on Windows computers.

Table 4.7: Encryption Levels

| Level | Key Strength | Description |
|---|---|---|
| None | n/a | Disables SSL encryption. |
| All | n/a | Accepts low/medium/high levels of encryption. |
| Low | 40-, 56-, 64-bit | A low level of SSL encryption. Easier to break. |
| Medium | 128-bit | A medium level of SSL encryption. Harder to break. |
| High | 168-bit | A high level of SSL encryption. Difficult to break. |
Network
The Network section allows for the configuration of the firewall's network settings, aliases, timeouts, NAT (Network Address Translation), pass through and routing.
Settings
Much of the data found in Network Settings will have been entered during installation, including the required protected and external network.

To define your network's settings, navigate to Config > Network > Settings.
Entering the Host Name

The host name, defined in the Host name field, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Entering the Default Route

The default gateway, defined in the Default Route field, is a node on the network that serves as an access point to another network, usually the Internet. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface. If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the Default Route field is not needed.

Defining Network Interfaces

A network interface:
- Assigns a network (represented by an IP address and a subnet mask) to a physical NIC
- Designates a network type
- Identifies a gateway (default route)

A GTA firewall recommends two logical networks, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN). Defined network interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall.

CAUTION: If a network interface's name is changed, but a policy that references it is not updated to refer to the new name, all new connections maintained by the policy will fail to match.
Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will attempt to create one based on the network class in CIDR notation: Class C = /24, Class B = /16 or Class A = /8. Doing so helps prevent misconfiguration.

When editing a network interface, a table labeled Network Interface Cards will be displayed. The Network Interface Cards table shows information regarding the GTA firewall's NICs, such as their MAC address and connection.

CAUTION: Use caution when changing the logical names of interfaces; if a logical name does not match a policy, you may lose access to the firewall.

To edit a network interface, highlight the desired interface and hit the Enter key.
| Field | Description |
|---|---|
| Name | Assign a logical name to identify the network interface. Network interface names may not use a number as the first character. |
| Internet gateway (checkbox) | Enable this checkbox if you wish to make the logical interface an Internet gateway. |
| NIC | The NIC to be used by the defined network interface. |
| Connection | AUTO is generally recommended. Selections are: AUTO: Auto-select the active network connection. UTP_10: Use the unshielded twisted pair interface at 10 Mbps. TX_100: Use the unshielded twisted pair interface at 100 Mbps. |
| MTU | Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance. |
| External | Select to define the network interface as an external interface. |
| Protected | Select to define the network interface as a protected interface. |
| PSN | Select to define the network interface as a PSN interface. |
| Duplex | Select Default (full- or half-duplex) or Full Duplex. |
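The two rules above, the classful default mask applied when the Netmask field is left empty and the requirement that the Default Route lie on the external interface's logical network, as an added example that is not GTA's code. Function names and the sample addresses are constructed; the only inputs are the guide's own rules.

```python
import ipaddress
from typing import Optional


def classful_prefix(ip: str) -> int:
    """Prefix length GB-OS assumes for an address entered without a mask:
    Class A = /8, Class B = /16, Class C = /24 (the rule stated in the guide)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:       # 0.x.x.x - 127.x.x.x
        return 8
    if first_octet < 192:       # 128.x.x.x - 191.x.x.x
        return 16
    if first_octet < 224:       # 192.x.x.x - 223.x.x.x
        return 24
    raise ValueError(f"{ip} is a Class D/E address; no classful default applies")


def interface_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Logical network of an interface; falls back to the classful default when
    no mask was entered (mask may be dotted-quad or a prefix length string)."""
    prefix = mask if mask is not None else str(classful_prefix(ip))
    return ipaddress.IPv4Interface(f"{ip}/{prefix}").network


def default_route_ok(external_ip: str, gateway: str, mask: Optional[str] = None) -> bool:
    """True when the Default Route lies on the external interface's logical
    network, the condition stated under Entering the Default Route."""
    return ipaddress.IPv4Address(gateway) in interface_network(external_ip, mask)


def mask_warning(ip: str, intended_mask: str) -> Optional[str]:
    """Warns when relying on the classful default would yield a different
    (usually far wider) network than the mask the administrator intended,
    which is the misconfiguration the explicit mask is meant to prevent."""
    assumed = interface_network(ip)
    intended = interface_network(ip, intended_mask)
    if assumed != intended:
        return (f"{ip} without a mask defaults to {assumed}, not {intended}; "
                f"enter the mask explicitly")
    return None
```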
Aliases
Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service group via a tunnel (e.g. multiple internal Web servers that all serve content to the external network). Aliases used on an external NIC attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached. If the IP alias is on the same logical network as the network interface's primary IP address, use a subnet mask of 32 bits (255.255.255.255).

To configure aliases, navigate to Config > Network > Aliases. The Aliases screen will display all defined aliases. Press Enter to edit an existing alias, or press Insert or the I key to create a new alias.

| Field | Description |
|---|---|
| Name | A unique name to identify the alias elsewhere in the firewall's configuration. Alias names may not use a number as the first character. |
| Interface | The interface that will have an alias applied. |
| IP Address/Netmask | The IP address of the alias. |
Timeouts
Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching its timeout value differs for each IP protocol. For example, TCP has enough information embedded for GB-OS to determine when the connection is ready to close, but with ICMP and UDP, it is generally impossible to determine when a connection is ready to close.

To define timeouts, navigate to Config > Network > Timeouts.
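An idle-timeout table illustrating the per-protocol behaviour just described (a TCP flow can be closed once its close is seen, while UDP and ICMP flows can only be expired by idle time), added here as an example and not part of GB-OS. The flow keys, timeout values and class name are constructed.

```python
from typing import Dict, List, Tuple

# Constructed flow key: (protocol, source, destination)
Flow = Tuple[str, str, str]


class IdleTimeoutTable:
    """Tracks when each flow was last seen and marks flows ready to close once
    they have been idle longer than their protocol's configured timeout."""

    def __init__(self, timeouts: Dict[str, float]):
        self.timeouts = timeouts                 # idle seconds per protocol
        self.last_seen: Dict[Flow, float] = {}   # active flows
        self.closed: List[Flow] = []             # flows marked ready to close

    def packet(self, flow: Flow, now: float, tcp_close: bool = False) -> None:
        """Any packet resets the idle timer; a TCP close ends the flow at once,
        which UDP and ICMP cannot signal (they only ever time out)."""
        proto = flow[0]
        if proto not in self.timeouts:
            raise ValueError(f"no timeout configured for protocol {proto}")
        if proto == "tcp" and tcp_close:
            self.last_seen.pop(flow, None)
            self.closed.append(flow)
            return
        self.last_seen[flow] = now

    def expire(self, now: float) -> List[Flow]:
        """Return (and close) flows whose idle time exceeds the timeout."""
        expired = [f for f, t in self.last_seen.items()
                   if now - t > self.timeouts[f[0]]]
        for f in expired:
            del self.last_seen[f]
            self.closed.append(f)
        return expired

    def active(self) -> int:
        return len(self.last_seen)


def demo_table() -> IdleTimeoutTable:
    """Constructed sample: one flow per protocol, all first seen at t=0."""
    table = IdleTimeoutTable({"tcp": 3600.0, "udp": 60.0, "icmp": 10.0})
    table.packet(("udp", "192.168.1.5:5353", "203.0.113.7:53"), 0.0)
    table.packet(("tcp", "192.168.1.5:40001", "203.0.113.7:443"), 0.0)
    table.packet(("icmp", "192.168.1.5", "203.0.113.7"), 0.0)
    return table
```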
NAT
Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address. NAT is applied in the Console interface using inbound tunnels and static mapping.

Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g. TCP, UDP, ICMP or HTTP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, computers such as Web (port 80) servers on a PSN to be reached from the Internet.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are typically used with inbound connections; they are not normally used for traffic inbound from a protected network interface, which is by default allowed access to the other logical network types without use of a tunnel. Tunnels can be created for these inbound connections:
- From an external network interface to a host on a PSN.
- From an external network interface to a host on a protected network.
- From a PSN interface to a host on a protected network.

Tunnels are defined by an interface and service IP and an internal destination IP address. Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on the firewall.

If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping so that secondary connections appear to originate from the same address as the tunnel.

To configure inbound tunnels, navigate to Config > Network > NAT > Inbound Tunnels. The Inbound Tunnels screen will display all defined inbound tunnels, if any. Press Enter to edit an existing tunnel, or press Insert or the I key to create a new tunnel.

| Field | Description |
|---|---|
| Disable | A toggle for whether the inbound tunnel should be disabled or not. Default is off. |
| Description | A short description to identify the function of the inbound tunnel. |
| IP Protocol | Select the IP protocol to be used by the inbound tunnel. |
| Service | Select the external destination IP address of the tunnel. |
| To | Select the internal destination IP address of the tunnel. |
| Automatic Accept All Policy | A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Default is enabled. |
| Require Authentication | Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. Default is off. |
| Hide Source | Hides the source of the inbound tunnel connection. Useful for when the GTA firewall is used on an intranet. Default is off. |
| SYN Cookies | A toggle for whether TCP SYN cookies should be used or not. Default is on. |
Static Address Mapping

Static address mapping allows an internal IP address or subnet to be statically mapped to an interface during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically assigned to the primary IP address of the outbound network interface. Static address mapping is used when it is desirable to statically assign the IP address used in NAT.

To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface).
- The target of a map definition must be an IP alias or interface.
- Mapping is only associated with outbound packet flow.
- Map definitions may be for a single host or a subnet.

To configure static address mapping, navigate to Config > Network > NAT > Static Address Mapping. The Static Address Mapping screen will display all defined static address mappings, if any. Press Enter to edit an existing mapping, or press Insert or the I key to create a new mapping.

Fields on this screen include To Interface.
Pass Through
The Pass Through section contains Hosts/Networks, which specifies an IP address, subnet or network that will not have NAT applied to its traffic.
Hosts/Networks
Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See product specifications for the number of pass through hosts/networks available on a specific model.

| Field | Description |
|---|---|
| Object | Select the address object that will be used as the host member. If an address object cannot be used, select <USER DEFINED> as the Object and enter the IP address and subnet mask that will be mapped (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)). |
| Interface | Select the destination interface that should not apply NAT when outbound IP packets are received. |
| Accept unsolicited | Enable to accept unsolicited IP packets from the specified IP address. Disabled by default. |
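A model of the outbound source-address selection the NAT chapter describes (pass-through hosts keep their address, static address mappings pick an alias, everything else is translated to the interface's primary IP), added as an example that is not GB-OS code; it also shows why a host served by an inbound tunnel on an IP alias should be statically mapped to that alias, as the Inbound Tunnels text advises. All addresses, class and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ExternalInterface:
    primary_ip: str                                    # primary IP of the NIC
    aliases: List[str] = field(default_factory=list)   # IP aliases on the NIC


@dataclass
class StaticMap:
    internal: str   # single host ("192.168.1.10/32") or subnet
    target: str     # must be an IP alias or the interface primary IP


@dataclass
class InboundTunnel:
    service_ip: str   # external destination (interface IP or alias)
    internal_ip: str  # internal destination host


class OutboundNat:
    def __init__(self, ext: ExternalInterface, static_maps: List[StaticMap],
                 pass_through: List[str]):
        valid_targets = {ext.primary_ip, *ext.aliases}
        for m in static_maps:     # guide: target must be an alias or interface
            if m.target not in valid_targets:
                raise ValueError(f"static map target {m.target} is not an alias "
                                 f"or the interface address")
        self.ext = ext
        # longest prefix wins when a host map and a subnet map both match
        self.maps = sorted(((ipaddress.ip_network(m.internal), m.target)
                            for m in static_maps),
                           key=lambda t: t[0].prefixlen, reverse=True)
        self.pass_through = [ipaddress.ip_network(p) for p in pass_through]

    def source_after_nat(self, src: str) -> str:
        """Source address seen on the external side for an outbound packet."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.pass_through):
            return src                      # Hosts/Networks: NAT not applied
        for net, target in self.maps:
            if addr in net:
                return target               # static address mapping
        return self.ext.primary_ip          # default: dynamic to primary IP


def tunnel_source_matches(nat: OutboundNat, tunnel: InboundTunnel) -> bool:
    """True when secondary (outbound) connections from the tunnelled host appear
    to come from the same address external clients reached the tunnel on."""
    return nat.source_after_nat(tunnel.internal_ip) == tunnel.service_ip


# Constructed sample: external NIC with one alias, a Web server on the
# protected network reachable through a tunnel on that alias.
EXT = ExternalInterface("203.0.113.2", ["203.0.113.5"])
WEB_TUNNEL = InboundTunnel(service_ip="203.0.113.5", internal_ip="192.168.1.10")


def nat_without_mapping() -> OutboundNat:
    return OutboundNat(EXT, [], [])


def nat_with_mapping() -> OutboundNat:
    return OutboundNat(EXT,
                       [StaticMap("192.168.1.10/32", "203.0.113.5"),
                        StaticMap("192.168.1.0/24", "203.0.113.2")],
                       pass_through=["10.5.0.0/16"])
```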
Routing
The Routing section contains RIP, which is used to receive routing tables, and Static Routes, which are used to define static paths between one internal subnet and another.
RIP
RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2.

To configure RIP, navigate to Config > Network > Routing > RIP. The RIP screen will display all defined interfaces and their RIP configuration. There are two checkboxes available on the RIP screen, Enable and Advertise Default Route. Toggle the Enable checkbox to enable the service. Enable the Advertise Default Route checkbox if you wish to do so on any protected network or PSN on which RIP is enabled. Press Enter to edit an existing host or network, or press Insert or the I key to create a new host or network definition.

| Field | Description |
|---|---|
| Enable | Enables the RIP interface. |
| Interface | The interface for which RIP is being configured. Not configurable. |
| Input | Controls how RIP is implemented. Input determines whether any version of RIP will be accepted from other routers. The choices are: <1>: Version 1 RIP is accepted or exported. <2>: Version 2 RIP is accepted or exported. <Both>: Both version 1 and 2 are used. |
| Output | Controls how RIP is implemented. Output determines whether any version of RIP will be exported or broadcast. The choices are: <1>: Version 1 RIP is accepted or exported. <2>: Version 2 RIP is accepted or exported. <Both>: Both version 1 and 2 are used. |
| Encryption | Type of encryption that will be used. If an encryption is selected, the password field is enabled. Encryption types are: None, Clear and MD5. This only applies to RIPv2. |
| Password | Password that must be used to collect routing information through RIPv2. |
| Key ID | Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used. |
Static Routes

Static Routes define routing paths between one subnet and another. Static routes supersede the default gateway defined in Config > Network > Settings.

Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall routes all traffic to the default gateway, even if it should be directed to a different subnet on the internal network. Traffic will not travel between internal subnets in this case, causing spoofing messages. Static routes solve this problem by diverting internal traffic back to the appropriate internal subnet before it reaches a gateway. Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs.

To configure static routes, navigate to Config > Network > Routing > Static Routes. The Static Routes screen will display all defined static routes, if any. Press Enter to edit an existing static route, or press Insert or the I key to create a new static route.
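The next-hop decision described above, with static routes superseding the default gateway and the misrouting that occurs when an internal subnet behind an inner router has no static route, as an added example that is not GTA's code. The two-subnet network, gateway addresses and names are constructed.

```python
import ipaddress
from typing import List, Tuple


class RouteTable:
    """Next-hop lookup in the order the guide implies: directly connected
    networks, then static routes (most specific first), then the default route
    from Config > Network > Settings."""

    def __init__(self, default_route: str, connected: List[str]):
        self.default_route = ipaddress.ip_address(default_route)
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.static: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []

    def add_static_route(self, destination: str, gateway: str) -> None:
        self.static.append((ipaddress.ip_network(destination),
                            ipaddress.ip_address(gateway)))
        self.static.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: str) -> Tuple[str, str]:
        """Returns (gateway, kind) where kind is connected, static or default."""
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in self.connected):
            return "direct", "connected"
        for net, gw in self.static:
            if addr in net:
                return str(gw), "static"
        return str(self.default_route), "default"


def internal_leaks_to_gateway(table: RouteTable, dst: str,
                              internal: List[str]) -> bool:
    """True when a destination inside the internal address space would be sent
    to the default (Internet) gateway: the misrouting the guide says produces
    spoofing messages."""
    addr = ipaddress.ip_address(dst)
    is_internal = any(addr in ipaddress.ip_network(n) for n in internal)
    return is_internal and table.next_hop(dst)[1] == "default"


# Constructed sample: protected interface on 192.168.1.0/24, an inner router at
# 192.168.1.254 leading to 192.168.2.0/24, default route via 203.0.113.1.
INTERNAL_SPACE = ["192.168.0.0/16"]


def table_without_static_route() -> RouteTable:
    return RouteTable("203.0.113.1", connected=["192.168.1.0/24", "203.0.113.0/24"])


def table_with_static_route() -> RouteTable:
    t = table_without_static_route()
    t.add_static_route("192.168.2.0/24", "192.168.1.254")
    return t
```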
Security Policies
Policies control access to and through the GTA firewall. The implicit rule, that which is not explicitly allowed is denied, applies to both outbound and inbound packets. Unless a policy is in place allowing for a situation where a packet is accepted, it will always be denied by default.

The Console interface only allows for the defaulting of policy sets. To define security policies, it is required to log in to the Web interface.
Preferences
Policy preferences allow the firewall administrator to globally define most logging and policy definitions for all defined policies in one location. Logging options for automatic policies, tunnel connections (opens and closes) and policy blocks may be selected.

From the Alarms section the firewall administrator can set the default parameters for alarm notifications. When a policy is matched, an alarm event is activated. Each alarm event increments the alarm count by one. If either the time or number of alarms threshold is exceeded, a notification will be sent documenting all the events. Multiple messages will be sent if the number of events exceeds the maximum count.

From the General section the firewall administrator can enable or disable automatic policies, generate alarms, send email, send an ICMP service not available message, or log an event.

To set policy preferences, navigate to Config > Security Policies > Preferences.

Fields on this screen include Tunnel Closes.
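The alarm threshold behaviour described in the Alarms paragraph (count incremented per matched policy, one notification documenting all pending events when the count or time threshold is exceeded, several messages when a burst exceeds the maximum count), as an added example that is not GB-OS code. The threshold values and event records are constructed, and treating "reached the maximum count" as exceeding it is an assumption.

```python
from typing import List, Optional


class AlarmNotifier:
    """Batches alarm events into notifications using a count threshold and a
    time threshold measured from the first event of the current batch."""

    def __init__(self, max_count: int, max_seconds: float):
        self.max_count = max_count
        self.max_seconds = max_seconds
        self.pending: List[str] = []            # events not yet notified
        self.first_ts: Optional[float] = None   # when the current batch began
        self.sent: List[List[str]] = []         # one entry per notification sent

    def _flush(self) -> None:
        """Send one notification documenting all pending events."""
        if self.pending:
            self.sent.append(self.pending)
            self.pending, self.first_ts = [], None

    def timer(self, now: float) -> int:
        """Time threshold check with no new event; returns messages sent."""
        if self.first_ts is not None and now - self.first_ts > self.max_seconds:
            self._flush()
        return len(self.sent)

    def policy_matched(self, now: float, event: str) -> int:
        """Record one alarm event (a policy match); returns messages sent so far."""
        self.timer(now)                 # close a batch that outlived its window
        if self.first_ts is None:
            self.first_ts = now
        self.pending.append(event)      # each event increments the count by one
        if len(self.pending) >= self.max_count:
            self._flush()               # count threshold exceeded (assumption: >=)
        return len(self.sent)


def demo_burst() -> AlarmNotifier:
    """Constructed sample: seven policy blocks in seven seconds, threshold 3."""
    n = AlarmNotifier(max_count=3, max_seconds=60.0)
    for i in range(7):
        n.policy_matched(float(i), f"BLOCK policy=deny-inbound src=198.51.100.{i}")
    return n
```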
Tools
The Tools section contains a number of tools useful for administrating and troubleshooting the firewall's configuration.
Shutdown
The Shutdown configuration screen, located at Tools > Shutdown, contains halt and reboot services.
Halt
Halt properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the firewall must be restarted from the console interface or be physically reset.

To halt the firewall, navigate to Tools > Shutdown > Halt. When the menu item is selected, a pop-up window is displayed which requests confirmation of the halt request. Select the OK button to confirm the command.
Reboot
Reboot restarts the firewall. To reboot the firewall, navigate to Tools > Shutdown > Reboot. When the menu item is selected, a pop-up window is displayed which requests confirmation of the reset request. Select the OK button to confirm the command.
Network Diagnostics
The Network Diagnostics configuration screen, located at Tools > Network Diagnostics, contains ping and trace route tests, which are useful for verifying connectivity.
Ping
The ping function executes the network ping connectivity test by using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network.

The firewall will attempt to send five ICMP ping packets to the target destination and will display relevant statistics.

To ping an IP address or domain name, navigate to Tools > Network Diagnostics > Ping, enter the address into the Host field and select the OK button.
Trace Route
The trace route function performs a routing trace from the firewall to a designated IP address or domain name. Like Ping, Trace Route is useful for testing network connectivity. To determine whether a route to an Internet host is viable, the trace route function launches UDP probe packets with a short time to live (TTL), and then listens for an ICMP time exceeded reply from a gateway.

When the trace is active, three probes are launched for each gateway, with the output showing the TTL, address of the gateway, and round trip time of each probe.

To trace an IP address or domain name, navigate to Tools > Network Diagnostics > Trace Route, enter the address into the Host field and select the OK button.
Interfaces
The Interfaces configuration screen, located at Tools > Interfaces, allows a network interface on the firewall to be Enabled (up and capable of sending/receiving packets) or Disabled (down and incapable of sending/receiving packets).

CAUTION: Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.
Reports
The Reports section contains the hardware report, which is useful for troubleshooting purposes.
Hardware
The Hardware Report generates a report of the hardware components detected in your system and is useful in diagnosing hardware problems. If you suspect a hardware problem, generate this report and review the hardware listed. GTA's technical support staff may also request a current hardware report in order to resolve a GTA firewall issue.

To run the hardware report, navigate to Reports > Hardware.

Reference A: User Interface

Keystroke Commands
All data entry and interface navigation is done using the keyboard attached to the terminal or workstation running terminal emulation software.

Table A.1: Keystroke Commands

| Keystroke | Command |
|---|---|
| <Esc> | Exit/Cancel |
| <F2> | Display all list choices |
| <F6> | Clear field |
| <F7> | Previous field |
| <F8> or <Tab> | Next field |
| <F10> | Ok/Save |
| <F12> | Toggle color display |
| <Delete> or <Backspace> | Delete or backspace |
| <Return> or <Spacebar> | Toggle choice list / Select highlighted button |
| <Insert> or I | Insert line item |
Navigation
Although the Console interface's display may vary based upon your method of connection, all variations use the following menus, buttons, fields and lists in navigation.
Menus
There are five top-level menus in the Console interface: Config, Tools, Reports, Exit and Help. Most configuration items are found under the Config menu. Tools useful for troubleshooting your firewall's configuration are located under the Tools menu. Reports contains the Hardware Report, which generates a report on your firewall's hardware configuration. Exit includes the command to exit the Console interface, while Help will display the GB-OS version number.

Use the keyboard arrow keys to move through the menus and press the <Return> or <Spacebar> key to select the function currently highlighted.
Buttons
Buttons are fields which appear similar to the Web interface's buttons; these Console button fields can be selected by pressing <Return> or <Spacebar> when the field is highlighted.

Table A.2: Buttons

| Button | Description |
|---|---|
| Cancel | Cancels changes and exits the configuration screen or section. |
| Default | Creates configuration settings in the section that conform to the GTA firewall's settings; not factory settings. |
| OK | Exits the screen, or executes an administrative action. |
| Save | Saves the configuration screen. |
| Send | Sends email. |
Copyright 1996-2010, Global Technology Associates, Incorporated (GTA). All rights reserved.
Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days "up and running" installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local Authorized GTA Channel Partner.
Tel: +1.407.380.0220
Email: support@gta.com

Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.
Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights
GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated.
Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
UNIX is a registered trademark of The Open Group.
Linux is a registered trademark of Linus Torvalds.
BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.
WELF and WebTrends are trademarks of NetIQ.
Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Java software may include software licensed from RSA Security, Inc.
Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/.
Some products include software developed by the OpenSSL Project (http://www.openssl.org/).
Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated.
All other products are trademarks of their respective companies.
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817 USA
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Web: http://www.gta.com
Email: info@gta.com