FireProof User Guide Version 2.20
Contents
1. Index (excerpt, L to S)
LAN Interfaces, Application Switch Platform
LAN Interfaces, Fast Ethernet Platform
Large Client Table Size (Glossary)
Load Sharing (Glossary)
Management and Configuration (Glossary)
Mirroring (Glossary)
Monitoring FireProof Performance
Mounting the Device
Mapping NAT Addresses to Virtual IP Addresses
Modifying Differentiated Services
Modifying Networks
Modifying Policies
Modifying Services
Native Windows NT Resources Agent Support (Glossary)
Network Design
No NAT Configuration
One Leg Lollipop Configuration
OSPF Area Parameters
OSPF Interface Parameters
OSPF Link State Database
OSPF Neighbor Table
OSPF Protocol Parameters
Physical Interface (Glossary)
Physical IP Address (Glossary)
Policy Statistics
Port Statistics
Physical Route
Refreshing Zoom View
Resetting the Device
RIP Interface Parameters
RIP Protocol Parameters
Running Configware
Safety Instructions
Session Balancing Modes (Glossary)
Simple FireProof Configuration
Smooth Firewall Shutdown (Glossary)
SNMP Port Restrictions (Glossary)
Setting Device Global Parameters
Setting Global Parameters
Setting Interface Addresses and IP Router Options
Setting Physical Port SNMP Restrictions
Setting Up Application Security
2. About This Guide
Chapter 3, Configuring FireProof: describes how to configure FireProof to your requirements using the Configware management software.
Chapter 4, Monitoring FireProof Performance: describes how to view the detailed performance graphs that help you monitor FireProof performance.
Appendix A, Example Configurations: provides examples of FireProof configurations.
Appendix B, Troubleshooting: provides solutions to some common FireProof problems.
Appendix C, ASCII Command Line Interface: defines the CLI for FireProof.
Appendix D, Software License Upgrade: provides the procedures required to upgrade your software using either Configware or the ASCII CLI.
Glossary: explains terms and concepts used in network configurations.
Contents
Chapter 1, Introducing FireProof: The Problem; The Solution; FireProof Network Design; FireProof Entry Level Product.
Chapter 2, Installing FireProof: Checking the Contents; Mounting the Device; Connecting FireProof to Your Network (AC Power Connection; ASCII Terminal Serial Connection; LAN Connections); Configuring FireProof IP Host Parameters; FireProof Specifications and Requirements (Hardware, Fast Ethernet Platform; Hardware, Application Switch Platform; LAN Interfaces).
3. Full Path Health Monitoring
You can monitor the full path from FireProof to an IP address beyond the network's firewalls. Doing so verifies that the whole path through the firewall is open, not only that the firewall's own interface answers. Note that when Full Path Health Monitoring is enabled, the firewall operation status is not reported. Do not remove the firewall IP address from the Full Path Health Monitor window; if it is removed, the status of the addresses checked through that firewall is no longer verified.
Note: Full Path Health Monitoring cannot be used between two FireProofs configured on the same device using Port Rules.
To monitor the full path health of a device beyond a specific firewall:
1. From the FireProof menu, choose Firewall Table. The Firewall Table window is displayed.
2. Select the firewall to check through.
3. Click Full Path Health Monitoring. The Full Path Health Monitor window is displayed. Active indicates that FireProof successfully connected to the IP address; Not In Service indicates that FireProof failed to connect to it.
To add IP addresses to the Full Path Health Monitoring checklist:
1. From the FireProof menu, choose Firewall Table. The Firewall Table window is displayed.
2. Select the firewall to check through.
3. Click Full Path Health Monitoring. The Full Path Health Monitor window is displayed.
4. Click Insert. The Connectivity Check Table Insert window is displayed.
5. In the Check Address field, enter the IP address of the remote device to check.
6. Click Accept. The Connectivity Check
4. Viewing Active Policies
From the QoS menu, choose View Active Policies. A secondary menu displays Policies, Networks and Services, from which you can view the active tables for these functions. For example, the Active Network Table window shows one row per active network:
Network Name: any; Network Mode: IP range; From Address: 0.0.0.0; To Address: 255.255.255.255
To refresh an active table, click Refresh in the table window (for example, in the Active Network Table window). The data displayed in the window is updated.
The Active Policies Table window displays the following statistics for each active policy:
Matched Packets: the number of packets matched to the policy in the last second.
Used Bandwidth (kbps): the bandwidth used in the last second.
Average Bandwidth (kbps): the average bandwidth used per second since the device was booted or since the policies were last updated.
Peak Average Bandwidth (kbps): the peak of the average bandwidth used per second since the device was booted or since the policies were last updated.
DSCP: the Diffserv code point assigned to packets matching the policy.
To activate inactive policies, from the QoS menu select Update Policies. The Update Confirmation
5. Global Connectivity Check
Entering the global conchk command displays the following options: interval, method, retries, status.
global connectivity check interval get (global conchk interval get): view the global Connectivity Check Interval. Example: global conchk interval get
global connectivity check interval update (global conchk interval update <check connectivity interval>): change the global Connectivity Check Interval. Example: global conchk interval update 10
global connectivity check method get (global conchk method get): view the global Connectivity Check Method. The values of the check connectivity mode field are: 1 Ping; 2 TCP Port. Example: global conchk method get
global connectivity check method update (global conchk method update <check connectivity mode>): change the global Connectivity Check Method. Example: global conchk method update 1
global connectivity check retries get (global conchk retries get): view the global Connectivity Check Retries. Example: g
global connectivity check retries update (global conchk retries update <check connectivity retries>): change the global Connectivity Check Retries.
global connectivity check status get (global conchk status get): view the global Connectivity Check status.
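The following is an added example, not code from the Radware guide. It models the Full Path Health Monitoring states (Active, Not In Service) together with the global connectivity check parameters listed above (method, interval, retries), so that the interaction between retries and a flapping firewall can be seen. The probe is injected so the logic runs offline; tcp_probe shows what a live TCP Port check would do. The rule that a firewall goes Not In Service only after the configured number of consecutive failed probes, and returns to Active on the first success, is an assumption of this example.

```python
"""Firewall health monitoring with the global connectivity check parameters
(method, interval, retries) and the Active / Not In Service states shown in
the Full Path Health Monitor window.

Added example, not Radware code. The probe is injected so the logic runs
offline; tcp_probe() shows what a live TCP Port check would do. The rule that
a firewall goes Not In Service after `retries` consecutive failures and
returns to Active on the first success is an assumption."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PING, TCP_PORT = 1, 2   # values of the check connectivity mode field


@dataclass
class FirewallCheck:
    firewall: str               # firewall internal address, e.g. 20.1.1.1
    check_addr: str             # address beyond the firewall (full path) or the firewall itself
    status: str = "Active"
    failures: int = 0           # consecutive failed probes


@dataclass
class ConnectivityMonitor:
    method: int = PING          # global conchk method
    interval: int = 10          # global conchk interval, seconds between probe rounds
    retries: int = 3            # global conchk retries
    checks: List[FirewallCheck] = field(default_factory=list)

    def tick(self, probe: Callable[[int, str, str], bool]) -> Dict[str, str]:
        """One probe round. probe(method, firewall, check_addr) returns True on success."""
        for c in self.checks:
            if probe(self.method, c.firewall, c.check_addr):
                c.failures = 0
                c.status = "Active"
            else:
                c.failures += 1
                if c.failures >= self.retries:
                    c.status = "Not In Service"
        return {c.firewall: c.status for c in self.checks}

    def active_firewalls(self) -> List[str]:
        """Firewalls that new sessions may still be dispatched to."""
        return [c.firewall for c in self.checks if c.status == "Active"]


def tcp_probe(method: int, firewall: str, check_addr: str,
              port: int = 80, timeout: float = 2.0) -> bool:
    """A live TCP Port check (method 2). Ping (method 1) needs ICMP and is left out here."""
    if method != TCP_PORT:
        raise NotImplementedError("only the TCP Port method is implemented in this example")
    try:
        with socket.create_connection((check_addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_scenario(probe_results: Dict[str, List[bool]], retries: int) -> List[Dict[str, str]]:
    """Replay constructed probe outcomes per firewall, one round at a time,
    returning the status map after each round."""
    monitor = ConnectivityMonitor(
        method=TCP_PORT, retries=retries,
        checks=[FirewallCheck(fw, "10.0.0.1") for fw in probe_results])
    rounds = max(len(v) for v in probe_results.values())
    history = []
    for i in range(rounds):
        def probe(method: int, fw: str, addr: str, i: int = i) -> bool:
            seq = probe_results[fw]
            return seq[i] if i < len(seq) else True
        history.append(dict(monitor.tick(probe)))
    return history


if __name__ == "__main__":
    # Constructed outcomes: firewall 20.1.1.2 flaps, then fails for good.
    for n, statuses in enumerate(run_scenario(
            {"20.1.1.1": [True] * 6,
             "20.1.1.2": [False, False, True, False, False, False]}, retries=3)):
        print(f"round {n}: {statuses}")
```

With retries set to 3, a single successful probe in round 2 resets the failure count, so 20.1.1.2 is only taken out of service in round 5; a lower retries value reacts faster but turns every lost probe into a failover.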
6. Example 9: QoS Used for Access Control
1. In the Global Parameters window (QoS > Global Parameters), select Enabled from the Classification Mode dropdown list.
2. In the Modify Network Table window (QoS > Modify Policies > Networks), configure a network for the local network. To simplify configuration, a network can consist of a combination of subnets and ranges, for example:
Range: 11.1.1.0 to 11.1.1.255
Subnet: 10.1.1.0, mask 255.255.255.0
3. In the Modify Filter Groups Table window (QoS > Modify Policies > Services > Filter Groups), configure a group for the protocols allowed for communication between the remote server and the internal server.
4. In the Modify Policies Table window (QoS > Modify Policies > Policies), configure a policy that applies that filter group to traffic between the remote server and the internal server.
5. In the Modify Policies Table window, use the Edit Default Policy button to set the default Action as required. The Default policy is applied to every packet that matches no configured policy; for access control, set its Action to Block so that anything not explicitly allowed is dropped.
6. From the Update Confirmation dialog box (QoS > Upd
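The following is an added example, not code from the Radware guide, showing the classification that steps 2 to 5 configure: a network built from a range plus a subnet, a filter group of allowed services, an ordered policy list, and a Default policy that blocks everything else. The first-match order, the action names Forward and Block, and all sample addresses other than those in step 2 are constructed for illustration.

```python
"""Policy classification for Example 9 (QoS used for access control):
networks built from subnets and ranges, filter groups of allowed services,
an ordered policy list and a Default policy that catches everything else.

Added example, not Radware code. The first-match order, the Forward/Block
action names and all sample addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Network:
    """Modify Network Table entry: any mix of IP ranges and subnets."""
    name: str
    ranges: Tuple[Tuple[str, str], ...] = ()     # (from address, to address)
    subnets: Tuple[str, ...] = ()                 # "address/mask"

    def contains(self, ip: str) -> bool:
        if self.name == "any":
            return True
        a = ipaddress.ip_address(ip)
        for lo, hi in self.ranges:
            if ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi):
                return True
        return any(a in ipaddress.ip_network(s, strict=False) for s in self.subnets)


@dataclass(frozen=True)
class FilterGroup:
    """Modify Filter Groups Table entry: allowed (protocol, destination port); port 0 = all ports."""
    name: str
    filters: Tuple[Tuple[str, int], ...] = ()

    def matches(self, proto: str, dport: int) -> bool:
        if self.name == "any":
            return True
        return any(p == proto and d in (0, dport) for p, d in self.filters)


ANY_NET = Network("any")
ANY_SVC = FilterGroup("any")


@dataclass(frozen=True)
class Policy:
    """Modify Policies Table entry."""
    name: str
    src: Network
    dst: Network
    service: FilterGroup
    action: str          # "Forward" or "Block"


class Classifier:
    def __init__(self, policies: List[Policy], default_action: str):
        self.policies = policies
        # Edit Default Policy: the action for packets that match no configured policy
        self.default = Policy("Default", ANY_NET, ANY_NET, ANY_SVC, default_action)

    def classify(self, src: str, dst: str, proto: str, dport: int) -> Policy:
        for p in self.policies:
            if p.src.contains(src) and p.dst.contains(dst) and p.service.matches(proto, dport):
                return p
        return self.default


# Constructed configuration following the steps above
LOCAL = Network("local_network",
                ranges=(("11.1.1.0", "11.1.1.255"),),
                subnets=("10.1.1.0/255.255.255.0",))
INTERNAL_SERVER = Network("internal_server", ranges=(("10.1.1.50", "10.1.1.50"),))
REMOTE_SERVER = Network("remote_server", ranges=(("192.0.2.10", "192.0.2.10"),))
ALLOWED = FilterGroup("remote_to_internal", (("tcp", 443), ("tcp", 22)))


def build_access_control() -> Classifier:
    return Classifier([
        Policy("remote_to_internal", REMOTE_SERVER, INTERNAL_SERVER, ALLOWED, "Forward"),
        Policy("local_outbound", LOCAL, ANY_NET, ANY_SVC, "Forward"),
    ], default_action="Block")


if __name__ == "__main__":
    c = build_access_control()
    for pkt in [("192.0.2.10", "10.1.1.50", "tcp", 443),
                ("192.0.2.10", "10.1.1.50", "tcp", 80),
                ("203.0.113.9", "10.1.1.50", "tcp", 443)]:
        p = c.classify(*pkt)
        print(pkt, "->", p.name, p.action)
```

The point of the Default policy is visible in the second and third packets: a permitted host using a port that is not in the filter group, and an unknown host using a permitted port, both fall through to Default and are blocked.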
7. Example: redund mirror active mode get
redund status update <status>: change the Redundant Admin Status. Example: redund status update enable
Remote
This group of commands enables the user to manipulate the data of the Remote Connectivity table. For more information, refer to Configuring a Remote Virtual IP Address in Chapter 3.
remote get (remote get <firewall IP> <remote IP address>): view the Remote Connectivity table. Example: remote get 1.1.1.1 10.0.0.0
remote destroy (remote destroy <firewall IP> <remote IP address>): delete an entry in the Remote Connectivity table. Example: remote destroy 1.1.1.1 10.0.0.0
remote create (remote create <firewall IP> <remote IP address>): create an entry in the Remote Connectivity table. Example: remote create 1.1.1.1 10.0.0.0
RIP
This group of commands enables the user to manipulate the RIP data. For more information, refer to Configuring Router Settings in Chapter 3. Entering the rip command displays the following options:
admstts: Administration Status
iftbl: Interface Table
ospf2rip: Leak OSPF to RIP
stat2rip: Leak Static to RIP
Command
8. FireProof, Application Switch and Fast Ethernet Platforms, Software Version 2.20. Radware.
This guide is delivered subject to the following conditions and restrictions. Copyright Radware Ltd. 2000. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the FireProof and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.
CAUTION: Due to the risks of electrical shock and energy, mechanical and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only. To reduce the risk of fire and electrical shock, disconnect the instrument from the power line before removing covers or panels.
SERVICING: Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so. There are no user-serviceable parts inside the unit chassis.
HIGH VOLTAGE: Any adjustment maintenance and re
9. Global Remove Entry at Session End
global remsess get: view the global Remove Entry at Session End status. The values of the value field are: 1 Enable; 2 Disable. Example: global remsess get
global remsess update <value>: change the global Remove Entry at Session End status. Example: global remsess update 2
Global Session Tracking
global session tracking get (global sestrack get): view the global Session Tracking status. The values of the session tracking field are: 1 Enable; 2 Disable. Example: global sestrack get
global session tracking update (global sestrack update <session tracking>): change the global Session Tracking status. Example: global sestrack update 2
Global Select Firewall on Source Port
global select firewall on source port get (global slctfw get): view the global Select Firewall on Source Port status. The values of the value field are: 1 Enable; 2 Disable. Example: global slctfw get
global select firewall on source port update (global slctfw update <value>): change the global Select Firewall on Source Port status.
10. BWM Utilization
This group of commands enables the user to manipulate the BWM utilization data. Entering the bwm utils command displays the following options: action, application, cbq, classify, ports.
The possible switch values for the bwm utils ports command are: bw (Bandwidth Allocated); priority; red.
bwm utils action get (action get): retrieve information for existing BWM actions. Example: bwm utils action get
bwm utils action update (action update <action update rules>): update information for an existing BWM action. Example: bwm utils action update 2
bwm utils application mode get (appl mode get): retrieve the BWM application classification mode. Example: bwm utils appl mode get
bwm utils application mode update (appl mode update <application classify mode>): update the BWM application classification mode. Example: bwm utils appl mode update enable
bwm utils cbq mode get (cbq mode get)
bwm utils cbq mode update (cbq mode update <cbq mode>)
bwm utils cbq borrow get (cbq borrow get)
bwm utils cbq borrow update (cbq borrow update <cbq borrow mode>)
bwm utils classific
11. 2. From the Device menu, select Interface Parameters. The Interface Parameters for Port window is displayed for the selected port. Alternatively, right-click the selected port and select Interface Parameters.
The screen capture shows Interface Parameters for port 2: MAC Address 00:00:80:00:00:01; Interface Type Ethernet CSMA/CD; Interface Descriptor Ethernet Interface; Interface Speed (bps) 10M; Interface Status Down.
The Interface Parameters for Port window contains the following fields:
MAC Address: the MAC address of the port. Each port has its own address: the MAC address of port F1 ends in c0, that of F2 ends in c1, and so on.
Interface Type: the type of the selected interface, for example Ethernet CSMA/CD.
Interface Descriptor: the description of the selected interface, for example Ethernet Interface.
Interface Speed (bps): the speed of the selected port in bits per second. The speed is sensed automatically but can be forced manually using the drv set speed command in the CLI. Refer to Appendix C for more information.
Status: the status of the selected interface, either Up or Down.
Resetting the Device
You may reset the device at any time to revert to the last saved configuration.
To reset the device:
1. From the Device
12. Example 3: One Leg Lollipop Configuration
Figure A-3: Local Network Subnet and Firewall Subnet on the same LAN (Router 20.1.1.100; Firewall 1 and Firewall 2; FireProof 20.1.1.10 and 10.1.1.10 on a single port; Local Network).
Properties:
The Local Network Side subnet and the Firewall Side subnet are on the same LAN. All connections can be made to the same switch.
Firewalls must be configured with the Network Address Translation feature enabled, so that return traffic for each session comes back through the firewall that handled its outbound traffic; a stateful firewall that did not see the start of a session drops its replies.
Configuration:
1. Define two IP interfaces on port 1 of the FireProof, the first with IP address 10.1.1.10 and the second with IP address 20.1.1.10, and make sure both IP addresses are associated with port 1.
2. In the Firewalls Table window (FireProof > Firewall Table), insert firewalls 20.1.1.1 and 20.1.1.2.
3. The default router of the FireProof should be one of the firewalls' internal interfaces, for example 20.1.1.1. The route on the firewalls towards the local network should point to the FireProof address 20.1.1.10. The default router of the Local Network should be the FireProof address 10.1.1.10.
4. It is recommended to use Full Path Health Monitoring to ensure that the remote side of each firewall is operational. In the Firewall Table window (FireProof > Firewall Table), select a firewall and click Full Path Health Monit
13. Contents (continued)
LAN Interfaces, Fast Ethernet Platform
LAN Interfaces, Application Switch Platform
Hardware Requirements
Software Requirements
Installing Configware Management Software
Chapter 3, Configuring FireProof
Getting Started
Running Configware
Using Buttons
Permanently Adding Devices to Configware
Connecting to a Device
Zoom View
Viewing Traps
Setting Up a VLAN
Creating VLANs
Configuring VLAN Parameters
Setting Interface Addresses and IP Router Options
Setting Up Firewalls
Configuring Firewalls
Creating Virtual IP Addresses
Mapping NAT Addresses to Virtual IP Addresses
Smart NAT
Creating Rules for Port Connection
Configuring Application Aging
Configuring Firewall Grouping
Full Path Health Monitoring
Controlling Traffic to Newly Booted Firewalls
Viewing Active Clients
Global Configuration
Setting Up Redundant FireProof Devices
Configuring IP Router Redundancy
Configuring Mirroring
Configuring a Remote Virtual IP Address
Defining Load Balancing Algorithms
Configuring Router Settings
Adjusting Operating Parameters
Configuring Interface Parameters
RIP Protocol Parameters
RIP Interface Parameters
OSPF Protocol Parameters
OSPF Interface Parameters
OSPF Area Parameters
OSPF Link State Database
14. NATed. For example, all traffic to destination port 80 is not NATed. Destination port 0 refers to all ports.
Router Address: the IP address of the router.
To perform No NAT:
1. Ensure that Smart NAT is enabled.
2. From the FireProof menu, select Smart NAT and then choose No NAT. The No NAT Table window is displayed.
3. Click Insert. The No NAT Table Insert dialog box is displayed.
4. Enter the destination port and the router address.
5. Click Update. The No NAT Table Insert dialog box closes.
6. In the No NAT Table window, click Set. Your changes are made.
Creating Rules for Port Connection
You can create rules for port connection so that traffic entering a certain port always exits via a specified port. For example, you can create a rule whereby traffic entering port 1 always exits via port 2. It is also legal for traffic to exit through the same port it entered. In this way you can keep network segments separate. The default device configuration has no port connection rules: flow is not limited and traffic can go from any port to any port according to the routing and load balancing decisions.
Note: For security reasons, port connection rules can only be configured via the ASCII CLI.
To create rules for port connection:
1. Type rules set x y, where x is the incoming port and y is the outgoing
15. from each firewall. You use the Mapping Table window to map NAT addresses to virtual IP addresses.
To access the Mapping Table window, from the FireProof menu choose Mapped IP. The Mapping Table window is displayed.
The Mapping Table window contains the following fields:
Virtual IP Address: the virtual IP address to which you wish to map the NAT address.
Firewall IP Address: the IP address of the firewall you wish to map to the virtual IP address.
Firewall NAT Address: the NAT address of the firewall.
To map a new NAT address to a virtual IP:
1. In the Mapping Table window, click Insert. The Mapped IP Table Insert dialog box is displayed.
2. Enter the appropriate information.
3. Click Update. The Mapped IP Table Insert dialog box closes.
4. In the Mapping Table window, click Set. Your changes are made.
Smart NAT
Smart NAT refers to intelligent Network Address Translation, which this section discusses in its different forms. Smart NAT enables a local area network to map one set of IP addresses for internal devices to multiple sets of addresses for external devices. The following types of Smart NAT are explained: Dynamic and Static. In addition, a new NAT feature, No NAT, provides an easy No NAT configuration. Refer to the No NAT section for more information.
16. select a rule.
2. Click Firewall Table. The Firewall Table window is displayed.
Configuring Application Aging
You can assign different applications different client lifetimes. Since applications are identified by the ports they use, you assign application aging times by configuring aging times for specific ports. For example, you can give FTP a longer aging time and HTTP a shorter one. You can configure application aging times for applications in the TCP and UDP protocols. For protocols other than TCP and UDP (for example ICMP), use port 0. Any application for which you do not assign an aging time ages according to the Global Configuration.
You use the Application Aging Table window to configure application aging.
Note: In order for Application Grouping to work, you must have one of these options enabled: Open New Entry for Different Source Port, or Select New Firewall for Different Source Port.
To access the Application Aging Table window, from the FireProof menu select Firewalls Advanced Configuration and then choose Aging By Application Port. The Application Aging Table window is displayed.
The Application Aging Table window contains the following fields:
Application Port: the application port for which to confi
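The following is an added example, not code from the Radware guide. It models a client table that ages entries by application port as described above: a per-port lifetime for TCP and UDP, port 0 for other protocols such as ICMP, and the Global Configuration aging time for anything not listed. It also models the global Remove Entry at Session End setting (global remsess in Appendix C). The table layout, the "age from the last packet seen" rule and the sample sessions are assumptions constructed for illustration.

```python
"""Client table aging by application port, as in Configuring Application Aging:
a per-(protocol, port) lifetime for TCP and UDP applications, port 0 for other
protocols such as ICMP, and the Global Configuration aging time for anything
not listed. remove_at_session_end models the global remsess setting.

Added example, not Radware code. The table layout and the "age from the last
packet seen" semantics are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, str, int, int]   # protocol, client ip, server ip, client port, server port


@dataclass
class ClientTable:
    global_aging: int                                                    # seconds, Global Configuration
    app_aging: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (protocol, port) -> seconds
    remove_at_session_end: bool = True
    entries: Dict[Key, Tuple[str, float]] = field(default_factory=dict)  # key -> (firewall, last seen)

    def aging_for(self, proto: str, server_port: int) -> int:
        """TCP/UDP age by server port; any other protocol is configured under port 0."""
        lookup = (proto, server_port) if proto in ("tcp", "udp") else (proto, 0)
        return self.app_aging.get(lookup, self.global_aging)

    def touch(self, key: Key, firewall: str, now: float) -> str:
        """Record a packet. An existing entry keeps its firewall (session stickiness)."""
        fw, _ = self.entries.get(key, (firewall, now))
        self.entries[key] = (fw, now)
        return fw

    def session_end(self, key: Key) -> bool:
        """TCP FIN/RST seen: drop the entry at once if Remove Entry at Session End is enabled."""
        if self.remove_at_session_end and key in self.entries:
            del self.entries[key]
            return True
        return False

    def expire(self, now: float) -> List[Key]:
        """Remove entries idle longer than their aging time; returns what was removed."""
        dead = [k for k, (_, last) in self.entries.items()
                if now - last > self.aging_for(k[0], k[4])]
        for k in dead:
            del self.entries[k]
        return dead


def demo() -> Dict[str, object]:
    """Constructed scenario: FTP control, HTTP, ICMP and an unlisted UDP port."""
    t = ClientTable(global_aging=60,
                    app_aging={("tcp", 21): 600, ("tcp", 80): 30, ("icmp", 0): 5})
    ftp = ("tcp", "10.1.1.5", "198.51.100.2", 40001, 21)
    http = ("tcp", "10.1.1.5", "198.51.100.2", 40002, 80)
    icmp = ("icmp", "10.1.1.5", "198.51.100.2", 0, 0)
    sip = ("udp", "10.1.1.5", "198.51.100.2", 40003, 5060)
    for k, fw in ((ftp, "20.1.1.1"), (http, "20.1.1.2"), (icmp, "20.1.1.1"), (sip, "20.1.1.2")):
        t.touch(k, fw, now=0)
    sticky = t.touch(ftp, "20.1.1.2", now=10)    # later packet: still bound to 20.1.1.1
    return {
        "sticky_firewall": sticky,
        "expired_at_40": set(t.expire(now=40)),    # icmp (5 s) and http (30 s)
        "expired_at_100": set(t.expire(now=100)),  # sip falls back to the 60 s global aging
        "remaining": set(t.entries),               # ftp (600 s) survives
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A long aging time keeps a session bound to its firewall through idle periods (useful for FTP control connections), while a short one frees table space quickly; setting a short time for a port that carries long-lived sessions causes the next packet to be treated as a new session and possibly dispatched to a different firewall.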
17. 105; Viewing and Modifying Differentiated Services, page 3 110.
Setting Global Parameters
The global parameters determine the BWM functionality of the FireProof.
To access the Global Parameters window, from the QoS menu select Global Parameters. The Global Parameters window is displayed. The screen capture shows: Classification Mode Enabled; Application Classification Enabled; Scheduling Algorithms: Class Based Queuing (CBQ), CBQ Borrowing Disabled, Random Early Detection (RED) None; Maximum Bandwidth (kbps).
The Global Parameters window displays the following fields:
Classification Mode: from the dropdown list, select Policies, Diffserv or Disable to specify which classification is used.
Disable: no classification. The BWM feature is disabled.
Policies: the device classifies each packet by the policies configured by the user. The policies can use parameters such as source and destination IP addresses, application, and so on. If required, the DSCP field of a packet can be marked according to the policy the packet matches.
Diffserv (BWM 2.00 only): the device classifies packets only by their DSCP (Differentiated Services Code Point) value.
Application Classification: from the dropdown list, select Enable or Disable to spe
18. Contents (continued)
OSPF Neighbor Table
Configuring the Router
ARP Addresses
Setting Up Security
Configuring Management Station Access
Setting Physical Port SNMP Restrictions
Configuring Bridge Settings
Bridge Operating Parameters
Bridge Forwarding Nodes
Configuring Services
Configuring Polling
Changing Community Names
Syslog Reporting
Event Log
Getting Device Information
Viewing Interface Parameters
Resetting the Device
Setting Device Global Parameters
Device Tuning
Configuring Via File
Setting Up Application Security
Configuring Bandwidth Management (BWM)
Viewing Active Policies
Modifying Policies
Modifying Services
Viewing and Modifying Differentiated Services
Updating Software
Chapter 4, Monitoring FireProof Performance
Element Statistics
IP Interface Statistics
Firewall Statistics
Policy Statistics
Port Statistics
Appendix A, Example Configurations
Example 1: Simple FireProof Configuration
Example 3: One Leg Lollipop Configuration
Example 4: Typical FireProof Configuration
Example 5: Redundant FireProof Configuration
Example 6: Redundant FireProof Configuration Using VLAN
Example 7: DMZ Support with Port Connectivity Rules
Example 8: Application Grouping with FireProof
Example 9: QoS used for Access Control
Example 10: Bandwidth
19. 2; Firewall 1; Local Network 10.1.1.x. Figure A-1: Local Network and Firewalls on Different Subnets.
Properties:
The Local Network Side and the Firewall Side are on different subnets.
Firewalls must be configured with the Network Address Translation feature enabled, so that return traffic for each session comes back through the firewall that handled its outbound traffic; a stateful firewall that did not see the start of a session drops its replies.
The firewalls can be proxy firewalls. In this case, use a virtual IP to represent the proxy address of the firewalls for the configured clients.
Configuration:
1. Define two IP interfaces on the FireProof: one with address 10.1.1.10 on port 1 and one with address 20.1.1.10 on port 2.
2. In the Firewalls Table window (FireProof > Firewall Table), insert firewalls 20.1.1.1 and 20.1.1.2.
3. The default router of the FireProof should be one of the firewalls' internal interfaces, for example 20.1.1.1. The next hop router of the firewalls for the local network should be the FireProof address 20.1.1.10 assigned to port 2. The default router for the local side should be the FireProof internal address 10.1.1.10.
4. In the Global Configuration window (FireProof > Global Configuration), adjust the Dispatch Method and the Connectivity Check configuration as required.
5. It is recommended to use Full Path Health Monitoring to ensure that the remote side of each firewall is operational. In the Firew
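The following is an added example, not code from the Radware guide, illustrating the NAT property stated for Example 1 above and for Example 3 (One Leg Lollipop): FireProof dispatches each new session to one of two stateful firewalls, while the external router has only one route back to the local network. With NAT on, each firewall rewrites the source to its own outside address, so replies are addressed to that firewall; with NAT off, replies to 10.1.1.x follow the router's single route and land on a firewall that never saw the session. The firewall inside addresses are the manual's; the outside addresses, the server, the round-robin dispatch and the router's single return route are assumptions constructed for illustration.

```python
"""Why the firewalls in Examples 1 and 3 must run NAT: a constructed model of
two stateful firewalls behind FireProof with one external router that has a
single route back to the local network.

Added example, not Radware code. Firewall inside addresses come from the
manual's examples; the outside addresses, the server, the round-robin
dispatch and the router's single return route are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Packet = Tuple[str, int, str, int]    # src ip, src port, dst ip, dst port


@dataclass
class Firewall:
    inside: str                        # e.g. 20.1.1.1
    outside: str                       # address used as the NAT source (constructed)
    nat: bool
    state: Set[Packet] = field(default_factory=set)   # outbound 4-tuples this firewall saw

    def outbound(self, pkt: Packet) -> Packet:
        """Pass a client packet outward, translating the source if NAT is on."""
        src, sport, dst, dport = pkt
        sent = (self.outside, sport, dst, dport) if self.nat else pkt
        self.state.add(sent)
        return sent

    def inbound(self, reply: Packet) -> bool:
        """Accept a return packet only if it answers a session this firewall saw."""
        rsrc, rsport, rdst, rdport = reply
        return (rdst, rdport, rsrc, rsport) in self.state


def route_back(dst_ip: str, firewalls: List[Firewall]) -> Firewall:
    """External router: a firewall's own outside address routes to that firewall;
    the local 10.1.1.0/24 range has one static route, via the first firewall."""
    for fw in firewalls:
        if fw.outside == dst_ip:
            return fw
    return firewalls[0]


def simulate(nat: bool, sessions: int = 6) -> Tuple[int, int]:
    """Dispatch client sessions round-robin and count replies accepted / dropped."""
    firewalls = [Firewall("20.1.1.1", "203.0.113.1", nat),
                 Firewall("20.1.1.2", "203.0.113.2", nat)]
    accepted = dropped = 0
    for i in range(sessions):
        client = ("10.1.1.%d" % (20 + i), 40000 + i, "198.51.100.7", 443)
        fw = firewalls[i % len(firewalls)]        # FireProof dispatch decision
        src, sport, dst, dport = fw.outbound(client)
        reply = (dst, dport, src, sport)          # the server answers the source it saw
        if route_back(reply[2], firewalls).inbound(reply):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    print("NAT on :", simulate(nat=True))   # every reply returns through its own firewall
    print("NAT off:", simulate(nat=False))  # replies for firewall 2 sessions land on firewall 1
```

Without NAT, half of the sessions in this model are silently broken, and the symptom is intermittent: whether a given client works depends only on which firewall FireProof happened to pick. The Mapping Table (virtual IP, firewall IP, firewall NAT address) exists so that FireProof knows each firewall's NAT address for exactly this return path.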
20. Bits per second: 19200; Data bits: 8; Parity: None; Stop bits: 1; Flow Control: None.
Note: When using Microsoft's HyperTerminal program, Flow Control should be set to None.
Turn on the power to the unit. If the device is connected and operating properly, the PWR and System OK indicators on the front panel are lit continuously.
LAN Connections
Use a standard UTP or STP cable to connect FireProof to the LANs. The cables used differ between the two platforms:
Fast Ethernet: a 10/100BaseT cable can be used in all ports.
Application Switch: a 10/100BaseT cable can be used in eight of the ports, and a 1000BaseSX cable must be used in the other two ports.
To connect a FireProof port to a network LAN:
1. Connect a standard UTP or STP cable to the port interface located on the front panel.
2. Connect the other end of the cable to the LAN switch.
Configuring FireProof IP Host Parameters
FireProof IP host parameters enable an SNMP Network Management Station (NMS) to establish communication with the device. Manual configuration of the device differs between the platforms, so this procedure is divided into two parts. The first procedure (below) applies to the Application Switch platform and the second procedure (see page 2 8) applies to the Fast
21. Browse to search the directory tree for the file.
3. In the Password field, enter the password received with the new software version. Note: the password is case sensitive.
4. Enter the software version number as specified in the new software documentation.
5. Click Set. The status of the upload is displayed in the Progress Status field.
6. You are prompted to restart the device.
Chapter 4: Monitoring FireProof Performance
This chapter describes how to view performance graphs of your Radware network devices. You can graph statistics that show the performance of a device as a whole or of specific interfaces of the device. The BadFrames SNMP counter of certain devices is monitored automatically and, by default, you are informed when an unusually high concentration of error frames occurs. The relevant parameters are called the Threshold Parameters; you can modify them, and you can also disable threshold reporting.
The following sections are discussed in this chapter: Element Statistics; IP Interface Statistics; Firewall Statistics; Policy Statistics; Port Statistics.
Element Statistics
To graph element statistics:
1. From the Performance menu, choose Element Statistics. The Element Stat
22. The IP Routing Table window includes the following fields:
Dest IP Address: the destination IP address of this route.
Network Mask: the destination network mask of this route.
Next Hop: the address of the next system on this route, local to the interface.
If Number: the ifIndex of the local interface through which the next hop of this route is reached.
Metric: the number of hops to the destination network.
Protocol: the protocol through which the route is known.
Type: how the route is handled. Remote: forwards packets. Reject: discards packets.
To add a static route:
1. In the IP Routing Table window, click Insert. The IP Routing Table Insert dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The IP Routing Table Insert dialog box closes.
4. In the IP Routing Table window, click Set. Your changes are recorded.
To edit an existing route:
1. In the IP Routing Table window, select a table entry.
2. Click Edit. The IP Routing Table Edit dialog box is displayed.
3. Adjust the appropriate values.
4. Click Update. The IP Routing Table Edit dialog box closes.
5. In the IP Routing Table window, click Set. Your changes are recorded.
ARP Addresses
You use the Global ARP Table window to monitor, set and edit ARP addresses on the local route.
To access the Global ARP Table window, from the Router menu selec
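The following is an added example, not code from the Radware guide. It performs a lookup against a routing table with the fields listed above, showing longest-prefix match and the difference between a Remote route (packets are forwarded to the next hop) and a Reject route (packets are discarded). The sample routes are constructed: a default route towards a firewall, the local network, and a Reject entry for the rest of 10.0.0.0/8 so that packets to unassigned internal addresses are dropped instead of leaking out through the default route.

```python
"""Lookup against an IP Routing Table with the fields listed above, showing
longest-prefix match and the difference between a Remote route (forward)
and a Reject route (discard).

Added example, not Radware code. The sample routes are constructed; the
Reject entry for 10.0.0.0/8 keeps packets for unassigned internal addresses
from leaking out through the default route."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    next_hop: str
    if_number: int
    metric: int
    protocol: str      # how the route is known, e.g. "local", "static", "rip", "ospf"
    type: str          # "Remote" forwards, "Reject" discards


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.entries = [
            (ipaddress.ip_network(f"{r.dest}/{r.mask}", strict=False), r) for r in routes]

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest prefix wins; among equal prefixes the lowest metric wins."""
        a = ipaddress.ip_address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, Route]] = None
        for net, r in self.entries:
            if a not in net:
                continue
            if best is None or (net.prefixlen, -r.metric) > (best[0].prefixlen, -best[1].metric):
                best = (net, r)
        return best[1] if best else None

    def decide(self, ip: str) -> str:
        """What the router does with a packet for ip, as a short description."""
        r = self.lookup(ip)
        if r is None:
            return "drop: no route"
        if r.type == "Reject":
            return "drop: reject route %s/%s" % (r.dest, r.mask)
        return "forward via %s on if %d" % (r.next_hop, r.if_number)


def example_table() -> RoutingTable:
    """Constructed table for the Example 1 topology (local 10.1.1.0/24, firewalls on 20.1.1.0/24)."""
    return RoutingTable([
        Route("0.0.0.0", "0.0.0.0", "20.1.1.1", 2, 1, "static", "Remote"),        # default to a firewall
        Route("10.1.1.0", "255.255.255.0", "10.1.1.10", 1, 0, "local", "Remote"),  # local network
        Route("10.0.0.0", "255.0.0.0", "0.0.0.0", 0, 0, "static", "Reject"),       # discard unused internal space
    ])


if __name__ == "__main__":
    t = example_table()
    for ip in ("10.1.1.5", "10.9.9.9", "198.51.100.1"):
        print(ip, "->", t.decide(ip))
```

Without the Reject entry, a packet for 10.9.9.9 would match only the default route and be sent to the firewall; with it, the more specific /8 wins over /0 and the packet is discarded on the FireProof.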
23. Ethernet platform.
Note: All other FireProof parameters are configured using Radware's Configware software.
To manually configure FireProof IP host parameters in the Application Switch platform:
1. Ensure that the ASCII terminal is connected to the device.
2. Turn on the power to the device.
3. If you need to access the command line, press any key within three seconds of boot-up. The following command line menu is displayed:
print this list
boot (load and go)
print fatal exception
download via xmodem
erase configuration from flash
download to secondary boot via xmodem
clear log file
If you do not need to access this command line, the Startup Configuration window is displayed automatically.
4. Select the symbol to access the Startup Configuration window. The window lists the following items:
0 Exit
1 IP address
2 IP subnet mask
3 Port number
4 Default router IP address
5 RIP version
6 OSPF enable
7 OSPF area ID
8 NMS IP address
9 Community name
10 Configuration file name
Enter your choice
5. Enter the number of the parameter you want to define, then enter the parameter's value and press Enter. The value of the parameter is displayed on the screen. The Community name is the SNMP credential the NMS presents to the device; see Changing Community Names, Configuring Management Station Access and Setting Physical Port SNMP Restrictions in Chapter 3 for restricting who may manage the device with it.
The following list defines the parameters in the Startup Configurati
24. The screen capture of the OSPF Interface Table shows two interfaces (the second at 176.200.99.99), each with the Designated Router field set, Admin Status Enabled, Interface Type Broadcast and Hello Interval 10.
The OSPF Interface Table window includes the following fields:
IP Address: the IP address of this OSPF interface.
Designated Router: the IP address of the designated router.
Backup Designated Router: the IP address of the backup designated router.
Interface State: the state of the OSPF interface.
Down: the OSPF interface is down.
Loopback: the OSPF interface is in the Loopback state.
Waiting: the OSPF interface is currently waiting.
Point to Point: the OSPF interface is in the point-to-point state.
Designated Router: the OSPF interface is the designated router.
Backup Designated Router: the OSPF interface is the backup designated router.
Other Designated Router: other routers are the designated and backup routers.
Admin Status: the administrative status of OSPF in the router. Enabled means that the OSPF process is active on at least one interface; Disabled means the process is not active on any interface.
Interface Type: the OSPF interface type. Broadcast LANs are broadcast type; X.25 and Frame Relay are NBMA type; and point to point LANs
25. If you use an external TFTP server, the configuration file is saved in the location configured in that server. To use the default TFTP server, do not check the box. Click Set. The status of the download is displayed in the Progress Status field.

To edit the configuration file:
1. From the Configuration menu, choose Edit File. The Edit Config File window is displayed.
2. In the BER Formatted File field, enter the name of the file you want to edit. Alternatively, click Browse to search the directory tree for the file.
3. In the ASCII Formatted File field, enter the name of the ASCII file you want to create.
4. In the Direction field, choose BER to ASCII to convert the file.
5. Click Set. The status of the conversion is displayed in the Progress Status field.
6. Click Edit ASCII File to edit the configuration file. The Edit File (Edit Config File) window is displayed.
7. Make your changes to the file, save, and close the Edit File (Edit Config File) window.
8. In the Direction field, choose ASCII to BER to convert the file back.
9. Click Set. You can now return the file to the device or send it to another device.

To send the configuration file to a device:
1. From the Configuration menu, choose Send To Device. The Send Configuration To Device window is displayed.
[Send Configuration To Device window (176.200.99.99): File Name, relative to <Configware dire Nma Confi
26. Interface
This group of commands enables the user to manipulate the Mapped and Virtual IP Tables. For more information, refer to Creating Virtual IP Addresses in Chapter 3, page 3-22. Entering the vip command will display the following options:
• mapped: The Mapped IP Table
• virtual: The Virtual IP Table
The possible values for the Mode field are as follows:
1 Regular
2 Backup

Command | Syntax | Description
VIP mapped get | vip mapped get <virtual ip> <firewall ip> | Enables the user to view the Mapped IP table. Example: vip mapped get 1.1.1.1
VIP mapped update | vip mapped update <virtual ip> <firewall ip> <firewall NAT ip> | Enables the user to update an entry in the Mapped IP table.
VIP mapped destroy | vip mapped destroy <virtual ip> <firewall ip> | Enables the user to delete an entry in the Mapped IP table.
VIP mapped create | vip mapped create <virtual ip> <firewall ip> <firewall NAT ip> | Enables the user to create an entry in the Mapped IP table.

Appendix C ASCII Command Line Interface

Command | Syntax | Description
VIP virtual get | vip virtual get <virtual ip> |
VIP virtual update | vip virtual update <virtual ip> m <mode> |
VIP virtual dest
27. Line Interface
Login: Example: Login, Password: fp
Logout: Logs the user out of the CLI. Example: Logout
Password: Enables the user to set a new Login password. Example: passwd, then Enter Old Password, Enter New Password, Repeat New Password.

One Trap
Enables the user to use the One Trap command to view or change the server status. For more information, refer to Configuring One Trap in Chapter 3, page 3-88.
Command | Syntax | Description
one trap get | onetrap get | Enables the user to view the One Trap status. Example: onetrap get
one trap update | onetrap update <value> | Enables the user to update (change) the One Trap status. Example: onetrap update disable

Ping
This group of commands enables the user to configure the ping setup. The syntax for the Ping command is as follows:
ping [-s] [-t] [-n <count>] [-l <size>] [-w <timeout>] <Destination IP Address>
The possible options for the ping command are the following:
• -s: Stops the pings.
• -t: Pings to the specified host until interrupted.
• -n <count>: The number of echo requests to send. Enter the required number in the <count>. The default is 1; the maximum is 65535.
• -l <size>: The Sent Data size. Enter the required number in the <size>. The default is 10; the maximum is 1450.
• -w <timeout>: The time in milliseconds to wait for each reply. The default is 1000.
28. Neighbor Table
The OSPF Neighbor Table window is displayed.
[OSPF Neighbor Table window (176.200.99.99): columns Neighbor's Address, Router ID, Priority, Neighbor State, Length of the Retransmission Queue; Status: Finished / Error]

The OSPF Neighbor Table window contains the following fields:
• Neighbor Address: The IP address of this neighbor.
• Router ID: A unique identifier for the neighboring router in the autonomous system.
• Priority: The priority of this neighbor. A priority of 0 means that this neighbor is not eligible to become the designated router on this network.
• Neighbor State: The state of the relationship with the neighbor: Down, Attempt, Init, Two Way, Exchange Start, Exchange, Loading, Full.
• Length of the Retransmission Queue: The current length of the retransmission queue.

Configuring the Router
You configure the router using the IP Routing Table window.
To access the IP Routing Table window:
• From the Router menu, select Routing Table. The IP Routing Table window is displayed.

IP Routing Table (176.200.99.99):
  | Dest IP Address | Network Mask | Next Hop | If Num | Metric | Protocol | Type
1 | 1.0.0.0 | 255.0.0.0 | 0.0.0.0 | 1 | 1 | Local | Local
2 | 176.200.0.0 | 255.255.0.0 | 0.0.0.0 | 100001 | 1 | Local | Local
Status: Finished / Error
29. Configuring FireProof
Configware is an SNMP based network management system. It gives you access to a myriad of configuration and monitoring options for each Radware device on the network and provides real time graphs of a wide selection of MIB variables to help you monitor the performance of each device.
The following sections are discussed in this chapter:
• Getting Started, page 3-2
• Setting Up a VLAN, page 3-12
• Setting Interface Addresses and IP Router Options, page 3-16
• Setting Up Firewalls, page 3-19
• Configuring Router Settings, page 3-55
• Setting Up Security, page 3-72
• Configuring Bridge Settings, page 3-75
• Configuring Services, page 3-78
• Setting Up Application Security, page 3-92
• Configuring Bandwidth Management (BWM), page 3-96
• Updating Software, page

Getting Started
The following subjects are discussed in this chapter:
• Running Configware, below
• Using Buttons, page 3-3
• Permanently Adding Devices to Configware, page 3-3
• Connecting to a Device, page 3-7
• Zoom View, page 3-8
• Viewing Traps, page 3-8

Running Configware Standalone
To run Configware (Windows 98/NT):
• From the directory <Configware_Install>\NMS, run the program go.bat. The Configware opening screen is displayed as shown below.
[Configware 1.34 opening screen: Options; Devices (Radware); IP
30. Output discarded packets; Output non-unicast packets; Output subnetwork unicast packets; Packets with errors not transmitted; Subnetwork unicast packets delivered.
3. From the Optional Counters list, choose the counters to graph.
4. Click Show Graph. The Port Statistics Graph window is displayed.
You can change the look and behavior of the graph using the control panel.
To access the control panel:
• Click Control Panel. The Control Panel contains the following menus:
• Graph Type: The graph type menu contains a selection of different graph views, including Bar, Area Plot, Scatter Plot, Stacking Bar, Stacking Area and Pie.

Chapter 4 Monitoring FireProof Performance

• Data Buffer Size: The number of past graph samples stored. The greater the number, the more samples are stored for later review.
• Monitor Size: The number of graph samples that are displayed on the screen.
• Sample Time: The amount of time between samples, in seconds.
• Presentation Units: The average number of events per number of seconds entered here, based on the total number of events recorded for the duration of the Sample Time. For example, if the Presentation Units is set as 1 and the Sample Time is set as 5, the graph will display the average number of events per 1 second based on the last 5 seconds of data. Changing the value of the Presentation Units will change the display of all graphs st
31. Virtual IP Address, page 3-51
• Defining Load Balancing Algorithms, page 3-52

Configuring Firewalls
You use the Firewalls Table window to monitor, insert and edit firewall information.
To access the Firewall Table window:
• From the FireProof menu, choose Firewall Table. The Firewall Table window is displayed as shown below.
[Firewall Table window (176.200.99.99): columns Firewall Address, Firewall Name, Admin Status, Operational Status, Firewall Priority, Attach Users Number, Peak Load Frames Rate, Peak Bytes Load; Status: Finished / Error]
The Firewall Table window includes the following fields:
• Firewall Address: The IP address of the firewall.
• Firewall Name: The name of the firewall. Each firewall should have a unique name.
• Admin Status: The firewall status:
  Enabled: Activates the firewall. The Operational Status (see Operational Status below) will change to Active.
  Disabled: Stops the firewall. The Operational Status will change to Not In Service. All connections end and no new connections can be made.
  Shutdown: Shuts down the firewall. The Operational Status will change to No New Sessions. No new connections can be made; existing connections remain until ended by the client.
• Operational Status: The Operational Status parameter reflects th
32. You use the Global Configuration window to monitor, insert and edit global configuration information.
To access the Global Configuration window:
• From the FireProof menu, choose Global Configuration. The Global Configuration window is displayed.
[Global Configuration window (192.1.5.21): tabs General, Connectivity Check, Client Table, Advanced; General tab fields: Admin Status (Enable), Dispatch Method (Cyclic), Client Aging Time, Clients Connect Denials, Translate Outbound Traffic to Virtual Address (Disable), Smart NAT (Enable); Status: Finished / Error; Error Log]
The Global Configuration window includes the following fields:
General Tab
• Admin Status: The status of FireProof can be either of the following options:
  Enable: FireProof is active. All users are balanced between the Firewalls.
  Disable: FireProof is inactive. Clients connecting to the device will be sent to the default firewall.
• Dispatch Method: The method used to determine to which firewall the traffic will be directed. Note that when port rules are enabled, only servers accessible via the designated port will be taken into account.
  Cyclic: Directs traffic to each firewall one by one.
  Least Amount Traffic: Directs traffic to the firewall with the least traffic.
  Fewest Number of Users: Directs traffic to the fir
33. a client IP and a destination IP. The default configuration regards all the sessions opened by a client to the same destination as a single session, for best performance. For more accurate load balancing, all the sessions opened by the same client's application to the same destination are counted together. For even more accurate load balancing, each session opened by the client(s) to the same destination is counted separately. The last option offers balancing of the client's sessions between the firewalls. This option should be used cautiously.

Smooth Firewall Shutdown
FireProof allows the definition of a smooth firewall shutdown procedure. If this is activated, new clients will not be directed to this firewall until existing clients complete their sessions, i.e. until the Client Table is empty. Then the firewall can be shut down in an orderly manner.

SNMP Port Restrictions
SNMP provides its own inherent security mechanism through the use of the Community Table. Although SNMP Community Tables provide security, extra provisions may be necessary, especially given FireProof's role in providing overall network security. FireProof provides additional security by allowing you to restrict which physical ports accept SNMP messages. By restricting SNMP access to specific ports, you can limit access to FireProof management to those areas on the network where authorized users are likely to resi
34. a Device dialog box closes.
• In the Edit Device List window, click Set. The changes are recorded.

To delete devices from the device list:
1. From the Configware window, click Options. The General Options window is displayed.
2. In the General Options window, click Configuration. The Configuration options are displayed in the General Options window.
3. In the Configuration window, click Edit Device List. The Edit the Device List window is displayed.
4. From the list, choose the device you require to delete.
5. Click Delete.
6. Click Set. The device is deleted from the list.

To set a device as default:
1. From the Configware window, click Options. The General Options window is displayed.
2. In the General Options window, click Configuration. The Configuration options are displayed in the General Options window.
3. Click Edit Device List. The Edit the Device List window is displayed.
4. From the list, double click the device you require to set as the default. The device appears in the Default Device field.
5. Click Set. The device appears in the Devices field of the opening screen when Configware is launched.

Connecting to a Device
To connect to a device:
1. In the Configware opening screen, do one of the following:
   • From the Devices dropdown list, choose a device.
   • In the IP Address field, enter the IP Address of the device.
   • Adjust the community as required.
   Cl
35. and to ensure that packets are sent to the MAC address of the FireProof during end station to firewall communications.
Note: VLAN redundancy is available only in Regular VLAN mode.

Index
A: About This Guide, IX; AC Power Connection, 2-3; Active Policies, 3-99; Adding Devices to ConfigWare, 3-3; Adjusting Operating Parameters; Advanced Monitoring and Statistics, G-1; Application Grouping with FireProof, A-19; Application Health Monitoring, G-1; Application Securit; ARP Addresses, 3-69; ASCII Terminal Serial Connection, 2-3; ASCII Command Line Interface, C-1.
B: Backup Firewall Configuration, G-1; Bandwidth Managemen; Bi-directional Configuration, A-11; Bridging, G-2; Bandwidth Management, 3-96; Bridge Forwarding Nodes, 3-76; Bridge Operating Parameters, 3-75; BWM, 3-96.
C: Checking the Contents, 2-2; Changing Community Names, 3-79; Configuring a Remote Virtual IP Address, 3-51; Configuring Application; Configuring Bridge Settings, 3-75; Configuring Dynamic Smart NAT, 3-27; Configuring FireProof, 3-1; Configuring Firewall Grouping, 3-34; Configuring Firewalls, 3-20; Configuring Interface Parameters; Configuring IP Router Redundancy; Configuring Management Station Access, 3-72; Configuring Mirroring, 3-49; Configuring One Trap, 3-88; Configuring Polling, 3-78; Configuring Router Settings, 3-55; Configu
36. click Set. Your changes are recorded.

Configuring VLAN Parameters
You use the Virtual LAN Parameters window to monitor, add and edit VLAN parameters.
To access the Virtual LAN Parameters window:
• From the Device menu, choose VLAN Parameters. The Virtual LAN Parameters window is displayed as shown below.
[Virtual LAN Parameters window (176.200.99.99): IP VLAN Auto Config: Enabled; Auto Config Aging Time: 3600; VLAN Ethernet Type; VLAN Ethernet Type Mask: FFFF; Status: Finished / Error]
The Virtual LAN Parameters window includes the following fields:
• IP VLAN Auto Config: When this parameter is enabled, the device will automatically detect and add interfaces to existing IP VLANs in accordance with incoming IP broadcasts and ARP requests. This means that a network device can be moved to a different device port and remain in the same VLAN. This will be done only for VLANs with Auto Config On.
• Auto Config Aging Time: Ports refresh time for VLANs with autoconfig.
• VLAN Ethernet Type (for user defined VLANs): Defines the Ethernet type for user defined VLANs.
• VLAN Ethernet Type Mask (for user defined VLANs): Defines the mask on Ethernet type for user defined VLANs.
To configure VLAN interface parameters:
1. In the Virtual LAN Parameters window, adjust the appropriate values.
2. Click Set. Your chang
37. counters
  inf: Typing the print ip inf command displays the IP Address table.
  rd: Typing the print ip rd command displays the IP Redundancy table.
  rip: Typing the print ip rip command displays an additional sub menu enabling the user to print the following:
    conf: Prints the IP Interface table.
print l2: This command enables the user to print the l2 data to the CLI screen. Typing the print l2 command displays the following submenu items:
  inf: Typing the print l2 inf command displays the l2 Interface table.
This command enables the user to print the Logfile data to the CLI screen.
print os: This command enables the user to print the Device data to the CLI screen. Typing the print os command displays the following submenu items:
  resource: Typing the print os resource command displays the Device Resource Utilization table.

Syntax | Description
print rea | This command enables the user to print the REA data to the CLI screen. Typing the print rea command displays the following submenu items:
  prx: Typing the print rea prx command displays an additional sub menu enabling the user to print the following:
    alias: Prints the Farm Alias Entries table.
    dstrnge: Prints the Destination Ranges table.
    srvrtbl: Prints the Servers in Farm table.
print snmp | This command enables the user to print the SNMP tables to the CLI screen. Typing the print snmp command displays th
38. discarded because they needed to be fragmented at this entity but could not be, e.g. because their Don't Fragment flag was set.
• IP fragments failed reassembly: The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IP fragments, since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
• IP fragments successfully re-assembled: The number of IP datagrams successfully reassembled.
• IP fragments received need reassembly: The number of IP fragments received which needed to be reassembled at this entity.
• Outgoing discarded IP datagrams that have no error: The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded, e.g. for lack of buffer space. Note that this counter would include datagrams counted in ipForwDatagrams if any such packets met this discretionary discard criterion.
• Output IP datagrams discarded, no route found: The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note that this counter includes any packets counted in ipForwDatagrams which meet this no route criterion. Note that this inclu
39. information about an existing application aging entry. Example: appl aging update 1 10
appl aging destroy: Enables the user to delete a specific application aging entry. Example: appl aging destroy 1
appl aging create: Enables the user to create a new application aging entry. Example: appl aging create 1 100

ARP
This group of commands enables the user to manipulate the data of the ARP Table. For more information, refer to ARP Addresses in Chapter 3, Configuring FireProof, page 3-69.
Command | Syntax | Description
arp get | arp get <interface> <Net address> | Enables the user to retrieve information on an existing arp entry. Example: arp get 1 176.200.1.1
arp destroy | arp destroy <interface> <Net address> | Enables the user to delete a specific arp entry. Example: arp destroy 1 176.200.1.1
arp create | arp create <interface> <Net address> <Physical Address> | Enables the user to create a new arp entry. Example: arp create 1 176.200.1.1 00d0b76b1242
arp help | arp help | Opens an online help for arp tables. Example: arp help

Bandwidth Management
This group of commands enables the user to manipulate the Bandwidth Management data. Entering the bwm command will display the following options:
• Network
• Policy
• Service
• Utils

BWM
This group of commands enables the us
40. likely to reside.
You use the SNMP Port Table window to define SNMP restrictions.
To access the SNMP Port Table window:
• From the Services menu, choose SNMP Port. The SNMP Port Table window is displayed.
[SNMP Ports Table window (176.200.105.191): columns Port Number and Mode; ports 1 to 10 listed with Mode ACCEPT; Status: Finished / Error]
The SNMP Port Table window contains the following fields:
• Port Number: The number of the physical port. This field is read only.
• Mode: The access mode of the port:
  Forward: The SNMP message is forwarded to the device.
  Discard: The SNMP message is not forwarded to the device.
To configure SNMP port restrictions:
1. In the SNMP Port Table window, select the port you require to configure.
2. Select the mode.
3. Click Set. Your changes are made.

Configuring Bridge Settings
Once a VLAN is defined, bridging is performed within the VLAN. For example, if a DECnet VLAN is defined on ports 1 and 2, DECnet frames into port 1 are bridged to port 2 and DECnet frames into port 2 are bridged to port 1.
This section contains the following information:
• Bridge Operating Parameters, below
• Bridge Forwardin
41. menu, select OSPF, then choose Area Parameters. The OSPF Area Parameters window is displayed.
[OSPF Area Parameters window (176.200.99.99): fields Area ID, Number of AS Border Routers, Number of Internal LSAs, Internal LS Checksum Sum, Import AS Extern (Import External); Status: Finished / Error]
The OSPF Area Parameters window includes the following fields:
• Area ID: The IP address of the area.
• Number of AS Border Routers: The total number of Autonomous System border routers reachable within this area. This number is initially zero and is calculated in each SPF pass.
• Number of Internal LSAs: The number of internal link state advertisements in the link state database.
• Internal LS Checksum Sum: The sum of LS checksums of internal LS advertisements contained in the LS database. Use this sum to determine if there has been a change in a router's LS database and to compare the LS database of two routers.
• Import AS Extern: Whether or not to import autonomous system external link advertisements.
To adjust the OSPF area parameters:
1. In the OSPF Area Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.

OSPF Link State Database
To access the OSPF Link State Database window:
• From the Router menu, select OSPF, then choose Lin
42. port; x and y can be the same port.
2. Press Enter.
To view rules configured for a specific port:
1. Type rules get x, where x is the port number.
2. Press Enter.
To delete a specific rule:
1. Type rules delete x y, where x is the incoming port and y is the outgoing port.
2. Press Enter.
To delete all rules:
1. Type rules delete.
2. Press Enter.
You can use the Rules Table window to view what rules have been configured on the device.
To access the Rules Table window:
• From the FireProof menu, select Firewalls, Advanced Configuration, and then choose Rules Table. The Rules Table window is displayed as shown below.
[Rules Table window (176.200.99.99): columns FireProof Port Number, Leaving Port Number, Number Of Firewalls On Port; ports 1 to 9 listed with Leaving Port Number None and 0 firewalls on port; Status: Finished / Error]
The Rules Table window includes the following fields:
• FireProof Port Number: The FireProof port number from which the traffic enters.
• Leaving Port Number: The number of the FireProof port through which traffic entering the FireProof Port Number can exit.
• Number of Firewalls on Port: The number of servers connected to the FireProof port.
To view the Firewall Table of a specific FireProof port:
1. From the Rules Table window
43. severity. Trap severity ratings include, in increasing order of severity: Informational, Warning, Error and Fatal.
• Date: The date that the trap occurred.
• Time: The time that the trap occurred.
• Source: The IP Address that triggered the trap.
• Information: Description of the trap.
Note: Traps are only displayed in this window when the device is configured to send traps to the management station, and only traps that are sent whilst this window is open are displayed.

Setting Up a VLAN
FireProof allows you to define VLANs. VLANs are software defined groups of interfaces that communicate within one protocol seemingly as if they are on the same wire, even though they are spread out on different LAN segments. Standard interface attributes can be applied to VLANs. There are a number of default VLANs that already exist and initially do not contain any ports:
• Other VLAN: ifIndex 100000
• IP VLAN: ifIndex 100001
IP VLANs are automatically assigned a MAC address. The Other VLAN is a Super VLAN that includes all protocols for which VLANs have not been defined. However, it does not include IP.
The following table lists the VLAN types that FireProof supports:
VLAN Type | Description
Regular | The device acts as a bridge. Refer to Example 2 in Appendix A for further details.
BroadcastAndUnicast | The device acts as a bridge and as a proxy ARP, hidi
44. the balancing scheme using two additional load balancing parameters. FireProof receives the index for its load balancing algorithms from each firewall using Simple Network Management Protocol (SNMP).

Diagnostics
FireProof includes LED diagnostic indicators which provide instant information about the unit and the interface status. Unit LEDs: ON (power on) and System OK. Interface specific LEDs: ON (proper connection) and ACT (current traffic load).

Dynamic NAT
You use Dynamic NAT to avoid return delivery problems that can occur when using FireProof to load balance among multiple transparent traffic forwarders and multiple address ranges while performing NAT for an internal network. Should one of the address ranges become unavailable, return traffic from the internal network will be assigned a NAT address in one of the other address ranges, ensuring packet delivery.

Extended Health Monitoring
FireProof can check the health of network elements beyond a firewall, checking both the firewall itself and the availability of the network on the other side. If the network is not reachable, FireProof stops forwarding traffic to the specified firewall.

FireProof Redundancy
An additional FireProof allows for FireProof redundancy and ensures full fault tolerance with no single point of failure. The backup FireProof device monitors the primary FireProof through the network, implying immedi
45. to Last Graph Right Arrow
46. to your device. The following connections should be completed in this order:
• AC Power Connection
• ASCII Terminal Serial Connection
• LAN Connections
• Configuring the IP Host Parameters

AC Power Connection
The device should be supplied with AC power via a 1.5m (or 5 foot) standard power cable.
To connect the AC power connection:
1. Connect the power cable to the main socket located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

ASCII Terminal Serial Connection
The serial port connector varies depending on the platform of your device, as follows:
• Fast Ethernet: The serial port connector is a 9 pin connector which is connected to the rear panel.
• Application Switch: The serial port connector is a 9 pin connector which is connected to the front panel.
To make the ASCII terminal connection:
1. Connect the serial port connector to the front panel.
2. Connect the other end of the serial port connector cable to your computer.
3. Access HyperTerminal.
4. From the HyperTerminal opening window, select the File menu, then Properties. Or: click the Properties icon in the toolbar. The New Connection Properties dialog box is displayed.
5. Click Configure. The Properties dialog box containing the Port Settings tab is displayed.
6. Verify that the fields are set as follows:
47. update 1 2

SYN Attack
This group of commands enables the user to manipulate SYN attack data.
Command | Syntax | Description
synattack get | synattack get | Enables the user to view the Timeout for SYN attack. Example: synattack get
synattack update | synattack update <value> | Enables the user to update the Net Attack. Example: synattack update 5

TFTP
This group of commands enables the user to manipulate the data of the TFTP tables. For more information, refer to Configuring Via File in Chapter 3, page 3-89. Entering the snmp command will display the following options:
• fromdev: The Configuration file From Device data
• todev: The Configuration file To Device data
Command | Syntax | Description
TFTP from device get | tftp fromdev get | Enables the user to view the TFTP from device data. Example: tftp fromdev get
TFTP from device update | tftp fromdev update <config file> <TFTP Server> | Enables the user to update the TFTP from device data.
TFTP to device get | tftp todev get | Enables the user to view the TFTP to device data. Example: tftp todev get
TFTP to device update | tftp todev update <config file> <TFTP server> | Enables the user to update the TFTP to device data.
Fire
48. with the address 10.1.1.11 to be associated with the VLAN defined in step 1 above. If there is an existing IP interface with a 10.1.1.11 address, it should be edited so that this address is associated with the VLAN. If there is no existing IP interface with a 10.1.1.11 address, one must be created.
• In the Firewall Table window (FireProof menu, Firewall Table), insert firewalls 10.1.1.1 and 10.1.1.2. Make sure Firewall Mode is set to Regular. Configure Full Path Health Monitoring as required.
• In the Global Redundancy Configuration window (FireProof menu, Redundancy, Global Configuration), ensure that the Interface Grouping field is Disabled and the IP Redundancy Admin Status field is Enabled. Ensure that the VLAN Redundancy Device Mode is set to Backup.
• Define FireProof 2 interfaces as redundant to those of FireProof 1. In the IP Redundancy Table window (FireProof menu, Redundancy, IP Redundancy Table) of FireProof 2, enter 10.1.1.11 for the interface address and 10.1.1.10 as the main device IP address.
Notes:
1. In advanced configuration, any IP addresses owned by the main device besides its interfaces' IP addresses, such as NAT or VIP, should be configured similarly on the backup device with Redundancy Mode set to Backup.
2. When using layer 3 switches between the FireProof devices, the Backup Fake ARP parameter might need to be changed. Refer to page 3-46 for further information.
49. 1 11 11 4 6 and 202 22 22 4 6.

Appendix A Example Configurations

• In the Modify Policies Table window (QoS menu, Modify Policies, Policies), configure the following:
[Modify Policies Table window (FireProof with SynApps)]
• In the Modify Policies Table window (QoS menu, Modify Policies, Policies), use the Edit Default Policy button to set the default action and priority as required.
[Edit Default Policy window (FireProof wit
• From the Update Confirmation dialog box (QoS menu, Update Policies), click OK to activate the newly configured policies.
Notes:
1. When Application Classification is Disabled, meaning packets are classified rather than sessions, and when protocols requiring special support such as FTP, Rshell and Rexec are also being classified, it is recommended to use Layer 4 in the Client Table mode.
2. When Application Classification is Enabled, meaning sessions are being classified, and when using protocols in the BWM policies, it is recommended to use Layer 4 in the Client Table mode. The classification indication is kept in the Client Table in the relevant entry, so that different entries are required for different protocols and each has a different classification indication.
50. …page 2-2; Connecting FireProof to Your Network, page 2-3; Configuring FireProof IP Host Parameters, page 2-5; FireProof Specifications and Requirements, page 2-9; Installing Configware Management Software, page …

Checking the Contents

Before beginning the hardware installation, open the box and check that the following components are included:
• FireProof device
• Configware Management Software CD-ROM
• User's Manual
• One power cable (only for countries using 110 V power supply)
• One serial cable
• Two cross cables (Application Switch platform only)
• A set of mounting brackets

If you are missing any of the above components, please contact your FireProof reseller.

Mounting the Device

FireProof can be either rack mounted or mounted on a tabletop. The package includes brackets to enable rack mounting of the device. Rubber feet are attached to the bottom of the device to enable tabletop mounting.

Note: After mounting, ensure that there is adequate airflow surrounding the device.

To rack mount the device:
1. Attach one bracket to each side of the device using the screws provided.
2. Attach the device to the rack with the mounting screws.

Connecting FireProof to Your Network

After you have mounted the device, you must connect the cables.
51. …5.255.255.0, bridging is performed for IP network 192.1.1.0 between FireProof ports 1, 2 and 4.

Virtual IP Support

FireProof allows you to balance firewalls that use NAT addresses. This is accomplished by creating a virtual IP address that is mapped to the firewall NAT addresses. Traffic destined for the virtual IP is redirected to the appropriate firewall according to the configured load balancing algorithm.

VLAN Types

Two types of IP VLANs are commonly encountered when configuring a FireProof. Either VLAN can be used, depending on the FireProof configuration requirements. Refer to Chapter 1, page 1-4, for more details on VLANs used in the new platform.

Regular: A Regular VLAN provides transparent bridging within the VLAN. This means that when two stations communicate within the VLAN, they are aware of each other's MAC addresses. If stations A and B are on two different FireProof ports that belong to the same VLAN, during communication A knows B's MAC address and B knows A's address.

BroadcastAndUnicast: This is a special VLAN which allows bridging using standard proxy ARP techniques. Stations on one VLAN port of the FireProof believe that all stations on other FireProof ports belonging to this VLAN have the same MAC address. This one MAC address is actually the MAC of FireProof. It is necessary to use the BroadcastAndUnicast VLAN type in FireProof configurations to enable load balancing.
52. The Source Grouping Table window is displayed as shown below.

(Source Grouping Table window, 176.200.99.99: Source IP Address, Source Subnet Mask, Firewall IP Address, Operational Mode; Status: Finished)

The Source Grouping Table window includes the following fields:
• Source IP Address: The IP address of the source.
• Source Subnet Mask: The subnet mask of the source.
• Firewall IP Address: The IP address of the firewall to handle the traffic.
• Operational Mode: Whether the firewall will be active or backup for this group.

To define a group based on source subnet:
1. In the Source Grouping Table window, click Insert. The Source Grouping Insert Table dialog box is displayed.
2. Enter the appropriate information.
3. Click Update. The Source Grouping Insert Table dialog box closes.
4. In the Source Grouping Table window, click Set. Your changes are made.

Setting Up Application Grouping

Application grouping allows you to determine which firewalls will handle traffic destined for a specific application port. You use the Application Port Grouping window to configure destination grouping.

Note: In order for Application Grouping to work, you must have one of these options enabled: Open New Entry for Different Source Port and Select New Firewall for Different Source Port.
53. This command enables the user to print all the available FireProof data to the CLI screen, although most of this data may be displayed by other commands in the CLI.

Note: This section does not contain all the available print commands. To display the list of additional print commands, type print in the CLI.

Typing the print command displays the following menu items:

Syntax / Description
• print brg: Prints the Bridge data to the CLI screen.
• print devinfo: Prints the Device Information to the CLI screen.
• print ip: Prints the IP data to the CLI screen. Typing the print ip command displays the following submenu items:
  • arp: Typing the print ip arp command displays an additional sub menu enabling the user to print the following:
    • tbl: Prints the IP ARP table.
    • wl: Prints the ARP wait list.
  • cnt: Typing the print ip cnt command displays the IP Counters.
  • frw: Typing the print ip frw command displays the IP Routing table.
  • icmp: Typing the print ip icmp command displays an additional sub menu enabling the user to print the following:
    • cnt: Prints the IP ICMP…
• print logfile
• print os
54. (RIP Parameters window: Administrative Status Enabled, Leak OSPF Routes Enabled, Leak Static Routes Enabled; Status: Finished)

The RIP Parameters window contains the following fields:
• Administrative Status: The administrative status of RIP in the router. Disabled means the process is not active on any interfaces.
• Leak OSPF Routes: Controls redistribution of routes from OSPF to RIP. When this parameter is enabled, all routes learned via OSPF are advertised into RIP.
• Leak Static Routes: Controls redistribution of routes from static routes to RIP. When this parameter is enabled, all static routes are advertised into RIP.

To edit RIP parameters:
1. In the RIP Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.

RIP Interface Parameters

You use the RIP Interface Table window to set and edit RIP interface parameters.

To access the RIP Interface Table window:
• From the Router menu, select RIP and then choose Interface Parameters. The RIP Interface Table window is displayed as shown below.

(RIP Interface Table window, 176.200.99.99: IP Address, Outgoing RIP, Incoming RIP, Status; entry 176.200.99.99, RIP Version 1, RIP Version 1, VALID; Status: Finished)
55. ASCII Command Line Interface

Command / Syntax / Description
• global admin status get — global admstts get: Enables the user to view the global administration status. Example: global admstts get
• global admin status update — global admstts update <admin status>: Enables the user to change the global administration status. Example: global admstts update enable
• global client's life time get — global clntage get: Enables the user to view the global client's lifetime. Example: global clntage get
• global client's life time update — global clntage update <client life time>: Enables the user to change the global client's lifetime. Example: global clntage update 60
• global client table mode get — global clntmode get: Enables the user to view the global Client Table Mode. Example: global clntmode get
• global client table mode update — global clntmode update <client table mode>: Enables the user to change the global Client Table Mode. Example: global clntmode update layer3

Global Connectivity Check

This group of commands enables the user to manipulate or view the global connectivity check parameters. For more information, refer to Global Configuration in Chapter 3, page 3-41. Entering the global conchk command will display the following options:
• interval
56. (Connection window: Address 176.200.99.99; Status: Finished)

To run Configware (Unix):
• From the directory <Configware_Install>/NMS, run the program go. The Configware opening screen is displayed.

Web Based

To run Configware using a Web browser:
• Browse to the URL entered during installation.

Using Buttons

Configware windows have a toolbar with buttons for implementing various options. Each window contains only those buttons relevant to that window. Throughout this document, buttons will be referred to by name.

Permanently Adding Devices to Configware

By creating a list of devices in Configware, you can keep track of all of the devices you manage and quicken the connection process. You are prompted during the installation process to enter devices in the Device List. Whether or not you added devices during installation, you can add, edit and delete devices at any time. Also, you can decide which device on the network to make the default device, the device that appears in the opening screen fields when Configware launches.

To add devices to the device list:
1. From the Configware window, click Options. The General Options window is displayed as shown below.

(General Options window)
57. …Configuring Firewall Grouping in Chapter 3, page 3-34. Entering the group command will display the following options:
• applport: Application Port Group Table
• dest: Destination Subnet Group Table
• source: Source Subnet Group Table

The possible switches for the group commands are the following:
• o: Operation Mode

Command / Syntax / Description
• application port group table get — group applport get [application port or other] [firewall ip address]: Enables the user to view the Application Port Group Table. Example: group applport get …
• application port group table update — group applport update <application port or other> <firewall ip address>: Enables the user to update an Application Port Group Table entry. Example: group applport update …
• application port group table destroy — group applport destroy <application port or other> <firewall ip address>: Enables the user to delete an Application Port Group Table entry. Example: group applport destroy …
• application port group table create — group applport create <application port or other> <firewall ip address>
• destination subnet group table get — group dest get [subnet IP address] [firewall ip address]
• destination subnet group table update — group dest update <dest subnet address…
58. In the Firewall Table window (FireProof > Firewall Table) on FireProof 1, insert firewalls 20.1.1.1 and 20.1.1.2.
3. Define two IP interfaces on FireProof 2 similarly: one with a 30.1.1.10 address and one with a 100.1.1.10 address.
4. In the Firewall Table window (FireProof > Firewall Table) on FireProof 2, insert firewalls 30.1.1.1 and 30.1.1.2.

• The router of FireProof 2 for the local network should be one of the firewalls, for example 30.1.1.1, and its default gateway to the Internet is the access router, 100.1.1.20.
• The router of the firewalls for the local network should be the 20.1.1.10 address of FireProof 1.
• The default router of the firewalls to connect to the Internet should be the FireProof 2 internal address, for example 30.1.1.10.
• The default router of FireProof 1 should be one of the firewalls' internal addresses, for example 20.1.1.1.
• The route of the access router to the local network should be the FireProof 2 external address, 100.1.1.10.
• The default router of the local network should be the FireProof 1 address, 10.1.1.10.

If the firewalls use static NAT addresses, configure a virtual IP address in the Virtual IP table of FireProof 2. This is necessary in order to have one public address for each server, rather than as many public IP addresses as the number of firewalls. Using VIP on the external FireProof…
59. Mandatory Fields: Fields that must be added to a command, for example: arp update <interface> <net address> <physical address>. These commands will appear in this appendix with < >; if these fields are not added, the command will not function and an error message will be displayed.

Switch: These fields define a specific action within the command and must be one of the values displayed in the general description section of each command, and must be followed with a value for the switch, for example: alias update <alias address> <Switch> <Value>.

Switch Values: These values relate to a specific switch and are individual to each command and switch. Type the help command and switch to view the allowed values for the specified switch, for example: alias help s.

Console Key Definitions

Cursor Movement keys:
• Left Arrow: Move cursor left
• Right Arrow: Move cursor right
• Home: Move cursor to the beginning of the line
• End: Move cursor to the end of the line

History Lines Retrieve keys:
• Up Arrow: Move cursor to the previous line
• Down Arrow: Move cursor to the next line
• Character Set Up Arrow: Move cursor to the previous line which fits the character set defined
• Character Set Down Arrow: Move cursor to the next line which fits the character set defined

Selection and Clipboard…
60. …Management; Example 11: Application Security; Appendix B: Troubleshooting; Appendix C: ASCII Command Line Interface; Appendix D: Software License Upgrade; Glossary; Index.

Introducing FireProof

FireProof is a dynamic load balancing system for effective management of traffic on multiple firewalls and other VPN and transparent devices. Based on technologies of the award-winning Radware Web Server Director family of IP traffic managers, FireProof greatly improves firewall performance while maximizing uptime. An ideal solution for large organizations that require top firewall performance, Radware's FireProof system offers powerful load balancing and fault tolerance capabilities which together ensure the highest degree of availability and an effective growth path.

This chapter contains the following information:
• The Problem, page 1-2
• The Solution, page 1-2
• FireProof Network Design, page 1-3
• FireProof Entry Level Product, page 1-3

The Problem

Generally, firewalls have a limited traffic load capacity. To accommodate traffic growth, organizations can either install the existing firewall on a more powerful machine or add more firewall devices. However, these solutions can prove t…
61. LAN Interfaces, Application Switch Platform

FireProof comes with two Gigabit and/or eight Fast Ethernet ports for IEEE 802.3 10/100 BaseT and 1000 BaseSX. All the ports are auto-sensing. FireProof also supports half and full duplex communication on 1000 Mbps.

Hardware Requirements

In order to use the Configware program successfully, your system components must include the following:
• Any Java-enabled platform running on at least a 200 MHz processor
• At least 32 Mbytes RAM
• 15 Mbytes free disk space
• CD-ROM for installation
• VGA or SuperVGA color adapter and monitor (64K colors recommended)

Software Requirements

Java Support: Microsoft Internet Explorer 4.0 or Sun JRE. If you do not have Java support, you can download Microsoft's Java Virtual Machine from their Web site: http://www.microsoft.com/java/vm/dl_vm32.htm

Installing Configware Management Software

The Configware Management Software can be installed as a stand-alone application or as a web-based management applet. Refer to Appendix D for installation details on web-based management software.

To install Configware as a stand-alone application:
1. Insert the Configware CD in the CD-ROM drive. The following window is displayed automatically.

(Install Configware window: Install Configware, Browse CD, WebSite)
62. …IP address of the client only.
• Destination IP Only: Enables traffic to be load balanced based on the IP address of the destination only.
• Remove Entry at Session End: When enabled, client entries are immediately removed from the Client Table when the client session ends.

Advanced Tab
• Identify Firewall by Port: When enabled, firewalls' MAC address and incoming ports are checked to determine from which firewall traffic originated. When disabled, only the source MAC is checked. This option should be enabled only when using port rules and when firewalls use the same MAC on different physical ports.
• Port Hashing: When disabled, client table hashing is performed according to source IP and destination IP. When enabled, client table hashing is performed with the aforementioned as well as source port. This can be enabled only when Client Table Mode is set to layer 4 and Select New Firewall When Source Port Different is enabled. Note that changes here take place after device reboot.

To set FireProof global configuration:
1. From the FireProof menu, choose Global Configuration. The Global Configuration window is displayed.
2. Adjust the appropriate values.
3. Click Set. Your changes are recorded.

Setting Up Redundant FireProof Devices

You can configu…
63. Smart NAT

Command / Syntax / Description
• smartnat mode update — smartnat mode update <status>: Enables the user to change the Smart NAT Mode's status. Example: smartnat mode update enable
• smartnat static get — smartnat static get [local server IP] [router]: Enables the user to view the Static Smart NAT table. Example: smartnat static get …
• smartnat destroy — smartnat static destroy <local server IP> <router>: Enables the user to delete an entry in the Static Smart NAT table. Example: smartnat static destroy 1.1.1.1 10.1.1.1
• smartnat create — smartnat create <local server IP> <router> <NAT IP> <NAT mode>: Enables the user to create an entry in the Static Smart NAT table. The possible values for the NAT Mode field are the following: 1 Regular, 2 Backup. Example: smartnat static create …

SNMP

This group of commands enables the user to manipulate the data of the SNMP tables. For more information, refer to Setting Up Security in Chapter 3, page 3-72. Entering the snmp command will display the following options:
• communty: The SNMP Community table. The possible switch values for the snmp communty command are the following:
  • o: Community Access
  • t: Community Trap
64. Device Tuning

This group of commands enables the user to manipulate the Device Tuning options. Entering the tune command will display the following options:
• arptbl: ARP Table
• brgfftbl: Bridge FFT Table
• clnttbl: Client Table
• dyntbl: Dynamic Proximity Table
• ipfftbl: IP FFT Table
• routtbl: Routing Table

Command / Syntax / Description
• tune ARP table get — tune arptbl get: Enables the user to view the Tune ARP Table. Example: tune arptbl get
• tune ARP table update — tune arptbl update <table size>: Enables the user to update the ARP Table size. Example: tune arptbl update 2048
• tune bridge FFT table get — tune brgfftbl get: Enables the user to view the Tune Bridge FFT Table. Example: tune brgfftbl get
• tune bridge FFT table update — tune brgfftbl update <table size>: Enables the user to update the Bridge FFT Table size. Example: tune brgfftbl update 2048
• tune client table get — tune clnttbl get: Enables the user to view the Tune Client Table. Example: tune clnttbl get
• tune client table update — tune clnttbl update <table size>
• tune dynamic proximity table get — tune dyntbl get
• tune dynamic proximity table update — tune dyntbl update <table size>
• tune IP FFT table get — tune ipfftbl get
• tune IP FFT table update — tune i…
65. Command / Syntax / Description
• RIP admin status get — rip admstts get: Enables the user to view the administration status. Example: ospf admstts get
• RIP admin status update — rip admstts update <admin status>: Enables the user to update (change) the Administration Status. Example: ospf admstts update enable
• RIP interface table get — rip iftbl get [rip interface id]: Enables the user to view the Area Table. Example: ospf iftbl get 0.0.0.0
• RIP interface table update — rip iftbl update <rip interface id> <Switch> <value>: Enables the user to update (change) the Area Table. The possible Switch Values for the areatbl command are the following: o Outgoing RIP; i Incoming RIP; m Default Metric; d Virtual Distance; a Auto Send. Example: ospf iftbl update 0.0.0.0 o donotsend
• RIP OSPF to RIP leak get — rip ospf2rip get [leakospf2rip]: Enables the user to view the RIP OSPF to RIP Leak. Example: rip ospf2rip get
• RIP direct ext leak update — rip ext2ospf update <leakospf2rip>: Enables the user to update (change) the RIP OSPF to RIP Leak. Example: rip ext2ospf update enable
• RIP leak static to RIP get — rip stat2rip get [leak static to rip]: Enables the user to vie…
• RIP leak static to RIP update — rip stat2rip update <leak static to rip>
66. …Table Insert window closes. In the Full Path Health Monitor window, click Set. The IP Address is added to the list.

Controlling Traffic to Newly Booted Firewalls

You can control traffic to specific firewalls that have been recently booted. This means that newly booted firewalls won't be overrun by incoming traffic in accordance with the load balancing algorithm. You use the Firewalls Advanced Configuration window to control traffic to firewalls.

To access the Firewalls Advanced Configuration window:
• From the FireProof menu, select Firewalls Advanced Configuration, then select Firewalls. The Firewalls Advanced Configuration window is displayed.

(Firewalls Advanced Configuration window, 176.200.99.99: Firewall Address, Recovery Time, WarmUp Time; Status: Finished)

The Firewalls Advanced Configuration window includes the following fields:
• Firewall Address: The firewall IP address.
• Recovery Time: The time, in seconds, during which no data will be sent to this firewall. The time begins from the moment the first firewall is active, usually after the firewall boots.
• Warm Up Time: The time, in seconds, beginning after the Recovery Time ends. During this time, clients are sent to this firewall at an increasing rate so that the firewall can slowly reach its capacity. This option will not function in the cycli…
67. The RIP Interface Table window includes the following fields:
• IP Address: The IP address of the current interface.
• Outgoing RIP: The type of RIP to be sent.
  • RIP Version 1: Sending RIP updates compliant with RFC 1058.
  • RIP Version 2: Multicasting RIP-2 updates.
  • Do Not Send: No RIP updates are sent.
• Incoming RIP: The type of RIP to be received.
  • RIP 1: Accepting RIP-1.
  • RIP 2: Accepting RIP-2.
  • Do Not Receive: No RIP updates are accepted.
• Status: The status of RIP in the router.

To edit RIP parameters:
1. In the RIP Interface Table window, select the interface you require to edit.
2. Click Edit. The RIP Interface Table Edit dialog box is displayed.

In addition to the parameters listed above, the RIP Interface Table Edit dialog box includes the following:
• Default Metric: Metric for the default route entry in RIP updates originated on this interface. Zero indicates that no default route should be originated; in this case, a default route via another router may be propagated.
• Auto Send: When this parameter is enabled, this device advertises RIP messages with the default metric only. This allows some stations to learn the default router address. If the device detects another RIP message, Auto Send is disabled. Enable this to minimize network traffic when FireProof is the only router on the network.
• Virtual Dista…
68. • The default router of the FireProof should be one of the firewalls. No further routes are required for the FireProof, as the port rules dictate the routing behavior of the FireProof.
• The router of the firewalls for the local network should be the 20.1.1.10 address of the FireProof.
• The router of the firewalls for the DMZ should be the 110.1.1.10 address of the FireProof.
• The default router of the firewalls to the Internet should be the access router, 200.1.1.10.
• The default router of the local network to the Internet should be the 10.1.1.10 address on port 1 of the FireProof.
• The default router for the DMZ to the Internet is the 100.1.1.10 address on port 4 of the FireProof.

Example 8: Application Grouping with FireProof

(Figure: Mail servers; Firewall 1, Firewall 2, Firewall 3; FireProof 10.1.1.10; Local clients 10.1.1.X)

Properties

Three firewalls are used: one of them protects access to the mail servers, the other two protect traffic to and from the Internet. Different aging may be required for mail traffic.

Configuration
1. Configure FireProof with the following IP addresses: 10.1.1.10 and 20.1.1.10 for the required ports. Configure the firewalls with the following addresses: 20.1.1.1, 20.1.1.2 and 20.1.1.3 in t…
69. Example 11: Application Security

Properties

The Application Security module can help protect your network from various attacks. This example illustrates a configuration which blocks the most typical and popular forms of attacks, such as SYN attack, Land attack and others, while at the same time achieving high performance.

Note: A SynApps license is required for this implementation.

Configuration
1. From the Security menu, select Application Security and then choose Global Parameters. The Application Security Global Parameters window is displayed.
2. In the Start Protection field, select Enabled.
3. Click Set and then click OK to reset the device to enable this module.
4. You need to define the policy by which the protection is run. From the Security menu, select Application Security and then choose Security Policy. The Security Policy window is displayed.
5. Select the Standard Protection checkbox in order to enable this feature.
6. Click Set to record your selection.

Troubleshooting

This appendix provides solutions to some commonly encountered FireProof problems.

If Clients Table Overflow messages are encountered with the ASCII terminal or Configware, the session table size is too small for the application. This table size can be increased in the Device Tuni…
70. …Local Server IP: The IP address of the local server.
• Router IP: The IP of a router which is being load balanced. The router IP is chosen from the Firewalls table.
• From Static NAT: The range of IP addresses.
• To Static NAT: The range of IP addresses.
• Redundancy Mode: The redundancy mode can be either Backup or Active. The Active mode is for the active device and the Backup mode is for the backup device.

To perform static NAT:
1. From the FireProof menu, choose Global Configuration. The Global Configuration Table window is displayed.
2. Ensure that Smart NAT is enabled.
3. From the FireProof menu, select Smart NAT and then choose Static NAT. The Static NAT Table window is displayed.
4. Click Insert. The Static NAT Table Insert dialog box is displayed.
5. Enter the appropriate information.
6. Click Update. The Static NAT Table Insert dialog box closes.
7. In the Static NAT Table window, click Set. Your changes are made.

Configuring Dynamic Smart NAT

You use Dynamic Smart NAT to ensure the dynamic delivery of specific traffic to clients on the internal network. FireProof uses Dynamic Smart NAT, meaning on-the-fly mapping of addresses, to load balance traffic among multiple transparent traffic connections using multiple address ranges, ensuring return traffic uses the same path. You can use Dynamic Smart NAT to assign a single address to a ran…
71. …Firewall Table window (FireProof > Firewall Table), select a firewall and click Full Path Health Monitoring. For example, configure the router at 100.1.1.10 as the Check Address for each of the firewalls.

When proxy firewalls are used, a Virtual IP should be configured, as discussed in Chapter 3:
a. In the Virtual IP Table window (FireProof > Virtual IP), insert a virtual IP address, for example 10.1.1.100. The clients should be configured to use that address as the proxy address.
b. In the Virtual IP Table window, select the virtual IP address and click Opens Mapped Table, or select Mapped IP from the FireProof menu. For each Firewall IP address, insert the firewall IP, and for each Firewall NAT address, insert the Firewall IP as well.

Example 2: VLAN Configuration

(Figure A-2, Local Network and Firewall on Same Subnet: Router 100.1.1.10; Firewall 1 100.1.1.11 / 10.1.1.11; Firewall 2 100.1.1.12 / 10.1.1.12; FireProof 10.1.1.10; Local Network 10.1.1.X)

Properties

The Local Network Side and the Firewall Side are on the same IP subnet. Firewalls must be configured with the Network Address Translation feature enabled in order to ensure return traffic uses the correct firewall for each session.

Configuration
1. D…
72. …parameters for firewalls should be similar to those configured on FireProof 1; in particular, the Firewall Mode should be Regular.
5. Define FireProof 2 interfaces as redundant to those of FireProof 1. In the IP Redundancy Table window (FireProof > Redundancy > IP Redundancy Table) of FireProof 2, enter 10.1.1.11 and 20.1.1.11 as the interface addresses and 10.1.1.10 and 20.1.1.10 as the main addresses, respectively.
6. Set the Global Redundancy Configuration for FireProof 1. In the Global Redundancy Configuration window (FireProof > Redundancy > Global Configuration), set the IP Redundancy Status to Disabled and the Interface Grouping to Enabled.
7. Set the Global Redundancy Configuration for FireProof 2. In the Global Redundancy Configuration window (FireProof > Redundancy > Global Configuration), set the IP Redundancy Status to Enabled and the Interface Grouping to Disabled.
8. The default router of both FireProof units should be one of the firewalls' internal addresses, for example 20.1.1.1. The router of the firewalls for the local network should be the 20.1.1.10 address of FireProof 1. The default router of the local network should be the 10.1.1.10 address of FireProof 1.
9. It is recommended to use Full Path Health Monitoring to ensure the remote side of the firewall is operational. In the Firewall Table window (FireProof > Firewall Table), select a firewall and c…
73. …Example: bwm service basic temp update http f 80
• Enables the user to delete an existing entry in the BWM Temporary Basic Filter Table. Example: bwm service basic temp destroy http
• Enables the user to create a new entry for the BWM Temporary Basic Filter Table. Example: bwm service basic temp create http to 81
• Enables the user to retrieve information for an existing BWM Group Table. Example: bwm service group actual get
• Enables the user to retrieve information for an existing BWM Temporary BWM Group Table. Example: bwm service group temp get any 7

BWM Service

Command / Syntax / Description
• BWM service group temp update — bwm service group temp update <group> <entry> <switch> <value>: Enables the user to update information for an existing BWM Temporary BWM Group Table. Example: bwm service group temp get any 7 t regular
• BWM service group temp destroy — bwm service group temp destroy <group> <entry>: Enables the user to delete information from an existing BWM Temporary BWM Group Table. Example: bwm service group temp get any 7
• BWM service group temp create — bwm service group temp create <group> <entry> t <value>: Enables the user to create an entry for the BWM Temporary BWM Group Table. Example: bwm service group temp get any 7 t static
74. …ample: group source update 2.2.2.2 255.0.0.0 1.1.1.1 (syntax: group source update <source subnet address> <source mask> <firewall ip address>)
source subnet group table destroy
Syntax: group source destroy <source subnet address> <source mask> <firewall ip address>
Description: Enables the user to delete a Source Subnet Group Table entry.
Example: group source destroy 2.2.2.2 255.0.0.0 1.1.1.1
source subnet group table create
Syntax: group source create <source subnet address> <source mask> <firewall ip address>
Description: Enables the user to create a Source Subnet Group Table entry.
Example: group source create 2.2.2.2 255.0.0.0 1.1.1.1
IDS
This group of commands enables the user to manipulate the Intruder Detection Service. For more information, refer to Setting Up Application Security on page 3-87. Entering the ids command will display the following options: ncpaging, ncpdsize, ncpsdsiz, policy, stats, statsize, stattime, status, tcpaging, tcpsize, track.
The switch values for this command are the following:
• tti: Tracking Time (in ms)
• ts: Threshold
• o: Object Type
• tty: Tracking Type
• traps
Command / Syntax
IDS ncpaging get: ids ncpaging get
IDS ncpaging update: ids ncpagin…
75. …aps. The Security Traps window is displayed.
[Security Traps window (176.200.105.191): columns Index, Severity, Date, Time, Source, Information; Status: Sending TRAP request]
The following information is displayed in the Security Traps window:
• Index: An increasing index of trap records in the Security Traps Table window.
• Severity: The severity of the trap.
• Date: The date the trap was set.
• Time: The time the trap was set.
• Source: The source IP address of the attack.
• Information: A description of the security trap.
Configuring Bandwidth Management (BWM)
You can configure the bandwidth for your device according to your needs by using Radware's Quality of Service (QoS) tool. This enables you to classify user traffic according to a wide array of criteria; traffic is then handled according to the matching policy. At the same time, a BWM solution can track the actual bandwidth used by each application and set limits on how much bandwidth is used. Refer to Appendix C for details about how to configure rules via the ASCII terminal.
Note: Full functionality of this feature is only available with a SynApps license.
This section contains the following information:
• Setting Global Parameters, below
• Viewing Active Policies, page 3-99
• Modifying Policies, page 3-100
• Modifying Networks, page 3-104
• Modifying Services, page 3-…
76. …ard keys:
Control-R: Select right of the cursor
Control-L: Select left of the cursor
Control-C: Copy
Control-X: Cut
Control-V: Paste
Console Halt: ESC ESC aborts printing (not enabled for Telnet); CTRL-D aborts printing (not enabled for Telnet).
Note: Boot 2.2 is required in order to support the following functionality: the up and down arrow keys, which display the history of the CLI, and the ESC key, which now enables you to stop table printing.
Application Aging
This group of commands enables the user to manipulate the data of the Application Aging Time Table. For more information, refer to Configuring Application Aging in Chapter 3, Configuring FireProof, page 3-32.
Command / Syntax / Description
application aging get
Syntax: appl aging get <application port>
Description: Enables the user to retrieve information about an existing application aging entry. Example: appl aging get 1
application aging destroy
Syntax: appl aging destroy <application port>
application aging create
Syntax: appl aging create <application port> <aging time>
application aging update
Syntax: appl aging update <application port> <aging time>
Description: Enables the user to update the…
77. …are Point-to-Point type.
• Priority: The priority of this interface. The value 0 means that this router is not eligible to become the designated router on the current network. If more than one router has the same priority, the router ID is used.
• Hello Interval: The number of seconds between Hello packets. All routers attached to a common network must have the same Hello Interval.
• Time Before Declare Router Dead: The number of seconds during which a router's Hello packets have not been seen before the router's neighbors declare the router down. This value must be a multiple of the Hello Interval. All routers attached to a common network must have the same Time Before Declare Router Dead value.
• Interface Authentication Key: The authentication key for the interface.
• Authentication Type: The type of authentication key for the interface.
• Metric Value: The metric for this type of service on the interface.
To edit OSPF interface parameters:
1. In the OSPF Interface Table window, click Edit. The OSPF Interface Table Edit dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The OSPF Interface Table Edit dialog box closes.
4. In the OSPF Interface Table window, click Set. Your changes are recorded.
OSPF Area Parameters
To access the OSPF Area Parameters window: From the Router…
78. …asic filter.
Click Insert. The Insert New Advanced Filters Parameters dialog box is displayed.
In the Enter advanced filter name field, enter the name you require or select it from the dropdown list.
Using the right and left arrow buttons, move the Optional Basic Filters you require to the Selected Basic Filters field.
Click Update. The Insert New Advanced Filters Parameters dialog box closes.
In the Modify Advanced Filters Table window, click Set. Your changes are made.
To delete advanced filters:
1. In the Modify Advanced Filters Table window, select the advanced filter you want to delete.
2. Click Delete. The advanced filter is highlighted in red.
3. Click Set. The advanced filter is deleted.
To create new filter groups:
1. From the QoS menu, select Modify Policies and then choose Services. From the secondary menu, select Filter Groups. The Modify Filter Groups Table window is displayed as shown below.
[Modify Filter Groups Table window: columns Filter Group Name, Filter Group Entry; Status: Sending Data]
In the Modify Filter Groups Table window, the following information is displayed:
• Filter Group Name: The user-defined name of the filter group.
• Filter Group Entry: The name of the entry assigned to a specific filter group. A filter group is a logical OR between other filters.
Clic…
79. …ate detection of network failures. The user can configure the failure overcoming time.
Firewall Grouping: You can set up a policy list in FireProof to govern which firewall(s) to use according to the traffic type. You can define firewall groups according to the destination subnet of the traffic, the source subnet of the traffic, and/or the application type of the traffic.
Firewall Recovery Period: Each of the firewalls can be configured with a recovery and a warm-up period. When the firewall comes up, no clients are directed to it during its recovery period. After recovery, clients are sent to the firewall at an increased rate during the configured warm-up period. Only then does the firewall become fully operational.
IP Interface: An IP interface on FireProof is comprised of two components: an IP address and an associated interface. The associated interface can be a physical interface or a virtual interface (VLAN). IP routing is performed between FireProof IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.
IP Routing: FireProof offers IP routing which is compliant with RFC 1812 router requirements. This allows the dynamic addition and deletion of IP interfaces. IP routing occurs at full wire speed and extremely low latency is maintained. The IP router supports RIP I, RIP II and OSPF. OSPF is an intra-domain IP routing pro…
80. …ate Policies, click OK to activate the newly configured policies.
Example 10: Bandwidth Management
[Figure: Subnet X (222.2.2.0) and Router on the outer side; Firewall 1 and Firewall 2; FireProof; Local Network 10.1.1.X]
Note: A SynApps license is required to access this functionality.
Properties:
• SMTP to the servers has the highest priority.
• HTTP has higher priority than SMTP.
• HTTP traffic to users at subnet 222.2.2.0 has a low priority.
• FTP is limited to 200 Kbit/s and has a low priority.
Configuration:
1. In the Global Parameters window (QoS > Global Parameters), select Policies from the Classification Mode dropdown list.
2. In the Modify Network Table window (QoS > Modify Policies > Networks), configure a network for the local servers an…
[Modify Network Table (FireProof with SynApps): columns Network Name, Network Mode, IP Address, Address Mask, From Address, To Address. Row 1: any, IP range, 0.0.0.0, 0.0.0.0, 0.0.0.0, 255.255.255.255. Row 2: Servers, IP range, 0.0.0.0, 0.0.0.0, 10.1.1.4, 10.1.1.6. Row 3: subnet, IP mask, 222.2.2.0, 255.255.255.0 (remaining columns not legible). Status: Finished]
In order to simplify configuration, a network can consist of a combination of network subnets and ranges. For example, the servers' NAT consists of two ranges 20…
81. …ation Grouping Table window is displayed.
[Destination Grouping Table window (192.1.5.21): columns Destination IP Address, Destination Subnet Mask, Firewall IP Address, Operational Mode; Status: Finished]
The Destination Grouping Table window includes the following fields:
• Destination IP Address: The IP address of the destination.
• Destination Subnet Mask: The subnet mask of the destination.
• Firewall IP Address: The IP address of the firewall to handle the traffic.
• Operational Mode: Whether the firewall will be active or backup for this group.
To define a group based on destination subnet:
1. In the Destination Grouping Table window, click Insert. The Destination Grouping Insert Table dialog box is displayed.
2. Enter the appropriate information.
3. Click Update. The Destination Grouping Insert Table dialog box closes.
4. In the Destination Grouping Table window, click Set. Your changes are recorded.
Setting Up Source Grouping
Source grouping allows you to determine which firewalls will handle traffic from a specific source subnet. You use the Source Grouping Table window to configure source grouping.
To access the Source Grouping Table window: From the FireProof menu, select Firewalls > Advanced Configuration, select Grouping, then select Source Grouping.
82. …ation mode get: classify get
BWM utils classification mode update: classify update <classification mode>
Description column:
BWM utils cbq get: Enables the user to view the BWM CBQ mode. Example: bwm utils cbq get
BWM utils cbq mode update: Enables the user to update the BWM CBQ mode. CBQ mode values may be one of the following: Cyclic (1), CBQ (2). Example: bwm utils cbq mode update 1
BWM utils cbq borrow get: Enables the user to view the BWM CBQ borrow mode. Example: bwm utils cbq borrow get
BWM utils cbq borrow update: Enables the user to update the BWM CBQ borrow mode. Example: bwm utils cbq borrow update enable
BWM utils classify get: Enables the user to view the BWM classification mode. Example: bwm utils classify get
BWM utils classify update: Enables the user to update the BWM classification mode. Example: bwm utils classify update disable
BWM Utilization
Command / Syntax / Description
BWM utils ports get: ports get <index>. Enables the user to view the BWM maximum port bandwidth. Example: bwm utils ports get 1
BWM utils ports update: ports update <index> <switch> <value>. Enables the user to update the BWM maximum port bandwidth. Example: bwm utils ports update 1 bw 2400
BWM utils priority get: priority get
BWM utils RED info get: red info get
BWM utils RED mode get: red mode get
BWM utils RED mode update: red mode update <RED mode>
Enables…
83. …atus
[Global Forwarding Table window: rows of index, MAC address, port and status, e.g. 1: 00:00:08:00:00:05, Learned; entries 2 through 10 are further learned MAC addresses; Status: Finished]
The Global Forwarding Table window includes the following fields:
• MAC Address: The node's MAC address.
• Port: The port through which the node has been learned, that is, the port through which frames are received from this entry.
• Status: Describes how the node entry was added to the list and indicates its status: Learned (the entry was automatically learned), Self (the entry is a FireProof port), Mgmt (the entry is a static node manually entered using the Edit button), Other (node status cannot be described by one of the above).
To add a new bridge forwarding node:
1. In the Global Forwarding Table window, click Insert. The Global Forwarding Table Insert dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The Global Forwarding Table Insert dialog box closes.
4. In the Global Forwarding Table window, click Set. Your changes are made.
To edit an existing bridge forwarding node:
1. In the Global Forwarding Table window, sel…
84. …ay means a policy only matches packets where the source IP and port match the source as well as the destination. Two-way means that if the source matches the destination and vice versa, this is also a match.
• Action: The action to be applied to the packet is either Forward, Block, Block and reset, or Block and bi-directional reset.
• Priority (SynApps only): The priority attached to the packet by which it is forwarded is either Real time or a value of 0-7, 7 being the lowest priority. Priority is only applicable if the action is Forward.
• Bandwidth (SynApps only): This defines the bandwidth limitation for packets matching this policy. This option is used in conjunction with CBQ and not with WRR.
• Service: The type of service is either None, Basic Filter, Advanced Filter or Filter Group.
• Description: A description of the policy.
• Operational Status: From the dropdown list, select Active or Inactive to specify the operational status of the policy. Note: If you select Inactive, then when policies are updated this policy is not matched against packets.
• DSCP Marking (SynApps only): Refers to Differentiated Services Code Point (DSCP, or Diffserv). Enables you to mark the packet with a range of bits displayed in the dropdown list.
Click Insert. The Insert New Policy Parameters dia…
85. …bits Load: Counts the total amount of outbound traffic in Kbits.
• Inbound Kbit/s Rate: Records the rate of inbound traffic in Kbits per second.
• Outbound Kbit/s Rate: Records the rate of outbound traffic in Kbits per second.
• Firewall Mode: Whether the firewall is in Regular or Backup mode. When a firewall is in Backup mode, FireProof will not send any messages to it unless all the firewalls in Regular mode are down. When more than one backup firewall exists, FireProof determines which backup firewall to use according to the dispatch method and the firewall's priority.
• Firewall Type: This denotes the type of firewall, which can be either Regular or Next Hop Router. The Next Hop Router type implies that the firewall appears in the Routing Table. Next Hop Router firewalls cannot be deleted. Note: When a firewall is a next hop router, it cannot be deleted from the table. In order to remove a firewall which is a next hop router, make sure this router is not connected to the same interface as the default gateway of the device, or change the routing configuration.
• Connection Limit: The maximum number of sessions allowed to be open at any given time on this firewall. When the limit is reached, new sessions will no longer be redirected to this firewall.
• Firewall MAC Address Status: This indicates whether the MAC address of the firewall has b…
86. …bles the user to change the global Select Firewall on Source Port status. Example: global slctfw update 2
Global Virtual Remote
This group of commands enables the user to manipulate or view the global virtual remote data. Entering the global vrem command will display the following options:
• address
• mode
Command / Syntax / Description
global virtual remote address get
Syntax: global vrem address get
Description: Enables the user to view the global virtual remote address. Example: global vrem address get
global virtual remote address update
Syntax: global vrem address update <virtual remote address>
Description: Enables the user to update the global virtual remote address. Example: global vrem address update 1.1.1.1
global virtual remote mode get
Syntax: global vrem mode get
Description: Enables the user to view the global virtual remote mode. The values for the virtual remote status field are the following: 1 Enable, 2 Disable. Example: global vrem mode get
global virtual remote mode update
Syntax: global vrem mode update <virtual remote status>
Description: Enables the user to update the global virtual remote mode. Example: global vrem mode update 1
Group
This group of commands enables the user to manipulate or view the group parameters. For more information, refer to…
87. …c Weight, Regular Check Period, Response Weight; one sample row (most values illegible in the source; Regular Check Period 300); Status: Finished]
The Windows NT Parameters window includes the following fields:
• Serial Number: The serial number of the scheme. Scheme number 1 is used for dispatch method nt-1, etc.
• Check Period: The time interval between queries for the frequently updating parameters (number of open sessions, amount of traffic).
• Open Sessions Weight: The relational weight for considering the number of active sessions on the server.
• Incoming Traffic Weight: The relational weight for considering the amount of traffic coming into the server.
• Outgoing Traffic Weight: The relational weight for considering the amount of traffic going out of the server.
• Regular Check Period: The time interval between queries for other, less dynamic parameters (average response time, limits on users and TCP connections).
• Response Weight: The relational weight for considering the average response time of the server.
• Users Limit Weight: The relational weight for considering the limit on the number of logged-in users on the server.
• TCP Limit Weight: The relational weight for considering the limit of TCP connections to the server.
• NT Community: The community name to use when addressing the server.
• Retries: Defines how many unansw…
88. …c load balancing algorithm.
To configure traffic flow to a firewall:
1. In the Firewalls Advanced Configuration window, select the firewall you require to edit.
2. Click Edit. The Edit Firewalls Advanced Configuration dialog box is displayed.
3. Adjust the appropriate information.
4. Click Update. The Edit Firewalls Advanced Configuration dialog box closes.
5. In the Firewalls Advanced Configuration window, click Set. Your changes are recorded.
Viewing Active Clients
You can view a list of the clients currently connected to FireProof. You can also find information about a specific client. You use the Clients Table window, a read-only table comprised of the current active sessions, to view a list of clients currently connected to the FireProof.
Note: Using 64M DRAM, FireProof 3.20 supports up to 350,000 entries in the Client Table. Using 128M DRAM, FireProof 3.20 supports up to 1,000,000 entries in the Client Table.
To access the Clients Table window: From the FireProof menu, select Clients and then choose Clients Table. The Clients Table window is displayed.
The Clients Table window displays the following:
• Client Address: The IP address of the client.
• Destination Address: The IP address of the destination.
• Firewall IP: The IP address of the firewall that the client is attached to.
• Last Activity Time: The time that the la…
89. …cast Type
[IP Router Interface Parameters window: sample rows, e.g. index 2, If Num 100001, IP 176.200.99.99, mask 255.255.0.0, Fwd Broadcast Enabled, Broadcast Type One Fill; Status: Finished]
The IP Router Interface Parameters window includes the following fields:
• IP Address: IP address of the interface.
• Network Mask: Associated subnet mask.
• If Num: Interface number of the interface. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.
• Fwd Broadcast: Whether the device forwards incoming broadcasts to this interface.
• Broadcast Type: Fill the host ID in the broadcast address with ones or zeros.
To configure IP Router interface parameters:
1. In the IP Router Interface Parameters window, click Insert. The IP Router Interface Parameters Insert dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The IP Router Interface Parameters Insert window closes.
4. In the IP Router Interface Parameters window, click Set. Your changes are recorded.
RIP Protocol Parameters
You use the RIP Parameters window to set RIP protocol parameters.
To access the RIP Parameters window: From the Router menu, select RIP and then choose Parameters.
The RIP Parameters window is displayed as shown below.
[RIP Parameters window (176.200.99.9…)]
90. …ch> <value>
• a: Firewall Admin Status
Description column:
firewall get: Enables the user to retrieve information for a specific firewall. Example: firewall get 1.1.1.1
firewall update: Enables the user to update the information of an existing firewall. Example: firewall update … (example not legible in the source)
firewall destroy: Enables the user to delete an existing firewall. Example: firewall destroy 1.1.1.1
firewall create: Enables the user to create a new firewall. Example: firewall create 1.1.1.1 w 5
firewall switch help list
Syntax: firewall help
Description: Opens online help for firewalls. Example: firewall help
Global
This group of commands enables the user to manipulate or view the global parameters. For more information, refer to Global Configuration in Chapter 3, page 3-41. Entering the global command will display the following options:
• admstts: Admin Status
• clntage: Client's Life Time
• clntmode: Client Table Mode
• conchk: Check Connectivity data
• dspmeth: Dispatch Method
• fwportid: Identify Firewall by Port
• mapmode: Outbound Translation Mode
• newentry: New Entry on Source Port
• porthash: Include Source and Destination Port in Client Table Hashing
• remsess: Remove Entry at Session End
• sestrack: Session Tracking
• slctfw: Select Firewall on Source Port
• vrem: Virtual Remote
91. …cify whether classification is performed per session (Enable) or per packet (Disable).
• Scheduling Algorithms (SynApps only): From the dropdown list, select Weighted Round Robin (WRR) or Class Based Queuing (CBQ) to specify how the queue of packets will function. Note: If the mode is changed, you must reset the device.
• CBQ Borrowing (SynApps only): Select Enable or Disable to specify whether bandwidth can be borrowed from other policies. This is only valid if CBQ is used as the scheduling algorithm.
• Random Early Detection (RED) (SynApps only): From the dropdown list, select None, Global or Weighted to specify the queue management.
Note: After changing the Scheduling Algorithms or Classification Mode parameters, it is necessary to reboot the device.
To set the global parameters:
1. In the Global Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.
To refresh the global parameters: In the Global Parameters window, click Refresh to update the window.
To edit port bandwidth:
1. In the Global Parameters window, click Setting Bandwidth for Specific Port. The Port Bandwidth Table window is displayed.
[Port Bandwidth Table window: columns Port, Available Bandwidth (kbps), Used Bandwidth (kbps); Status: Sending Data]
The following fields are displayed:
• Port: The p…
92. …ckboxes provided in this window enable you to define the security policy that best suits your network.
2. Select the checkboxes you require.
3. Click Set to save your selection.
You can view an Alerts Table window which contains information about security events detected by the Application Security module, such as when an attack started and its status.
To view the Alerts Table window: From the Security menu, select Application Security and then choose Alerts Table. The Alerts Table window is displayed.
[Alerts Table window (176.200.105.191); Status: Finished]
The following information is displayed in the Alerts Table window:
• Attack Index: An increasing index of attack records in the Alerts Table window.
• Attack Name: The name of the attack type.
• Attack Source Address: The source IP address of the attack.
• Attack Destination Address: The destination IP address of the attack.
• Attack Status: The status of the attack.
• Attack Time: The time at which the attack was detected.
You can also view a Security Traps window, which displays security trap information.
To view the Security Traps window: From the Security menu, select Application Security and then choose Security Tr…
93. …cy table under Router > IP Router > IP Redundancy, and that the interface grouping is enabled on the main FireProof under FireProof > Global Configuration.
• FireProof will not work when a client and a firewall reside on the same subnet and on the same side of the FireProof. In this case the firewall will respond to the client directly, because it does not need the FireProof to route to the client. The FireProof will not be able to load balance the packets.
• When firewalls work with the Network Address Translation (NAT) feature enabled, FireProof must reside on the inner (secured) side of the firewalls. When firewalls work without the Network Address Translation feature (the feature is disabled), two FireProofs have to be installed, one on each side of the firewalls, or port connection rules must be defined to separate internal and external ports. If NAT is disabled, then FireProof is needed to direct the packets to the firewalls they came from, whereas when NAT is enabled the packet is sent directly to the firewalls.
• When physically replacing the firewall or its network card, first remove the old firewall entry from the ARP table. This can be done using the Router > IP Router > ARP Table option. Doing so will prevent confusion if the old firewall IP address is used with another network card.
• As long as a firewall is configured as a router or default router, it can…
94. …d
Syntax: drv set speed <port> <speed>
Description column:
drv set auto: Enables the user to set the DRV Auto Status. The values for the auto parameter may be one of the following: Enable, Disable, Restart. Example: drv set auto 1 disable
drv set duplex: Enables the user to set the DRV Duplex status. The values for the duplex parameter may be one of the following: Full, Half. Example: drv set duplex 1 full
drv set speed: Enables the user to set the DRV Speed value. The values for the speed parameter may be one of the following: 10, 100, 1000. Example: drv set speed 1 1000
Firewall
This group of commands enables the user to manipulate or view the data of the Firewall Table. For more information, refer to Configuring Firewall Grouping in Chapter 3, Configuring FireProof, page 3-34.
The possible switch values for the firewall command are the following:
• n: Firewall Name
• w: Firewall Weight
• m: Firewall Operation Mode
• (switch letter not legible in the source): Firewall Connection Limit
• t: Firewall Type
• r: Recovery Time
• u: Warm Up Time
Command / Syntax
firewall get: firewall get <firewall address>
firewall update: firewall update <firewall address> <switch> <value>
firewall destroy: firewall destroy <firewall address>
firewall create: firewall create <firewall address> <swit…
95. …d by the SNMP protocol entity.
• SNMP generated Trap PDUs: The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.
• SNMP output PDUs badValues: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error status field is badValue.
• SNMP output PDUs genErr: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error status field is genErr.
• SNMP output PDUs noSuchName: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error status field is noSuchName.
• SNMP output PDUs tooBig: The total number of SNMP PDUs which were generated by the SNMP protocol entity and for which the value of the error status field is tooBig.
• Successfully delivered IP datagrams: The total number of input datagrams successfully delivered to IP user protocols (including ICMP).
• Total IP datagrams queued for transmission: The total number of IP datagrams which local IP user protocols (including ICMP) supplied to IP in requests for transmission. Note that this counter does not include any datagrams counted in ipForwDatagrams.
• Total number of incoming IP datag…
96. …d name of the filter.
• Description: A description of the filter.
• Protocol: The protocol used, which is either IP, UDP or TCP.
• Destination Port: The destination port (for UDP and TCP traffic only).
• Source Port Range From: The first port in the range of source ports (for UDP and TCP traffic only).
• Source Port Range To: The last port in the range of source ports (for UDP and TCP traffic only).
The following OMPC fields enable the user to configure filters for various bit patterns in packets:
• OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data; can be N/A, oneByte, twoBytes, threeBytes or fourBytes.
• OMPC Offset: Refers to the offset in the packet where the OMPC is checked.
• OMPC Pattern: Refers to the OMPC pattern searched for in the packet.
• OMPC Mask: The mask for the OMPC data.
• OMPC Condition: The OMPC condition can be either N/A, equal, notEqual, greaterThan or lessThan.
• Content Offset: Refers to the offset in the packet where the content is checked.
• Content: Refers to the content searched for in the packet.
• Content Type: Refers to the type of content searched for in the packet. It can be N/A, URL or text.
Note: The parameters in the Active Basic Filter Table and the Modify Basic Filter Table windows are the same.
Click Insert. The Insert New Basic Filter Parameters dialog box is displayed, contai…
97. …de.
Static NAT: You use Static NAT to ensure delivery to a particular server on the internal network. For example, if you have a server on the internal network that accepts the majority of the incoming connections, you may want to define a static NAT address on the FireProof so that all incoming traffic to this address is delivered to the server. Likewise, FireProof will use this NAT address when transferring outbound traffic from this server. In addition, when using FireProof to load balance among multiple transparent traffic forwarders and multiple address ranges, you can assign multiple Static NAT addresses to the internal server, e.g. one for each address range.
SYSLog Support: The FireProof can send SYSLog messages to any server of this kind to ensure smooth integration of FireProof message logging with existing network management tools.
Tune Table: A Tune Table allows the user to determine the relative sizes of the Routing Tables, Client Tables, Bridge Tables and others.
Virtual Interface (VLAN): A collection of physical interfaces. A VLAN is defined by its protocol. Bridging for the defined protocol is performed between the ports that belong to a VLAN. In the case of IP, bridging is performed within a VLAN on the IP address assigned to that VLAN. For example, if an IP VLAN contains physical interfaces 1, 2 and 4 and is given an IP address of 192.1.1.1 with subnet mask 25…
98. safety near the power inlet that contains the fuse. 5. DO NOT USE the equipment in rooms where the maximum temperature exceeds 40 °C. 6. Make sure that the power cord has been disconnected BEFORE attempting to remove and/or check the main power fuse.
C. Measures for protection against electric shock and fire: 1. All maintenance work should be carried out exclusively by trained service personnel. No parts inside the device may be serviced by the user. 2. Obviously defective or damaged devices must not be connected, switched on or put into operation. 3. Make sure that the ventilation slots on the device are not blocked. 4. Replace a defective fuse only with fuses as specified on the safety label. 5. Do not operate the device in rooms with temperatures above 40 °C. 6. Disconnect the power cord from the socket before checking or replacing the main fuse.
Chapter 1 Introducing FireProof: This chapter introduces Radware's FireProof product. FireProof is a dynamic load balancing system for effective management of traffic.
Chapter 2 Installing FireProof: This chapter describes FireProof setup and Configware management software installation.
99. des any datagrams which a host cannot route because all of its default gateways are down.
• Resource Utilization: The percent of the device's CPU currently utilized.
• RIP changes made to IP Route Database: The number of changes made to the IP Route Database by RIP.
• RIP global responses sent to RIP queries: The number of responses sent to RIP queries from other systems.
• SNMP get requests retrieved successfully: The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get Request and Get Next PDUs.
• SNMP Get Next PDUs processed: The total number of SNMP Get Request PDUs which have been accepted and processed by the SNMP protocol entity.
• SNMP Get Request PDUs processed: The total number of SNMP Get Request PDUs which have been accepted and processed by the SNMP protocol entity.
• SNMP set requests retrieved successfully: The total number of MIB objects which have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set Request PDUs.
• SNMP Set Request PDUs processed: The total number of SNMP Set Request PDUs which have been accepted and processed by the SNMP protocol entity.
• SNMP generated Get Response PDUs: The total number of SNMP Get Response PDUs which have been generate
100. dialog box is displayed. Click OK to implement the latest policy changes.
Modifying Policies
You can add, modify and delete policies in the Modify Policies Table window according to your requirements. In addition, you can edit the default policy of the device. A default policy exists which can be matched to any traffic that does not match a user defined policy. You can change the action and the priority of the default policy.
To create a new policy:
From the QoS menu, select Modify Policies and then choose Policies. The Modify Policies Table window is displayed.
[Screenshot: Modify Policies Table window with columns Policy Name, Source, Destination, Direction, Action, Priority, Bandwidth, Service, Description, Operational Status and DSCP Marking; the Default policy row shows Oneway, Forward, priority 4, bandwidth 0, Active, None.]
In the Modify Policies Table window the following information is displayed:
• Policy Name: The user defined name of the policy.
• Source: The source address of the packet being matched by the policy.
• Destination: The destination address of the packet being matched by the policy.
Note: The source or destination can be an IP address or a network address. Refer to Modifying Networks on page 3-97.
• Direction: The direction to which the policy relates is either Oneway or Twoway. Onew
101. The following diagram represents a typical FireProof configuration.
[Diagram: Local Access Clients connected through FireProof units to the Firewalls and a Router.]
FireProof Network Design
FireProof is designed to load balance IP traffic between a set of firewall machines. The firewalls may be from different vendors. To ensure data flow consistency, the security rules should be identical.
• All traffic must physically travel through the FireProof unit. This includes traffic to and from the firewalls.
• If configured in routing mode, the administrator must ensure that the IP address of FireProof is the default gateway of all load balanced IP packets traveling to and from the firewalls.
• FireProof keeps track of the packets traveling from the local network to the Internet and from the Internet to the local network.
FireProof Entry Level Product
Radware introduces the FireProof Entry Level product. This is a basic model of the FireProof. It supports all functionalities of the FireProof family and only differs with regard to its limitations.
Installing FireProof
This chapter describes how to set up FireProof and install Configware, Radware's management software. If you prefer to use ASCII CLI, refer to Appendix C for a full list of commands. This chapter is divided into the following sections: Checking the Contents (page 2-2), Mounting the Device (page
102. View Manual. The following options are displayed on the left side of the screen:
• Install Configware: Displays the Configware Web Based Management installation window in your browser. Refer to Appendix D for further details.
• Browse CD: Displays your Windows Explorer, enabling you to browse the contents of the CD. This enables you to install Configware as a stand alone application.
• Website: Accesses the Radware website in your browser.
• View Manual: Displays the manual in Acrobat.
• Install Java: Enables you to install Java in a quick and easy to use setup.
• Exit: Closes the window.
4. Select Browse CD. In Windows Explorer, browse to the CD and select the Configware folder. Double click on the jview_setup.bat file. The Configware 1.40 Installation window is displayed as shown below. The window reads: Welcome to ConfigWare 1.40, Build Sun 03/11/2001. This software is protected by copyright laws and may only be used in accordance with the following license terms and conditions. Click Accept to accept the terms and conditions. Otherwise click Exit to quit setup. NOTE: The new installed files will overwrite previously installed corresponding ones. Other previously installed files, however, will not be deleted. Before you continue the installation process it is recommended to read the README.TXT fil
103. To access the Application Port Grouping window:
From the FireProof menu, select Firewalls Advanced Configuration, select Grouping, then select Application Grouping. The Application Port Grouping window is displayed.
[Screenshot: Application Port Grouping window with columns Application Port Number, Firewall IP Address and Operational Mode.]
The Application Port Grouping window includes the following fields:
• Application Port Number: The port number of the traffic. This can be a number from 0 to 1024, or Other. Use the group Other to define which firewalls will handle traffic that is not destined to application ports otherwise grouped. If you don't define an Other group, traffic not destined to a grouped application port will be load balanced amongst all of the firewalls defined in the FireProof.
• Firewall IP Address: The IP address of the firewall.
• Operational Mode: Whether the firewall will be active or backup for this group.
To define a group based on application port:
1. In the Application Port Grouping window, click Insert. The Application Port Grouping Insert Table dialog box is displayed.
2. Enter the appropriate information.
3. Click Update. The Application Port Grouping Insert Table dialog box closes.
4. In the Application Port Grouping window, click Set. Your changes are made.
104. Admin Status of the firewall:
• Active: Firewall is active.
• Not In Service: Firewall is or will become inactive. Existing sessions will be redirected to other firewalls.
• No New Sessions: Firewall will receive no new sessions. Existing sessions are allowed to complete.
• Firewall Priority: Priority for traffic directing. A firewall with a higher weight will serve more clients. The weight ranges from 1 to 100. A firewall with priority 2 will receive twice the amount of traffic as a firewall with priority 1. This is not available for the cyclic dispatch method.
• Attach Users Number: The number of active users on the firewall.
• Peak Load: The highest number of packets per second on the firewall.
• Frames Rate: The number of frames transferred in the last second.
• Peak Kbits Load: The highest number of Kbits per second on the firewall.
• Kbits Rate: The number of Kbits transferred in the last second.
• Kbits Load: The highest number of Kbits transferred in the last second.
• Kbits Limit: Enables you to limit the total bandwidth used, in Kbits per second.
• Inbound Kbits Limit: Enables you to limit the inbound bandwidth used, in Kbits per second.
• Outbound Kbits Limit: Enables you to limit the outbound bandwidth used, in Kbits per second.
• Inbound Kbits Load: Counts the total amount of inbound traffic in Kbits.
• Outbound K
105. the following submenu items:
• community: Prints the SNMP Community table.
• rule: Prints the SNMP Designated Ports table.
print swver: This command enables the user to print the Cache Server Director current software version to the CLI screen.
print trapecho: This command enables the user to print the Trap Echo status to the CLI screen.
print tune: This command enables the user to print the Tune data to the CLI screen.
This command enables the user to reboot the system.
To reboot the system:
1. Type quit. The following message is displayed: Are you sure you want to reboot the system (yes/no)?
2. Enter Yes or No as required.
Redundancy
This group of commands enables the user to manipulate the data of the redundancy tables. For more information refer to Setting Up Redundant FireProof Devices in Chapter 3, page 3-43. Entering the redund command will display the following options:
• infgroup: Interface Grouping status
• iprd: Redundancy Table. The possible switch values for this command are the following: -p (Polling Interval), -t (Timeout)
• mirror: Mirror Tables Status
• status: Redundancy Status
Command Syntax / Description:
• redundant interface grouping get (redund infgroup get): Enables the user to view the Redundant Interface Grouping status. Example: redund infgroup get
• redundant interface grouping: Enables the user to view
106. menu contains a selection of different graph views, including Bar, Area Plot, Scatter Plot, Stacking Bar, Stacking Area and Pie.
• Data Buffer Size: The number of past graph samples stored. The greater the number, the more samples are stored for later review.
• Monitor Size: The number of graph samples that are displayed on the screen.
• Sample Time: The amount of time between samples, in seconds.
To review the last compiled graph:
• Click Show Last. The last graph that was compiled is displayed.
The following counters can be graphed:
• Average Bandwidth: Displays the average amount of bandwidth used by the selected policy.
• Peak Average Bandwidth: Displays the peak average amount of bandwidth used by the selected policy.
• Used Bandwidth: Displays the amount of bandwidth used by the selected policy.
Port Statistics
To monitor the performance of a specific port:
1. Select a port on the Configware software zoom view. The port is highlighted.
2. From the Performance menu, choose Port Statistics. The Port Statistics window is displayed.
[Screenshot: Port Statistics window listing optional counters such as input discarded packets, input non-unicast packets, input packets with errors and not delivered
107. that is placed in the same directory where this install executable file is placed.
SHRINK WRAP LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE CONTAINING THE PROGRAM DISKETTES, THE COMPUTER SOFTWARE THEREIN AND THE ACCOMPANYING USER DOCUMENTATION (THE PROGRAM). THE PROGRAM IS COPYRIGHTED AND LICENSED, NOT SOLD. BY OPENING THE PACKAGE CONTAINING THE PROGRAM YOU ARE ACCEPTING AND AGREEING TO THE TERMS OF THIS LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT, YOU SHOULD PROMPTLY RETURN THE PACKAGE IN UNOPENED FORM AND YOU WILL RECEIVE A REFUND OF YOUR MONEY. THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE PROGRAM BETWEEN YOU AND RADWARE LTD (REFERRED TO AS LICENSOR) AND IT SUPERSEDES ANY PRIOR PROPOSAL, REPRESENTATION OR UNDERSTANDING BETWEEN THE PARTIES.
Read the SHRINK WRAP LICENSE AGREEMENT. In order to continue with setup, you must accept the license agreement by checking the Accept checkbox. This enables the OK button.
Click OK. The Select Install Folder Name window is displayed as shown below.
[Screenshot: Select Install Folder Name window with a drive selector and a directory list (Java, CLASSES, Packages, Configware).]
This window enables you to insta
108. ect a node. Click Edit. The Global Forwarding Table Edit dialog box is displayed. Adjust the appropriate values. Click Update. The Global Forwarding Table Edit dialog box is displayed. In the Global Forwarding Table window, click Set. Your changes are made.
Configuring Services
You can configure a number of parameters that determine how FireProof performs service functions. This section includes the following information: Configuring Polling (below), Changing Community Names (page 3-79), Syslog Reporting (page 3-79), Event Log (page 3-80), Getting Device Information (page 3-81), Viewing Interface Parameters (page 3-82), Resetting the Device (page 3-83), Setting Device Global Parameters (page 3-84), Device Tuning (page 3-86), Configuring One Trap (page 3-88), Configuring Via File (page 3-89).
Configuring Polling
To configure the polling of FireProof:
1. From the Services menu, choose Polling Configuration. The Polling Configuration dialog box is displayed.
[Screenshot: Polling Configuration dialog box with OK and Cancel buttons.]
2. Set how often the device is polled, in seconds.
3. Click OK.
Changing Community Names
To change a device's community name:
1. From the Services menu, choose Community Change. The Community Change dialog box i
109. ed. Click OK to set default Diffserv values.
To update policy changes:
From the QoS menu, select Update Policies. The Update Confirmation dialog box is displayed. Click OK to implement the latest policy changes.
Updating Software
Radware may release updated versions of FireProof software. Upload these updated versions to benefit from increased functionality and performance. Software download can be accessed via Configware or via ASCII terminal (refer to Appendix C for further details). A password is required when upgrading the software. The password is provided with the new software documentation.
Note: If upload is not successful, current FireProof software does not change. If download is successful, new software is not implemented until you reset the device.
Caution: Before uploading in VLAN regular mode, disable redundancy.
To upload software:
1. From the File menu, select Software Download. The Update Device Software window is displayed.
[Screenshot: Update Device Software window with File Name (relative to the Configware directory), Password, New Version and Progress fields.]
2. In the File Name field, enter the name of the file. Alternatively, click
110. ed as shown below.
[Screenshot: Virtual IP Table window with columns Virtual IP Address and Mode.]
The Virtual IP Table window consists of the following fields:
• Virtual IP Address: The IP address to which clients will connect. Virtual IP addresses must be on the same subnet as the FireProof.
• Mode: Defines the mode of the device. If the device is an active device, Regular should be selected. If the device is a backup device, Backup should be selected.
To set up a Virtual IP address:
1. In the Virtual IP Table window, click Insert. The Virtual IP Insert Table dialog box is displayed.
2. Adjust the values of the appropriate fields.
3. Click Update. The Virtual IP Insert Table dialog box closes.
4. In the Virtual IP Table window, click Set. Your changes are made.
To edit a Virtual IP address:
1. In the Virtual IP Table window, select the virtual IP address you require to edit.
2. Click Edit. The Virtual IP Edit Table dialog box is displayed.
3. Make changes to the appropriate fields.
4. Click Update. The Virtual IP Edit Table dialog box closes.
5. In the Virtual IP Table window, click Set. Your changes are made.
Mapping NAT Addresses to Virtual IP Addresses
Once you have created a virtual IP address, you can map firewall NAT addresses to it. You can assign each virtual IP address one NAT address
111. een located. If false, this firewall cannot participate in the forwarding.
• Firewall Port Number: This is the FireProof port on which the firewall LAN resides.
To add a new firewall:
1. In the Firewall Table window, click Insert. The Firewall Table Insert dialog box is displayed.
2. Enter the appropriate information.
3. Click Update. The Firewall Table Insert dialog box closes.
4. Click Set. The firewall is added to the table.
To edit an existing firewall:
1. In the Firewall Table window, select a firewall from the list.
2. Click Edit. The Firewall Table Edit dialog box is displayed.
3. Enter the appropriate information.
4. Click Update. The Firewall Table Edit dialog box closes.
5. Click Set. The new firewall parameters are set.
Creating Virtual IP Addresses
You can create virtual IP addresses so that FireProof can balance loads between firewalls where one or more use NAT addresses. You do so by creating a virtual IP address and mapping the NAT addresses of the firewalls to it. Clients destined to the virtual IP address are redirected to the appropriate firewall according to the configured dispatch method. You can configure up to 400 virtual IP addresses per FireProof. You use the Virtual IP Table window to configure virtual IP addresses.
To access the Virtual IP Table window:
From the FireProof menu, choose Virtual IP. The Virtual IP Table window is display
112. efine an IP VLAN that includes ports 1 and 2. The FireProof includes an IP VLAN by default. This VLAN can be edited to include ports 1 and 2, or an entirely new VLAN can be configured. VLANs are configured in the Virtual LAN Table window (Device > VLAN).
Note: To operate the load balancing in a VLAN network topology, you must set your VLAN to be a Regular VLAN type.
Define an IP interface with the address 10.1.1.10 to be associated with the VLAN defined in step 1 above. If there is an existing IP interface with a 10.1.1.10 address, it should be edited so that the 10.1.1.10 address is associated with the VLAN. If there is no existing IP interface with a 10.1.1.10 address, one must be created.
In the Firewalls Table window (FireProof > Firewall Table), insert firewalls 10.1.1.11 and 10.1.1.12.
The default router of the FireProof should be one of the firewall's internal interfaces, for example 10.1.1.11.
The default gateway of clients on the 10.1.1.X subnet should be the FireProof at 10.1.1.10. No route to 10.1.1.X is required on the firewalls.
It is recommended to use Full Path Health Monitoring to ensure the remote side of the firewall is operational. In the Firewall Table window (FireProof > Firewall Table), select a firewall and click Full Path Health Monitoring. For example, configure the router at 100.1.1.10 as the Check Address for each of the firewalls.
113. emp get (bwm service basic temp get <name>)
Description:
• Enables the user to update information for an existing BWM temporary policy table. Example: bwm service adv temp update local ompc1 -t filter
• Enables the user to delete an existing BWM temporary policy table. Example: bwm service adv temp destroy local ompc1
• Enables the user to create a new BWM temporary policy table. Example: bwm service adv temp create local ompc2
• Enables the user to retrieve information for the BWM Service Basic Filter Table. Example: bwm service basic actual get
• Enables the user to retrieve information for an existing entry in the BWM Temporary Basic Filter Table. Example: bwm service basic temp get http
BWM Service Command Syntax:
• BWM service basic temp update: bwm service basic temp update <name> <Switch> <value>
• BWM service basic temp destroy: bwm service basic temp destroy <name>
• BWM service basic temp create: bwm service basic temp create <name> <Switch> <value>
• BWM service group actual get: bwm service group actual get
• BWM service group temp get: bwm service group temp get <group> <entry>
Description:
• Enables the user to update information for an existing entry in the BWM Temporary Basic Filter Table. Ex
114. eparately, but all use the same firewall. Enabling this option can produce finer load balancing and at the same time ensure all sessions from the same client to the same server use the same firewall. When disabled, all the sessions of one client are considered a single session to enable better performance.
• Select New Firewall For Different Source Port: When enabled, different sessions opened by a client's application to the same destination will be served by different firewalls according to the load balancing algorithms. This option overrides the New Entry On Source Port option.
• Session Tracking: When enabled, both inbound and outbound traffic will be handled. When disabled, FireProof will only manage outbound traffic, Client Table Mode (below) will be set to Layer 3, and New Entry on Source Port and Select Server on Source Port will be disabled.
• Client Mode: Indicates what layer of address information will be used to categorize packets in the client table.
  Layer 3: Source and destination IP addresses only. An entry exists in the Client Table for each source IP and destination IP combination of packets passing through the device.
  Layer 4: Source and destination IP addresses and TCP/UDP port information. An entry exists in the Client Table for each source IP, source port, destination IP and destination port combination of packets passing through the device.
  Client IP Only: Enables traffic to be load balanced based on the I
115. Properties:
• The Local Network Side and the Firewall Side are on different subnets.
• Firewalls must be configured with the Network Address Translation feature enabled.
Note: Only the primary FireProof is active; the backup is idle. The reason for this is that the local network can have only one of the FireProof units configured as its default router (FireProof 1 in this case), so traffic coming from FireProof 2 will not be returned through it but through FireProof 1. FireProof 1 does not hold session information about sessions that were sent via FireProof 2 and thus is unable to send it back to the firewalls correctly. If FireProof 1 fails and FireProof 2 is configured as its backup, the traffic will be managed by FireProof 2. The firewall will still send the traffic to its next hop router, but FireProof 2 will take over the failing FireProof 1 IP addresses and handle the traffic correctly.
Configuration:
1. Define two IP interfaces on FireProof 1: one with a 10.1.1.10 address on port 1 and one with a 20.1.1.10 address on port 2.
2. In the Firewall Table window (FireProof > Firewall Table), insert firewalls 20.1.1.1 and 20.1.1.2.
3. Define two IP interfaces on FireProof 2 similarly: one with a 10.1.1.11 address on port 1 and one with a 20.1.1.11 address on port 2.
4. Follow step 2 to configure the firewalls on FireProof 2. All par
116. er to manipulate the data of the BWM Diffserv. Entering the bwm diffserv dscp command will display the following options: actual, temp.
Note: The possible Switch Values for the bwm network temp command are the following: -pr (priority), -bw (bandwidth).
Command Syntax / Description:
• BWM Diffserv DSCP actual get (bwm diffserv dscp actual get <index>): Displays the DSCP Actual Table. Example: bwm diffserv dscp actual get 4
• BWM Diffserv DSCP temp get (bwm diffserv dscp temp get <index>): Enables the user to retrieve information from the DSCP Temporary Table. Example: bwm diffserv dscp temp get 4
• BWM Diffserv DSCP temp update (bwm diffserv dscp temp update <index>): Enables the user to update information for an existing DSCP Temporary Table. Example: bwm diffserv dscp temp update 4
BWM Network
This group of commands enables the user to manipulate the data of the BWM Network. Entering the bwm network command will display the following options: actual, temp.
Note: The possible Switch Values for the bwm network temp command are the following: -a (IP), -s (Mask), -t (To IP), -m (Mode), -f (From IP).
Command Syntax / Description:
• BWM Network actual get (bwm network actual get): Displays the Rule Networks Table. Example: bwm network actual get
• BWM Network temp get: Enables the user to retrieve (bwm networ
117. er to print the following stat. Typing the set rea stat command resets the REA counters. timeout; trapecho
Smart NAT
This group of commands enables the user to manipulate the data of the Smart NAT tables. For more information refer to Smart NAT in Chapter 3, page 3-25. Entering the smartnat command will display the following options:
• dynamic: The Dynamic NAT table
• mode: Smart NAT mode status
• static: The Static Smart NAT table
Command Syntax / Description:
• smartnat dynamic get (smartnat dynamic get <router address> <NAT address>): Enables the user to view the Dynamic Smart NAT table. Example: smartnat dynamic get
• smartnat dynamic destroy (smartnat dynamic destroy <router address> <NAT address>): Enables the user to delete an entry in the Dynamic Smart NAT table. Example: smartnat dynamic destroy 1.1.1.1 10.1.1.1
• smartnat dynamic create (smartnat create <router address> <NAT address> -m <NAT mode>): Enables the user to create an entry in the Dynamic Smart NAT table. The possible values for the NAT Mode field are the following: 1 (Regular), 2 (Backup). Example: smartnat dynamic create 1.1.1.1 10.1.1.1 -m 1
• smartnat mode get (smartnat mode get): Enables the user to view the Smart NAT Mode's status. Example: smartnat mode get
118. ered requests for a variable will make it be ignored in the load balancing decision.
To configure Windows NT load balancing:
1. In the Windows NT Parameters window, choose a server.
2. Click Edit. The Windows NT Parameters Edit dialog box is displayed.
3. Adjust the appropriate values.
4. Click Update. The Windows NT Parameters Edit dialog box closes.
5. In the Windows NT Parameters window, click Set. The algorithm is
Private Parameters
There are two private servers load balancing algorithms. These parameters are used to load balance the users of the farms that are configured with the private 1 or private 2 dispatch methods. You use the Private Parameters Table window to configure private load balancing algorithms.
To access the Private Parameters Table window:
From the FireProof menu, select Load Balancing Algorithms and then choose Private Parameters. The Private Parameters Table window is displayed.
[Screenshot: Private Parameters Table window with columns Serial Number, Special Check Period, Var1 OBJECT ID, Var1 Weight, Var2 OBJECT ID, Var2 Weight, Retries and Community; two rows (schemes 1 and 2), each with check period 30, retries 3 and community public.]
The Private Parameters Table window includes the following fields:
• Serial Number: The serial number of the scheme. Scheme number 1 is used for dispatch meth
119. erface data. Example: vlan get 100000
• Enables the user to update the specified SSD VLAN interface data. Example: vlan destroy 100000 -a active
• Enables the user to delete the specified SSD VLAN interface data. Example: vlan destroy 100000
• Enables the user to create a new SSD VLAN interface. Example: vlan create 100000 ip -t regular
Command Syntax / Description:
• VLAN switch help list (vlan help <Switch>): Enables the user to view an online help for the VLAN command. Example: vlan help t
VLAN Port
This group of commands enables the user to manipulate the SSD VLAN Port data. For more information refer to Setting Up a VLAN in Chapter 3, page 3-12. The possible Switch Values for the vlanport command are the following: -t (Port Tag).
Command Syntax:
• VLAN port get: vlanport get <interface number> <port interface number>
• VLAN port update: vlanport update <interface number> <port interface number> <Switch> <value>
• VLAN port destroy: vlanport destroy <interface number> <port interface number>
• VLAN port create: vlanport create <interface number> <port interface number> <Switch> <value>
• VLAN port switch help list: vlanport help <Switch>
De
120. es are recorded.
Setting Interface Addresses and IP Router Options
For your FireProof to perform IP routing you must configure IP interfaces. IP interfaces consist of two parts: an IP Address and an IP Network Mask.
• IP Address: The IP Address is defined for a physical port or VLAN.
• IP Network Mask: The IP Network Mask is determined by your network setup.
IP interfaces comprise a particular IP Address coupled with a particular IP Network Mask. FireProof will perform IP routing between all defined IP interfaces.
To configure your device as an IP router:
1. From the Router menu, select IP Router and then choose Interface Parameters. The IP Router Interface Parameters window is displayed, listing current IP interfaces.
[Screenshot: IP Router Interface Parameters window with columns If Num, IP Address, Network Mask, Fwd Broadcast and Broadcast Type; two rows are shown: interface 1 with 1.1.1.1 / 255.0.0.0 and interface 100001 with 176.200.99.99 / 255.255.0.0, both Enabled, One Fill.]
2. Click Insert. The IP Router Interface Parameters Insert dialog box is displayed.
3. From the IF Num dropdown list, choose an IF (Interface) Number. The list contains all physical inter
121. ess you require to edit.
2. Click Edit. The Global ARP Table Edit dialog box opens.
3. Adjust MAC Address.
4. Click Update. The Global ARP Table Edit dialog box closes.
5. In the Global ARP Table window, click Set. Your changes are recorded.
Setting Up Security
Configuring Management Station Access
You can define the level of access different management stations have to FireProof. You use the Community Table window to configure access privileges. To view this window you must have super access rights.
To insert a new community management station:
1. From the Security menu, choose Community Table. The Community Table window is displayed.
[Screenshot: Community Table window with columns Management Address, Community String, Community Access and Send Traps; one row: 0.0.0.0, public, SUPER, Enabled.]
The Community Table window shows the following for each station that can manage the device:
• Management Address: IP address of the management station. The 0.0.0.0 address enables any management address.
• Community String: Community name of the management station.
• Community Access: Whether the access of the management station is Read Only or Read Write. Choose Super Community to set the name used to access this Community Table.
• Send Traps: Whether FireProof sends traps to the management station (Enable) or not (Disable).
122. et / global newentry get; global new entry on source port update / global newentry update <value>

Appendix C ASCII Command Line Interface

Description: Enables the user to view the global New Entry on Source Port status. The values for the value field are the following: 1 Enable, 2 Disable. Example: global fwportid get
Enables the user to change the global New Entry on Source Port status. Example: global fwportid update 2

Global Include Source and Destination Port on Client Table Hashing

Command Syntax: global include source and destination port on client table hashing get / global porthash get
Description: Enables the user to view the global Include Source and Destination Port on Client Table Hashing status. The values for the value field are the following: 1 Enable, 2 Disable. Example: global porthash get

Command Syntax: global include source and destination port on client table hashing update / global porthash update <value>
Description: Enables the user to change the global Include Source and Destination Port on Client Table Hashing status. Example: global porthash update 2

Global Remove Entry at Session End

Command Syntax: global remove entry at session end get / global remsess get; global remove entry at session end update / global remsess update
123. ewall with the least amount of users.
• NT 1: Queries the firewalls for Windows NT SNMP statistics. According to the reported statistics, FireProof redirects the clients to the least busy firewall. To use this method, the firewalls must be firewalls for Windows NT. The parameters are considered according to the weights configured in the first Windows NT weights scheme.
• NT 2: Similar to NT 1, but uses the second weights scheme.
• Private 1: Queries the firewalls for private SNMP parameters as defined in the first private weights scheme. The ratios of users on the firewalls will be balanced according to the reported statistics.
• Private 2: Same as Private 1, using the second weights scheme.
• Fewest Bytes Number: Directs traffic to the firewall through which the least number of bytes has passed.
• Client Aging Time: The amount of time, in seconds, that a non-active client is kept in the Clients Table. As long as a client is kept in the Clients Table, the client is attached to the same firewall.
• Client Connect Denials: Indicates the number of connection requests from clients that were denied by the dispatcher.
• Timeout for SYN: This feature improves the FireProof's SYN attack resilience. Enter the number of seconds that the FireProof assigns to a new session started by a SYN packet (default is Regular aging time). The value can be a number be
124. faces and all IP VLANs. If you want a combination of physical interfaces that is not listed, use the Virtual LAN Table window (see page 3-11) to define the desired combination.
4. Enter the IP Address and Network Mask as determined by your network setup.
5. Click Update. The new IP interface is added and the IP Router Interface Parameters Insert dialog box closes.
6. Repeat steps 2-6 for all IP interfaces.
7. Optionally, select an interface from the IP Router Interface Parameters window and click Edit to edit the ICMP and RIP parameters of the interface.
8. Click Update. The IP Router Interface Parameters Insert dialog box closes.
9. In the IP Router Interface Parameters window, click Set. The new IP interface definitions are sent to the device. IP routing is performed between the defined IP interfaces.

To define a default router:
1. From the Router menu, choose Routing Table. The IP Routing Table window is displayed as shown below.
[Screenshot: IP Routing Table window (176.200.99.99). Columns: Dest IP Address, Network Mask, Next Hop, IfNum, Metric, Protocol, Type. Row 1: 1.0.0.0, 255.0.0.0, 0.0.0.0, F-1, 1, Local, Local. Row 2: 176.200.0.0, 255.255.0.0, 0.0.0.0, 100001, 1, Local, Local. Status: Finished; Error.]
2. Click Insert. The IP Routing Table Insert dialog box is displayed.
In the IP Routing Table Insert window, adjus
125. fied in RFC 1583 and RFC 1850, with some limitations. The various routing protocols can access each other's direct routing tables for routing information, allowing packets to leak between routing protocols.

IP interfaces must be configured properly for a Radware device to work as an IP router. IP interfaces consist of two parts: an IP Address and an IP Network Mask.
• IP Address: The IP Address is defined for a physical port or VLAN.
• IP Network Mask: The IP Network Mask is determined by your network setup.
A particular IP Address together with a particular IP Network Mask comprises an IP interface. Radware devices will perform IP routing between all defined IP interfaces.

This section includes the following information:
Adjusting Operating Parameters (below)
Configuring Interface Parameters (page 3-57)
RIP Protocol Parameters (page 3-58)
RIP Interface Parameters (page 3-60)
OSPF Protocol Parameters (page 3-61)
OSPF Interface Parameters (page 3-63)
OSPF Area Parameters (page 3-65)
OSPF Link State Database (page 3-66)
OSPF Neighbor Table (page 3-67)
Configuring the Router (page 3-68)
ARP Addresses (page 3-69)

Adjusting Operating Parameters

You use the IP Router Parameters window to monitor, add and edit router settings.

To access the IP Router Parameters window:
From the Router selec
126. firewall load and number of attached clients per firewall, enabling unique monitoring and utilization of the firewalls. The Client Table is dynamic, containing the current active users and their connection time. Traps are initiated in case of special events.

Application Health Monitoring: FireProof allows the monitoring of firewall application status for improved fault tolerance. Application failures can occur even when the firewall machine is up. FireProof can detect these failures and redirect the clients to another firewall.

Backup Firewall Configuration: FireProof allows the configuration of any firewall as backup. FireProof will not redirect clients to the backup firewalls unless all the regular firewalls are inactive. When several backup firewalls are configured, the load is balanced between them, similar to the load balancing of the regular firewalls.

Glossary G-1 radware

BootP: For easy installation, FireProof is a BootP client. A BootP server on the network will automatically configure the site-dependent parameters of the FireProof when it is first connected to the network and powered up, readying your unit for SNMP configuration. In addition, FireProof is a BootP relay, relaying BootP requests to remote networks.

Bridging: FireProof is a fully functional transparent bridge. Bridging occurs at full wire speed and extremely low latency is maintained.

Configuration File: The Configuration File feature a
127. from date of shipment.
• Software: for a period of 12 months from date of software registration.
During the warranty period, Radware will, at its option, either repair or replace products which prove to be defective. For warranty service or repair, this product must be returned to a service facility designated by Radware. Buyer shall prepay shipping charges, duties and taxes for products returned to Radware, and Radware shall pay shipping charges to return the product to Buyer.
Radware warrants that its firmware designed by Radware for use with an instrument will execute its programming instructions when properly installed on that instrument. Radware does not warrant that the operation of the instrument or firmware will be uninterrupted or error free.

LIMITATION OF WARRANTY
The foregoing warranty shall not apply to defects resulting from improper or inadequate maintenance by Buyer, Buyer-supplied firmware or interfacing, unauthorized modification or misuse, operation outside of the environmental specifications for the product, or improper site preparation or maintenance. No other warranty is expressed or implied. Radware specifically disclaims the implied warranties of merchantability and fitness for a particular purpose.

FireProof User Guide Safety Instructions radware

EXCLUSIVE REMEDIES
The remedies provided herein are Buyer's sole and exclusive remedies. Radware shall not be liable for any direct, indirect, special, inc
128. g, Area and Pie.
Data Buffer Size: The number of past graph samples stored. The greater the number, the more samples are stored for later review.

FireProof User Guide 4-2 Chapter 4 Monitoring FireProof Performance radware

Monitor Size: The number of graph samples that are displayed on the screen.
Sample Time: The amount of time between samples, in seconds.
Presentation Units: The average number of events per the number of seconds entered here, based on the total number of events recorded for the duration of the Sample Time. For example, if the Presentation Units is set as 1 and the Sample Time is set as 5, the graph will display the average number of events per 1 second based on the last 5 seconds of data. Changing the value of the Presentation Units will change the display of all graphs still in the buffer.

To review the last compiled graph:
• Click Show Last. The last graph that was compiled is displayed.

The following counters can be graphed:
Discarded IP datagrams due to header error: The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, etc.
Discarded IP datagrams due to invalid address: The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity. Th
129. g FireProof

Getting Device Information

You use the Device Information window to view information regarding the device specifications.

To access the Device Information window:
• From the Device menu, choose Device Information. The Device Information window is displayed as shown below.
[Screenshot: Device Information window, FireProof Configuration. Fields: Device Type (FireProof), Platform (PPE 750 Processor), Number Of Ports, SW Version, Build, HW Version (1.10), Flash Size (MB), RAM Size (MB), Base MAC Address (00:00:80:00:00:00). Status: Finished; Error.]
The Device Information window contains the following fields:
• Device Type: The type of device.
• Platform: The device platform.
• Number of Ports: The number of ports.
• SW Version: The software version.
• Build Number: The build number of the software.
• HW Version: The hardware version.
• Flash Size (MB): The size of the flash (permanent) memory in megabytes.
• RAM Size (MB): The amount of RAM in megabytes.
• Base MAC Address: The MAC address of the first port on the device.

Viewing Interface Parameters

From time to time you may wish to view the parameters of each individual interface. You do so by accessing the Interface Parameters for Port window.

To view the Interface Parameters:
1. In the Zoom View, select a specific port
130. g Nodes (page 3-6)

Bridge Operating Parameters

You use the Bridge Parameters window to set bridge operating parameters.

To access the Bridge Parameters window:
• From the Bridge menu, choose Operating Parameters. The Bridge Parameters window is displayed.
[Screenshot: Bridge Parameters window, Operation Parameters: Bridge Address 00:03:62:04:98:40; Bridge Type Transparent only; Forwarding Table Aging Time 3600. Status: Finished; Error.]
The Bridge Parameters window includes the following fields:
• Bridge Address: The MAC Address used by the device.
• Bridge Type: Types of bridging the device can perform.
• Forwarding Table Aging Time: How many seconds learned entries remain in the Forwarding Table. The counter is reset each time the entry is used. After this time, entries are deleted from the table. Minimum ten seconds.

To configure bridge operating parameters:
1. In the Bridge Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.

Bridge Forwarding Nodes

You use the Global Forwarding Table window to monitor, add and edit bridge forwarding nodes.

To access the Global Forwarding Table window:
• From the Bridge menu, choose Global Forwarding Table. The Global Forwarding Table window is displayed.
[Screenshot: Global Forwarding Table window (176.200.99.99). Columns: MAC Address, Port, St
131. g update <value>
Description: Enables the user to view the Ids NCP Aging frequency. Example: ids ncpaging get
Enables the user to update the Ids NCP Aging frequency. Example: ids ncpaging update 1000

Command Syntax: IDS ncpdsize get / ids ncpdsize get
Description: Enables the user to view the Ids NCPD Size. Example: ids ncpdsize get

Command Syntax: IDS ncpdsize update / ids ncpdsize update <value>
Description: Enables the user to update the Ids NCPD Size. Example: ids ncpdsize update 8250

Command Syntax: IDS policy get / ids policy <policy name> get
Description: This group of commands enables the user to view the Intruder Detection Service Policies. Entering the ids policy command will display the following options for the policy name field:
• Any: Any Policy
• Apache: Apache Policy
• Basic: Basic Policy
• Bdoors: Backdoors
• Coldfus: Cold Fusion
• Compaq: Compaq Policy
• Front: Front Policy
• Irix: Irix Policy
• Lotus: Lotus Policy
• Msiis: MSIIS Policy
• Ncsa: NCSA Policy
• Netscape: Netscape Policy
• Novell: Novell Policy
• Omni: Omni Policy
• Oracle: Oracle Policy
• Unix: Unix Policy
• Website: Website Policy
Example: ids policy any get

Command Syntax: IDS policy update / ids policy <policy name> update <status>
Command Syntax: IDS statistics get / ids stats get
IDS statsi
132. ge or subnet of local hosts. You use the Dynamic Smart NAT window to assign NAT addresses to firewall IP addresses.

To access the Smart Dynamic NAT window:
• From the FireProof menu, select Smart NAT and then choose Dynamic NAT. The Smart Dynamic NAT window is displayed.
[Screenshot: Smart Dynamic NAT window (176.200.116.21). Columns: From Local IP, To Local IP, Router IP, Dynamic NAT IP, NAT Redundancy Mode. Status: Finished; Error.]
The Smart Dynamic NAT window contains the following fields:
• From Local IP: Displays the range of local IP addresses.
• To Local IP: Displays the range of local IP addresses.
• Router IP: The IP of a router that is being load balanced. The router IP is chosen from the Firewalls table.
• Dynamic NAT IP: The IP address to be used when forwarding traffic from that client range to the router IP above.
• NAT Redundancy Mode: Whether the NAT address is regular or backup.

To perform dynamic NAT:
1. From the FireProof menu, choose Global Configuration. The Global Configuration Table window is displayed. Ensure that Smart NAT is enabled.
2. From the FireProof menu, select Smart NAT and then choose Dynamic NAT. The Smart Dynamic NAT window is displayed.
3. Click Insert. The Smart Dynamic NAT Insert dialog box is displayed.
4. Enter the appropriate information.
5. Clic
133. guration
[Screenshot: Send configuration to device dialog. Fields: File Name, Progress Status, Status, Error.]
1. In the File Name field, enter the name of the file you want to send. Alternatively, click Browse to search the directory tree for the file. Configware will look for the file in the directory <Configware_Install_Dir>\NMS\Configuration.
2. Optionally, check the External TFTP Server IP Address checkbox. If you do not want to use the default TFTP server provided with the device, check the External TFTP Server IP Address checkbox and enter the IP address of the machine running the server. To use the default TFTP server, do not select the checkbox.
3. Click Set. The status of the upload is displayed in the Progress Status field.

Setting Up Application Security

The Application Security feature enables you to set up another line of defense within your network. Once configured, the FireProof is able to detect and prevent attacks on your network in real time.
Note: This feature is only available with a SynApps license.

To start the protection:
1. From the Security menu, select Application Security and then choose Global Parameters. The Application Security Global Parameters dialog box is displayed.
[Screenshot: Application Security Global Parameters dialog box. Global Parameters: Start Protection; Alerts Table Size 1000; Traps Sending Enabled. Status: Fini
134. gure the aging time.
• Aging Time: The duration, in seconds, of the client lifetime.

To assign application aging times:
1. In the Application Aging Table window, adjust the appropriate parameters.
2. Click Set. Your changes are made.

Configuring Firewall Grouping

You can set up a policy list in FireProof to govern which firewall(s) to use according to the traffic type. You can define firewall groups according to the destination subnet of the traffic, the source subnet of the traffic, and/or the application type of the traffic. For example, you can have HTTP traffic load balanced between two out of your four firewalls, while having traffic to a particular subnet load balanced between two other firewalls. Note that firewalls can be grouped in more than one group.

This section includes the following information:
• Setting Up Destination Grouping (below)
• Setting Up Source Grouping (page 3-35)
• Setting Up Application Grouping (page 3-36)

Setting Up Destination Grouping

Destination grouping allows you to determine which firewalls will handle traffic to a specific destination subnet. You use the Destination Grouping Table window to configure destination grouping.

To access the Destination Grouping Table window:
• From the FireProof menu, select Firewalls Advanced Configuration, select Grouping, then select Destination Grouping. The Destin
135. h update <dispatch method> 2

Global Identify Firewall by Port

Command Syntax: global identify firewall by port get / global fwportid get
Description: Enables the user to view the global Identify Firewall by Port data. The values for the status field are the following: 1 Enable, 2 Disable. Example: global fwportid get

Command Syntax: global identify firewall by port update / global fwportid update <status>
Description: Enables the user to change the global Identify Firewall by Port data. Example: global fwportid update 2

Global Outbound Translation Mode

Command Syntax: global outbound translation mode get / global fwportid get
Description: Enables the user to view the global Outbound Translation Mode. The values for the translate outbound traffic to virtual address field are the following: 1 Enable, 2 Disable. Example: global fwportid get

Command Syntax: global outbound translation mode update / global fwportid update <translate outbound traffic to virtual address>
Description: Enables the user to change the global Outbound Translation Mode. Example: global fwportid update 2

Global New Entry on Source Port

Command Syntax: global new entry on source port g
136. hanging any values in this window can drastically affect normal operation.
[Screenshot: Device Tuning Table window with tabs FireProof With SynApps, QoS, Application Security. Columns: Max Entries In, Current Value, After Reset. Rows: Bridge Forwarding Table (1024), IP Forwarding Table, ARP Forwarding Table, Client Table, Routing Table (512), Static NAT (512), No NAT (512, 512), All NAT, Error Report Level. Status: Finished; Error.]
The Device Tuning Table window contains three tabs with the following information:

FireProof With SynApps Tab
• Bridge Forwarding Table: The limit on the number of local station addresses.
• IP Forwarding Table: Displays the limit on the number of IP destinations. The values are concurrent.
Note: Using 64M DRAM, FireProof 3.20 supports up to 128,000 entries in the IP Forwarding Table. Using 128M DRAM, FireProof 3.20 supports up to 250,000 entries in the IP Forwarding Table.
• ARP Forwarding Table: The limit on the number of entries in the ARP table.
• Client Table: The limit on the number of entries in the Client Table. The values are concurrent.
• Routing Table: The limit on the number of entries in the Routing Table.
• Static Table: The limit on the number of entries in the URL Table.
• No NAT Table: The limit on the number of entries in the SSL Table.

QoS Tab
• Policy Table: Displays the number of po
137. he Firewall Table window (FireProof menu, Firewall Table).
Configure the FireProof to send mail traffic only to firewall 3: in the Application Port Grouping window (FireProof menu, Firewalls Advanced Configuration, Grouping, Application Grouping), insert the Application Port Number (for example, select SMTP or type 25) and the Firewall IP Address (for example, 20.1.1.3).
If different aging is required for mail traffic, configure this in the Application Aging Table window (FireProof menu, Firewalls Advanced Configuration, Aging by Application Port). In the Application Port field, select SMTP or type 25. In the Aging Time field, select the required aging.
In the Global Configuration window (FireProof menu, Global Configuration), set Client Mode to Layer 4 in the Client Table tab and set Open New Entry for Different Source Port to Enabled.

FireProof User Guide Appendix A Example Configurations radware

Example 9: QoS Used for Access Control

[Diagram: Server X (200.1.1.1); Firewall 1 (20.1.1.1) and Firewall 2 (20.1.1.2); FireProof with addresses 20.1.1.10, 10.1.1.10 and 11.1.1.10; internal networks 10.1.1.X and 11.1.1.X; internal host 10.1.1.4.]
Properties:
• Server X at IP address 200.1.1.1 can communicate to the internal server using telnet or FTP. Otherwise, the server can be accessed using HTTP only.
• Internal users cannot access the 200.1.1.1 server.
• All other traffic through the device is blocked.

Configuration
138. he VLAN, automatically assigned by the device. This parameter applies to IP and IPX VLANs only.

The Fast Ethernet platform contains the following additional field:
• Auto Config: When this parameter is enabled, the device will automatically detect and add interfaces to this IP VLAN in accordance with incoming IP broadcasts and ARP requests. This means that a network device can be moved to a different device port and remain in the same VLAN. This will be done only if the IP VLAN Auto Config is enabled. This parameter applies to IP VLANs only.

To create new VLANs:
1. In the Virtual LAN Table window, click Insert. The Virtual LAN Insert dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The Virtual LAN Insert dialog box closes.
4. In the Virtual LAN Table window, click Set. The VLAN is added to the list.

To add physical ports to the VLAN:
1. In the Virtual LAN Table window, select the VLAN entry for which you require to add a physical port.
2. Click Adding Ports to VLAN. The Ports Table for VLAN window is displayed, in which you can define or edit the Port Number and the Port Tagging.

To edit existing VLANs:
1. In the Virtual LAN Table window, select a VLAN to edit.
2. Click Edit. The Virtual LAN Edit dialog box is displayed.
3. Adjust the appropriate values.
4. Click Update. The Virtual LAN Edit dialog box closes.
5. In the Virtual LAN Table window
139. he recipient.
• Priority: Enables you to set the priority of the policy, which can be on a scale of 0-7 or in real time.
4. Click Update. The Edit Default Policy dialog box closes.
5. Your changes are recorded.

To delete policies:
1. In the Modify Policies Table window, select the policy you require to delete.
2. Click Delete. The policy is highlighted in red.
3. Click Set. The policy is deleted.

To change the order of existing policies:
1. From the QoS menu, choose Modifying Policies and then select Policies. The Modify Policies Table window is displayed.
2. Select the policy in the table for which you require to change the order.
3. Click Insert. The Modify Policies Table Insert dialog is displayed.
4. From the Policy Order dropdown list, select the new order you require for the policy.
Note: Policies can only be moved upwards in order.
5. In the Modify Policies Table window, click Refresh. The order of the policies is changed according to your requirements.

Modifying Networks

Configware enables you to view active networks as well as configure new ones. You can define networks that will be used by the device, which are kept in the active part of the database, and you can define networks that will be kept in a separate temporary database until such time as they are required. Refer to Viewing Active P
140. her the device is a regular device or a backup device.

To set up a remote virtual IP address:
1. In the Remote Virtual IP window, adjust the appropriate values.
2. Click Set. Your changes are made.
Make sure to configure the remote virtual IP on the main device and the backup device. Also make sure that the device performing the remote connectivity checks queries this address.

Defining Load Balancing Algorithms

You choose the FireProof load balancing method in the General tab of the Global Configuration window, using the Dispatch Method dropdown list. In addition to the methods provided (Cyclic, Least Traffic and Least Users Number), you can also use native Windows NT load balancing algorithms or private algorithms.

Windows NT Load Balancing

There are two Windows NT servers load balancing algorithms. These parameters are used to load balance the users of the farms that are configured with nt 1 or nt 2 dispatch methods. You use the Windows NT Parameters window to configure the Windows NT load balancing algorithm.

To access the Windows NT Parameters window:
• From the FireProof menu, select Load Balancing Algorithms and then choose Windows NT Parameters. The Windows NT Parameters window is displayed.
[Screenshot: Windows NT Parameters window (176.200.99.99). Fields: Serial Number, Check Period, Open Sessions Weight, Incoming Traffic Weight, Outgoing Traffi
141. ick Connect. The Zoom View of the device is displayed as shown below.
[Screenshot: Zoom View, Fire Proof FE 176.200.99.99. Menus: File, Device, Bridge, Router, Fire Proof, Security, Performance, Services, Help. Front panel indicators: PWR, RESET, MODE, OK.]
Note: If Configware is unable to connect to a server, a Device or Connection Error dialog box is displayed, in which you can try to reconnect by entering a new IP address or the correct community name, or exit and return to the Configware window.

Zoom View

Zoom View is a real-time representation of a Radware device. Each of the device's interfaces is represented. Zoom View for FireProof units also includes the color-coded LEDs located on the FireProof front panel. All Configware options are accessed through Zoom View, as shown on the previous page.

Understanding Zoom View Colors

Zoom View has labels representing the various interfaces of the Radware unit. The labels are color coded to indicate the following:
Label Color: Explanation
Green: Interface is Okay.
Red: The interface has generated an Error message, or the interface is not connected, or it has been put on standby by the spanning tree algorithm.

Refreshing Zoom View

You may wish to refresh Zoom View so you can see the current status of the device and its interfaces.

To refresh Zoom View:
• Open the Services menu and choose Refresh. The device is polled f
142. idental or consequential damages, whether based on contract, tort or any legal theory.

TRADEMARKS
FireProof, MultiVu and Configware are trade names of Radware Ltd. This document contains trademarks registered by their respective companies.

SPECIFICATION CHANGES
Specifications are subject to change without notice.

NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules and EN55022 Class A, EN 50082-1 (for CE MARK Compliance). These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.

FireProof DC
If you purchased one of these devices, make note of the following additional instructions.
RESTRICT AREA ACCESS: This device should only be installed in a restricted access area.
INSTALLATION CODES: This device must be installed in accordance with the National Electrical Code, Articles 110-16, 110-17 and 110-18, and the Canadian Electrical Code, Section 12.
143. ill in the buffer.

To review the last compiled graph:
• Click Show Last. The last graph that was compiled is displayed.

The following counters can be graphed:
Subnetwork unicast packets delivered: The number of subnetwork unicast packets delivered to a higher layer protocol.
Input non-unicast packets: The number of non-unicast (i.e. subnetwork broadcast or subnetwork multicast) packets delivered to a higher layer protocol.
Input discarded packets (fine packets): The number of inbound packets which were chosen to be discarded even though no errors had been detected, to prevent their being deliverable to a higher layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Input packets with errors (not delivered): The number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol.
Input discarded packets (protocol problems): The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
Output subnetwork unicast packets: The total number of packets that higher level protocols requested be transmitted to a subnetwork unicast address, including those that were discarded or not sent.
Output non-unicast packets: The total number of packets that higher level protocols requested be transmitted to a non-u
144. in FLASH memory, allowing updates to be conveniently sent to the unit via TFTP. Almost all FireProof parameter changes are implemented immediately without the need to reset the unit, unless the Configuration File feature is enabled.

Mirroring: Redundant units mirror one another's Client Tables, so that when one device fails, clients are entirely unaffected when the second device takes over.

Native Windows NT Resources Agent Support: The Windows NT operating system has a built-in server utilization monitoring module that is fully supported by Radware's FireProof. By taking into account the parameters of the NT module, the actual firewall load is reflected in parameters such as CPU utilization, average response time and so on. FireProof can be configured to poll these parameters and incorporate them in the load balancing scheme. This way, the balancing scheme is customized according to actual firewall load and no additional software is required for the NT servers.

Physical Interface: One of the actual Ethernet ports of FireProof. FireProof can have either 2 or 4 physical interfaces, depending on the hardware configuration.

Physical IP address: An IP address assigned to a FireProof interface. This address belongs to FireProof and is used for SNMP management and/or routing purposes.

Session Balancing Modes: FireProof offers four options for the distribution of sessions between
145. is count includes invalid addresses (e.g. 0.0.0.0) and addresses of unsupported Classes (e.g. Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.
Discarded IP datagrams that were received correctly: The number of input datagrams that were received correctly.
Input IP datagrams discarded (protocol problems): The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
Input IP datagrams forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity and the Source-Route option processing was successful.
IP datagram fragments generated: The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
IP datagrams successfully fragmented: The number of IP datagrams that have been successfully fragmented at this entity.
IP datagrams discarded (not fragmented): The number of IP datagrams that have been
146. isplayed. To save traps to file: From the General Traps Table window, click Save to File. The file is saved as traps.dat in the directory <Configware Directory>\Nms\Configuration. To clear the traps table: From the General Traps Table window, click Delete All. Chapter 3 Managing the FireProof with ConfigWare. You can also view traps for specific functions. These specified traps tables may be viewed under two categories: Security Traps and Traps Monitor. The Security Traps window contains information about security events detected by the Application Security module, such as when an attack started and its status. For more information, refer to Setting Up Application Security, page 3-92. The Traps Monitor window contains information about all traps except those reported by the Application Security module. To access the Traps Monitor window: From the Services menu, select Trap Log. The Trap Monitor window is displayed as shown below. [Screenshot: Trap Monitor window with columns Index, Severity, Date, Time, Source, Information; status line "Sending TRAP request".] The Traps Monitor window records the following: Index: The number of the trap. Traps are numbered in the order that they occur. Severity: The level of the trap's
147. istics window is displayed as shown below. [Screenshot: Element Statistics window for device 176.200.99.99 with the Optional Counters list and the Selected list.] The Optional Counters are: Discarded IP datagrams due to invalid address; Discarded IP datagrams that were received correctly; Input IP datagrams discarded (protocol problems); Input IP datagrams forwarded; IP datagram fragments generated; IP datagrams successfully fragmented; IP datagrams discarded (not fragmented); IP fragments failed reassembly; IP fragments successfully reassembled; IP fragments received (need reassembly); Outgoing discarded IP datagrams that have no error; Output IP datagrams discarded (no route found); Resource Utilization; RIP changes made to IP Route Database; RIP global responses sent to RIP queries; SNMP get requests retrieved successfully; SNMP Get Next PDUs processed; SNMP Get Request PDUs processed; SNMP set requests retrieved successfully; SNMP Set Request PDUs processed; SNMP generated Get Response PDUs; SNMP generated Trap PDUs. 2. From the Optional Counters list, choose the counters to graph and click Show Graph. The Element Statistics Graph window is displayed. You can change the look and behavior of the graph using the control panel. To access the control panel: Click Control Panel. The Control Panel contains the following menus: Graph Type: The graph type menu contains a selection of different graph views, including Bar, Area Plot, Scatter Plot, Stacking Bar, Stackin
148. k Insert. The Insert New Filter Groups Parameters dialog box is displayed. In the Enter filter group name field, enter the name you require or select it from the dropdown list. Chapter 3 Configuring FireProof. 4. Using the right and left arrow buttons, move the Optional Filters you require to the Selected Filters field. 5. Click Update. The Insert New Filter Groups Parameters dialog box closes. 6. In the Modify Filter Groups Table window, click Set. Your changes are made. To delete filter groups: 1. In the Modify Filter Groups Table window, select the filter group you require to delete. 2. Click Delete. The filter group is highlighted in red. 3. Click Set. The filter group is deleted. Viewing and Modifying Differentiated Services: Differentiated Services (Diffserv) provides differentiated classes of service to Internet traffic, supporting various types of applications as well as specific business requirements. The problem in providing different classes of service to different types of traffic is that each network device must examine various parameters in each packet in order to identify the class of service it should receive. Diffserv uses a small bit pattern in each packet to identify the type of service it should receive. Radware support for Diffserv can act as either a classifier, marking each packet as it enters the network and providing the appropriate type of
149. k State Database. The OSPF Link State Database window is displayed as shown below. [Screenshot: OSPF Link State Database window for device 176.200.99.99 with columns Link Type, Link State ID, Originating Router ID, OSPF Sequence Number, Link State Age, Checksum, Area ID.] The OSPF Link State Database window contains the following fields: Link Type: Each link state advertisement has a specific format. The link can be a Router Link, Network Link, External Link, Summary Link, or Stub Link. Link State ID: Identifies the piece of the routing domain that is described by the advertisement. It can be either a router ID or an IP address. Originating Router ID: Identifies the originating router in the autonomous system. OSPF Sequence Number: The number for the link. Use this parameter to detect old and duplicate link state advertisements. The larger the sequence number, the more recent the advertisement. Link State Age: The age of the link state advertisement in seconds. Checksum: This parameter is a checksum of the complete contents of the advertisement, except for the Age value. Area ID: The IP address of the area. OSPF Neighbor Table: To access the OSPF Neighbor Table window: From the Router menu, select OSPF and then choose
150. k Update. The Smart Dynamic NAT Insert dialog box closes. In the Smart Dynamic NAT window, click Set. Your changes are made. No NAT Configuration: You can use No NAT to enable a simple configuration where internal hosts have IP addresses that belong to a range of one of the ISPs. Traffic from or to these hosts should not be NATed if the traffic is forwarded to the router of that ISP. If you do not configure any NAT address for a server via a firewall, that firewall will not be used by traffic from that server. In order to use a firewall for a server when NAT is not required, use the No NAT configuration. To access the No NAT Table window: From the FireProof menu, select Smart NAT and then choose No NAT. The No NAT Table window is displayed as shown below. [Screenshot: No NAT Table window for device 176.200.116.21 with columns From Local Server Address, To Local Server Address, Port Number, Router Address.] The No NAT Table window contains the following fields: From Local Server Address: The range of local server addresses. To Local Server Address: The range of local server addresses. Port Number: This is the destination port for which traffic is not
151. k temp get: Enables the user to get information from the Temporary Network Table. Syntax: bwm network temp get <name> <index>. Example: bwm network temp get radware 0. BWM Network temp update: Enables the user to update information for an existing BWM temporary network table. Syntax: bwm network temp update <name> <index> <switch> <value>. Example: bwm network temp update radware 0 a 762100050 8 255 255 00. BWM Network temp destroy: Enables the user to delete an existing BWM temporary network table. Syntax: bwm network temp destroy <name> <index>. Example: bwm network temp destroy radware 0. Appendix C ASCII Command Line Interface. BWM Network (Command Syntax / Description): BWM Network temp create: Enables the user to create a new BWM temporary network table. Syntax: bwm network temp create <name> <index> <switch> <value>. Example: bwm network temp create radware 0 a 176.0.0.0 s 255.0.0.0 m ipMode. BWM Policy: This group of commands enables the user to manipulate the data of the BWM policy. Entering the Policy command will display the following options: actual, temp. Note: The possible Switch Values for the temp command are the following: name; i: Index; ds: Destination; s: Source; ac: Action; d. Command Syntax: BWM Policy actual get: actual get. BWM Policy temp get: temp get.
152. lays the amount of bandwidth dedicated to policies carrying the Diffserv value. Number of Packets Matched: Displays the actual number of packets matched to the policy. Bandwidth Used: Displays the amount of bandwidth used in the last second (kbps). Average Bandwidth: Displays the average amount of bandwidth used per second (kbps) since the device was booted or since the policies were last updated. Peak Bandwidth: Displays the peak average amount of bandwidth used per second (kbps) since the device was booted or since the policies were last updated. To modify a Diffserv policy: From the QoS menu, select Diffserv and then choose Modify Diffserv Policies. The Modify Diffserv Policies Table window is displayed as shown below. [Screenshot: Modify Diffserv Policies Table window with columns DSCP, Priority, Bandwidth.] Note: Definitions of the fields in this window are provided in the previous procedure. Select the policy you require to edit and click Edit. The Modify Diffserv Policies Table Edit dialog box is displayed. Adjust the appropriate values. Click Update. The dialog box closes. In the Modify Diffserv Policies Table window, click Set. Your changes are recorded. To set the default Diffserv policies: From the QoS menu, select Diffserv and then choose Set Diffserv Policies. The Set Diffserv Policies dialog box is display
153. lick Full Path Health Monitoring. Appendix A Example Configurations. Example 6: Redundant FireProof Configuration Using VLAN. [Figure A-6, captioned "DMZ Support with Port Connectivity Rules": Firewall 1, Firewall 2, FireProof 1 (Primary, 10.1.1.10), FireProof 2 (Backup, 10.1.1.11), Local Network.] Properties: The Local Network side and the Next Hop Router side are on the same subnet. Note: Only the primary FireProof is active; the backup is idle. The reason for this is that each host on the local subnet can have a single default gateway, and the same is true for each of the routers: a single next hop router towards the internal subnet. The FireProof must see all the packets from every session in order to make sure a single firewall is used for each session. The internal hosts and the firewalls should all use the same FireProof as their gateway. If FireProof 1 fails and FireProof 2 is configured as its backup, the traffic will be managed by FireProof 2. The next hop router will still send the traffic to its router, but FireProof 2 will take over the failing FireProof 1 IP addresses and handle the traffic correctly. Active FireProof Configuration (FireProof 1): 1. Define an IP VLAN that includes ports 1 and 2. The FireProof includes an IP VLAN by default. This VLAN can be edited to inc
154. licy entries in the table. Network Table: Displays the number of ranges entered in the table. Filter Table: Displays the number of filter entries in the table. Advanced Table: Displays the number of grouped filter entries in the table. Group Table: Displays the number of grouped filter entries in the table. Application Security Tab: Targets Table Size: Represents the size of the table for destination entries. Source & Target Table Size: Represents the size of the table for both source and destination entries, which are counted as one. TCP Table Size: Represents the size of the table for TCP entries. TCP Table Free Up Frequency: Refers to the lifetime of a TCP entry in milliseconds. Security Tracking Free Up Frequency: Refers to the lifetime of both the source and/or destination entries. Alerts Table Polling Time (ms): The lifetime of statistic entries in milliseconds. To tune the device: 1. In the Device Tuning window, edit the number of entries for each field. 2. Click Set. Your entries are recorded. Configuring One Trap: The One Trap feature determines how traps are issued when a firewall fails. When the feature is enabled, a single trap is generated to report a firewall failure. When disabled, traps are issued continuously until the firewall is brought on line again.
155. ll the Configware management software in a specified location. Using the Select drive dropdown box and the path dropdown box, you can navigate to the folder in which you require to install Configware. Chapter 2 Installing FireProof. 6. Click Select. The Select your browser path window is displayed as shown below. [Screenshot: Select your browser path file dialog listing the Configware installation files.] 7. Navigate to your browser, usually located in your Program Files folder, and select the .exe file for your browser. 8. Click Open. The Configware files are extracted to your selected destination folder. When the installation is complete, a success message dialog box is displayed. 9. Click OK. The installation is complete. Notes: Configware software takes up approximately 15MB of disk space. You can access Configware management software from the Start menu, via a shortcut on your desktop, or from the configure.bat file located in the Configware folder containing the software.
156. llows you to transfer entire device configurations via SNMP, offering easy updating to new software versions supplied by Radware. This feature also enables instantaneous application of many parameter changes by allowing you to upload the configuration file, make all the desired parameter changes, and download the complete file to FireProof. You can also keep a library of past configurations. Connectivity: FireProof supports one port with both a 10BaseT and an AUI interface, and one or three ports for connection to firewalls (one port with both 10BaseT and AUI interface, and the other two ports with only 10BaseT interfaces). The Fast Ethernet platform supports connections of two or four 100BaseT ports. The Application Switch platform supports connections of eight to ten 100BaseT ports and two 1000BaseSX ports. Connectivity Rules: You can create rules for port connection so that traffic entering a certain port always exits via a specified port. For example, you can create a rule whereby traffic entering port 1 always exits via port 2. This enables the creation of two virtual FireProofs within one device (or four in 4-port devices, or eight in 8-port devices). Customized Agent Support: Customized agents can now be created on individual firewalls, providing the network manager with greater flexibility when configuring a load balancing scheme. The network manager can define a customized index for
157. lobal conchk retries get. global conchk retries update: Enables the user to change the global Connectivity Check Retries. Example: global conchk retries update 5. global conchk status get: Enables the user to view the global Connectivity Check Status. The values for the check connectivity status field are the following: 1 = Enable, 2 = Disable. Example: global conchk status get. Global Connectivity Check (Command Syntax / Description): global connectivity check status update / global conchk status update <check connectivity status>: Enables the user to change the global Connectivity Check Status. Example: global conchk status update 1. Global Data: global data get / global data get: Enables the user to view the Global FireProof Table. Example: global data get. Global Dispatch Method: global dispatch method get / global dspmeth get: Enables the user to view the global Dispatch Method. The values for the dispatch method field are the following: 1 Cyclic, 2 Least Traffic, 3 Least Users Number, 4 nt, 5 nt 2, 6 private 1, 7 private 2, 8 LeastBytes. Example: global dspmeth get. global dispatch method update / global dspmeth update: Enables the user to change the global Dispatch Method. Example: global dspmet
158. log box is displayed, containing the previously described fields. Enter the parameters of the new policy in the fields provided. Click Update. The Insert New Policy Parameters dialog box closes. In the Modify Policies Table window, click Set. Your changes are made. To edit a policy: In the Modify Policies Table window, select the policy you want to edit. Click Edit. The Edit New Policy Parameters dialog box is displayed. Adjust the values of the appropriate fields. Click Update. The Edit New Policy Parameters dialog box closes. In the Modify Policies Table window, click Set. Your changes are made. To edit the default policy: In the Modify Policies Table window, click Edit Default Policy. The Edit Default Policy dialog box is displayed. Select the default policy and click Edit. An additional Edit Default Policy dialog box is displayed. 3. Select the parameters you require from the Action and Priority dropdown lists. Action: Enables you to define the action of the default policy from the following: Forward: Enables traffic to pass through the device. Block: Prevents traffic from passing through the device. Block & reset: Prevents traffic from passing through the device and sends a reset message to the sender. Block & bi-directional reset: Prevents traffic from passing through the device and sends a reset message to both the sender and t
159. lude ports 1 and 2, or an entirely new VLAN can be configured. VLANs are configured in the Virtual LAN Table window (Device menu, VLAN). Note: To operate the load balancing in a VLAN network topology, you must set your VLAN to be a Regular VLAN type. 2. Define an IP interface with the address 10.1.1.10 to be associated with the VLAN defined in step 1 above. If there is an existing IP interface with a 10.1.1.10 address, it should be edited so that this address is associated with the VLAN. If there is no existing IP interface with a 10.1.1.10 address, one must be created. 3. In the Firewall Table window (FireProof menu, Firewall Table), insert firewalls 10.1.1.1 and 10.1.1.2. Configure Full Path Health Monitoring as required. 4. In the Global Redundancy Configuration window (FireProof menu, Redundancy, Global Configuration), ensure that the Interface Grouping field is Enabled and the IP Redundancy Admin Status field is Disabled. Ensure that the VLAN Redundancy Device Mode is set to Active. Refer to page 3-41 for further details about Global Configuration parameters. Backup FireProof Configuration (FireProof 2): 1. Define an IP VLAN that includes ports 1 and 2. VLANs are configured in the Virtual LAN Table window (Device menu, VLAN). Note: To operate the load balancing in a VLAN network topology, you must set your VLAN to be a Regular VLAN type. Define an IP interface
160. menu, select Reset Element. The Reset for Device dialog box is displayed. 2. Click OK. The device is reset. Setting Device Global Parameters: You can set various administrative parameters for the FireProof device. To set the global parameters: From the Device menu, choose Global Parameters. The Device Global Parameters window is displayed. [Screenshot: Device Global Parameters window with fields Description (FireProof Application Switch), Name, Location, Contact Person, System Up Time, System Time, System Date, BootP Relay Server Address, BootP Threshold, Software Version, HW Version.] You can use the Device Global Parameters window, which displays the following fields: Description: General description of the device. Name: User-assigned name of the device, which appears in the windows describing the device. Location: Geographic location of the device. Contact Person: The person or people responsible for the device. System Up Time: Time elapsed since the last reset. System Time: Current user-defined device time. System Date: Current user-defined device date. FireProof is year 2000 compliant,
161. supporting dates of the form dd/mm/yyyy. BootP Relay Server Address: The IP address of the BootP server. FireProof forwards BootP requests to the BootP server and acts as a BootP relay. BootP Threshold: How many seconds the device will wait before relaying requests to the BootP server. This delay allows local BootP servers to answer first. Software Version: Version of software that is currently. To set the global parameters: 1. From the Device menu, choose Global Parameters. The Global Parameters window is displayed. 2. Adjust the appropriate values. 3. Click Set. Your changes are recorded. Device Tuning: IMPORTANT: It is strongly advised that Device Tuning only be carried out after consulting with Radware's technical support. Use the FireProof with SynApps, QoS, and Application Security tabs in the Device Tuning window to determine the maximum amount of entries allowed in the various tables listed, as well as to define the security parameters for your previously defined security policy. The changes are only implemented after reset. Note: The tabs described above only exist in a device with SynApps. To access the Device Tuning window: From the Services menu, choose Device Tuning. The Device Tuning Table window is displayed as shown below. [Screenshot: Device Tuning Table window for device 176.200.116.21, marked "Advanced users only".]
162. n: Enables the user to update the IDS Status. Example: ids status update enable. Enables the user to view the IDS TCP Aging frequency. Example: ids tcpaging get. Enables the user to update the IDS TCP Aging frequency. Example: ids tcpaging update 1000. Enables the user to view the IDS TCP Size. Example: ids tcpsize get. Enables the user to update the IDS TCP Size. Example: ids tcpsize update 64000. Enables the user to view the IDS Tracking Table. Example: ids track get F ICMP. Enables the user to create a new IDS Tracking Table entry. Example: ids track create F ICMP tti 10. IDS track update / ids track update <name> <switch> <value>: Enables the user to update a specific IDS Tracking Table entry. Example: ids track update F ICMP tti 5. IDS track destroy / ids track destroy <name>: Enables the user to delete a specific entry in the IDS Tracking Table. Example: ids track destroy F ICMP. IDS traps get / ids traps get: Enables the user to view the IDS Traps status. Example: ids traps get. IDS traps update / ids traps update <status>: Enables the user to update the IDS Traps status. Example: ids traps update enable. This group of commands enables the user to ma
163. n use a remote connectivity check to check the connectivity between the firewalls and the external FireProof. This connectivity check is typically performed by a ping sent from the internal to the external device, or vice versa. In a redundant configuration, the redundancy scheme ensures that when the main device is not operating, the backup device backs up the main device transparently. This means the backup device answers ARPs with the IP address of the main device, therefore ensuring smooth failover. However, the backup device does not respond to pings or SNMP requests in the same way, so as not to create administrative problems. In this situation, when a main external device fails, the backup device does not answer remote connectivity checks sent from the internal device. This problem can be solved using a remote Virtual IP. The remote Virtual IP is always online and is usually owned by the main device, but can also belong to the backup device should the main device fail. It should be used as the remote connectivity check IP address in the internal FireProof. You use the Remote Virtual IP window to configure remote virtual IP addresses. To access the Remote Virtual IP window: From the FireProof menu, choose Remote Virtual IP. The Remote Virtual IP window is displayed. The Remote Virtual IP window contains the following fields: Virtual Connectivity IP: The virtual IP address that you will have devices check for. Virtual Connectivity Mode: Whet
164. nce: Virtual number of hops assigned to the interface. This enables fine tuning of the RIP routing algorithm. 3. Click Update. The RIP Interface Table Edit dialog box closes. 4. In the RIP Interface Table window, click Set. The changes are reflected in the RIP Interface Table list. OSPF Protocol Parameters: You use the OSPF Parameters window to set OSPF operating parameters. To access the OSPF Parameters window: From the Router menu, select OSPF, then choose Operation Parameters. The OSPF Parameters window is displayed. [Screenshot: OSPF Parameters window for device 176.200.99.99 showing Administrative Status Enabled, Router ID 1.4.4.1, Number of External LSAs, External LS Checksum Sum, Leak RIP Routes Disabled, Leak Static Routes Enabled, Leak External Direct Routes Enabled.] The OSPF Parameters window includes the following fields: Administrative Status: The administrative status of the OSPF in the router. Enabled means that the OSPF process is active on at least one interface; Disabled means the process is not active on any interfaces. Router ID: The ID number of the router. To ensure uniqueness, the router ID should equal one of the router IP addresses. Number of External LSAs: The number of external Link State Advertisements in the link state database. External LS Checksum Sum: The s
165. ncy Table. The IP Redundancy Table window is displayed. [Screenshot: IP Redundancy Table window for device 176.200.99.99 with columns Interface IP Address, Primary Device Address, Operating Status, Poll Interval, Time Out.] The IP Redundancy Table window includes the following fields: Interface IP Address: The IP address of the backup interface. Primary Device Address: Refers to the corresponding IP address of the interface on the main FireProof which this FireProof is backing up. Operating Status: The redundancy status (read only). Active: The backup FireProof is now active on this interface. Inactive: The backup FireProof is not active. Poll Interval: The polling interval for the main FireProof interfaces, in seconds. If the interval is 0, the FireProof is not polled. Time Out: The interval in seconds during which the FireProof must respond. If the main FireProof does not respond within this interval, it is considered inoperative. If Time Out is 0, the backup FireProof ignores the row. To set up IP router redundancy: In the IP Redundancy Table window, click Insert. The IP Redundancy Table Insert dialog box is displayed. Adjust the appropriate parameters. Click Update. The IP Redundancy Table Insert dialog box closes. In the IP Redundancy Table window, click Set. Yo
166. ng window of FireProof. The Client Table size by default is 8192. This can be increased to higher numbers to accommodate different applications. If FireProof has 4MB of memory, this setting can be as high as 32,000. If it has 8MB, the setting can be as high as 100,000. Other table sizes may need to be lowered in order to accommodate the larger Client Table sizes. Ensure that the router of each firewall to the local network is the physical IP address assigned to FireProof. Ensure that the local network can access the Internet: the default router of the local network must always be the internal IP address of the FireProof. To ensure that FireProof can access the Internet, the default router of FireProof must always be one of the firewalls (or the router, for an external FireProof). This can be done by adding an entry to the FireProof routing table with destination IP network and mask set to 0.0.0.0, with the next hop as the IP address of one of the firewalls. This can also be done via the ASCII terminal during initial IP address configuration. When working in Regular VLAN mode, the firewall configuration does not need to be changed, only the clients' configuration, so that the FireProof can act as their default gateway and not the firewalls. When operating two redundant FireProof units, make sure the redundancy is enabled for the backup FireProof under Router menu, IP Router, Operating Parameters, that the redundant interfaces are configured in the redundan
167. ng the MAC addresses of devices connected to different ports. The device processes only packets destined to its MAC address. Available in C H platforms only. Switched: The device acts as a switch. Packets between devices connected to different ports that belong to the same switched VLAN are processed by the ASICs rather than by the CPU. This section also contains the following information: Creating VLANs, page 3-13; Configuring VLAN Parameters, page 3-14. Creating VLANs: You use the Virtual LAN Table window to monitor, insert, and edit VLANs. To access the Virtual LAN Table window: From the Device menu, choose VLAN. The Virtual LAN Table window is displayed as shown below. This represents the new Application Switch platform. [Screenshot: Virtual LAN Table window with columns Interface Number, VLAN Type, Protocol, VLAN MAC Address, listing VLANs 100000 (Regular, other) and 100001 (Regular, ip).] The Virtual LAN Table window includes the following fields: Interface Number: The interface number of the VLAN, automatically assigned by the management station. VLAN Type: Either a regular, a broadcast, or a switch type VLAN. Protocol: The protocol of the VLAN. For an explanation of the VLAN protocols, see above. VLAN MAC Address: Permanent MAC address of t
168. ng this type of connection, the first command must be the Logon command; once logon has been performed successfully, the Telnet CLI commands will be accessible. An initial HyperTerminal and Telnet password is provided with the FireProof, and this should be changed upon first-time configuration. Command Formats: General Description: Each CLI command consists of the following arguments: Get: Retrieves the required data. Update: Changes the specified data. Destroy (Delete): Deletes the specified data (this argument may not be available for all commands). Create (Add): Creates a new data entry (this argument may not be available for all commands). Help: Displays all available arguments, including Switches and Switch values (see page C-3). CLI commands that contain status fields may be updated with the following values: 1 (this value is equal to Enable), 2 (this value is equal to Disable), enable, disable. The syntax of each command for the CLI consists of the following: 1. Command Text: The text syntax for each command, for example arp get. 2. Optional Fields: These fields may be added to select a specific item, for example arp get interface net address. These fields will appear in this appendix as shown; if these fields are not added, the command will display all available items in a table format.
169. nicast (i.e. a subnetwork broadcast or subnetwork multicast) address, including those that were discarded or not sent. Output discarded packets: The number of outbound packets which were chosen to be discarded even though no errors had been detected, to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Packets with errors not transmitted: The number of outbound packets that could not be transmitted because of errors. Example Configurations: This chapter discusses FireProof example configurations. The following examples are included: Example 1: Simple FireProof Configuration, page A-2. Example 2: VLAN Configuration, page A-4. Example 3: One Leg Lollipop Configuration, page A-6. Example 4: Typical FireProof Configuration, page A-8. Example 5: Redundant FireProof Configuration. Example 6: Redundant FireProof Configuration Using VLAN, page A-14. Example 7: DMZ Support with Port Connectivity Rules, page A-17. Example 8: Application Grouping with FireProof. Example 9: QoS Used for Access Control. Example 10: Bandwidth Management. Example 1: Simple FireProof Configuration. [Figure: Router 100.1.1.10, 100.1.1.2, 100.1.1.1, Firewall]
ning the previously described fields.
Enter the parameters of the new basic filter in the fields provided.
Click Update. The Insert New Basic Filter Parameters dialog box closes.
In the Modify Basic Filter Table window, click Set. Your changes are made.

To edit a basic filter:
In the Modify Basic Filter Table window, select the basic filter you require to edit.
Click Edit. The Edit Basic Filter Parameters dialog box is displayed.
Adjust the values of the appropriate fields.
Click Update. The Edit Basic Filter Parameters dialog box closes.
In the Modify Basic Filter Table window, click Set. Your changes are made.

To delete basic filters:
In the Modify Basic Filter Table window, select the basic filter you require to delete.
Click Delete. The basic filter is highlighted in red.
Click Set. The basic filter is deleted.

To create a new advanced filter:
From the QoS menu, select Modify Policies and then choose Services.
From the secondary menu, select Advanced Filters. The Modify Advanced Filters Table window is displayed.
(Modify Advanced Filters Table window; Status: Finished / Error)
In the Modify Advanced Filters Table window, the following information is displayed:
• Advanced Filter Name: The user-defined name of the advanced filter. Advanced filters are a logical AND between other filters.
• Basic Filter Name: The user-defined name of the b
nipulate the data of the Interface Table. For more information, refer to Setting Up Interface Addresses and IP Router Options in Chapter 3, page 3-16.

Command / Syntax / Description / Example:

INF get
Syntax: inf get <interface address>
Description: Enables the user to view an existing Interface.
Example: inf get 1.1.1.1

INF update
Syntax: inf update <interface address> <network mask> <IF num>
Description: Enables the user to update (change) an existing Interface.
Example: inf update 1.1.1.1 255.0.0.0 1

INF destroy
Syntax: inf destroy <interface address>
Description: Enables the user to delete an existing Interface.
Example: inf destroy 1.1.1.1

INF create
Syntax: inf create (add) <interface address> <network mask> <IF num>
Description: Enables the user to create a new Interface.
Example: inf create 1.1.1.1 255.0.0.0 2

License Commands

This group of commands enables the user to view or change the device's license number.

license get
Syntax: license get
Description: Enables the user to view the device's license number.
Example: license get

license set
Syntax: license set <value>
Description: Enables the user to update (change) the device's license number.
Example: license set fp synapps Deghj yGS

Login / Logout Commands

login
Syntax: login <password>
Description: Enables the user to log in to the FireProof.
Command
not be removed from the firewall table. This limitation is set to ensure that routing to the Internet will always be available. It is important that one of the firewalls be configured as a default router to the Internet, or as a next hop router to the clients' subnet, as in the case of an external FireProof.
Note: Once a firewall is no longer a router, it can be deleted.

Appendix C ASCII Command Line Interface

Configuration of the FireProof may be completed using several different types of applications, such as Configware (refer to Chapter 3, Configuring FireProof) and the ASCII CLI described in this appendix. The Configware management software is user friendly, ideal for on-site configuration and for users accustomed to Windows-based software, but some users may simply prefer to configure the system through a command line. This appendix defines the commands for the FireProof's ASCII CLI in alphabetical order and refers the user to previous chapters for more information, as these commands are identical to those described previously in the Configware chapter.

The CLI is password protected, therefore:
• HyperTerminal Connection: Using this type of connection, the first command must be the Password command. Once the password is correctly entered, all other commands will be accessible.
• Telnet: Usi
o be problematic. Installing a firewall on a more powerful machine is costly and does not fully solve capacity-related problems, since the new firewall will eventually reach its maximum growth potential. Additionally, a single firewall is a single point of failure, causing an interruption in service when the firewall is busy or down.

Organizations encounter numerous problems when installing multiple firewalls. First, different client groups must be configured, which is a time-consuming procedure. Furthermore, multiple points of failure are created with the addition of each firewall. Since the traffic load is not dynamically shared between units, the firewalls are not used optimally. Finally, to achieve fault tolerance and redundancy between firewalls, hot standby or idle units must be deployed on the network.

The Solution

Radware's FireProof system answers the challenges of firewall performance and availability by providing load balancing and fault tolerance between all firewall units. In addition, Radware has designed the SynApps Architecture (1), which provides the following solutions:
• Health monitoring
• Traffic re-direction
• Bandwidth management
• Application security
Using this architecture, FireProof maximizes your site's performance, providing a high level of service at all times.

(1) The SynApps architecture is only available in the Application Switch platform.
od private 1, etc.
• Special Check Period: The time interval between queries for the requested parameters.
• Var1 Object ID: The SNMP ID of the first private variable to check.
• Var1 Weight: The relational weight for considering the value of the first parameter.
• Var2 Object ID: The SNMP ID of the second private variable to check.
• Var2 Weight: The relational weight for considering the value of the second parameter.
• Retries: Describes how many unanswered requests for a variable will make it be ignored in the load balancing decision.
• Community: The community name to use when addressing the server.

To configure private parameters load balancing:
In the Private Parameters Table window, choose a server.
Click Edit. The Private Parameters Table Edit dialog box is displayed.
Adjust the appropriate values.
Click Update. The Private Parameters Table Edit dialog box closes.
In the Private Parameters Table window, click Set. The algorithm is set.

Configuring Router Settings

FireProof offers IP routing compliant with RFC 1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. IP routing occurs at full Ethernet wire speed (10 Mbps) and extremely low latency is maintained. The IP router supports RIP I, RIP II and OSPF. OSPF is an intra-domain IP routing protocol intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as speci
(Software License Upgrade window: license code field showing the current code fp synapps GHJplK4 5; Status: Finished / Error)
Enter your new license code (located on your CD case) in the Insert your license code field.
Note: The license code is case sensitive.
Click Set. The Reset the Device window is displayed. You must reset the device in order to validate the license.
(Reset the Device dialog: "In order for the license to be valid, the device must be reset. NOTE: If you choose to perform this later, please remember to reset the device and then close and reconnect to the Configware." OK / Cancel)
Click OK to perform the reset. The reset may take a few minutes. A success message is displayed on completion.

The following procedure enables you to upgrade your software license using the ASCII CLI.

To upgrade the software license using ASCII commands:
1. In the command line interface, type license get.
2. Press Enter. The current license code is displayed.
3. Type license set <new license code>.
4. Press Enter. A "license updated" message is displayed in the command line.
Note: In order for the upgrade to be implemented, the device must be reset.
5. Type quit in order to reset the device, then type yes to confirm the reset.

Advanced Monitoring and Statistics

FireProof provides various statistics, including current
of assures that this single public IP is always online and is load balanced among the firewalls.
a. In the Virtual IP Table window (Device VLAN), insert a virtual IP address, for example 10.1.1.100. This is the public IP address representing the internal server 10.1.1.30.
b. In the Virtual IP Table window (Device VLAN), select the virtual IP address and click Opens Mapped Table, or select Mapped IP from the FireProof menu. For each Firewall IP address, insert the firewall IP, and for each Firewall NAT address, insert the Firewall NAT for the server. For example: NAT 30.1.1.30 for firewall 1 and NAT 30.1.1.31 for firewall 2.
When proxy firewalls are used, a Virtual IP should be configured on FireProof 1.
It is recommended to use Full Path Health Monitoring to ensure the remote side of the firewall is operational. In the Firewall Table window (FireProof > Firewall Table), select a firewall and click Full Path Health Monitoring. For example, configure the internal IP of FireProof 2 (30.1.1.10) as the Check Address for each of the firewalls configured in FireProof 1, and vice versa: use IP 20.1.1.10 for the Check Address of the firewalls configured in FireProof 2.

Example 5: Redundant FireProof Configuration

(Figure A-5 Redundant FireProof Units: Firewall 1, Firewall 2, 20.1.1.10, 20.1.1.11, FireProof 1 (Primary), FireProof 2 (Backup))
og box closes.
In the Modify Network Table window, click Set. Your changes are made.

To edit a network:
In the Modify Network Table window, select the network you require to edit.
Click Edit. The Edit New Network Parameters dialog box is displayed.
Adjust the values of the appropriate fields.
Click Update. The Edit New Network Parameters dialog box closes.
In the Modify Network Table window, click Set. Your changes are made.

To delete networks:
In the Modify Network Table window, select the network you require to delete.
Click Delete. The network is highlighted in red.
Click Set. The network is deleted.

Modifying Services

Configware enables you to view active services as well as configure new ones. You can define services that will be used by the device, which are kept in the active part of the database, and you can define services that will be kept in a separate temporary database until such time as they are required. Refer to Viewing Active Policies on page 3-100 for further details.

You can create basic filters and then combine them with logical conditions to achieve more sophisticated filters, as shown in the Modify Advanced Filters Table window. Use filter groups for a logical OR between filters and advanced filters for a logical AND between filters.

You can also add, modify and delete the filters that build the service
olicies on page 3-99 for further details. You can add, modify and delete these networks according to your requirements.

To create a new network:
1. From the QoS menu, select Modify Policies and then choose Networks. The Modify Network Table window is displayed.
(Modify Network Table window, device 176.200.116.21: columns Network Name, Network Mode, IP Address, Address Mask, From Address, To Address; sample row: any, IP range, 0.0.0.0, 0.0.0.0, 0.0.0.0, 255.255.255.255; Status: Finished / Error)
In the Modify Network Table window, the following information is displayed:
• Network Name: The user-defined network name.
• Network Mode: The network mode is either IP Mask or IP Range.
• IP Address: The IP address of the subnet.
• Address Mask: The mask address of the subnet.
• From Address: The first IP address in the range of addresses.
• To Address: The last IP address in the range of addresses.
Note: In order to simplify configuration, a network can consist of a combination of network subnets and ranges. For example: Range 176.200.100.0 to 176.200.100.255; Subnet 172.0.0.0, mask 255.0.0.0.
2. Click Insert. The Insert New Network Parameters dialog box is displayed, containing the previously described fields.
3. Enter the parameters of the new network in the fields provided.
4. Click Update. The Insert New Network Parameters dial
on window.
• IP address: The IP address of the interface is the only mandatory parameter. This address is used for SNMP management.
• IP subnet mask: The IP subnet mask address of the device. The default value of this parameter is the mask of the IP address class.
• Port number: The port number to which the IP interface is defined. The default value is 1. Other possible values include 1 2, or 1 2 3 4, or 1 2 3 4 5 6 7 8 9 10, or 100001. If you enter 100001, all the ports are included in the IP VLAN and the IP interface therefore sits on the IP VLAN.
• Default router IP address: The IP address of the router through which the NMS can be reached. The default value for this parameter is disable (the default router IP address is disabled).
• RIP version: The RIP version used by the network router. The default value for this parameter is disable.
• OSPF enable: This parameter enables or disables the OSPF protocol. The default value is disable.
• OSPF area ID: When the OSPF protocol is enabled, you can enter an area ID other than the default value. Enter an ID in the form of an IP address. The default value is 0.0.0.0.
The three remaining parameters are only necessary when the NMS is remote to the device. They offer three different ways to connect to the remote NMS. If the NMS is remote, enter a value for at least one of the three options.
• NMS IP addres
ons

OVERCURRENT PROTECTION: A readily accessible, listed branch circuit over-current protective device (15 A) must be incorporated in the building wiring.

Caution: To Reduce the Risk of Electrical Shock and Fire
1. All servicing should be undertaken only by qualified service personnel. There are no user-serviceable parts inside the unit.
2. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
3. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
4. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet housing the fuse.
5. DO NOT operate the unit in a location where the maximum ambient temperature exceeds 40 degrees C.
6. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.

Attention (French version of the caution above, translated): To Reduce the Risks of Electrocution and Fire
1. All maintenance operations shall be carried out ONLY by qualified maintenance personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power on or attempt to use a unit that is obviously defective.
3. Make sure that the chassis ventilation openings ARE NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and the same rating as indicated on the label
oof
2. In the General Options window, click Configuration. The Configuration options are displayed in the General Options window.
(General Options window: Configuration)
3. Click Edit Device List. The Edit the Device List window is displayed.
(Edit the Device List window listing a device named Radware and its IP address)
4. In the Edit the Device List window, click Insert. The Insert a Device dialog box is displayed.
(Insert a Device dialog: Device Name; IP Address 176.100.100.100; OK / Cancel)
5. Enter the Device Name and IP Address in the fields provided.
6. Click OK. The Device Name and IP Address are displayed in the Edit the Device List window.
7. Click Set to save the device information you entered, then click Close Screen.

To edit existing devices in the device list:
1. From the Configware window, click Options. The General Options window is displayed.
2. In the General Options window, click Configuration. The Configuration options are displayed in the General Options window.
3. In the Configuration window, click Edit Device List. The Edit the Device List window is displayed.
4. From the list, choose the device you require to edit.
5. Click Edit. The Edit a Device dialog box is displayed.
6. Edit the Device Name and the IP Address in the fields provided.
7. Click OK. The Edit
or current status of the device and its interfaces.

Viewing Traps

Use the General Traps Table window to view the traps that have occurred on all of the devices monitored by Configware.

To access the General Traps Table:
1. From the Configware window, click Options. The General Options window is displayed.
2. In the General Options window, click Traps. The General Traps Table is displayed.
(General Options window, General Traps Table: columns Trap number, Severity, Date, Time, Source, Information; option "Beep when a trap arrives"; Status: Finished / Error)
The General Traps Table window records the following:
• Trap number: The number of the trap. Traps are numbered in the order that they occur.
• Severity: The level of the trap's severity. Trap severity ratings include, in increasing order of severity: Informational, Warning, Error and Fatal.
• Date: The date that the trap occurred.
• Time: The time that the trap occurred.
• Source: The IP address that caused the trap.
• Information: Description of the trap.
Note: Traps are only displayed in this window when the device is configured to send traps to the management station, and only traps that are sent whilst this window is open are d
or further details.

Configuring Static Smart NAT

You use Static Smart NAT to ensure delivery of specific traffic to a particular server on the internal network. For example, FireProof uses Static Smart NAT (meaning predefined addresses mapped to a single internal host) to load balance traffic to this host among multiple transparent traffic connections. This ensures that return traffic uses the same path and also allows traffic to this single host to use multiple ISPs transparently. You assign multiple Static Smart NAT addresses to the internal server, one for each ISP address range.
Note: Static Smart NAT addresses cannot be part of the Dynamic NAT IP pool.

You use the Smart Static NAT Table window to assign NAT addresses to a local server.

To access the Smart Static NAT Table window:
• From the FireProof menu, select Smart NAT and then choose Static NAT. The Smart Static NAT Table window is displayed.
(Smart NAT Static Table window, device 176.200.116.21: columns From Local Server IP, To Local Server IP, Router IP, From Static NAT, To Static NAT, Redundancy Mode; Status: Finished)
Note: The ranges must be of equal size.
The Smart Static NAT Table window contains the following fields:
• From Local Server IP: The IP address of the local server.
• To Loc
oring. For example, configure the router at 20.1.1.100 as the Check Address for each of the firewalls.

Example 4: Typical FireProof Configuration

(Figure A-4 Typical FireProof Configuration: 100.1.1.20; 100.1.1.10; FireProof 2, 30.1.1.10; NAT 30.1.1.31 for 10.1.1.30; NAT 30.1.1.30 for 10.1.1.30; Firewall 2; FireProof 1, 10.1.1.10; Local Network 10.1.1.X; 10.1.1.30)

Properties
• Typical configuration when inbound traffic is required to servers on the local subnet, with or without NAT configured for the firewalls. The Local Network Side and the Firewall Side are on different subnets.
• The firewalls can be configured with NAT for all the clients on the local network or for some of them. This configuration caters to transparent firewalls and firewalls that implement NAT. When static NAT is used on the firewalls, a virtual IP address is created on the external FireProof to ensure that different NAT addresses on different firewalls for a single internal host are seen as a single public address. This provides load balancing and high availability between the NAT addresses.

Configuration
1. Define two IP interfaces on FireProof 1: one with a 10.1.1.10 address and one with a 20.1.1.10 address.
2.
ort number.
• Available Bandwidth (kbps): The bandwidth available to the specific port.
• Used Bandwidth (kbps): The amount of bandwidth used on the specific port.
Select the port for which you require to edit the bandwidth.
Click Edit. The Edit Port Bandwidth Parameters dialog box is displayed.
Edit the information in the appropriate fields according to your requirements.
Click Update. The Edit Port Bandwidth Parameters dialog box closes.
In the Port Bandwidth Table window, click Set. Your changes are recorded.
In the Port Bandwidth Table window, click Close Screen. The Global Parameters window is displayed.

Viewing Active Policies

Configware enables you to view active policies as well as configure new ones. The Bandwidth Management solution uses a policy database which is made up of two sections. The first is the temporary, or inactive, portion. These policies can be altered and configured without affecting the current operation of the device. As these policies are adjusted, the changes are not in effect unless the inactive database is activated. The activation basically updates the active policy database, which is what the classifier uses to sort through the packets that flow through it. You can modify these policies according to your requirements at any given time. These options are discussed in the following section.

To view active policies:
pair of the opened instrument under voltage should be avoided as much as possible and, when inevitable, should be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING: Before connecting this instrument to the power line, the protective earth terminals of this instrument must be connected to the protective conductor of the mains power cord. The mains plug shall only be inserted in a socket outlet provided with a protective earth contact. The protective action must not be negated by use of an extension cord (power cable) without a protective conductor (grounding).

FUSES: Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.

LINE VOLTAGE: Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument.

WARRANTY: This Radware Ltd. product is warranted against defects in material and workmanship as follows: Hardware, for a period of 15 months
pfftbl update <table size>

tune router table get
Syntax: tune routtbl get

tune router table update
Syntax: tune routtbl update <table size>

Descriptions:
• Enables the user to update the Client Table size. Example: tune clnttbl update 20000
• Enables the user to view the Tune Dynamic Proximity Table. Example: tune dynamic Proximity tbl get
• Enables the user to update the Dynamic Proximity Table size. Example: tune dynamic Proximity tbl update 1
• Enables the user to view the Tune IP FFT Table. Example: tune ipfftbl get
• Enables the user to update the IP FFT Table size. Example: tune ipfftbl update 8000
• Enables the user to view the Tune Router Table. Example: tune routtbl get
• Enables the user to update the Router Table size. Example: tune routtbl update 512

Unset IP OSPF Debug

This command enables the user to reset the IP OSPF debug data. The syntax for this command is as follows:
unset ip ospf debug <flag name>
The possible flags for the unset ip ospf debug command are the following: hello, dd, req, lsu, ack, build_lsa, run_spt, tx_lsa, rx_lsa, trap, timer, trans, packet, mem, general, error, rx_all (group flag), all (group flag).
Example: unset ip ospf debug hello
r: Direction; pr: Priority; po: Physical Port; t: Type; de: Description; bw: Bandwidth; pt: Policy Type; p: Policy; os: Operational Status.

Description: Displays the Policy Table. Example: bwm policy actual get
Description: Enables the user to retrieve information for an existing BWM temporary policy table. Example: bwm policy temp get httpPolicy

BWM Policy temp update
Syntax: temp update <name> <switch> <value>
Description: Enables the user to update information for an existing BWM temporary policy table.
Example: bwm policy temp update httpPolicy bw 500

BWM Policy temp destroy
Syntax: temp destroy <name> <index>
Description: Enables the user to delete an existing BWM temporary policy table.
Example: bwm policy temp destroy httpPolicy

BWM Policy temp create
Syntax: temp create <name> ds <destination> s <source> 1 <index> <switch> <value>
Description: Enables the user to create a new BWM temporary policy table.
Example: bwm policy temp create httpPolicy 1 2 ds any s any pt filter p http bw 200

BWM Service

This group of commands enables the user to manipulate the data of the BWM service. Entering the bwm service command will display the following options: Ad
2. Click Insert. The Community Table Insert dialog box is displayed.
3. In the Management Address field, enter the IP address of the management station.
4. In the Community String field, enter the name of the management station.
5. In the Community Access field, choose the type of access.
6. In the Send Traps field, enable or disable the traps feature.
7. Click Update. The Community Table Insert dialog box closes.
8. In the Community Table window, click Set.

To edit an existing community management station:
1. In the Community Table window, click Edit. The Community Table Edit dialog box is displayed.
2. In the Community Access field, choose the type of access.
3. In the Send Traps field, enable or disable the traps feature.
4. Click Update. The Community Table Edit dialog box closes.
5. In the Community Table window, click Set.

Setting Physical Port SNMP Restrictions

SNMP provides its own inherent security mechanism through the use of the Community table. Although SNMP community tables provide security, extra provisions may be necessary, especially given FireProof's role in providing overall network security. FireProof provides additional security by allowing you to restrict which physical ports accept SNMP messages. By restricting SNMP access to specific ports, you can limit access to FireProof management to those areas on the network where authorized users are
rams: The total number of input datagrams received from interfaces, including those received in error.
• Total SNMP messages received: The total number of messages delivered to the SNMP entity from the transport service.
• Total SNMP output messages passed: The total number of SNMP messages which were passed from the SNMP protocol entity to the transport service.

IP Interface Statistics

To graph IP interface statistics:
1. From the Performance menu, choose IP Statistics. The IP Statistics window is displayed.
(IP Statistics window: columns Interface Number and IP Address; entries 1, 2, 100001; 176.200.99.99; Status: Finished / Error)
2. From the IP Statistics window, select a table entry.
3. Click Perform. The IP Statistics Table window is displayed.
4. From the Optional Counters list, choose the counters to graph.
5. Click Show Graph. The IP Statistics Graph window is displayed.
You can change the look and behavior of the graph using the control panel.

To access the control panel:
• Click Control Panel. The Control Panel contains the following menus:
• Graph Type: The graph type menu contains a selection of different graph views, including Bar, Area Plot, Scatter Plot, Stacking Bar, Stacking Area and Pie.
• Data Buffer Size: The number of past graph
re more than one FireProof device on a network, so that one will act as a back-up to a main device. In this case, a failure of any network interface on the main FireProof will fail the whole device, and the backup device, previously idle, will take over all activity.
Note: Two FireProof devices in a network should be configured in exactly the same way, with the exception of the redundancy configuration and IP addresses.

To enable the back-up device:
1. From the FireProof menu, select Redundancy and then choose Global Configuration. The Global Redundancy Configuration window is displayed.
(Global Redundancy Configuration window: IP Redundancy Admin Status: Disabled; Interface Grouping: Disabled; VLAN Redundancy: Active; Backup Fake ARP: Enabled; Status: Finished / Error)
2. In the Global Redundancy Configuration window, ensure that IP Redundancy Admin Status is enabled.
3. Ensure that Interface Grouping is disabled.
4. Ensure that VLAN Redundancy is set to Active only when the device is configured in VLAN Redundancy mode. This means no traffic is forwarded by this redundant (or back-up) device if the main device is active.
Note: If your network is set up as a VLAN, configure the back-up device before you configure your main device.
5. Enable Backup Fake ARP to allow the backup device to perform a fake ARP. Fake ARP is an ARP packet sent by the backup device that
ring Service Parameters 3-78; Configuring Static NAT 3-25; Configuring Via File 3-89; Configuring VLAN Parameters 3-14; Connecting to a Device 3-7; Controlling Traffic to Newly Booted Firewalls 3-39; Creating Rules for Port Connection; Creating Virtual IP Addresses 3-22; Creating Fone Configuration File G-2; Configuring the IP Host Parameters; Configware Software Installation 2-11; Connecting FireProof to Your Network; Connectivity G-2; Connectivity Rules G-3; Customized Agent Support G-3

D: Defining Load Balancing Algorithms; Defining the Number of Retrievable Entries 3-41; Device Tuning 3-86; Diagnostics; DMZ Support with Port Connectivity Rules A-17; Dynamic NAT G-3

E: Element Statistics 4-2; Example Configurations A-1; Extended Health Monitoring G-4; Event Log 3-8

F: Full Path Health Monitoring 3-38; FireProof Redundancy G-4; FireProof Specifications and Requirements 2-9; Firewall Grouping G-4; Firewall Recovery Period G-4

G: Getting Device Information 3-81; Getting Started; Global Configuration 3-41

H: Hardware Application Switch Platform 2-9; Hardware Fast Ethernet Platform; Hardware Requirements 2-10

I: Installing FireProof 2-1; Introducing FireProof (FP) 1-1; The Problem 1-2; The Solution 1-2; IP Interface G-5; IP Interface Statistics 4-9; IP Routing G-5

L: LAN Connections 2-4
rity 3-92; Setting Up Security; Setting Up a VLAN 3-12; Setting Up Application Grouping 3-36; Setting Up Destination Grouping 3-34; Setting Up Firewalls 3-19; Setting Up Redundant FireProof Devices 3-46; Setting Up Source Grouping 3-35; Smart NAT; Standalone; Software License Upgrade; Software Requirements 2-10; Static NAT G-8; Syslog Support; Syslog Reporting 3-79

T: Troubleshooting B-1; Tune Table G-9; Typical FireProof A-8

U: Updating Software; Using Buttons 3-3

V: Viewing Active Clients 3-40; Viewing Differentiated Services; Viewing Interface Parameters 3-82; Viewing Traps 3-8; Virtual Interface (VLAN) G-9; Virtual IP; VLAN Configuration A-4; VLAN Types G-10

W: Web Based; Windows NT Load Balancing 3-52

Z: Zoom View 3-8

Configware Action Buttons Index

Adding Ports to VLAN; Browse; Cancel; Close Screen; Control Panel; Convert Files; Delete; Delete All; Delete Data Files; Edit; Edit Default Policy; Edit Device List; Error Log; Full Path Health Monitor; Generate Graph; Insert; Left Arrow; Show Graph; Opens Mapped Table; Start Data Collection; Stop Data Collection; Perform; Properties; Update; Refresh; Return
194. announces when the main device is back online. The default is enabled.
Note: In networks with layer 3 switches, the Fake ARP may confuse the switch during the redundancy process. In this case, disable this option.
6. Click Set. Your changes are made.
To enable the main device:
Note: Before you enable the main device, ensure that VLAN Redundancy Device Mode is set to Regular.
1. From the FireProof menu, select Redundancy and then choose Global Configuration. The Global Redundancy Configuration window is displayed.
2. In the Global Redundancy Configuration window, ensure that IP Redundancy Admin Status is disabled.
3. Ensure that Interface Grouping is enabled.
4. Ensure that VLAN Redundancy is set to Active or Backup, depending on your requirements.
Note: If your network is working in VLAN mode, the Firewall configuration does not need to be changed, but clients should be configured to use the FireProof as their Default Gateway or next hop router.
5. Click Set. Your changes are made.
Configuring IP Router Redundancy
You should define the interfaces of the backup device and the associated interfaces of the main FireProof. When the backup FireProof detects a failure at the main FireProof interfaces, it will take over. You use the IP Redundancy Table window to configure redundancy.
To access the IP Redundancy Table window:
- From the FireProof menu, select Redundancy and then choose Redunda
195. To access the Backup Device Mirroring Parameters window:
- From the FireProof menu, select Redundancy, then Mirroring, and then choose Backup Device Parameters. The Backup Device Mirroring Parameters window is displayed.
Backup Device Mirroring Parameters window (screenshot, device 176.200.99.99): Mirroring Status: Enabled; IP Address of the Active Device; Status: Finished.
The Backup Device Mirroring Parameters window contains the following fields:
- Mirroring Status: Enables or disables the mirroring feature.
- IP Address of the Active Device: The IP address to which the traffic containing the mirrored information is sent.
To set up mirroring:
1. In the Active Device Mirroring Parameters window, adjust the appropriate values.
2. Click Set. Your changes are made.
3. Close the Active Device Mirroring Parameters window.
4. From the FireProof menu, select Redundancy, then Mirroring, and then choose Backup Device Parameters. The Backup Device Mirroring Parameters window is displayed.
5. Adjust the appropriate values.
6. Click Set.
7. Restart the device.
Configuring a Remote Virtual IP Address
Most FireProof installations require two devices, one for internal and another for external use. In this setup, the internal FireProof ca
196. ror active address>
Description:
- Enables the user to view the Mirror Polling time. Example: redund mirror active polling get
- Enables the user to change the Mirror Polling time. Example: redund mirror active polling update 10
- Enables the user to view the Mirror Backup Status. Example: redund mirror backup status get
- Enables the user to change the Mirror Backup Status. Example: redund mirror backup status update enable
- Enables the user to view the Application Mirror Table. Example: redund mirror backup status get 0.0.0.0
Redundant Mirror Table
Command Syntax:
- redundant mirror backup table destroy: redund mirror backup table destroy <mirror active address>
- redundant mirror backup table create: redund mirror backup table create <mirror active address>
Redundancy Status
Command Syntax:
- redundancy status get: redund status get
- redundancy status update: redund status update <value>
Description:
- Enables the user to delete an entry from the Application Mirror Table. Example: redund mirror backup status destroy 0.0.0.0
- Enables the user to create an entry in the Application Mirror Table. Example: redund mirror backup status create 0.0.0.0
- Enables the user to view the Redundant Admin Status
197. roy: vip virtual destroy <virtual ip>
- VIP virtual create: vip virtual create <virtual ip> m <mode>
Description:
- Enables the user to view the Virtual IP table. Example: vip virtual get
- Enables the user to update an entry in the Virtual IP table. Example: vip virtual update
- Enables the user to delete an entry in the Virtual IP table. Example: vip virtual destroy
- Enables the user to create an entry in the Virtual IP table. Example: vip virtual create
VLAN
This group of commands enables the user to manipulate the SSD VLAN table data. For more information, refer to Setting Up a VLAN in Chapter 3, page 3-12.
The possible Switch values for the vlan command are the following:
- a: Auto Configure
- t: Type
- ta: VLAN Tag
- p: Priority
The possible values for the Protocol field for the vlan command are the following:
- other
- IP
- swVLAN
Command Syntax:
- VLAN get: vlan get <interface number>
- VLAN update: vlan update <interface number> <switch> <value> (switch/value pairs may be repeated)
- VLAN destroy: vlan destroy <interface number>
- VLAN create: vlan create <interface number> <protocol> <switch> <value>
Description:
- Enables the user to view the specified SSD VLAN int
198. s according to your requirements.
To create a new basic filter:
1. From the QoS menu, select Modify Policies and then choose Services. From the secondary menu, select Basic Filters. The Modify Basic Filter Table window is displayed as shown below.
Modify Basic Filter Table (device 176.200.116.21):
  #   Basic Filter Name   Description
  1   hdc4   High Drop Class 4     IP 0 0 0 oneByte 1 9
  2   mdc4   Medium Drop Class 4   IP 0 0 0 oneByte 1 9
  3   ldc4   Low Drop Class 4      IP 0 0 0 oneByte 1 8
  4   hdc3   High Drop Class 3     IP 0 0 0 oneByte 1 7
  5   mdc3   Medium Drop Class 3   IP 0 0 0 oneByte 1 7
  6   ldc3   Low Drop Class 3      IP 0 0 0 oneByte 1 6
  7   hdc2   High Drop Class 2     IP 0 0 0 oneByte 1 5
  8   mdc2   Medium Drop Class 2   IP 0 0 0 oneByte 1 5
  9   ldc2   Low Drop Class 2      IP 0 0 0 oneByte 1 4
  10  hdc1   High Drop Class 1     IP 0 0 0 oneByte 1 3
  11  mdc1   Medium Drop Class 1   IP 0 0 0 oneByte 1 3
  12  ldc1   Low Drop Class 1      IP 0 0 0 oneByte 1 2
  13  000    Routine               IP 0 0 0 oneByte 1 0
  14  001    Priority              IP 0 0 0 oneByte 1 2
  15  010    Immediate             IP 0 0 0 oneByte 1 4
  16  011    Flash                 IP 0 0 0 oneByte 1 6
  17  100    ToS Flash Override    IP 0 0 0 oneByte 1 8
  18  101    CRITIC ECP            IP 0 0 0 oneByte 1 A
  19  110    Internetwork Control  IP 0 0 0 oneByte 1 C
In the Modify Basic Filter Table window, the following information is displayed:
- Basic Filter Name: The user define
199. s: The required NMS IP address. Enter a value if you want to limit the device to a single specified NMS. The default value is 0.0.0.0 (any NMS).
- Community name: The community name of the device. The default community name is public. Enter a different name that you want as the community name.
- Configuration file name: The name of the file, in a format required by the server, which contains the configuration. Select this parameter when you need to download a configuration file from an NMS. The file must, however, be located on the NMS, and the NMS must be located on a TFTP server. When you exit the Startup Configuration window, the device loads that configuration file from the NMS, resets and starts operating with the new configuration. The default value is no name.
Note: FireProof enters a default value for the parameters that are incomplete, with the exception of the IP Address, which is mandatory. A validity check of all the parameters is then performed.
To manually configure the IP host parameters of the device in the Fast Ethernet platform:
1. Ensure that the ASCII terminal is connected to the device.
2. Turn on the power to the device. The terminal displays the Startup Menu window, as shown below, within three seconds.
Startup Menu
1 Download sw
2 Erase config
3 Erase nvram
Select one of the three options to either download soft
200. s Enable rule: The SNMP Ports table.
The possible port states for the snmp rule command are the following:
- 1: Accept
- 2: Ignore
Command Syntax:
- SNMP community get: snmp communty get <mng station address> <com string>
- SNMP community update: snmp communty update <mng station address> <com string> <switch> <value>
- SNMP community destroy: snmp communty destroy <mng station address> <com string>
Description:
- Enables the user to view the SNMP Community table. Example: snmp communty get 1.1.1.1 public
- Enables the user to update an entry in the SNMP Community table. Example: snmp communty update 1.1.1.1 public o super
- Enables the user to delete an entry in the SNMP Community table. Example: snmp communty destroy
Command Syntax:
- SNMP community create: snmp communty create <mng station address> <com string> <switch> <value>
- SNMP rule get: snmp rule get <port number>
- SNMP rule update: snmp rule update <port number> <port state>
Description:
- Enables the user to create an entry in the SNMP Community table. Example: snmp communty create 1.1.1.1 public o super
- Enables the user to view the SNMP Ports table. Example: snmp rule get 1
- Enables the user to update an entry in the SNMP Ports table. Example: snmp rule
201. s displayed.
Community Change dialog (screenshot): New Community password.
2. Type in the new community name.
3. Click OK.
Syslog Reporting
FireProof can issue syslog messages when a device running the syslog service (syslogd) is present.
To enable syslog messages:
1. From the Device menu, choose Syslog Reporting. The Syslog Reporting window is displayed.
Syslog Reporting window (screenshot): Syslog Operation: Disable; Syslog Station Address: 0.0.0.0; Status: Finished.
2. Set the Syslog Operation to Enable.
3. Enter the IP address of the device running the syslog service (syslogd) in Syslogd Station Address.
4. Click Set. Syslog reporting is enabled.
Event Log
You can view a log of the events on the device.
To view the event log:
- From the Services menu, choose Event Log. The Event Log window is displayed as shown below.
Event Log (device 176.200.116.66):
  Event   Description
  01 00 1970 00 00 14   ERROR INIT_ifTable illegal MAC Address in 100001
  01 00 1970 00 00 54   ERROR Errors occured during init
To refresh the event log:
- From the Event Log window, click Refresh.
To clear the event log:
- From the Event Log window, click Delete All.
202. s> <subnet mask> <firewall ip address>
- destination subnet group table destroy: group dest destroy <dest subnet address> <subnet mask> <firewall ip address>
Description:
- Enables the user to create an Application Port Group Table entry. Example: group applport create
- Enables the user to view the Destination Subnet Group Table. Example: group dest get 2.2.2.2
- Enables the user to update a Destination Subnet Group Table entry. Example: group dest update
- Enables the user to delete a Destination Subnet Group Table entry. Example: group dest destroy
Command Syntax / Description:
- destination subnet group table create: group dest create <dest subnet address> <subnet mask> <firewall ip address>. Enables the user to delete a Destination Subnet Group Table entry. Example: group dest create
- destination subnet group table get: group source get <source subnet IP address> <source mask> <firewall ip address>. Enables the user to view the Source Subnet Group Table. Example: group source get
- destination subnet group table update: group source update. Enables the user to update a Source Subnet Group Table entry. Ex
203. samples stored. The greater the number, the more samples are stored for later review.
- Monitor Size: The number of graph samples that are displayed on the screen.
- Sample Time: The amount of time between samples, in seconds.
- Presentation Units: The average number of events per number of seconds entered here, based on the total number of events recorded for the duration of the Sample Time. For example, if the Presentation Units is set as 1 and the Sample Time is set as 5, the graph will display the average number of events per 1 second based on the last 5 seconds of data. Changing the value of the Presentation Units will change the display of all graphs still in the buffer.
To review the last compiled graph:
- Click Show Last. The last graph that was compiled is displayed.
The following counters can be graphed:
- Interface's RIP response packets discarded: The number of RIP response packets received by the RIP process which were subsequently discarded for any reason (e.g. a version 0 packet or an unknown command type).
- Interface's RIP routes ignored: The number of routes in valid RIP packets which were ignored for any reason (e.g. unknown address family or invalid metric).
- Interface's RIP: The number of triggered RIP updates actually sent on this interface. This explicitly does NOT include full updates sent containing new information.
204. scription:
- Enables the user to view the specified vlan interface port data. Example: vlanport get 100001 4
- Enables the user to update the specified vlan interface port data. Example: vlanport update 100001 4 t tag
- Enables the user to delete the specified vlan interface port data. Example: vlanport destroy 100001 4
- Enables the user to create a new vlan interface port. Example: vlanport create 100001 4 t untag
- Enables the user to view online help for the vlanport command. Example: vlanport help
Software License Upgrade
This appendix describes the software license upgrade. Radware releases updated versions of FireProof software that can be uploaded to your device using the following procedures:
- To upgrade the software license using Configware (page D-2)
- To upgrade the software license using ASCII commands (page D-3)
The following procedures explain how to upgrade your software via Configware or the ASCII CLI.
To upgrade the software license using Configware:
1. Access Configware.
2. From the Device menu, select License Upgrade. The License Upgrade dialog box is displayed as shown below. The old license number is displayed in the Insert your license code field.
License Upgrade dialog box (screenshot): MAC Address 00 00 80 00 00 00; Insert your license c
205. service, or as a network node which reads the Type of Service (ToS) bits in order to provide the appropriate type of service as indicated by the bits. In addition, you can define Diffserv policies that will be used by the device, which are kept in the active part of the policy database, and you can define policies that will be kept in a separate temporary database until such time as they are required. Refer to Viewing Active Policies on page 3-100 for further details.
The following procedures enable you to view, modify and set Diffserv policies.
To view the Active Diffserv Policies Table:
- From the QoS menu, select Diffserv and then choose View Active Diffserv Policies. The Active Diffserv Policies Table window is displayed as shown below.
Active Diffserv Policies Table (device 176.200.116.21), columns: DSCP, Priority, Bandwidth, Number of Packets Matched, Bandwidth Used, Average Bandwidth, Peak Bandwidth.
In the Active Diffserv Policies Table window, the following information is displayed:
- DSCP: Refers to Differentiated Services Code Point, which is the Diffserv value.
- Priority: The priority for packets carrying the Diffserv value, by which it is forwarded. Either Real time or a value of 0-7, 7 being the lowest priority. The default is 4.
- Bandwidth: Disp
206. The following fields are displayed in this dialog box:
- Start Protection: Select Enabled to enable application security.
- Alerts Table Size: Define the size of the Alerts Table.
- Traps Sending: Select Enabled to enable traps to be sent. When enabling Trap Sending, traps are sent to the management station as configured in Setting Up Security on page 3-71.
2. Click Set.
3. Click Close Screen to exit the dialog box.
You can define the security policy for your network using the Security Policy window.
To define the security policy:
1. From the Security menu, select Application Security and then choose Security Policy. The Security Policy window is displayed.
Security Policy window (device 1.100.100.100): Please select the components that best describe your web environment.
- Protection: Standard Protection
- Web Servers: Generic Web Server Protection; Unix Platform Based; IBM Lotus; Microsoft IIS; Microsoft FrontPage extensions; Apache web server; Netscape web server; Novell web server; Oracle web server; Omni web server; WebSite & WebSitePro web servers; SGI's IRIX web server; NCSA web server; Compaq web server
- Web Applications: Allaire ColdFusion web application
- Backdoor/Trojan Protection
The che
207. st packet was transferred during the current session.
- Attachment Time: The time that the client was first attached to the firewall.
To find a specific client:
1. From the FireProof menu, select Clients and then choose Find Client. The Client Searching window is displayed.
2. In the Client IP field, enter the IP address of the client.
3. Click Refresh. Information about the client is displayed.
Defining the Number of Retrievable Entries
The number of entries retrieved for any table in Configware can be pre-defined in the Configuration part of the General Options window. This is particularly beneficial for the Client Table, which supports 1,000,000 entries in the Application Switch platform; the Client Table window cannot accommodate this quantity of entries.
To define the number of retrievable entries:
1. From the opening Configware window, click Options. The General Options window is displayed.
2. Select Configuration from the right-hand side of the window.
3. From the three fields displayed in the SNMP/TFTP Configuration area, select the SNMP Get Next Limit field.
4. Adjust the number in the field to the required number of retrievable entries to be displayed in the Configware software tables, and then click Set.
5. Click Refresh in the Client Table window, for example, to view the pre-defined number of retrievable entries.
Global Configuration
208. t ARP Table. The Global ARP Table window is displayed as shown below.
Global ARP Table (device 176.200.99.99):
  #  Interface  IP Address      MAC Address        Class
  1  100001     176.200.102.74  00 02 B3 17 1F E4  Dynamic
  2  100001     176.200.104.35  00 D0 B7 80 30 03  Dynamic
The Global ARP Table window includes the following fields:
- Interface Number: The interface number on which the station resides.
- IP Address: The station's IP address.
- MAC Address: The station's MAC address.
- Class: Entry type. Dynamic: The entry is learned from the ARP protocol; if the entry is not active for a predetermined time, the node is deleted from the table. Static: The entry has been configured by the network management station and is permanent.
To define new ARP addresses:
1. In the Global ARP Table window, click Insert. The Global ARP Table Insert dialog box is displayed.
2. Adjust the appropriate values.
3. Click Update. The Global ARP Table Insert dialog box closes.
4. In the Global ARP Table window, click Set. Your changes are recorded.
To edit an existing ARP address:
1. In the Global ARP Table window, choose the ARP addr
209. t IP Router and then choose Operating Parameters. The IP Router Parameters window is displayed as shown below.
IP Router Parameters (device 176.200.99.99): Inactive ARP Time Out; ARP Proxy: Disabled; ICMP Error Messages: Enabled.
The IP Router Parameters window contains the following fields:
- Inactive ARP Time Out: How many seconds can pass between ARP requests concerning an entry in the ARP table. After this period, the entry is deleted from the table.
- ARP Proxy: Whether the device responds to ARP requests for nodes located on a different direct subnet. The device responds with its own MAC address. When ARP Proxy is disabled, the device responds only to ARP requests for its own IP addresses.
- ICMP Error Messages: Whether ICMP error messages are generated.
To adjust IP Router operating parameters:
1. In the IP Router Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.
Configuring Interface Parameters
To access the IP Router Interface Parameters window:
- From the Router menu, select IP Router and then choose Interface Parameters. The IP Router Interface Parameters window is displayed as shown below.
IP Router Interface Parameters (device 176.200.99.99), columns: If Num, IP Address, Network Mask, Fwd Broadcast, Broad
210. t the values in the following fields:
- Destination IP Address: Set to x.x.x.x.
- Network Mask: Set to x.x.x.x.
- Next Hop: Address of the next system of this route, local to the interface.
- IF Number: The IF Index of the local interface through which the next hop of this route is reached.
- Metric: Number of hops to the destination network.
- Protocol: Through which protocol the route is known.
- Type: How remote routing is handled. Remote: Forwards packets. Reject: Discards packets.
Click Update. The IP Routing Table Insert dialog box closes.
In the IP Routing Table window, click Set. The default router is set.
Setting Up Firewalls
FireProof balances loads among firewalls transparently. This section includes the following information:
- Configuring Firewalls (page 3-20)
- Creating Virtual IP Addresses (page 3-22)
- Mapping NAT Addresses to Virtual IP Addresses (page 3-24)
- Smart NAT (page 3-25)
- Creating Rules for Port Connection (page 3-31)
- Configuring Application Aging (page 3-32)
- Configuring Firewall Grouping (page 3-34)
- Full Path Health Monitoring (page 3-38)
- Controlling Traffic to Newly Booted Firewalls (page 3-39)
- Viewing Active Clients (page 3-40)
- Global Configuration (page 3-41)
- Setting Up Redundant FireProof Devices (page 3-46)
- Configuring IP Router Redundancy (page 3-47)
- Configuring Mirroring (page 3-49)
- Configuring a Remote
211. Configuring Via File
You can configure the FireProof hardware by downloading the configuration file. The process of configuring the device from your management station includes the following steps:
Note: You must have Super privileges to perform this action.
1. Download the BER file from the device.
2. Convert the BER file to an ASCII file.
3. Make changes to the configuration.
4. Convert the ASCII file to a BER file.
5. Upload the BER file to the device.
To download the configuration file:
1. From the Configuration menu, choose Receive From Device. The Get Configuration From Device window is displayed.
Get Configuration from Device window (screenshot): File Name (relative to <Configware dir>\NMS\Configuration); Get configuration from device; Progress Status.
2. In the File Name field, enter the name you want to assign to the file. Alternatively, click Browse to search the directory tree for the file. The file will be saved in the directory <Configware_Install_Dir>\NMS\Configuration.
3. Optionally, check the External TFTP Server IP Address checkbox. If you do not want to use the default TFTP server provided with the device, check the External TFTP Server IP Address checkbox and enter the IP address of the machine running the server
212. ter 3, page 3-49.
Entering the redund mirror command will display the following options:
- active
- backup
Command Syntax:
- redundant mirror active mode get: redund mirror active mode get
- redundant mirror active mode update: redund mirror active mode update <mirror protocol mode>
- redundant mirror active percent get: redund mirror active percent get
- redundant mirror active percent update: redund mirror active percent update <mirror percentage>
Description:
- Enables the user to view the Mirror Protocol Mode status. Example: redund mirror active mode get
- Enables the user to change the Mirror Protocol Mode status. Example: redund mirror active mode update enable
- Enables the user to view the Mirror Percentage. Example: redund mirror active percent get
- Enables the user to change the Mirror Percentage. Example: redund mirror active percent update 95
Redundant Mirror Table
Command Syntax:
- redundant mirror active polling get: redund mirror active polling get
- redundant mirror active polling update: redund mirror active polling update <mirror polling time>
- redundant mirror backup status get: redund mirror backup status get
- redundant mirror backup status update: redund mirror backup status update <mirror status>
- redundant mirror backup table get: redund mirror backup table get <mir
213. terface
This group of commands enables the user to manipulate the data of the Port Rules table. For more information, refer to Setting Up Security in Chapter 3, page 3-72.
Entering the rules command will display the following options:
- delete
- get
- set
Command Syntax / Description:
- rules delete: rules delete <ports>. Enables the user to delete a specific bi-directional rule. Example: rules delete 2
- rules delete all: rules delete all. Enables the user to delete the entire port rules table. Example: rules delete all
- rules get: rules get. Enables the user to view the Rules table. Example: rules get
- rules set: rules set <in port> <out port>. Enables the user to set a specific bi-directional rule. Example: rules set 2 5
Send Arp
This command enables the user to send an ARP broadcast. For more information, refer to Configuring Router Settings in Chapter 3, page 3-55. The syntax for this command is the following: send arp brdcst
This group of commands enables the user to set parameters. Entering the set command will display the following options:
- all: All parameters to default
- baud: Baud Rate for the CLI
- ip
- logfile
- Os
- private
- rea
Typing the set rea command displays an additional sub-menu enabling the us
214. update the Redundant Interface Grouping status: redund infgroup update <value>. Example: redund infgroup update enable
Redundancy
Command Syntax:
- redundancy table get: redund iprd get <interface address> <main router address>
- redundancy table update: redund iprd update <interface address> <main router address> <switch> <value>
- redundancy table destroy: redund iprd destroy <interface address> <main router address>
- redundancy table create: redund iprd create <interface address> <main router address> <switch> <value>
Description:
- Enables the user to view the Redundancy Table. Example: redund iprd get
- Enables the user to update (change) an entry in the Redundancy Table. Example: redund iprd update 1.1.1.1 0.0.0.0 t 10
- Enables the user to delete an entry in the Redundancy Table. Example: redund iprd destroy
- Enables the user to create a new entry in the Redundancy Table. Example: redund iprd create
Redundant Mirror Table
This group of commands enables the user to manipulate the data of the redundant mirror tables. For more information, refer to Configuring Mirroring in Chap
215. the user to view the BWM priority details. Example: bwm utils priority get
- Enables the user to view the BWM RED Queue Table. Example: bwm utils info get
- Enables the user to view the BWM RED mode. Example: bwm utils mode get
- Enables the user to update the BWM RED mode. Example: bwm utils mode update global
Client
This command enables the user to view the RS Client Table information. For more details, refer to Viewing Active Clients in Chapter 3, Configuring FireProof, page 3-40.
Command Syntax / Description:
- client get: client get. Enables the user to view the RS Client table. Example: client get
This group of commands enables the user to manipulate the driver's parameters. Entering the drv command will display the following options:
- get
- set
Command Syntax / Description:
- DRV get auto: drv get auto <port>. Enables the user to retrieve the Driver Auto status. Example: drv get auto 1
- DRV get duplex: drv get duplex <port>. Enables the user to retrieve the DRV Duplex status. Example: drv get duplex 1
- DRV get speed: drv get speed <port>. Enables the user to retrieve the DRV Speed value. Example: drv get speed 1
Command Syntax:
- DRV set auto: drv set auto <port> <auto>
- DRV set duplex: drv set duplex <port> <duplex>
- DRV set spee
216. Example 7: DMZ Support with Port Connectivity Rules
Figure A-7: DMZ Support with Port Connectivity Rules (figure showing the Local Network and the DMZ, with addresses 200.1.1.10, 200.1.1.2, 200.1.1.1, 100.1.1.10, 10.1.1.x and 100.1.1.x).
Properties:
- The Local Network and the DMZ are on different subnets.
- Each firewall has 3 interfaces: external, internal and DMZ.
- Load balancing is required for the DMZ and internal sides. Typically, two devices can be used; however, the same functionality can be achieved using a single device and port rules.
- Firewalls should be configured with the Network Address Translation feature enabled, or an external FireProof can be used.
Configuration:
1. Define four IP interfaces on FireProof: one with a 10.1.1.10 address on port 1, one with a 20.1.1.10 address on port 2, one with a 110.1.1.10 address on port 3, and one with a 100.1.1.10 address on port 4.
2. In the Firewall Table window (FireProof > Firewall Table), insert firewalls 20.1.1.1, 20.1.1.2, 110.1.1.1 and 110.1.1.2.
3. Define FireProof port rules that ensure that traffic to and from port 1 arrives and exits only via port 2, and that traffic to and from port 3 arrives and exits only via port 4. This ensures separation of the DMZ and the local network. This configuration is available only from the console: type rules set 1 2 and rules set 3 4.
217. tly active users attached to this firewall.
- Frames peak rate: Maximum number of frames per second dispatched to the firewall since the last reset.
- Frames current rate: Number of frames per second dispatched to the firewall.
- Frames maximum rate: Maximal number of frames per second dispatched to the firewall.
Policy Statistics
You can generate statistics regarding the policies you have created. Refer to Configuring Bandwidth Management (BWM) in Chapter 3 for further details.
To monitor policy statistics:
1. From the Performance menu, choose Policy Statistics. The Active Policies Selection Table window is displayed.
Active Policies Table (device 176.200.116.21), columns: Policy Name, Source, Destination, Direction, Action, Priority, Bandwidth, Service, Description, Matched. Row shown: Default, Oneway, Forward, 4, 2916352, 1.
2. Select a policy name.
3. Click Perform. The Policy Statistics window is displayed.
4. From the Optional Counters list, choose the counters you require to graph.
5. Click Show Graph. The Graph of Policy Statistics window is displayed.
You can change the look and behavior of the graph using the control panel.
To access the control panel:
- Click Control Panel.
The Control Panel contains the following menus:
- Graph Type: The graph typ
protocol intended to replace RIP in larger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with various limitations. The various routing protocols can access each other's direct Routing Tables for routing information, allowing packets to leak between routing protocols.

Large Client Table Size

The FireProof Client Table is limited only by the specific memory size of the unit. There is a default limit to the number of entries that can be made in the Client Table, but this can be adjusted using tuning facilities included in FireProof.

Load Sharing

Sophisticated load sharing algorithms distribute the load among multiple firewalls. The firewall administrator can choose one of the included load sharing algorithms, taking into account the firewalls' processing power. By assigning priority to the firewalls, more traffic can be diverted to stronger firewalls, optimizing the usage of data flow.

Management and Configuration

FireProof is SNMP compliant (RFC 1213, RFC 1253, RFC 1286, RFC 1354, RFC 1389, RFC 1493, RFC 1525, RFC 1573, RFC 1850, Radware enterprise MIB) and can be managed by any SNMP-based management station, including Configware, Radware's SNMP-based management station. MultiVu is available on the HP OpenView Solaris as well as the HP OpenView for Windows platform. Configware runs directly on Windows. FireProof software is stored
between 1 and 10. Regular aging time indicates that this feature is disabled, i.e. every new session is assigned the user-configured aging time from its beginning.

- Translate Outbound Traffic to Virtual Address: When using virtual IP addresses, determines whether sessions originated by hosts NATed on the firewalls should use the VIP address as a source address or not. Enable: changes a NAT address to a virtual IP address. Disable: does not change NAT addresses.
- Smart NAT: Enables the Smart NAT feature, including Dynamic, Static and No NAT.

Connectivity Check Tab

- Check Connectivity Status: Enables or disables firewall polling.
- Check Connectivity Method: Indicates the method of checking for firewall availability. The value can be Ping or any TCP port number entered manually. If Ping is selected, FireProof pings the firewalls to verify valid communication. Any other value causes FireProof to attempt to connect to the specified application port. If the operation fails, the firewall is considered down.
- Polling Interval: How often FireProof polls the firewalls, in seconds.
- Number of Retries: After how many unanswered polling attempts a firewall is considered inactive.

Client Table Tab

- Open New Entry For Different Source Port: When enabled, different sessions from the same client to the same destination are counted separately
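The Connectivity Check tab above describes a poll-and-retry health check; the following is an added illustration of that logic, not Radware code. It assumes the names probe_tcp, FirewallMonitor and replay, a constructed firewall address 10.1.1.1, and that a firewall is reported down once Number of Retries consecutive polls go unanswered (the page does not state the exact counting rule); only the TCP-port method is implemented, since ICMP ping needs raw sockets.

```python
"""Firewall availability check modelled on FireProof's Connectivity Check tab:
method = "Ping" or a TCP port number, a polling interval and a Number of
Retries. Added example, not Radware code; the "down after N consecutive
unanswered polls" rule and all names here are assumptions."""
import socket


def probe_tcp(ip, port, timeout=1.0):
    """One poll using the TCP-port method: a completed connect to the
    application port is an answer; refusal, timeout or no route is a miss."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class FirewallMonitor:
    """Tracks consecutive unanswered polls per firewall and reports up/down."""

    def __init__(self, method, polling_interval, retries):
        if method != "Ping" and not (1 <= int(method) <= 65535):
            raise ValueError("method must be 'Ping' or a TCP port number")
        self.method = method
        self.polling_interval = polling_interval  # seconds between polls
        self.retries = retries                    # unanswered polls before down
        self.misses = {}                          # firewall ip -> consecutive misses

    def record(self, ip, answered):
        """Feed one poll result and return the firewall's state after it.
        An answer resets the miss counter; the firewall is 'down' once
        `retries` consecutive polls go unanswered (assumed semantics)."""
        if answered:
            self.misses[ip] = 0
            return "up"
        self.misses[ip] = self.misses.get(ip, 0) + 1
        return "down" if self.misses[ip] >= self.retries else "up"

    def poll_once(self, ip):
        """Run one real poll (TCP method only) and record the outcome."""
        if self.method == "Ping":
            raise NotImplementedError("ICMP ping is not implemented here")
        return self.record(ip, probe_tcp(ip, int(self.method)))


def replay(results, retries):
    """Replay a constructed list of poll outcomes for firewall 10.1.1.1
    (constructed address) and return the state after each poll."""
    mon = FirewallMonitor(80, polling_interval=5, retries=retries)
    return [mon.record("10.1.1.1", r) for r in results]
```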
sum of LS checksums of external LS advertisements contained in the LS database. Use this sum to determine whether there has been a change in a router's LS database and to compare the LS databases of two routers.

- Leak RIP Routes: Controls the redistribution of routes from RIP into OSPF. When this parameter is enabled, all routes inserted into the IP routing table via SNMP are advertised into OSPF as external routes.
- Leak Static Routes: Controls redistribution of routes from static routes to RIP. When this parameter is enabled, all statically configured routes are advertised into RIP.
- Leak External Direct Routes: Controls redistribution of direct routes which are external to OSPF into OSPF. If this parameter is enabled, all such external routes are advertised into OSPF as external routes.

To set OSPF operation parameters:

1. In the OSPF Parameters window, adjust the appropriate values.
2. Click Set. Your changes are recorded.

OSPF Interface Parameters

You use the OSPF Interface Table window to set OSPF interface parameters.

To access the OSPF Interface Table window:

- From the Router menu, select OSPF, then choose Interface Parameters. The OSPF Interface Table window is displayed.

[Screenshot: OSPF Interface Table (176.200.99.99) with columns IP Address, Designated Router, Backup Designated Router, Interface State, Administrative Status, Interface Type and Priority.]
updates sent

Firewall Statistics

To monitor application statistics:

1. From the Performance menu, choose Firewall Statistics. The Firewall Statistics window is displayed.

[Screenshot: Server Selection Table (176.200.99.99). Status: Finished.]

2. Select a server farm.
3. Click Perform. The Firewall Statistics window opens.
4. From the Optional Counters list, choose the counters to graph.
5. Click Show Graph. The Device Application Specifics Graph is displayed.

You can change the look and behavior of the graph using the control panel.

To access the control panel:

- Click Control Panel. The Control Panel contains the following menus:

Graph Type: The graph type menu contains a selection of different graph views, including Bar, Area Plot, Scatter Plot, Stacking Bar, Stacking Area and Pie.
Data Buffer Size: The number of past graph samples stored. The greater the number, the more samples are stored for later review.
Monitor Size: The number of graph samples that are displayed on the screen.
Sample Time: The amount of time between samples, in seconds.

To review the last compiled graph:

- Click Show Last. The last graph that was compiled is displayed.

The following counters can be graphed:

- Active users: Number of currently active users attached to this firewall.
Your changes are made.

Configuring Mirroring

Mirroring enables a backup (redundant) device to mirror the Client Table of an active device. The backup device informs the main device to which IP address updates should be sent; the main device sends snapshot information about the Client Table updates every predefined interval. If the active device fails, the backup device can seamlessly resume the sessions. You use the Active Device Mirroring Parameters and the Backup Device Mirroring Parameters windows to configure mirroring.

To access the Active Device Mirroring Parameters window:

- From the FireProof menu, select Redundancy, then Mirroring, and then choose Active Device Parameters. The Active Device Mirroring Parameters window is displayed.

[Screenshot: Active Device Mirroring Parameters (176.200.99.99). Client Table Mirroring: Enabled; Percentage of Client Table to Backup: 100; Client Mirror Update Time: 10. Status: Finished.]

The Active Device Mirroring Parameters window contains the following fields:

- Client Table Mirroring: Enables or disables the mirroring of the Client Table, i.e. sending the mirror messages.
- Percent of Client Table to Backup: The percentage of the client table to send to the backup device.
- Client Mirror Update Time: How often to send information to the backup device.
The possible Switch Values for the bwm service adv command are the following:

  t   Type

Basic

The possible Switch Values for the bwm service basic command are the following:

  p   Protocol
  dp  Destination Port
  f   Source From
  to  Source To
  o   Offset
  om  Mask
  op  Pattern
  oc  Condition
  ol  Length
  co  C Offset
  cd  Data
  ct  Data Type
  t   Type

Group

The possible Switch Values for the bwm service group command are the following:

  t   Type

Command | Syntax | Description

BWM service advanced actual get | bwm service adv actual get | Displays the Advanced Filter table. Example: bwm service adv actual get
BWM service advanced temp get | bwm service adv temp get | Displays the Temporary Advanced Filter table. Example: bwm service adv temp adv filter get

BWM Service Command Syntax

BWM service advanced temp update | bwm service adv temp update <adv> <filter> <switch> <value>
BWM service advanced temp destroy | bwm service adv temp destroy <adv> <filter>
BWM service advanced temp create | bwm service adv temp create <adv> <filter> <switch> <value>
BWM service basic actual get | bwm service basic actual get
BWM service basic t
view the Leak Static to RIP. Example: rip stat2rip get

Enables the user to update (change) the Leak Static to RIP. Example: rip stat2rip update enable

This group of commands enables the user to manipulate the data of the routing table. For more information, refer to Configuring the Router in Chapter 3, page 3-68.

The possible switch values for the route command are the following:

  i   Interface Number
  m   Metric

Command | Syntax | Description

route get | route get [destination address] [network mask] [next hop] | Enables the user to view the Routing table. Example: route get 1.1.1.1 255.0.0.0
route update | route update <destination address> <switch> <value> [<switch> <value> ...] | Enables the user to update an entry in the Routing table. Example: route create 1.1.1.1 aT 4
route destroy | route destroy <destination address> [network mask] [next hop] | Enables the user to delete an entry in the Routing table. Example: route destroy 1.1.1.1 255.0.0.0 10.0.0.0
route create | route create <destination address> <network mask> <next hop> <interface num> [<switch> <value> ...] | Enables the user to create an entry in the Routing table. Example: route create 1.1.1.1 255.0.0.0 10.0.0.0 i 1 m 2231
software, erase the existing configuration, or erase NVRAM. If you do not select or require any of these options, the boot sequence continues. The device detects whether or not it has the necessary configuration and, if not, the Startup Configuration window is displayed. Enter the number of the parameter for which you require to define the information. Enter the parameter's configuration and press Enter. The value of the parameter is displayed on the screen.

FireProof Specifications and Requirements

Hardware: Fast Ethernet Platform

- CPU: Intel i960 HD microprocessor
- Ethernet Controller: Intel 82557 Ethernet co-processor
- ASCII Terminal Port: 9-pin female RS-232 connector (DCE). Setup: 19200 bps, 8 bits, one stop bit, no parity
- Memory: 4 MB Flash, 8/32 MB DRAM, 8 MB buffer, 8 KB NVRAM

Hardware: Application Switch Platform

- CPU: PowerPC 750
- Switch Architecture: Galileo GalNet II
- ASCII Terminal Port: 9-pin female RS-232 connector (DCE). Setup: 19200 bps, 8 bits, one stop bit, no parity
- Memory: 8 MB Flash, 64/128 MB SDRAM, 32 KB NVRAM

LAN Interfaces: Fast Ethernet Platform

FireProof comes with two or four priority RJ45 ports for IEEE 802.3 10/100BaseT. The two or four ports are auto-sensing but can be set to a specific speed using Configware. FireProof supports half and full duplex communication at 100 Mbps.
Command | Syntax | Description

(continued from the previous page) | | This group of commands enables the user to update the Intruder Detection Service Policies status. Example: ids policy unix update enable
(continued from the previous page) | | Enables the user to view the IDS Statistics Table. Example: ids stats get
IDS statsize get | ids statsize get | Enables the user to view the IDS Statistics Table's Size. Example: ids statsize get
IDS statsize update | ids statsize update <value> | Enables the user to update the IDS Statistics Table's Size. Example: ids statsize update 1000
IDS stattime get | ids stattime get | Enables the user to view the IDS Statistics Table's Time. Example: ids stattime get
IDS stattime update | ids stattime update <value> | Enables the user to update the IDS Statistics Table's Time. Example: ids stattime update 1000
IDS status get | ids status get | Enables the user to view the IDS Status. Example: ids status get
IDS status update | ids status update <status>
IDS tcpaging get | ids tcpaging get
IDS tcpaging update | ids tcpaging update <value>
IDS tcpdsize get | ids tcpsize get
IDS tcpdsize update | ids tcpsize update <value>
IDS track get | ids track get [filter group name]
IDS track create | ids track create <name> <switch> <value>