
Avaya FireWall-1 User's Manual


Contents

1. (1) FireWall-1 Enterprise Product (2) FireWall-1 Single Gateway Product (3) FireWall-1 Enterprise Management Console Product (4) FireWall-1 FireWall Module (5) FireWall-1 Inspection Module Enter your selection (1-5/a): 3 Installing/Configuring FireWall-1 Enterprise Management Console Product. Please wait. Selecting where to install FireWall-1. FireWall-1 requires approximately 9017 KB of free disk space. Additional space is recommended for logging information. Enter destination directory [/etc/fw]: <RETURN> Checking disk space availability. Installing FW under /etc/fw (50836 KB free). Are you sure (y/n) [y]? y Software distribution extraction. Extracting software distribution. Please wait. Software Distribution Extracted to /etc/fw. Installing license. Reading pre-installed license file fw LICENSE, done. The following evaluation License key is provided with this FireWall-1 distribution: Eval 15Mar97 3.x pfmx controlx routers connect motif Do you want to use this evaluation FW-1 license (y/n) [y]? n Do you wish to start FireWall-1 automatically from /etc/rc.local (y/n) [y]? n Welcome to FireWall-1 Configuration Program. This program will guide you through several steps where you will defined your FireWall-1 configuration. In any later time you can reconfigure thes
2. Santa Clara, CA: 1 800 2LANWAN, 408 495 1188; Valbonne, France: 33 4 92 96 69 68, 33 4 92 96 69 98; Sydney, Australia: 61 2 9927 8800, 61 2 9927 8811; Tokyo, Japan: 81 3 5402 0180, 81 3 5402 0173. For More Information. For information about Bay Networks and its products, visit the Bay Networks Worldwide Web (WWW) site at http://www.baynetworks.com. To learn more about Bay Networks Customer Service, select Customer Service on the opening web page. Chapter 1: BaySecure FireWall-1. BaySecure FireWall-1 integrates version 2.1 of Check Point Software Technologies Ltd. FireWall-1 software, with the exception of user authentication, address translation, statistics, and encryption features, into the Bay Networks GAME router operating system. The result is a security system that provides fully secure, bidirectional, anti-spoofing communication for all Internet applications and services, such as FTP, Telnet, and SMTP. The Check Point FireWall-1 software consists of these two modules. Firewall module: the firewall module inspects all data packets traveling between the data link and network layers and either forwards or drops them according to the security policy you specify. It also provides communication between the firewall module and the control module. Bay Networks integrates the firewall module into the router operating system. Control module: the co
3. Configuring BaySecure FireWall-1. Router Software Version 11.02. Site Manager Software Version 5.02. Part No. 116751-A Rev. A. May 1997. Bay Networks, 4401 Great America Parkway, Santa Clara, CA 95054. Bay Networks, 8 Federal Street, Billerica, MA 01821. Copyright 1988-1997 Bay Networks, Inc. All rights reserved. Printed in the USA. May 1997. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc. The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document. Restricted Rights Legend: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notice for All Other Executive Agencies: Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reprodu
4. Figure 1-7. CA Key Window. 15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signal for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes. 16. Click on Finish. Installing the GUI Client. 1. Begin by inserting the CD into the CD drive and executing the setup.exe file. For example: D:\windows\gui_client\disk1\setup.exe. The Choose Destination Location window (Figure 1-8) opens. 2. Choose a destination directory. Figure 1-8. Choose Destination Location Window. For this sample installation, accept the default directory. 3. Click on Next. The Select Components window (Figure 1-9) opens. Figure 1-9. Select Components Window.
5. 1-10; set, 1-17. Configuration Manager, 1-18; configuring a firewall, 1-17; control module, defined, 1-1; creating a firewall, 1-17; customer support: programs, xi; technical response centers, xii. D: daemons, 1-9. E: enabling a firewall, 1-21; extracting tar files, 1-3. F: firewall module, 1-1; FireWall-1 License, obtaining, 1-2; fw putlic command, 1-9; fwconfig command, 1-8; fwinstall command, 1-4; fwputkey command, 1-9; fwstart command, 1-9; fwstop command, 1-9; fwui & command, 1-10. G: groups, adding, 1-8; GUI clients, adding, 1-8, 1-17. inspection code, 1-24; installation: options, 1-4; sample, 1-5, 1-10; installing management software, 1-4. L: license: adding, 1-8, 1-17; installing on management station, 1-9; obtaining, 1-2; Local Host IP Address parameter, 1-21; Log Host IP Address parameter, 1-20. modules: control, 1-1; firewall, 1-1; mounting a CD drive, 1-3. P: publications, ordering, xi. R: refreshing the display, 1-23; remote modules, adding, 1-8, 1-17; Reset button, 1-22; rule base, verifying, 1-24; rules, defined, 1-23. S: security policy: configuring, 1-23; downloading, 1-24; serial number, obtaining, 1-2; starting the daemons, 1-9; static route, 1-22; synchronizing the router and management station, 1-9. T: tar files, extracting, 1-3; technical response centers, xii; Technician Interface, 1-17. W: World Wide Web page, Bay Networks, xii.
6. 17; Enabling the FireWall on All Router Interfaces 1-21; Activating the Firewall 1-22; Configuring a FireWall Security Policy 1-23; Installing the Security Policy on the Router 1-24; Troubleshooting Checklist 1-24; Index. Figures: Figure 1-1. Choose Destination Location Window 1-11; Figure 1-2. Selecting Product Type Window 1-11; Figure 1-3. Licenses Window 1-12; Figure 1-4. Administrators Window 1-13; Figure 1-5. Add Administrators Window 1-13; Figure 1-6. Hit Key Session Window 1-14; Figure 1-7. CA Key Window 1-15; Figure 1-8. Choose Destination Location Window 1-16; Figure 1-9. Select Components Window 1-16; Figure 1-10. Configuration Manager Window 1-18; Figure 1-11. FW Global Window 1-19; Figure 1-12. FW Router Parameters Window
7. Parameter: Local Host IP Address. Default: 0.0.0.0. Options: Any valid IP address. Function: Shows the IP address of the router on which the firewall resides. Instructions: Enter the IP address of the host where you installed the firewall module. If the log host IP address and the local host IP address you specify are on different subnets, then you must configure a static route to the local host IP address to enable communication between the router and the management station. Configuring IP Services provides information about configuring a static route. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.11.2.6. Enabling the FireWall on All Router Interfaces. After you have created a firewall on the router, you can enable it on all interfaces by selecting Protocols > Global Protocols > FWALL > Interfaces from the Configuration Manager window. The FW on ALL Interfaces window (Figure 1-13) opens to verify that you enabled the firewall on all interfaces. Figure 1-13. FW on ALL Interfaces Window. Click on OK to enable the firewall on all router interfaces. Otherwise, click on Cancel. When you click on OK, a message box opens confirming that you are enabling the firewall on all interfaces. Once you enable the firewall on all interfaces and reboot the router, you will not be able to communicate with the router through Site Manager until you change the FireWall-1 default security policy. Caution: If your firewall mana
8. Conventions. angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: if command syntax is ping <ip_address>, you enter ping 192.32.10.12. bold text: Indicates text that you need to enter, command names, and buttons in menu paths. Example: Enter wfsm &. Example: Use the dinfo command. Example: ATM DXI > Interfaces > PVCs identifies the PVCs button in the window that appears when you select the Interfaces option from the ATM DXI menu. italic text: Indicates variable values in command syntax descriptions, new terms, file and directory names, and book titles. quotation marks (" "): Indicate the title of a chapter or section within a book. screen text: Indicates data that appears on the screen. Example: Set Bay Networks Trap Monitor Filters. separator (>): Separates menu and option names in instructions and internal pin-to-pin wire connections. Example: Protocols > AppleTalk identifies the AppleTalk option in the Protocols menu. Example: Pin 7 > 19 > 20. Acronyms. GUI: graphical user interface. IP: Internet Protocol. LAN: local area network. OSI: Open Systems Interconnection. TCP/IP: Transmission Control Protocol/Internet Protocol. Ordering Bay Networks Publications. To purchase additional c
9. 1-20; Figure 1-13. FW on ALL Interfaces Window 1-21; Figure 1-14. Boot Router Window 1-23. About This Guide. If you are responsible for network security, you need to read this guide to learn about BaySecure FireWall-1 and the steps you need to take to install, configure, and activate a firewall on a Bay Networks router. If you want to: Obtain a Check Point FireWall-1 license, go to page 1-2; Install Check Point firewall management software, go to page 1-3; Create and configure a firewall on the router, go to page 1-17; Enable the firewall on all router interfaces, go to page 1-21; Activate the firewall, go to page 1-22; Configure a security policy, go to page 1-23; Install the security policy on the router, go to page 1-24. Before You Begin. Before using this guide, you must complete the following procedures. For a new router: Install the router (refer to the installation manual that came with your router). Connect the router to the network and create a pilot configuration file (refer to Quick Starting Routers, Connecting AN and ANH Systems to a Network, or Connecting ASN Routers to a Network). Make sure that you are running the latest version of Bay Networks Site Manager and router software. For instructions, refer to Upgrading Routers from Version 7-10.xx to Version 11.0 and Release Notes for Router Software Version 11.02.
10. 1 A Rev A
11. 4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item. Customizing the FireWall-1 Installation. You can customize your FireWall-1 installation by executing the FireWall-1 Configuration file. To execute the file, enter p Start Programs FireWall-1 FireWall-1 Configuration. Using the FireWall-1 Configuration file, you can add: a license; administrators; GUI clients; remote modules; CA keys. Refer to your Check Point documentation for details. Creating and Configuring a FireWall on the Router. This section explains how to create a firewall on the router using Site Manager. You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, refer to Using Technician Interface Software. Caution: The Technician Interface does not verify that the value you enter for a parameter is valid. Entering an invalid value can corrupt your configuration. Before you begin, you must first configure and enable IP on the router and enable TCP on all slots on the router. Refer to Quick Starting Routers for instructions. Begin by starting Site Manager. Then follow these steps: 1. Select Configuration Manager in eith
12. ck on OK. The FW Router Parameters window opens (Figure 1-12). Figure 1-12. FW Router Parameters Window. 8. Complete the FW Router Parameters window. To configure a firewall, you must supply values for all of the parameters that appear in the FW Router Parameters window. Refer to the parameter descriptions that follow. When you finish configuring the parameters, click on OK to make all parameter settings take effect. Parameter: Log Host IP Address. Default: 0.0.0.0. Options: Any valid IP address. Function: Shows the IP address of the host on which you installed the FireWall-1 management software. This host becomes the firewall management station from which you control the firewall. The management station also logs all violations of the security rule base. Instructions: Enter the IP address of the host where you installed the control module. If the log host IP address and the local host IP address you specify are on different subnets, then you must configure a static route to the local host IP address to enable communication between the router and the management station. Configuring IP Services provides information about configuring a static route. MIB Object ID: 1.3.6.1.4.1.18.3.5.1.11.2.4.
13. ction and disclosure are as set forth in the Commercial Computer Software Restricted Rights clause at FAR 52 227 19 Trademarks of Bay Networks Inc ACE AFN AN BCN BLN BN BNX CN FN FRE GAME LN Optivity PPX Bay Networks SynOptics SynOptics Communications Wellfleet and the Wellfleet logo are registered trademarks and Advanced Remote Node ANH ARN ASN BayeSIS BayStack BayStream BCNX BLNX EZ Install EZ Internetwork EZ LAN IP AutoLearn PathMan PhonePlus Quick2Config RouterMan SN SPEX Switch Node Bay Networks Press the Bay Networks logo and the SynOptics logo are trademarks of Bay Networks Inc Third Party Trademarks All other trademarks and registered trademarks are the property of their respective owners Statement of Conditions In the interest of improving internal design operational function and or reliability Bay Networks Inc reserves the right to make changes to the products described in this document without notice Bay Networks Inc does not assume any liability that may occur due to the use or application of the product s or circuit layout s described herein Portions of the code in this software product are Copyright 1988 Regents of the University of California All rights reserved Redistribution and use in source and binary forms of such portions are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation adve
14. e parameters by running fwconfig. Configuring Licenses. The following licenses are installed on this host: Eval 15Mar97 3.x pfmx controlx routers connect motif Do you want to add licenses (y/n) [n]? n Configuring Administrators. No FireWall-1 Administrators are currently defined for this Management Station. Do you want to add users (y/n) [y]? n Configuring GUI clients. GUI clients are trusted hosts from which FireWall-1 Administrators are allowed to log on to this Management Station using Windows X Motif GUI. Do you want to add GUI clients (y/n) [y]? n Configuring Remote Modules. Remote Modules are FireWall or Inspection Modules that are going to be controlled by this Management Station. Do you want to add Remote Modules (y/n) [y]? n Configuring Groups. FireWall-1 access and execution permissions. Usually, FireWall-1 is given group permission for access and execution. You may now name such a group or instruct the installation procedure to give no group permissions to FireWall-1. In the latter case, only the Super-User will be able to access and execute FireWall-1. Please specify group name [<RET> for no group permissions]: No group permissions will be granted. Is this ok (y/n) [y]? y Configuring Random Pool. You are now asked to perform a short random keystroke session. The rand
15. ended from time to time, shall apply for interoperability purposes. Licensee must notify Bay Networks in writing of any such intended examination of the Software, and Bay Networks may provide review and assistance. Notwithstanding any foregoing terms to the contrary, if licensee licenses the Bay Networks product "Site Manager," licensee may duplicate and install the Site Manager product as specified in the Documentation. This right is granted solely as necessary for use of Site Manager on hardware installed with licensee's network. This license will automatically terminate upon improper handling of Software, such as by disclosure, or Bay Networks may terminate this license by written notice to licensee if licensee fails to comply with any of the material provisions of this license and fails to cure such failure within thirty (30) days after the receipt of written notice from Bay Networks. Upon termination of this license, licensee shall discontinue all use of the Software and return the Software and Documentation, including all copies, to Bay Networks. Licensee's obligations under this license shall survive expiration or termination of this license. Contents: About This Guide; Before You Begin ix; Conventions x; Acronyms x; Ordering Bay Networks Publications
16. er local, remote, or dynamic mode from the Tools menu. The Configuration Manager window opens (Figure 1-10). Figure 1-10. Configuration Manager Window. 2. Open a configuration file if local or remote mode is selected. 3. Select Protocols > Global Protocols > FWALL > Create. The following confirmation box appears to verify that you have created a firewall on the router. 4. Click on OK. Note: After you create a firewall on the router, you cannot remove it. 5. To enable the firewall, select Protocols > Global Protocols > FWALL > Global. The FW Global window opens (Figure 1-11) to verify that you want to enable a firewall to be active on the router. Click on OK. Figure 1-11. FW Global Window. 6. To configure the firewall, select Protocols > Global Protocols > FWALL > FWALL Router PARAMS. A warning box appears indicating that you may need to establish a static route between the router and the management station before you configure the parameters. If you do not establish a static route and your management station and router are on different subnets, you will be unable to communicate with the router. Refer to Configuring IP Services for information about creating a static route. 7. Cli
17. fwinstall command. For example, if you extracted the files into your /tmp directory, install the software by issuing the following commands: lab cd /tmp; lab fwinstall. Installation Options. Note that during the installation, the script asks you to select the FireWall-1 option you want to install. To be compatible with BaySecure FireWall-1, enter selection 3, FireWall-1 Enterprise Management Console Product. A sample follows: Which of the following FireWall-1 options do you wish to install: (1) FireWall-1 Enterprise Product (2) FireWall-1 Single Gateway Product (3) FireWall-1 Enterprise Management Console Product (4) FireWall-1 FireWall Module (5) FireWall-1 Inspection Module Enter your selection (1-7/a): 3 Sample Installation. The following sample installation takes the Check Point FireWall-1 software from a CD-ROM and installs it onto a SparcStation running SunOS. Use this sample installation to familiarize yourself with the FireWall-1 installation script. Note: In the following sample installation, all user input is in bold. ****************** FireWall-1 v3.0 Installation ********** Reading fwinstall configuration. This might take a while. Please wait. Configuration loaded. Running FireWall-1 Setup. Checking available options. Please wait. Which of the following FireWall-1 options do you wish to install/configure
18. gement station and router are on different subnets, you will not be able to communicate with the router from the management station unless you establish a static route from the management station to the router before you activate the firewall. Refer to Configuring IP Services for information about creating a static route. Activating the Firewall. Before the FireWall-1 security policy will take effect on the router, you must first activate the firewall by booting the router. Booting a router warm-starts every processor module in the router. Pressing the Reset button on the front panel of the router performs the same procedure. Note: When you activate the firewall, the default security policy prevents all interfaces supported by the firewall from communicating with the router. If the firewalled router and management station are on different subnets, you must establish a static route to enable communication between the router and the management station before you activate the firewall. For information about configuring a static route, refer to Configuring IP Services. Use the Administration menu to reboot the router: 1. From the main Site Manager window, select Administration > Boot Router. The Boot Router window opens (Figure 1-14). Figure 1-14. Boot Router Window. 2. Specify the correct volume and boot image. 3. Select the correct router volume and configuration file. Then c
19. hronize your password on the two systems. To synchronize the router and the management station passwords, enter the following commands. On the firewall management station: fw putkey -p <password> <ip_address_fwall_router>. On the router: fwputkey <password> <ip_address_mgmt_station>, where <password> is a string of alphanumeric characters that comprise your password, <ip_address_fwall_router> is the IP address of your firewalled router, and <ip_address_mgmt_station> is the IP address of your FireWall-1 GUI management station. Starting the FireWall-1 GUI. To start the FireWall-1 GUI, enter the fwui & command. For example, at the system prompt, type: lab fwui &. Installing on the Windows NT Platform. Use the following sections as a guide to installing the FireWall-1 software on the Windows NT platform. For more details, refer to your Check Point documentation. Sample Installation. The following sample installation takes the Check Point FireWall-1 software from a CD-ROM and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with the way the screens appear during a basic FireWall-1 installation. Note: This sample installation shows only those screens necessary for a basic installation. Installing the Management Software. 1. Begin by inserting the CD int
20. xi; Bay Networks Customer Service xi; How to Get Help xii; For More Information xii. Chapter 1: BaySecure FireWall-1. Obtaining a FireWall-1 License 1-2; Installing and Running the FireWall-1 Management Software 1-3; Installing on the UNIX Platform 1-3; Mounting the CD and Extracting the Tar File 1-3; Installing the Check Point FireWall-1 Software 1-4; Installation Options 1-4; Sample Installation; Customizing the FireWall-1 Installation 1-8; Installing a License on the Management Station 1-9; Starting and Stopping the FireWall-1 Daemons 1-9; Synchronizing the Management Station and the Router Passwords 1-9; Starting the FireWall-1 GUI 1-10; Installing on the Windows NT Platform 1-10; Sample Installation 1-10; Customizing the FireWall-1 Installation 1-17; Creating and Configuring a FireWall on the Router 1
21. ing fwconfig. **************** Installation completed successfully **************** Customizing the FireWall-1 Installation. You can use the fwconfig command to customize your FireWall-1 installation. Using fwconfig, you can add: a license; administrators; GUI clients; remote modules; groups; CA keys. Note: To add an administrator, you must first add a group to which the user is a member. If you do not add a group, then you can run the GUI using only the fwui command if you are logged in as root. Refer to your Check Point documentation for details. Installing a License on the Management Station. To install a license on the management station, use the following command: fw putlic <hostid> <lic_string> pfmx controlx routers motif embedded. The <hostid> is the host ID of the management station. The <lic_string> is a string of alphanumeric characters that Check Point provides when you request your FireWall-1 license. Starting and Stopping the FireWall-1 Daemons. To start the FireWall-1 daemons, use the fwstart command. For example, at the system prompt, type: lab fwstart. To stop the FireWall-1 daemons, use the fwstop command. For example, at the system prompt, type: lab fwstop. Synchronizing the Management Station and the Router Passwords. Once you have installed licenses on the management station and the router, you must sync
22. Figure 1-4. Administrators Window. You must specify at least one administrator. 8. Click on Add. The Add Administrator window (Figure 1-5) opens. Figure 1-5. Add Administrators Window. 9. Enter the administrator's user name and password, which is limited to eight characters, and a password confirmation, and click on OK. You return to the Administrators window. 10. Click on Next. The GUI Clients window opens. Do not enter GUI clients at this time. 11. Click on Next. The Remote Modules window appears. Do not enter remote modules at this time. 12. Click on Next. The Hit Key Session window (Figure 1-6) opens. Figure 1-6. Hit Key Session Window. 13. Follow the directions in the window and enter random characters with a delay of a few seconds between them until the indicator bar is full. Be sure not to type the same character twice in a row, and vary the delay between the characters. 14. Click on Next. The CA Key window opens (Figure 1-7)
23. license certificate bearing the FireWall-1 serial number, contact Bay Networks. Contact Check Point. To obtain a permanent license, you must contact Check Point. You can reach Check Point: via the world wide web at http://license.CheckPoint.com; by sending mail to license@checkpoint.com; by phoning Check Point at 800 429 4391 (North America) or 972 3 613 1833 (outside North America). When requesting a license, you must provide the serial number from the license certificate, as well as information, such as IP addresses, regarding the end user and the hosts on which you plan to install the FireWall-1 software. Note: If you need to change the IP address of the FireWall-1 management station, contact Check Point at 800 429 4391 (North America) or 972 3 613 1833 (locations outside of North America). Refer to the section "Installing and Running the FireWall-1 Management Software" and the Check Point documentation for information about how to install the license. Installing and Running the FireWall-1 Management Software. Once you obtain a FireWall-1 license from Check Point, you can install the Check Point FireWall-1 management software on either the UNIX or Windows NT platform. Installing on the UNIX Platform. Before you install the Check Point software, be sure to: Contact Check Point to get a license. Add setenv FWDIR /etc/fw to your .cshrc file, or add FWDIR=/etc/f
24. lick on Boot. A confirmation window appears. 4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot. 5. Select View > Refresh Display from the main Site Manager window to verify that the router booted correctly. If the router booted correctly, system information appears in the main Site Manager window. If the router did not boot correctly, system information does not appear. In this case, make sure that you followed the procedures described in this section. If you have any questions, refer to Managing Routers or call your local Bay Networks Technical Response Center. Configuring a FireWall Security Policy. A security policy is a collection of rules that define the way the firewall operates. Check Point supplies a default security policy that drops all attempts at communication with the router. This security policy goes into effect when you first activate the firewall on the router. You must define a security policy that explicitly defines acceptable communication to the router based on the source address, destination address, and type of service. Refer to your Check Point FireWall-1 documentation for details about how to configure a security policy. Installing the Security Policy on the Router. Once you have defined a security policy, you must install it on the router. Installing a security policy means downloading it t
25. ntrol module allows you to manage the firewall and to define a security policy. The security policy determines the rules the FireWall-1 software uses to determine whether to let data pass or to log an error and alert the management station. The control module resides on a workstation called the firewall management station. For detailed information about the Check Point FireWall-1 software, refer to your Check Point documentation. To configure a firewall on a router, see the following sections: Obtaining a FireWall-1 License, on 1-2; Installing and Running the FireWall-1 Management Software, on 1-3; Creating and Configuring a FireWall on the Router, on 1-17; Enabling the FireWall on All Router Interfaces, on 1-21; Activating the Firewall, on 1-22; Configuring a FireWall Security Policy, on 1-23; Installing the Security Policy on the Router, on 1-24. Obtaining a FireWall-1 License. Before you can install the Check Point FireWall-1 software and create a firewall on the router, you must first obtain a FireWall-1 license. You need a separate FireWall-1 license for each router. To obtain a license: 1. Locate your license certificate. A FireWall-1 license certificate accompanies the Check Point FireWall-1 software media. On the license certificate, you will find a FireWall-1 serial number. You must have your serial number to obtain a FireWall license. If you lose the
26. o the CD drive and executing the setup.exe file. For example:

    p:\windows\fw1\setup.exe

The Choose Destination Location window (Figure 1-1) opens.

[Figure 1-1. Choose Destination Location Window]

2. Choose a destination directory. For this sample installation, we accept the default directory.

3. Click on Next. The Selecting Product Type window (Figure 1-2) opens.

[Figure 1-2. Selecting Product Type Window]

4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Console Product.

5. Click on Next. The Licenses window (Figure 1-3) opens.

[Figure 1-3. Licenses Window]

6. Enter the license information you obtained from Check Point.

7. Click on Next. The Administrators window (Figure 1-4) opens.
27. o the firewalled objects that will enforce it. When you download the security policy, the FireWall-1 software:

• Verifies that the rule base is logical and consistent
• Generates an inspection script from the rule base
• Compiles the inspection script to generate inspection code for the router
• Downloads the inspection code to the router

For information about how to install the security policy, refer to your Check Point documentation.

Troubleshooting Checklist

If you experience problems with FireWall-1, verify that you have performed these steps:

• Enabled TCP on all slots on the router
• Created a firewall using Site Manager
• Created a static route if the router and firewall management stations are on different subnets
• Rebooted the router with a firewall configuration file
• Synchronized the router and management station passwords
• Defined a security policy
• Installed the security policy on the router

If you have performed these steps and are still having system problems, contact Bay Networks.

A
activating FireWall-1
adding
    administrators
    groups
    GUI clients
    license
    remote modules
Bay Networks Press
Bay Networks World Wide Web page
booting the router
C
Check Point, contacting
commands
    commit
    fw putlic
    fwconfig
    fwinstall
    fwputkey
    fwstart
    fwstop
    fwui &
28. om data collected in this session will be used for generating Certificate Authority RSA keys.

    Please enter random text containing at least six different characters.
    You will see the symbol after keystrokes that are too fast or too
    similar to preceding keystrokes. These keystrokes will be ignored.
    Please keep typing until you hear the beep and the bar is full.

    Thank you.

    Configuring CA Keys
    fw no license for ca
    The installation procedure is now creating an FWZ Certificate
    Authority Key for this host. This can take several minutes.
    Please wait
    fw no license for ca

    Configuration ended successfully

    **************** FireWall-1 is now installed ****************

    Do you wish to start FW-1 now (y/n) [y] ? n

    *************************************************************
    DO NOT FORGET TO:
    1. add the line: setenv FWDIR /etc/fw to .cshrc
       or FWDIR=/etc/fw; export FWDIR to .profile
    2. add /etc/fw/bin to path
    3. add /etc/fw/man to MANPATH environment
    *************************************************************

    You may configure FireWall-1 anytime by runn
29. opies of this document or other Bay Networks publications, order by part number from Bay Networks Press at the following numbers:

• Phone, U.S./Canada: 1-888-422-9773
• Phone, International: 1-510-490-4752
• FAX, U.S./Canada and International: 1-510-498-2609

Bay Networks Customer Service

You can purchase a support contract from your Bay Networks distributor or authorized reseller, or directly from Bay Networks Services. For information about, or to purchase, a Bay Networks service contract, either call your local Bay Networks field sales office or one of the following numbers:

Region: United States and Canada
    Telephone number: 1-800-2LANWAN; then enter Express Routing Code (ERC) 290, when prompted, to purchase or renew a service contract
                      1-508-916-8880 (direct)
    Fax number: 1-508-670-8766
Region: Europe
    Telephone number: 33-4-92-96-69-66
    Fax number: 33-4-92-96-69-96
Region: Asia/Pacific
    Telephone number: 61-2-9927-8888
    Fax number: 61-2-9927-8899
Region: Latin America
    Telephone number: 561-988-7661
    Fax number: 561-988-7550

How to Get Help

If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Support Centers:

Technical Support Center: Billerica, MA
    Telephone number: 1-800-2LANWAN
    Fax number: 508-670-8765
30. rtising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Bay Networks Software License

Note: This is Bay Networks basic license document. In the absence of a software license agreement specifying varying terms, this license, or the license included with the particular product, shall govern licensee's use of Bay Networks software.

This Software License shall govern the licensing of all software provided to licensee by Bay Networks ("Software"). Bay Networks will provide licensee with Software in machine-readable form and related documentation ("Documentation"). The Software provided under this license is proprietary to Bay Networks and to third parties from whom Bay Networks has acquired license rights. Bay Networks will not grant any Software license whatsoever, either explicitly or implicitly, except by acceptance of an order for either Software or for a Bay Networks product ("Equipment") that is packaged with Software. Each such license is subject to the following restrictions:

1. Upon delivery of the Software, Bay Networks grants to licensee a personal, nontransferable, nonexclusive license to use the Software with the Equipment with which or for which it was originally acquired, including use at any of licensee's facilities to which the Equipment may be transferred, for the useful life of the Equipment unless earlier terminated by default or cancellation. Use of the Software shall be limited to such Equipment and to such facility. Software which is licensed for use on hardware not offered by Bay Networks is not subject to restricted use on any Equipment; however, unless otherwise specified on the Documentation, each licensed copy of such Software may only be installed on one hardware item at any time.

Licensee may use the Software with backup Equipment only if the Equipment with which or for which it was acquired is inoperative.

Licensee may make a single copy of the Software (but not firmware) for safekeeping (archives) or backup purposes.

Licensee may modify Software (but not firmware), or combine it with other software, subject to the provision that those portions of the resulting software which incorporate Software are subject to the restrictions of this license. Licensee shall not make the resulting software available for use by any third party.

Neither title nor ownership to Software passes to licensee.

Licensee shall not provide, or otherwise make available, any Software, in whole or in part, in any form, to any third party. Third parties do not include consultants, subcontractors, or agents of licensee who have licensee's permission to use the Software at licensee's facility, and who have agreed in writing to use the Software only in accordance with the restrictions of this license.

Third-party owners from whom Bay Networks has acquired license rights to software that is incorporated into Bay Networks products shall have the right to enforce the provisions of this license against licensee.

Licensee shall not remove or obscure any copyright, patent, trademark, trade secret, or similar intellectual property or restricted rights notice within or affixed to any Software and shall reproduce and affix such notice on any backup copy of Software or copies of software resulting from modification or combination performed by licensee as permitted by this license.

Licensee shall not reverse assemble, reverse compile, or in any way reverse engineer the Software. Note: For licensees in the European Community, the Software Directive dated 14 May 1991 as may be am
33. w to your .cshrc file and export FWDIR to your .profile file

• Add /etc/fw/bin to your path
• Add /etc/fw/man to your MANPATH environment

Use the following sections as a guide to installing the FireWall-1 software on the UNIX platform. For more details, refer to your Check Point documentation.

Mounting the CD and Extracting the Tar File

Check Point supplies its FireWall-1 software on CD-ROM. You must mount the CD drive and extract the tar files. Commands used to mount a CD drive and extract the tar files vary depending on the device name of the CD drive, the operating system used, and other environmental factors. Use the instructions that follow only as guidelines for mounting the CD drive and extracting the tar files. The commands you need may differ.

For SunOS:

    lab# mount -r -t hsfs /dev/sr0 /cdrom
    lab# cd /tmp
    lab# tar xvf /cdrom/sunos4/fw1/fw.sunos4.tar

For Solaris:

    lab# mount -F hsfs -r /dev/sr0 /cdrom
    lab# cd /tmp
    lab# tar xvf /cdrom/solaris2/fw1/fw.solaris2.tar

For HPUX:

    lab# mount -r /dev/dsk/c1t2d0 /cdrom    (or your specific CD-ROM address)
    lab# cd /tmp
    lab# tar xvf /cdrom/HPUX/FW1/FW.HPUX.TAR

Installing the Check Point FireWall-1 Software

Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you're in the directory where you put the files, and then issue the
