        Avaya Firewall-1 User's Manual
         Contents
1. [illegible] A-1
[illegible] A-2
List FireWall Interfaces Parameters A-3

117384-B Rev 00

Figures

Figure 2-1. Choose Destination Location Window 2-6
Figure 2-2. Selecting Product Type Window 2-7
Figure 2-3. Licenses Window 2-8
Figure 2-4. Administrators Window 2-9
Figure 2-5. Add Administrators Window 2-9
Figure 2-6. Key Hit Session Window 2-10
Figure 2-7. Choose Destination Location Window 2-11
Figure 2-8. Select Components Window 2-12
Figure 3-1. Configuration Manager Window 3-2
Figure 3-2. Create Firewall Dialog Box 3-3
Figure 3-3. List Firewall Interfaces Window 3-7
Figure 3-4. Values Window 3-8
Figure 3-5. Boot Router Window 3-10

About This Guide

If you are respon
2. Figure 2-3. Licenses Window (window text: Add licenses for this machine)

6. Enter the license information you obtained from Check Point.

7. Click on Next.
   The Administrators window (Figure 2-4) opens.

   Figure 2-4. Administrators Window (window text: Specify FireWall-1 Administrators who are permitted to use the GUI applications to log into this Management Server. You must define at least one administrator.)

   You must specify at least one administrator.

8. Click on Add.
   The Add Administrator window (Figure 2-5) opens.

   Figure 2-5. Add Administrators Window (fields: Administrator Name, Password, Confirm Password, Permissions)

9. Enter the administrator's user name and password, which is limited to eight characters, and a password confirmation, and click on OK. You return to the Administrators window.

10. Click on Next.
    The GUI Clients window opens. Do not enter any GUI clients at this time.

11. Click on Next.
    The Remote Modules window appears. Do not enter any remote modules at this time.

12. Click on Next.
    The Key Hit Session window (Figure 2-6) opens.

    Window text: In order to generate random seed for the cryptographic processes of FireWall-1, please enter
3. Configuring BaySecure FireWall-1

BayRS Version 12.10
Site Manager Software Version 6.10

Part No. 117384-B Rev 00
February 1998

Bay Networks
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821

Copyright © 1997 Bay Networks, Inc.

All rights reserved. Printed in the USA. February 1998.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.

Trademarks

BN and Bay Networks are registered trademarks and Advanced Remote Node, ARN, ASN, BayRS, BaySecure, and the Bay Networks logo are trademarks of Bay Networks, Inc.

Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are registered trademarks of Microsoft Corporation. FireWall-1 is a trademark or registered trademark of Check Point Technologies, Ltd.

All other trademarks and registered trademarks are the property of their respective owners.

Restricted R
4. LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST BAY NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

Contents

About This Guide
    [illegible] x
    [illegible] x
    [illegible] xi
    Bay Networks Technical Publications xi
    Bay Networks Customer Service xii
    How to Get Help xii
    Bay Networks Educational Services xiii

Chapter 1
BaySecure FireWall-1
    Managing Firewall Operations 1-1
    How the Firewall Software Works 1-2
    Where You Should Go from Here 1-2

Chapter 2
Installing FireWall-1 Management Software
    Obtaining Software Licenses 2-1
    Obtaining a FireWall-1 License for the
5. Installing the Check Point FireWall-1 Software

Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you're in the directory where you put the extracted files and then issue the fwinstall command.

For example, if you extracted the files into your /tmp directory, install the software by issuing the following commands:

    lab  cd /tmp
    lab  fwinstall

Installation Options

Note that during the installation, the script asks you to select the FireWall-1 option you want to install. To be compatible with BaySecure FireWall-1, enter selection 3, FireWall-1 Enterprise Management Console Product. A sample follows:

    Which of the following FireWall-1 options do you wish to install?

    (1) FireWall-1 Enterprise Product
    (2) FireWall-1 Single Gateway Product
    (3) FireWall-1 Enterprise Management Console Product
    (4) FireWall-1 FireWall Module
    (5) FireWall-1 Inspection Module

    Enter your selection (1-7/a): 3

Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD-ROM and installs it onto a SparcStation running SunOS. Use this sample installation to familiarize yourself with the FireWall-1 installation script.

Note: In the following sample installation, all user input is in bold.

    *************** FireWall-1 v3.0 Installation ***************

    Reading fwinstall configur
6. see the following topics:

    Topic                                                                            Page
    Creating a Firewall on the Router                                                3-1
    Enabling or Disabling the Firewall on the Router                                 3-4
    Setting Up Communications Between the Firewall Management Station and the Router 3-4
    Enabling the Firewall on Router Interfaces                                       3-6
    Activating the Firewall                                                          3-9
    Defining a Firewall Security Policy                                              3-11
    Installing the Security Policy on the Router and Its Interfaces                  3-11
    Deleting Firewall from the Router                                                2-12
    Troubleshooting Checklist                                                        3-14

Creating a Firewall on the Router

This section explains how to create a firewall on a Bay Networks router using Site Manager.

You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, refer to Using Technician Interface Software.

Caution: Unlike using Site Manager, the Technician Interface does not verify that the value you enter for a parameter is valid. Entering an invalid value can corrupt your configuration.

Before You Begin

Before you begin, you must first configure and enable IP on the router and enable TCP on all slots on the router. For instructions, see Quick Starting Routers.

Using Site Manager

Begin by starting Site
7. you must first obtain a permanent software license from Check Point Software Technologies for:

• The firewall management station

  You need one software license for the firewall management station, a PC or UNIX workstation used to manage the firewall software on the Bay Networks router.

• The router

  You need one software license for each Bay Networks router protected by the firewall software.

Obtaining a FireWall-1 License for the Management Station

To obtain a FireWall-1 license for the firewall management station, follow these instructions.

Note: You need one license for each FireWall-1 management station. To obtain a license for each additional management station, you must repeat the steps outlined in this section.

1. Locate your certificate key.

   A certificate key (serial number) is located on a sticker on the inside of the CD folder containing the Check Point FireWall-1 management software media. If you lose the certificate key bearing the FireWall-1 serial number, contact Bay Networks.

2. Contact Check Point Software Technologies.

   To obtain a permanent license, you must contact Check Point with your certificate key information. You can reach Check Point in any of these ways:

   • Via the World Wide Web at http://license.CheckPoint.com
   • By sending mail to license@checkpoint.com
   • By phoning Check Point:
     800 429 4391 (North America)
     972 3 613 1833 (outsi
8. C

Check Point, contacting, 2-2, 2-4
commands
    commit, 3-2
    fw putlic, 2-19
    fwconfig, 2-18
    fwinstall, 2-14
    fwputkey, 2-19
    fwstart, 2-19
    fwstop, 2-19
    fwui &, 2-20
    set, 3-2
Configuration Manager, 3-2
configuring a firewall, 3-1
creating a firewall, 3-1
customer support
    programs, xii
    Technical Solutions Centers, xii

D

daemons, 2-19

E

enabling the firewall
    on an interface, 3-6
    on the router, 3-4
extracting tar files, 2-13

F

FireWall-1 License
    for the Management station, obtaining, 2-1
    for the router, obtaining, 2-1
fw putlic command, 2-19
fwconfig command, 2-18
fwinstall command, 2-14
fwputkey command, 2-19
fwstart command, 2-19
fwstop command, 2-19
fwui & command, 2-20

G

groups, adding, 2-18
GUI clients, adding, 2-12, 2-18

inspection code, 3-11
installation
    options, 2-14
    sample, 2-6, 2-14
installing management software, 2-14

L

license
    adding, 2-12, 2-18
    installing on management station, 2-19

management station, 3-4
    primary, 3-5
modules, firewall stateful inspection, 1-2
mounting a CD drive, 2-13

R

refreshing the display, 3-10
remote modules, adding, 2-12, 2-18
Reset button, 3-9
rule base, verifying, 3-11

S

security policy
    configuring, 3-11
    downloading, 3-11
security rules, 3-11
serial number, obtaining, 2-2, 2-4
starting the daemons, 2-19
stateful inspection module, 1-2
static route, configuring, 3-9
sy
9. Help

If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Centers:

    Technical Solutions Center   Telephone number     Fax number
    Billerica, MA                800 2LANWAN          508 916 3514
    Santa Clara, CA              800 2LANWAN          408 495 1188
    Valbonne, France             33 4 92 96 69 68     33 4 92 96 69 98
    Sydney, Australia            61 2 9927 8800       61 2 9927 8811
    Tokyo, Japan                 81 3 5402 0180       81 3 5402 0173

Bay Networks Educational Services

Through Bay Networks Educational Services, you can attend classes and purchase CDs, videos, and computer-based training programs about Bay Networks products. Training programs can take place at your site or at a Bay Networks location. For more information about training programs, call one of the following numbers:

    Region                           Telephone number
    United States and Canada         800 2LANWAN, then enter Express Routing Code (ERC) 282 when prompted
                                     978 916 3460 (direct)
    Europe, Middle East, and Africa  33 4 92 96 15 83
    Asia/Pacific                     61 2 9927 8822
    Tokyo and Japan                  81 3 5402 7041

Chapter 1
BaySecure FireWall-1

BaySecure™ FireWall-1 builds
10. ***************

    DO NOT FORGET TO:
    1. add the line: setenv FWDIR /etc/fw to .cshrc
       or FWDIR=/etc/fw; export FWDIR to .profile
    2. add /etc/fw/bin to path
    3. add /etc/fw/man to MANPATH environment
    ************************************************************

    You may configure FireWall-1 anytime, by running fwconfig.

    **************** Installation completed successfully ****************

Customizing the FireWall-1 Installation

You can use the fwconfig command to customize your FireWall-1 installation. Using fwconfig, you can add or remove:

• A license
• Administrators
• Groups
• GUI clients
• Remote modules
• CA keys

Note: To add an administrator, you must first add a group to which the user is a member. If you do not add a group, then you can run the GUI using only the fwui command if you are logged in as root.

For further details, refer to your Check Point FireWall-1 documentation.

Installing a License on the Management Station

To install a license on the firewall management station, use the following command:

    fw putlic <hostid> <lic_string> pfmx controlx routers motif embedded

The <hostid> is the host ID of the management station.

The <lic_string> is a string of alphanumeric characters that Check Point provides with your FireWall-1 license.

Starting and Stopping th
11. from the Internet. Go to support.baynetworks.com/library/tpubs. Find the Bay Networks products for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Reader, you can open the manuals and release notes, search for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.

Documentation sets and CDs are available through your local Bay Networks sales office or account representative.

Bay Networks Customer Service

You can purchase a support contract from your Bay Networks distributor or authorized reseller, or directly from Bay Networks Services. For information about, or to purchase a Bay Networks service contract, either call your local Bay Networks field sales office or one of the following numbers:

    Region                     Telephone number                                Fax number
    United States and Canada   800 2LANWAN; then enter Express Routing         978 916 3514
                               Code (ERC) 290, when prompted, to
                               purchase or renew a service contract
                               978 916 8880 (direct)
    Europe                     33 4 92 96 69 66                                33 4 92 96 69 96
    Asia/Pacific               61 2 9927 8888                                  61 2 9927 8899
    Latin America              561 988 7661                                    561 988 7550

Information about customer service is also available on the World Wide Web at support.baynetworks.com.

How to Get
12. user manuals, in whole or in part. The Software and user manuals embody Bay Networks' and its licensors' confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee's facility, provided they have agreed to use the Software only in accordance with the terms of this license.

3. Limited warranty. Bay Networks warrants each item of Software, as delivered by Bay Networks and properly installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Bay Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first ship
13. your Check Point FireWall-1 documentation.

To identify the management station to the router:

Site Manager Procedure (You do this / System responds)

1. From Configuration Manager, choose Platform.
   System responds: The Platform menu opens.
2. Choose FireWall.
   System responds: The FireWall menu opens.
3. Choose FireWall Parameters.
4. Set the Log Host IP Address parameter. Click on Help or see the parameter description on page A-2.
5. Click on OK.
   System responds: You return to the Configuration Manager window.

Establishing a Static Route

You may need to establish a static route between the router and the management station before you configure the parameters. By default, FireWall-1 filters in-bound routing protocol packets from RIP or OSPF. Therefore, if your router and firewall management station are on different subnets, you will need to establish a static route on the router, pointing to the management station's subnet; otherwise, your management station will be unable to communicate with the router. For information about creating a static route, see Configuring IP Services.

Identifying the Router

To identify the router protected by the firewall:

Site Manager Procedure (You do this / System responds)

1. From Configuration Manager, choose Platform.
   System responds: The Platform menu opens.
2. Choose FireWall.
   System responds: The FireWall menu opens.
3. Choose FireWall Parameters.
   System responds: The FireWall Par
14. Configuring a Firewall on a Router
    Creating a Firewall on the Router 3-1
        Before You Begin
        Using Site Manager 3-2
    Enabling or Disabling the Firewall on the Router 3-4
    Setting Up Communications Between the Firewall Management Station and the Router 3-4
        Establishing the Firewall Management Station 3-4
        Establishing a Static Route 3-5
        Identifying the Router 3-5
    Enabling the Firewall on Router Interfaces 3-6
    Activating the Firewall 3-9
    Defining a Firewall Security Policy 3-11
    Installing the Security Policy on the Router and Its Interfaces 3-11
    Deleting Firewall from the Router 3-12
        Deleting Firewall Locally or Remotely Using Site Manager 3-12
        Deleting Firewall Dynamically Using the Technician Interface 3-13
    Troubleshooting Checklist 3-14

Appendix A
Parameter Descriptions
    FireWall Enable Parameter
15. Management Station 2-2
        Sample Response from Check Point 2-3
    Obtaining a FireWall-1 License for the Router 2-4
        Sample Response from Check Point 2-5
    Installing and Running the FireWall-1 Management Software 2-5
    Installing on a Computer Running Windows NT 2-5
        Sample Installation 2-6
        Customizing the FireWall-1 Installation 2-12
    Installing on a UNIX Platform 2-13
        Before You Install 2-13
        Mounting the CD and Extracting the Tar File 2-13
        Installing the Check Point FireWall-1 Software 2-14
        Installation Options 2-14
        Sample Installation 2-14
        Customizing the FireWall-1 Installation 2-18
        Installing a License on the Management Station 2-19
        Starting and Stopping the FireWall-1 Daemons 2-19
        Synchronizing the Management Station and the Router Passwords 2-19
        [illegible] 2-20

Chapter 3
16. Manager. Then follow these steps:

1. Select Configuration Manager in either local, remote, or dynamic mode from the Tools menu.

   The Configuration Manager window opens (Figure 3-1).

   Figure 3-1. Configuration Manager Window

2. If local or remote mode is selected, open a configuration file.

3. Create a firewall.

   Site Manager Procedure (You do this / System responds)

   1. From Configuration Manager, choose Platform.
      System responds: The Platform menu opens.
   2. Choose FireWall.
      System responds: The FireWall menu opens.
   3. Choose Create.
      System responds: A dialog box opens. See Figure 3-2.
   4. Click on OK.
      System responds: You return to the Configuration Manager window.

By default, the firewall is automatically enabled on the router. To change this status, see "Enabling or Disabling the Firewall on the Router" on page 3-4.

Figure 3-2. Create Firewall Dialog Box (dialog text: IP forwarding will be disabled upon reboot by virtue of the default security policy on the router, and will remain in this state until the desired policy is installed.)
17. W-1 license (y/n) [y] ? N

    Do you wish to start FireWall-1 automatically from /etc/rc.local (y/n) [y] ? N

    Welcome to FireWall-1 Configuration Program

    This program will guide you through several steps where you
    will define your FireWall-1 configuration. In any later time,
    you can reconfigure these parameters by running fwconfig.

    Configuring Licenses

    The following licenses are installed on this host:
    Eval 15Mar97 3.x pfmx controlx routers connect motif

    Do you want to add licenses (y/n) [n] ? N

    Configuring Administrators

    No FireWall-1 Administrators are currently defined for this
    Management Station.

    Do you want to add users (y/n) [y] ? N

    Configuring GUI clients

    GUI clients are trusted hosts from which FireWall-1 Administrators
    are allowed to log on to this Management Station using Windows/X-Motif
    GUI.

    Do you want to add GUI clients (y/n) [y] ? N

    Configuring Remote Modules

    Remote Modules are FireWall or Inspection Modules that are going
    to be controlled by this Management Station.

    Do you want to add Remote Modules (y/n) [y] ? N

    Configuring Groups

    FireWall-1 access and execution permissions

    Usually, FireWall-1 is given group permission for access and
    execution.
    You may now name such a group or instruct the installation
    procedure
    to give no group permissions to FireWal
18. Figure 2-7. Choose Destination Location Window (Destination Directory: C:\Program Files\CheckPoint\FireWall-1)

You can either accept the default directory (Program Files) or make another selection.

3. Click on Next.
   The Select Components window (Figure 2-8) opens.

   Figure 2-8. Select Components Window (window text: To install a program, click the check box next to it. If the check box is clear, the program will not be installed.)

4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation

You can customize your FireWall-1 installation by running the FireWall-1 Configuration file.

To execute the file, enter:

    Start > Programs > FireWall-1 > FireWall-1 Configuration

Using the FireWall-1 Configuration file, you can add:

• A license
• Administrators
• GUI clients
• Remote modules
• CA keys

For more information, refer to your Check Point documentation.

Installing on a UNIX Platform

Use the following sections as a guide to installing the FireWall-1 software on a computer running UNIX. For more details, refer to your Check Point FireWall-1 documentation.

Before Yo
19. ameters
Default: 0.0.0.0
Options: Any valid IP address
Function: Identifies the IP address of the router to be protected by the firewall.
Instructions: Enter the IP address of the router you intend to have protected by the firewall. If the IP address of the firewall management station and the IP address of the router are on different subnets, then you must configure a static route to the local host IP address to enable communication between the router and the firewall management station. Configuring IP Services provides information about configuring a static route.

List FireWall Interfaces Parameters

Parameter: Name
Path: Protocols > IP > FIREWALL
Default: None
Options: Any string of alphanumeric characters
Function: Identifies an interface by name.
Instructions: Enter a meaningful name in alphanumeric characters.

Parameter: Disable
Path: Protocols > IP > FIREWALL
Default: Disable
Options: Enable | Disable
Function: Enables or disables the firewall on one or more interfaces.
Instructions: Highlight one or more interfaces and choose Enable to allow the firewall to be active on the interfaces. Choose Disable to deactivate the firewall on the interfaces.

A

activating FireWall-1, 3-9
adding
    administrators, 2-18
    groups, 2-18
    GUI clients, 2-12, 2-18
    license, 2-12, 2-18
    remote modules, 2-12, 2-18

booting the router, 3-9
20. ameters window opens.

Site Manager Procedure (continued) (You do this / System responds)

4. Set the Local Interface IP Address parameter. Click on Help or see the parameter description on page A-3.
5. Click on OK.
   System responds: You return to the Configuration Manager window.

Enabling the Firewall on Router Interfaces

After you have created a firewall on the router, you can enable it on one or more interfaces.

To enable a firewall on router interfaces:

Site Manager Procedure (You do this / System responds)

1. From Configuration Manager, choose Protocols.
   System responds: The Protocols menu opens.
2. Choose IP.
   System responds: The IP menu opens.
3. Choose FIREWALL.
   System responds: The List FireWall Interfaces window opens. See Figure 3-3.
4. Click on Add.
   System responds: The Values window opens. See Figure 3-4.
5. Click on All to display all router interfaces, or choose a connection button to display router interfaces by connection type.
   System responds: Site Manager lists the interfaces at the top of the screen.
6. Click on Check All to highlight all listed interfaces, or highlight individual interfaces.
7. Click on OK.
   System responds: Site Manager returns you to the List FireWall Interfaces window. See Figure 3-3.
8. Set the FireWall Name parameter for the highlighted interface. Click on Help or see the parameter description on page A-4.
21. and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable.

6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks.

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks' copyright in the Software and user manuals will cease being effective at the date of expiration of the Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks' confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay Networks is not liable to Licensee for damages in any form
22. ation. This might take a while.

    Please wait...
    Configuration loaded
    Running FireWall-1 Setup.
    Checking available options. Please wait...

    Which of the following FireWall-1 options do you wish to install/
    configure?

    (1) FireWall-1 Enterprise Product
    (2) FireWall-1 Single Gateway Product
    (3) FireWall-1 Enterprise Management Console Product
    (4) FireWall-1 FireWall Module
    (5) FireWall-1 Inspection Module

    Enter your selection (1-5/a): 3

    Installing/Configuring FireWall-1 Enterprise Management Console
    Product.

    Please wait...

    Selecting where to install FireWall-1

    FireWall-1 requires approximately 9017 KB of free disk space.
    Additional space is recommended for logging information.

    Enter destination directory [/etc/fw] : <RETURN>

    Checking disk space availability...

    Installing FW under /etc/fw (50836 KB free)
    Are you sure (y/n) [y] ? y

    Software distribution extraction

    Extracting software distribution. Please wait...
    Software Distribution Extracted to /etc/fw
    Installing license

    Reading pre-installed license file fw.LICENSE... done.

    The following evaluation License key is provided with this
    FireWall-1 distribution
    Eval 15Mar97 3.x pfmx controlx routers connect motif

    Do you want to use this evaluation F
23. ay Networks router software inspects all data packets traveling between the data link and network layers and communicates the results to the management station. If the data packets meet the security requirements specified in the security policy, the router forwards the data. If the data packets violate the security policy, the router drops the data packets and logs the information to the management station.

Where You Should Go from Here

To get a firewall up and running on your Bay Networks router:

    For information on how to                                              Go to page
    Obtain licenses from Check Point                                       2-1
    Install the Check Point Management software                            2-5
    Create a firewall                                                      3-1
    Enable the firewall on the router                                      3-4
    Establish a relationship between the management station and the router 3-4
    Enable the router on specific interfaces                               3-6
    Activate the firewall                                                  3-9
    Configure a firewall security policy                                   3-11 (and see your Check Point FireWall-1 documentation)
    Install the security policy on the router                              3-11 (and see your Check Point FireWall-1 documentation)

Chapter 2
Installing FireWall-1 Management Software

To install the FireWall-1 software, see the following sections:

    Topic                                                      Page
    Obtaining Software Licenses                                2-1
    Installing and Running the FireWall-1 Management Software  2-5

Obtaining Software Licenses

Before you can install the FireWall-1 software and create a firewall on the router
24. ce.

    Request Details

    Certificate Key: 7XXX xxx lxxx
    Customer Name:   Bay Networks
    Product:         BABN IM U
    Version:         3.0
    Host ID:         012.012.012.012

    License Issued

    Host ID:         012.012.012.012
    Features:        embedul
    License String:  7fff6161-408d3b21-a161c10f

    License Installation

    run: fw putlic 012.012.012.012 7fff6161-408d3b21-a161c10f embedul

Installing and Running the FireWall-1 Management Software

Once you obtain a FireWall-1 license from Check Point, you can install the Check Point FireWall-1 management software on a computer running either Windows NT or UNIX.

Installing on a Computer Running Windows NT

Use the following sections as a guide to installing the FireWall-1 management software on a computer running Windows NT. For more details, refer to your Check Point FireWall-1 documentation.

Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with a basic FireWall-1 installation.

Note: This sample installation shows only those screens necessary for a basic installation.

Installing the Management Software

1. Insert the CD into the CD-ROM drive and run the Setup program (setup.exe). To specify the name and location of the program to run, type (where D is the name of your CD-ROM drive):

    D:\window
25. d to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Bay Networks, Inc. Software License Agreement

NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as "Software" in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

1. License Grant. Bay Networks, Inc. ("Bay Networks") grants the end user of the Software ("Licensee") a personal, nonexclusive, nontransferable license: a) to use the Sof
26. de North America.

When requesting a license, you must also be prepared to provide the IP address of the management station on which you plan to install the license.

Sample Response from Check Point

    Your license request with the following details has been accepted.
    Below you will find the corresponding license string.

    We recommend printing this page and saving it in your files for
    future reference.

    Request Details

    Certificate Key: 5xxx 5XXX xxx
    Customer Name:   Bay Networks
    Product:         CPFW ESC U
    Version:         340
    Host ID:         123.123.123.123

    License(s) Issued

    Host ID:         123.123.123.123
    Features:        control
    License String:  7XXXXXXX-8XXXXXXX-XXXXXXX

    License(s) Installation

    run: fw putlic 123.123.123.123 7xxxxxxx-8xxxxxxx-fxxxxxxx control

    Contact Information

    This Check Point product has been purchased through: Bay Networks

Note: If you need to change the IP address of the FireWall-1 management station, contact Check Point at 800-429-4391 (North America) or 972-3-613-1833 (locations outside of North America).

For information about how to install the license, refer to the section "Installing and Running the FireWall-1 Management Software" on page 2-5 and the Check Point FireWall-1 documentation.

Obtaining a FireWall-1 License for the Router

To obtain a FireWal
27. e <slot> <port> _all

    <slot> <port>   Deletes a firewall from a specific slot/port combination.
    _all            Deletes a firewall from the router entirely.

Warning: The firewall delete all command deletes the MIB. This action disables the FireWall functionality on the router, but it does not affect internal resources that were originally allocated for the FireWall-1 application.

After using the firewall delete all command, you should save the configuration file and reboot the router to free internal resources. You can then reconfigure FireWall dynamically.

Troubleshooting Checklist

If you experience problems with FireWall-1, verify that you have performed these steps:

- Enabled IP on the router
- Enabled TCP on all slots on the router
- Created a firewall using Site Manager
- Created a static route if the router and firewall management stations are on different subnets
- Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management station
- Defined a security policy and added a network object for the router using the FireWall-1 GUI
- Saved the configuration and booted the router
- Installed the security policy on the router

If you have performed these steps and are still having system problems, contact your Bay Networks Technical Solutions Center.

Append
28. e able to communicate with the router through Site Manager until you change the FireWall-1 default security policy. For more information, see "Defining a Firewall Security Policy" on page 3-11.

Caution: If your firewall management station and router are on different subnets, you will not be able to communicate with the router from the management station unless you establish a static route from the management station to the router before you activate the firewall. For information about creating a static route, see Configuring IP Services.

Activating the Firewall

Before the FireWall-1 security policy can take effect on the router, you must first activate the firewall by booting the router using Site Manager on the management station. Booting a router warm-starts every processor module in the router. Pressing the Reset button on the front panel of the router performs the same procedure.

Note: When you activate the firewall, the default security policy prevents all interfaces supported by the firewall from communicating with the router. If the firewalled router and management station are on different subnets, you must establish a static route to enable communication between the router and the management station before you activate the firewall. For information about configuring a static route, see Configuring IP Services.

To reboot the router using Site Mana
29. e FireWall-1 Daemons

To start the FireWall-1 daemons, use the fwstart command. For example, at the system prompt, type:

    lab# fwstart

To stop the FireWall-1 daemons, use the fwstop command. For example, at the system prompt, type:

    lab# fwstop

Synchronizing the Management Station and the Router Passwords

Once you have installed licenses on the firewall management station and the router, you must synchronize your password on the two systems. To synchronize the router and the management station passwords, enter the following commands:

- On the firewall management station:

    fw putkey -p <password> <ip_address_fwall_router>

- On the router:

    fwputkey <password> <ip_address_mgmt_station>

where:

    <password>                  A string of alphanumeric characters that specifies your password.
    <ip_address_fwall_router>   The IP address of your firewalled router.
    <ip_address_mgmt_station>   The IP address of your FireWall-1 GUI management station.

Starting FireWall-1

To start FireWall-1, enter the fwui& command. For example, at the system prompt, type:

    lab# fwui&

Optionally, you can use the FireWall-1 XMotif GUI. For instructions on how to install and start the XMotif GUI, see your Check Point documentation.

Chapter 3
Configuring a Firewall on a Router

To configure a firewall on the router
30. ewall from the router. To dynamically delete a firewall from the router, you must use the Technician Interface.

Deleting Firewall Locally or Remotely Using Site Manager

Site Manager allows you to delete a firewall from the entire router in local and remote modes only.

To delete a firewall:

Site Manager Procedure

    You do this                                           System responds
    1. From Configuration Manager, choose Platform.       The Platform menu opens.
    2. Choose FireWall.                                   The FireWall menu opens.
    3. Choose Delete.                                     A dialog box opens, asking if you are sure that you want to delete the firewall.
    4. Click on OK.                                       You return to the Configuration Manager window.

Warning: Deleting a firewall using Site Manager deletes the firewall management information base (MIB). This action disables firewall functionality on the router, but it does not affect internal resources that were originally allocated for the FireWall-1 application.

After you delete a firewall using Site Manager, you should save the configuration file and reboot the router to free internal resources. You can then reconfigure FireWall dynamically.

Deleting Firewall Dynamically Using the Technician Interface

To delete a firewall dynamically, you must use the Technician Interface. The Technician Interface allows you to delete a firewall on a slot/port basis, or from all ports on the router.

    firewall delet
31. firewall security features into Bay Networks router software. It does this by integrating the stateful inspection module from Version 2.1 of the Check Point Software Technologies FireWall-1 software into the Bay Networks router operating system of Bay Networks BN, ASN, and ARN routers. BaySecure FireWall-1 provides all of the security features from Version 2.1 of the Check Point Software Technologies FireWall-1 software, except for user authentication, address translation, statistics and encryption.

Managing Firewall Operation

A firewall is the hardware and/or software that limits the exposure of a computer or network to an invasion from an external source. To control the operation of the firewall on the router, you use the Check Point FireWall-1 management software.

You install this management software on either a computer running Windows NT or on a UNIX workstation to create a firewall management station. From the management station, you can use the FireWall-1 management software to define a security policy and download it to the router. The security policy specifies how the firewall operates. For instructions on how to install the FireWall-1 management software, see Chapter 2, "Installing FireWall-1 Management Software." To learn how to configure a security policy, see your Check Point documentation.

How the Firewall Software Works

The stateful inspection module in the B
32. ger:

1. From the main Site Manager window, select Administration > Boot Router.

   The Boot Router window opens (Figure 3-5).

   Figure 3-5. Boot Router Window

2. Specify the correct volume and boot image.

3. Select the correct router volume and configuration file. Then click on Boot.

   A confirmation window appears.

4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot.

5. Select View > Refresh Display from the main Site Manager window to verify that the router booted correctly.

   If the router booted correctly, system information appears in the main Site Manager window.

   If the router did not boot correctly, system information does not appear. In this case, make sure that you followed the procedures described in this section.

If you have any questions, refer to Configuring and Managing Routers with Site Manager or call your local Bay Networks Technical Solutions Center.

Defining a Firewall Security Policy

A security policy is a collection of rules that define the way the firewall operates. The default FireWall-1 security policy drops all attempts at communication with the router. This security policy goes into effect when you first activate the firewall on the router.

You must establish a security policy that explicitly defines acceptable communication to the rou
33. ights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the products described in this document without notice.

Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be use
34. ix A
Parameter Descriptions

This appendix contains parameter descriptions for BaySecure FireWall-1 parameters.

FireWall Enable Parameter

    Parameter:     Enable
    Path:          Platform > FireWall > Global
    Default:       Enable
    Options:       Enable | Disable
    Function:      Enables or disables the firewall on the entire router.
    Instructions:  Choose Enable to allow the firewall to be active on the router. Choose Disable to disable the firewall on the router.

FireWall Parameters

    Parameter:     Log Host IP Address
    Path:          Platform > FireWall > FireWall Parameters
    Default:       0.0.0.0
    Options:       Any valid IP address
    Function:      Identifies the IP address of the primary firewall management station.
    Instructions:  Enter the IP address of the PC or UNIX workstation where you installed the Check Point FireWall-1 management software. If you have installed FireWall-1 management software on more than one PC or UNIX workstation, enter in the IP address of the workstation you plan to use as your primary FireWall-1 management station.
                   If the IP address of the management station and the IP address of the router are on different subnets, then you must configure a static route to the router to enable communication between the router and the management station. Configuring IP Services provides information about configuring a static route.

    Parameter:     Local Interface IP Address
    Path:          Platform > FireWall > FireWall Par
35. l-1. In the latter case, only the Super-User will be able to access and execute FireWall-1.

    Please specify group name [<RET> for no group permissions]:
    No group permissions will be granted. Is this ok (y/n) [y] ? y

    Configuring Random Pool

    You are now asked to perform a short random keystroke session.
    The random data collected in this session will be used for
    generating Certificate Authority RSA keys.

    Please enter random text containing at least six different
    characters. You will see the '*' symbol after keystrokes that
    are too fast or too similar to preceding keystrokes. These
    keystrokes will be ignored.

    Please keep typing until you hear the beep and the bar is full.

    Thank you.

    Configuring CA Keys

    fw: no license for 'ca'

    The installation procedure is now creating an FWZ Certificate
    Authority Key for this host. This can take several minutes. Please wait...

    fw: no license for 'ca'

    Configuration ended successfully
    **************** FireWall-1 is now installed ****************

    Do you wish to start FW-1 now (y/n) [y] ? N
36. l-1 license for a router you plan to protect with a firewall, follow these instructions:

Note: You need one license for each router that you plan to protect with a firewall. To obtain a license for each additional router, you must repeat the steps outlined in this section.

1. Locate your certificate key.

   A certificate key (serial number) is located on a sticker on the inside of the CD folder containing the Check Point FireWall-1 software media. If you lose the certificate key bearing the FireWall-1 serial number, contact Bay Networks.

2. Contact Check Point Software Technologies.

   To obtain a permanent license, you must contact Check Point. To process your request, Check Point requires your certificate key and the IP address of the router you plan to protect with a firewall.

   You can reach Check Point in any of these ways:

   - Via the World Wide Web at http://license.CheckPoint.com
   - By sending mail to license@checkpoint.com
   - By phoning Check Point: 800-429-4391 (North America), 972-3-613-1833 (outside North America)

To synchronize the FireWall-1 password on the router and the management station, use the fw putkey command. See "Synchronizing the Management Station and the Router Passwords" on page 2-19.

Sample Response from Check Point

    The following license was generated.
    We recommend printing this page and saving it in your files for
    future referen
37. n a Router

Site Manager Procedure (continued)

    You do this                                                                           System responds
    9. Set the Disable parameter. Click on Help or see the parameter description on       
       page A-4.
    10. Click on Done.                                                                    You return to the Configuration Manager window.

Figure 3-3. List Firewall Interfaces Window

Note: Once the firewall is protecting your router, if you put firewall protection on a new interface, the new interface will use the default security policy supplied by Check Point, which prevents the new interface from communicating with the router.

You can download your customized security policy to the new interface using the Check Point FireWall-1 command line. You can also use the Check Point FireWall-1 graphical user interface (GUI) to download the security policy. The GUI, however, downloads the same security policy to all interfaces. For further information and instructions, see your Check Point documentation.

Figure 3-4. Values Window

Once you enable the firewall on an interface and reboot the router, you will not b
39. ped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee's intended results and for the installation, use, and results obtained from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the Licensee's requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Bay Networks or in accordance with its instructions; (ii) used in conjunction with another vendor's product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee i
40. s\fw1\setup.exe

   The Choose Destination Location window (Figure 2-1) opens.

   Figure 2-1. Choose Destination Location Window

2. Choose a destination directory. You can either accept the default directory (Program Files) or make another selection.

3. Click on Next.

   The Selecting Product Type window (Figure 2-2) opens.

   Figure 2-2. Selecting Product Type Window

4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Console Product.

5. Click on Next.

   The Licenses window (Figure 2-3) opens.
41. s responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.

4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.

5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software-Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian agencies,
42. sible for network security, you need to read this guide to learn about BaySecure FireWall-1 and the steps you need to take to install, configure, and activate a firewall on a Bay Networks router.

    If you want to                                                          Go to page
    Obtain a Check Point FireWall-1 license                                 2-1
    Install Check Point firewall management software                        2-5
    Create a firewall on the router                                         3-1
    Enable the firewall on the router                                       3-4
    Establish a relationship between the management station and the router  3-4
    Enable the firewall on one or more router interfaces                    3-6
    Activate the firewall                                                   3-9
    Configure a security policy                                             3-11
    Install the security policy on the router                               3-11
    Delete a firewall from the router                                       3-12

You will also need to consult the FireWall-1 document from Check Point Technologies.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:

- Install the router (refer to the installation guide that came with your router).
- Connect the router to the network and create a pilot configuration file (refer to Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting ASN Routers to a Network).

Make sure that you are running the latest version of Bay Networks Site Manager and router software. For instructions, refer to Upgrading Routers from Version 7-11.xx to Version 12.00.

Conventions

angle brackets (<
43. solely by reason of the termination of this license.

8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.

Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America Parkway, P.O. Box 58185, Santa Clara, California 95054-8185.
44. some random text of at least 6 different keys, until you hear the beep and the bar is full.

    Note: Strokes that are too fast or too similar to the predecessor strokes are ignored.

   Figure 2-6. Key Hit Session Window

13. Follow the directions in the window and enter random characters, with a delay of a few seconds between them, until the indicator bar is full.

    Be sure not to type the same character twice in a row, and vary the delay between the characters.

14. Click on Next.

    The CA Key window opens.

15. Click on Generate to generate a new key.

    The host uses the RSA key to generate a digital signal for authenticating its communications in its capacity as a Certificate Authority.

    Generating the key may take several minutes.

16. Click on Finish.

Installing the GUI Client

1. Insert the CD into the CD-ROM drive and run the setup.exe file. To specify the name and location of the program to run, type (where D is the name of your CD-ROM drive):

    D:\windows\gui_client\disk1\setup.exe

   The Choose Destination Location window (Figure 2-7) opens.

2. Choose a destination directory.

    Choose Destination Location

    Setup will install FireWall-1 in the following directory.
    To install to this directory, click Next.
    To install to a different directory, click Browse and select another directory.
    You can choose not to install Firew
45. >)
    Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
    Example: if command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold text
    Indicates text that you need to enter, command names, and buttons in menu paths.
    Example: Enter wfsm &
    Example: Use the dinfo command.
    Example: ATM DXI > Interfaces > PVCs identifies the PVCs button in the window that appears when you select the Interfaces option from the ATM DXI menu.

italic text
    Indicates variable values in command syntax descriptions, new terms, file and directory names, and book titles.

quotation marks (" ")
    Indicate the title of a chapter or section within a book.

screen text
    Indicates data that appears on the screen.
    Example: Set Bay Networks Trap Monitor Filters

separator ( > )
    Separates menu and option names in instructions and internal pin-to-pin wire connections.
    Example: Protocols > AppleTalk identifies the AppleTalk option in the Protocols menu.
    Example: Pin 7 > 19 > 20

Acronyms

    GUI      graphical user interface
    IP       Internet Protocol
    LAN      local area network
    MIB      management information base
    OSI      Open Systems Interconnection
    TCP/IP   Transmission Control Protocol/Internet Protocol

Bay Networks Technical Publications

You can now print technical manuals and release notes free, directly
46. ter, based on the source address, destination address, and type of service. For details about how to configure a security policy, see your Check Point FireWall-1 documentation.

Installing the Security Policy on the Router and Its Interfaces

Once you have defined a security policy, you must install it on the router. Installing a security policy means downloading it to the firewalled objects that will enforce it.

When you download the security policy, the FireWall-1 software:

• Verifies that the rule base is logical and consistent
• Generates an inspection script from the rule base
• Compiles the inspection script to generate inspection code for the router
• Downloads the inspection code to the router

Note: Once the firewall is protecting your router, if you put firewall protection on a new interface, the new interface will use the default security policy supplied by Check Point, which prevents the new interface from communicating with the router.

You can download your customized security policy to the new interface using either the Check Point FireWall-1 command line or the Check Point FireWall-1 graphical user interface (GUI). The GUI, however, downloads the same security policy to all interfaces.

For instructions on how to install the security policy, see your Check Point FireWall-1 documentation.

Deleting Firewall from the Router

You can use Site Manager to delete a fir
47. tware either on a single computer or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Bay Networks Agent software or other Bay Networks software products. Bay Networks Agent software or other Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.

2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Bay Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Bay Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or
48. u Install

Before you attempt to install the Check Point FireWall-1 software, be sure that you have completed these tasks:

• Obtain a FireWall-1 license for each firewall management station and router that you plan to protect with a firewall.
• Add setenv FWDIR /etc/fw to your .cshrc file, or add FWDIR /etc/fw to your .cshrc file and, if using the Korn shell, export FWDIR to your .profile file; if using the C shell, setenv FWDIR to your .profile file.
• Add /etc/fw/bin to your path.
• Add /etc/fw/man to your MANPATH environment.

Mounting the CD and Extracting the Tar File

Check Point distributes its FireWall-1 software on CD-ROM. You must supply the UNIX commands to mount the CD drive and extract the tar files.

The commands to mount a CD drive and extract the tar files vary depending on the device name of the CD drive, the operating system used, and other environmental factors. Use the instructions that follow only as guidelines for mounting the CD drive and extracting the tar files. The commands you need may differ.

For SunOS:

    lab# mount -r -t hsfs /dev/sr0 /cdrom
    lab# cd /tmp
    lab# tar xvf /cdrom/sunos4/fw1/fw.sunos4.tar

For Solaris:

    lab# mount -F hsfs -r /dev/sr0 /cdrom
    lab# cd /tmp
    lab# tar xvf /cdrom/solaris2/fw1/fw.solaris2.tar

For HPUX:

    lab# mount -r /dev/dsk/c1t2d0 (or your specific CD-ROM address) /cdrom
    lab# cd /tmp
    lab# tar xvf "/cdrom/HPUX/FW1/FW.HPUX.TAR;1"
49. Enabling or Disabling the Firewall on the Router

Note: When you first create a firewall, it is enabled by default.

To enable or disable the firewall on the router:

Site Manager Procedure

    You do this                                  System responds
    1. From Configuration Manager, choose        The Platform menu opens.
       Platform.
    2. Choose FireWall.                          The FireWall menu opens.
    3. Choose Global.                            The FireWall Enable window opens.
    4. Set the Enable parameter. Click on
       Help or see the parameter description
       on page A-1.
    5. Click on OK.                              You return to the Configuration Manager
                                                 window.

Setting Up Communications Between the Firewall Management Station and the Router

The firewall cannot protect your router until you set up communications between the firewall management station and the router.

To establish this relationship, you must use the same IP address you used to obtain FireWall-1 licenses for the firewall management station and the router.

Establishing the Firewall Management Station

The firewall management station is the PC or UNIX workstation where you installed the FireWall-1 software. You use the firewall management station to enforce the firewall security policy that you created for the router. The management station also logs all attempted violations of the security policy. (To define a security policy, see “Defining a Firewall Security Policy” on page 3-11. You will also need to consult
    