Symantec VelociRaptor 1100 Firewall
Contents
1. Table of contents (excerpt):
   Manage log files
   Add Symantec Raptor Management Consoles
   Use secure remote login
   Front panel keypad locking
   Use a locked keypad
   Antivirus Scanning
      Configuring antivirus scanning proxy services
      Configuring antivirus scanning for the FTP, HTTP and SMTP proxies
      Enabling antivirus scanning in a rule
      Symantec Gateway Security appliance setup
      Symantec Gateway Security antivirus configuration
   High Availability and Load Balancing (HA/LB)
      Implementation
      Three appliance cluster example
      Setting Up VIPs
      HA/LB terms
      About the cluster wizard
      Preparing to create a cluster
      Creating a cluster for software high availability/load balancing
      Creating a cluster for appliance file propagation or hardware HA/LB
      Verifying a cluster
      Modifying a cluster
      Deleting a cluster
      Viewing Cluster Properties
2. Figure 6-4 Symantec Raptor Management Console hosts list.
   3. To create a new host, right-click the DNS Records icon and choose New > Host. The DNS Record Properties page appears (see Figure 6-5).
   [Figure 6-5: DNS Record Properties page (New DNS Record: specify the parameters associated with the chosen DNS record type). Fields: Accessibility (Private/Public); Type (Name Server, Mail Server, Root Server, Forwarder, Host, Interface, Authority, Recursion, Subnet Map); Name; Network Address; Alias(es); Subnet Mask; Description; Domain(s) Served.]
   4. Under Accessibility, check whether the host is Private or Public. If you select Private, the data you typed is added to the hosts file. If you select Public, the data is added to the hosts.pub file. See "Provide hosts.pub file information" on page 101 for information on the hosts.pub file.
   5. Under Type, check Host if it is not already selected. When you select a Type, the fields in the DNS Record Properties page that require data entry become available.
   6. In the Name field, type a fully qualified host name.
   7. In the Network Address field, type the IP address for the host.
   8. In the Alias(es) field, type the host's nickname(s). You can type several nicknames at once into this field, separating each by a space.
   9. In the Description field, type a Description
3. Figure 5-7 Local protected entity pull-down menu.
   In this example we select Subnet from the pull-down menu to create the 192.168.10.0 manufacturing subnet displayed in Figure 5-1. A New Subnet dialog box appears (see Figure 5-8).
   [Figure 5-8: New Subnet dialog (local end), with Name "manufacturing" and address 192.168.10.0]
   8. In the dialog box, type a Name for your subnet entity (in this case, manufacturing) and type the IP address of the subnet (in this case, 192.168.10.0).
   9. Click OK; your subnet entity will be used as the local network entity.
   [Screenshot: S2S Tunnel Wizard, Local End screen. "To configure the local end of your secure tunnel you select a local security gateway (generally your Raptor system's outside interface) and the protected network entity that acts as the originator of the packets being sent or the final destination of the packets passing through the tunnel. 1. Select West using an already configured security gateway entity, or select a local interface to create a new local security gateway. 2. Select manufacturing using an already configured network entity, or create a new local protected network entity to serve as the originator of tunnel packets or the final destination for tunnel packets. Once your local end s]
4. Figure 5-18 Configured S2S secure tunnel in Symantec Raptor Management Console.
   You must configure both ends of the tunnel. Run the S2S Wizard on the remote end of the tunnel and specify the setup information in the reverse manner from the procedure in "Configure S2S tunnels using the wizard" on page 72. For example, local would be East and finance, and remote would be West and manufacturing.
   Configure VPN Client tunnels using the wizard
   The VPN client tunnel configuration displayed in Figure 5-19 is an example of a secure tunnel set up between a LAN behind a VelociRaptor 1.5 appliance and a VPN client in the field. The following pages walk you through the process of using the VPN Client Tunnel Wizard to set up the components of this tunnel. In Figure 5-19, West is once again our local VPN Server in this example, and JSmith is the user name for our Symantec Enterprise VPN Client (SEVPN). The goal of this configuration is to establish a VPN uniting the subnet behind the local VelociRaptor 1.5 appliance with the SEVPN client JSmith.
   [Figure 5-19: VPN Client secure tunnel. Local security gateway West (206.7.7.2); subnet Manufacturing 192.168.10.0, netmask 255.255.255.0; Internet; SEVPN client JSmith.]
   To configure a VPN Client tunnel
   To begin using the wizard, from the Symantec Raptor Management Console Configuring your Symantec System taskpad (see Figure 4-1), click the VPN Clie
5. Manage log files
   When a logfile exceeds a certain size (default 200MB), the system automatically starts another logfile by running the Changelog command. This prevents a single logfile from exhausting the available disk space. Through Symantec Raptor Management Console you can perform a manual Changelog command on the VelociRaptor system to roll over the current logfile to the oldlogs directory. For more detailed information on Changelog, see the Symantec Enterprise Firewall and Symantec Enterprise VPN Guide, provided as a PDF file.
   To perform a manual ChangeLog command
   1. In the left pane, from within Symantec Raptor Management Console, click Select All Tasks > ChangeLog (see Figure 7-10).
   [Figure 7-10: ChangeLog menu (Disconnect, View, Editor, Arrange Icons, Save and Reconfigure, Line up Icons, Stop, Help, System Shutdown, System Reboot, Restore Backup, Patch, SRL Client, Save All, Change Log, Import Users, Import VPN)]
   2. The current logfile is placed in the oldlogs directory and named according to the Symantec Raptor Management Console logfile dating convention, for example 2002315 (Mar 15, 2002). A new logfile is then started.
   Add Symantec Raptor Management Consoles
   The appliance can be managed by more than one Symantec Raptor Management Console, although not at the same time. Only one Symantec Raptor Management Console
6. [Figure 8-2: Rule Properties page, Miscellaneous tab ("Please select any miscellaneous attributes to this rule"), with the Application Data Scanning check box checked]
   4. Write the rule in accordance with the chapter on Rules in the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide.
   5. Click the Miscellaneous tab.
   6. Make sure that the Application Data Scanning check box is checked.
   7. Click the Services tab.
   8. Continue with one of the following procedures for FTP, HTTP or SMTP.
   To configure the FTP proxy for antivirus scanning
   1. Select ftp from the Excluded Services list and use the >> button to move it to the Included Services list.
   2. Select ftp in the Included Services list and click Configure to display the FTP Rule Properties page.
   [Figure 8-3: FTP Rule Properties page, General and Antivirus tabs ("Please specify if this rule will include antivirus scanning of FTP traffic. Application Data Scanning has to be enabled for enabling this option.")]
   3. Click the Antivirus tab.
   4. Check the Enable Antivirus Scanning check box.
   5. Click OK.
   6. When you have finished writing the rule, click OK.
   To configure the HTTP proxy for antivirus scanning
   1. Select http from the Excluded Services list and use the >> button to move it to the Included Services list.
   2. Select http in the Included Services list and click Configure to display th
8. [Figure 5-6: New Security Gateway dialog box (local end), showing the Network Interface field]
   5. Click OK; your new security gateway will be used as the local security gateway.
   Step 2 of the Local End screen gives you two ways to specify the originator or the endpoint for tunnel packets: by selecting an existing network entity, or by creating a new local protected entity. In this case we will create a new entity to represent our manufacturing subnet shown in Figure 5-1. From the second part of step 2, select the Create a new local protected entity link to display a pull-down menu of allowed entity types (see Figure 5-7).
   [Figure 5-7: S2S Tunnel Wizard, Local End screen. "To configure the local end of your secure tunnel you select a local security gateway (generally your Raptor system's outside interface) and the protected network entity that acts as the originator of the packets being sent or the final destination of the packets passing through the tunnel. 1. Select West using an already configured security gateway entity, or select a local interface to create a new local security gateway. 2. Select an existing network entity using an already configured network entity, or create a new local protected entity (pull-down menu showing Subnet, Group) to serve as the originator of tunnel packets or the final destination for tunnel packets. Once your selections are made, click the Remote End link."]
10. ...network. This network could contain many machines and subnets.
   Note: A heartbeat network does not have to be a dedicated network (dedicated to only heartbeat communications) as shown in this example. Heartbeat communications can run on any internal network with other traffic and subnets.
   To create this cluster, use the Create Cluster Wizard and follow the steps in "Creating a cluster for software high availability/load balancing" on page 147. When you get to the Cluster members screen, you would add cluster members using their IP addresses as shown in Figure 9-4.
   [Figure 9-4: Cluster members screen of the Create Cluster Wizard ("Use the buttons to Add or Delete cluster members. Use the checkboxes to enable or disable the propagation of configuration files to cluster members."), listing the cluster members by IP address with propagation set to Yes]
   Setting Up VIPs
   Setting up VIPs for this cluster is the next step. Each machine in the cluster shares the same VIP address for a given subnet and is viewed as a potential candidate to receive packets. If one appliance fails, another appliance handles any new requests, providing continued connectivity to your network. Figure 9-5 shows our example with VIPs. Because the VIP is assigned to a subnet, all of the machines in the cluster on the subnet are viewed as a single IP address. With load b
11. 4. The Configuration Options screen provides two check boxes:
   If you check Configure mail services, when you click Next the following screen prompts you for the IP address of your mail server. Continue at Step 5 on page 61.
   If you check Configure rules to allow internal users to access web and FTP services, QuickStart automatically configures these services without requiring any further input. If this is the only option you select, continue at Step 10 on page 62.
   [Figure 4-4: Internal Mail Server screen of the SMTP Configuration Wizard ("SMTP requests addressed to the external interfaces of the system will be directed to the internal mail server. Please enter the server's IP or DNS address"), with an example address entered]
   5. On the Internal Mail Server screen, enter the IP address or DNS name of your site's internal mail server. In specifying an internal mail server, you are indicating where SMTP mail addressed to the appliance's external interface will be directed.
   6. Click Next to display the Allow Internal Hosts Out screen (see Figure 4-5).
   [Figure 4-5: Allow Internal Hosts Out screen of the SMTP Configuration Wizard: "If selected, the wizard will create rules that allow internal systems to send mail directly to external mail servers. Otherwise, rules that may have been previously created to support this option will be removed. If this option is not se]
12. ...IKE-enabled mobile user for your tunnel. Alternatively, if you have already configured user groups in SRMC, you can select an existing user group to serve as both the remote security gateway and tunnel endpoint. Once your remote end selection is made, click the VPN Policy link.
   Figure 5-20 Remote End screen, VPN Client Tunnel Wizard.
   For the network example in Figure 5-19 we are creating a new VPN Client user named JSmith.
   2. From the Remote End VPN Client Wizard page (see Figure 5-20), click the Create a new IKE-enabled VPN Client user link available in step 1. The New IKE-enabled User dialog box appears (see Figure 5-21).
   [Figure 5-21: IKE-enabled User dialog box: Name field; "An authentication method must be specified for a mobile user. You can select using Certificate or Shared Secret or both"; Certificate and Shared Key check boxes with a shared key value entered]
   3. In the New IKE-enabled User dialog box, type the Name of the VPN Client user: JSmith.
   4. Select the authentication method(s) this user will use. You can select Certificate or Shared Key or both. If you select Certificate, you must create an Entrust Certificate and provide it to the user. See the section on configuring certificate authentication in the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide. If you select S
13. ...Program on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
   You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
   a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
   b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
   c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
   The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilat
14. ...Services configuration. In the configuration for each proxy service you configure the way in which antivirus is implemented for that proxy. When you create specific rules for a given proxy and enable antivirus scanning for those rules, the antivirus settings you configure via the Proxy Services configuration apply to the antivirus scanning for that proxy.
   The proxy configuration for each proxy lets you specify the following:
   The IP address and port number of the Symantec Gateway Security appliance that will provide scanning services.
   The handling of files when the Symantec Gateway Security appliance is unavailable.
   The handling of infected files, and the types of files (by extension) that will be submitted to the Symantec Gateway Security appliance for scanning.
   The proxy establishes a TCP/IP connection to the Symantec Gateway Security appliance and passes the file to be scanned to the Symantec Gateway Security appliance. The Symantec Gateway Security appliance scans the file and handles it based on the configuration settings established for that proxy.
   Configuring antivirus scanning for the FTP, HTTP and SMTP proxies
   The Proxy Services configuration you set up for FTPD, HTTPD or SMTPD, respectively, determines how virus scanning is implemented for all rules for which FTP, HTTP or SMTP is enabled as a service and for which antivirus scanning is enabled. To co
15. Uncheck the check box to the left of a cluster member's icon to disable the cluster member. This causes the cluster member to be ignored when appliance configuration files are propagated. If a cluster member has been disabled, select the check box to enable the cluster member to participate in the propagation of appliance configuration files.
   When you have completed all changes to the cluster member screen, click Next. If the cluster is not an HA/LB cluster, the final screen of the wizard is displayed; go to Step 13. If the cluster is an HA/LB cluster, the Define primary subnet and virtual IP addresses screen is displayed; complete steps 7 through 12.
   To change the subnet that is selected to act as the heartbeat network, click Clear All VIPs, then use the Subnet drop-down list to select a different subnet. You must then create virtual IP addresses (VIPs) for all subnets.
   To change or create a VIP, select a subnet in the Cluster member information list and click Edit to display the VIP Addresses dialog box. The VIP Addresses dialog box provides the following options: select an existing VIP and click Edit to edit it, or Delete to delete it; to add a new VIP, click Add. Clicking Add or Edit displays the Add a Virtual IP Address dialog box.
   Complete the Add a Virtual IP Address dialog box as follows.
   Note: Symantec recommends that the VIP address is higher than the physical IP address of the nodes in the cluster.
   Type a Virtua
16. ...you for the defective Appliance. Defective Appliances returned to Symantec will become the property of Symantec. Symantec does not warrant that the Appliance will meet your requirements or that operation of the Appliance will be uninterrupted or that the Appliance will be error-free. THE ABOVE WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.
   4. Disclaimer of Damages. SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS' LIABILITY EXCEED THE PU
17. If the option to automatically connect was not checked on the previous screen, the Connect to cluster members screen is displayed to allow you to connect. Type the password and, if necessary, change the management port for the cluster member whose IP address is shown. Click Next to connect.
   When all members of the cluster are connected, the Completing the Wizard screen is displayed. Click Finish to delete the cluster configuration from all members.
   Viewing Cluster Properties
   Note: Although you can view the properties of a cluster, the details you see are read-only. If you want to make changes, you must do so by using the Modify Cluster wizard. For more information, see "Modifying a cluster" on page 157.
   To view the properties of a cluster
   1. Expand the cluster's folder in the left pane.
   2. Connect to a member of the cluster. You must be connected because the cluster configuration information is stored on the cluster members.
   3. Right-click on the cluster's icon and choose Properties. The cluster's Properties pages are displayed. The General tab shows the name and description of the cluster and tells you what type of cluster it is. The Member field gives the IP address of the connected member.
   4. Click the Members tab. This tab lists the members of the cluster and indicates whether they are enabled for propagation.
   5. If the cluster is an Int
18. ...activity, Ethernet connections and hard disk drive activity.
   The network activity indicator blinks when there is traffic on the network interfaces, labeled 0 for outside and 1 for inside.
   The Ethernet connections indicator glows steadily to indicate an active connection on the network interfaces, labeled 0 for outside and 1 for inside.
   The hard disk drive activity indicator blinks when there is activity on the hard disk drive labeled 0 (1 through 3 are not used).
   The Temp indicator blinks to indicate temperature status: blinking slowly for temperature warnings and quickly for temperature failures. If the VelociRaptor appliance is in danger of overheating, a log message is sent to the Symantec Raptor Management Console.
   The Power button turns the power to the appliance on and off.
   Table 3-2 Model 1200 and 1300 front panel descriptions
   4. The LCD screen displays the VelociRaptor appliance version number and system health monitoring information. The LCD screen is the same on all models. It allows you to monitor appliance status, modify configuration parameters and re-initialize the appliance. The available LCD screen displays include: system startup self-tests; performance monitoring; the system menu (see "Use the system menu" on page 39). As the appliance boots up, the LCD displays status messages.
   5. The front panel push buttons let you enter n
19. ...and your connection is verified.
   12. Repeat steps 10 and 11 for each cluster member to be added.
   13. When all the cluster members have been added, click Next to display the Define primary subnet and virtual IP address screen.
   [Figure 9-11: Define primary subnet and virtual IP addresses page of the Create Cluster Wizard ("Choose the subnet to be used as the heartbeat or control network. Click the Edit button to specify the virtual IP addresses (VIPs) for the members of the cluster."). Subnet 192.168.30.0 is selected; the Cluster member information table lists subnets 192.168.30.0, 172.168.6.0, 192.168.1.0 and 169.10.10.0 with their virtual IP addresses; Edit and Clear All VIPs buttons.]
   14. Use the Subnet list to choose a subnet to be used as the controlling network. The inside network is selected by default.
   15. Select a Subnet from the Cluster member information list and click Edit to display the VIP Addresses dialog box.
   [Figure 9-12: VIP Addresses dialog box (virtual IP addresses assigned to subnet 169.10.10.0)]
   16. Click Add to display the Add a Virtual IP Address dialog box.
   [Add a Virtual IP Address dialog box: "Add virtual IP address for subnet 169.10.10.0"; Virtual IP Address field; "This VIP is sticky" check box; Preferr]
20. ...appliance configuration setup information. You must complete this wizard before you can begin managing the VelociRaptor appliance. See instructions in the next section.
   Caution: Anyone who can access the Symantec Raptor Management Console can connect to the VelociRaptor appliance once the password has been entered. Be sure to keep the password for the administering computer a secret.
   The VelociRaptor appliance Setup wizard automatically starts when you connect to a VelociRaptor appliance for the first time from the Symantec Raptor Management Console. The Setup Wizard prompts you for the following setup information to run the VelociRaptor appliance: system name; domain name; default gateway; license key; system features; network interfaces; date and time.
   Caution: If you cancel out of this wizard without completing it at least once, you cannot connect to the VelociRaptor appliance. You will have to run it again in order to access the appliance.
   Once you have completed the VelociRaptor appliance Setup Wizard, you can use the Setup Wizard to edit system information at any time.
   To configure the appliance using the Setup Wizard
   1. Click on the VelociRaptor Setup Wizard icon in the Configuring your Symantec System window. The VelociRaptor Setup wizard automatically starts when you connect to a VelociRaptor appliance for the first time from the Symantec Raptor Management Console.
   [Setup Wizard: Welcom]
21. ...completed form in a secure location. This form can serve as a permanent record for each VelociRaptor appliance installed at your site. For details on the worksheet items listed below, see "Initial network configuration procedure" on page 35. Make a copy of this worksheet to record the output data.
   Network configuration worksheet
   User input during initial setup: Interface IP address; Netmask; Gateway address; SRMC address.
   VelociRaptor appliance output during initial setup: SRMC password; SRL (Secure Remote Login) password; Root password; System ID.
   1. Passwords are output during the hardware configuration process.
   Initial network configuration procedure
   The VelociRaptor appliance first prompts you to enter the IP address of the network port that will communicate with the Symantec Raptor Management Console.
   To perform the initial network appliance configuration
   1. Press the E (Enter) button to start the appliance initial setup.
   2. Choose whether the Symantec Raptor Management Console system is inside (In) the network protected by the VelociRaptor appliance or outside (Out) the network: "SRMC location: In / Out". By default, In is selected. Either press the E button to accept this default or press the right arrow (>) key to select Out for outside. Then press the E button to enter
22. ...configuration and allows you to update the configuration based on a selected cluster member.
   Modify Cluster: allows you to add members to a cluster after it is created, to delete members, to change the cluster's control network and to change virtual IP addresses. You can also use the Modify Cluster wizard to enable or disable members of a cluster when you are preparing to propagate configuration changes from one member of a cluster to the rest of the cluster.
   Delete Cluster: allows you to delete the cluster configuration information from all the members of the cluster. This does not delete any appliances; it removes the configuration information that associates them with a cluster.
   Preparing to create a cluster
   Every VelociRaptor appliance to be added to a cluster must meet the following prerequisites:
   All members must have the same number of configured interfaces.
   All members must run the same operating system version.
   The network configuration of all cluster members must match: every cluster member must have IP addresses on the same subnets as the other cluster members.
   Each appliance must have a different system name.
   HA/LB must be enabled on all appliances.
   In addition, the IP address specified to connect to the VelociRaptor appliance must lie on the same subnet as the IP addresses specified to connect to the other members.
   Before you create a cluster
   Define the IP addresses of all the appliances you want to add to the
23. ...field, enter your Symantec Raptor Management Console password.
   3. In the SRL field, enter your SRL password. You need this password to establish a secure connection. The VelociRaptor appliance displayed this password to you during the initial setup procedure. You can change the SRL password through Symantec Raptor Management Console as described in "Managing passwords" on page 106.
   4. Click OK.
   Once connected through SRL, you can securely perform any necessary administrative functions on the VelociRaptor appliance.
   Front panel keypad locking
   Locking the VelociRaptor appliance provides additional security against personnel who should not have access privileges to the appliance. If the front panel is locked, only individuals with knowledge of the Root System Password can disable the lock in order to continue working with the front panel.
   To enable locking
   1. From the Symantec Raptor Management Console, select the VelociRaptor appliance icon and right-click.
   2. Click Properties to display the appliance's Properties page.
   3. Select the System tab.
   4. Beside Front Panel Keypad Locking, check the Enable radio button to lock the front keypad (see Figure 7-12).
   [Figure 7-12: Connected Properties page, with General, Status, Paths, Passwords, Date/Time, System and License tabs, showing the current system name, domain name and default gateway address (System Name, Domain Name yourdo]
24. ...is not visible, pull down the View menu and click Taskpad.
   2. In the right pane, start the wizard by clicking the SMTP Wizard icon.
   3. Click Next.
   [Figure 4-6: Internal Mail Server screen of the SMTP Configuration Wizard ("SMTP requests addressed to the external interfaces of the system will be directed to the internal mail server"), with an example address entered]
   4. Enter the IP address or DNS name of your internal mail server.
   5. Click Next.
   [Figure 4-7: Allow Internal Hosts Out screen ("If selected, the wizard will create rules that allow internal systems to send mail directly to external mail servers. Otherwise, rules that may have been previously created to support this option will be removed.")]
   6. If you want to create rules that will allow the internal systems to send mail directly to external mail servers, check the Allow Internal Hosts Out check box.
   7. Click Next.
   [Figure 4-8: Anti-Spam screen ("Define the anti-spam settings for all SMTP mail. You can later change these settings from the SMTPD and/or individual rule properties."): Check Sender's Address against RBL hosts; New RBL site, Add, Remove; the list shows blackholes.mail-abuse.org]
   8. On the Anti-Spam page, define the anti-spam settings for all SMTP mail. Check Sender's Address
...license, your rights and obligations with respect to the use of this Software are as follows.
You may:
(A) use the Software solely as part of the Appliance for no more than the number of users as have been licensed to you by Symantec under a License Module;
(B) use the Restore Software solely to restore the Appliance to its original factory functionality in the event the Software preloaded on the Appliance is corrupted or becomes unusable;
(C) make copies of the printed documentation which accompanies the Appliance as necessary to support your authorized use of the Appliance; and
(D) after written notice to Symantec, in connection with a transfer of the Appliance, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software, Symantec consents to the transfer, and the transferee agrees in writing to the terms of this agreement.
You may not:
(A) sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
(B) use the Restore Software for any purpose other than to restore the Appliance to the original factory functionality;
(C) use, if you received the Software distributed on an Appliance containing multiple Symantec products, any Symantec software on the Appliance for which you have not received a permission in a License Module; o...
...network behind the VelociRaptor appliance. For the routed network to work properly, the router or routers must be properly configured. Use the ping command to check the ability of computers on routed networks to connect to the VelociRaptor appliance. It is recommended that you use contiguous networks to reduce the number of static routes required. The network in Figure 6-1 requires a route for the 192.168.3.0 and 192.168.5.0 networks.
To create a route
1. From the left pane of the Symantec Raptor Management Console, select the Routes icon, right-click, and choose New > Route. The Route Properties window opens (see Figure 6-3).
[Figure 6-3 Route Properties (New) screen: Destination Address 192.168.3.0, Netmask 255.255.255.0, Gateway Address 192.168.1.62]
2. Type the Destination network. In our example it is the network behind the inside router, 192.168.3.0.
3. Type the appropriate netmask. In our example, 255.255.255.0.
4. In the Gateway Address field, type the address of the router. For example, 192.168.1.62. This is the router address on the same network as the VelociRaptor appliance inside interface.
5. Click OK to save the route information and close the Route Properties window.
Any connection for an address in the range of 192.168.3.0 to 192.168.3.254 is directed to the router 192.168.1.62. Y...
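The two things the route procedure above depends on can be checked mechanically: the gateway must be on the same network as the appliance's inside interface, and once the route exists every address from 192.168.3.0 to 192.168.3.254 must be sent to 192.168.1.62 while everything else still follows the default gateway. The following is an added example, not code from the Symantec guide or the appliance; it models the route table with the standard library. The route values are the guide's example; the inside interface 192.168.1.17 is taken from the guide's example hosts file with a /24 mask assumed, and the default gateway 169.254.0.254 is the value the guide uses in "To specify the default gateway".

```python
"""Added example (not from the Symantec guide): validate a static route the way
the procedure describes and resolve next hops by longest-prefix match.
Assumptions: inside interface 192.168.1.17/24, default gateway 169.254.0.254."""
import ipaddress

INSIDE_INTERFACE = ipaddress.ip_interface("192.168.1.17/24")   # assumed /24 mask
DEFAULT_GATEWAY = ipaddress.ip_address("169.254.0.254")


def make_route(destination, netmask, gateway, interface=INSIDE_INTERFACE):
    """Build (network, gateway) for a static route.

    Rejects a gateway that is not on the inside interface's network, since the
    appliance can only hand packets to a router it can reach directly."""
    network = ipaddress.ip_network(f"{destination}/{netmask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in interface.network:
        raise ValueError(f"gateway {gw} is not on the inside network {interface.network}")
    return network, gw


def next_hop(dest, routes, interface=INSIDE_INTERFACE, default=DEFAULT_GATEWAY):
    """Return the gateway for dest, None when dest is directly connected,
    or the default gateway when no static route matches."""
    addr = ipaddress.ip_address(dest)
    if addr in interface.network:
        return None                      # on-link: deliver directly, no router involved
    best = None
    for network, gw in routes:           # longest prefix wins when routes overlap
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else default


if __name__ == "__main__":
    table = [make_route("192.168.3.0", "255.255.255.0", "192.168.1.62")]
    for host in ("192.168.3.0", "192.168.3.254", "192.168.1.22", "10.1.2.3"):
        print(host, "->", next_hop(host, table))
```

Using the same helper for the second network from Figure 6-1 (192.168.5.0) shows why the text insists the gateway sit on the inside network: make_route("192.168.5.0", "255.255.255.0", "192.168.3.1") raises, because 192.168.3.1 can only be reached through a router the appliance does not yet have a route for.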
...or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IM...
...prevent attack. You can create the DNS entries using the Symantec Raptor Management Console DNSD (Dynamic Name Server Daemon) Properties window. For more information, see the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide.
To create the DNS entries using the Symantec Raptor Management Console
1. From the left pane of the Symantec Raptor Management Console, expand the Base Components folder.
2. Select the DNS Records icon. The existing DNS entries appear in the right pane (see Figure 6-4).
[Figure 6-4 Symantec Raptor Management Console hosts list: the DNS Records view under Base Components, with columns Name, Type, Accessibility, Address, Aliases, Domain and Description; the example entries include the appliance host in yourdomain.com, localhost.yourdomain.com and a Private authority record for 127.in-addr.arpa]
...re-initialize the appliance. The available LCD screen displays include:
• System startup self tests
• Performance monitoring
• System menu (see "Use the system menu" on page 39)
As the appliance boots up, the LCD displays status messages.
Table 3-1 Model 1100 front panel descriptions (continued)
4. The factory reset pinhole, when pressed, resets the VelociRaptor Model 1100 appliance in the following manner:
• Network IP address information is erased
• Symantec Raptor Management Console workstation connection information is erased
• License information remains intact
5. The front panel push buttons let you enter network information directly into the appliance (see "Front panel controls" on page 29).
Front panel layout, models 1200 and 1300
The VelociRaptor appliance models 1200 and 1300 front panel, as shown in Figure 3-2, contains six data entry and navigation keys and a two-line, 16-character liquid crystal display area. The initial configuration of the VelociRaptor appliance takes place at the unit's front panel, where you enter and modify parameters such as system and network IP addresses.
[Figure 3-2 VelociRaptor appliance model 1200 and 1300 front panel]
Table 3-2 Model 1200 and 1300 front panel descriptions
The Status Indicators signal network...
...then click OK. The information you enter is written to the hosts file. The hosts file includes lines with an address and name. More than one name can be included for an address.
10. Click OK to close the DNS Record Properties page.
The entries for the 192.168.1.0 and 192.168.3.0 subnets in the hosts file for the example network in Figure 6-1 would look like this. Items are separated by one or more spaces:
192.168.1.17 VelociRaptor.xyz.com VelociRaptor
192.168.1.22 server.xyz.com server
192.168.1.1 wkst1.xyz.com
192.168.1.2 wkst2.xyz.com
192.168.1.3 wkst3.xyz.com
192.168.3.10 wkst10.xyz.com
192.168.3.11 wkst11.xyz.com
192.168.3.12 wkst12.xyz.com
Note: Aliases are acceptable as long as every line has a fully qualified host name.
Your hosts file should also contain the following line, specifying the localhost (or loopback) address:
127.0.0.1 localhost.xyz.com localhost
The hosts file is the first place where the DNS proxy looks for an address when the request comes from a private system. You can add any other addresses to this file. For example, you might want to add outside machines from your network as follows:
169.254.1.2 news.xyz.com news
169.254.1.3 web.xyz.com www
You can also add frequently used hosts on the Internet to this file. Doing so can skip several name request steps.
Provide hosts.pub file information
The hosts.pub file provides host-to-IP-address a...
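Because the DNS proxy consults the hosts file before anything else for private requests, a malformed line silently changes what internal clients resolve. The block below is an added example, not part of the Symantec guide and not the appliance's DNS proxy code: it parses the file format shown above (address, fully qualified name, optional aliases, whitespace-separated), enforces the note's rule that every line must carry a fully qualified host name, and then answers lookups from the result. The sample file is constructed from the guide's own example entries; the validation rules are this example's assumptions.

```python
"""Added example (not from the Symantec guide): parse and validate a hosts
file in the format the section shows, then resolve names from it."""
import ipaddress

# Constructed from the guide's example entries (comment line added for the parser test).
SAMPLE_HOSTS = """\
# example hosts file, constructed
127.0.0.1 localhost.xyz.com localhost
192.168.1.17 VelociRaptor.xyz.com VelociRaptor
192.168.1.22 server.xyz.com server
192.168.1.1 wkst1.xyz.com
192.168.3.10 wkst10.xyz.com
169.254.1.3 web.xyz.com www
"""


def is_fqdn(name):
    """Fully qualified here means at least two non-empty labels of
    letters, digits or hyphens (an assumption of this example)."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels) and all(
        lab.replace("-", "").isalnum() for lab in labels)


def parse_hosts(text):
    """Return (table, problems).

    table maps each lowercased name or alias to its address string; problems
    lists (line number, reason) for lines that break the format or the
    guide's rule that every line has a fully qualified host name."""
    table, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                 # "one or more spaces" between items
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append((lineno, "bad address"))
            continue
        names = fields[1:]
        if not any(is_fqdn(n) for n in names):
            problems.append((lineno, "no fully qualified host name"))
            continue
        for n in names:
            table.setdefault(n.lower(), addr)  # first definition of a name wins
    return table, problems


def lookup(name, table):
    """Resolve a name or alias case-insensitively; None when absent."""
    return table.get(name.lower())


def has_loopback_entry(table):
    """The guide says the file should also define localhost as 127.0.0.1."""
    return table.get("localhost") == "127.0.0.1"


if __name__ == "__main__":
    hosts, issues = parse_hosts(SAMPLE_HOSTS)
    print("issues:", issues)
    print("loopback ok:", has_loopback_entry(hosts))
    for q in ("wkst1.xyz.com", "server", "WWW", "nosuch.xyz.com"):
        print(q, "->", lookup(q, hosts))
```

Running the parser over a line such as "192.168.3.11 wkst11" reports it as lacking a fully qualified host name, which is exactly the condition the note above warns about; the alias-only form is rejected even though the address is valid.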
...this shutdown. A System Shutdown shuts down the VelociRaptor appliance software, the Linux OS and all its applications. The appliance remains powered on, but no software is running. It is safe to turn the VelociRaptor appliance off when the LCD display reads PLEASE SWITCH POWER OFF NOW. You must now power cycle the appliance to bring it back up.
Perform a system reboot from the Symantec Raptor Management Console
In the Symantec Raptor Management Console All Tasks menu, you can remotely perform system reboots.
To reboot from Symantec Raptor Management Console
1. Right-click on the appliance icon from within Symantec Raptor Management Console and, in the All Tasks menu, click System Reboot.
2. Confirm this reboot by reconnecting to the appliance.
A System Reboot restarts the VelociRaptor appliance software. The Linux OS and all its applications are brought down and then restarted.
Back up configuration files
In the Symantec Raptor Management Console All Tasks menu, you can perform manual system backups of your configuration files. Configuration files are stored on the VelociRaptor appliance. Backup files are stored on the Symantec Raptor Management Console machine. Backed-up files are identified by hostname, date and time, with an .rfwcfg extension. For example: VelociRaptor 2002 March 15 13 51 48 rfwcfg
To do a manual configuration file backup
1. In the left pane, r...
...we will create the local security gateway using the local interface.
2. Click the local interface link available in step 1 on the configuration page to display the pull-down menu (see Figure 5-5).
[Figure 5-5 Local interface pull-down menu, on the Local End screen of the S2S Tunnel Wizard (left pane links: Introduction, Local End, Remote End, VPN Policy, Finish Setup; Cancel Setup). Screen text: "To configure the local end of your secure tunnel you select a local security gateway (generally your Raptor system's outside interface) and the protected network entity that acts as the originator of the packets being sent or the final destination of the packets passing through the tunnel. 1. Select an existing local security gateway using an already configured security gateway entity, or select to create a new local security gateway. 2. Select network entity using an already configured network entity, or create a new local protected entity to serve as the originator of tunnel packets or the final destination for tunnel packets. Once your local end selections are made, click the Remote End link."]
3. From the interfaces available in the pull-down menu, select the outside interface (eth0) to become your local security gateway. This displays the New Security Gateway dialog box.
4. In the dialog box, type a name for your gateway. Our example uses West (see Figure 5-6).
[Figure 5-6 New Security Gateway dialog box: Name west]
1. Plug the UPS into the wall socket.
2. Turn on the UPS.
3. Plug the VelociRaptor appliance into the UPS power socket.
4. Connect the UPS serial cable to the UPS unit and the VelociRaptor appliance. Refer to Figure 2-5 for the location of the UPS port (5) on the model 1100 back panel. Refer to Figure 2-6 for the location of the UPS port (4) on the models 1200 and 1300 back panel.
Note: To configure UPS support on the VelociRaptor appliance, access the System Menu as described in "Use the system menu" on page 39. You can also turn UPS support on from the Symantec Raptor Management Console VelociRaptor Setup wizard. See "Setup wizard" on page 50.

Chapter: Initial Setup
This chapter describes the procedures for configuring the VelociRaptor appliance network parameters for use with the Symantec Raptor Management Console (SRMC), installing the Symantec Raptor Management Console, connecting the Symantec Raptor Management Console to the appliance, and running the Setup Wizard. This chapter also describes the various VelociRaptor appliance hardware features. The VelociRaptor appliance has an integral LCD display located on the front of the unit. Using the appropriate buttons, you can enter basic configuration information into the VelociRaptor appliance as well as monitor certain system operating parameters.
Front panel layout, model 1100
The VelociRaptor appliance model 1100 fr...
...172.168.6.250 (Service)
192.168.1.0/24  192.168.1.250 (Internal)
The next step is to set the default gateway of our dedicated heartbeat network machines to VIP 192.168.30.250. Then set the default gateway of our internal network machines (everything on the 192.168.1.0/24 network) to VIP 192.168.1.250. Then change the default gateway of the interface on the servers residing on our service network to point to VIP 172.168.6.250. Each of these is a different network and therefore needs a different VIP configured for it. DNS resolvers must be configured to point to the individual IP addresses of the appliances, not the VIP addresses. Finally, configure a static route on the 169.10.10.1 router (outside network/Internet) that says that all traffic destined for the 169.10.10.0/24 network should go through the VIP 169.10.10.250.
To configure VIPs, use the Create Cluster Wizard and follow the steps in "Creating a cluster for software high availability/load balancing" on page 147. When you get to the Define primary subnet and virtual IP addresses screen, you would assign a subnet to be the heartbeat network and assign VIP addresses to cluster members, as shown in Figure 9-6.
[Figure 9-6 Create Cluster Wizard, Define primary subnet and virtual IP addresses screen. Screen text: "Choose the subnet to be used as the heartbeat or control network. Click the Edit button to specify the v..."]
...EMENT CAREFULLY BEFORE USING THE APPLIANCE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND SYMANTEC. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, REQUESTING A LICENSE KEY, OR USING THE SOFTWARE AND THE APPLIANCE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE "I DO NOT AGREE" OR "NO" BUTTON IF APPLICABLE, AND DO NOT USE THE SOFTWARE AND THE APPLIANCE.
1. Software License. Except for the software, if any, described in the Excluded Software section at the end of this agreement (the "Excluded Software"), the software (the "Software") which accompanies the appliance you have purchased (the "Appliance") is the property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license governs any releases, revisions or enhancements to the Software that the Licensor may furnish to you, as well as the copy of the Software provided to you on a CD-ROM or other media in connection with the Appliance (the "Restore Software"). Except as may be modified by a Symantec license certificate, license coupon or license key (each a "License Module") which accompanies, precedes or follows this...
[Figure 5-17 Finish Setup, S2S Tunnel Wizard. Summary shown: Local Network Entity manufacturing 192.168.10.0; Remote Security Gateway East 206.7.7.2; Remote Network Entity finance 192.168.20.0; VPN Policy ike_default_crypto_strong; Name manufacturingtofinance; buttons Finish, Save, Cancel Setup. Screen text: "Click on Finish to accept the changes or Save to save and reconfigure. If you need to make any changes, click on the left pane links. Although this wizard creates the secure tunnel and all the necessary tunnel components for you, once you've completed the wizard you can access the property pages for all the items you've selected and make changes."]
1. The Finish Setup screen (see Figure 5-17) displays the selections you have made in the previous screens. If you have failed to make a required selection, that item appears with the word "undefined" beside it in the Finish Setup screen, and that link has no check mark beside it on the left side of the screen. If you were unable to complete any of the screens up to this point, simply click on that screen's link in the left pane to go back.
2. The Finish Setup screen assigns a default name to your tunnel. In the Name field, enter your own name for the secure tunnel before you save. In Figure 5-17 we have named the tunnel manufacturingtofinance.
3. If each left pane item has a check mark beside it, you can now click the Save button to save your secure tunnel configuration. If there are any errors in your c...
In Figure 5-1 there are two sites. Each site is protected by a VelociRaptor 1.5 appliance. West is the local appliance in this example and East is the remote VPN server. The goal of this configuration is to establish a VPN tunnel uniting the subnets behind each firewall.
[Figure 5-1 Site-to-site secure tunnel. Local (West): Security Gateway 206.7.7.3, VelociRaptor West, Subnet Manufacturing 192.168.10.0, Netmask 255.255.255.0. Internet between the sites. Remote (East): Security Gateway 206.7.7.2, VelociRaptor East, Subnet Finance 192.168.20.0, Netmask 255.255.255.0.]
To begin using the wizard, from the Symantec Raptor Management Console Configuring your Symantec System taskpad (see Figure 5-2), click the S2S Tunnel Wizard icon. The Introduction screen, shown in Figure 5-3, appears.
[Figure 5-2 Configuring your Symantec System taskpad in the Symantec Raptor Management Console (tree: Console Root > Symantec Enterprise Management > Symantec Raptor Management Console > appliance (Connected) > Base Components, Access Controls, Virtual Private Networks, Monitoring Controls; taskpad icons: QuickStart, SMTP Wizard, S2S Tunnel Wizard, VPN Client Tunnel Wizard, VelociRaptor Disconnect)]
Incident node
Only one machine has control of the VIP at any given time. This machine is referred to as the incident node. The incident node receives ownership of the VIP, and all communication requests directed to the VIP are handled by the incident node. When a communication request comes in to the incident node, the incident node is responsible for:
• serving the request
• passing on the initial request to another node in the cluster
• passing on the request to the node that is currently serving the connection
If a failure occurs on the incident node, another node in the cluster becomes the incident node, claims ownership of the VIP, and assumes responsibility for all new connection requests entering the cluster.
Heartbeat network
A heartbeat network is an internal network that acts as the heartbeat or control network. The heartbeat network is used by each appliance in the cluster to exchange state information about the cluster. The heartbeat network does not have to be dedicated to heartbeat communications only; however, that is the preferred configuration.
Sticky node
Any node in the cluster can be designated as a sticky node. If a node is marked as sticky and requests are currently being sent to it, requests will continue to be sent to this node until this node is no longer available due to a failure. If one node gives up the sticky bit, it will jump to the next node picked to be the incident node and remain ther...
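The three terms above describe a small state machine: one node owns the VIP and dispatches, connections stay with the node already serving them, a sticky node absorbs all new requests until it fails, and VIP ownership moves on failure. The block below is an added example, not code from the Symantec guide or the appliance's HA/LB implementation, that models just those rules so the failover behaviour can be stepped through. Node names and the VIP are constructed; the guide does not say how the incident node spreads new connections across nodes when no sticky node is set, so round-robin is an assumption of this example.

```python
"""Added example (not from the Symantec guide): a model of incident node,
VIP ownership, connection affinity and the sticky bit as the terms define them.
Assumption: without a sticky node, new connections are spread round-robin."""


class Cluster:
    def __init__(self, vip, nodes, sticky=None):
        self.vip = vip
        self.live = list(nodes)          # nodes currently reachable on the heartbeat network
        self.incident = self.live[0]     # the node that owns the VIP right now
        self.sticky = sticky             # node carrying the sticky bit, if any
        self.serving = {}                # connection id -> node currently serving it
        self._rr = 0                     # round-robin cursor (assumption, see lead-in)

    def vip_owner(self):
        return self.incident

    def dispatch(self, conn_id):
        """Decide which node handles a request that arrived at the VIP."""
        if conn_id in self.serving:
            return self.serving[conn_id]          # pass on to the node serving this connection
        if self.sticky in self.live:
            node = self.sticky                    # sticky node keeps receiving new requests
        else:
            node = self.live[self._rr % len(self.live)]
            self._rr += 1
        self.serving[conn_id] = node
        return node

    def fail(self, node):
        """Node outage: its connections are dropped; if it owned the VIP the next
        live node claims it; a failed sticky node's bit jumps to the new incident node."""
        if node not in self.live:
            return
        self.live.remove(node)
        if not self.live:
            raise RuntimeError("no live nodes: VIP %s is unreachable" % self.vip)
        self.serving = {c: n for c, n in self.serving.items() if n != node}
        if node == self.incident:
            self.incident = self.live[0]
        if node == self.sticky:
            self.sticky = self.incident

    def state(self):
        return {"vip_owner": self.incident, "live": list(self.live), "sticky": self.sticky}


if __name__ == "__main__":
    c = Cluster("192.168.1.250", ["fw1", "fw2", "fw3"])   # constructed names
    print(c.dispatch("conn-a"), c.dispatch("conn-b"), c.dispatch("conn-a"))
    c.fail("fw1")
    print(c.state(), c.dispatch("conn-a"))
```

The model makes the operational consequence visible: connections held by a failed node are not transparently continued by the new incident node, they are re-dispatched as new requests, which is why the guide's later sections treat failover as preserving reachability rather than individual sessions.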
...LAN into the inside network connection.
2. Plug the RJ-45 connector from any other service network, if present, into the Aux 1 network connection.
3. Plug the RJ-45 connector from any other service network, if present, into the Aux 2 network connection.
Connect the power cord to models 1200 and 1300
To connect power to appliance models 1200 and 1300
1. Plug the power cord into the appropriate connector on the rear panel.
2. Connect the power supply cord from the appliance to an electrical outlet or UPS supply unit. For UPS configuration details, see "Connect an uninterruptible power supply" on page 23.
Power on the models 1200 and 1300
Turn on the power by pressing the On/Off button on the front of the VelociRaptor appliance models 1200 and 1300. You will know the box has powered on properly if:
• The hard disk spins up, the fans turn on and the LCD screen lights up
• A number of status messages are displayed on the LCD screen as the appliance completes its boot process
Connect an uninterruptible power supply
When the VelociRaptor appliance is configured to use a UPS, the appliance can power down in an orderly manner in the event of a power failure. The appliance communicates directly with the UPS unit through the serial port. The recommended supplier for UPS units is American Power Conversion (www.apcc.com).
To configure VelociRaptor for UPS support
...PLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SYMANTEC APPLIANCE LICENSE AND WARRANTY AGREEMENT
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE INCLUDED WITH THE APPLIANCE YOU HAVE PURCHASED TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") AND TO PROVIDE WARRANTIES ON THE APPLIANCE ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AND WARRANTY AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AND WARRANTY AGRE...
...Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to p...
...R 97401, USA; or (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland.
8. Excluded Software. The Excluded Software consists of the open source code software known as Linux included with the Appliance. All Excluded Software is licensed under the GNU General Public License, Version 2, June 1991, a copy of which is included with the user documentation for the Appliance. The license entitles You to receive a copy of the source code for Linux only upon request at a nominal charge. If you are interested in obtaining a copy of such source code, please contact Symantec Customer Service at one of the above addresses for further information.

Appendix: Serial Port Cable
Serial 9-Pin Cable Specifications
Use a cable that meets the following specifications to connect to the serial port of your appliance.
Table C-1 Serial 9-Pin Cable Connections
Pin  Direction  Signal
1    <          DCD (Data Carrier Detect)
2    <          RX (Receive Data)
3    >          TX (Transmit Data)
4    >          DTR (Data Terminal Ready)
5               GND (Signal Ground)
6    <          DSR (Data Set Ready)
7    >          RTS (Request To Send)
8    <          CTS (Clear to Send)
9    <          RI (Ring Indicator)

Appendix: Troubleshooting
Up-to-date troubleshooting information for the VelociRaptor 1.5 and all Symantec products is available on the Symant...
...RCHASE PRICE FOR THE APPLIANCE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software or the Appliance.
5. U.S. Government Restricted Rights. RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
6. Export Regulation. 7. General. You agree to comply strictly with all applicable export control laws, including the US Export Administration Act and its associated regulations, and acknowledge Your responsibility t...
...Raptor appliance host must have the default route set to 169.254.0.254. When you first configure the VelociRaptor appliance using the setup wizard, you enter the default gateway information on the first screen. If for some reason the default gateway was not specified, then you can specify it by accessing the VelociRaptor appliance Properties page.
To specify the default gateway
1. From the left pane of the Symantec Raptor Management Console, select the icon of the VelociRaptor appliance you are configuring.
2. From the Action menu, select Properties. The VelociRaptor appliance Properties page displays.
[Figure 6-2 Route properties window (the appliance Properties page, System tab): "The current system name, domain name and default gateway address"; System Name, Domain Name yourdomain.com, Default Gateway Address 169.254.0.254; UPS Support Stop/Start; Front Panel Keypad Locking Disable/Enable]
3. Select the System tab and enter the default gateway information as shown in Figure 6-2.
4. Click OK to save your updated default gateway information.
You must save and reconfigure the VelociRaptor appliance for your changes to take effect. Right-click in the left pane and choose All Tasks > Save and Reconfigure.
Creating static routes
Static routes are necessary if you have a routed...
Symantec VelociRaptor 1.5 Appliance Implementation Guide
April 17, 2002
Part Number 16 30 00053
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Copyright notice
Copyright 1998-2002 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. Portions copyright (c) eHelp Corporation. All rights reserved.
No warranty
The technical documentation is being delivered to you AS IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
VelociRaptor, Symantec Raptor Management Console, Symantec Gateway Security, Symantec Security Response Team, Symantec LiveUpdate, Symantec Norton Antivirus Extension (NAVEX) and Bloodhound are registered trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows and Windows NT are registered trademarks of Micr...
...a BIOS that allows you to boot from a CD-ROM
• An installed 100 MB network interface card
• Either a crossover cable to connect the VelociRaptor appliance directly to the network interface on the PC, or a connection to a switch or hub to which the appliance is attached
Note: Laptop PCs may not run the restore program properly.
During the restore process, the appliance may automatically reboot itself and perform other installation tasks. This process must be allowed to complete without interruption for a successful restore of the appliance software to its original factory condition. This process may take 15 minutes.
To restore the appliance operating system
1. Press any button on the front panel of the appliance until the System Menu displays on the LCD screen.
2. Press the down (v) arrow button until the Shutdown option appears.
3. Select the Shutdown option by pressing the E button.
4. When prompted, turn off the power using the power switch.
5. Insert the VelociRaptor CD-ROM into the CD-ROM drive of your PC.
6. Reboot your PC (turn off and restart) with the VelociRaptor CD in the CD drive. Wait until the PC is rebooted before proceeding.
7. Turn on the power to the VelociRaptor appliance using the power switch while pressing and holding down the Select (S) button on the LCD console. Continue holding down the Sele...
...against DNS check box is checked by default. This validates the originator's envelope address by checking the format and ensuring the domain name is fully qualified. It also checks whether a mail exchange (MX) record exists for the domain name in DNS (Domain Name System). Email from recipients who fail the DNS registration test is rejected.
Check Sender's address against RBL hosts checks the sender's address against the addresses in a list of known spam originators known as the Real-time Blackhole List (RBL). Any incoming connection attempt will be denied if the address is found in the RBL. If you check the list provided, the RBL of the Mail Abuse Prevention System project is used. You can also enter the domain name of another RBL provider in the New RBL Site field and add it to the list of RBL sites by clicking Add.
9. Click Next.
[Figure 4-9 Anti-Relay screen of the SMTP Configuration Wizard. Screen text: "Define the default anti-relay settings for all SMTP mail rules. You can later change these settings from the SMTPD and/or individual rule properties." Controls: No Source Routed Address allowed (checked); Specify recipient's domain below; Check against RBL; New site / Add / Remove; the list contains relays.mail-abuse.org.]
10. On the Anti-Relay page, define the default anti-relay settings for your SMTP mail rules. No Source Routed Address allowed is enabled by defa...
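The two anti-spam checks described above are easy to misread as one: the DNS check inspects the envelope sender's domain (format, fully qualified, MX record present), while the RBL check keys on the connecting client's IP address and asks the blocklist zone whether a reversed-octet name exists under it. The block below is an added example, not code from the Symantec guide or the appliance's SMTP daemon, that implements both checks over a constructed stub resolver so the logic can be exercised offline. The zone names blackholes.mail-abuse.org and relays.mail-abuse.org are the ones shown in the wizard screens; the stub records, the example domains and the 192.0.2.x addresses (a documentation range) are constructed.

```python
"""Added example (not from the Symantec guide): sender DNS validation and
DNSBL (RBL) lookup against a constructed stub resolver."""
import ipaddress

# Constructed stub zone data: (name, record type) -> list of answers.
STUB_DNS = {
    ("xyz.com", "MX"): ["mail.xyz.com"],
    ("example.net", "MX"): [],                    # domain exists but has no MX
    # 192.0.2.5 is "listed": the reversed-octet name resolves in the RBL zone
    ("5.2.0.192.blackholes.mail-abuse.org", "A"): ["127.0.0.2"],
}


def resolve(name, rtype, dns=STUB_DNS):
    """Stand-in for a DNS query; returns [] when the name does not exist."""
    return dns.get((name.lower(), rtype), [])


def check_sender_dns(envelope_from, dns=STUB_DNS):
    """Apply the 'check sender against DNS' rules to a MAIL FROM address.
    Returns (accepted, reason)."""
    if envelope_from.count("@") != 1:
        return False, "malformed address"
    local, domain = envelope_from.rsplit("@", 1)
    if not local or not domain:
        return False, "malformed address"
    labels = domain.split(".")
    if len(labels) < 2 or not all(labels):
        return False, "domain not fully qualified"
    if not resolve(domain, "MX", dns):
        return False, "no MX record for domain"
    return True, "ok"


def rbl_query_name(client_ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the zone appended."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, zones, dns=STUB_DNS):
    """True if any configured RBL zone answers for the connecting address."""
    return any(resolve(rbl_query_name(client_ip, z), "A", dns) for z in zones)


def admit_connection(client_ip, envelope_from,
                     zones=("blackholes.mail-abuse.org",), dns=STUB_DNS):
    """Order used here: RBL first (it rejects the whole connection), then the
    sender DNS test. Returns (accepted, reason)."""
    if is_listed(client_ip, zones, dns):
        return False, "client address found in RBL"
    return check_sender_dns(envelope_from, dns)


if __name__ == "__main__":
    print(rbl_query_name("192.0.2.5", "blackholes.mail-abuse.org"))
    for ip, sender in (("192.0.2.5", "alice@xyz.com"), ("192.0.2.6", "alice@xyz.com"),
                       ("192.0.2.6", "bob@localhost"), ("192.0.2.6", "carol@example.net")):
        print(ip, sender, "->", admit_connection(ip, sender))
```

Adding a second zone, as the wizard allows with New RBL Site, is just a longer zones tuple; the lookup name is rebuilt per zone, so a provider that uses a different zone name needs no other change.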
48. age 40. If you do not type a license key here, the VelociRaptor appliance will run for a 30-day grace period.
Check the Lock Front Panel Keyboard check box if you want to disable the buttons on the front panel of the appliance. The front panel menu can change network settings, shut down or factory-reset the appliance, so lock it wherever the appliance is not in a physically secured location.
Click Next.
The System Features page appears. Only features enabled by the license key are shown. For more information on system features, see the Product Overview on page 5.
Figure 3.13 System Features page (Setup Wizard: Specify the system features you want to enable on this system. Check the features you want to enable and clear the features you want to disable. The system features shown here are based on the license key in the previous page, not the system's current setting. Features listed: Firewall, VPN, Full VPN Client Support, High Availability/Load Balancing. Description shown: The High Availability/Load Balancing feature supports the use of clusters, allowing another system to take over the work of a failed system and enabling multiple systems to share the work load.)
10 Uncheck any features you do not want to use. You can run the Setup Wizard again to enable any feature, or use the System Features item under Base Components.
Click Next.
The Network Interfaces page appears (see Figure 3.14). You configured one Ethernet interface, the interface closest to the mana
49. ailability and Load Balancing
The VelociRaptor appliance provides High Availability and Load Balancing (HA/LB) features. Load balancing allows the members of a cluster to share the work. A special case of load balancing is referred to as high availability, meaning that if one appliance fails, the remaining member or members of the cluster can take over and continue to share the load. HA/LB is an optional feature. You must purchase an HA/LB Crossgrade License for each appliance in a cluster. Check with your system administrator for license requirements.
HA/LB Implementation
The VelociRaptor appliance is a critical component of network security. A single-appliance configuration (a network without HA/LB) may not be appropriate for all situations, for the following reasons:
- Single point of failure
- Possible bottleneck
As a single point of failure, if the appliance is down your external users no longer have access to internal resources and your internal users are cut off from external networks. Although the network is still secure, it is off-line until the appliance is restored to service.
Figure 9.1 Non-HA/LB network (Internet, router, appliance, service network with servers, router, internal network)
One solution is to add additional appliances to your company network. Multiple appliances can be configured to act as if they wer
50. alancing configured, this allows the cluster to spread the connections more evenly over several different appliances instead of always sending requests to one appliance.
Note: The VIP should be assigned an IP address higher than any of the nodes supporting that VIP.
Figure 9.5 HA/LB cluster with VIPs (Internet router 169.10.10.1; external network 169.10.10.0/24 with member addresses 169.10.10.2 and 169.10.10.4 and VIP Out 169.10.10.250; dedicated heartbeat network 192.168.30.0/24 with VIP In 192.168.30.250; service network 172.168.6.0/24 with servers and VIP In 172.168.6.250; internal network 192.168.1.0/24 with VIP In 192.168.1.250; the address 192.168.10.2 also appears as printed in the figure)
The next step is to modify the routing tables on each of the machines and servers on each of the networks. All machines and servers must now point to the VIPs instead of the real IP addresses for HA/LB to work properly. If the machines and servers continued to point to the real IP addresses of the appliances and one of the appliances failed, all of the machines and servers pointing to that security gateway would be cut off from the network.
Table 9.1 shows the VIP settings for our cluster network.
Table 9.1 VIP addresses
Network           VIP              Description
169.10.10.0/24    169.10.10.250    Outside (Internet)
192.168.30.0/24   192.168.30.250   Dedicated Heartbeat
172.168.6.0/24
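As an added example (not part of the appliance software), the following Python script checks a VIP plan like Table 9.1 against the rules stated above: every VIP inside its subnet, not the network or broadcast address, not colliding with a member, and numerically higher than the member addresses on that subnet; no member address reused across subnets; and a host's next hop pointing at a VIP rather than at a member's real address. The subnets and VIPs are the ones printed on the page. Member addresses other than 169.10.10.2 and 169.10.10.4 (from Figure 9.5) are assumed for illustration.

```python
"""Sanity checks for an HA/LB VIP plan like the one in Table 9.1 and Figure 9.5.

Added example for this manual section; it is not part of the VelociRaptor
software. Subnets and VIPs are those printed on the page. Member (node)
addresses are taken from Figure 9.5 where it gives them (169.10.10.2 and
169.10.10.4) and are otherwise assumed for illustration.
"""
from ipaddress import ip_address, ip_network

CLUSTER_PLAN = {
    "Outside (Internet)":  {"subnet": "169.10.10.0/24",  "vip": "169.10.10.250",
                            "nodes": ["169.10.10.2", "169.10.10.4"]},
    "Dedicated Heartbeat": {"subnet": "192.168.30.0/24", "vip": "192.168.30.250",
                            "nodes": ["192.168.30.2", "192.168.30.4"]},  # assumed
    "Service Network":     {"subnet": "172.168.6.0/24",  "vip": "172.168.6.250",
                            "nodes": ["172.168.6.2", "172.168.6.4"]},    # assumed
    "Internal Network":    {"subnet": "192.168.1.0/24",  "vip": "192.168.1.250",
                            "nodes": ["192.168.1.2", "192.168.1.4"]},    # assumed
}


def check_vip_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent.

    Per subnet: VIP and members lie inside the subnet, the VIP is not the
    network or broadcast address, the VIP does not collide with a member,
    and the VIP is numerically higher than every member (the rule in the
    Note above). Across subnets: no real member address is reused.
    """
    problems = []
    seen_nodes = {}
    for name, entry in plan.items():
        net = ip_network(entry["subnet"], strict=True)
        vip = ip_address(entry["vip"])
        nodes = [ip_address(n) for n in entry["nodes"]]
        if vip not in net:
            problems.append(f"{name}: VIP {vip} is outside {net}")
        if vip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: VIP {vip} is the network or broadcast address")
        for node in nodes:
            if node not in net:
                problems.append(f"{name}: member {node} is outside {net}")
            if node == vip:
                problems.append(f"{name}: member {node} collides with the VIP")
            elif node > vip:
                problems.append(f"{name}: member {node} is higher than VIP {vip}")
            if node in seen_nodes:
                problems.append(f"{name}: member {node} already used on {seen_nodes[node]}")
            seen_nodes.setdefault(node, name)
    return problems


def gateway_is_highly_available(gateway, plan):
    """Classify the next hop a host or server has configured.

    Returns True if it is one of the cluster VIPs, False if it is a member's
    real address (the host is cut off when that member fails), and raises
    ValueError if it is neither, so a typo is not silently accepted.
    """
    gw = ip_address(gateway)
    for name, entry in plan.items():
        if gw == ip_address(entry["vip"]):
            return True
        if gw in (ip_address(n) for n in entry["nodes"]):
            return False
    raise ValueError(f"{gateway} is neither a VIP nor a cluster member address")


if __name__ == "__main__":
    for line in check_vip_plan(CLUSTER_PLAN) or ["VIP plan is consistent"]:
        print(line)
    for hop in ("192.168.1.250", "192.168.1.2"):
        print(hop, "survives a member failure:", gateway_is_highly_available(hop, CLUSTER_PLAN))
```

Run it against the real member addresses before rebooting the cluster, and run the gateway check against each server's configured default route: a server that still points at 169.10.10.2 or another member address is exactly the host the paragraph above warns will be cut off when that member fails.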
51. ance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Software returned to Symantec within the warranty period, or refund the money you paid for the Appliance. Symantec warrants that the hardware component of the Appliance (the "Hardware") shall be free from defects in material and workmanship under normal use and service and substantially conform to the written documentation accompanying the Appliance for a period of three hundred sixty-five (365) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Hardware returned to Symantec within the warranty period, or refund the money you paid for the Appliance. The warranties contained in this agreement will not apply to any Software or Hardware which (A) has been altered, supplemented, upgraded or modified in any way, or (B) has been repaired except by Symantec or its designee. Additionally, the warranties contained in this agreement do not apply to repair or replacement caused or necessitated by: (i) events occurring after risk of loss passes to You, such as loss or damage during shipment; (ii) acts of God, including without limitation natural acts such as fire, flood, wind, earthquake, lightning or similar disaster; (iii) improper use, environment, installation or electrical supply, improper mai
52. ance system icon of the connected appliance. Right-click the icon and choose Properties. The appliance's properties page opens. Select the Date/Time tab (see Figure 7.4).
Figure 7.4 Change date and time (Connected Properties dialog with General, Status, Paths, Passwords, Date/Time, System and License tabs; the Date/Time tab reads: Please set date, time and time zone as necessary. Time and Date 03/15/2002 13:34; Timezone US/Eastern)
Check the Change Date and Time check box to change the current settings. From the Time and Date and Timezone pull-down fields, select the appropriate settings.
7 Click OK when finished. Changes take effect immediately. Keep the clock accurate: log timestamps, and the validity checks on certificates used to authenticate VPN tunnels, depend on it.
Define a license key
If necessary, you can enter a license key for the first time, or change the current VelociRaptor appliance license key, through the Symantec Raptor Management Console from the License tab of the appliance's properties page. For further license key information, see Get your license key on page 40.
To enter or change your license key
1 In the left pane, select the appliance's icon.
2 Right-click the icon and choose Properties to display the appliance's properties page.
(Connected Properties dialog, License tab) Current license informa
53. and return to the top menu level.
Network address information
When the appliance boots for the first time, you must enter the network address information of the Symantec Raptor Management Console that will manage the appliance. Refer to the network configuration in Figure 3.4 for the example addresses used in the setup instructions.
Figure 3.4 VelociRaptor appliance protected network (example addresses as printed: SRMC 169.254.1.2; Internet router 169.254.0.254; Outside 169.254.0.1; Aux 2 169.254.1.3; Aux 1 192.168.6.6; Inside 192.168.6.1; hosts news.xyz.com and web.xyz.com; 169.254.10.1, 169.254.10.254, 169.254.1.1; 192.168.1.17 (mrg), Route 192.168.1.62, 192.168.5.1, 192.168.1.22, 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.3.65, 192.168.5.2, 192.168.5.3, 192.168.5.4, 192.168.3.10, 192.168.3.11, 192.168.3.12)
Network configuration worksheet
During the VelociRaptor appliance setup process you are prompted to enter network address information. Once those addresses are entered, the VelociRaptor LCD panel displays three passwords that you will need to initiate remote management. Use the worksheet on the next page to make note of these passwords. Passwords can be changed once you have set up the Symantec Raptor Management Console to begin remote management. For details on changing passwords, see Managing passwords on page 106. Store this
54. anding unit.
Note: Models 1200 and 1300 do not come with rubber feet.
Stand-alone hardware installation
To install the VelociRaptor appliance as a stand-alone device
1 Make sure that the installation site has a smooth and level surface, such as the top of a computer table. Also avoid placing the VelociRaptor appliance in an area with a lot of clutter, such as books or other hardware devices.
2 Attach the rubber feet to the five indentations on the bottom of the appliance. See Figure 2.1.
Figure 2.1 Freestanding Model 1100 with rubber feet
3 Place the unit in a secure location away from busy areas. The installation site must meet the minimum environmental specifications described in Table 1.1.
4 Check that the power source is adequate for the VelociRaptor appliance and that the outlet is located within reach of the supplied power cord without stretching or putting strain on the cord.
5 Refer to Connect model 1100 to the network on page 20 or Connect models 1200 and 1300 to the network on page 22 for details on attaching signal cables.
Warning: Do not use an extension cord to supply power to this unit.
6 After cabling the unit into the network, properly dress the cables and position them away from foot traffic to avoid a potential tripping hazard.
Rack mount instructions
The following rack mount instructions apply to all appliance models.
Note: Because
55. antec VelociRaptor is a member of Symantec's growing line of security appliances, and its integrated Symantec Enterprise Firewall meets the most stringent industry interoperability and ICSA Labs Cryptography Product Certification requirements.
Key Features
Firewall
Delivers multi-function firewall/VPN security capabilities in a fully integrated, rack-mountable appliance. Provides enterprise-class gateway security with full-inspection application proxy technology and automatic system hardening and monitoring. Offers a true plug-and-protect solution with quick installation, pre-configured software and secure remote management. Securely extends networks with a Proxy-Secured, IPsec-compliant integrated VPN.
The VelociRaptor appliance includes technologies from Symantec's Enterprise Firewall to protect enterprise assets and business transactions with one of the most secure high-performance solutions for ensuring safe connections with the Internet and between networks. Its unique architecture delivers security and speed, providing strong and transparent firewall protection against unwanted intrusion without slowing the flow of approved traffic on enterprise networks.
Features include:
Standard proxies. These proxies handle common services such as telnet, HTTP, FTP, RealAudio and others. Standard proxies offer the highest level of logging and ease of use. Unless specifically stated otherwise, when this manual d
56. ard 57
R
Radware FireProof 156
Rear view, power switch 22
Remote login 119
Reset 40
Restart system from SRMC 114
Restore files from SRMC 116
Root password 37, 108
Routable addresses 6
Routed network 93
Routes, configuring default using SRMC 95
Rules, antivirus 127
S
S2S Tunnel wizard 71
Safety: electric shock 166; equipment rack 166; lithium battery 165
Scanning, antivirus 123
Secure Remote Login: password 108; remote login 119; tunnel wizards 72, 88
Setup: procedure, initial 35; wizard 50
Shutdown 39
SMTP wizard 63
Software patches, applying to the firewall 117
Split-level DNS 98
SRL: client 120; password 37
SRMC: adding SRMCs 119; applying software patches to firewall 117; backing up configuration files 115; changing date and time 111; changing license key 112; log command 118; changing system settings 110; configuring private DNS entries 98; host IP address 36; installing 43, 44; overview; password 36, 50; managing passwords 108; root password 108; QuickStart wizard 57; restarting system 114; restoring configuration files 116; root password 37; Secure Remote Login (SRL) 108; Setup wizard 50; SMTP wizard 63; system shutdown 113
Static routes, setting 93
Status indicators: 100 M 26, 28; active connection 28; Col 26, 28; Disk 26, 28; hard disk drive 28; Link 26, 28; Temp 26, 28; traffic 28; Transmit/Receive 26, 28; Web activity 28
Sticky node 144
Symantec Raptor Management Console, see SRMC
Symantec warranty 172
Symmetric routing 145
System
57. based on the Program, you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under an
58. can be in read/write (managing) mode at a time; all others are in read-only mode (view configuration and logs). To configure remote management by another Symantec Raptor Management Console, follow the instructions in Managing passwords on page 106. Be sure to type the IP address of the new Remote Host in the appropriate field. You can then connect to this appliance with a Symantec Raptor Management Console at that specified address. Type the appropriate hostname and password into the login window.
Use secure remote login
Secure Remote Login (SRL) lets a user on a machine with Symantec Raptor Management Console log in to the VelociRaptor appliance and review system files, reboot the machine, or perform other troubleshooting or debugging tasks that are outside of normal appliance operations. All remote traffic is encrypted. You must use the Symantec Raptor Management Console version of Tera Term Pro and not the standalone version.
To make an SRL connection from Symantec Raptor Management Console to the VelociRaptor system
1 Select the appliance icon in Symantec Raptor Management Console, right-click and choose All Tasks > SRL Client to display the Tera Term Pro window and logon dialog box (see Figure 7.11).
Figure 7.11 Tera Term Pro window (Tera Term connecting; SRL Passwords dialog)
2 In the Management
59. Propagating appliance configuration files
Important safeguards
Safeguard Instructions
Licenses
GNU GENERAL PUBLIC LICENSE
NO WARRANTY
SYMANTEC APPLIANCE LICENSE AND WARRANTY AGREEMENT   B-172
1. Software Licenses   B-172
2. Content Updates   B-173
3. Limited Warranty   B-174
4. Disclaimer of Damages   B-175
5. U.S. Government Restricted Rights   B-176
6. Export Regulation   B-176
7. General   B-176
8. Excluded Software   B-177
Chapter 12 Serial Port Cable
Serial 9-Pin Cable Specifications   C-179
Chapter 13 Troubleshooting
Troubleshooting   D-181
Product Overview
The Symantec VelociRaptor is an integrated hardware and software firewall/VPN appliance that employs full inspection technology to provide a fast and secure connection to the Internet, delivering enterprise-class network security. The single-rack-unit-high (1RU) plug-and-protect appliance ensures complete control of information entering and leaving the network wi
60. ce is rebooted, the LCD enters a monitoring mode that it remains in during normal system operations. When in monitoring mode, the VelociRaptor appliance alternately displays system information related to the health and status of the appliance. It displays date, time and status in this manner:
Nov 14 14:00:00 System OK
The LCD next displays system version and resource utilization information:
V 1.5 running CPU 40% Log 20%
Finally, the LCD displays the network interface load information in packets per second:
In 0/s Out 0/s Aux1 0/s Aux2 0/s
These interfaces are generally configured as follows:
In    Inside Interface        eth0
Out   Outside Interface       eth1
Aux1  Auxiliary 1 Interface   eth2
Aux2  Auxiliary 2 Interface   eth3
Use the system menu
When the VelociRaptor appliance is up and running, you can access the system menu on the appliance by pressing the E button on the front panel. You can select a system menu option by pressing the E button again, or continue to the next system menu entry by pressing either the down (v) arrow key or the right (>) arrow key. For descriptions of the buttons on the VelociRaptor appliance front panel and the functions they perform, see Front panel controls on page 29.
The available System Menu options are:
1 Network Setup. When you select this menu item you are prompted to re-enter or change network settings configured during th
61. changes at any time by selecting the system icon to display the Configuring your Symantec System taskpad.
Figure 4.1 Configuring your Symantec System taskpad (Symantec Raptor Management Console tree: Console Root > Symantec Enterprise Management > Symantec Raptor Management Console > VRONEFIVE (Connected), with Base Components, Access Controls, Virtual Private Networks and Monitoring Controls; taskpad icons: QuickStart, SMTP Wizard, S2S Tunnel wizard, VPN Client Tunnel wizard, Setup Wizard, Disconnect from VRONEFIVE)
2 Click the QuickStart icon in the taskpad. The Welcome to the QuickStart Wizard screen appears (see Figure 4.2).
Figure 4.2 QuickStart Wizard introduction (Welcome to the QuickStart Wizard. This wizard will: configure basic mail services; configure rules to allow internal users to access web and FTP services. To continue with QuickStart, click Next.)
3 Click Next to begin using the QuickStart wizard.
Figure 4.3 QuickStart Wizard Configuration Options (You have the option of configuring mail services, web and FTP services, or both.)
62. ck OK to close the status box.
Appendix
Important safeguards
Safeguard Instructions
For your protection, please read all these instructions regarding your VelociRaptor 1.5 appliance.
Read Instructions: Read and understand all the safety and operating instructions before operating the appliance.
Ventilation: The VelociRaptor 1.5 appliance's vents on the front and the fan opening(s) on the back panel are provided for ventilation and reliable operation of the product and to protect it from overheating. These openings must not be blocked or covered. This product should not be placed in a built-in installation unless proper ventilation is provided.
Lithium Battery: The lithium battery on the system board provides power for the real-time clock and CMOS RAM. The battery has an estimated useful life expectancy of 5 to 10 years.
Power Cord: Caution: The power supply cord is used as the main disconnect device. Ensure that the socket outlet is located or installed near the equipment and is easily accessible.
Caution (French, translated): The power cord serves as the main disconnect device. The socket outlet must be located or installed near the equipment and be easily accessible.
Caution (German, translated): To disconnect the device safely from the mains, pull the mains plug. Verge
63. cluster.
Define the remote management passwords of all the appliances you want to add to the cluster using the Symantec Raptor Management Console.
Creating a cluster for software high availability/load balancing
The following procedure describes how to create a cluster for software HA/LB. An HA/LB cluster can also be used to propagate appliance configuration files from one cluster member to all other enabled members of the cluster. See Creating a cluster for appliance file propagation or hardware HA/LB on page 154.
Before you create the cluster, make sure that the IP addresses and passwords of all the appliances you want to add to the cluster have been defined on all the appliances that will be added to the cluster.
To create a software HA/LB cluster
1 Click the Symantec Raptor Management Console icon to display the Getting Connected taskpad in the right pane. If the taskpad is not displayed, pull down the View menu and choose Taskpad.
2 Click the New Cluster icon to display the Create Cluster Wizard.
Create Cluster Wizard: Welcome to the Cluster Create Wizard. This wizard will: define members of a cluster; define the heartbeat subnet and virtual IP addresses assigned to the cluster; enable or disable the members of the cluster. During propagation of configuration files other than the cluster configuration files, the disabled membe
64. cluster member to all other members. If the member you chose is not valid, a message box tells you that the member's information is incorrect and cannot be restored.
d Click OK to clear the message and return to the Cluster configuration not in sync screen. The invalid cluster member is marked. Choose another cluster member from which the cluster information will be copied and click Next. Repeat until the Cluster configuration chosen screen is displayed. This screen is read-only. Click Next to display the Completing the Wizard screen. Click Finish to write the configuration of the selected cluster member to all other members.
Modifying a cluster
There are two reasons to modify a cluster:
- To make changes to the cluster configuration information and copy those changes to all members of the cluster
- To enable or disable a cluster member prior to using the Propagate option
Propagate copies the appliance configuration files from a selected appliance's sg directory to all enabled members of that appliance's cluster.
To access the Modify Cluster Wizard you must be connected to at least one cluster member.
To modify a cluster
1 In the left pane, right-click the cluster name.
2 Choose All Tasks > Modify Cluster to display the Modify Cluster Wizard.
3 Click Next to display the Modifying a cluster screen. You can change the cluster name and descripti
65. configure tunnels to VPN clients.
Note: Before you use the tunnel wizards, you may want to configure the network entity and security gateway building blocks selected for your tunnel, although the wizards do let you create these. See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for Network Entity, Security Gateway and Certificate configuration procedures.
To access either of the tunnel wizards in Symantec Raptor Management Console
1 Select the system icon for the VelociRaptor 1.5 appliance you are managing from the left pane. The Configuring your Symantec System taskpad appears in the right pane (see Figure 4.1).
2 Click the S2S Tunnel Wizard icon or the VPN Client Tunnel Wizard icon to begin configuring your tunnel.
Configure S2S tunnels using the wizard
The VelociRaptor 1.5 appliance can create VPN tunnels to other VelociRaptor appliances, Symantec Gateway Security appliances, Symantec Firewall/VPN appliances, systems running Symantec Enterprise Firewall with VPN, or to any IPsec-compliant device. It can also create tunnels to remote clients running Symantec Enterprise VPN clients (with the full VPN function crossgrade license).
The secure tunnel configuration displayed in Figure 5.1 is an example of a site-to-site tunnel. The following pages walk you through the process of using the S2S Tunnel Wizard to set up the components of this tunnel.
66. ct S button until Select Option appears on the LCD display.
9 Press and release the Select (S) button until the Boot From Net option appears on the LCD display.
10 Press and release the Enter (E) button to begin net booting the VelociRaptor appliance from the VelociRaptor CD-ROM. The LCD display shows the Loading Kernel message. This step may take 15 minutes and includes the system rebooting itself.
11 Wait until PLEASE SWITCH OFF POWER NOW appears on the LCD display. The restore process is now complete.
12 Turn off the VelociRaptor appliance.
13 Remove the VelociRaptor CD-ROM from the CD-ROM drive on your PC.
14 Restart your PC without the VelociRaptor CD-ROM in the PC to return it to normal service.
15 Turn on the VelociRaptor appliance and perform the initial setup process again. For more information, see Initial network configuration procedure on page 35.
The VelociRaptor appliance is managed from a computer on your network using the Symantec Raptor Management Console graphical user interface.
Install Symantec Raptor Management Console
The Symantec Raptor Management Console installs on a Windows NT or Windows 2000 machine and can manage all VelociRaptor appliance functions, including secure tunnels and hardware system management such as reboots or shutdowns. You can use the same Symantec Raptor Management Console to manage a mixture of VelociRaptor version 1.0, 1.1 and 1.5 appliances, Symantec Gate
67. cting an existing remote security gateway entity
- By creating a new remote security gateway entity
For the network example in Figure 5.1, we will create a new remote security gateway for the appliance called East by selecting the Create a new remote security gateway link available in step 1. The New Security Gateway dialog box appears (see Figure 5.11).
Figure 5.11 New Security Gateway dialog box, Remote End (Name: East. Enter the IP address or a DNS-resolvable name for your new Security Gateway: 206.7.7.2. Authentication method: Certificate or Shared Key. Note that both gateways of a tunnel must be using the same authentication method, and the same shared secret if using it.)
In the dialog box, type a Name and an IP address for your remote gateway, in this case East and 206.7.7.2. Also decide which authentication method is to be used (see Figure 5.11). In this example we have selected Certificate for authentication. For details on authentication, see the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide.
Click OK; the name of your new security gateway will be used as the Remote Security Gateway.
Step 2 of the Remote End screen gives you two ways to specify the remote originator or endpoint for tunnel packets:
- By selecting an existing network entity
- By creating a new protected network enti
68. d   5-72
Configure VPN Client tunnels using the wizard   5-88
Routes and DNS
Setting Up routes   6-93
Specifying the default gateway   6-95
Creating static routes   6-96
Configure the DNS proxy   6-97
Provide private DNS file address statements   6-98
Provide hosts.pub file information   6-101
Verify connectivity   6-101
Management Console
Monitor VelociRaptor appliance   7-105
Managing passwords   7-106
Remote management password   7-107
Root and secure remote login passwords   7-108
Change system settings   7-110
Change the date and time   7-111
Define a license key   7-112
Perform a system shutdown from the Symantec Raptor Management Console   7-113
Perform a system reboot from the Symantec Raptor Management Console
Back up configuration files
Restore configuration files
Apply patches to the VelociRaptor software
69. dels 1200 and 1300 specifications
Dimensions: 17.50 in x 22.75 in x 1.75 in (44.5 cm x 57.8 cm x 4.5 cm); fits a standard 19 in equipment rack, single rack unit height
Weight: 20 lbs (9 kg)
Network interfaces: Four 10/100Base-T Ethernet connections
User interface: 2 x 16 liquid crystal display on front panel; LEDs: transmit/receive (2), link (2), disk activity (1), temperature
Operating environment: 32 to 95 F (0 to 35 C); 10 to 90% humidity, non-condensing
Power requirements: Input rating 100-240 V, 50/60 Hz; maximum power consumption 100 watts typical, 130 watts max
Documentation
The VelociRaptor appliance functionality is described in three manuals:
The Symantec VelociRaptor 1.5 Appliance Implementation Guide. This guide covers all the functionality of the VelociRaptor appliance except firewall and VPN features.
Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide. This guide covers topics related to the firewall and VPN features, including base components, access controls, secure tunnels, VPN policies, remote policies and monitoring controls. It is provided in PDF format on the VelociRaptor appliance Software CD-ROM.
Symantec Enterprise Firewall, Symantec Enterprise VPN and VelociRaptor Firewall Appliance Reference Guide. This guide provides advanced technical information about network security and advanced configuration examples.
70. dentical cluster information, the Verify Cluster wizard allows you to choose a cluster member so that its configuration can be copied to all other members.
To verify a cluster
1 Connect to a member of the cluster you want to verify.
2 In the left pane, right-click the cluster name.
3 Choose All Tasks > Verify Cluster to display the Verify Cluster Wizard.
4 Click Next.
5 If there are cluster members that are not connected, the Connect to cluster members screen is displayed. Type the password for the system whose IP address is displayed and click Next.
6 Repeat Step 5 on page 156 until all members are connected, at which point one of the following screens is displayed:
If the Completing the Wizard screen displays, saying that the configuration is in a consistent state, the verification process has completed successfully. Click Finish to close the Verify Cluster Wizard.
If the Cluster configuration not in sync screen is displayed, continue at Step 7 on page 159.
7 Choose a cluster member from the list and click Next. If the member you chose is valid, the Verify cluster screen is displayed, showing the cluster information of the member.
a Click Next. The Cluster configuration chosen screen is displayed. This screen is read-only.
b Click Next to display the Completing the Wizard screen.
c Click Finish to write the configuration of the selected
71. down, the VIP is transferred to another node in the cluster. When the node the VIP was originally assigned to is back up, the VIP returns to it.
Note: With symmetric routing turned on, sticky VIPs do not affect which node actually owns the connections, only where the traffic is first seen. You can implement your own symmetric routing by having sticky VIPs bound to particular machines and then distributing them in a load-balanced way. Then turn asymmetric routing on, and the incident node is the owner node for the traffic. See HA/LB terms on page 144 for more information.
Click OK to process the Add a Virtual IP Address dialog box, then click OK again to close the VIP Addresses dialog box. The VIPs you have assigned are shown in the Cluster member information list.
19 Repeat Step 15 on page 151 through Step 18 on page 153 for each subnet, then click Next to display the final screen of the Cluster Wizard.
Figure 9.14 Completing the Wizard page (The New Cluster Wizard will now attempt to write the cluster information to all members. In order for these changes to take effect, you must reboot all the nodes to which changes were made. Would you like to reboot now? No, will reboot later. To exit the wizard, click Finish.)
20 Decide whether to reboot the cluster members now or la
72. ...the HTTP Rule Properties page.
3. Click the Antivirus tab.
4. Check the Enable Antivirus Scanning check box.
Figure 8-4 HTTP Rule Properties, Antivirus page (tabs: Protocols, Restrictions, Web Proxy, Antivirus). The page reads: "Please specify if this rule will include antivirus scanning of HTTP traffic. Application Data Scanning has to be enabled for enabling this option." with an Enable Antivirus Scanning check box.
5. Click OK.
6. When you have finished writing the rule, click OK.
To configure the SMTP proxy for antivirus scanning:
1. Select smtp from the Excluded Services list and use the >> button to move it to the Included Services list.
2. Select smtp in the Included Services list and click Configure to display the SMTP Rule Properties page.
3. Click the Antivirus tab.
Figure 8-5 SMTP Rule Properties, Antivirus page (tabs: Anti-Spam, Relay, Advanced, ESMTP, Antivirus). The page reads: "Please specify if this rule will include antivirus scanning of SMTP traffic. Application Data Scanning has to be enabled for enabling this option." with an Enable Antivirus Scanning check box and Cancel and Help buttons.
4. Check the Enable Antivirus Scanning check box.
5. Click OK.
6. When you have finished writing the rule, click OK.
Symantec Gateway Security appliance setup
On the Symantec Gateway Security appliance you must specif...
73. ...the initial setup process. To continue to the next system menu entry, press either the down (v) arrow key or the right (>) arrow key.
2. Reboot: When you select this menu item, you are prompted to select Yes or No. No is selected by default. To reboot, use an arrow button to move the cursor to Yes and press the E button to enter it.
3. Shutdown: When you select this menu item, you are prompted to confirm system shutdown. Select Yes or No. Press the E button again to enter your selection.
4. UPS setup: When you select this menu item (UPS: Uninterruptible Power Supply), you are prompted to choose start or stop. To use a UPS unit, select start and press the E button.
5. System ID: Selecting this menu item causes the VelociRaptor appliance to display the system's ID. You need to provide this system ID to Symantec to obtain a license key. Press the E button to return to the system menu once the system ID is displayed on the LCD. Press either the down arrow (v) key or the right arrow (>) key to move to the next menu item.
6. Factory reset: If you select this menu item, you are prompted to confirm with Yes or No. If you select Yes, the VelociRaptor appliance resets in the following manner: network IP address information is erased; Symantec Raptor Management Console workstation connection information is erased; license information remains intact.
Caution: If you choose Yes, the a...
74. ...the lists to determine what to scan when there are container files.
- All files: All files, regardless of extension, are sent to the Symantec Gateway Security appliance for scanning.
- Only those in include list: Only files with the extensions listed in the include list are sent to the Symantec Gateway Security appliance. If you select this option, you can edit the include list to add or delete file extensions. The default include list contains those file types considered at risk of infection.
- All except those in exclude list: All files except those with the extensions listed in the exclude list are sent to the Symantec Gateway Security appliance. If you select this option, you can edit the exclude list to add or delete file extensions. The default list includes those file types not likely to be infected.
Note: The default include and exclude lists contain the recommended file types to protect your network against viruses and other types of malicious code. To minimize potential exposure to infection, use care in editing extension lists. For maximum security you can select to scan all file types regardless of extension, but be aware that performance may be impacted during periods of peak usage.
If you have selected Only those in include list from the Which file extensions to scan list, optionally edit the Include list to add or remove file extensions: add any additional file extensions you want to scan, and delete any extensions that you do not...
75. ...one gateway. This is referred to as a cluster. If one member of a cluster has a failure, the others will continue to operate and pick up the load (network traffic) of the failed appliance without any interruption of service to the users of the network.
The following example depicts a three-appliance software HA LB cluster. The first step in creating this cluster is to physically set up and configure the appliances on the network. Internal and external interfaces on each appliance must be configured properly, and the networks that each appliance talks to must also be configured. The second step is the setup of VIPs on the network. See Cluster members screen (page 139).
Three-appliance cluster example
In this example, each of the three VelociRaptor appliances uses all four of its network ports, located on the back panel of the appliance as shown in Figure 9-2, to connect to the networks shown in Figure 9-3.
Figure 9-2 VelociRaptor appliance back panel (ports: Outside, Aux 2, Aux 1, Inside; networks shown: Outside Network/Internet, Internal Network, Service Network, Dedicated Heartbeat Network, with subnets 192.168.1.0/24, 169.254.0.0/24, 172.168.6.0/24 and 192.168.30.0/24)
Each of the three appliances is configured and connected to the network in the same way. Even if two of the appliances fail, the third appliance will pick up the load. The three internal networks will still be secure a...
76. Welcome to VelociRaptor Setup Wizard. The page reads: "You MUST complete this wizard to begin managing the system. This wizard configures the following information: system name, domain name, default gateway, license key, system features, network interfaces, system date and time. If you cancel out of this wizard without completing it at least once, you cannot connect to the system. Click Next to continue." Buttons: < Back.
Figure 3-11 Setup Wizard Welcome page
2. Click Next to begin using the Setup Wizard.
Figure 3-12 Setup Wizard System Information page (fields: System name, Domain name, Default gateway IP, License, and a Lock Front Panel Keyboard check box; the page reads "Specify the system information to be used by this system")
3. Enter a System Name for the VelociRaptor appliance. Each appliance ships with a pre-configured system name. You can change this name here if necessary.
4. Type the Domain Name for the system. A domain name is displayed by default. Change this to match your domain.
5. The Default Gateway IP field displays the information you typed during the appliance initial setup process. You can change this IP address if necessary.
6. Type the License Key. To obtain this license key you must provide your System ID and product serial number; see Get your license key on p...
77. ...until that node is no longer available, even if the first node comes back up.
Preferred node: A node in the cluster can also be designated as a preferred node. A preferred node can be thought of as a persistent sticky node. By specifying that a node is preferred, communication requests will always be sent to this machine when it is available. If this machine is unavailable, another machine in the cluster will become the incident node but will not be marked as the preferred node. If the first machine comes back up, communication requests will revert back to the first machine until it is no longer available.
Symmetric routing: Symmetric routing assures that any return packets for a connection go back out through the same security gateway.
Asymmetric routing: Asymmetric routing is the default mode for the appliance until the Cluster Wizard is run for the first time. Asymmetric routing allows a return packet for a connection to go back out through any security gateway in the cluster. Asymmetric routing provides better network performance, especially if the incident node is busy. State information must be maintained between all of the nodes in the cluster for asymmetric routing to work properly.
About the cluster wizard
The VelociRaptor appliance provides a Cluster wizard to group appliances into a cluster for three purposes:
- Integrated So...
78. ...Symantec website, www.symantec.com.
To access VelociRaptor troubleshooting information:
1. Go to www.symantec.com.
2. Click the service & support button at the top of the welcome screen.
3. Click the "I am an enterprise user" button in the middle of the service & support screen.
4. Select Symantec VelociRaptor from the Select a product pull-down list.
5. Select version 1.5 from the Select a version pull-down list.
6. Click the continue button.
7. Click the Knowledge Base link next to the "solve a technical issue" section in the middle of the Support Solutions page.
You can search or browse the VelociRaptor knowledge base for troubleshooting information using the directions provided on the Knowledge Base page.
Index
A: Adding SRMCs 119; Address: configuring during first system boot 31, statements (private entries for DNS) 98, transforms 6; Alias 101, defining in host file 100; Antivirus scanning: configuring proxy services 123, enabling in a rule 127; Asymmetric routing 145.
B: Back panel features: model 1100 19, models 1200/1300 21; Backup files 115; Battery 165.
C: Change log command, executing from SRMC 118; Cluster: configuring VIPs 140, creating for hardware HA LB or file propagation 154, creating for software HA LB 147, preparation 146, verification 156, Wizard: deleting 146, modifying 157, using 145; Component list 12; Configuration: enabling antivirus scanning in a rule 127, files, backing up from SRMC...
79. ...aspect of the Internet. Viruses can easily spread in the Internet environment and pose major threats to critical business operations and financial investment. Implementing antivirus protection at the firewall is a critical step in protecting your network against viruses and other related threats.
The VelociRaptor appliance provides comprehensive virus protection when configured as a client of a Symantec Gateway Security appliance running the antivirus scan server. The VelociRaptor lets you configure antivirus scanning and email filtering by individual proxy. The FTP, HTTP and SMTP proxies on the VelociRaptor appliance can be configured to pass files to a Symantec Gateway Security appliance, which in turn scans the files for viruses and mail policy violations. Files that have unrepairable infections or that violate the established mail policy are blocked, while clean files and infected files that can be repaired are allowed to pass through.
The Proxy Services configuration for each individual proxy lets you select the IP address and port number of the Symantec Gateway Security appliance that will handle the antivirus scanning for that proxy. All antivirus scanning and email filtering is based on the specific antivirus configuration of the Symantec Gateway Security appliance serving the VelociRaptor.
Configuring antivirus scanning proxy services
The client component of the antivirus implementation is configured through the FTPD, HTTPD and SMTPD Proxy...
80. Figure 9-13 Add a Virtual IP Address dialog box (fields include the VIP address, a "This VIP is sticky" check box and a Preferred machine list)
This dialog box allows you to provide a Virtual IP address (VIP) for the cluster member. This IP address is used to represent the identity of the cluster to outside machines and routers.
Note: You must assign at least one VIP address to each subnet of the cluster.
17. The VIP address can be assigned in three different ways, depending on your cluster requirements:
- Type a Virtual IP Address for the cluster member without doing anything else in this dialog box. This creates a normal VIP that is free to participate in load balancing. It does not have any type of stickiness associated with it.
- Type a VIP address for the cluster member and check the This VIP is sticky check box. This creates a sticky VIP that will stay on the node it is assigned to as long as that node is healthy. If the node goes down, the VIP is transferred to another node in the cluster. When the original node comes back up, the VIP stays with the node that it transferred to.
- Type a VIP address for the cluster member, check the This VIP is sticky check box, and choose the IP address of a preferred appliance for the VIP to be associated with. This creates a sticky VIP that has a preference for the IP address you select. It will stay with the node it is assigned to as long as that node is healthy. If the node goes...
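The three VIP assignment modes described in this passage and its continuation (chunk 71 above), as an added simulation that is not code from the Symantec manual or the appliance; the member names, VIP addresses, and the "fewest VIPs wins" rule for placing a transferred VIP are constructed assumptions, not the appliance's real election mechanism:

```python
"""Simulation of normal, sticky and sticky-with-preferred-node VIPs.

Added example, not code from the Symantec manual or the appliance. It models
only the placement rules the manual states across a node failure and recovery.
How a transferred VIP is placed is an assumption: it goes to the healthy
member currently holding the fewest VIPs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vip:
    address: str
    home: str                        # cluster member the VIP was assigned to
    sticky: bool = False             # "This VIP is sticky" check box
    preferred: Optional[str] = None  # preferred appliance (sticky VIPs only)
    owner: Optional[str] = None      # member currently answering for the VIP


class Cluster:
    def __init__(self, nodes: List[str]) -> None:
        self.healthy: Dict[str, bool] = {n: True for n in nodes}
        self.vips: List[Vip] = []

    def add_vip(self, vip: Vip) -> None:
        if vip.preferred is not None and not vip.sticky:
            raise ValueError("a preferred node can only be set on a sticky VIP")
        if vip.home not in self.healthy:
            raise ValueError(f"unknown cluster member {vip.home}")
        vip.owner = vip.home
        self.vips.append(vip)

    def load(self) -> Dict[str, int]:
        """Number of VIPs currently owned by each member."""
        counts = {n: 0 for n in self.healthy}
        for v in self.vips:
            if v.owner is not None:
                counts[v.owner] += 1
        return counts

    def _least_loaded(self, exclude: Optional[str] = None) -> Optional[str]:
        load = self.load()
        candidates = [n for n, ok in self.healthy.items() if ok and n != exclude]
        if not candidates:
            return None
        return min(candidates, key=lambda n: (load[n], n))  # name breaks ties

    def node_down(self, node: str) -> None:
        """Every VIP on the failed member is transferred to another member."""
        self.healthy[node] = False
        for v in self.vips:
            if v.owner == node:
                v.owner = self._least_loaded(exclude=node)
        self.rebalance()

    def node_up(self, node: str) -> None:
        """Recovery: a sticky VIP preferring this member returns to it, a plain
        sticky VIP stays where it was transferred, normal VIPs may rebalance."""
        self.healthy[node] = True
        for v in self.vips:
            if v.owner is None:
                v.owner = node  # no member was healthy while this VIP was orphaned
            elif v.sticky and v.preferred == node:
                v.owner = node
        self.rebalance()

    def rebalance(self) -> None:
        """Spread only normal (non-sticky) VIPs evenly over healthy members."""
        while True:
            load = self.load()
            healthy = [n for n, ok in self.healthy.items() if ok]
            if not healthy:
                return
            busiest = max(healthy, key=lambda n: (load[n], n))
            idlest = min(healthy, key=lambda n: (load[n], n))
            movable = [v for v in self.vips if v.owner == busiest and not v.sticky]
            if load[busiest] - load[idlest] <= 1 or not movable:
                return
            movable[0].owner = idlest


def failover_demo() -> Dict[str, List[Optional[str]]]:
    """Constructed scenario: members A, B, C; three VIPs homed on A; A fails
    and then recovers. Returns the owner history of each VIP address."""
    c = Cluster(["A", "B", "C"])
    c.add_vip(Vip("192.168.1.100", home="A"))                             # normal
    c.add_vip(Vip("192.168.1.101", home="A", sticky=True))                # sticky
    c.add_vip(Vip("192.168.1.102", home="A", sticky=True, preferred="A"))  # preferred
    history = {v.address: [v.owner] for v in c.vips}
    for event in (c.node_down, c.node_up):
        event("A")
        for v in c.vips:
            history[v.address].append(v.owner)
    return history
```

Running `failover_demo()` shows the normal VIP and the plain sticky VIP remaining on the members they were transferred to after A recovers, while only the VIP with A as its preferred appliance returns to A.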
81. ...left pane, expand the Base Components folder.
Click the System Features icon. The licensed features and their status (Enable or Disable) are displayed in the right pane. If you want to change the status of a feature, double-click the feature to display the feature's properties page.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the...
82. ...Registration link.
Contacting support
Customers with a current support agreement may contact the Technical Support team via phone or Web at www.symantec.com/techsupp. When contacting support, please be sure to have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating System
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages, log files, troubleshooting performed prior to contacting Symantec, recent software configuration changes and/or network changes
Customer service
Contact Enterprise Customer Service online at www.symantec.com; select the appropriate Global Site for your country, then click Service and Support. Customer Service assists with the following types of issues:
- Questions regarding product licensing or serialization
- Update product registration with address or name changes
- General product information (for example, features, language availability, dealers in your area)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Non-technical presales questions
- Missing or defective CD-ROMs or manuals
83. ...Integrated Software HA LB cluster, click the VIPs tab to view information about the Virtual IP (VIP) addresses in use by the cluster.
- The virtual IP addresses list shows the cluster subnets and the VIP addresses that are assigned to them. To see details about a specific subnet, double-click the subnet to display the VIP addresses dialog box. To see details about a specific VIP address, double-click the address.
- Click OK to close each additional dialog box you display.
6. Click OK to close the cluster's Properties page.
Propagating appliance configuration files
When you secure your network using multiple appliances, it is important to have consistency between appliance configurations. You want to be sure that entities are defined in the same way on all systems and that the same authorization rules and authentication procedures are in place. Propagation allows you to configure one appliance and copy the configuration information to other appliances that are grouped in a cluster.
Among the files that are copied to the other appliances is the host file from the source machine. The source host file overwrites the target host files rather than merging with them. Do the following before running Propagate so that DNS entries are not overwritten:
1. On the appliance from which you will propagate, use the DNS Records Properties page to create an entry in the Hosts file for each of the other appliances in the cluster.
2. Create entities...
84. ...selections are made, click the Remote End link.
Figure 5-9 Completed Local End screen, S2S Tunnel Wizard
The local end of your secure tunnel is now configured.
To configure the Remote End of an S2S tunnel using the S2S Tunnel Wizard:
1. Click the Remote End link on the left side of the screen. The Remote End screen is displayed, with a check mark beside the Local End link to indicate completion, as shown in Figure 5-10.
Figure 5-10 Remote End screen, S2S Tunnel Wizard (left-pane links: Introduction, Local End, Remote End, VPN Policy, Finish Setup, Cancel Setup). The screen reads: "To configure the remote end of your secure tunnel, you select a remote security gateway and the protected network entity that acts as the originator of the packets being sent or the final destination of the packets passing through the tunnel. 1. Select an existing remote security gateway using an already configured security gateway entity, or create a new remote security gateway for your tunnel. 2. Select an existing network entity using an already configured network entity, or create a new remote protected entity to serve as the originator of tunnel packets or the final destination for tunnel packets. Once your remote end selections are made, click the VPN Policy link."
2. Step 1 on the Remote End screen gives you two ways to select the remote security gateway. By sele...
85. ...here to decrypt your secret keys on the second machine.
Note: If you did not enter a password when you originally backed up these files, you can restore the configuration files to the same machine, but you cannot successfully restore the files to another machine.
4. Click OK.
Apply patches to the VelociRaptor software
Patches or hot fixes may be provided for your existing VelociRaptor software. The Patch option, available from the Symantec Raptor Management Console All Tasks menu, lets you push a patch from the Symantec Raptor Management Console machine to the VelociRaptor appliance.
To apply a patch:
1. Once you have downloaded the patch .tgz file from the Symantec Web site to your Symantec Raptor Management Console machine, select All Tasks > Patch from within Symantec Raptor Management Console.
Figure 7-9 Open System Software Patch page (a file browser with a Look in field, Files of type set to System Patch (.tgz), and Cancel button)
2. The Symantec Raptor Management Console prompts you to browse to the patch on your local system.
3. When you locate the patch, click Open. The patch unpacks and installs to the VelociRaptor appliance.
Note: Once the patch or hot fix is applied, the VelociRaptor appliance automatically restarts and the Symantec Raptor Management Console disconnects from the appliance.
86. ...ering, as well as our Security Research Centers, to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Highlights of our support offerings include:
- A range of support options, giving you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components, providing rapid response and up-to-the-minute information
- Upgrade insurance, delivering automatic software upgrade protection
- Content updates for virus definitions and security signatures, ensuring the highest level of protection
- Global support from Symantec Security Response experts, available 24x7 worldwide in a variety of languages
- Advanced features such as the Symantec Alerting Service and Technical Account Manager role, offering enhanced response and proactive security support
Please reference our website for current information on support programs. The specific features available may vary based on the level of support purchased and the specific product you are using.
Registration and licensing
If the product you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access our licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product you wish to register, and from the Product Home Page select the Licensing and R...
87. ...describes how traffic is passed; it does so using standard proxies.
- Custom protocols: You can use the Symantec Raptor Management Console (SRMC) Protocol Properties page to configure generic services provided by the hosts residing on either side of the gateway. Custom or generic service proxies include any service not supported by one of the VelociRaptor's proxy server applications.
- Address transforms: Address transforms give you the ability to control addressing, letting you present routable addresses for connections passing through a system interface or secure tunnel. This helps you to route connections to the correct destination when your site has addressing overlap issues or other routing problems.
- Configuration reports: You can generate and print full reports for every configurable item of the VelociRaptor appliance.
- Defense Against Denial of Service Attacks: A denial of service attack prevents legitimate users from accessing Internet services by consuming network resources with an onslaught of continuous service requests. You can configure your VelociRaptor appliance to quickly recognize this type of attack and immediately drop all packets coming from a hostile source. See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for more information.
VPN
The VelociRaptor appliance includes technology from the Symantec Enterprise VPN server, which allows organizations to secu...
88. ...network information directly into the appliance; see Front panel controls (page 29).
Front panel controls
The front panel controls are the same on all models. Use the following push-button instructions to enter all required setup information, detailed in the Initial network configuration procedure (page 35), into the VelociRaptor appliance.
Note: The front panel buttons perform dual functions. These functions depend upon whether the appliance is in initial setup mode (see Initial network configuration procedure, page 35) or the system menu has been entered (see Use the system menu, page 39). Refer to the bulleted descriptions below.
Figure 3-3 Front panel controls
- Up (^) and down (v) arrow buttons: Use these buttons to increment and decrement the current number displayed on the LCD, or to move to the previous (^) menu item or to the next (v) menu item.
- Left (<) and right (>) arrow buttons: Use the left (<) and right (>) arrow buttons to move across the LCD panel, or to move to the previous (<) menu item or to the next (>) menu item.
- E (Enter) button: Use the E button to launch the System Menu when the appliance is in monitoring mode, and also to accept the current value displayed in the LCD when entering information.
- S (Select) button: Use the S button to cancel out of a menu item...
89. ...for all configured interfaces of all the nodes in the cluster.
To propagate appliance configuration files:
1. Associate the appliances protecting your network into a cluster. See Creating a cluster for appliance file propagation or hardware HA LB (page 154).
2. Make your changes to a selected appliance system in the cluster.
3. Decide whether to propagate appliance configuration files to all members of the cluster or to disable some cluster members so that their configuration files remain unchanged. See also Modifying a cluster (page 157).
Note: Symantec recommends that you propagate to all cluster members.
4. In the left pane, click the icon of the appliance where changes have been made.
5. Right-click and choose All Tasks > Propagate, or display the Action menu and choose All Tasks > Propagate.
6. A message box asks if you are sure you want to propagate. Click Yes. The Result of configuration propagation status box is displayed. For each appliance in the cluster, the appliance service is temporarily stopped so that the configuration files can be copied to the appliances. The status box displays the following messages as the backup file from the source appliance is restored:
   Processing... Wait
   Updating SRMC view... Wait
   Restarting Services... Wait
   Propagation Done
When the configuration has been propagated to all enabled members of the cluster, cli...
90. ...Software HA LB: To configure software high availability and load balancing on appliances with HA LB enabled, using built-in clustering functionality.
- Hardware HA LB: To configure hardware high availability and load balancing on appliances with HA LB enabled that are connected to a Radware FireProof device. Radware's FireProof is an intelligent traffic management device for multiple firewalls and Virtual Private Network (VPN) devices. See www.radware.com for more information. Other third-party hardware HA LB devices can be used but are not supported by Symantec. An option is provided to configure third-party hardware HA LB devices.
- Other replication: To enable the propagation of configuration files from one appliance to other appliances. VelociRaptor appliance configuration information is stored in the /var/lib/sg directory. When you select an appliance in your cluster and click Propagate, all files from that appliance's sg directory are copied to the sg directories of enabled members of the cluster. This allows all members of the cluster to appear as one appliance, with the same users, network entities, rules, and all other properties.
After you have created a cluster, you can manage it by right-clicking the cluster name and choosing one of the following options from the All Tasks menu:
Verify Cluster: Identifies cluster members that may not have the same...
91. ...managing Symantec Raptor Management Console system with an IP address and netmask at the front panel during the initial appliance setup procedure. That interface should appear in the Setup Wizard Network Interfaces page.
Figure 3-14 Setup Wizard Network Interfaces page ("Specify the inside and outside network interfaces"; a Network Interfaces list with Name, IP Address, Mask, Type and Description columns, for example 10.1.1.11 / 255.0.0.0 / Inside / Inside Interface and 1.0.10.0 / 255.0.0.0 / Outside / Outside Interface, plus Outside Auxiliary 1 and Outside Auxiliary 2 interfaces; below it, Interface (eth1), IP address, Mask and Type fields, a Use DHCP check box and an Apply button)
11. From the list of Ethernet interfaces displayed in the Network Interfaces field shown in Figure 3-14, select the interface that you want to configure. The VelociRaptor appliance provides a maximum of four Ethernet connections. You can configure and edit the Ethernet connections displayed, but you cannot add new ones.
12. After you select the interface to configure, type the interface IP address in the corresponding field.
13. Type the interface netmask.
14. From the Type pull-down list, select where this interface is on the network: Inside or Outside.
Note: When you configure the eth0 and eth1 interfaces (Inside or Outside), the values in this field cannot be changed.
If you want to enable DHCP (Dynamic H...
92. ...Settings tab to view or modify the screen resolution.
Software Requirements
- TCP/IP must be installed.
- Microsoft Management Console (MMC) 1.2 must be installed. The executable that is used to install MMC is located on the VelociRaptor CD in the following location: ClientSoftware\mmc\immc.exe.
- Your system must have Internet Explorer version 5.0 or higher.
- The computer must have network connectivity with the VelociRaptor appliance. Ping an address on the same network as the VelociRaptor appliance to check.
- Check the release notes and the Symantec Service and Support website (www.symantec.com/techsupp) from time to time to see if new service packs are recommended.
- Symantec recommends that the system and Symantec Raptor Management Console partition(s) be formatted using NTFS.
To install Symantec Raptor Management Console:
1. Log on as Administrator.
2. Insert the VelociRaptor 1.5 appliance distribution CD-ROM.
3. Use your file browser to locate the Setup.exe file. It is located in the directory ClientSoftware\SymantecRMC\3DES (or DES).
4. Double-click the Setup.exe file. The Symantec Raptor Management Console Setup Welcome window appears.
5. Click Next to display the Symantec Raptor Management Console License Agreement window.
6. Read the license agreement, then click Yes to proceed or No to exit the SRMC installation. If you click Yes, the Choose Destination Location window is displayed (see Figure 3-5).
93. ...configuration files. From the Symantec Raptor Management Console All Tasks menu, you have the option of restoring backed-up configuration files to your VelociRaptor appliance or to another VelociRaptor appliance. If you originally backed up these files using a password, to restore and decrypt the key files on another machine you must enter this same password on the new machine when you restore.
Caution: This procedure assumes that the new machine has the same IP addresses and hostname as the original. Otherwise you may have to edit configuration files by hand using SRL after restoring them to the new machine.
To restore backup configuration files to your VelociRaptor appliance:
1. Right-click from within Symantec Raptor Management Console and in the All Tasks menu select Restore from, to display the Restore Property window (see Figure 7-8).
Figure 7-8 Restore property page ("Please enter the local backup file name"; a Local backup file name field with a Browse button, a Set Recover password check box, Recover password and Verify fields, and Cancel and Help buttons)
2. In the Local backup file name field, use the Browse button to locate the backed-up rfwefg file you created.
3. If you typed a recovery password when you backed up the files on the original machine, click the Set Recover password check box and type the same password h...
94. ...shared key, enter a shared key of 20 or more printable characters. Record the shared key so that you can provide it to the VPN Client user. This example shows the use of both a certificate and shared key. Click OK. Your new user, JSmith, is automatically entered in the first part of step 1 (see Figure 5-22).
Figure 5-22 Finish Setup screen, VPN Client Tunnel Wizard. The screen lists the current selections: Local Security Gateway: West (10.1.1.1); Local Network Entity: manufacturing; Remote Security Gateway: N/A; Remote Network Entity: JSmith; VPN Policy: ike_default_crypto_strong; Name: JSmithWestVPN. It reads: "Click on Finish to accept the changes or Save to save and reconfigure. If you need to make any changes, click on the left pane links. Although this wizard creates the secure tunnel and all the necessary tunnel components for you, once you've completed the wizard you can access the property pages for all the items you've selected and make changes." Buttons: Finish, Save.
Once you have made your remote VPN Client selection, click the VPN Policy link to continue configuring your tunnel. The VPN Policy configuration procedure is the same as in the S2S example. Refer to the steps after the figure VPN Policy screen, S2S Tunnel Wizard (page 85) t...
he VelociRaptor appliance. There is no router or gateway system behind the appliance.

Figure 6-1 A routed network example

In the example network in Figure 6-1, default route settings for the internal network are as shown in Table 6-1.

Table 6-1 Default route settings
news 169.254.1.2: VR aux1 interface
web 169.254.1.3: VR aux1 interface
server 192.168.1.17: VR inside interface
wkst 192.168.1.1, 192.168.1.2, 192.168.1.3: 192.168.1.17 (VR inside interface)
wkst 192.168.3.10, 192.168.3.11, 192.168.3.12: 192.168.3.85 (inside router)
wkst 192.168.5.2, 192.168.5.3, 192.168.5.4: 192.168.5.1 (inside router)
www 169.254.0.1: Internet router

Specifying the default gateway

For most installations, the default route will be your Internet router. In the example network shown in Figure 6-1, the Veloci
ich the Symantec Raptor Management Console can be reached, so that you can configure it from outside the internal network. If you do not have a default route but you have a Symantec Raptor Management Console on your subnet, you can add this route later.

Gateway Address 000.000.000.000

For the network in Figure 3-4, you would enter 169.254.10.254.

Note: If the Symantec Raptor Management Console is behind the VelociRaptor appliance and on the same subnet, you do not have to enter a Gateway Address. You can move past this address without changing it by pressing the E button; static or default routes can be configured at a later time.

Now that the VelociRaptor appliance has the network configuration information it needs to locate the managing Symantec Raptor Management Console, you must enter the IP address of the Symantec Raptor Management Console host and make note of the remote management passwords. Enter the Symantec Raptor Management Console host address for the Symantec Raptor Management Console host system:

SRMC IP Address 000.000.000.000

For the network in Figure 3-4, you would enter 169.254.10.1.

Caution: Once you enter the Symantec Raptor Management Console system IP address, the VelociRaptor appliance calculates and displays your remote management passwords. You MUST make note of these passwords. You can change them later, but you will need them to start the first remote management sessions between the Symantec Raptor Managemen
ight-click the appliance icon from within Symantec Raptor Management Console and, in the All Tasks menu, select Backup. The Backup dialog box is displayed (see Figure 7-7).

Figure 7-7 Backup property page

2. From the Local backup file name field, click Browse to display the Open Saved System Configuration dialog box. This opens to the default location for backup files (Program Files Symantec Raptor Management Console backup). When you enter a filename and click Save, the file name is placed in the field. You can also enter the path and a file name for the backup directory into the field. The file name must have the extension .rfwcfg. If the directory does not exist, you are asked if you want to create it.
3. Optionally, you can check the Set Recover password check box and enter a password. This allows you to decrypt your keys files if you copy these backed-up files to another VelociRaptor appliance with a different system name (see Restore configuration files on page 116).

Note: If you do not enter a password, you cannot restore backed-up configuration files to another VelociRaptor appliance. You can only restore them on the same machine.

Restore confi
internal mail server to send and receive mail.

Figure 4-11 Completing the SMTP Configuration Wizard (the screen asks: In order for these changes to take effect, you must save and reconfigure. Would you like to save and reconfigure now? The No option saves and reconfigures later. To exit the wizard, click Finish.)

13. Select the appropriate radio button to indicate whether you will save and reconfigure the appliance now or later, then click Finish to complete the wizard.

Note: You can change the anti-spam and anti-relay settings from the SMTPD Proxy Properties page and/or the individual rule properties. For more information, see the Symantec Enterprise Firewall and Symantec VPN Configuration Guide.

Chapter VPN

This chapter describes the use of the two tunnel wizards: S2S (site-to-site) and the VPN Client. You can use these wizards to connect to remote hosts or clients. If you would prefer not to use these wizards, refer to the procedures for configuring secure tunnels in the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide, provided in PDF format.

Note: In order to use VPN Client tunnels, you will need the full VPN function crossgrade license.

Symantec Raptor Management Console provides two tunnel wizards:
- S2S Tunnel Wizard. Use this wizard to configure site-to-site (LAN-to-LAN) secure tunnels.
- VPN Client Tunnel Wizard. Use this wizard to
ion and accepts the 10/100Base-T network cables.
3. The Auxiliary 1 network connector enables Ethernet network connection and accepts the 10/100Base-T network cables.
4. The Serial console port (155200 bps) allows you to connect a terminal emulator to act as a system console. This lets you log on to the system console and access the appliance Linux OS locally. For serial cable specifications, see Serial 9-Pin Cable Specifications on page 179.
5. The Serial connector allows you to connect a UPS to the serial port for smart UPS support. See Connect an uninterruptible power supply on page 23.
6. The Outside Network connection (eth1) enables Ethernet network connections and accepts the 10/100Base-T network cables.
7. The Inside Network connection (eth0) enables Ethernet network connections and accepts the 10/100Base-T network cables.

Table 2-1 Model 1100 back panel features (continued)
8. The Power switch toggles the power on or off.
9. The Power socket receives the AC cord that is provided.

Connect model 1100 to the network

The VelociRaptor appliance model 1100 back panel provides a total of four Ethernet connections. Your network connection requirements may differ depending on your site's configuration. Refer to Figure 2-5 for the connection instructions below.

To connect your network
1. Plug the RJ-45 connector from the Internet into the outside networ
ion and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work
ion for the cluster. Click one of the following radio buttons:
- To create a hardware HA/LB cluster, click Hardware HA/LB.
- To create a cluster for propagation of configuration files only, click Other replication.

Click Next to display the Cluster members screen, as shown in Figure 9-9.

To add the first member to the cluster, click Add to display the Connect to cluster member dialog box, as shown in Figure 9-10. Type the IP address, password, and management port number of the first cluster member.

Note: The Obtain read/write access upon connecting check box is grayed out and cannot be edited. When the Cluster Wizard attempts to connect you to an appliance, you must have read/write access to add the appliance to the cluster.

Click OK. The Cluster wizard attempts to connect to the appliance.
- If this is the first time this appliance is being added to a cluster, the Cluster members screen is re-displayed, showing the IP address of the appliance and verifying that you are connected.
- If the appliance is already a member of a cluster, a message asks if you want to read the existing information for the appliance.
- If you click Yes, the name and description of the cluster to which the appliance belongs replaces the name and description you provided in Step 4 on page 155, since the appliance can only belong to one cluster. The Cluster members screen is displayed, showing the members of the appliance's cluster.

To add a new membe
ions on how to obtain the license key. This form also contains the license for the appliance.

Power cord: A power cord required for the country in which the appliance will operate. Available country cord types are Australia, Euro, UK, and USA.

Printed documentation:
- VelociRaptor 1.5 Appliance Implementation Guide
- Quick Start Card
- Release Notes

Chapter Installation

This chapter describes the following procedures:
- Installing the VelociRaptor appliance models 1100, 1200, and 1300 as a rack-mounted component or as a stand-alone device
- Connecting the VelociRaptor appliance to your network
- Performing the initial setup of your VelociRaptor appliance

Note: Installation procedures differ for VelociRaptor appliance model 1100 and the 1200 and 1300 models due to the different layouts of their front and back panels.

Cautions and warnings

Because this is an electrically powered device, adhere to the listed warnings and cautions when installing or working with the VelociRaptor appliance.

Warning: Read the installation instructions before connecting the system to its power source. Refer to Important safeguards on page 165 for information regarding the setup and placement of the VelociRaptor appliance.

Stand-alone hardware installation

The VelociRaptor appliance model 1100 ships with five rubber feet for use when the appliance is set up as a freest
irection to redirect SMTP traffic arriving at the appliance's outside interface to the mail server. In specifying an internal mail server, you are indicating where SMTP mail addressed to the VelociRaptor appliance's external interface is directed.

When QuickStart configures access to Web and FTP services, it also configures a rule from the inside interface to the Universe, allowing all internal systems to access HTTP and FTP services destined for anywhere.

For setting up firewall configurations beyond those detailed in the QuickStart wizard, refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide, provided on the VelociRaptor CD-ROM as a PDF file.

SMTP Wizard

The SMTP Wizard provides a quick way to configure rules to provide anti-spamming and anti-relay protection and prevent your internal mail server from being used as a spam relay. Because Symantec Raptor Management Console automatically creates the necessary rules for SMTP service when you use the wizard to configure your mail server, you can set up anti-spamming parameters on one particular rule created by the wizard. The rule that allows all systems to send mail to the internal mail server should contain your anti-spam restrictions.

To run the SMTP Wizard
1. In the left pane, click on the icon of the appliance on which you want to perform the configuration. The Configuring your Symantec System taskpad appears in the right pane. If the taskpad
irst time, you can access it again from the Configuring your Symantec System taskpad and edit any system information. See Figure 4-1.

Chapter Firewall

The Symantec Raptor Management Console provides two automated wizards for setting up the firewall features of the VelociRaptor appliance:
- The QuickStart Wizard provides a quick way to configure mail, FTP, and Web services for the Firewall.
- The SMTP Wizard provides a quick way to configure rules to provide anti-spamming and anti-relay protection and prevent your internal mail server from being used as a spam relay.

For setting up firewall configurations beyond those detailed in this chapter, refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide, provided on the VelociRaptor CD-ROM as a PDF file.

QuickStart wizard

Use the QuickStart wizard to quickly set up your mail, FTP, and Web services on the firewall of the VelociRaptor appliance. After you connect to the VelociRaptor appliance, the configuration taskpad appears in the right pane. Click on the QuickStart icon (see Figure 4-1) to access the QuickStart wizard. You can re-run the wizard to make changes at any time by selecting the VelociRaptor appliance system icon in the left pane. If you have taskpads turned on, the configuration taskpad containing the QuickStart wizard icon will appear in the right pane.

The QuickStart wizard gives you two firewall configuration options:
- Configure
irtual IP addresses (VIPs) for the members of the cluster.

Figure 9-6 Define primary subnet and virtual IP address screen (primary subnet 192.168.30.0; cluster member information listed by subnet and virtual IP address)

Use the VIP addresses as reference points to previous definitions that would otherwise use a physical address. Doing this removes any single point of failure. In our example, three appliances are virtually known by one VIP address and seem to be one appliance. They still have different physical addresses, but everybody addresses each appliance by its virtual IP address. Multiple machines in the cluster can have the same virtual IP address, so if one fails another can take its place and no additional routing needs to take place.

The one Symantec Raptor Management Console exception to addressing the VelociRaptor appliances by their VIP address is connecting to appliances and managing them. You cannot use the VIP address in the Symantec Raptor Management Console because you cannot be guaranteed of connecting to the specific appliance you desire. Any appliance on your network could be the active one at any given time. Therefore, all Symantec Raptor Management Console connections must be directed to the real IP address of the security gateway you wish to manage.

HA/LB terms
k connection (6).
2. Plug the RJ-45 connector from the LAN into the inside network connection (7).
3. Plug the RJ-45 connector from any other service network, if present, into the Aux 1 network connection (3).
4. Plug the RJ-45 connector from any other service network, if present, into the Aux 2 network connection (2).

Connect power cord to model 1100

To connect power to the appliance model 1100
1. Plug the power cord into the appropriate connector on the rear panel (9).
2. Connect the power supply cord from the appliance to an electrical outlet or UPS supply unit. For UPS configuration details, see Connect an uninterruptible power supply on page 23.

Power on the model 1100

Turn on the power by pressing the On/Off switch on the back of the VelociRaptor appliance. You will know it has powered up properly if:
- The hard disk spins up, the fans turn on, and the LCD screen lights up.
- A number of status messages are displayed on the LCD screen as the appliance completes its boot process.

Back panel of models 1200 and 1300

This section describes the features of the back panel of the VelociRaptor appliance models 1200 and 1300.

Figure 2-6 Models 1200 and 1300 back panel

Table 2-2 Models 1200 and 1300 back panel features
1. The Power socket receives the AC cord that is provided.
3. The Universal Serial Bus (USB) port is not currently supp
l IP Address for the cluster member without doing anything else in this dialog box. This creates a normal VIP that is free to participate in load balancing. It does not have any sort of stickiness associated with it.
- Type a Virtual IP Address for the cluster member and check the This VIP is sticky check box. This creates a sticky VIP that will stay on its current node as long as that node is healthy. If the node goes down, the VIP is transferred to another node in the cluster. When the original node comes back up, the VIP stays with the node that it transferred to.
- Type a Virtual IP Address for the cluster member, check the This VIP is sticky check box, and choose an IP address (preferred machine) for the VIP association. This creates a sticky VIP that has a preference for the IP address you select. It will stay with the node it is assigned to as long as that node is healthy. If the node goes down, the VIP is transferred to another node in the cluster. When the original node is back up, the VIP returns to it.

Note: With symmetric routing turned on, sticky VIPs do not affect the node that actually owns the connections, simply where the traffic is first seen. You can implement your own symmetric routing by having sticky VIPs bound to particular machines and then distributing them in a load-balanced way. Then turn asymmetric routing on, and the incident node is the owne
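The three VIP kinds above behave differently when a member fails and later recovers. The following simulation is an added example, not Symantec code: it models a normal VIP, a sticky VIP, and a sticky VIP with a preferred node over a down/up cycle of two members. The member addresses are the SGS A/B/C addresses from the three-appliance example; the VIP addresses and the least-loaded placement rule for normal VIPs are constructed assumptions.

```python
"""Simulation of the three VIP kinds described for the cluster wizard.

Added example, not Symantec code. It models how a normal VIP, a sticky
VIP, and a sticky VIP with a preferred node move between cluster members
as nodes fail and recover, following the behaviour the text describes.
The placement policy for normal VIPs (least-loaded healthy node) and the
VIP addresses are constructed assumptions; the member addresses are the
SGS A/B/C addresses from the three-appliance example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vip:
    address: str
    sticky: bool = False
    preferred: Optional[str] = None  # real IP of the preferred node, if any
    owner: Optional[str] = None      # node currently holding the VIP


class Cluster:
    def __init__(self, nodes: List[str]) -> None:
        # Members are identified by their real IP address; all start healthy.
        self.healthy: Dict[str, bool] = {n: True for n in nodes}
        self.vips: Dict[str, Vip] = {}

    def add_vip(self, vip: Vip) -> None:
        if vip.preferred and not vip.sticky:
            raise ValueError("a preferred node only applies to a sticky VIP")
        if vip.preferred and vip.preferred not in self.healthy:
            raise ValueError("preferred node is not a cluster member")
        self.vips[vip.address] = vip
        vip.owner = self._home(vip)

    def _load(self, node: str) -> int:
        return sum(1 for v in self.vips.values() if v.owner == node)

    def _least_loaded(self, exclude: Optional[str] = None) -> Optional[str]:
        # Assumed balancing rule: fewest VIPs wins, ties broken by address.
        candidates = [n for n, ok in self.healthy.items() if ok and n != exclude]
        if not candidates:
            return None
        return min(candidates, key=lambda n: (self._load(n), n))

    def _home(self, vip: Vip) -> Optional[str]:
        if vip.preferred and self.healthy[vip.preferred]:
            return vip.preferred
        return self._least_loaded()

    def node_down(self, node: str) -> None:
        """Every VIP on the failed node transfers to another healthy node."""
        self.healthy[node] = False
        for vip in self.vips.values():
            if vip.owner == node:
                vip.owner = self._least_loaded(exclude=node)

    def node_up(self, node: str) -> None:
        """Apply the three return rules when a node comes back."""
        self.healthy[node] = True
        for vip in self.vips.values():
            if vip.preferred == node:
                vip.owner = node             # sticky with preference: returns
            elif not vip.sticky:
                vip.owner = self._home(vip)  # normal: rebalanced (assumed)
            # plain sticky VIP: stays with the node it transferred to

    def snapshot(self) -> Dict[str, Optional[str]]:
        return {a: v.owner for a, v in self.vips.items()}


def run_scenario() -> List[Dict[str, Optional[str]]]:
    """Constructed walk-through: three members, one VIP of each kind."""
    a, b, c = "169.10.10.2", "169.10.10.3", "169.10.10.4"
    cluster = Cluster([a, b, c])
    cluster.add_vip(Vip("169.10.10.10"))                            # normal
    cluster.add_vip(Vip("169.10.10.11", sticky=True))               # sticky
    cluster.add_vip(Vip("169.10.10.12", sticky=True, preferred=a))  # prefers a
    history = [cluster.snapshot()]
    for event, node in (("down", a), ("up", a), ("down", b), ("up", b)):
        if event == "down":
            cluster.node_down(node)
        else:
            cluster.node_up(node)
        history.append(cluster.snapshot())
    return history


if __name__ == "__main__":
    for step, owners in enumerate(run_scenario()):
        print(step, owners)
```

The run shows the difference that matters operationally: after member B fails and returns, the plain sticky VIP stays on the node it moved to, while the VIP with a preferred node goes back to its preferred member.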
lected, any rules that allow mail to be sent to all systems will be deleted.

Figure 4-5 Allow Internal Hosts Out

7. To allow all internal hosts to send mail directly to all external systems, check the Allow Internal Hosts Out check box. This allows internal systems to bypass the internal mail server.
8. Click Next. The QuickStart wizard prepares the configurations you have specified.
9. Click Next when the progress bar shows that the preparations are complete.
10. The final QuickStart wizard screen displays, allowing you to choose when you want to save and reconfigure the VelociRaptor appliance.
11. Make your selection and click Finish. If you choose not to reconfigure now, make sure that you do so at a later point.

QuickStart firewall configuration results

When you have finished configuring your mail server and/or Web and FTP services, the QuickStart wizard automatically creates the necessary rules and redirected services to provide mail and/or Web service to your network.

When QuickStart sets up your mail server, depending upon your wizard selections, it configures the following:
- A rule to allow all systems to send mail to the internal mail server
- A rule to allow the internal mail server to send mail to all systems
- A rule to allow hosts on the inside network to send mail to all systems, only if the Allow Internal Hosts Out check box is selected
- A service red
lows you to view logfiles that contain information about the VelociRaptor appliance's operation. To access this window, click on Logfiles in the Symantec Raptor Management Console root directory. Table 7-1 lists a few messages you may encounter after setup. For a full list of messages, see the log file messages appendix of the Symantec Enterprise Firewall and Symantec Enterprise VPN Reference Guide. A number of common problems are discussed in depth in the Knowledge Base, accessible from the Symantec Customer Service/Support website at http://www.symantec.com/techsupp.

Table 7-1 Setup
120 (Info) informational_message: This message logs information such as license status and DNS problems.
121 (Info) statistics, with the elements duration (seconds), user (user), auth (auth type), sent (amount), rcvd (amount), srcif (source interface), src (source/port), dst (dest/port), op (option), arg (file), result (result), proto (protocol), notes (access from incoming to outgoing), rule, time (period): This message logs statistics about a connection. Elements are optional but occur in this order. 121 can be used by custom applications for accounting.
501 Suspicious Activity Monitoring has been triggered: While heavy access can indicate an attack, soon after you install it is more likely that your thresholds are too low on heavily used services (http in particular).
516 CPU Temperature is low/high: This message indicates that the VelociRaptor ap
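Because the elements of message 121 are optional but fixed in order, a custom accounting application has to read whichever are present and should notice when the order is not what it expects. The parser below is an added example, not Symantec code: the sample log lines are constructed to follow the element list in Table 7-1, and the timestamp/host/process prefix and the key=value spelling are assumptions rather than a documented format.

```python
"""Parser and accounting for the 121 'statistics' record in Table 7-1.

Added example, not Symantec code. Message 121 carries optional elements in
a fixed order; this parser reads whichever are present, flags elements
that appear out of that order, and totals bytes per user, the accounting
use the table mentions. The sample log lines are constructed to follow
the element list; the timestamp/host/process prefix and the key=value
spelling are assumptions, not a documented format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Elements in the order Table 7-1 lists them.
FIELD_ORDER = ["duration", "user", "auth", "sent", "rcvd", "srcif", "src",
               "dst", "op", "arg", "result", "proto", "notes", "rule", "time"]

# The message number follows the process prefix; anchoring on the colon
# avoids matching a process id or port that happens to contain 121.
_RECORD = re.compile(r":\s*121\s+statistics:?\s+(?P<body>.*)$", re.IGNORECASE)
_ELEMENT = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_121(line: str) -> Optional[Dict[str, str]]:
    """Return the elements of a 121 record, or None if the line is not one.

    Elements found out of the documented order are listed under the
    '_misordered' key so a monitoring job can notice format drift.
    """
    m = _RECORD.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    misordered: List[str] = []
    last = -1
    for key, value in _ELEMENT.findall(m.group("body")):
        if key in FIELD_ORDER:
            index = FIELD_ORDER.index(key)
            if index < last:
                misordered.append(key)
            last = max(last, index)
        fields[key] = value.strip('"')
    if misordered:
        fields["_misordered"] = ",".join(misordered)
    return fields


def account_bytes(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Sum sent/received bytes and connection counts per authenticated user."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"sent": 0, "rcvd": 0, "connections": 0})
    for line in lines:
        record = parse_121(line)
        if record is None:
            continue
        user = record.get("user", "<unauthenticated>")
        totals[user]["sent"] += int(record.get("sent", "0"))
        totals[user]["rcvd"] += int(record.get("rcvd", "0"))
        totals[user]["connections"] += 1
    return dict(totals)


# Constructed sample: three 121 records and one unrelated message.
SAMPLE_LOG = [
    "Mar 03 10:15:01 vrfw httpd[412]: 121 Statistics: duration=12 user=jsmith "
    "auth=password sent=1842 rcvd=60311 srcif=eth0 src=192.168.1.2/1054 "
    "dst=169.254.0.254/80 op=GET arg=/index.html result=200 proto=http rule=4",
    "Mar 03 10:15:03 vrfw ftpd[415]: 121 Statistics: duration=40 sent=512 "
    "rcvd=1048576 srcif=eth0 src=192.168.1.3/1101 dst=169.254.1.3/21 "
    "op=RETR arg=patch.zip result=226 proto=ftp rule=5",
    "Mar 03 10:15:07 vrfw smtpd[420]: 121 Statistics: duration=3 user=jsmith "
    "auth=password sent=20480 rcvd=300 srcif=eth0 src=192.168.1.2/1060 "
    "dst=169.254.0.254/25 proto=smtp rule=6",
    "Mar 03 10:15:09 vrfw kernel: 120 Info: license check completed",
]

if __name__ == "__main__":
    for user, stats in account_bytes(SAMPLE_LOG).items():
        print(user, stats)
```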
mail services. The VelociRaptor appliance's secure Simple Mail Transfer Protocol (SMTP) proxy, SMTPD, enables you to pass SMTP mail by application proxy. SMTPD supports transparent addressing, allowing authorized internal systems to contact external systems directly. It also checks all traffic entering and leaving your domain for known sendmail attacks, and it uses heuristics to detect and record new types of attacks. The QuickStart wizard can prepare all these configurations for you.

Note: You can use the SMTP Wizard to set up your mail server with anti-spamming parameters without configuring Web access as well. See SMTP Wizard on page 63.

- Configure the appliance to allow inside users to access Web and File Transfer Protocol (FTP) services. At this point, your inside machines are cut off from the Internet. Allowing HTTP and FTP access involves creating two simple rules, called interface-based rules. They allow Web and FTP for your inside users. The QuickStart wizard creates these rules for you.

To use the QuickStart wizard for VelociRaptor appliance firewall setup
1. In the left pane, select the icon of the VelociRaptor appliance for which you are configuring mail and/or Web access to display, in the right panel, the Configuring your Symantec System taskpad (see Figure 4-1). If the taskpad is not displayed, pull down the View menu and choose Taskpad. You can re-enter the wizard to make
Figure 7-12 Enabling keypad locking (System tab showing Domain Name, Default Gateway Address 169.254.0.254, UPS Support Stop/Start, and Front Panel Keypad Locking Disable/Enable)

5. Click OK.
6. Save and Reconfigure.

Use a locked keypad

To use a locked keypad
1. When you press an arrow key on the appliance front panel with the keypad locked, the root password prompt displays. Type the root password that was provided during setup (see Step 9 on page 37). To enter your password, use the Up and Down arrow buttons on the appliance front panel to scroll through the alphabet characters. When your password character appears in the brackets, press the right arrow (>) button to make your selection, and go on to select your next character using the same process. Passwords are limited to 8 lowercase alpha (a-z) characters only.

Note: If you type an incorrect character, you can either press the Cancel button or you can go back using the left arrow (<) button. Your selections will be erased to the point at which you want to make your correction.

Once you have correctly typed your password, press the E button. You now have access to the locked keypad. Once Locking is enabled, the appliance automatically locks after five (5) minutes of keypad inactivity.

Chapter Antivirus Scanning

The possibility of a virus attack is a serious negative asp
ment Console, expand the Base Components folder.
2. Select the Remote Management Passwords icon.
3. Right-click on the Remote Management Passwords icon and choose New > Remote Management Password. The Remote Management Password Properties page opens (see Figure 7-1).

Figure 7-1 Remote management passwords (fields: Remote Management Type, Remote Management System, Remote Management Password, Verify Password)

4. In the Remote Management Type section, select Remote Management if it is not already selected.
5. In the Remote Management System field, type the IP address of the Windows NT system running the managing Symantec Raptor Management Console.
6. Type your new password into the Remote Management Password field.
7. Type the new password again into the Verify Password field.
8. Click OK.

Root and secure remote login passwords

You can change the VelociRaptor's root password and your Secure Remote Login (SRL) password from the System Properties page.

To change the R
nce.
3. Right-click the icon and choose Properties. The appliance's properties page opens.
4. Select the System tab (see Figure 7-3). Here you can change the VelociRaptor appliance system name, the domain name, and the default gateway address. You can also select UPS (Uninterruptible Power Supply) support and enable or disable front keypad locking. See Front panel keypad locking on page 121 for more information.

Figure 7-3 System settings (System tab with the fields System Name, Domain Name, Default Gateway Address, UPS Support, and Front Panel Keypad Locking)

5. Make any necessary changes.
6. Click OK. You must save and reconfigure the VelociRaptor appliance for your changes to take effect.
7. In the left pane, click Symantec Raptor Management Console.
8. Select All Tasks > Save and Reconfigure.

Change the date and time

You can change the VelociRaptor appliance's date and time through the Symantec Raptor Management Console.

To change the date and time
1. Connect to the VelociRaptor appliance (see Connect to VelociRaptor 1.5 appliance on page 48).
2. In the left pane, select the appli
nce. See Symantec Gateway Security appliance setup on page 131 for more information.
7. To block messages if the Symantec Gateway Security appliance is not available for scanning, check the Block traffic if server is unavailable check box. If you select Block traffic if server is unavailable and the proxy is unable to contact the Symantec Gateway Security appliance for scanning, the files are blocked. The proxy does not forward the unscanned file to the intended destination, and an error message is logged indicating that the VelociRaptor could not connect to the Symantec Gateway Security appliance.
8. Use the Scan Options list to select how scanned files are handled:
- Scan and Log: When a virus is detected during scanning, a log entry is generated, no repair is attempted, and the file or message is forwarded to the intended destination.
- Scan and Delete: When a virus is detected, the infected file is deleted, no repair is attempted, and a log entry is generated.
- Scan and Repair or Delete: When a virus is detected, the Symantec Gateway Security appliance attempts to repair the infected file. Infected files that cannot be repaired are deleted, and a log entry is generated for each deleted file.
10. Use the Which file extensions to scan drop-down list to select the file types that will be sent for scanning. The Symantec Gateway Security appliance uses thes
nd address-to-host mappings for public systems. These are computers at your site that are intended for use by both inside and outside users. The /etc/hosts.pub file uses the same format as hosts. Each line must include an address and a fully qualified name. The following examples show entries that might appear in the hosts.pub file for the sample network in Figure 6-1. Again, a fully qualified host name is required on each line.

169.254.1.2 news.xyz.com
169.254.1.3 web.xyz.com
169.254.0.1 VelociRaptor.xyz.com

Unlike information in hosts, information on systems in the hosts.pub file is available to both public and private networks.

Note: As in hosts, aliases are acceptable as long as every line has a fully qualified host name.

Verify connectivity

On a system on the inside network, use the MS-DOS command ping to check whether your network is set up properly. Verify that you can connect to computers on the Internet and on each of your subnets. The ping command uses Internet Control Message Protocol (ICMP) echo packets to see if you can connect to a computer. You can ping using either name or address. Use ping in a command prompt window on your machine running Symantec Raptor Management Console. The syntax for ping is:

ping IP address
or
ping computer name

If you ping by name, the ping utility first attempts to find the address. If it cannot find the address because of DNS or WINS p
nd online, although with diminished throughput capacity because one appliance is bearing the full network load.

Figure 9-3 Three-appliance cluster network diagram (Internet; External Network router 169.10.10.1; SGS A 169.10.10.2, SGS B 169.10.10.3, SGS C 169.10.10.4; Dedicated Heartbeat Network 192.168.30.0/24; Service Network 172.168.6.0/24 with servers; Internal Network 192.168.1.0/24; router 192.168.1.4 to the 192.168.10.0/24 network, 192.168.10.1)

Figure 9-3 is a three-appliance HA/LB network diagram that shows a typical VelociRaptor cluster implementation. Our clustered network consists of the following components:
- External network: The external network is the 169.10.10.0/24 network. This network connects to the Internet through our router, 169.10.10.1.
- Dedicated network: The dedicated network is the 192.168.30.0/24. It is used as the heartbeat or control network. Each appliance in the cluster uses the heartbeat network to exchange state information about the cluster.
- Service network: Our service network is the 172.168.6.0/24 network. A service network could have Web, SMTP, and FTP servers. This network could contain many machines and subnets.
- Internal network: Our internal network is the 192.168.1.0
nes the privacy and integrity algorithms used for encrypting and decrypting packets passing through your secure tunnel. There are several pre-configured policies for you to choose from, depending on the level of security you require.
1. Select a pre-configured VPN policy for your new tunnel.
Once your VPN policy selection is made, if checkmarks appear beside the Local End and Remote End links, you can click the Finish Setup link to complete and save the secure tunnel. If you have made any configuration errors, the wizard will notify you when you attempt to Save the tunnel in the Finish Setup page. You can go back to any link and make the necessary corrections.

Figure 5-15 VPN Policy screen, S2S Tunnel Wizard

The VelociRaptor 1.5 appliance ships with several pre-configured VPN policies. From step 1 in this VPN Policy screen (see Figure 5-15), click the VPN policy link. The VPN policy pull-down menu appears (see Figure 5-16).

S2S Tunnel Wizard, VPN Policy screen (links: Introduction, Local End, Remote End, VPN Policy, Finish Setup, Cancel Setup; the screen text repeats the VPN policy explanation above and continues:)
1. Select a p
118. nfigure the antivirus settings for FTP, HTTP or SMTP:
1. In the left pane, expand the Access Controls node.
2. Click Proxy Services.
3. In the right pane, double-click FTPD, SMTPD or HTTPD to display the corresponding Proxy Properties page.
4. Click the Antivirus Scanning tab. Use this tab to control the behavior of virus scanning.
[Figure 8-1 (screenshot residue): Services FTPD Properties dialog for VRONEFIVE; tabs Status, Timeout, Port Restrictions, Antivirus Scanning. Text: "This setting controls the behavior of virus scanning". Fields: Antivirus scan server IP address; Antivirus scan server port number (1344 shown); Block traffic if server is unavailable; Scan Options: Scan and Delete; Which file extensions to scan: Only those in include list; Include list (386 ace acm acv acx adt amg app arj asd asp asx avb ax ...); Restore default list; Exclude list.]
Figure 8-1 Services Properties, Antivirus Scanning tab
5. In the Antivirus scan server IP address field, type the physical IP address of the Symantec Gateway Security appliance that will be used to scan for viruses.
6. In the Antivirus scan server port number field, type the port on which the Symantec Gateway Security appliance listens. This port number must match the port number of the Symantec Gateway Security appliance; this is specified in the Global_Antivirus_Configuration for the Symantec Gateway Security applia
119. nning by sending HTTP, FTP and SMTP files to a remote antivirus scan server running on a Symantec Gateway Security appliance.
High availability/load balancing
The VelociRaptor appliance provides optional high availability and load balancing technology for clustered appliances. In today's business environment, Internet access is mission-critical. In order to achieve the availability needed while also maximizing your throughput, your security gateways require high availability and load balancing. This new integrated offering ensures easier setup, better performance and higher security than other high availability/load balancing solutions on the market. When two or more VelociRaptor appliances are available, the failure of one appliance causes the other appliance(s) to automatically pick up the workload of the failed appliance. Appliances in a cluster also share the traffic load to maintain high throughput.
Symantec Raptor Management Console
The Symantec Raptor Management Console (SRMC) is the graphical user interface for managing and monitoring all functions on the VelociRaptor appliance.
Appliance models and specifications
There are three VelociRaptor appliance models: 1100, 1200 and 1300.
Model 1100
- 50-node license
- Four 10/100Base-T Ethernet network interfaces
- Serial console interface
- Serial port for uninterruptible power supply (UPS)
- LCD display and keypad fo
120. nt Tunnel Wizard icon. The Introduction screen, shown in Figure 5-3, appears. The wizard screens, as well as the configuration procedures for both the S2S and VPN Client Tunnel Wizards in our examples, are identical with one exception: configuring the Remote End. Because the Local End in this second example is the same as in the first example, only the differing Remote End (VPN Client) configuration procedure is detailed in the following pages. For more information, see Configure S2S tunnels using the wizard on page 72.
To configure the Remote End of the VPN Client Tunnel:
1. Click on the Remote End link on the left side of the screen. The Remote End configuration page appears (see Figure 5-20).
The Remote End screen of the VPN Client Tunnel Wizard gives you three ways to specify the single entity that will serve as both the remote security gateway and the tunnel endpoint:
- By selecting an existing IKE-enabled user
- By creating a new IKE-enabled user
- By selecting an existing user group(s)
[Figure 5-20 (screenshot residue): VPN Client Tunnel Wizard, Remote End screen. Links: Introduction, Local End, Remote End, VPN Policy, Finish Setup. Wizard text: "To configure the remote mobile end for your secure tunnel you select an IKE-enabled user or user group to act as both the remote security gateway and the tunnel endpoint. 1 Select an existing IKE-enabled user (using an already configured user) Or Create a new"]
121. ntec Raptor Management Console.
[Figure 3-5 (screenshot residue): Symantec Raptor Management Console Setup, Choose Destination Location window: "Select folder where Setup will install files"; InstallShield.]
Figure 3-5 Symantec Raptor Management Console Choose Destination Location window
7. Click Next to accept the default, or specify an alternate directory path. The Start Copying Files window is displayed (see Figure 3-6).
[Figure 3-6 (screenshot residue): Symantec Raptor Management Console Setup, Start Copying Files window: "Review settings before copying files. Setup has enough information to start copying the program files. If you want to review or change any settings, click Back. If you are satisfied with the settings, click Next to begin copying files." Current Settings: Target Directory Folder C:\Program Files\Symantec Raptor Management Console; Additional Components: None; InstallShield.]
Figure 3-6 Symantec Raptor Management Console Start Copying Files window
8. Click Next to install Symantec Raptor Management Console and display the Setup Status window (see Figure 3-7), which shows the progress of the installation.
[Figure 3-7 (screenshot residue): Symantec Raptor Management Console Setup, Setup Status window; InstallShield.]
Figure 3-7 Symantec Raptor Management Console Setup Status window
When all the files are installed, the Symantec Raptor Management Console InstallShield Wiza
122. ntenance, or any other misuse, abuse or mishandling; (iv) governmental actions or inactions; (v) strikes or work stoppages; (vi) Your failure to follow applicable use or operations instructions or manuals; or (vii) such other events outside Symantec's reasonable control.
[Licenses, page 175: SYMANTEC APPLIANCE LICENSE AND WARRANTY AGREEMENT]
Upon discovery of any failure of the Hardware or component thereof to conform to the applicable warranty during the applicable warranty period, You are required to contact us within ten (10) days after such failure and seek a return material authorization (RMA) number. Symantec will promptly issue the requested RMA as long as we determine that you meet the conditions for warranty service. The allegedly defective Appliance or component thereof shall be returned to Symantec securely and properly packaged, freight and insurance prepaid, with the RMA number prominently displayed on the exterior of the shipment packaging and with the Appliance. Symantec will have no obligation to accept any Appliance which is returned without an RMA number. Upon completion of repair, or if Symantec decides in accordance with the warranty to replace a defective Appliance, Symantec will return such repaired or replacement Appliance to You, freight and insurance prepaid. In the event that Symantec, in its sole discretion, determines that it is unable to replace or repair the Hardware, Symantec will refund to You the F.O.B. price paid by
123. number that are used to connect to it.
Note: The Obtain read/write access check box is grayed out and cannot be edited. It indicates that when the Cluster Wizard attempts to connect you to the specified appliance, you must be able to obtain read/write access to add the appliance to the cluster.
10. Click OK and the Cluster Wizard will attempt to connect to the appliance.
- If this is the first time this appliance is being added to a cluster, the Cluster members screen is redisplayed, showing the IP address of the appliance and verifying that you are connected.
- If the appliance is already a member of a cluster, a message asks if you want to read the existing cluster information for the appliance. If you click Yes, the name and description of the cluster to which the appliance belongs replace the name and description you provided in step 4, since the appliance can only belong to one cluster. The Cluster members screen is displayed, showing the members of the appliance's cluster.
11. To add a new member to the cluster, click Add to display the Connect to cluster member dialog box. You can also delete an existing member from the cluster by selecting the IP address and clicking Delete.
12. Type the IP address, password and management port number of another appliance and click OK. The new member's IP address is added to the Cluster members screen.
124. o accept it. This password is used to connect directly to the Linux OS through the serial port. You should record this password, but Symantec recommends that you do not use it to connect directly to the system. Provide this root password to customer support if your machine requires maintenance.
Note: You cannot change your passwords on the VelociRaptor appliance itself.
The System ID displays (for example, "System ID is 428a0d60"). You provide this System ID to Symantec to obtain your license key (see Get your license key on page 40 for information on obtaining a license key). Write the System ID on the worksheet provided in this manual and press the E button. You are next asked if you would like to save your setup information:
Save Setup? Yes / No
By default, No is selected. If you press the E button here to enter No, VelociRaptor restarts the setup procedure and you must re-enter your network information. To save your setup data, press the left (<) arrow key to select Yes and press E to save it. When you press E, the following messages should display: "Saving Config", then "Config Saved".
12. Press and hold down the E button to reboot.
The VelociRaptor appliance is now ready to be configured using the Symantec Raptor Management Console. For more information, see Chapter 4, Firewall.
Display system information
Once the initial network configuration is complete and the applian
125. o continue.
Chapter Routes and DNS
Routing is the process of choosing a path over which to send packets of information. For the security gateway to function properly, specific routes must be defined in the routing tables. Network routes must be configured properly to allow information to move from machine to machine. This chapter explains how to configure routes and set up the name service using the dynamic name server (DNS) proxy. Make sure you have a solid working knowledge of DNS before proceeding, as well as a list of the names and IP addresses of all computers at your site, both in front of and behind the VelociRaptor appliance. The configuration done in this chapter includes only the most basic name service features. Refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for more advanced features.
Setting up routes
Your TCP/IP protocol must be configured properly for the VelociRaptor appliance to work. This includes setting static routes or default gateways on your VelociRaptor appliance and your other computers. Routes are necessary if you have a routed network behind the VelociRaptor appliance. The VelociRaptor appliance must be able to find the appropriate router through which to send packets.
- A routed network has more than one subnet behind the VelociRaptor appliance inside network interface. Other networks are behind routers or gateways.
- A flat network has only one subnet behind t
126. o obtain licenses as required to export, re-export or import the Appliance. Export or re-export of the Appliance to Cuba, North Korea, Iran, Iraq, Libya, Syria or Sudan is prohibited. If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Appliance and (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement may only be modified by a License Module or by a written document which has been signed by both You and Symantec. This Agreement shall terminate upon Your breach of any term contained herein, and You shall cease use of and destroy all copies of the Software and shall return the Appliance to Symantec. The disclaimers of warranties and damages and limitations on liability shall survive termination. Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write: (i) Symantec Customer Service, 175 W. Broadway, Eugene, O
127. on. By default, the Automatically connect to all disconnected cluster members check box is checked. The modifications you make will only be copied to members that are connected. Uncheck this check box if you do not want to connect to all cluster members.
Note: Symantec recommends that you connect to all cluster members when modifying a cluster, so that the modifications you make are distributed to all members.
4. Click Next.
- If the option to automatically connect was checked, the wizard connects to all cluster members and then displays the Cluster members screen.
- If the option to automatically connect was not checked on the previous screen, the Connect to cluster members screen is displayed.
  - If you want to connect the cluster member whose IP address is shown, type the password and, if necessary, change the management port, then click Next to connect. Repeat for all cluster members to which you want to connect.
  - If you do not want to connect to a member, select the Ignore this member check box and click Next.
Note: Modified cluster information is not copied to members which are ignored.
After you have been given the chance to connect to all cluster members, the wizard displays the Cluster members screen.
5. On the Cluster members screen you can:
- Click Add to add a new cluster member.
- Click Delete to delete a member of the cluster.
128. onfiguration, a message notifies you that the configuration is invalid. You can then click on any of the left-side links to make the necessary corrections. When you have completed and exited the tunnel wizard, you can view your configuration in Symantec Raptor Management Console by expanding the Virtual Private Networks folder, clicking on Secure Tunnels, and then double-clicking the entry for the tunnel you created (see Figure 5-18). You can also open the property pages for the entities and the tunnel you have just created. From those property pages you can check your configuration and make any edits if necessary. Refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for more detailed tunnel configuration information.
[Figure 5-18 (screenshot residue): Symantec Raptor Management Console (rmc70) showing Console Root > Symantec Enterprise Management > Symantec Raptor Management Console > VRONEFIVE (Connected), with the tree Base Components, Access Controls, Virtual Private Networks (Secure Tunnels, VPN Policies, IKE Policy, Remote Policies), Monitoring Controls; the right pane has the columns Name, Description, Local Entity, Local, Remote, Remote.]
129. ont panel, as shown in Figure 3-1, contains six data entry and navigation keys and a two-line by 16-character liquid crystal display area. The initial configuration of the VelociRaptor appliance takes place at the unit's front panel, where you enter and modify parameters such as system and network IP addresses.
Figure 3-1 VelociRaptor appliance model 1100 front panel
Table 3-1 Model 1100 front panel descriptions
- The Status Indicators signal Ethernet and hard drive activity:
  - Tx/Rx (Transmit/Receive) blinks when there is network traffic on the inside interface.
  - Link indicates an active network connection on the inside interface.
  - Col blinks when a collision is detected on the inside interface.
  - 100 M indicates that 100Base-T Ethernet is being used on the inside interface.
  - Disk indicates hard disk activity on the hard disk drive.
- The Temp indicator blinks to indicate temperature status, blinking slowly for temperature warnings and quickly for temperature failures. If the VelociRaptor appliance is in danger of overheating, a log message is sent to Symantec Raptor Management Console.
- The Liquid Crystal (LCD) screen displays the VelociRaptor version number and system health monitoring information. The LCD screen is the same on all models. Although relatively small in size, it allows you to monitor appliance status, modify configuration parameters and
130. oot and SRL passwords:
1. Connect to the VelociRaptor appliance (see Connect to VelociRaptor 1.5 appliance on page 48).
2. Select the icon of the connected appliance in the left pane. Right-click the icon and choose Properties. The appliance's Properties page opens (see Figure 7-2).
[Figure 7-2 (screenshot residue): VRONEFIVE (Connected) Properties dialog; tabs General, Status, Paths, Passwords, Date/Time, System, License. Change Passwords: Change Root Password (Password, Verify); Change Secure Remote Login Password (Password, Verify); OK, Cancel, Help.]
Figure 7-2 System Properties page, Password tab
3. Select the Passwords tab. You can change your Root password and/or your SRL password here.
4. In the Root password or Secure Remote Login password section of the screen, type a new password in the Password field.
5. In the Verify Password field, type the new password again.
6. Click OK.
See Use secure remote login on page 119 for instructions on Secure Remote Login. See the Symantec Enterprise Firewall and Symantec Enterprise VPN Reference Guide for further information.
Change system settings
You can change the VelociRaptor appliance's system settings from Symantec Raptor Management Console.
To change the system settings:
1. Connect to the VelociRaptor appliance (see Connect to VelociRaptor 1.5 appliance on page 48).
2. In the left pane, select the icon of the connected applia
131. orted.
4. Auxiliary 1 and Auxiliary 2 network connectors enable Ethernet network connections and accept the 10/100Base-T network cables.
5. The Serial connector allows you to connect a UPS to the serial port for smart UPS support. See Connect an uninterruptible power supply on page 23.
Table 2-2 Models 1200 and 1300 back panel features
6. The Serial console port (115200 bits per second) allows you to connect a terminal emulator to act as a system console. This lets you log on to the system console and access the appliance Linux OS locally. For serial cable specifications, see Serial 9-Pin Cable Specifications on page 179.
- Outside Network connection (eth1) enables Ethernet network connections and accepts the 10/100Base-T network cables.
- Inside Network connection (eth0) enables Ethernet network connections and accepts the 10/100Base-T network cables.
- The Security lock hole is used to lock the unit to a secure location.
Connect models 1200 and 1300 to the network
The VelociRaptor appliance models 1200 and 1300 back panels provide a total of four Ethernet connections. Your network connection requirements may differ depending on your site's configuration. Refer to Figure 2-6 for the connection instructions below.
1. Plug the RJ-45 connector from the Internet into the outside network connection.
6. Plug the RJ-45 connector from the
132. osoft Corporation. IBM, OS/2 and OS/2 Warp are registered trademarks of International Business Machines Corporation. Novell and NetWare are registered trademarks of Novell Corporation. 3Com and EtherLink are registered trademarks of 3Com Corporation. Compaq is a registered trademark of Compaq Corporation. Zip and Jaz are registered trademarks of Iomega Corporation. SuperDisk is a trademark of Imation Enterprises Corporation. Rainwall is a registered trademark of Rainfinity Corporation. This product includes software developed by the Apache Software Foundation. RealAudio is the registered trademark of RealNetworks, Inc. Adobe Acrobat Reader is the registered trademark of Adobe. Realtime Blackhole List and Dial-up UserList are registered trademarks of Mail Abuse Prevention Systems L.L.C. FireProof is a registered trademark of Radware. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Technical support
As part of Symantec Security Response, our global technical support group maintains support centers throughout the world. Our primary role is to respond to specific questions on product feature/function, installation and configuration, as well as to author content for our Web-accessible Knowledge Base. We work collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion, such as working with Product Engine
133. ost Configuration Protocol on the eth1 (outside) interface, check the Use DHCP check box to enable DHCP.
Note: If you enable DHCP on the eth1 (outside) interface, there must be a DHCP server running on the outside network for DHCP to work. When you enable DHCP, the IP address of eth1 will change to 0.0.0.0.
15. Click Apply to accept your edits.
16. Repeat Step 11 on page 54 through Step 15 on page 55 for each interface you are configuring. Click Next to move to the next page when you are finished.
17. Set the Date and Time (see Figure 3-15).
[Figure 3-15 (screenshot residue): Setup Wizard, System's Date and Time page: "Set Date and Time of the system"; Date and Time 02/07/2002 14:01; Timezone US/Eastern; Back, Next, Cancel.]
Figure 3-15 Setup Wizard System's Date and Time page
If the date and time settings are incorrect, click the Set Date and Time check box and edit these settings.
18. Click Next to complete the setup wizard.
19. Click Finish.
After you have successfully completed the VelociRaptor appliance Setup Wizard, you are prompted to reboot the appliance. When the reboot is complete, the VelociRaptor appliance is up and running.
Note: You must access the logon screen again to connect to the VelociRaptor appliance (see Connect to VelociRaptor 1.5 appliance on page 48).
Once you have completed the VelociRaptor appliance Setup Wizard, the f
134. ou would repeat this procedure to create a static route for the 192.168.5.0 subnet.
Configure the DNS proxy
The DNS proxy provides a simple way to handle name service at your site. It does not provide private information to outside users. This chapter uses the xyz.com network shown in Figure 6-1 as a typical example of how to configure the DNS proxy. It includes only basic functionality. The example network has a VelociRaptor appliance that does all the name resolution for this site. There is a protected news server on a service network. The main networks are the private, protected machines. An alternative to using the DNS proxy by itself to provide all name resolution is to use an inside name server for inside name requests; the DNS proxy still deals with outside requests. This is called a dual-level DNS.
Caution: You should understand DNS before attempting to configure the DNS proxy. See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for information on DNS.
Provide private DNS file address statements
The DNS private entries are stored in the Linux DNS entries hosts file, and the public entries are stored in the hosts.pub file. Use the Symantec Raptor Management Console to specify the DNS entries as Public or Private. Private machines are intended for use by inside users only. Their names and IP addresses are kept secret from the outside interface to help
135. pliance temperature is slightly lower or higher than the normal operating temperature.
616 CPU Temperature is too low/high: This message signals that the VelociRaptor appliance temperature has reached a critical level.
Managing passwords
Once the VelociRaptor appliance is connected (see Connect to VelociRaptor 1.5 appliance on page 48), you can use Symantec Raptor Management Console to make changes to the information you entered and the passwords you made note of during the initial setup procedure. For more information about connecting to the VelociRaptor appliance, see Initial network configuration procedure on page 35.
Note: Remember to document and save your passwords. Passwords for the Symantec Raptor Management Console, Root and Secure Remote Login (SRL) may be requested during future configuring of the VelociRaptor appliance. You will need to know these passwords to do a configuration Backup and Restore. During the Restore process, the last Symantec Raptor Management Console password set before the backup is restored. The Root and SRL passwords are not reset to their original state.
Remote management password
You can change the VelociRaptor appliance's remote Symantec Raptor Management Console password from the Remote Management Password property page.
To specify a Symantec Raptor Management Console password:
1. In the left pane of the Symantec Raptor Manage
136. ppliance returns to its default state. This is the state it was in when you first received the appliance. All network information you have entered is lost, as well as any configuration data. Only licensing information is retained.
7. LCD Lock: If you have enabled front panel keypad locking in system properties, selecting this item will disable the front panel controls. To unlock the LCD lock, press any button on the front panel and enter the Root password for the appliance.
Note: The front panel buttons can be locked from the Symantec Raptor Management Console. This disables the use of the buttons until the proper password is entered using the buttons. See Use a locked keypad on page 122.
Get your license key
You can use the VelociRaptor appliance without a license key for a 30-day grace period. At any point during those 30 days, you can contact Symantec for a license key for a purchased system. There are two methods for obtaining your license key.
Online: To get your license key, use the online license key generator from the Symantec licensing and registration site at www.symantec.com/certificate.
Fax: The VelociRaptor appliance comes with the VelociRaptor License Key Request form. This form provides a number where you can fax your license key request in the event that you cannot use the online method. You must provide the VelociRaptor appliance System ID and
137. properly. Also check your default gateway setting on wkst12.
If you cannot ping an address behind a router, ping both addresses of the router. If one is reachable but the other is not, you have a routing configuration problem.
Test the news server with this command: ping news.xyz.com
From an internal machine like wkst1, ping a computer outside your network: ping www.symantec.com
The request should return an IP address for the requested name. The ping itself will time out or report the host unreachable, because ping is blocked by the VelociRaptor appliance. However, when the ping utility requests an IP address, DNS should be able to find it. If ping does not get an IP address for the outside name, you have a problem with outside name service. If you cannot receive an IP address for an outside name, attempt the same ping command from an outside machine (www.xyz.com in our example). If it does not work from there, the problem is more likely in your Internet router or your ISP's name server. Check to see that your default gateway is set properly.
Chapter Management Console
The Symantec Raptor Management Console is the graphical user interface for managing and monitoring all functions on the VelociRaptor appliance. Once you have connected to the VelociRaptor appliance, you can use the Symantec Raptor Management Console to edit information yo
138. r (D) use the Software in any manner not authorized by this license.
2. Content Updates. Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data; etc.); collectively, these are referred to as Content Updates. You may obtain Content Updates for any period for which you have purchased a subscription for Content Updates for the product or otherwise separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates.
3. Limited Warranty. Symantec warrants that the media on which the Restore Software is distributed will be free from defects for a period of thirty (30) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Restore Software. Symantec warrants that the Software will perform on the Appliance in substantial compliance with the written documentation accompanying the Appliance for a period of thirty (30) days from the date of purchase of the Appli
139. r easy set-up
- Six status indicator LEDs
Figure 1-1 VelociRaptor appliance Model 1100
Note: The VelociRaptor appliance ships with either high encryption (3DES, AES) or DES encryption.
Table 1-1 Model 1100 specifications
- Dimensions: 17.00 in x 12.50 in x 1.75 in (43.2 cm x 31.8 cm x 4.5 cm); fits a standard 19-in equipment rack, single rack unit height
- Weight: 9 lbs 3 oz (4.2 kg)
- Network interfaces: Four 10/100Base-T Ethernet connections
- User interface: 2 in x 16 in liquid crystal display on front panel; LEDs: transmit/receive, link, collision, 100 M, disk activity, temperature
- Operating environment: 32 to 108 F (0 to 40 C); 10 to 90% humidity, non-condensing
- Power requirements: Input rating 100-240V, 50/60Hz; maximum power consumption 50 watts
Model 1200
- 250-node license
- Four 10/100Base-T Ethernet network interfaces
- Serial console interface
- Serial port for uninterruptible power supply (UPS)
- LCD display and keypad for easy set-up
- Six status indicator LEDs
Model 1300
- Unlimited node license
- Four 10/100Base-T Ethernet network interfaces
- Serial console interface
- Serial port for uninterruptible power supply (UPS)
- LCD display and keypad for easy set-up
- Six status indicator LEDs
Figure 1-2 VelociRaptor appliance Model 1300
Table 1-2 Mo
140. r node for the traffic.
11. Click OK to process the Add a Virtual IP Address dialog box, then click OK again to close the VIP Addresses dialog box.
12. When all VIP addresses have been modified, click Next to display the final wizard screen. If the cluster you are modifying is a software HA/LB cluster, you will be prompted to reboot so that the modifications you have made can be registered.
13. On the Completing the Wizard screen, click Finish to write the modified cluster configuration to all files in the cluster.
Deleting a cluster
To access the Delete Cluster Wizard, you must be connected to at least one cluster member.
Note: The process of deleting a cluster does not delete any appliances. It simply removes the configuration information that associates them into a cluster.
To delete a cluster:
1. In the left pane, right-click the cluster name.
2. Choose All Tasks > Delete Cluster to display the Delete Cluster Wizard.
3. Click Next to display the Deleting a cluster screen. By default, the Automatically connect to all disconnected cluster members check box is checked. The cluster can only be deleted if all members are connected, so that the cluster information can be deleted from them.
Click Next.
- If the option to automatically connect was checked, the wizard connects to all cluster members and then displays the Completing the Wizard screen.
r supply  2-23

Initial Setup
Front panel layout, model 1100  3-25
Front panel layout, models 1200 and 1300  3-27
Front panel controls  3-29
Network address information  3-31
Network configuration worksheet  3-32
Network configuration worksheet  3-34
Initial network configuration procedure  3-35
Display system information  3-38
Use the system menu  3-39
Get your license key  3-40
Online  3-40
PANE  3-40
Restoring the VelociRaptor 1.5 appliance operating system  3-41
Install Symantec Raptor Management Console  3-43
Connect to VelociRaptor 1.5 appliance  3-48
Setup wizard  3-50

Firewall
QuickStart wizard  4-57
QuickStart firewall configuration results  4-62
SMTP Wizard  4-63

VPN
Configure S2S tunnels using the wizar
r to the cluster, click Add to display the Connect to cluster member dialog box. You can also delete an existing member from the cluster by selecting the IP address and clicking Delete.
11. Type the IP address, password and management port of another appliance and click OK. The new member's IP address is added to the Cluster members screen and your connection is verified.
12. Repeat Step 10 on page 155 and Step 11 on page 156 for each cluster member to be added.
13. When all the cluster members have been added, click Next to display the final screen of the Cluster Wizard.
14. Click Finish to complete the wizard. You are returned to the Symantec Raptor Management Console. The newly created cluster appears as an icon in the left pane. By expanding it you can see the members of the cluster.

If you created a Hardware HA/LB cluster, the cluster is ready to be connected to a Radware FireProof device. Radware's FireProof is an intelligent traffic management device for multiple firewalls and Virtual Private Network (VPN) devices. See www.radware.com for more information.

Verifying a cluster
Verifying a cluster allows you to be sure that the cluster configuration information is identical on all cluster members. For example, if a machine was down when you last made changes, it may not have the latest cluster configuration information. If your cluster members do not have i
rack hardware can differ from site to site, the screws shipped with the unit may not be of the proper thread size for your needs. Before proceeding, obtain screws of the proper size and length for your rack installation.

To mount the appliance in a standard 19 inch equipment rack
1. Connect the mounting brackets to the sides of the appliance, towards the front or the rear of the case. See Figure 2.2.

Figure 2.2 Rack mount bracket installation

2. Secure the mounting brackets to the equipment rack. See Figure 2.3 or Figure 2.4.

Figure 2.3 Rack mount rack installation (front)

Figure 2.4 Rack mount rack installation (back)

Back panel of model 1100
This section describes the features of the back panel of the VelociRaptor appliance model 1100.

Figure 2.5 Model 1100 back panel

Table 2.1 describes the features of the Model 1100 back panel.

Table 2.1 Model 1100 back panel features
1. The Cooling fans maintain a proper operating temperature. Ensure that the ventilation holes in the front and back are not blocked.
2. The Auxiliary 2 network connector enables Ethernet network connect
rd Complete window appears (see Figure 3.8).

Figure 3.8 Symantec Raptor Management Console InstallShield Wizard Complete window

Specify whether to reboot now or later, then click Finish.
10. When you reboot, the Symantec Raptor Management Console icon and menu items are added to the desktop and programs groups. Use the Symantec Raptor Management Console icon or menu items to start Symantec Raptor Management Console.

Connect to VelociRaptor 1.5 appliance
After rebooting, you are ready to configure the VelociRaptor 1.5 appliance.

To connect to the VelociRaptor 1.5 appliance
1. Open Symantec Raptor Management Console by double-clicking the shortcut icon placed on your desktop during installation. The Console Root window opens.
2. Expand the Symantec Enterprise Management folder.
3. Click on the Symantec Raptor Management Console icon in the left pane to access the Getting Connected taskpad (see Figure 3.9).
re configured for your new tunnel.

Figure 5.16 VPN policy pull-down menu (the screenshot lists the pre-configured policies ike_sample_crypto_interop and ike_default_crypto_strong)

3. From the pull-down menu, select an existing policy. In this case we are selecting the pre-configured ike_default_crypto_strong policy. Once your tunnel is configured, you can exit the wizard and access the property page for this VPN policy to view its components.

Caution: The VPN policy must be the same for both ends of the tunnel. Administrators must exchange this information. Refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for details.

To finish the configuration of the S2S tunnel
1. On the left side, click the Finish Setup link. The Finish Setup screen is displayed, with a check mark beside the VPN Policy link to indicate that the VPN Policy configuration is complete.

[Screenshot: S2S Tunnel Wizard, Finish Setup screen, showing the current selections for Local Security Gateway, VPN Policy and Local Network]
rely extend their network perimeters beyond the enterprise firewall by providing VPN server, proxy secured scanning, and personal firewall protection via the Symantec Enterprise VPN client. A completely integrated and standards-based solution, it allows organizations to establish safe, fast and inexpensive connections, enabling new forms of business and secure access to information for authorized partners, customers, telecommuters and remote offices.

The VelociRaptor appliance uses VPN tunnels to send encrypted and encapsulated IP packets over public networks securely to another VPN server. Symantec's IPsec-compliant Symantec Enterprise Virtual Private Network (SEVPN) Client 7.0 is optional and available with the full VPN function cross-grade license.

VPN features include:
- VPN policies. The VelociRaptor appliance ships with pre-configured general VPN policies that you can apply to your secure tunnels. For example, there are IPsec/IKE policies and IPsec Static policies. You can apply these policies to each IKE or IPsec Static secure tunnel you create.
- Support for third-party IKE clients. VelociRaptor supports scalable policy management for any IKE-compliant third-party mobile client through tunnels based on users and user groups. See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for more information.

Antivirus Scanning
The VelociRaptor appliance provides antivirus sca
requests from the eth interface. By default this is the outside interface. Select this only if your VelociRaptor is connected to the eth1 interface.
- You must not select <LOCAL 127.0.0.1>. This address is known as the loopback interface. If you select this option, the Symantec Gateway Security appliance will not accept any scanning requests from the VelociRaptor appliance.

Note: On some Symantec Gateway Security appliances, the eth2 and eth3 interfaces may also be available for use, depending on your configuration.

4. Type the TCP/IP Port Number on which the Symantec Gateway Security appliance listens. This port number must be assigned to only listen for scanning requests from the VelociRaptor appliance. Once it is assigned, it cannot be used for any other purpose. The default port number is 1344. If you use a port number other than the default, select a number greater than 1024 that is not in use by any other program or service.
5. Click OK.

Symantec Gateway Security antivirus configuration
All antivirus scanning is based on the specific antivirus configuration of the Symantec Gateway Security appliance that serves the VelociRaptor. See the Antivirus chapter in the Symantec Gateway Security Installation and Configuration Guide for more information.

Chapter High Av
rint or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the
roblems, ping responds with "bad IP address". If it finds the address, ping proceeds.

If you ping by address, ping sends a request for a response. If the computer is working and if you can reach it, you receive reply messages. If the computer is down, or something is wrong with the network between you and the other computer, ping tells you the computer is unreachable or that the request has timed out.

The following section refers to the routed network example in Figure 6.1 and uses the computer names shown in Table 6.2.

Table 6.2 Routed network example computer names
192.168.1.1   wkst1
192.168.1.2   wkst2
192.168.3.12  wkst12

- From a computer behind the appliance, such as wkst1 in our example, ping a computer on each subnet behind the VelociRaptor appliance as follows:

  ping wkst2.xyz.com
  ping wkst12.xyz.com

  Both of these computers should be reachable. If either of these commands fails, try again using addresses:

  ping 192.168.1.2
  ping 192.168.3.12

  If the ping command succeeds with the address, you have a name resolution problem. If they are still unreachable, you have a networking problem. Make sure that wkst2 and wkst12 are on and connected to the network. Check the default gateway setting on wkst1; it should be set to the inside interface of the VelociRaptor appliance. If wkst2 is reachable but wkst12 is not, your static route from the VelociRaptor appliance has not been established or your router is not configured
rom Setup Wizard.

Figure 5.2 Configuring your Symantec System taskpad

Figure 5.3 Introduction screen, S2S Tunnel Wizard

As the Introduction screen explains (see Figure 5.3), click on the links on the left side of the screen to configure the corresponding component of the tunnel. It is suggested that you follow the links in the order they appear, starting with Local End. In the various wizard screens you are asked to select a combination of security gateways, network entities and users with which to build your tunnel. If you have not configured these tunnel components before beginning the wizard, you can create a new security gateway, network entity or user from within
rs will be ignored.

Figure 9.7 Create Cluster wizard Introduction screen

3. Click Next to display the Create a new cluster screen.

Figure 9.8 Create a new cluster wizard screen

4. Type a name and description for the cluster.
5. Click the Integrated Software HA/LB radio button.
6. Click Next to display the Cluster members screen.

Figure 9.9 Cluster members screen

7. To add the first member to the cluster, click Add to display the Connect to cluster member dialog box.

Figure 9.10 Connect to cluster member dialog box

8. Type the IP address of the appliance that will be the first cluster member, and the password and port
You will need to use all these manuals to fully configure and manage the VelociRaptor appliance.

Checking the hardware
After carefully unpacking the VelociRaptor appliance, compare the actual kit contents with Table 1.3 to ensure that you have received all ordered components. Follow the instructions on the Quick Start Card to install and set up the appliance.

Components list
The VelociRaptor appliance ships with the components listed in Table 1.3.

Table 1.3 Components list
VelociRaptor appliance: A single device, rack mount or stand alone.
Five rubber feet: For resting the appliance on a flat surface. Note: Models 1200 and 1300 do not come with rubber feet.
Rack mount brackets: Hardware for rack mounting the appliance.
Software: CD-ROM containing
- Symantec Raptor Management Console GUI
- Adobe Acrobat Reader
- Remote log tools
- FTP client software
- Microsoft Management Console (MMC) 1.2 software
- Appliance operating system restore program
The following documentation in PDF format:
- VelociRaptor 1.5 Appliance Implementation Guide
- Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide
- Symantec Enterprise Firewall, Symantec Enterprise VPN and VelociRaptor Firewall Appliance Reference Guide
- Quick Start Card
License Key form: A form which provides the license serial number and direct
Figure 3.9 Symantec Raptor Management Console Getting Connected taskpad window

4. Click on the New Connection icon in the Getting Connected taskpad to display the Symantec Raptor Management Console logon screen (see Figure 3.10).

Figure 3.10 Symantec Raptor Management Console logon screen

5. Type the IP address of the VelociRaptor appliance interface in the Name field (the IP address you gave the appliance during initial setup).
6. Type the SRMC Password that the VelociRaptor appliance displayed during the initial setup procedure. See Initial network configuration procedure on page 35.
7. Click OK.

Setup wizard
When you attempt to connect through the Symantec Raptor Management Console for the first time, the VelociRaptor appliance Setup Wizard starts automatically. It prompts you for required VelociRaptor
se  1-6
Firewall  1-6
VPN  1-7
Antivirus Scanning  1-8
High availability/load balancing  1-8
Symantec Raptor Management Console  1-8
Appliance models and specifications  1-9
Model 1100  1-9
Model 1200  1-10
Model 1300  1-10
Documentation  1-11
Checking the hardware  1-12
Components list  1-12

Installation
Cautions and warnings  2-15
Stand-alone hardware installation  2-15
Rack mount instructions  2-17
Back panel of model 1100  2-19
Connect model 1100 to the network  2-20
Connect power cord to model 1100  2-20
Power on the model 1100  2-21
Back panel of models 1200 and 1300  2-21
Connect models 1200 and 1300 to the network  2-22
Connect the power cord to models 1200 and 1300  2-22
Power on the models 1200 and 1300  2-23
Connect an uninterruptible powe
t Console and the VelociRaptor appliance.

The Symantec Raptor Management Console password displays (SRMC Password: Itbcfetglzha, for example). Record this password in the Network configuration worksheet on page 32 and press the E button to accept it. Later you will enter this password into the Symantec Raptor Management Console login screen to begin a remote management session between the Symantec Raptor Management Console and the appliance. After you initially login, you can change this password using the Remote Management Passwords feature of Symantec Raptor Management Console.

10. The SRL password displays (SRL Password: xxdmmfsb, for example). Record this password in the Network configuration worksheet on page 32 and press the E button to accept it. Secure Remote Login (SRL) enables a user on an authorized remote system to login to the VelociRaptor appliance and edit VelociRaptor appliance files, reboot the machine, or perform other troubleshooting or debugging tasks that are unrelated to normal VelociRaptor appliance operations. All remote traffic is encrypted. To make an SRL connection from an authorized client to the VelociRaptor appliance, see Connect to VelociRaptor 1.5 appliance on page 48.

11. The Root password displays (Root Password: h7vuvaxf, for example). Record this password in the Network configuration worksheet on page 32 and press the E button t
t want to scan.
- Use a semicolon to separate file extensions.
- Use a single period to indicate a file without an extension.
- Use a question mark as a wildcard.
If you make changes to the list of included files and want to restore the default list of files, click Restore default list.
11. If you have selected All except those in exclude list from the Which file extensions to scan list, optionally edit the exclude list to add or remove file extensions. Add any file extensions you do not want to scan. Delete any extensions that you want to scan.
- Use a semicolon to separate file extensions.
- Use a single period to indicate a file without an extension.
- Use a question mark as a wildcard.
12. Click OK to save your configuration.

Enabling antivirus scanning in a rule
To enable antivirus scanning for the FTP, HTTP or SMTP proxy in a rule, you must enable the appropriate proxy as a service and make sure that application data scanning is enabled in the rule.

To create a rule with antivirus scanning enabled
1. In the left pane, expand the Access Controls node.
2. Right-click Rules.
3. Select New > Rule to display the Rule Properties page.

[Screenshot: Rule Properties page, with the tabs General, Services, Time, Authentication, Alert Thresholds, Miscellaneous and Advanced Services]
ter. If you choose Yes, reboot now, all appliances in the cluster will be rebooted.
21. Click Finish to complete the wizard. You are returned to the Symantec Raptor Management Console. The newly created cluster appears as an icon in the left pane. By expanding it you can see all the members of the cluster. You may want to delete the previous individual appliances that are now members of the cluster. The members of the cluster will start to work as an integrated software HA/LB cluster after rebooting.

Creating a cluster for appliance file propagation or hardware HA/LB
Clusters can be used to propagate configuration information, such as rules, users and entity definitions, from one appliance to other appliances. The following procedure does not involve any HA/LB configuration.

Before you run the Cluster Wizard, make sure that the IP addresses and passwords of all the appliances you want to add to the cluster have been defined on all the VelociRaptor appliances that will be added to the cluster.

To create a cluster of appliances for propagation of configuration files or hardware HA/LB
1. Click the Symantec Raptor Management Console icon to display the Getting Connected taskpad.
2. Click the New Cluster icon to display the Cluster Create Wizard.
3. Click Next to display the Create a new cluster screen, as shown in Figure 9.8.
4. Type a name and descript
th data inspection technology that filters traffic and integrates application-level proxies, network circuit analysis and packet filtering into the gateway security architecture. To bar access to private networks and confidential information, Symantec VelociRaptor applies full inspection scanning techniques that ensure that data is validated at all levels of the protocol stack, including application proxies.

Through the Symantec Raptor Management Console (SRMC), administrators can flexibly configure scalable gateway protection for networks of any size. The console allows administrators to remotely and securely control and monitor distributed appliances, firewalls and VPN servers, and create configurable policies for users and user groups.

In addition to its simplified policy management, Symantec VelociRaptor makes installation and configuration quick and easy with a pre-installed Symantec Enterprise Firewall and Symantec Enterprise VPN, pre-configured and hardened operating system software, and an array of setup wizards.

To provide high availability and to share traffic loads among multiple security devices, Symantec VelociRaptor includes optional high availability/load balancing features.

With its integrated, standards-based Symantec Enterprise VPN, the Symantec VelociRaptor provides secure site-to-site remote access to extend enterprise networks. Support for home office and telecommuter access is available with the optional Full VPN Upgrade. Sym
the VelociRaptor product software serial number whenever requesting a license key or technical support.
- Obtain the System ID during the initial appliance setup procedure, as described in Initial network configuration procedure on page 35, or access it from the appliance System Menu, described in Use the system menu on page 29.
- Locate the product serial number on the VelociRaptor License Key Request form.

After you obtain your license key, you can enter it as part of the VelociRaptor Symantec Raptor Management Console Setup Wizard procedure (see QuickStart wizard on page 57). If you do not enter the license key in the Setup Wizard during the initial configuration procedure, use the Symantec Raptor Management Console System Properties to enter your license key at a later time.

Restoring the VelociRaptor 1.5 appliance operating system
The VelociRaptor CD-ROM ships with the VelociRaptor appliance and contains a VelociRaptor appliance operating system restore program. In the unlikely event that a complete reinstallation of the software is required, you can boot this CD-ROM in a PC connected to the appliance.

Caution: Before you use this procedure, contact Customer Support, as this operation will result in the complete overwriting of your existing VelociRaptor 1.5 appliance configuration. All configuration data will be lost.

The requirements for the PC running the operating system restore program are:
- An industry standard PC whit
the subnet, in this case finance and 192.168.20.0. Click OK; your new subnet entity will be used as the remote network entity.

Figure 5.14 Completed Remote End screen, S2S Tunnel Wizard (the screenshot shows East selected as the remote security gateway and finance selected as the network entity)

The remote end of your secure tunnel is now configured.

To configure the VPN Policy of a S2S Tunnel
1. On the left side of the screen, click on the VPN Policy link to display the VPN Policy configuration page. A check mark appears beside the Remote End link to indicate completion (see Figure 5.15).

[Screenshot: VPN Policy screen, S2S Tunnel Wizard] The VPN policy you select determi
the wizard.

To configure the Local End of a S2S tunnel using the S2S tunnel wizard
1. From the wizard Introduction page, click on the Local End link on the left side of the screen. The Local End configuration page appears (see Figure 5.4).

Figure 5.4 Local End, S2S Tunnel Wizard

2. Step 1 on the Local End screen gives you two ways to select the local security gateway:
- By selecting an existing security gateway
- By using a local interface to create a new security gateway
For the network example in Figure 5.1
tion

Figure 7.5 Type a license key

4. Select the License tab (see Figure 7.5).
5. In the License Key field, enter a new VelociRaptor appliance license key or, if you have a 30 day non-licensed copy, enter a license key for the first time. Click OK.
6. To save your new key, in the left pane right-click in Symantec Raptor Management Console and select All Tasks > Save and Reconfigure.
7. To make the license change take effect, restart the VelociRaptor appliance.

Perform a system shutdown from the Symantec Raptor Management Console
From the Symantec Raptor Management Console All Tasks menu, you can remotely perform VelociRaptor appliance system shutdowns.

To shutdown from Symantec Raptor Management Console
1. Right-mouse-click the appliance icon from within Symantec Raptor Management Console; in the All Tasks menu, click System Shutdown (see Figure 7.6).

Figure 7.6 System Shutdown menu

You are asked to confirm
ty. In this case we will create a new entity to represent the remote finance subnet displayed in Figure 5.1. From the second part of step 2, select the Create a new remote protected entity link. A pull-down menu appears (see Figure 5.12).

Figure 5.12 Remote protected entity pull-down menu

6. From the pull-down menu, select Subnet to create the 206.7.7.2 finance subnet displayed in Figure 5.1. The New Subnet dialog box appears (see Figure 5.13).

Figure 5.13 New Subnet dialog box

7. In the dialog box, type a Name for your subnet entity and the IP address of
u entered during the initial VelociRaptor appliance configuration, such as passwords and license key data, and all other configuration tasks. Because the communications between the Symantec Raptor Management Console and the VelociRaptor appliance are encrypted, you can securely manage the appliance from a remote location. You can manage several appliances from a single Symantec Raptor Management Console, and also manage a single appliance from several Symantec Raptor Management Consoles. You can also manage a mixture of VelociRaptor appliances, Symantec Enterprise Firewalls and Symantec Enterprise VPNs from the same Symantec Raptor Management Console.

The VelociRaptor appliance comes with an additional management utility called SRL (Secure Remote Login), which offers an encrypted, secure communication to the VelociRaptor appliance at the command line level to allow remote access to the operating system if needed. The Symantec Raptor Management Console is designed to provide access to all needed operating system configurations. See Use secure remote login on page 119 for further details on SRL.

Monitor VelociRaptor appliance
Before you move into more advanced management functions, it is important to understand the monitoring capabilities of the VelociRaptor appliance. The Symantec Enterprise Firewall and Symantec Enterprise VPN Reference Guide deals with monitoring in detail. The Logfiles window al
165. ...ult. This causes SMTP to refuse all email to addresses specified using source-routing syntax (such as host1 host2 user symantec com). If you disable this check box and specify a domain name in the "Specify recipient's domain name" field, the SMTP proxy will only accept the email if the final destination is one of the acceptable recipient domains. If you disable this check box and do not specify a recipient domain, the SMTP proxy will accept email for all addresses, source-routed or not. You can also specify an RBL site against which the address should be checked.

11. Click Next.

Firewall: SMTP Wizard (page 68)

Figure 4-10: Check DUL screen of the SMTP Configuration Wizard. The screen reads "Check DUL: Check sender's address against sites with dialup and dynamically assigned IP addresses", with a New site field, Add and Remove buttons, and the entry dialups.mail-abuse.org.

12. On the Check DUL screen, specify the domain name of a dial-up user list (DUL), or check the domain name provided. As with the RBL, this instructs SMTP to check the sender's address against a list of sites with dialup and dynamically assigned IP addresses of mass emailers who spam using direct connections to their victims' mail servers, without using their ISP's mail server as a relay or gateway.

Completing the SMTP Configuration Wizard screen: "The SMTP Configuration Wizard has successfully: Modified or created rules to enable your..."
166. ...uptible Power Supply (UPS) connection 23
IP address
  configuring during initial setup 35
  configuring virtual IP addresses for clusters 140

K
Keypad, using locked 121, 122

L
LEDs, see Status indicators
License
  GNU General Public 167
  Symantec appliance license and warranty agreement 172
License Key 52
  obtaining 40, 112
Lithium battery 165
Load balancing, network resources 135
Locked keypad, using 122
Log files, managing 118
Login, remote 119

M
Mail setup 57
Managing
  log files 118
  VelociRaptor security functions 8
Manual reset 27
Monitoring
  mode 38
  VelociRaptor security functions 8

N
Netmask, configuring during initial setup 35
Network
  address information 31
  configuration 31
  configuration worksheets 32
  connections
    model 1100 20
    models 1200/1300 22
  flat 93
  interfaces 53
  resources, load balancing 135
  routed 93
  setup 39
  status indicators 28
NTFS 44

P
Password
  entering for SRMC initial setup 36
  managing using SRMC 108
  root 37
  Root and Secure Remote 108
  SRL 37
  VelociRaptor 50
Patches, applying 117
Ping command, using 96, 101
Power
  applying for model 1100 21
  applying for models 1200/1300 23
  cord installation
    model 1100 20
    models 1200/1300 22
  switch 22
Preferred node 145
Private DNS entries, configuring using SRMC 98

Index (page 185)

Protocols, configuring custom services 6
Proxies, DNS 97
Proxy services
  configuring for antivirus scanning 123
  FTP 124
  HTTP 124

Q
Quickstart wiz...
167. ...way Security appliances and Symantec Enterprise Firewalls. The Symantec Raptor Management Console provides automated wizards for:
- VelociRaptor Setup
- QuickStart
- SMTP
- S2S (Site-to-Site) Tunnel
- VPN Client Tunnel
- Cluster

These wizards help you get your VelociRaptor appliance up and running quickly and easily. You can immediately begin securely passing traffic to and from your protected network.

Install Symantec Raptor Management Console

Install the Symantec Raptor Management Console on a system which meets the following hardware and software requirements.

Hardware Requirements
- Industry-standard PC
- 233 MHz Pentium II or higher
- 128 MB RAM
- 20 MB disk space
- Ethernet card
- Windows NT 4.0 Workstation or Server with Service Pack 6a, or Windows 2000 Professional or Server with Service Pack 2. Service packs can be found on the Microsoft Web site at http://support.microsoft.com.

The system on which you install Symantec Raptor Management Console cannot be a Backup or Primary Domain Controller (PDC).

Initial Setup: Install Symantec Raptor Management Console (page 44)

The system must be listed on the Microsoft Windows NT 4.0 or Windows 2000 Hardware Compatibility List (HCL). Check the Microsoft Web site at http://www.microsoft.com. You must have a color monitor with a minimum resolution of 1024x768 pixels. Click the right mouse button on the background screen and select Properties from the list, then choose the Settin...
168. ...make sure that the power outlet is easily accessible.

Warning: To reduce the risk of electrical shock, do not disassemble this product. Return it to Symantec when service or repair work is required. Opening or removing covers may expose you to dangerous voltage or other risks. Incorrect reassembly can cause electric shock when this product is subsequently used.

Note: Opening the cover will void your warranty.

Operating the unit in an equipment rack

If you plan to install the VelociRaptor 1.5 appliance in an equipment rack, use these precautions:
- Ensure the ambient temperature around the appliance, which may be higher than the room temperature, is within the limits specified in "Appliance models and specifications" on page 9.
- Ensure there is sufficient air flow around the unit.
- Ensure electrical circuits are not overloaded; consider the nameplate ratings of all the connected equipment and ensure you have overcurrent protection.
- Ensure the equipment is properly grounded, particularly any equipment connected to a power strip.
- Do not place any objects on top of the appliance.

Appendix: Licenses

The LINUX operating system used in the VelociRaptor 1.5 appliance is covered by the GNU General Public License. The firewall software is covered by the Symantec license included with the license serial number.

To view licensed and enabled features:
1. Select the icon of the connected appliance in the l...
169. ...y particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

Licenses: GNU GENERAL PUBLIC LICENSE (page 171)

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

If the distribution and/or use of the Program is restricted in certain countries, either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

The Free Software Foundation may publish revised and...
170. ...y the Bind Address on which the local scan server listens for remote requests. The following procedure must be performed on the Symantec Gateway Security appliance serving the VelociRaptor.

To set up a Symantec Gateway Security appliance to accept remote requests for scanning:

1. Using the Symantec Raptor Management Console, connect to the remote Symantec Gateway Security appliance.

Antivirus Scanning: Symantec Gateway Security appliance setup (page 132)

2. Double-click Global_Antivirus_Configuration in the right pane to display the Global_Antivirus_Configuration Properties page.

Figure 8-6: AV Global Antivirus Configuration Properties page, General tab. The tab reads "Please specify the configuration for the antivirus server" and contains the Bind Address and Port Number fields.

3. Use the Bind Address drop-down list to specify the interface on which the local antivirus scan server listens. To enable requests for scanning from a VelociRaptor, you must select <ALL 0.0.0.0>, eth0, or eth1.
- If you select <ALL 0.0.0.0>, the antivirus scan server accepts all requests that it receives, local and nonlocal.
- If you select eth0, the antivirus scan server accepts only scan requests from the eth0 interface. By default, this is the inside interface. Select this only if your VelociRaptor is connected to the eth0 interface.
- If you select eth1, the antivirus scan server accepts only scan...
171. ...your selection. For the network in Figure 3-4, you would select Out. All address information you enter in the next steps is applied to the interface you select here.

3. Enter the VelociRaptor appliance IP address for the interface selected. Use the arrow buttons on the front panel to enter all data. Press the E button to move to the next LCD screen when the data is complete. For button operation instructions, see "Front panel controls" on page 29.

   IP Address 000.000.000.000

   This is the VelociRaptor appliance interface address that is closest to the managing Symantec Raptor Management Console. For the network in Figure 3-4, you would enter 169.254.0.1.

   Note: If the Symantec Raptor Management Console is offsite, as in Figure 3-4, or simply not behind the designated VelociRaptor appliance, enter the outside interface IP address. If the Symantec Raptor Management Console is behind the VelociRaptor appliance, enter the appropriate inside interface IP address.

4. Enter the netmask address for the IP address you just entered.

   Netmask 000.000.000.000

   For the network in Figure 3-4, you would enter 255.255.255.0 as the netmask.

Initial Setup: Initial network configuration procedure (page 36)

5. Enter the Gateway address to serve as the default gateway for the VelociRaptor appliance. If you have an internal Symantec Raptor Management Console behind an internal router, you must enter the IP address of the router interface through wh...