
Nortel Switched Firewall™ 5100 Series Release 2.3.1

User’s Guide and Command Reference

Part number: 213455-K, June 2005

Nortel Networks, 4655 Great America Parkway, Santa Clara, CA 95054. Phone 1-800-4Nortel. http://www.nortel.com

Copyright © Nortel Networks Limited 2005. All rights reserved. 4655 Great America Parkway, Santa Clara, California, 95054, USA. Part Number: 213455-K.

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of noninfringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

Nortel Switched Firewall, Nortel 5105, 5106, 5109, 5114, Nortel Firewall, and Firewall OS are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Check Point, OPSEC, and SmartUpdate are trademarks of Check Point Software Technologies Ltd. FireWall-1 and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. Portions of this manual are Copyright © 2001 Check Point Software Technologies Ltd. All Rights Reserved. Any other trademarks appearing in this manual are owned by their respective companies.

Export: This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.

Licensing: This product includes software developed by Check Point Software Technologies (http://www.checkpoint.com). This product also contains software developed by other parties. See Appendix E, “Software Licenses”, on page 375 for more information.


Regulatory Compliance

FCC Class A Notice. The equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1) The device may not cause harmful interference, and 2) This equipment must accept any interference received, including interference that may cause undesired operation. The equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. The equipment generates, uses and can radiate radio-frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential area is likely to cause harmful interference. In such a case, the user will be required to correct the interference at his own expense. Do not make mechanical or electrical modifications to the equipment.

Industry Canada: This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. (Cet appareil numérique de la classe A respecte toutes les exigences du Règlement sur le matériel brouilleur du Canada.)

VCCI Class A Notice: This is a Class A product based on the standard of the Voluntary Control Council for Interference from Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur. In such a case, the user may be required to take corrective actions.

Japanese VCCI Class A Notice

Taiwan EMC Notice

CE Notice: The CE mark on this equipment indicates that this equipment meets or exceeds the following technical standards: EN55022, EN55024, EN60950, and all supporting document requirements.


Safety Information

Caution—Nortel Networks products are designed to work with single-phase power systems having a grounded neutral conductor. To reduce the risk of electric shock, do not plug Nortel Networks products into any other type of power system. Contact your facilities manager or a qualified electrician if you are not sure what type of power is supplied to your building.

Caution—Not all power cords have the same ratings. Household extension cords do not have overload protection and are not meant for use with computer systems. Do not use household extension cords with your Nortel Networks product.

Caution—Your Nortel Networks product is shipped with a grounding type (three-wire) power cord. To reduce the risk of electric shock, always plug the cord into a grounded power outlet.

Nordic Lithium Battery Cautions

(Norway) WARNING: Lithium battery. Risk of explosion. When replacing, use only the battery type recommended by the equipment manufacturer. Return used batteries to the equipment supplier.

(Sweden) WARNING: Risk of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to the manufacturer's instructions.

(Denmark) WARNING! Lithium battery. Risk of explosion if handled incorrectly. Replace only with a battery of the same make and type. Return the used battery to the supplier.

(Finland) WARNING: The battery may explode if installed incorrectly. Replace the battery only with the type recommended by the equipment manufacturer. Dispose of the used battery according to the manufacturer's instructions.

Warranty

Nortel Networks provides a limited warranty on all its products for a period of one year from the date of shipment. Free technical support and free replacement of hardware is provided for the first 90 days after shipment. You may choose to purchase additional service and support from Nortel Networks. Please contact your local sales representative for more information.


Contents

Preface   15
    Who Should Use This Book   15
    How This Book Is Organized   15
    Part 1: Getting Started   15
    Part 2: Command Reference   16
    Part 3: Appendices   16
    Related Documentation   17
    Typographic Conventions   18
    How to Get Help   19

Chapter 1: Introduction   23
    Feature Summary   24
    What’s New in NSF 2.3.1?   24
    Software Support   24
    New Hardware Support   24
    Reliability and Redundancy   24
    DHCP, Routing and Bridging   25
    Management   26
    Usability Enhancements   26
    Upgrades   27
    Supported Hardware   28
    Performance   29
    Nortel Switched Firewall Basics   30
    Network Elements   30
    The Networks   30
    The Firewall   31
    The Management Interfaces   31

Chapter 2: Initial Setup   33
    Basic Requirements   34
    Example Network   35
    Firewall Management Network   35
    SmartCenter Server   36
    Trusted Network   36
    Untrusted Network (Internet)   36
    Setting Up the Basic Configuration   37
    Installing Firewall License   43
    Example:   44
    Configuring Network Interfaces and Ports   44
    Allowing SMART Client Access to the Firewall   47
    Installing Check Point Management Tools   48
    Editing the Windows NT hosts file   48
    Installing Check Point SmartCenter Server and SmartConsole   49
    Defining a Firewall Object in the SmartDashboard   58
    Creating a Firewall Policy Test Rule   63
    Creating and Installing Firewall Security Rules   65
    VLAN Tags   66
    Layer 2 Switch Configuration   67
    SmartDashboard Configuration   67
    Switched Firewall Configuration   68

Chapter 3: Dynamic Host Configuration Protocol   71
    DHCP Relay Agent   72
    Configuring for DHCP Relay Agent   73

Chapter 4: Open Shortest Path First   75
    OSPF Overview   76
    Types of OSPF Areas   76
    Types of OSPF Routing Devices   77
    Neighbors and Adjacencies   78
    The Link-State Database   79
    The Shortest Path First Tree   79
    Authentication   80
    Internal Versus External Routing   80
    NSF 2.3.1 OSPF Implementation   81
    Configurable Parameters   81
    Defining Areas   82
    Assigning the Area Index   82
    Using the Area ID to Assign the OSPF Area Number   83
    Attaching an Area to a Network   83
    Interface Cost   84
    Electing the Designated Router and Backup   84
    Router ID   84
    Authentication   85
    Simple Authentication   85
    MD5 Authentication   85
    GRE Tunnel Support   86
    OSPF Features Not Supported in This Release   86
    OSPF Configuration Examples   87
    Example 1: Configuring a Simple OSPF Domain   87
    Example 2: Configuring GRE Tunnel   89
    Avoiding Loops in the GRE Tunnel   91
    Example 3: Configuring Failover   92

Chapter 5: Redundant Firewalls   97
    VRRP on the Switched Firewall   98
    VRRP Overview   98
    Switched Firewall Cluster   98
    Active Master Determination   99
    VRRP Election   99
    VRRP Failover   100
    VRRP Failover-based on Links   101
    MAC Address Mapping   101
    Stateful Failover   102
    VRRP Router Parameters   102
    Active-Standby and Active-Active   102
    Advertisement Interval   102
    Gratuitous ARP (GARP)   103
    VRRP Interface   103
    Advanced Failover Check   104
    Preferred Master   104
    Configuring VRRP Active-Standby Failover   105
    Configuration Overview   106
    Requirements   107
    Installing the Redundant Switched Firewall   108
    Configuration Check List   109
    Configuring the Redundant Switched Firewall   109
    Configuring Check Point Software for Active-Standby   113
    Configuration Dump for VRRP Active-Standby Failover   120
    Configuring VRRP Active-Active Failover   123
    Configuration Overview   123
    Requirements   125
    Installing the Redundant Switched Firewall   125
    Configuration Check List   125
    Configuring the Redundant Switched Firewall   126
    Configuring Check Point Software   126
    Configuration Dump for VRRP Active-Active Failover   133
    Configuring Check Point ClusterXL Failover   136
    Configuration Check List on the Management Station   137
    Step-by-Step Configuration Procedure   138
    Configuration Dump for Check Point ClusterXL Failover   153
    Establishing Trust on Redundant Firewalls   157
    Managing through the VRRP Interface   157
    Synchronizing Nortel Switched Firewalls   159

Chapter 6: Layer 2 and Layer 3 Firewalls   161
    Overview   162
    Configuring Layer 2 Bridge Mode Firewall   162
    Configuring the Firewall Software   163
    Configuring the Check Point Software   166
    Configuring a Layer 3 Firewall   170
    Configuring the Firewall Software   170
    Configuring the Check Point Software   174
    Configuration Issues   178

Chapter 7: Applications   179
    Uninterruptible Power Supply   180
    Configuring UPS Support   180
    Displaying UPS Configuration   184
    RADIUS Authentication   185
    VPN Support   187
    ISP Redundancy   188
    User Authority   189

Chapter 8: Upgrading and Reinstalling the Software   191
    Compatibility   192
    Types of Upgrade   192
    Nortel Switched Firewall SSI Upgrades   192
    Built-In Firewall Software Upgrades   193
    Check Point Management Station Upgrades   193
    Upgrade and Reinstall Images   194
    Upgrading to NSF 2.3.1 Software   195
    Loading the New Software   195
    Activating the Software   197
    Standalone Upgrade   198
    Cluster Upgrade   199
    Reinstalling Software   203
    Using the ISO Image   203
    Using the IMG Image   204

Chapter 9: Basic System Management   207
    Management Tools   207
    Users and Passwords   208

Chapter 10: The Command Line Interface   213
    Accessing the Command Line Interface   213
    Using the Local Serial Port   213
    Defining the Remote Access List   214
    Displaying the Access List   214
    Adding Items to the Access List   214
    Using Telnet   215
    Enabling Telnet Access   216
    Starting the Telnet Session   217
    Using Secure Shell   217
    Enabling SSH Access on the Nortel Switched Firewall   217
    Starting the SSH Session   218
    Using the Command Line Interface   219
    Basic Operation   219
    The Main Menu   220
    Idle Time-out   221
    Multiple Administration Sessions   221
    Global Commands   221
    Command Line History and Editing   224
    Command Line Shortcuts   225
    Command Stacking   225
    Command Abbreviation   225
    Tab Completion   225

Chapter 11: Command Reference   227
    Main Menu   227
    Information Menu   231
    Info_host Menu   234
    Information Menu   235
    Bridge 1 Information Menu   237
    Route Information Menu   237
    OSPF Router Information Menu   238
    VRRP Information Menu   239
    Configuration Menu   240
    System Menu   242
    Date and Time Menu   244
    NTP Servers Menu   245
    DNS Servers Menu   246
    Cluster Menu   247
    Cluster Host Menu   248
    Access List Menu   250
    Administrative Applications Menu   251
    Telnet Administration Menu   253
    SSH Administration Menu   254
    SSH Host Keys Menu   255
    SSH Known Host Keys Menu   256
    Web Administration Menu   257
    HTTP Configuration Menu   258
    SSL Configuration Menu   259
    Certificate Management Menu   260
    Server Certificate Management Menu   261
    CA Certificate Management Menu   262
    SNMP Administration Menu   263
    SNMP Users Menu   265
    Trap Hosts Menu   266
    SNMP System Information Menu   267
    Advanced SNMP Settings Menu   268
    Audit Menu   269
    Radius Audit Servers Menu   271
    Authentication Menu   272
    Radius Authentication Servers Menu   273
    Platform Logging Menu   274
    System Logging Menu   275
    ELA Logging Menu   276
    Log Archiving Menu   278
    User Menu   279
    User user_name Menu   281
    SSH Users Menu   281
    SSH User Admin Menu   282
    Groups Menu   283
    APC UPS Menu   284
    Network Configuration Menu   286
    Port Menu   288
    Physical Port Connector Characteristics   288
    Interface Menu   289
    VRRP Interface Menu   291
    Bridge 1 Menu   293
    Bridge 1 Ports Menu   294
    VRRP Bridge 1 Menu   295
    VRRP Settings Menu   296
    Routes Menu   299
    GRE Tunnel 1 Menu   300
    OSPF Menu   301
    OSPF Area Index Menu   303
    OSPF Interface Menu   304
    OSPF GRE Tunnel 1 Menu   307
    Route Redistribution Menu   310
    OSPF Connected Route Redistribution Menu   311
    OSPF Static Route Redistribution Menu   312
    OSPF Default Gateway Route Redistribution Menu   313
    Proxy Arp Menu   314
    Proxy Arp List Menu   315
    DHCP Relay Menu   316
    DHCP Relay Interface Menu   317
    DHCP Server Menu   318
    Firewall License Menu   319
    Firewall Configuration Menu   320
    Sync Configuration Menu   322
    SMART Clients Menu   323
    SmartUpdate Configuration Menu   324
    Miscellaneous Settings Menu   324
    Boot Menu   325
    Software Management Menu   326
    Software Patches Menu   327
    The Maintenance Menu   328
    Firewall Maintenance Menu   329
    Tech Support Dump Menu   331
    Backup Menu   332
    OSPF Debug Menu   333

Appendix A: Event Logging API   337
    Configure the Check Point SmartCenter Server   338
    Configure the Firewall   342
    The Check Point SmartView Tracker   344

Appendix B: Backing Up and Cloning Configurations   345
    Overview   346
    Remote Backup   346
    Clone Command   346
    Local Backup   346
    Backing Up and Cloning   346
    Backing Up a Configuration   346
    Troubleshooting for Backup   347
    Cloning a Configuration   348

Appendix C: Common Tasks   349
    Installing a New Image From CD-ROM   350
    Enabling USB Support   351
    Verify USB Support on the Firewall   351
    Enabling the USB Support in the BIOS   352
    Mounting a Floppy Disk on the firewall   355
    Mounting a CD-ROM on the firewall   356
    Mounting the USB Port   356
    Tuning Check Point NG Performance   357
    Connection Parameters   357
    NAT Parameters   358
    Reading System Memory Information   359
    Generating Public/Private DSA Key Pair   360

Appendix D: Troubleshooting   363
    Failed to Establish Trust between SmartCenter Server and Firewall   364
    Actions   364
    Managing Licenses   366
    Re-installing an Existing License   366
    Installing a License on an NT Workstation   366
    Re-establishing SIC   367
    Cannot Download Policy on Firewall   368
    Action   368
    Poor Performance with Other Devices   368
    Actions   368
    Cannot Log Into the Management Station from the SMART Client   369
    Actions   369
    Check Point Sends Connection Failed Messages to Firewall   369
    Action   369
    VRRP Configuration Tips   370
    VRRP: Active Master Backup Fails   371
    Actions   371
    VRRP: Both Masters are Active   372
    Actions   372
    Poor Performance Under Heavy Traffic   372
    Configure Mandatory IP Addresses   373

Appendix E: Software Licenses   375
    Apache Software Licence   375
    mod_ssl License   376
    OpenSSL and SSLeay Licenses   377
    OpenSSL License   377
    Original SSLeay License   378
    PHP License   379
    SMTPclient License   380
    GNU General Public License   381

Preface This User’s Guide and Command Reference describes the components and features of the Nortel Switched Firewall 5100 Series system and explains how to perform initial setup, configuration and maintenance. Once you have completed network configuration using this guide, you must rely on the documentation from Check Point to develop and administer security policies.

Who Should Use This Book This User’s Guide and Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.

How This Book Is Organized The chapters in this book are organized as follows:

Part 1: Getting Started

Chapter 1, “Introduction”, provides an overview of the major features of the Nortel Switched Firewall, including the physical layout of its components and the basic concepts behind their operation.

Chapter 2, “Initial Setup”, describes how to perform start-up configuration on the Nortel Switched Firewall. An example network is shown, along with instructions on how to configure the firewall CLI and Check Point™ SmartCenter Server.

Chapter 3, “Dynamic Host Configuration Protocol”, describes how to configure the Nortel Switched Firewall for Dynamic Host Configuration Protocol (DHCP) support.

Chapter 4, “Open Shortest Path First”, provides an overview of the Open Shortest Path First (OSPF) protocol, describes the implementation of OSPF on the Switched Firewall, and includes several OSPF configuration examples.

Chapter 5, “Redundant Firewalls”, provides configuration examples for clustering Switched Firewalls in a redundant configuration for high availability or active-active operation using VRRP, with synchronization for stateful failover. There is also an overview of the VRRP implementation.

Chapter 6, “Layer 2 and Layer 3 Firewalls”, describes how to configure a Layer 2 and a Layer 3 firewall.

Chapter 7, “Applications”, describes applications that are supported by the Nortel Switched Firewall.

Chapter 8, “Upgrading and Reinstalling the Software”, describes how to upgrade or reinstall the Nortel Switched Firewall system component software.

Chapter 9, “Basic System Management”, describes the various tools used for managing the system, and explains basic management concepts.

Part 2: Command Reference

Chapter 10, “The Command Line Interface”, describes how to access and use the text-based management interface for collecting system information and performing configuration.

Chapter 11, “Command Reference”, explains the menus, commands, and parameters of the text-based management interface.

Part 3: Appendices

Appendix A, “Event Logging API”, describes how to view Nortel Switched Firewall log messages with your Check Point SmartView Tracker.

Appendix B, “Backing Up and Cloning Configurations”, describes how to back up and clone configurations.

Appendix C, “Common Tasks”, describes routine management functions.

Appendix D, “Troubleshooting”, provides suggestions for troubleshooting basic problems.

Appendix E, “Software Licenses”, provides licensing information for the software used in this product.


Related Documentation

For setup, configuration, software maintenance and release-specific information, see the related documentation, which includes the following:

• Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C)
• Nortel Switched Firewall 2.3.1 Browser-Based Users Guide (216383-C)
• Nortel Switched Firewall 5100 Series 2.3.1 Release Notes (213456-R)

All the documents are posted on the Nortel Networks Customer Support Web site. See the Release Notes for Web navigation instructions.


Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

AaBbCc123 (fixed-width type)
    Meaning: Names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
    Example: View the readme.txt file. The Main# prompt.

AaBbCc123 (italicized type)
    Meaning: Book titles, special terms, or words to be emphasized.
    Example: Read your User’s Guide thoroughly.

AaBbCc123 (fixed-width, bold type)
    Meaning: Appears in command examples. It shows text that must be typed in exactly as shown.
    Example: Main# sys

<AaBbCc123> (italicized type within angle brackets)
    Meaning: Appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
    Example: To establish a Telnet session, enter: host# telnet <IP address>

[ ]
    Meaning: Command items shown inside square brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
    Example: host# ls [-a]

|
    Meaning: Command items separated by the vertical bar depict a list of possible values, only one of which should be entered. The vertical bar can be literally considered to mean “or.” It is also used to separate different selections within a window-based menu bar.
    Example: System# autoneg on|off; Select Edit | Copy from the window’s menu bar.

<Key>
    Meaning: Non-alphanumeric keyboard items are shown in regular type inside angle brackets. When directed, press the appropriate key. Do not type the brackets.
    Example: Press the <Enter> key.


How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:

• Europe, Middle East, and Africa: 00800 8008 9009 or +44 (0) 870 907 9009
• North America: (800) 4NORTEL or (800) 466-7835
• Asia Pacific: (61) (2) 8870-8800
• China: (800) 810-5000

Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL: http://www.nortel.com/contactus

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL: http://www.nortel.com/erc


Part 1: Getting Started

This section discusses basic firewall functions, Nortel Switched Firewall components, and features. The following topics are included in this section:

• New features and basic functions
• Initial setup
• DHCP Relay and OSPF
• Layer 2 and Layer 3 firewall
• Redundant firewalls
• Firewall applications
• System management
• Software upgrade


CHAPTER 1

Introduction

The Nortel Switched Firewall is a combination of dedicated hardware and software (hardened OS, security applications, and networking technology). It addresses the needs for security, performance and ease of use. The software is a combination of NSF Single System Image (SSI) software and the FireWall-1® NG software from Check Point™. The following topics are covered in this chapter:

• “Feature Summary” on page 24
• “Nortel Switched Firewall Basics” on page 30


Feature Summary

The Nortel Switched Firewall (NSF) is a high-performance firewall system for network security. The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability. The following topics are covered in this section:

• “What’s New in NSF 2.3.1?” on page 24
• “Supported Hardware” on page 28
• “Performance” on page 29

What’s New in NSF 2.3.1?

The following features have been added to the Nortel Switched Firewall release 2.3.1 since the last major release:

Software Support

Supports Check Point™ FireWall-1® NG with Application Intelligence R55 and Hotfix Accumulator 12 (HFA_12) software.

New Hardware Support

Supports two new hardware platforms, 5111-NE1 and 5114-NE1 (see Table 1-1 on page 28).

Reliability and Redundancy

• Manages power supply by supporting APC Uninterruptible Power Supply (UPS) models. UPS is supported through USB, Ethernet, and SNMP.
• Supports a USB storage stick. The USB port can be used to store all uploads such as tsdump, backup, configuration, and Check Point logs.
• Supports RADIUS authentication in a standalone or cluster configuration. Multiple RADIUS servers can be configured for redundancy. RADIUS authentication is supported for managing user logins. NSF 2.3.1 supports fallback to local authentication when the RADIUS server is not available. Supports auditing to remote RADIUS auditing servers.
• Supports the Check Point ISP Redundancy feature. ISP Redundancy provides reliable Internet connectivity by allowing a single or clustered Switched Firewall to connect to the Internet through redundant Internet Service Provider (ISP) links.
• VRRP enhancements:
    - Supports failover in less than 1 second
    - SSI MIP does not migrate on failover
    - Supports the “preferred master” configuration
    - Access SSI management through the VRRP interface
    - Supports high availability in an OSPF network
    - Access the firewall (Telnet or BBI) using the VRRP interface IP address
• Supports secure file transfer through SCP/SFTP. SCP/SFTP uses a username and password for authentication.
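The RADIUS login path described in the list above, with several servers tried in order and fallback to local authentication only when no server answers, as an added example written for this page; it is not Nortel's implementation of the feature. It builds a PAP Access-Request and checks the Response Authenticator as specified in RFC 2865, and takes the transport as a caller-supplied send() function so that it runs offline against a constructed in-memory server. The host addresses, shared secrets and user names are made up.

```python
"""RADIUS (RFC 2865) PAP login with ordered server failover and local fallback.
Added example for this page, not Nortel Switched Firewall code. The transport is a
caller-supplied send() so it runs offline; hosts, secrets and users are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


class RadiusUnavailable(Exception):
    """Raised by the transport when a server gives no answer (timeout)."""


def _pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with
    # MD5(secret + previous ciphertext block), the first block keyed by the
    # Request Authenticator. Obfuscation only: no stronger than the shared secret.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def _pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side of the same scheme (inverse of _pap_hide).
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            break                     # malformed TLV: stop, never read past the packet
        attrs[kind] = payload[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, user, password, authenticator):
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, _pap_hide(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_is_authentic(resp, secret, ident, request_auth):
    # RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    # A reply that fails this check is silently discarded, exactly like no reply.
    if len(resp) < 20 or resp[1] != ident or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def authenticate(user, password, servers, send, local_users):
    """Try each (host, secret) in order. Local credentials are consulted only when
    no server produced an authentic answer; an Access-Reject is final."""
    for ident, (host, secret) in enumerate(servers):
        request_auth = os.urandom(16)
        packet = build_access_request(ident, secret, user, password, request_auth)
        try:
            resp = send(host, packet)
        except RadiusUnavailable:
            continue
        if not response_is_authentic(resp, secret, ident, request_auth):
            continue                  # wrong secret or forged reply: treated as no answer
        return "radius", resp[0] == ACCESS_ACCEPT
    expected = local_users.get(user)
    return "local", expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def make_fake_server(secret, users, reachable=True):
    """Constructed in-memory RADIUS server standing in for a real one."""
    def send(host, packet):
        if not reachable:
            raise RadiusUnavailable(host)
        req_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
        user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        pw = _pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
        known = users.get(user)
        ok = known is not None and hmac.compare_digest(known.encode(), pw)
        header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, packet[1], 20)
        return header + hashlib.md5(header + req_auth + secret).digest()
    return send


def demo():
    secret, users, local = b"nsf-shared-secret", {"admin": "s3cret"}, {"admin": "local-only"}
    hosts = {"10.1.1.1": make_fake_server(secret, users, reachable=False),  # primary: down
             "10.1.1.2": make_fake_server(secret, users),                   # secondary: up
             "10.1.1.3": make_fake_server(b"mismatched", users)}            # wrong secret
    send = lambda host, pkt: hosts[host](host, pkt)
    return {
        "primary_down_secondary_accepts": authenticate("admin", "s3cret", [("10.1.1.1", secret), ("10.1.1.2", secret)], send, local),
        "reject_is_final": authenticate("admin", "local-only", [("10.1.1.2", secret)], send, local),
        "all_down_local_fallback": authenticate("admin", "local-only", [("10.1.1.1", secret)], send, local),
        "wrong_secret_treated_as_down": authenticate("admin", "s3cret", [("10.1.1.3", secret)], send, local),
    }
```

The point of the ordering in authenticate() is that only silence, or a reply whose Response Authenticator does not verify, moves on to the next server or to the local table; an explicit Access-Reject ends the attempt. If rejection also fell through to local credentials, anyone able to block the RADIUS servers could downgrade every login to the local password.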

DHCP, Routing and Bridging

• Supports Dynamic Host Configuration Protocol (DHCP) Relay. In the DHCP environment, the Nortel Switched Firewall acts as a relay agent, allowing hosts or clients on an IP network to obtain their configurations from a DHCP server and thereby reducing network administration. The NSF implementation of the DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet, reducing the number of DHCP servers deployed on the network and centralizing management.
• Supports Layer 2 and Layer 3 bridge modes on the firewall. Bridging is supported for standalone and active-standby configurations.
• Supports Generic Routing Encapsulation (GRE) tunnels. NSF 2.3.1 allows GRE tunnels to interoperate with third-party solutions.
• Supports OSPF in a cluster configuration. NSF 2.3.1 supports both active-standby and active-active configurations.
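The relay-agent behaviour described in the first bullet above, as an added example written for this page rather than the NSF implementation: the relay stamps its own interface address into giaddr so a central server knows which subnet to allocate from, increments the hop count and drops looping requests, and delivers only those replies whose giaddr is one of its own interfaces. The interface names, addresses and the DHCP messages are constructed for the demonstration.

```python
"""DHCP/BOOTP relay forwarding logic (RFC 2131 s4.3.1, RFC 1542), added example for
this page; not Nortel Switched Firewall code. Addresses and packets are constructed."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
MAX_HOPS = 16                    # RFC 1542: discard requests relayed too many times
BROADCAST_FLAG = 0x8000          # RFC 2131 s4.1: client asks for a broadcast reply
HDR = "!BBBBIHH4s4s4s4s16s"      # fixed fields up to chaddr; sname, file, cookie, options follow
HDR_LEN = struct.calcsize(HDR)   # 44 bytes
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr")


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def parse(packet: bytes) -> dict:
    msg = dict(zip(FIELDS, struct.unpack(HDR, packet[:HDR_LEN])))
    msg["rest"] = packet[HDR_LEN:]
    return msg


def build(msg: dict) -> bytes:
    return struct.pack(HDR, *(msg[f] for f in FIELDS)) + msg["rest"]


def make_message(op, xid, mac, hops=0, flags=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                 siaddr="0.0.0.0", giaddr="0.0.0.0", options=b"\x35\x01\x01\xff"):
    """Constructed message: Ethernet hardware type, zeroed sname/file, magic cookie,
    then options (default: DHCP Message Type = DISCOVER, End)."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip4(ciaddr), ip4(yiaddr),
                      ip4(siaddr), ip4(giaddr), mac.ljust(16, b"\x00"))
    return hdr + b"\x00" * 192 + b"\x63\x82\x53\x63" + options


class DhcpRelay:
    def __init__(self, interface_ips: dict, servers: list):
        self.ifaces = {name: ip4(a) for name, a in interface_ips.items()}   # name -> packed IP
        self.servers = list(servers)                                        # unicast targets

    def relay(self, packet: bytes, ingress: str) -> list:
        """Return (egress, dst_ip, dst_port, packet) decisions; empty list = drop."""
        msg = parse(packet)
        if msg["op"] == BOOTREQUEST:
            return self._toward_servers(msg, ingress)
        if msg["op"] == BOOTREPLY:
            return self._toward_client(msg)
        return []

    def _toward_servers(self, msg, ingress):
        if msg["hops"] > MAX_HOPS:
            return []                                    # looping between relays
        msg["hops"] += 1
        if msg["giaddr"] == ip4("0.0.0.0"):
            msg["giaddr"] = self.ifaces[ingress]         # server allocates from this subnet
        out = build(msg)
        return [("routed", server, SERVER_PORT, out) for server in self.servers]

    def _toward_client(self, msg):
        egress = next((n for n, a in self.ifaces.items() if a == msg["giaddr"]), None)
        if egress is None:
            return []                                    # not addressed to this relay: drop
        if msg["ciaddr"] != ip4("0.0.0.0"):
            dst = str(ipaddress.IPv4Address(msg["ciaddr"]))   # renewing client has an address
        elif msg["flags"] & BROADCAST_FLAG:
            dst = "255.255.255.255"
        else:
            dst = str(ipaddress.IPv4Address(msg["yiaddr"]))
        return [(egress, dst, CLIENT_PORT, build(msg))]


def demo():
    relay = DhcpRelay({"trusted": "10.10.1.1", "mgmt": "10.20.1.1"}, ["192.168.50.10"])
    mac = bytes.fromhex("001122334455")
    discover = make_message(BOOTREQUEST, 0x3903F326, mac, flags=BROADCAST_FLAG)
    offer = make_message(BOOTREPLY, 0x3903F326, mac, flags=BROADCAST_FLAG,
                         yiaddr="10.10.1.55", siaddr="192.168.50.10", giaddr="10.10.1.1")
    forged = make_message(BOOTREPLY, 0x3903F326, mac, yiaddr="10.10.1.66",
                          siaddr="192.168.50.10", giaddr="10.99.0.1")
    looping = make_message(BOOTREQUEST, 0x1, mac, hops=MAX_HOPS + 1)
    return {
        "discover": relay.relay(discover, "trusted"),
        "offer": relay.relay(offer, "mgmt"),       # reply arriving from the server side
        "forged": relay.relay(forged, "mgmt"),     # giaddr is not one of our interfaces
        "looping": relay.relay(looping, "trusted"),
    }
```

Dropping replies whose giaddr is not a local interface matters on a firewall: a reply that the relay did not solicit should never be re-broadcast onto a protected segment, where it would look like a legitimate server offer.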


Management

• Supports the Check Point User Authority feature. UserAuthority provides centralized management of user authentication and authorization.
• Supports SSI management traffic on a VLAN. NSF 2.3.1 allows you to configure the SSI network on a VLAN, so you can share the management port with other interfaces.
• Supports SSI management traffic that bypasses Check Point rules. The bypass prevents Check Point from blocking SSI traffic, so you do not have to create a separate policy on the Check Point management station to allow SSI traffic. Because bypassed SSI traffic is not inspected by the Check Point policy, restrict which hosts may manage the firewall with the firewall's own remote access list (see “Defining the Remote Access List” in Chapter 10).
• Provides a hardware sensor module. The sensor module is responsible for generating alarm events and SNMP traps when hardware parameters, such as fan rpm values or temperature, reach critical levels.
• Supports a user-friendly name for your firewall.
• Flexible management. To help you minimize the amount of time spent manually configuring individual devices, NSF gives you a flexible set of management options to control the configuration, policy creation, deployment, and on-going management of your NSF security solutions. You can use the CLI, BBI, or the Management Console.
• Centralized management. Provides dynamic Plug N Play: added components can be automatically configured and brought into service. Provides a Single System Image (SSI): all components in a given Nortel Switched Firewall cluster are configured together as a single system. Supports SNMP version 2c and 3 event and alarm traps.

Usability Enhancements

• Extended logging. Detailed information on errors is available immediately at the CLI and the BBI. The error messages displayed at the console have log IDs. A detailed description of these messages and possible workarounds can be found by entering the log IDs.
• Support for cloning configurations through the CLI.


- New, improved Browser-Based Interface (HTTP and HTTPS) offers easy configuration of network settings and displays dynamic status of the firewall. For more information, see the NSF 2.3.1 Browser-Based Interface (BBI) Quick Access Guide (216383-C).
- Provides an easy and quick way to capture packets through the CLI using the new CLI commands /info/fwmon and /info/ethereal.
- Displays firewall capacity with the /info/capacity command. This command lists the ports supported, firewall memory, maximum connections, VLAN interfaces, routes supported, and disk capacity.

Upgrades

- Update the current image with a patch, using rpm install (applies to all the firewalls in the cluster).
- Allows restoring of configuration and images in case of a failed upgrade or configuration change.
- Supports a simplified upgrade procedure.


Supported Hardware

Table 1-1 shows the model numbers of the hardware platforms supported for NSF 2.3.1. The platforms differ with respect to hardware features and performance, but in all other operational aspects (software, certification, system management, logging and monitoring) they are the same.

Table 1-1 Nortel Switched Firewall 5100 Series Hardware Platforms

Model      Supported Ports                                                                  RAM
5111-NE1   Two embedded 10/100/1000 Mbps copper Ethernet ports;                            512 MB
           one quad copper Ethernet module (four 10/100/1000 Mbps copper ports)
5114-NE1   Two embedded 10/100/1000 Mbps copper Ethernet ports;                            1.0 GB
           one dual fiber Ethernet module (two 1000 Mbps fiber ports)
5106       Two embedded 10/100 Mbps Ethernet ports;                                        512 MB
           one dual copper Ethernet module (two 10/100/1000 Mbps ports)
5109       Two embedded 10/100/1000 Mbps copper Ethernet ports;                            512 MB
           one quad copper Ethernet module (four 10/100 Mbps copper ports)
5114       Two embedded 10/100/1000 Mbps copper Ethernet ports;                            1.0 GB
           one dual fiber Ethernet module (two 1000Base-SX multimode fiber ports with LC connectors)


Performance

Table 1-2 compares the throughput, concurrent sessions, and new connections per second of each 5100 Series model.

Table 1-2 Nortel Switched Firewall 5100 Series Hardware Performance

Model      Throughput   Concurrent Sessions   New Connections per Second
5114-NE1   1,600 Mbps   500,000               4,000
5111-NE1   1,000 Mbps   300,000               4,000
5114       1,600 Mbps   500,000               4,000
5109       1,000 Mbps   300,000               4,000
5106       300 Mbps     250,000               3,200 to 3,600


Nortel Switched Firewall Basics

Network Elements

A basic network using the Nortel Switched Firewall is shown in Figure 1-1.

[Figure 1-1 Nortel Switched Firewall Network Elements: a Nortel Switched Firewall with Check Point SmartCenter Server sits between the Internet (Untrusted Network), the Intranet (Trusted Network), and a Semi-Trusted Network (DMZ); an NSF Local Console and an NSF Remote Console with Check Point SMART Clients attach to it.]

The Networks

- Trusted Networks: internal network resources that must be protected from unauthorized access. Trusted networks usually provide internal services such as a company's intranet, as well as valued applications made available to external clients, such as public e-commerce Web sites.
- Semi-trusted Networks: to increase security, services intended primarily for external clients are often placed on a separate network so that a hostile intrusion would not affect the company's internal networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ). For more information, see your Check Point documentation.
- Untrusted Networks: external networks that are presumed to be potentially hostile, such as the Internet.


The Firewall

- Nortel Switched Firewall: placed in the path between your trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator.

The Management Interfaces

- NSF Local Console: a local console is used for entering basic network information during initial configuration. Once the system is configured, the local console can be used to access the text-based Command Line Interface (CLI) for collecting system information and performing additional configuration. The NSF console is not used to manage or install firewall policies.
- NSF Remote Console: for a list of trusted users, the administrator can separately allow or deny Telnet or Secure Shell (SSH) access to the NSF CLI, and HTTP or SSL access to the NSF Browser-Based Interface. Remote access can be used for collecting system information and performing additional configuration, but not to manage or install firewall policies.
- Check Point SMART Clients: SMART Client software, such as the SmartDashboard, can be installed on one or more administrator workstations on your network. This software provides a graphical user interface for creating, modifying, and monitoring firewall policies. For security, SMART Clients do not interact directly with the firewalls. Instead, any policy changes made in a SMART Client are forwarded to the SmartCenter Server, which then loads them onto the firewalls. For convenience, a SMART Client can be installed on the management station running the SmartCenter Server (see the Note below).
- Check Point SmartCenter Server management station: the management station running the SmartCenter Server holds the master policy database for all the firewalls in your network. Its job is to establish Secure Internal Communication (SIC) with each valid firewall and load the firewall with the appropriate security policies. The SmartCenter Server may instead be enabled on the firewall itself in the CLI Setup utility.

NOTE – If you have a second firewall in the cluster to implement an active-standby (high availability) or active-active firewall configuration, you must install the SmartCenter Server on a management station. In this case do not enable the SmartCenter Server on the firewall when prompted in Step 12 of the initial setup routine, which starts on page 37.


CHAPTER 2

Initial Setup

This chapter describes how to perform initial setup for a single-firewall configuration. A basic configuration is performed on a Nortel Switched Firewall that allows remote access by Telnet or SMART Client. Then the Check Point management tools are installed on a workstation. It is assumed that you have installed the Nortel Switched Firewall hardware as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C), including mounting the components, attaching network cables, turning on power, and connecting a console terminal.

The following topics are discussed in this chapter:

- "Basic Requirements" on page 34
- "Example Network" on page 35
- "Setting Up the Basic Configuration" on page 37
  - "Allowing SMART Client Access to the Firewall" on page 47
  - "Editing the Windows NT hosts file" on page 48
- "Installing Check Point Management Tools" on page 48
- "VLAN Tags" on page 66. VLAN tagging allows the Switched Firewall to forward VLAN-tagged packets to the appropriate workgroup.


Basic Requirements

The following are needed before configuring the Nortel Switched Firewall:

- Firewall hardware installed as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C). This includes mounting the components, attaching network cables, turning on power, and connecting a console terminal.
- A Check Point license for the firewall.
- One subnet assigned for internal Nortel Switched Firewall use. This subnet must provide the following IP addresses:
  - One Management IP (MIP) address.
  - An IP address for the firewall host.
  NOTE – The lowest address in the subnet (the network address) and the highest (the broadcast address) are reserved and must not be assigned to specific devices.
- A list of subnets that will be statically configured on the firewall for internal networks, plus the IP address of the internal router that handles routes for these networks.
- The IP address of the default gateway for data moving through the firewall to the Internet.
- An IP address reserved for the firewall on each trusted, untrusted, and semi-trusted subnet that will connect directly to the firewall.
- A SmartCenter Server and SMART Client on one of the networks attached to the firewall. You can install the SmartCenter Server on the Switched Firewall or on a remote management station (if you have two Switched Firewalls in the cluster, you must run the SmartCenter Server on the management station). You can install the SMART Client on the same machine as the SmartCenter Server, or on a separate machine that can reach the SmartCenter Server.
  NOTE – This release of the Switched Firewall supports Check Point FireWall-1 NG with Application Intelligence (R55) and Hotfix Accumulator 12 (HFA_12) software.
- Nortel Switched Firewall installed and running Firewall OS version 2.3.1 or higher.
  NOTE – Before upgrading the software on the firewall, you must perform the initial setup procedures as explained in this chapter. Once initial setup is complete, see Chapter 8, "Upgrading and Reinstalling the Software," on page 191 for more information.


Example Network

The example network in Figure 2-1 illustrates the procedure described in this chapter. Once the network information is collected, you can use the Setup utility to begin basic system configuration as described in "Setting Up the Basic Configuration" on page 37.

[Figure 2-1 Example Network: an NSF 5106, 5109, 5114, 5111-NE1, or 5114-NE1 with three connections. Port 1 (eth0) carries the Management Network: Host IP 192.168.1.2, MIP 192.168.1.1, gateway 172.25.3.23; the Check Point SmartCenter Server and SMART Client are at 192.168.1.3. Port 3 (eth2) is Interface 1, IP 10.3.0.1, attached to the Trusted Network 10.3.0.0/16, whose hosts use 10.3.0.1 as their gateway. Port 4 (eth3) is Interface 2, IP 172.25.3.10, attached to the Untrusted Network; the router's inside interface, 172.25.3.23, leads to the Internet.]

The components used to create the example network are described in the following sections.

Firewall Management Network

The management network is configured automatically when you run "Setting Up the Basic Configuration" on page 37.

NOTE – The management network port is for administrative purposes such as the Browser-Based Interface, Telnet, SSH, and the Check Point management tools such as the SmartCenter Server and the SMART Client (see "Installing Check Point Management Tools" on page 48).

- The host IP address in the example network is 192.168.1.2 and the Management IP (MIP) address is 192.168.1.1.
- The management network port in Figure 2-1 is configured on port 1 for the 5106 and 5114, and port 3 for the 5109.


NOTE – The MIP address supports firewall clustering with a redundant firewall in a high-availability (active-standby) or active-active failover configuration. For more information, see Chapter 5, "Redundant Firewalls" on page 97. Though you may have only one firewall in your system, you must still configure the MIP address. The management network can be configured on any port. The management port can be shared with other interfaces, provided the SSI network is configured on a VLAN on the management port.

NOTE – To provide a secure remote access path for a secondary SmartCenter Server or SMART Client, you can configure it on the Trusted Network.

SmartCenter Server

You can install the SmartCenter Server on the firewall host or on a Check Point management station. In this example, it is implemented on a Check Point management station, whose IP address is 192.168.1.3.

NOTE – If you have a second firewall in the cluster to implement a high-availability or active-active firewall configuration, you must install the SmartCenter Server on a management station. In that case, do not enable the SmartCenter Server on the firewall when prompted in Step 12 of the initial setup routine, which starts on page 37.

Trusted Network

- The Trusted Network's IP address range is 10.3.0.0/16.
- The Trusted Network connects to port 3, Interface 1 (on the 5109, port 1, Interface 1). The interface address is 10.3.0.1.

Untrusted Network (Internet)

- The firewall's default gateway IP address is 172.25.3.23. This is the upstream router's internal interface.
- The Untrusted Network connects to port 4, Interface 2 (on the 5109, port 2, Interface 2). The interface address is 172.25.3.10.


Setting Up the Basic Configuration

The console connection is used to access the Nortel Switched Firewall for the initial configuration.

1. Connect the console cable and start a console terminal.

   Connect the included console cable between the serial port on the firewall and the serial port of a computer running terminal emulation software, as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C). Press Enter on the console terminal to establish the connection. The Nortel Switched Firewall login prompt appears. Enter the default login name (admin) and the default password (admin). If the Nortel Switched Firewall is set to factory defaults, a special Setup utility menu appears:

     login: admin
     Password: admin            (not displayed)
     Switched Firewall
     HW platform: NSF 5114
     Software version 2.3.1
     ------------------------------------------------------------
     [Setup Menu]
     clone - Clone the configuration
     join  - Join an existing SFD cluster
     new   - Initialize host as a new installation
     boot  - Boot Menu
     info  - Information menu
     exit  - Exit [global command, always available]
     >> Setup#

   Use the clone command to restore the full configuration of a previous setup. The new firewall is a clone of the original and can replace the original firewall in the network. For more information on cloning, see Appendix B, "Backing Up and Cloning Configurations" on page 345.

2. Select a "new" installation.

     >> Setup# new
     Setup will guide you through the initial configuration of the iSD.


3. Enter the port number to be used for the management network.

     Enter port number for the management network [1-4]*: 1

4. Enter the host IP address for this firewall:

     Enter IP address for this machine: 192.168.1.2

   NOTE – The IP addresses shown here and in the following steps are taken from the example network on page 35. Enter the information for your own network configuration.

5. Enter the network mask for the entire subnet:

     Enter network mask [255.255.255.0]:

   In this example, the network is 192.168.1.0/24.

6. Enter the VLAN tag ID. Specify a VLAN tag ID for SSI (management) traffic:

     Enter VLAN tag id (or zero for no VLAN) [0]: 1

   The SSI management port can be shared across different interfaces. NSF 2.3.1 allows separate VLANs for SSI management traffic and data traffic on the same management port.

7. Enter the Management IP (MIP) address. This address must be in the same subnet as the firewall host IP address entered in Step 4.

     Enter the Management IP (MIP) address: 192.168.1.1
     Making sure the MIP does not exist...ok


8. Set your time zone by selecting a continent or ocean, then a country, then a region. For example:

     Timezone setting
      1 - Africa            6 - Atlantic Ocean
      2 - Americas          7 - Australia
      3 - Antarctica        8 - Europe
      4 - Arctic Ocean      9 - Indian Ocean
      5 - Asia             10 - Pacific Ocean
     Select a continent or an ocean, or enter a full timezone name: 2

     Countries:
      1 - Anguilla               18 - Ecuador                35 - Paraguay
      2 - Antigua & Barbuda      19 - El Salvador            36 - Peru
      3 - Argentina              20 - French Guiana          37 - Puerto Rico
      4 - Aruba                  21 - Greenland              38 - St Kitts & Nevis
      5 - Bahamas                22 - Grenada                39 - St Lucia
      6 - Barbados               23 - Guadeloupe             40 - St Pierre & Mique
      7 - Belize                 24 - Guatemala              41 - St Vincent
      8 - Bolivia                25 - Guyana                 42 - Suriname
      9 - Brazil                 26 - Haiti                  43 - Trinidad & Tobago
     10 - Canada                 27 - Honduras               44 - Turks & Caicos Is
     11 - Cayman Islands         28 - Jamaica                45 - United States
     12 - Chile                  29 - Martinique             46 - Uruguay
     13 - Colombia               30 - Mexico                 47 - Venezuela
     14 - Costa Rica             31 - Montserrat             48 - Virgin Islands (U
     15 - Cuba                   32 - Netherlands Antil      49 - Virgin Islands (U
     16 - Dominica               33 - Nicaragua
     17 - Dominican Republic     34 - Panama
     Select a country: 45

     Regions:
      1 - Adak                  Aleutian Islands
      2 - Anchorage             Alaska Time
      3 - Boise                 Mountain Time - south Idaho & east Oregon
      4 - Chicago               Central Time
      5 - Denver                Mountain Time
      6 - Detroit               Eastern Time - Michigan - most locations
      7 - Honolulu              Hawaii
      8 - Indiana/Knox          Eastern Standard Time - Indiana - Starke County
      9 - Indiana/Marengo       Eastern Standard Time - Indiana - Crawford County
     10 - Indiana/Vevay         Eastern Standard Time - Indiana - Switzerland Cnty
     11 - Indianapolis          Eastern Standard Time - Indiana - most locations
     12 - Juneau                Alaska Time - Alaska panhandle
     13 - Kentucky/Monticello   Eastern Time - Kentucky - Wayne County
     14 - Los_Angeles           Pacific Time
     15 - Louisville            Eastern Time - Kentucky - Louisville area
     16 - Menominee             Central Time - Michigan - Wisconsin border
     17 - New_York              Eastern Time
     18 - Nome                  Alaska Time - west Alaska
     19 - North_Dakota/Center   Central Time - North Dakota - Oliver County
     20 - Phoenix               Mountain Standard Time - Arizona
     21 - Shiprock              Mountain Time - Navajo
     22 - Yakutat               Alaska Time - Alaska panhandle neck
     Select a region: 17

9. Set the current date and time:

     Enter the current date (YYYY-MM-DD) [2004-01-05]:
     Enter the current time (HH:MM:SS) [13:14:09]:

10. Generate a new Secure Shell (SSH) host key for secure remote administration sessions:

     Generate new SSH host keys (yes/no) [yes]: y
     This may take a few seconds...ok

   Nortel Networks recommends generating a new SSH host key, so that the key identifying this firewall to SSH clients is unique to this unit.


11. Set the new administrator password. The default administrator password is admin; Nortel Networks recommends that you change it.

     Enter a password for the "admin" user:
     Re-enter to confirm:

12. Choose whether to enable the Check Point SmartCenter Server on the firewall.

   Setup gives you the option of configuring your Nortel Switched Firewall with or without a collocated SmartCenter Server. Enabling the SmartCenter Server on the Switched Firewall lets you use the interface without requiring Secure Internal Communication, and it does not require the second license that hosting the SmartCenter Server on the management station does. However, you may not want to use this option if you intend to install a second Switched Firewall in a cluster with this firewall. In that case, you must enter 1 or 3 at the prompt and install the SmartCenter Server on the management station. See the Check Point documentation for more information on Check Point Express.

   NOTE – If you install the SmartCenter Server on the firewall now, but decide later to add a second Switched Firewall to the cluster (to implement an active-standby (high-availability) or active-active firewall configuration), you must reimage your system and repeat Setup to uninstall the SmartCenter Server.

     Select installation type:
     1. Check Point Gateway
     2. Check Point Gateway and SmartCenter Server
     3. Check Point Express Gateway
     4. Check Point Express Gateway and SmartCenter Server
     Enter your selection: (1/2/3/4) [1]:

13. If you chose 2 or 4 in Step 12, enter the management server administrative password.

     Enter Check Point Primary SmartCenter Server admin password:
     Re-enter to confirm:


14. If you chose 1 or 3 in Step 12, you are prompted to set the Check Point Secure Internal Communication (SIC) one-time password. This password is required later, when you establish Secure Internal Communication between the external Check Point SmartCenter Server and the NSF. Check Point documentation refers to it as the "Authentication Key" (see page 367).

     Enter Check Point SIC one-time password:
     Re-enter to confirm:

15. Allow self-configuration to complete. Once the basic configuration information has been entered, the system begins a phase of self-configuration and initialization, during which a series of messages is displayed. The phase is complete when the following appears:

     Applying Check Point firewall and SmartCenter Server settings...
     Initializing system......ok
     Configuring firewall...Done
     Setup successful. System will reboot shortly.
     After reboot relogin to configure.
     login:

   Once Setup is complete, log in and configure the Check Point licenses as shown in the following section.

16. Install the firewall license. See "Installing Firewall License" on page 43.

17. Configure network interfaces and ports. See "Configuring Network Interfaces and Ports" on page 44.

18. (Optional) Allow SMART Client access to the firewall. See "Allowing SMART Client Access to the Firewall" on page 47.

This concludes the firewall basic configuration. You are now ready to proceed with the Check Point management station as described in "Installing Check Point Management Tools" on page 48.


Installing Firewall License

Once the Setup utility has been used for basic system configuration, the Setup menu is no longer displayed on subsequent logins. Instead, the CLI Main Menu is displayed:

     [Main Menu]
     info     - Information Menu
     cfg      - Configuration Menu
     boot     - Boot Menu
     validate - Validate configuration
     security - Display security status
     maint    - Maintenance Menu
     diff     - Show pending config changes      [global command]
     apply    - Apply pending config changes     [global command]
     revert   - Revert pending config changes    [global command]
     paste    - Restore saved config with key    [global command]
     help     - Show command help                [global command]
     exit     - Exit                             [global command, always available]
     >> Main#

Use the following CLI commands to install your Check Point licenses on the firewall host and to configure information about the network.

NOTE – The Switched Firewall ships with a 15-day trial license that auto-installs for a new or join installation. After the trial period ends, a license error appears when you try to push policies to the Switched Firewall. Additionally, each time you log into the SmartCenter Server, it displays a notification of how many days are left before the trial period ends.

If local licensing is used, enter the Check Point licensing information for the firewall.

NOTE – If central licensing is used, skip this step. With central licensing, the license is pushed from the Check Point SmartCenter Server in a later step.

The license information will be part of your Check Point package. The license(s) you received from Check Point should be specifically configured for your firewall host IP address.


Example:

- Expiry date: 01jan2005
- Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
- License string: aBXAVeTWHR-FyxKKcdej-QiiS89a6N-isMP6Ywnn

NOTE – Be sure to enter the information exactly as shown on your specific Check Point license.

     >> # /cfg/lic/pastelic
     List of current hosts:
     1: 192.168.1.2
     2: 192.168.1.100
     Choice: 1
     Enter the entire license string :cplic put 10.10.1.4 10Mar2005 auZgS2cQ-wUKedwp5Z-8ZinqozZ3-oM4yzDkid cpmp-eval-1-3des-ng CKC40DE4D769CE

Configuring Network Interfaces and Ports

Network interfaces and ports are configured in the following menu:

     >> Main# /cfg/net
     ------------------------------------------------------------
     [Network Configuration Menu]
     port    - Port Menu
     if      - Interface Menu
     bridge  - Bridge Configuration Menu
     vrrp    - VRRP Settings Menu
     gateway - Set default gateway address
     routes  - Routes Menu
     gre     - GRE Tunnel Menu
     ospf    - Open Shortest Path First (OSPF) Menu
     parp    - Proxy Arp Menu
     dhcprl  - DHCP Relay Menu

The rules for configuring networks and ports are as follows:

- The management network interface (not numbered) is reserved for the firewall's host IP address. The port that you assign to this interface may be used to attach network devices such as a management console, as long as the device is in the same IP network as the firewall's host IP address.
- You can configure one address per interface, with one network address range.


- You can assign a port to multiple interfaces (up to 255).
- Interfaces on the same port cannot share the same network.
- A network device that is connected to an interface should use the interface IP address as its default gateway. This directs its traffic through the firewall.

NOTE – The general guideline for port assignments is to reserve Gigabit Ethernet ports for firewall traffic and Fast Ethernet ports for management traffic.

The following procedure refers to the example network illustrated in Figure 2-1 on page 35.

1. The example network uses the following port assignments:

   - The Switched Firewall management network is on port 1. The management network was configured automatically when you ran the Setup utility described in "Setting Up the Basic Configuration" on page 37.
   - Interface 1 is for trusted (internal) network traffic and resides on port 3.
   - Interface 2 is for untrusted (external) network traffic and resides on port 4.

2. (Optional) Reset the firewall to factory defaults.

   If you are configuring the Switched Firewall for the first time, the unit is already set to factory defaults, so you may skip this step. If you want to discard a previous configuration, perform the following steps:

   a. Enter /boot/delete to reset the Switched Firewall to the factory default.
   b. Reboot the machine.
   c. Perform the initial setup procedure (see "Setting Up the Basic Configuration" on page 37).

3. Configure the ports and interfaces for the attached networks.

   NOTE – The port/interface assignments in the following commands refer to the configuration of the 5106 and 5114 in the Example Network in Figure 2-1 on page 35. If you are configuring a 5109, assign port 1 to Interface 1 (if_1) and port 2 to Interface 2 (if_2).

   Nortel recommends that you assign a descriptive name to each port so that it is easier to remember which port is assigned to a particular interface.


   When configuring interfaces, make sure that each interface IP address is within the same subnet as the network to which it is connected.

     >> Main# /cfg/net/port 3                  (Select the Port 3 Menu)
     >> Port 3# name if_1                      (Name this port for Interface 1)
     >> Port 3# apply                          (Apply the setting to the port)
     >> Port 3# /cfg/net/if 1                  (Select the Network Interface 1 Menu)
     >> Interface 1# addr1 10.3.0.1            (Set IP interface to Trusted Network)
     >> Interface 1# mask 16                   (Set 16-bit subnet mask)
     >> Interface 1# port 3                    (Assign this interface to port 3)
     >> Interface 1# ena                       (Enable Interface 1)

     >> /cfg/net/port 4                        (Select the Port 4 Menu)
     >> Port 4# name if_2                      (Name this port for Interface 2)
     >> Port 4# apply                          (Apply the setting to the port)
     >> Port 4# /cfg/net/if 2                  (Select the Network Interface 2 Menu)
     >> Interface 2# addr1 172.25.3.10         (Set IP interface to Untrusted Network)
     >> Interface 2# mask 24                   (Set 24-bit subnet mask)
     >> Interface 2# port 4                    (Assign this interface to port 4)
     >> Interface 2# ena                       (Enable Interface 2)

4. Configure a default gateway or static route for the external networks.

   Traffic headed to the Internet needs to be directed to its next hop. In this example, a default gateway is used. The default gateway address is the router's internal IP interface. Note that Interface 2 was configured to be on the same subnet as the default gateway:

     >> /cfg/net/gateway 172.25.3.23           (Set gateway IP address)
     >> Gateway Settings# apply                (Enable the gateway)

5. Allow a client workstation remote access to the firewall.

   In this step, you add the IP address of a client for remote management access such as Telnet, the Browser-Based Interface, or SSH (but not for SmartCenter Servers or SMART Clients). Entering a 32-bit mask limits access to that one IP address.

     >> /cfg/sys/accesslist                    (Select the Access List menu)
     >> Access List# add 10.3.0.2              (Enter IP address of remote client)
     Enter netmask: 255.255.255.255            (Limit access to this client only)

6. Apply the configuration changes:

     >> Access List# apply

   This command applies the pending configuration changes on the firewall.

7. Verify that the interfaces are correctly configured:

     >> Access List# /info/net/if
     Interface Information
     Id  Address          Port  Status   Vlan
     ==  ==============   ====  =======  ====
     1   10.3.0.1/16      3     Enabled  0
     2   172.25.3.10/24   4     Enabled  0
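The addressing rules in this chapter (host IP and MIP in one management subnet, neither the network nor the broadcast address; each interface address inside the subnet it attaches to; the default gateway on-link for an interface; no two interfaces on one port sharing a network; a 32-bit access-list mask when only one client is meant to get in) are easy to get wrong before the firewall itself rejects them. The following Python script is an added example, not part of this manual or of the NSF software: it checks an addressing plan written as a plain dictionary (a layout chosen here, not an NSF format) against those rules, using the Figure 2-1 addresses as constructed sample input.

```python
"""Added example (not from the Nortel manual): sanity-check an NSF addressing
plan before typing it into the Setup utility and the /cfg/net menus.

The plan layout is this script's own. The values are the example network of
Figure 2-1 in the manual.
"""

from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample input: the Figure 2-1 example network.
EXAMPLE_PLAN = {
    "management": {"host": "192.168.1.2", "mip": "192.168.1.1", "mask": "255.255.255.0"},
    "interfaces": [
        {"id": 1, "addr": "10.3.0.1", "prefix": 16, "port": 3, "network": "10.3.0.0/16"},
        {"id": 2, "addr": "172.25.3.10", "prefix": 24, "port": 4, "network": "172.25.3.0/24"},
    ],
    "gateway": "172.25.3.23",
    "access_list": [{"addr": "10.3.0.2", "mask": "255.255.255.255"}],
}


def check_plan(plan):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []

    # Management network: host IP and MIP must be distinct, inside the subnet,
    # and neither may be the network (lowest) or broadcast (highest) address.
    mgmt = plan["management"]
    mgmt_net = ip_network(f"{mgmt['host']}/{mgmt['mask']}", strict=False)
    for label in ("host", "mip"):
        addr = ip_address(mgmt[label])
        if addr not in mgmt_net:
            problems.append(f"{label} {addr} is outside management subnet {mgmt_net}")
        elif addr in (mgmt_net.network_address, mgmt_net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {mgmt_net}")
    if mgmt["host"] == mgmt["mip"]:
        problems.append("host IP and MIP must differ")

    # Interfaces: the address/prefix must describe the network it attaches to,
    # and two interfaces on the same port may not share a network.
    seen = {}
    for itf in plan["interfaces"]:
        iface = ip_interface(f"{itf['addr']}/{itf['prefix']}")
        attached = ip_network(itf["network"])
        if iface.network != attached:
            problems.append(f"interface {itf['id']} {iface} is not in {attached}")
        key = (itf["port"], str(iface.network))
        if key in seen:
            problems.append(
                f"interfaces {seen[key]} and {itf['id']} share {iface.network} on port {itf['port']}"
            )
        seen[key] = itf["id"]

    # Default gateway: must be directly reachable through some interface.
    gw = ip_address(plan["gateway"])
    if not any(gw in ip_interface(f"{i['addr']}/{i['prefix']}").network for i in plan["interfaces"]):
        problems.append(f"gateway {gw} is not on-link for any interface")

    # Access list: flag entries wider than /32, since the manual's intent is one client each.
    for entry in plan["access_list"]:
        net = ip_network(f"{entry['addr']}/{entry['mask']}", strict=False)
        if net.prefixlen != 32:
            problems.append(f"access-list entry {net} admits {net.num_addresses} hosts, not one")

    return problems


if __name__ == "__main__":
    for line in check_plan(EXAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
```

Run it on your own plan before step 3; every line it prints corresponds to a rule stated earlier in this procedure, so an empty result means the CLI commands can be entered as written. The access-list check is deliberately strict: widen it only when you really intend to admit a whole subnet to Telnet, SSH, or the BBI.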

Allowing SMART Client Access to the Firewall

The following procedure gives firewall access to a Check Point SMART Client when the SmartCenter Server is enabled on the firewall.

1. At the firewall CLI, log in as admin and add the SMART Client's IP address:

     >> Main# /cfg/fw/client/add 192.168.1.3   (SMART Client IP address)
     >> Main# apply

2. Restart the firewall service so that the change takes effect:

     >> Main# /cfg/fw/dis
     >> Firewall Configuration# apply
     >> Firewall Configuration# /cfg/fw/ena
     >> Firewall Configuration# apply

   Allow several minutes for the FireWall-1 services to stop before entering /cfg/fw/ena.

3. Launch the Check Point SmartDashboard to connect to the SmartCenter Server.


Installing Check Point Management Tools

The Nortel Switched Firewall uses standard Check Point software tools to install, maintain, and monitor firewall policies. The following Check Point tools must be installed on appropriate administrator workstations in your network:

- Check Point SmartCenter Server: the SmartCenter Server is the central database for your Switched Firewall system. It establishes secure communication with your firewalls, stores firewall policies, and uploads the policies to the firewalls as necessary. The SmartCenter Server may be enabled on the firewall during initial setup (see page 41).
- Check Point SMART Clients: SMART Clients interface with the SmartCenter Server to provide a graphical user interface for creating, editing, updating, and monitoring firewall security policies. The SMART Client software can be installed on administrative workstations in your network or on the same workstation as the SmartCenter Server.

NOTE – If you have already enabled the SmartCenter Server in the initial setup (Step 12 on page 41), or if you have installed an appropriate SmartCenter Server and SmartDashboard on workstations in your network, proceed to "Defining a Firewall Object in the SmartDashboard" on page 58.

Editing the Windows NT hosts file

For Windows NT-based installations, edit the Windows NT hosts file to include the firewall information. This allows the Check Point management station to resolve the firewall's name to its IP address. Nortel Networks recommends that you edit the hosts file before you install the Check Point management station software. Edit the c:\winnt\system32\drivers\etc\hosts file on the Check Point SmartCenter Server and add one line with the firewall IP address and name. For example, to associate the firewall "isd1" with its host IP address, enter the following:

     192.168.1.2 isd1


Installing Check Point SmartCenter Server and SmartConsole

This procedure outlines how to install the Check Point management tools (SmartCenter Server and SmartConsole) for VPN-1 Pro NG with Application Intelligence (R55). Before you begin installation, make sure your management station meets or exceeds the minimum requirements listed below:

• Operating System: Refer to the Check Point Release Notes at http://www.checkpoint.com

• Processor: Intel Pentium II 300 MHz or better

• Disk space: 40 MB

• Memory: 256 MB

• Check Point Management Suite software (R55)

• Access to the management network on the Firewall

The following procedure describes the installation on a Windows management station:

1. Launch the Check Point Management Suite setup program on the management station. The installation program begins with this screen prompt:

   You may choose either Check Point Enterprise/Pro or Check Point Express, but be sure you match the selection you made in Step 12 on page 41 during the initial setup procedure for the firewall host. For a description of the Check Point Enterprise/Pro and Express features, go to this link on the Check Point Web site: http://www.checkpoint.com/products/smartcenter/index.html

2. After choosing the installation option, click Next.

3. When prompted, select New Installation, then click Next:

4. When prompted, select SmartCenter (optional) and SmartConsole, then click Next.

   Check SmartCenter if you selected 1 or 3 in Step 12 on page 41; do not check SmartCenter if you selected 2 or 4. The SmartConsole selection includes all of the GUI Client tools you need for the SMART Client that administers the Check Point features on the firewall.

   NOTE – You can have multiple SMART Clients by installing the SmartConsole components on additional workstations separate from the primary management workstation. For these instances, do not select SmartCenter.

5. When prompted, select Primary SmartCenter, then click Next.

   NOTE – This screen appears only if you checked the SmartCenter box in Step 4 on page 50.

6. The Information screen confirms the product choices you have made. If these are correct, click Next.

   At this point, the program will install the SVN Foundation software (standard), SmartCenter (if selected) and SmartConsole components. The installation status is displayed in the Installation Status window.

7. When prompted, click Next to continue.

8. When prompted, click Next to continue.

9. When prompted, specify the SmartConsole components to be installed:

   Check Point Enterprise/Pro preselects all of the SmartConsole components. Check Point Express preselects the top four components. See Step 1 on page 49.

   NOTE – Backward compatibility is a standard feature that is installed in the background.

10. When prompted, specify a valid Check Point license for the SmartCenter Server. Select the Fetch From File... or Add... button (below, left) and specify the appropriate license data (below, right):

    When you have entered the license data, click OK, and Next.

11. When prompted, click the Add… button (below, left) and enter login information for SmartCenter administrators (below, right):

    When you have entered the administrator information, click OK and Next.

12. When prompted, add any remote GUI Clients (also known as SMART Clients):

    Enter localhost or the host’s IP address if the GUI client is on the same host as the SmartCenter Server. Also specify the DNS hostname or IP address of other management clients that will be permitted to interface with this management station. Click Next to continue.

13. When prompted, type random characters for the cryptographic seed:

    NOTE – Do not type the characters quickly. When overfilled, the input buffer may take a few moments to process.

    When the cryptographic seed is generated, click Next to continue.

14. Initialize the Internal Certificate Authority (ICA). This creates a Secure Internal Communication (SIC) certificate for the Management Server to use when authenticating communications between Check Point components. Enter a name for the CA and press . Once the Internal CA Status changes to Initialized, click Next.

15. Record the SmartCenter Server fingerprint by clicking Export to file….

    As a security measure, this fingerprint will be required in a later step to ensure that no one has impersonated the administrator. Press Finish to continue.

16. When prompted, reboot the management station:

    Once the station is rebooted, installation of the SmartCenter Server and SmartConsole is complete.

17. Use the SmartDashboard to define a firewall object. See “Defining a Firewall Object in the SmartDashboard” on page 58.

18. Create a firewall policy test rule. See “Creating a Firewall Policy Test Rule” on page 63.

19. Install firewall security rules. See “Creating and Installing Firewall Security Rules” on page 65.

This concludes installing and configuring the Management station tools.

Defining a Firewall Object in the SmartDashboard

1. Launch the SmartDashboard software by clicking Start | Programs | Check Point SmartConsole R55 | SmartDashboard.

2. Log in using an administrator account:

   Enter one of the user name/password combinations configured during the installation of the Management Server tools in Step 11 on page 54. Also specify the IP address of the SmartCenter Server and click OK.

   NOTE – Be sure you have added this IP address in the client access list to allow SMART Client access to the firewall (see Step 1 on page 47).

3. Verify the Check Point fingerprint.

   At this point, the SmartDashboard will contact the Management Server. Since this is the first contact, you will be prompted to verify the current fingerprint:

   Verify that the fingerprint is the same as the one obtained during installation of the Management Server tools in Step 15 on page 57, then click Approve.

4. Create a new Gateway object to represent the newly installed Firewall. From the SmartDashboard Network Objects pane, right-click on the Check Point object, then select New Check Point | Gateway… Select Classic Mode when the Check Point installed Gateway creation window appears.

5. Define the Firewall object parameters:

   Enter the following information:

   • Name: If this is a Windows NT machine, use the name you specified in “Editing the Windows NT hosts file” on page 48. Otherwise just type in a name (isd1 in the example).

   • IP Address: The address of the newly installed Firewall. In our example, the address is 192.168.1.2.

   • Check Point Products:
     - Version: Select NG with Application Intelligence.
     - List Window: Check FireWall

6. Click on the Communication button in the General Properties window (see Step 5 on page 58). The Communications window appears (below, left):

   Enter the Activation Key (the SIC password) and click Initialize. The SmartCenter Server will contact the Firewall and exchange security information. When successful, the window will indicate “Trust established” (above, right). Press Close.

7. Get the interfaces for the Firewall object. Select the Topology section of the Check Point Gateway window and click Get…, then select Interfaces with Topology… This will retrieve the interfaces you configured on the firewall and topology information (under the IP Addresses behind interfaces header).

   NOTE – The topology information is needed to install Check Point policies on the configured firewall interfaces.

   The interfaces eth0, eth2, and eth3 refer to port 1, port 3, and port 4, respectively.

8. Click OK to close the Check Point Gateway window.

9. From the SmartDashboard menu bar, select File | Save.

Creating a Firewall Policy Test Rule

At this point in the initial setup, Nortel Networks recommends a test to ensure that the system components are properly configured. For this test, create a policy rule that will allow any and all traffic to pass through the firewall. Later, once the firewall operation is confirmed, you can remove this test policy and create firewall security rules that will restrict undesirable traffic.

From the SmartDashboard menu bar, select Rules | Add Rule | Top. A new rule will be added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic from any source to any destination will not pass through the firewall.

Change the action of the new rule to “accept” by right-clicking on the “drop” action icon and selecting “accept” as the new action from the pop-up list.

Also change the Track setting to “log” by right-clicking on the “none” setting and selecting “log” as the new track setting from the pop-up list.

10. Push the policies to the Firewall. From the menu bar, select Policy | Install. When the Install Policy window appears, select the Firewall object and click on OK.

    NOTE – If your system has an active-standby (high-availability) or active-active configuration, go to Policy | Global Properties | NAT - Network Address Translation and deselect Automatic ARP configuration before you push policies for the first time. Otherwise the Proxy ARP module will not work properly.

    If the Check Point antispoofing feature is not enabled, a warning message will appear. See your Check Point documentation to determine whether antispoofing is necessary for your firewall.

11. If the effort to push policies fails, press Show Errors… (below left).

    A common cause of errors is an expired license (above right). If this is the case, update the license on the SmartCenter Server using SmartUpdate and push policies again.

12. Use the SmartView Tracker program to confirm proper operation of the Firewall. The SmartView Tracker lists all traffic being processed, accepted, dropped, and so on. To confirm that the Nortel Switched Firewall is properly configured, select the SmartView Tracker Active Mode. Use a client station to ping the firewall. If the SmartView Tracker displays an entry for the ping traffic, the configuration is good.

    NOTE – The SmartView Tracker is an excellent tool for debugging and enhancing your security rules. See your Check Point documentation for complete details.

13. Use the SmartDashboard to remove the test rule generated in “Creating a Firewall Policy Test Rule” on page 63.

Creating and Installing Firewall Security Rules

The rules you apply to your security policy will depend on the security needs of your network. In general, you should drop all traffic that is not specifically required. See the Check Point documentation for more information about creating and maintaining effective security policies.

VLAN Tags

Virtual LAN (VLAN) tags configured on a Switched Firewall interface allow the VLAN-configured hosts on that interface to participate as VLAN members. This example describes a Switched Firewall configuration that includes VLANs on a DMZ network.

Figure 2-2 shows Internet connectivity through a single gateway on port 4, an internal network on port 1 that uses public addresses, a trusted network that uses public addresses on port 3, and multiple DMZs using private IP addresses on port 2. The DMZs are connected to the Switched Firewall using a single 802.1Q VLAN Tagged Trunk. The VLANs are used to isolate traffic from different security zones. A Layer 2 switch is configured with port-based VLAN access ports and VLAN Tagged Trunks that uplink to the Switched Firewall.

The VLANs map directly to interfaces (which represent subnets) on the Switched Firewall. This allows you to apply policies on a per-VLAN basis. Multiple VLANs can be used on multiple tagged connections up to the number of available interfaces on the Switched Firewall (255). The vlanid (see the “Interface Menu” on page 289) must match the VLAN tag on the respective VLAN.

NOTE – If the vlanid is 0, VLAN tagging is disabled for that interface.

[Figure 2-2 DMZ Network with VLAN Tagging. The figure shows the firewall cluster (Cluster MIP 10.10.1.33, Host 1 ip 10.10.1.193), the SmartCenter Server and SMART Client at 10.10.1.200, and these interfaces:
  if 1: port 4, ena y, addr1 47.133.63.99, addr2 0.0.0.0, vlanid 0 (Internet)
  if 2: port 2, ena y, addr1 192.168.0.1, mask 255.255.255.0, addr2 0.0.0.0, vlanid 10 (DMZ A / vlan 10)
  if 3: port 2, ena y, addr1 192.168.2.1, mask 255.255.255.0, addr2 0.0.0.0, vlanid 11 (DMZ B / vlan 11, end-hosts)
  if 33: port 3, ena y, addr1 33.1.1.10, addr2 0.0.0.0, vlanid 0]

Layer 2 Switch Configuration

To ensure that each of the DMZ areas is privately and securely connected to the Switched Firewall, the following configuration steps must be taken on the layer 2 switches:

• Configure DMZ access ports on the layer 2 switch as members of the corresponding VLAN. In this example, DMZ A is VLAN ID 10; DMZ B is VLAN ID 11. The switch must add a VLAN tag to untagged frames entering the port.

• Configure the trunk (uplink) port as a member of each DMZ VLAN and as a tagged trunk port.

• Disable any unused ports and filter any tagged traffic on ports that are not VLAN members.

• Ensure that auto-learning is disabled on the trunk port and the MAC address of the Switched Firewall is configured on the switch.

If VLANs are configured on the interface, then TAG is always enabled. A Windows PC connected directly to such an interface must therefore send 802.1Q-tagged frames itself; alternatively, you can add an 802.1Q-capable Layer 2 switch between the PC and the firewall.

SmartDashboard Configuration

Prior to performing these steps, ensure that the Check Point SmartCenter Server is configured and trust is established between the SmartCenter Server and the firewall host. You must configure the topology and define interface properties for the firewall. Ensure that the interface (47.133.63.99) facing the Internet is defined as “external.” Make sure that the other networks are defined as “internal” with addresses behind the gateway defined by the interface IP and netmask. Also, name the networks as follows for use in the SmartDashboard:

• 10.10.1.0: “NSF-Private”

• 33.1.1.0: “Intranet”

• 47.133.63.0: “Internet”

• 192.168.0.0: “DMZ-1”

• 192.168.2.0: “DMZ-2”

Create a network object for the public web server in DMZ-1 by right-clicking in the network topology window and selecting New Network Object > Workstation. Enter DMZ1-WWW for the name and 192.168.0.1 for the IP address. Create a network object for the public web server in DMZ-2 by right-clicking in the network topology window and selecting New Network Object > Workstation. Enter DMZ2-WWW for the name and 192.168.2.1 for the IP address.

The rules required for your application depend on specific application needs.

Switched Firewall Configuration

Below is a dump of the Switched Firewall configuration for the example in Figure 2-2:

/cfg
/cfg/sys
/cfg/sys/time
        tzone "America/Montreal"
/cfg/sys/time/ntp
/cfg/sys/dns
/cfg/sys/cluster
        mip 10.10.1.10
/cfg/sys/cluster/host 1
        ip 10.10.1.6
/cfg/sys/accesslist
        add 47.0.0.0 255.0.0.0
        add 131.149.195.0 255.255.255.0
/cfg/sys/adm
        idle 10m
/cfg/sys/adm/telnet
        ena n
/cfg/sys/adm/ssh
        ena n
/cfg/sys/adm/web
/cfg/sys/adm/web/http
        port 80
        ena y
/cfg/sys/adm/web/ssl
        port 443
        ena n
        tls y
        sslv2 y
        sslv3 y
/cfg/sys/adm/web/ssl/certs
/cfg/sys/adm/web/ssl/certs/serv
/cfg/sys/adm/web/ssl/certs/ca
/cfg/sys/adm/snmp
        ena n
        model v2c
        level auth
        access d
        events n
        alarms n
        rcomm public
/cfg/sys/adm/snmp/users
/cfg/sys/adm/snmp/hosts
/cfg/sys/adm/snmp/system
/cfg/sys/adm/snmp/adv
        trapsrcip auto
/cfg/sys/log
        debug n
        srcip auto
/cfg/sys/log/syslog
/cfg/sys/log/ela
        ena n
        addr 0.0.0.0
        sev err
/cfg/sys/log/arch
        email none
        smtp 0.0.0.0
        int "1, 0"
        size 0
/cfg/sys/user
        expire 0
/cfg/net
/cfg/net/port 1
        name "Host Port"
        autoneg on
        speed 0
        mode full
/cfg/net/port 2
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 3
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 4
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/if 1
        addr1 47.133.63.99
        addr2 0.0.0.0
        mask 255.255.255.0
        vlanid 0
        port 4
        ena y
/cfg/net/if 1/vrrp
        vrid 1
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 2
        addr1 192.168.0.1
        addr2 0.0.0.0
        mask 255.255.255.0
        vlanid 10
        port 2
        ena y
/cfg/net/if 2/vrrp
        vrid 2
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 3
        addr1 192.168.2.1
        addr2 0.0.0.0
        mask 255.255.255.0
        vlanid 11
        port 2
        ena y
/cfg/net/if 3/vrrp
        vrid 3
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 33
        addr1 33.1.1.10
        addr2 0.0.0.0
        mask 255.255.255.0
        vlanid 0
        port 3
        ena y
/cfg/net/if 33/vrrp
        vrid 3
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/vrrp
        ha n
        aa n
        adint 3
        garp 1
        gbcast 2
/cfg/net/adv
/cfg/net/adv/route
        gateway 0.0.0.0
/cfg/net/adv/route/ospf
        rtrid 0.0.0.0
        spf "5, 10"
        ena n
/cfg/net/adv/route/ospf/if 1
        aindex 0
        prio none
        cost none
        hello 10
        dead 40
        trans 1
        retra 5
        auth none
        md5key "1, "
        ena n
/cfg/net/adv/route/routes
/cfg/net/adv/parp
        enable n
/cfg/net/adv/parp/list
/cfg/pnp
/cfg/fw
        ena y
/cfg/fw/sync
        ena n
/cfg/fw/client
/cfg/misc
        warn y

(Identical /cfg/../../../ospf configurations for if 1, 2, 3, 33; only if 1 is shown.)
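The configuration dump is flat text: a menu path on its own line, followed by that menu's settings. The following Python script is an added example, not part of the Nortel documentation or product, that parses a dump in this format and applies the rules stated under “VLAN Tags” (vlanid 0 disables tagging, each vlanid must match a VLAN carried by the Layer 2 trunk, at most 255 interfaces). The two checks on interfaces that share one port (a duplicated vlanid, or more than one untagged interface) are consistency checks added here rather than rules quoted from the manual. The embedded dump text is a constructed excerpt carrying the interface values of Figure 2-2.

```python
"""Parse a Switched Firewall /cfg dump and check the VLAN-to-interface rules.

Added example; it is not Nortel code. SAMPLE_DUMP is a constructed excerpt in
the same format as the page's dump, carrying the interface values of Figure 2-2.
"""
import re
from collections import defaultdict

MAX_INTERFACES = 255  # limit stated in the VLAN Tags section

SAMPLE_DUMP = """\
/cfg/net/port 2
        name none
        autoneg on
/cfg/net/if 1
        addr1 47.133.63.99
        mask 255.255.255.0
        vlanid 0
        port 4
        ena y
/cfg/net/if 1/vrrp
        vrid 1
/cfg/net/if 2
        addr1 192.168.0.1
        mask 255.255.255.0
        vlanid 10
        port 2
        ena y
/cfg/net/if 3
        addr1 192.168.2.1
        mask 255.255.255.0
        vlanid 11
        port 2
        ena y
/cfg/net/if 33
        addr1 33.1.1.10
        mask 255.255.255.0
        vlanid 0
        port 3
        ena y
"""


def parse_cfg_dump(text):
    """Return {menu path: [(setting, value), ...]}.

    A line starting with '/' opens a menu (e.g. '/cfg/net/if 2'); every other
    non-blank line is a 'setting value' pair belonging to the current menu.
    Values stay strings, and repeated settings (such as accesslist 'add')
    are preserved in order rather than overwritten.
    """
    cfg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            cfg.setdefault(current, [])
        elif current is None:
            raise ValueError("setting appears before any menu path: %r" % line)
        else:
            key, _, value = line.partition(" ")
            cfg[current].append((key, value))
    return cfg


def interfaces(cfg):
    """{interface number: {setting: value}} for each '/cfg/net/if N' menu
    (sub-menus such as '/cfg/net/if 1/vrrp' are deliberately excluded)."""
    result = {}
    for path, settings in cfg.items():
        match = re.fullmatch(r"/cfg/net/if (\d+)", path)
        if match:
            result[int(match.group(1))] = dict(settings)
    return result


def check_vlan_layout(cfg):
    """Findings that would make the per-VLAN policy mapping ambiguous."""
    findings = []
    ifs = interfaces(cfg)
    if len(ifs) > MAX_INTERFACES:
        findings.append("%d interfaces exceed the limit of %d" % (len(ifs), MAX_INTERFACES))
    by_port = defaultdict(list)
    for num, s in ifs.items():
        if s.get("ena") == "y":
            by_port[s.get("port")].append((num, int(s.get("vlanid", "0"))))
    for port, members in sorted(by_port.items()):
        untagged = sorted(n for n, v in members if v == 0)   # vlanid 0: tagging disabled
        tagged = [v for _, v in members if v != 0]
        if len(untagged) > 1:
            findings.append("port %s: interfaces %s are all untagged" % (port, untagged))
        dups = sorted({v for v in tagged if tagged.count(v) > 1})
        if dups:
            findings.append("port %s: VLAN ids %s assigned to more than one interface" % (port, dups))
    return findings


def check_trunk_match(cfg, port, trunk_vlans):
    """Each tagged interface's vlanid must match a VLAN the Layer 2 trunk carries.
    Returns (vlanids with no trunk VLAN, trunk VLANs with no interface)."""
    configured = {int(s["vlanid"]) for s in interfaces(cfg).values()
                  if s.get("port") == port and s.get("ena") == "y" and s.get("vlanid", "0") != "0"}
    return sorted(configured - set(trunk_vlans)), sorted(set(trunk_vlans) - configured)


if __name__ == "__main__":
    cfg = parse_cfg_dump(SAMPLE_DUMP)
    print("interfaces:", sorted(interfaces(cfg)))
    print("layout findings:", check_vlan_layout(cfg))
    print("trunk check (port 2, VLANs 10/11):", check_trunk_match(cfg, "2", {10, 11}))
```

Run against the full dump above, the script reports no findings and confirms that the two tagged interfaces on port 2 match a trunk carrying VLANs 10 and 11; a trunk configured for a VLAN that has no interface, or an interface whose vlanid the trunk does not carry, shows up in the second check.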

CHAPTER 3

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a large TCP/IP network. Without DHCP, the IP address must be entered manually for each network device. DHCP allows a network administrator to distribute IP addresses from a central point and automatically send a new IP address when a device is connected to a different place in the network.

DHCP is an extension of another network IP management protocol, Bootstrap Protocol (BOOTP), with an additional capability of being able to dynamically allocate reusable network addresses and configuration parameters for client operation. Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server, thereby reducing network administration. The most significant configuration the client receives from the server is its required IP address (other optional parameters include the “generic” file name to be booted, the address of the default gateway, and so forth).

The Nortel Networks DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them. Without the DHCP relay agent, there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request.

DHCP Relay Agent

DHCP is described in RFC 2131, and the DHCP relay agent supported on the Nortel Switched Firewall is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period, allowing reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network.

In the DHCP environment, the Nortel Switched Firewall acts as a relay agent. The DHCP relay feature (/cfg/net/dhcprl) enables the firewall to forward a client request for an IP address to DHCP servers with IP addresses that have been configured on the Nortel Switched Firewall. When the Nortel Switched Firewall receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the request is then forwarded as a UDP unicast MAC layer message to DHCP servers whose IP addresses are configured on the firewall. The servers respond with a UDP unicast message back to the firewall, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the Nortel Switched Firewall that received the client request. This interface address tells the Nortel Switched Firewall on which VLAN to send the server response to the client.

Configuring for DHCP Relay Agent

To enable the Nortel Switched Firewall to be the DHCP forwarder, you need to configure the DHCP server IP addresses on the firewall. You must enable DHCP relay on the interface connected to the client subnet. The following figure shows a basic DHCP network example:

[Figure 3-1 DHCP Relay Agent Configuration: a DHCP Client (Boston), the Nortel Switched Firewall acting as DHCP Relay Agent, and a DHCP Server 10.1.1.2 (Atlanta); the addresses shown in the figure are 20.1.1.1 and the network 10.1.1.0.]

The client request is forwarded to all DHCP servers configured on the firewall. The use of two servers provides failover redundancy, but you can configure up to eight DHCP servers. However, no health checking is supported. DHCP Relay functionality is assigned on a per-interface basis. At least one server and one interface must be enabled for DHCP, otherwise the configuration fails validation.

Use the following commands to configure the Nortel Switched Firewall as a DHCP relay agent:

1. Enable DHCP Relay globally.

   >> # /cfg/net/dhcprl
   >> DHCP Relay# ena

2. Configure DHCP requests to enter on this interface.

   >> DHCP Relay# if 1
   >> DHCP Relay Interface 1# ena                      (Allow DHCP requests)

3. Configure DHCP server information.

   >> # /cfg/net/dhcprl/server 1
   >> DHCP Server 1# addr 10.1.1.1                      (Set IP address of 1st DHCP server)
   >> DHCP Server 1# ena                                (Enable the DHCP server)
   >> DHCP Server 1# ../server 2
   >> DHCP Server 2# addr 10.1.1.2                      (Set IP address of 2nd DHCP server)
   >> DHCP Server 2# ena                                (Enable the DHCP server)

4. Display current configuration.

   >> # /cfg/net/dhcprl/cur                             (Display current configuration)

5. Apply and save the changes.

   >> DHCP Relay# apply
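To show what the relay described under “DHCP Relay Agent” does with a client request and a server reply, the following Python model is an added example, not Nortel code. It applies the validation rule above (at least one enabled server and one enabled interface, at most eight servers), sets giaddr to the address of the receiving interface, forwards the request to every enabled server as a unicast, and uses giaddr in the reply to pick the interface on which to deliver it. The servers 10.1.1.1 and 10.1.1.2 come from the CLI steps; the interface address 20.1.1.1 is assumed here to be the relay's client-facing interface (the figure shows the address but not which side), and the DHCPDISCOVER packet is constructed.

```python
"""DHCP/BOOTP relay agent behaviour as described in the DHCP Relay Agent section.

Added example; it is not Nortel code. The servers 10.1.1.1 / 10.1.1.2 come from
the CLI steps; the client-facing interface address 20.1.1.1 is an assumption
taken from Figure 3-1; the client packet is constructed here.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68   # client -> relay/server, server -> client
MAX_SERVERS = 8                     # limit stated in the text
MAX_HOPS = 16                       # RFC 1542: discard requests relayed more than this

# Fixed 236-byte BOOTP header (RFC 951): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


class ValidationError(ValueError):
    pass


class DhcpRelay:
    def __init__(self, enabled, interfaces, servers):
        self.enabled = enabled
        self.interfaces = interfaces   # {if number: (address, enabled)}
        self.servers = servers         # [(address, enabled), ...]
        self.validate()

    def validate(self):
        """Same rule the firewall applies: with relay enabled, at least one
        server and one interface must be enabled, and at most eight servers."""
        if not self.enabled:
            return
        if len(self.servers) > MAX_SERVERS:
            raise ValidationError("more than %d DHCP servers" % MAX_SERVERS)
        if not any(en for _, en in self.servers):
            raise ValidationError("no DHCP server enabled")
        if not any(en for _, en in self.interfaces.values()):
            raise ValidationError("no interface enabled for DHCP relay")

    def relay_request(self, ifnum, packet):
        """Client broadcast on UDP 67 received on interface ifnum.
        Returns [(server address, packet to unicast), ...]; [] means dropped."""
        addr, if_enabled = self.interfaces.get(ifnum, (None, False))
        if not (self.enabled and if_enabled):
            return []
        fields = list(HEADER.unpack_from(packet))
        op, hops, giaddr = fields[0], fields[3], fields[10]
        if op != BOOTREQUEST or hops > MAX_HOPS:
            return []
        # giaddr names the receiving interface: the server replies to it, and it
        # later tells the relay which interface (VLAN) the client is on. A giaddr
        # already set by an upstream relay is left alone (RFC 1542).
        if giaddr == b"\0\0\0\0":
            fields[10] = ipaddress.IPv4Address(addr).packed
        fields[3] = hops + 1
        out = HEADER.pack(*fields) + packet[HEADER.size:]
        return [(srv, out) for srv, en in self.servers if en]

    def relay_reply(self, packet):
        """Server unicast reply: returns the interface number whose address
        matches giaddr (where the client is sent the reply on port 68), or None."""
        fields = HEADER.unpack_from(packet)
        if fields[0] != BOOTREPLY:
            return None
        giaddr = str(ipaddress.IPv4Address(fields[10]))
        for ifnum, (addr, en) in self.interfaces.items():
            if en and addr == giaddr:
                return ifnum
        return None


def config_is_valid(enabled, interfaces, servers):
    try:
        DhcpRelay(enabled, interfaces, servers)
        return True
    except ValidationError:
        return False


def build_discover(xid, mac, hops=0):
    """Constructed DHCPDISCOVER: BOOTREQUEST header, magic cookie, option 53=1, end."""
    header = HEADER.pack(BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def giaddr_of(packet):
    return str(ipaddress.IPv4Address(HEADER.unpack_from(packet)[10]))


# Relay configured as in the CLI steps: relay enabled, interface 1 facing the
# client subnet (address 20.1.1.1 assumed from Figure 3-1), two servers.
RELAY = DhcpRelay(True, {1: ("20.1.1.1", True)},
                  [("10.1.1.1", True), ("10.1.1.2", True)])

if __name__ == "__main__":
    for server, pkt in RELAY.relay_request(1, build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55")):
        print("unicast to %s:%d with giaddr %s" % (server, SERVER_PORT, giaddr_of(pkt)))
```

Because the relay forwards to every enabled server without health checking, a client may receive several offers; the model returns one forward per server so that the fan-out is visible. A request arriving on an interface that is not enabled for relay is dropped rather than forwarded.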

CHAPTER 4

Open Shortest Path First

The Nortel Switched Firewall 2.3.1 supports the Open Shortest Path First (OSPF) routing protocol. This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss current OSPF support:

• “OSPF Overview” on page 76. This section provides information on OSPF concepts: types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.

• “NSF 2.3.1 OSPF Implementation” on page 81. This section gives you information specific to the Nortel Switched Firewall implementation of OSPF: configuration parameters, electing the designated router, summarizing routes, and so forth.

• “OSPF Configuration Examples” on page 87. This section provides detailed instructions for configuring a simple OSPF domain.
  - “Example 1: Configuring a Simple OSPF Domain” on page 87
  - “Example 2: Configuring GRE Tunnel” on page 89
  - “Example 3: Configuring Failover” on page 92

OSPF Overview

OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby significantly reducing the overhead for maintaining routing information on a large, dynamic network. The NSF 2.3.1 high-availability solution is supported in an OSPF network. The following sections describe key OSPF concepts.

Types of OSPF Areas

An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone is the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. As shown in Figure 4-1 on page 77, OSPF defines the following types of areas:

• Stub Area—an area that is connected to only one other area. External route information is not distributed into stub areas.

• Not-So-Stubby-Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but are not distributed into other areas.

• Transit Area—an area that allows area summary information to be exchanged between routing devices. The backbone (area 0) and any area that is not a stub area or an NSSA are considered transit areas.

[Figure 4-1 OSPF Area Types: Backbone Area 0 (also a transit area) linked by ABRs to a Stub Area (internal LSA routes; no external routes from backbone), a Transit Area, and a Not-So-Stubby Area (NSSA) whose ASBR carries external LSA routes from a non-OSPF area (RIP/BGP AS); a stub area, NSSA, or transit area may be connected to the backbone via a virtual link. ABR = Area Border Router; ASBR = Autonomous System Boundary Router.]

Types of OSPF Routing Devices

As shown in Figure 4-2, OSPF uses the following types of routing devices:

• Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.

• Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.

• Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes.

[Figure 4-2 OSPF Domain and an Autonomous System: the OSPF Autonomous System contains Backbone Area 0 and Areas 1, 2, and 3 joined by ABRs that exchange inter-area routes (summary routes); an Internal Router sits within Area 2; ASBRs exchange external routes with BGP and RIP domains.]

Neighbors and Adjacencies

In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each other’s health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors.

Adjacencies are neighbors that exchange OSPF database information. In order to limit the number of database exchanges, not all neighbors in an area (IP network) become adjacent to each other. Instead, the hello process is used for electing one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR). The DR is adjacent to all other neighbors and acts as the central contact for database exchanges. Each neighbor sends its database information to the DR, which relays the information to the other neighbors.

Because of the overhead required for establishing a new DR in case of failure, the hello process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR will take over the task of distributing database information to the other neighbors.
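The neighbor conditions above (common segment, same area, matching hello and dead intervals, matching authentication) can be checked directly against the fields of a received Hello. The following Python is an added example, not Nortel code: it parses an OSPFv2 Hello packet (RFC 2328 packet layout), verifies the header checksum, and compares the sender's parameters with a local interface. LOCAL uses the hello 10 / dead 40 / auth none values and area index 0 from the OSPF interface settings in the configuration dump on page 70 together with the host 1 address 10.10.1.6; the Hello packets are constructed.

```python
"""Parse OSPFv2 Hello packets and decide whether the sender can become a neighbor.

Added example; it is not Nortel code. LOCAL carries the values of the page's
OSPF interface configuration (hello 10, dead 40, auth none, area index 0) and
the address/mask of host 1 in the configuration dump; the packets are built here.
"""
import ipaddress
import struct

OSPF_HELLO = 1
# 24-byte OSPFv2 header: version, type, length, router id, area id, checksum,
# authentication type, 8 bytes of authentication data (RFC 2328 A.3.1).
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# Hello body: network mask, hello interval, options, router priority,
# router dead interval, designated router, backup designated router; then
# the list of neighbors already seen (4 bytes each).
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")
AUTH_TYPES = {0: "none", 1: "simple", 2: "md5"}

LOCAL = {"address": "10.10.1.6", "mask": "255.255.255.0", "area": "0.0.0.0",
         "hello": 10, "dead": 40, "auth": "none"}


def ospf_checksum(pkt):
    """Standard one's-complement checksum over the packet with the checksum
    field zeroed and the 8-byte authentication field excluded."""
    data = pkt[:12] + b"\0\0" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip(b):
    return str(ipaddress.IPv4Address(b))


def parse_hello(pkt):
    """Return the Hello fields as a dict; raise ValueError on anything malformed."""
    if len(pkt) < OSPF_HDR.size + HELLO_FIXED.size:
        raise ValueError("truncated packet")
    version, ptype, length, rid, aid, csum, autype, _auth = OSPF_HDR.unpack_from(pkt)
    if version != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length > len(pkt) or length < OSPF_HDR.size + HELLO_FIXED.size:
        raise ValueError("bad length field")
    if ospf_checksum(pkt[:length]) != csum:
        raise ValueError("checksum mismatch")
    mask, hello, options, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    first = OSPF_HDR.size + HELLO_FIXED.size
    neighbors = [ip(pkt[i:i + 4]) for i in range(first, length - 3, 4)]
    return {"router_id": ip(rid), "area": ip(aid), "auth": AUTH_TYPES.get(autype, str(autype)),
            "mask": ip(mask), "hello": hello, "dead": dead, "priority": prio,
            "options": options, "dr": ip(dr), "bdr": ip(bdr), "neighbors": neighbors}


def neighbor_eligible(local, hello, src_ip):
    """The text's conditions: same segment, same area, same hello/dead
    intervals and same authentication. Returns (ok, list of mismatches)."""
    reasons = []
    if hello["area"] != local["area"]:
        reasons.append("area %s != %s" % (hello["area"], local["area"]))
    if hello["hello"] != local["hello"]:
        reasons.append("hello interval %d != %d" % (hello["hello"], local["hello"]))
    if hello["dead"] != local["dead"]:
        reasons.append("dead interval %d != %d" % (hello["dead"], local["dead"]))
    if hello["auth"] != local["auth"]:
        reasons.append("authentication %s != %s" % (hello["auth"], local["auth"]))
    segment = ipaddress.IPv4Network("%s/%s" % (local["address"], local["mask"]), strict=False)
    if hello["mask"] != local["mask"] or ipaddress.IPv4Address(src_ip) not in segment:
        reasons.append("not on the same network segment as %s" % segment)
    return (not reasons, reasons)


def build_hello(router_id, area, mask, hello, dead, priority, autype=0, neighbors=()):
    """Constructed Hello with a valid checksum (authentication data left zero)."""
    body = HELLO_FIXED.pack(ipaddress.IPv4Address(mask).packed, hello, 0x02, priority, dead,
                            b"\0" * 4, b"\0" * 4)
    body += b"".join(ipaddress.IPv4Address(n).packed for n in neighbors)
    header = OSPF_HDR.pack(2, OSPF_HELLO, OSPF_HDR.size + len(body),
                           ipaddress.IPv4Address(router_id).packed,
                           ipaddress.IPv4Address(area).packed, 0, autype, b"\0" * 8)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def hello_is_valid(pkt):
    try:
        parse_hello(pkt)
        return True
    except ValueError:
        return False
```

A Hello that fails any of the comparisons is simply not answered, which is why a device with a mismatched dead interval or authentication type never appears in the neighbor list even though its packets arrive; logging the reasons returned here is the quickest way to find such a mismatch.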

The Link-State Database

OSPF is a link-state routing protocol. A link represents an interface (or routable path) from the routing device. By establishing an adjacency with the DR, each routing device in an OSPF area maintains an identical Link-State Database (LSDB) describing the network topology for its area. Each routing device transmits a Link-State Advertisement (LSA) on each of its interfaces. LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute LSAs between routing devices. When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors.

OSPF routing updates occur only when changes occur, instead of periodically. For each new route, if an adjacency is interested in that route (for example, if configured to receive static routes and the new route is indeed static), an update message containing the new route is sent to the adjacency. For each route removed from the route table, if the route has already been sent to an adjacency, an update message containing the route to withdraw is sent.

The Shortest Path First Tree

The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth.
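The following Python is an added example, not Nortel code, of the SPF calculation described above: Dijkstra's algorithm run from the firewall over a constructed link-state database, producing the cost and next hop to every router, and the set of entries that change when a link is withdrawn (the only entries an OSPF update would carry, since updates are sent only on change). Router names and costs are constructed for illustration.

```python
"""Shortest Path First tree (Dijkstra) over a link-state database.

Added example; it is not Nortel code. The LSDB below is constructed: each
router lists its links with their interface costs, lower cost meaning the
higher-bandwidth link as the text describes.
"""
import heapq

LSDB = {
    "FW": {"R1": 1, "R2": 10},
    "R1": {"FW": 1, "R3": 5},
    "R2": {"FW": 10, "R3": 1},
    "R3": {"R1": 5, "R2": 1, "R4": 1},
    "R4": {"R3": 1},
}


def spf_tree(lsdb, root):
    """Dijkstra from root. Returns (cost to each reachable router,
    next hop from root towards each router)."""
    cost = {root: 0}
    next_hop = {}
    pending = [(0, root, None)]          # (cumulative cost, router, first hop)
    done = set()
    while pending:
        c, node, via = heapq.heappop(pending)
        if node in done:
            continue                     # stale entry; a cheaper path was already settled
        done.add(node)
        if via is not None:
            next_hop[node] = via
        for nb, link_cost in lsdb.get(node, {}).items():
            candidate = c + link_cost
            if candidate < cost.get(nb, float("inf")):
                cost[nb] = candidate
                heapq.heappush(pending, (candidate, nb, nb if via is None else via))
    return cost, next_hop


def routing_table(lsdb, root):
    """{destination: (next hop, cumulative cost)} as installed from the SPF tree."""
    cost, next_hop = spf_tree(lsdb, root)
    return {dst: (next_hop[dst], cost[dst]) for dst in next_hop}


def without_link(lsdb, a, b):
    """Copy of the LSDB with the a<->b link withdrawn (as after a failed interface)."""
    new = {r: dict(links) for r, links in lsdb.items()}
    new.get(a, {}).pop(b, None)
    new.get(b, {}).pop(a, None)
    return new


def route_changes(old, new):
    """Entries an update would carry: OSPF sends updates only for routes that
    changed or were withdrawn. Maps destination -> (old entry, new entry)."""
    return {dst: (old.get(dst), new.get(dst))
            for dst in set(old) | set(new) if old.get(dst) != new.get(dst)}


if __name__ == "__main__":
    before = routing_table(LSDB, "FW")
    after = routing_table(without_link(LSDB, "R1", "R3"), "FW")
    for dst, (hop, c) in sorted(before.items()):
        print("%s via %s cost %d" % (dst, hop, c))
    print("after R1-R3 fails:", route_changes(before, after))
```

With these costs the path to R2 goes through R1 and R3 (cost 7) rather than over the direct but expensive link (cost 10), which is the effect of cost being tied to bandwidth rather than hop count; when the R1-R3 link is withdrawn, only the entries for R2, R3 and R4 change, and those are all that an update needs to carry.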

Open Shortest Path First „ 79 213455-K, June 2005

Nortel Switched Firewall 2.3.1 User’s Guide and Command Reference

Authentication

OSPF also supports per-packet authentication (see "Authentication" on page 85) and sends its protocol packets to IP multicast addresses (224.0.0.5 for all OSPF routers and 224.0.0.6 for the DR and BDR). Devices that are not running OSPF do not subscribe to these groups and can discard the packets without processing them.

Internal Versus External Routing

To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2.

It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing. Typically, an AS will have one or more border routers (peer routers that exchange routes with other autonomous systems) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS.

When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination.


NSF 2.3.1 OSPF Implementation

The following sections describe details on the OSPF implementation in the Nortel Switched Firewall:

- "Configurable Parameters" on page 81
- "Defining Areas" on page 82
- "Interface Cost" on page 84
- "Electing the Designated Router and Backup" on page 84
- "Router ID" on page 84
- "Authentication" on page 85
- "GRE Tunnel Support" on page 86
- "OSPF Features Not Supported in This Release" on page 86

Configurable Parameters

In the Nortel Switched Firewall 2.3.1, OSPF parameters can be configured through the Command Line Interface (CLI) or Browser-Based Interface (BBI). The CLI supports the following parameters: interface output cost, interface priority, dead and hello intervals, retransmission interval, and interface transmit delay. In addition, you can specify the Shortest Path First (SPF) interval, the time between successive calculations of the shortest path tree using Dijkstra's algorithm.


Defining Areas

If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into the other areas. Since the backbone connects the areas in your network, it must be a contiguous area.

NOTE – Nortel Switched Firewall does not support virtual links or backbone partitioning (which requires virtual links to ensure that all parts of the AS are reachable).

Up to 17 OSPF areas (0-16) can be connected to a Nortel Switched Firewall cluster. To configure an area, the OSPF area must be defined and then attached to a network interface on the Nortel Switched Firewall. The full process is explained in the following sections.

An OSPF area is defined by assigning two pieces of information: an area index and an area ID. The command to define an OSPF area is as follows:

>> # /cfg/net/ospf/aindex <index>/id <area ID>

NOTE – The aindex option above is an arbitrary index used only on the Nortel Switched Firewall and does not represent the actual OSPF area number. The actual OSPF area number is defined in the id portion of the command as will be explained below.

Assigning the Area Index

The aindex option is just an arbitrary index (1-16) used only by the Nortel Switched Firewall. This index does not necessarily represent the OSPF area number. For example, the following command defines OSPF area 1, because that information is held in the area ID portion of the command, even though the arbitrary area index does not agree with the area ID:

>> # /cfg/net/ospf/aindex 2/id 0.0.0.1    (Use index 2 to set area 1)

NOTE – The backbone area 0 (aindex 0) is automatically configured as a transit area with id 0.0.0.0.


Using the Area ID to Assign the OSPF Area Number

The OSPF area number is defined in the id option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF network vendors. There are two valid ways to designate an area ID:

- Placing the area number in the last octet (0.0.0.n). Most OSPF vendors express the area ID as a single number. For example, the Cisco IOS-based router command "network 1.1.1.0 0.0.0.255 area 1" defines the area number simply as "area 1." On a Nortel Switched Firewall, using the last octet in the area ID, "area 1" is equivalent to "id 0.0.0.1".

- Multi-octet (IP address). Some OSPF vendors express the area ID in multi-octet format. For example, "area 2.2.2.2" is a valid area ID and can be specified directly on a Nortel Switched Firewall as "id 2.2.2.2". The area ID is a 32-bit value and the two notations are only different ways of writing it, so 2.2.2.2 is not the same area as "area 2" (0.0.0.2); routers configured with the two values will not form an adjacency.

NOTE – Although both types of area ID formats are supported, be sure that the area IDs are in the same format throughout an area.

Attaching an Area to a Network

Once an OSPF area has been defined, it must be associated with a network. To attach the area to a network, you must assign the OSPF area index to an IP interface that participates in the area. The format for the command is as follows:

>> # /cfg/net/ospf/if <interface>/aindex <index>

For example, the following commands could be used to configure IP interface 14 with address 10.10.10.1 on the 10.10.10.0/24 network, to define OSPF area 1 using index 2 on the Nortel Switched Firewall, and to attach the area to the network:

>> # /cfg/net/if 14                       (Select menu for IP interface 14)
>> Interface 14# addr1 10.10.10.1         (Define IP address on the 10.10.10.0/24 network)
>> Interface 14# ena                      (Enable IP interface 14)
>> Interface 14# ../ospf/aindex 2         (Select menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.1         (Define area ID as OSPF area 1)
>> OSPF Area Index 2 # ena                (Enable area index 2)
>> OSPF Area Index 2 # ../if 14           (Select OSPF menu for interface 14)
>> OSPF Interface 14# aindex 2            (Attach area to network interface 14)
>> OSPF Interface 14# ena                 (Enable interface 14 for area index 2)


Interface Cost

The OSPF link-state algorithm (Dijkstra's algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface: low cost indicates high bandwidth. You can manually enter the cost for the output route with the following commands:

>> # /cfg/net/ospf/if <interface>
>> # cost <cost>
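The SPF computation referred to here and in "The Shortest Path First Tree" above, shown as an added example that is not part of the guide or of the Nortel software: a Python implementation of Dijkstra's algorithm over a constructed link-state database, with a cost_from_bandwidth helper that derives an interface cost from bandwidth. The guide gives no formula, so the 100 Mbit/s reference bandwidth is an assumption (it is the common vendor convention). Raising the cost on one interface moves the computed path, which is what the cost command above does.

```python
import heapq

# Constructed link-state database (not from the guide). Each entry is
# (router, interface_cost, neighbour); costs are directional, like OSPF
# interface costs, and apply to traffic leaving that router.
LSDB = [
    ("FW", 1, "R1"), ("FW", 10, "R2"),
    ("R1", 1, "FW"), ("R1", 1, "R3"),
    ("R2", 10, "FW"), ("R2", 1, "R3"),
    ("R3", 1, "R1"), ("R3", 1, "R2"), ("R3", 1, "R4"),
    ("R4", 1, "R3"),
]

# Assumed reference bandwidth (100 Mbit/s); the guide does not specify one.
REFERENCE_BANDWIDTH = 100_000_000


def cost_from_bandwidth(bits_per_second):
    """Inverse-bandwidth cost: higher bandwidth gives a lower cost, minimum 1."""
    return max(1, REFERENCE_BANDWIDTH // bits_per_second)


def spf(lsdb, root):
    """Dijkstra's algorithm with `root` at the top of the tree.

    Returns {destination: (cumulative_cost, [root, ..., destination])}.
    """
    adjacency = {}
    for src, cost, dst in lsdb:
        adjacency.setdefault(src, []).append((cost, dst))

    best = {root: (0, [root])}
    heap = [(0, root)]
    while heap:
        dist, node = heapq.heappop(heap)
        if dist > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for cost, nxt in adjacency.get(node, []):
            candidate = dist + cost
            if nxt not in best or candidate < best[nxt][0]:
                best[nxt] = (candidate, best[node][1] + [nxt])
                heapq.heappush(heap, (candidate, nxt))
    return best


def with_cost(lsdb, router, neighbour, new_cost):
    """Return a copy of the LSDB with one interface cost changed (the `cost` command)."""
    return [(s, new_cost if (s, d) == (router, neighbour) else c, d)
            for s, c, d in lsdb]


if __name__ == "__main__":
    print(spf(LSDB, "FW")["R4"])                          # cheapest path via R1
    print(spf(with_cost(LSDB, "FW", "R1", 50), "FW")["R4"])  # now via R2
```

With the default database the firewall reaches R4 through R1 at cost 3; after the FW-to-R1 interface cost is raised to 50, the same destination is reached through R2 at cost 12. Every router runs the same calculation over the identical LSDB, which is why a cost change on one interface has to be thought of as a change to every router's tree, not just the local one.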

Electing the Designated Router and Backup

On any broadcast network segment with two or more OSPF routing devices, a Designated Router (DR) is elected as the central contact for database exchanges among neighbors, and a Backup Designated Router (BDR) is elected in case the DR fails. DR and BDR elections are made through the hello process. The election can be influenced by assigning a priority value to the OSPF interfaces. The commands are as follows:

>> # /cfg/net/ospf/if <interface>
>> # prio <priority>

A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the highest router ID wins (RFC 2328, section 9.4). The election does not preempt: a router that is already DR keeps the role even if a neighbor with a higher priority later joins the segment.
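The election described above, implemented as an added example that is not part of the guide or of the Nortel software. It follows RFC 2328 section 9.4 as seen from one router: priority 0 routers are excluded, the BDR is chosen first among routers not claiming to be DR, a router already claiming DR is kept (no preemption), ties go to the highest router ID, and if the calculating router's own role changes the two steps are repeated so that a new DR is no longer a BDR candidate. The Hello record and the router IDs and priorities used are constructed for the example.

```python
from dataclasses import dataclass, replace

NONE = "0.0.0.0"


@dataclass(frozen=True)
class Hello:
    """What a neighbour currently claims in its Hello packets on this segment."""
    rid: str
    priority: int
    dr: str = NONE   # router ID it lists as DR, NONE if none
    bdr: str = NONE  # router ID it lists as BDR, NONE if none


def rid_value(rid):
    """Router ID as a 32-bit integer so IDs compare numerically, not as strings."""
    a, b, c, d = (int(octet) for octet in rid.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _rank(hello):
    # Highest priority wins; a tie goes to the highest router ID (RFC 2328 9.4).
    return (hello.priority, rid_value(hello.rid))


def _steps_2_and_3(routers):
    # Step 2: BDR comes from routers that do not claim to be DR, preferring
    # those that already claim to be BDR.
    pool = [r for r in routers if r.dr != r.rid]
    declared_bdr = [r for r in pool if r.bdr == r.rid]
    bdr = max(declared_bdr or pool, key=_rank, default=None)
    # Step 3: DR is the best router claiming DR; if none claims it, the new BDR.
    declared_dr = [r for r in routers if r.dr == r.rid]
    dr = max(declared_dr, key=_rank, default=None) or bdr
    return dr, bdr


def elect(self_rid, hellos):
    """Run the election as router `self_rid` sees it. Returns (DR, BDR) router IDs."""
    routers = [h for h in hellos if h.priority > 0]  # Step 1: priority 0 is ineligible
    dr, bdr = _steps_2_and_3(routers)

    me = next((h for h in routers if h.rid == self_rid), None)
    if me is not None:
        # Step 4: if our own role changed, update what we would now claim and
        # repeat steps 2 and 3, so a new DR is excluded from the BDR pool.
        now = replace(me,
                      dr=self_rid if dr is me else NONE,
                      bdr=self_rid if (bdr is me and dr is not me) else NONE)
        if now != me:
            routers = [now if r is me else r for r in routers]
            dr, bdr = _steps_2_and_3(routers)

    return (dr.rid if dr else NONE, bdr.rid if bdr else NONE)


if __name__ == "__main__":
    segment = [Hello("10.0.0.1", 100), Hello("10.0.0.2", 100),
               Hello("10.0.0.3", 255), Hello("10.0.0.4", 0)]
    print(elect("10.0.0.3", segment))   # ('10.0.0.3', '10.0.0.2')
```

In the first constructed case the priority-255 router becomes DR, the two priority-100 routers tie and the higher router ID becomes BDR, and the priority-0 router is never considered. In the second, a router with priority 1 that already claims DR keeps the role when a priority-200 router appears: the newcomer only becomes BDR, which is why a planned DR must be configured before the segment comes up rather than relying on priority alone.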

Router ID

Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be configured in one of the following two ways:

- Statically. Use the following command to manually configure the router ID:

>> # /cfg/net/ospf/rtrid1

- Dynamically. OSPF uses the lowest IP interface address as the router ID. This is the default. To return to a dynamic router ID after having set it statically, set the router ID to 0.0.0.0 and reboot the Nortel Switched Firewall.

A dynamically chosen router ID changes whenever an interface with a lower address is added, and a change of router ID drops all OSPF adjacencies, so set it statically once the firewall is in production.


Authentication

OSPF protocol exchanges are authenticated so that only trusted devices can participate. The Nortel Switched Firewall 2.3.1 supports simple authentication (type 1, plain text passwords) and MD5 cryptographic authentication (type 2, a keyed MD5 digest appended to each packet so that the key itself never appears on the wire) among neighboring routing devices in an area. All routers on a segment must use the same authentication type and key.

Simple Authentication

OSPF simple passwords are configured and enabled individually for each defined interface. The plain text password is up to eight characters long and is carried unencrypted in the header of every OSPF packet, so anyone who can capture traffic on the segment can read it. Simple authentication therefore protects against accidental adjacencies with misconfigured routers, not against an attacker on the link; prefer MD5 where the neighbor supports it. For interfaces, the following CLI commands can be used:

>> # /cfg/net/ospf/if <interface>          (Select OSPF interface)
>> OSPF Interface# auth password|none      (Set simple authentication on/off)
>> OSPF Interface# key <password>          (Set type 1 password)

MD5 Authentication

OSPF MD5 authentication appends a keyed MD5 digest to each packet, so a neighbor cannot be accepted, and a packet cannot be altered, without knowledge of the key; a cryptographic sequence number in the header also rejects replayed packets that carry an older sequence number. To preserve security, MD5 keys should be changed periodically. Because this release supports only one MD5 key per OSPF interface (see "OSPF Features Not Supported in This Release" on page 86), a key change must be made on both neighbors together and can interrupt the adjacency while the keys differ. MD5 passwords are configured and enabled individually for each defined interface, and are defined with a key ID (1-255) and a password up to 16 characters. For interfaces, the following CLI commands can be used:

>> # /cfg/net/ospf/if <interface>          (Select OSPF interface)
>> OSPF Interface# auth md5|none           (Set MD5 on/off)
>> OSPF Interface# md5key <key ID> <password>   (Set MD5 ID and password)
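The two authentication types above, shown on the wire as an added example that is not part of the guide or of the Nortel software. The code builds an OSPF Hello with type 1 authentication and reads the password straight out of bytes 16-23, then builds and verifies a type 2 packet the way RFC 2328 Appendix D specifies: the digest is MD5 over the packet followed by the 16-byte key, so the key never leaves the router, and the receiver rejects a wrong key, a modified byte, an unknown key ID, and a sequence number that goes backwards. The Hello field values, router IDs and keys are constructed; the IP checksum is left at zero, which the RFC requires for type 2 anyway.

```python
import hashlib
import hmac
import struct

OSPF_V2, HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24


def ip4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def hello_body(mask, hello_interval, priority, dead_interval):
    # Hello payload: network mask, HelloInterval, options (E bit), router
    # priority, RouterDeadInterval, DR and BDR (unknown here, so 0.0.0.0).
    return struct.pack("!4sHBBI4s4s", ip4(mask), hello_interval, 0x02, priority,
                       dead_interval, ip4("0.0.0.0"), ip4("0.0.0.0"))


def header(rid, area, autype, auth_field, body_len):
    # version, type, length, router ID, area ID, checksum (0), AuType, 8-byte auth field
    return struct.pack("!BBH4s4sHH8s", OSPF_V2, HELLO, HEADER_LEN + body_len,
                       ip4(rid), ip4(area), 0, autype, auth_field)


def build_simple(rid, area, body, password):
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("type 1 password is at most 8 bytes")
    return header(rid, area, AUTH_SIMPLE, pw.ljust(8, b"\0"), len(body)) + body


def password_from_wire(pkt):
    """A type 1 password sits in clear text in bytes 16..23 of every packet."""
    return pkt[16:24].rstrip(b"\0").decode()


def md5_auth_digest(pkt_without_digest, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the 16-byte key
    # (shorter keys zero-padded). The key itself is never transmitted.
    k = key.encode()
    if len(k) > 16:
        raise ValueError("MD5 key is at most 16 bytes")
    return hashlib.md5(pkt_without_digest + k.ljust(16, b"\0")).digest()


def build_md5(rid, area, body, key_id, key, seq):
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)  # reserved, key ID, len, seq
    pkt = header(rid, area, AUTH_CRYPTO, auth_field, len(body)) + body
    return pkt + md5_auth_digest(pkt, key)  # digest is appended, not counted in length


def verify_md5(wire, keys, last_seq):
    """Receiver check. keys: {key_id: key}; last_seq: {router_id: seq}, updated on success."""
    if len(wire) < HEADER_LEN + 16:
        return False
    version, _ptype, length = struct.unpack("!BBH", wire[:4])
    autype, = struct.unpack("!H", wire[14:16])
    if version != OSPF_V2 or autype != AUTH_CRYPTO or len(wire) != length + 16:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    key = keys.get(key_id)
    if key is None or auth_len != 16:
        return False
    pkt, digest = wire[:length], wire[length:]
    if not hmac.compare_digest(digest, md5_auth_digest(pkt, key)):
        return False  # wrong key, or the packet was modified in transit
    rid = wire[4:8]
    if seq < last_seq.get(rid, 0):
        return False  # sequence number went backwards: replayed packet
    last_seq[rid] = seq
    return True
```

The RFC makes the sequence check non-decreasing rather than strictly increasing, so a copy of the most recent packet is still accepted; implementations mitigate this by using a clock as the sequence number. The digest is a key-appended MD5, not an HMAC, which is why RFC 5709 later added HMAC-SHA authentication for OSPFv2; on a platform that offers only the two types shown here, MD5 remains the one to use.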


GRE Tunnel Support

NSF 2.3.1 supports Generic Routing Encapsulation (GRE) on all firewalls. GRE is a point-to-point tunneling protocol that takes packets from one network system and places them inside packets of another network system, between two peer end points. Typically, GRE is used to transport legacy Layer 3 protocols over an IP backbone. In this release, NSF supports GRE for OSPF only. You can configure up to 5 GRE tunnels on an OSPF network. All GRE-OSPF packets are forwarded to the Management IP address (MIP). If the GRE traffic is carried inside IPsec, the Check Point software decrypts the IPsec packets and the decapsulated GRE-OSPF packets are then forwarded to the MIP. GRE itself provides no confidentiality, integrity or peer authentication: when the tunnel crosses an untrusted network such as the Internet (see Figure 4-4), protect it with IPsec and use OSPF MD5 authentication so that a third party cannot read or inject routes. In this release, static GRE routes cannot be propagated in the unicast route table using the CLI. GRE loopback interfaces are also not supported. To configure a GRE tunnel in an OSPF network, see "Example 2: Configuring GRE Tunnel" on page 89.

OSPF Features Not Supported in This Release

- Filtering OSPF routes
- Stub and NSSA areas
- Load balancing of equal-cost routes. During traffic forwarding, if the first configured equal-cost route is deleted, the next in line is selected.
- Using OSPF to forward multicast routes
- Virtual links
- Multiple MD5 keys per OSPF interface
- Route maps
- Summarizing routes
- Host routes
- Redistribution of OSPF connected interfaces


OSPF Configuration Examples

A summary of the basic steps for configuring OSPF on the Nortel Switched Firewall is listed here. Detailed instructions for each of the steps are covered in the following sections:

1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the Nortel Switched Firewall.
2. Enable OSPF on the Nortel Switched Firewall.
3. Define the OSPF areas.
4. Configure OSPF interface parameters. IP interfaces are used for attaching networks to the various areas.

Example 1: Configuring a Simple OSPF Domain

In this example, two OSPF areas are defined: one area is the backbone and the other is area 1, configured with the transit type. Figure 4-3 labels area 1 a stub area. In a stub area, external routes are not advertised into the area, which keeps its database small; a default route (0.0.0.0) is injected instead, so traffic for destinations outside the area is forwarded to the area's interface and on into the backbone. This release does not support stub areas (see "OSPF Features Not Supported in This Release" on page 86), so the area is configured as type transit and will carry external routes.

Figure 4-3 A Simple OSPF Domain (figure; recoverable labels):
  Backbone, Area 0 (0.0.0.0): IF 1, 10.10.7.1, Network 10.10.7.0/24
  Area 1 (0.0.0.1), labelled "Stub Area": IF 2, 10.10.12.1, Network 10.10.12.0/24

Follow this procedure to configure OSPF support as shown in Figure 4-3:


1. Configure IP interfaces on each network that will be attached to OSPF areas.

In this example, two IP interfaces are needed: one for the backbone network on 10.10.7.0/24 and one for the area 1 network on 10.10.12.0/24.

>> # /cfg/net/if 1                        (Select menu for IP interface 1)
>> Interface 1 # addr1 10.10.7.1          (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0       (Set IP mask on backbone network)
>> Interface 1 # ena                      (Enable IP interface 1)
>> Interface 1 # ../if 2                  (Select menu for IP interface 2)
>> Interface 2 # addr1 10.10.12.1         (Set IP address on area 1 network)
>> Interface 2 # mask 255.255.255.0       (Set IP mask on area 1 network)
>> Interface 2 # ena                      (Enable IP interface 2)

2. Enable OSPF.

>> Interface 2 # /cfg/net/ospf/ena        (Enable OSPF on the firewall)

3. Define area 1.

>> OSPF # aindex 2                        (Select menu for area index 2)
>> OSPF Area index 2 # id 0.0.0.1         (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # type transit       (Define area as transit type)
>> OSPF Area index 2 # ena                (Enable the area)

4. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1            (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena                 (Enable the backbone interface)

5. Attach the network interface to area 1.

>> OSPF Interface 1 # ../if 2             (Select OSPF menu for IP interface 2)
>> OSPF Interface 2 # aindex 2            (Attach network to area 1)
>> OSPF Interface 2 # ena                 (Enable the area 1 interface)

6. Apply the configuration changes.

>> OSPF Interface 2 # apply

7. Verify OSPF support.

Use the /info/net/route/ospf menu to verify OSPF support on your Switched Firewall.

Example 2: Configuring GRE Tunnel

Figure 4-4 on page 89 shows two Nortel Switched Firewalls, ASF-California and ASF-New York, configured for GRE tunneling support. The two firewalls tunnel OSPF packets inside GRE, so the routers on the Internet between them do not need to run OSPF or see the OSPF exchange. In Figure 4-4 the OSPF network is on the GRE interface 50.1.1.0/24; the GRE tunnel end points are on physical interface 3 of each firewall.

Figure 4-4 Configuring for GRE Tunnel Support (figure; recoverable labels):
  NSF California, Switched Firewall 5114: If 3: 30.1.1.1/8 (adjacent address 30.1.1.2/8); GRE 1: SIP 50.1.1.1, DIP 50.1.1.2, Remote address 20.1.1.1
  NSF New York, Switched Firewall 5114: If 3: 20.1.1.1/8 (adjacent address 20.1.1.2/8); GRE 1: SIP 50.1.1.2, DIP 50.1.1.1, Remote address 30.1.1.1
  The GRE tunnel runs across the Internet between the two If 3 end points; the OSPF network is the GRE interface.

To configure GRE tunneling support, follow these steps on the ASF-California and ASF-New York firewalls:

1. Configure the two firewalls, ASF-California and ASF-New York, for basic operation:

- Configure IP interfaces.
- Define the OSPF areas.
- Configure OSPF interface parameters.
- Enable OSPF on the GRE interface (do not enable OSPF on physical interface 3).


2. Configure GRE tunnel 1 on ASF-California.

>> # /cfg/net/gre 1                       (Select GRE tunnel 1)
>> GRE 1# name tunnel_one                 (Assign a name for GRE 1)
>> GRE 1# phyif 3                         (Assign physical interface for GRE 1)
>> GRE 1# remoteaddr 20.1.1.1             (Assign GRE tunnel end point of ASF-New York)
>> GRE 1# sip 50.1.1.1                    (Assign source IP address)
>> GRE 1# dip 50.1.1.2                    (Assign destination IP address)
>> GRE 1# mask 255.255.255.255            (Assign the mask)
>> GRE 1# ena y                           (Enable GRE 1)

NOTE – A physical interface must be configured for the GRE tunnel end points. In Figure 4-4, physical interface 3 is configured for each of the GRE tunnel end points, 20.1.1.1 and 30.1.1.1.

3. Enable OSPF on ASF-California.

>> # /cfg/net/ospf                        (Select OSPF menu)
>> OSPF# ena y                            (Enable OSPF)

4. Enable GRE 1 for OSPF on ASF-California.

>> # /cfg/net/ospf/gre 1                  (Select GRE 1)
>> GRE 1# ena y                           (Enable GRE for OSPF routes)

5. Configure GRE tunnel 1 on ASF-New York.

>> # /cfg/net/gre 1                       (Select GRE tunnel 1)
>> GRE 1# name tunnel_one                 (Assign a name for GRE 1)
>> GRE 1# phyif 3                         (Assign physical interface for GRE 1)
>> GRE 1# remoteaddr 30.1.1.1             (Assign GRE tunnel end point of ASF-California)
>> GRE 1# sip 50.1.1.2                    (Assign source IP address)
>> GRE 1# dip 50.1.1.1                    (Assign destination IP address)
>> GRE 1# mask 255.255.255.255            (Assign the mask)
>> GRE 1# ena y                           (Enable GRE 1)

6. Enable OSPF on ASF-New York.

>> # /cfg/net/ospf                        (Select OSPF menu)
>> OSPF# ena y                            (Enable OSPF)

NOTE – Make sure OSPF is enabled on the GRE tunnel interface (50.1.1.0) only. To avoid routing loops, do not configure OSPF on the 20.1.1.1/8 or 30.1.1.1/8 networks. For more information, see "Avoiding Loops in the GRE Tunnel" on page 91.

7. Enable GRE 1 for OSPF on ASF-New York.

>> # /cfg/net/ospf/gre 1                  (Select GRE 1)
>> GRE 1# ena y                           (Enable GRE for OSPF routes)

8. Verify OSPF support.

Use the /info/net/route/ospf menu to verify OSPF support on your Switched Firewall.

9. Configure the Check Point GUI for GRE support.

To support GRE on the firewall, you need special configurations and rules from Check Point. For more information, refer to the document 5100_OSPFWithGre.doc, available on the Nortel Web site.

Avoiding Loops in the GRE Tunnel

Design the network carefully to ensure that packets do not loop through the GRE tunnel. In the example shown in Figure 4-4 on page 89, if OSPF is enabled on ASF-New York both on the GRE tunnel end point (interface 3) and on the GRE source-destination addresses, the following routes appear on ASF-California:

>> # /i/n/gre
GRE Tunnel Information
Num  GRETunnel   Phylcl    Phyrmte   GRElcl    GRErmte   GREMask
===  =========   ======    =======   ======    =======   =======
1    tunnel_one  30.1.1.1  20.1.1.1  50.1.1.1  50.1.1.2  255.255.255.255

>> # /i/n/r/ospf/route
Route Table Information
30 total routes:
Num  Destination   Gateway    Metric  Source  Vlan  Vnic
===  ===========   =======    ======  ======  ====  ====
1    default       30.1.1.2           gw      30    v30
2    11.0.0.0/8    50.1.1.2   20      ospf
3    20.0.0.0/8    50.1.1.2   20      ospf

Route 3 is the problem. The prefix 20.0.0.0/8 contains the remote tunnel end point 20.1.1.1, and it has been learned over OSPF with the far end of the tunnel, 50.1.1.2, as its gateway. GRE-encapsulated packets addressed to 20.1.1.1 are therefore routed back into the tunnel they are meant to carry, and the traffic loops. The remote tunnel end point must always be reached through the physical interface (here via the default route to 30.1.1.2), never through a route learned across the tunnel itself.
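The check described above, as an added example that is not part of the guide or of the Nortel software: the two command outputs are re-typed as constructed input (the Metric column of the default route is simplified to a number), parsed, and each tunnel's remote end point is looked up with a longest-prefix match exactly as the forwarding plane would resolve it. A tunnel whose remote end point resolves through the tunnel's own far-end address is flagged as recursive. The same check applies to any GRE tunnel, not only the OSPF case on this page.

```python
import ipaddress

# Constructed input, re-typed from the /i/n/gre and /i/n/r/ospf/route output
# shown in the guide (Metric of the default route simplified to 0).
GRE_INFO = """\
Num  GRETunnel   Phylcl    Phyrmte   GRElcl    G
1    tunnel_one  30.1.1.1  20.1.1.1  50.1.1.1  50.1.1.2  255.255.255.255
"""
ROUTE_INFO = """\
Num  Destination   Gateway    Metric  Source
1    default       30.1.1.2   0       gw
2    11.0.0.0/8    50.1.1.2   20      ospf
3    20.0.0.0/8    50.1.1.2   20      ospf
"""


def parse_tunnels(text):
    """Return {tunnel_name: (local_phy, remote_phy, local_gre, remote_gre)}."""
    tunnels = {}
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) >= 6:
            tunnels[fields[1]] = (fields[2], fields[3], fields[4], fields[5])
    return tunnels


def parse_routes(text):
    """Return [(network, gateway, source)], with 'default' read as 0.0.0.0/0."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        dest = "0.0.0.0/0" if fields[1] == "default" else fields[1]
        routes.append((ipaddress.ip_network(dest, strict=False), fields[2], fields[4]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, as the forwarding plane resolves a destination."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def recursive_tunnels(tunnels, routes):
    """Tunnels whose remote end point would be reached through the tunnel itself."""
    bad = []
    for name, (_local_phy, remote_phy, _local_gre, remote_gre) in tunnels.items():
        route = lookup(routes, remote_phy)
        if route is not None and route[1] == remote_gre:
            bad.append((name, str(route[0]), route[2]))
    return bad


if __name__ == "__main__":
    for name, prefix, source in recursive_tunnels(parse_tunnels(GRE_INFO),
                                                  parse_routes(ROUTE_INFO)):
        print(f"{name}: remote end point reached via {prefix} ({source}) through the tunnel")
```

On the guide's data the check reports tunnel_one: its remote end point 20.1.1.1 matches 20.0.0.0/8, an OSPF route whose gateway is the tunnel's own far end 50.1.1.2. With route 3 absent, 20.1.1.1 falls back to the default route via 30.1.1.2 on the physical interface and nothing is reported. Running this against the route table after every OSPF change on a GRE-connected firewall catches the loop before traffic does.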


Example 3: Configuring Failover

Figure 4-5 shows two Nortel Switched Firewalls, NSF#1 and NSF#2, configured for failover. The two firewalls on the OSPF network are configured for failover on the management, client, and server interfaces.

Figure 4-5 Configuring Failover on an OSPF Network (figure; recoverable labels):
  Check Point Management Station (SmartCenter Server and SMART Client): 172.25.3.38; Gateway: 172.25.3.1
  NSF#1: management 172.25.3.2, client 10.8.90.1, server 10.10.2.1 (VLAN 12), sync 10.10.1.1
  NSF#2 (labelled NSF#1 in the figure): management 172.25.3.3, client 10.8.90.2, sync 10.10.1.2
  Sync net 10.10.1.0; External Gateway (virtual IP) 10.8.90.200; OSPF router 10.8.90.205 on VLAN 11; Server 10.10.2.2
  (The rest of the figure is the firewall switch face plates: port numbers 1-48 with Speed and Lnk/Act LEDs, and the Console port.)

Follow these steps to configure failover on the OSPF network:

1. Install the NSF 2.3.1 software on both firewalls, NSF#1 and NSF#2.

2. Log in to firewall NSF#1 as admin and type "new" to initialize the firewall as a new installation. Refer to "Setting Up the Basic Configuration" on page 37 and specify the firewall IP address as 10.10.1.1 and the MIP IP address as 10.10.1.10.

3. Log in to firewall NSF#1 again as the root user and unload the default policy.

>> login: root                            (Log in as root)
>> password:
>> fw unloadlocal                         (Unload default policy)

With no policy loaded the firewall enforces no rules at all, so perform this step only while the cluster is on an isolated network, and install a policy (Step 16) before it carries production traffic.

4. Log in to firewall NSF#2 and use the setup utility to join the cluster.

>> join                                   (Join the cluster)
>> Management network port: 1
>> Firewall NSF#2 IP: 10.10.1.2
>> MIP IP: 10.10.1.10
>> Check Point Gateway Installation Type: 1

5. Wait 5 minutes for the new configuration to take effect.

6. Log in to firewall NSF#1 as admin and add licenses for both firewalls with the /cfg/pnp/add command.

7. Verify that both firewalls are up and running.

>> Main# /info/clu
IP addr    type    MIP  Local  cpu(%)  mem(%)  op
10.10.1.1  master  *    *      26      42      up
10.10.1.2  master              26      42      up

8. Configure VRRP on the management interface.

>> Main# /cfg/net/if 10/addr1 172.25.3.2
>> Main# /cfg/net/if 10/addr2 172.25.3.3
>> Main# /cfg/net/if 10/mask 255.255.255.0
>> Main# /cfg/net/if 10/port 2
>> Main# /cfg/net/if 10/ena y
>> Main# /cfg/net/if 10/vrrp/vrid 10
>> Main# /cfg/net/if 10/vrrp/ip1 172.25.3.1
>> Main# /cfg/net/if 10/vrrp/ip2 0.0.0.0

9. Configure VRRP on the client interface.

>> Main# /cfg/net/if 3/addr1 10.8.90.1
>> Main# /cfg/net/if 3/addr2 10.8.90.2
>> Main# /cfg/net/if 3/mask 255.255.255.0
>> Main# /cfg/net/if 3/port 3
>> Main# /cfg/net/if 3/ena y
>> Main# /cfg/net/if 3/vrrp/vrid 5
>> Main# /cfg/net/if 3/vrrp/ip1 10.8.90.200
>> Main# /cfg/net/if 3/vrrp/ip2 0.0.0.0

10. Configure VRRP on the server interface.

>> Main# /cfg/net/if 4/addr1 200.200.200.1
>> Main# /cfg/net/if 4/addr2 200.200.200.2
>> Main# /cfg/net/if 4/mask 255.255.255.0
>> Main# /cfg/net/if 4/port 4
>> Main# /cfg/net/if 4/ena y
>> Main# /cfg/net/if 4/vrrp/vrid 7
>> Main# /cfg/net/if 4/vrrp/ip1 200.200.200.4
>> Main# /cfg/net/if 4/vrrp/ip2 0.0.0.0

11. Enable the failover type for the cluster.

>> Main# /cfg/net/vrrp/ha y               (Enable active-standby failover)

or

>> Main# /cfg/net/vrrp/aa y               (Enable active-active failover)

NOTE – If you are configuring active-active failover, change the second virtual IP address (/cfg/net/if <interface>/vrrp/ip2) in Steps 8, 9, and 10 from 0.0.0.0 to a specific value.

12. Enable OSPF globally.

>> Main# /cfg/net/ospf/ena                (Enable OSPF globally)

13. Configure OSPF parameters.

>> Main# /cfg/net/ospf/if 3               (Select menu for IP interface 3)
>> Interface 3 # aindex 0                 (Assign area 0 to IF 3)
>> Interface 3 # prio 10                  (Set IF router priority)
>> Interface 3 # cost1 2                  (Cost of output routes)
>> Interface 3 # cost2 10                 (Cost of output routes)
>> Interface 3 # ena                      (Enable OSPF for IF 3)

14. Enable synchronization and apply the changes.

>> Main# /cfg/fw/sync/ena                 (Enable synchronization)
>> Main# apply

Both firewalls reboot.

15. Wait 5 minutes for both firewalls to reboot completely.

16. Configure Check Point software to support failover on the OSPF network. Start the Check Point SmartDashboard tool and configure the following:

a) Create a new Gateway Cluster (Cluster name: Cluster_Gateway; Cluster IP address: 10.8.90.200; enable FireWall-1).

b) Add the two firewalls as cluster members to Cluster_Gateway.
   - Select Communication > Test SIC status to establish the SIC connection for the first cluster member.
   - Select Topology > Get Interface with Topology to get the interface and topology.

c) Configure the synchronization network. From Synchronization Properties, click Add to add a new sync network (Name: sync_net; IP address: 10.10.1.0).

d) Configure the virtual IP addresses for the external and internal interfaces. From the Topology tab, select Add to add new interfaces:
   - External interface (Name: External_If; IP: 10.8.90.200)
   - Internal interface (Name: Internal_If; IP: 200.200.200.4)

e) Add a new rule to allow OSPF traffic (IP protocol 89, destined to 224.0.0.5 and 224.0.0.6) and install the policy on the cluster. Scope the rule to the OSPF router and the OSPF-facing interface rather than allowing protocol 89 from any source.

17. Configure the OSPF router.

a) Create router interface 1, connect it to the external interface of the firewall (10.8.90.200), and configure VLAN 11.
b) Enable OSPF globally.
c) Configure area 0.
d) Assign area 0 to router interface 1.
e) Apply and save the new configuration on the router.

18. Verify your configuration.

At the firewalls, you should see the router as a neighbor and OSPF routes from the neighbor router:

>> # /info/net/vrrp/status                (VRRP is up)
>> # /info/net/route/ospf/neigh           (Look up the router)
>> # /info/net/route/ospf/routes          (Look up OSPF routes)

At the OSPF router, observe the firewalls as a neighbor and OSPF routes from the firewalls. This concludes configuring failover on the OSPF network.


CHAPTER 5

Redundant Firewalls

This chapter describes three applications for configuring redundant Switched Firewalls. A second Switched Firewall can be added to a cluster to create one of the following three failover types: VRRP active-standby (also referred to as high-availability), VRRP active-active, or ClusterXL (the Check Point failover solution).

- "VRRP on the Switched Firewall" on page 98
- "Configuring VRRP Active-Standby Failover" on page 105
- "Configuring VRRP Active-Active Failover" on page 123
- "Configuring Check Point ClusterXL Failover" on page 136
- "Establishing Trust on Redundant Firewalls" on page 157
- "Synchronizing Nortel Switched Firewalls" on page 159


VRRP on the Switched Firewall

This section describes Virtual Router Redundancy Protocol (VRRP) concepts and how VRRP is implemented on the Switched Firewall with respect to the VRRP parameters that you must configure.

- "VRRP Overview" on page 98
- "Switched Firewall Cluster" on page 98
- "Active Master Determination" on page 99
- "VRRP Router Parameters" on page 102

VRRP Overview

The Virtual Router Redundancy Protocol (VRRP), defined by RFC 2338 (since superseded by RFC 3768), eliminates a single point of failure by dynamically assigning responsibility for a virtual router to one of the physical (VRRP) routers on a LAN. The advantage VRRP provides is a higher-availability default path without requiring configuration of dynamic routing or router discovery protocols on every end host.

NOTE – VRRP on the Nortel Switched Firewall is a custom implementation that deviates from RFC 2338 in some details.

The VRRP router controlling the IP addresses associated with the virtual router is called the active master, and it forwards packets intended for these IP addresses. If the active master becomes unavailable, VRRP provides dynamic failover of the forwarding responsibility to a redundant VRRP router. This lets the end hosts use the virtual router IP addresses as the default first-hop router, regardless of which VRRP router is active.

Two firewalls in a VRRP configuration communicate using VRRP packets. The purpose of the VRRP packet is to communicate the state of the active firewall. VRRP packets are encapsulated in IP packets that are sent to the multicast group address (224.0.0.18) assigned to VRRP. The NSF 2.3.1 high-availability solution is supported in an OSPF network.

Switched Firewall Cluster

Only two Switched Firewalls can be in a cluster. A cluster is created when a second Switched Firewall is added to the first using the join command. The join command is accessed from the Setup Menu, which appears when you first turn on a firewall that has not been configured (see "Setting Up the Basic Configuration" on page 37). The general order for configuring redundant Switched Firewalls is presented in "Installing the Redundant Switched Firewall" on page 108.

Clustered firewalls act as virtual routers in a redundant relationship using VRRP. In an active-standby (high-availability) configuration, only one firewall passes traffic, while the redundant firewall is a dedicated backup. In an active-active configuration, both firewalls process separate traffic streams, but each is available to back up the other when a failure occurs, unless the Preferred Master parameter is configured. For more information on the Preferred Master command, see "Preferred Master" on page 104.

The firewall with the higher IP address is the default master. The firewall with the lower IP address is the default backup. Initially, the default master is active, that is, it assumes the ARP response and packet forwarding responsibilities for the virtual routers. The default backup is inactive, but it is available to take over if it detects a failure on the default master. In all cases, the assumption of the active role is managed by the VRRP Election process. Past the initialization stage, the role of active master is independent of the default condition. For more information, see "Active Master Determination" on page 99.

Active Master Determination

VRRP ensures that one virtual router or the other assumes the role of active master. VRRP Election, the process that determines the active master, occurs during initialization (that is, when HA or AA is enabled for the cluster) or during firewall startup. VRRP Failover occurs when the backup fails to receive advertisement packets at pre-set intervals from each interface on the active master. Both processes ensure that only one firewall is active at a time and that it is able to communicate on the LAN. Both processes are described below.

VRRP Election

At startup, the virtual routers on both Switched Firewalls come up in the backup state and wait for advertisement packets. When none are received (only active masters broadcast advertisement packets), each virtual router assumes the active master role and both virtual routers begin broadcasting advertisement packets. Once it detects advertisement packets from the other master, the virtual router with the lower IP address (default backup) reverts to backup, leaving the virtual router with the higher IP address (default master) as the active master. The active master continuously broadcasts advertisement packets at regular intervals defined by the adint value. If advertisement packets are not received within the advertisement interval, VRRP failover begins on the backup. Some reasons why advertisement packets do not reach the backup include:

- Active link is down.
- Port is down.
- High traffic delays advertisement packets beyond the specified adint interval.
- A device on the virtual router LAN blocks the advertisement packets or ARP traffic.

NOTE – VRRP mishandles failures caused by externally blocked multicast traffic: both units assume the active role (a split-brain condition). Any device that filters 224.0.0.18 between the two units, whether misconfigured or malicious, produces this result, so keep the VRRP-facing segments on a Layer 2 domain you control. Note also that backups do not block traffic.

VRRP Failover

VRRP failover occurs when the backup fails to receive advertisement packets at pre-set intervals from each interface on the active master.

- If VRRP multicast advertisement packets to group address 224.0.0.18 are not received by any virtual router on the backup, all of the backup virtual routers send four ARP requests (one per second) to the active master virtual router IP addresses. The intention is to give the active master ample opportunity to respond, to ensure that it is down before going on to the next step.
- If ARP replies from the active master are not received, failover occurs (the backup virtual router assumes the role of active master).
- If ARP replies from the active master are received, no failover occurs. This may indicate that traffic on the active master is too heavy for it to send advertisement packets within the adint window. If you believe this is the case, increase the adint value (see the /cfg/net/vrrp/adint command on page 296).

NOTE – When a virtual router comes up from the fault state, it ARPs for an active master. If the virtual router receives an ARP response, it assumes the role of backup. The backup continues sending ARP messages to the virtual router until it does not receive a response; it then initiates the failover process. If MIP ownership is assigned to the VRRP master and a failover takes place, the SSI restarts to allow the MIP ownership to migrate to the new VRRP master. MIP ownership need not be assigned to the VRRP master. System error messages appear at the CLI and the BBI until MIP migration completes.


VRRP Failover Based on Links

Link failures decrement the internal priority value that VRRP maintains for both Switched Firewalls. A link failure is defined as a loss of link at the VRRP interface. At initialization, VRRP sets the priority value to 100 for both firewalls. When a physical link fails, VRRP reduces the priority value for that firewall by two. If that causes the firewall’s priority value to fall below the other firewall’s, failover occurs. When the link is restored, the priority value for that firewall is increased by two. This may cause both firewalls to have the same priority values. Nevertheless, the cluster status will not change until a link failure occurs on the backup that causes VRRP to reduce its priority value by two and triggers a failover.

MAC Address Mapping

MAC address mapping is different for active-standby (high-availability) and active-active configurations.

Active-Standby (High Availability): The active master uses its vrid to set a unique virtual router MAC address of the form 00:00:5E:00:01:<vrid>, that is, the fixed prefix 0x00005E0001 followed by the vrid as the last octet. This is the address that the active master returns in response to end-host ARP requests and Proxy ARP requests. GARP messages also contain the active master’s virtual router MAC address. Meanwhile, the backup retains its physical MAC address. When the active master becomes the backup, it overwrites its virtual router MAC address with its physical MAC address. At the same time, the newly active master overwrites its physical MAC address with its unique virtual router MAC address.

Active-Active: The virtual router responds to end-host ARP requests and Proxy ARP requests with the physical MAC address of addr1 or addr2 (cfg/net/if/addr1 or cfg/net/if/addr2), depending on which firewall is the active master. The virtual router IP address never changes. GARP messages also contain the real MAC addresses of the active master’s virtual router ports.

NOTE – In practice, GARP messaging is usually the mechanism that informs switches and routers of MAC address changes.


Stateful Failover

Stateful failover is enabled globally at the Sync Configuration Menu (see page 322) or the BBI Firewall / Synchronization form (see the Nortel Switched Firewall 5100 Series BBI Quick Guide). When /cfg/fw/sync is enabled, the active master shares session state data with the backup. This allows sessions to continue on the backup when failover occurs. If /cfg/fw/sync is disabled, traffic is dropped at failover because the backup cannot find the existing session. This requires the client to reestablish the connection. Stateful failover requires a dedicated connection between Switched Firewalls (see Figure 5-2 on page 124 and “Synchronizing Nortel Switched Firewalls” on page 159).

VRRP Router Parameters

VRRP router parameters are defined globally using the CLI (“VRRP Settings Menu” on page 296) or the BBI (see the Network / VRRP form in the Nortel Switched Firewall 5100 Series BBI Quick Guide). The following parameters are used to configure VRRP:

• Active-Standby and Active-Active
• Advertisement Interval
• Gratuitous ARP (GARP)
• VRRP Interface
• Advanced Failover Check
• Preferred Master

Active-Standby and Active-Active

The command /cfg/net/vrrp/ha enables active-standby (also referred to as high availability) and /cfg/net/vrrp/aa enables active-active. Only one mode can be enabled at a time, and you cannot apply either setting unless there are two firewalls in the cluster.

Advertisement Interval

The command /cfg/net/vrrp/adint sets the interval in seconds between advertisement messages, which are multicast to 224.0.0.18 from the active master’s sub-address (see “VRRP Interface” on page 103). If the backup does not receive advertisement messages at the specified interval, the VRRP failover process begins (see page 100).

NOTE – A rule to allow VRRP multicast packets to and from the virtual router sub-addresses on both firewalls must be configured at the Check Point SmartDashboard. If the policy is not properly implemented, both firewalls assume the role of active master (see “SmartDashboard Configuration” on page 67).


It may be necessary to increase the adint value during high traffic periods that prevent the active firewall from issuing advertisement messages at the specified interval. Increasing the adint value lowers the chance for unnecessary disruption of packet forwarding, but increases the length of service disruption in the event that the active master fails.

Gratuitous ARP (GARP)

Once the backup detects a failure in the active master, the backup immediately flashes a Gratuitous ARP (GARP) message to the end-hosts on the virtual router interface. The GARP (an unsolicited ARP response) forces end-hosts to update their ARP caches with the new MAC address/IP address mapping. Then the backup delays a period of time defined by the /cfg/net/vrrp/garp (GARP delay) value before sending continuous GARP messages at intervals defined by the /cfg/net/vrrp/gbcast (Gratuitous Broadcast) value. Continuous GARP messages prevent end-hosts from aging out their ARP entries for the virtual router. The flash GARP message shortens the ‘black hole’ period, that is, the time it takes a device to discover a lost neighbor. (One of the goals of a properly implemented VRRP backup strategy is to keep black hole periods short for end-hosts.) Increasing the gbcast value cuts down on the GARP traffic, but lengthens the interval between end-host ARP cache updates.
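The detection and GARP sequence from “VRRP Failover”, “Advertisement Interval” and this section, as an added example that is not Nortel code: a second-by-second model of what the backup does when advertisements stop. The timer fields mirror the CLI names; the afc flag, the advertisement times and the ARP-reply times are constructed assumptions for the example.

```python
from dataclasses import dataclass

VRRP_GROUP = "224.0.0.18"   # advertisement multicast group named in the text
ARP_PROBES = 4              # four ARP requests, one per second, before giving up on the master


@dataclass
class VrrpTimers:
    adint: int          # /cfg/net/vrrp/adint: seconds between advertisements
    garp: int           # /cfg/net/vrrp/garp: delay before continuous GARP starts
    gbcast: int         # /cfg/net/vrrp/gbcast: seconds between continuous GARPs
    afc: bool = True    # /cfg/net/vrrp/afc: ARP the master before failing over (assumed on)


def backup_timeline(timers, advertisements, arp_replies, horizon):
    """Walk the backup through seconds 1..horizon and list what it does.

    advertisements: seconds at which an advertisement to 224.0.0.18 reaches the backup
    arp_replies:    seconds at which the master answers one of the backup's ARP requests
    Returns [(second, action), ...] with the steps described in the text.
    """
    actions = []
    state = "backup"        # backup -> probing -> master
    last_adv = 0            # second of the most recent advertisement seen
    probes_sent = 0
    failover_at = None
    for t in range(1, horizon + 1):
        if state == "master":
            # The flash GARP went out at failover; after the garp delay, repeat every
            # gbcast seconds so end hosts never age out the virtual router's ARP entry.
            since = t - failover_at
            if since >= timers.garp and (since - timers.garp) % timers.gbcast == 0:
                actions.append((t, "garp"))
            continue
        if t in advertisements:
            last_adv = t
            if state == "probing":
                actions.append((t, "advertisement resumed: back to backup"))
                state, probes_sent = "backup", 0
            continue
        if state == "backup":
            if t - last_adv <= timers.adint:
                continue        # still inside the advertisement window
            if not timers.afc:  # without AFC a missed window fails over straight away
                state, failover_at = "master", t
                actions.append((t, "flash-garp"))
                continue
            state = "probing"
        # Probing: ARP the master's virtual router address once per second.
        if t in arp_replies:
            # The master is up but too busy to advertise: no failover, keep probing.
            actions.append((t, "arp-reply: no failover (consider raising adint)"))
            probes_sent = 0
        elif probes_sent < ARP_PROBES:
            probes_sent += 1
            actions.append((t, f"arp-request {probes_sent}/{ARP_PROBES}"))
        else:
            state, failover_at = "master", t
            actions.append((t, "flash-garp"))   # unsolicited ARP reply with the new mapping
    return actions


def failover_second(actions):
    """Second at which the backup became active master, or None if it never did."""
    return next((t for t, a in actions if a == "flash-garp"), None)


if __name__ == "__main__":
    timers = VrrpTimers(adint=3, garp=1, gbcast=2)   # values used in the configuration dump
    # Constructed: the master advertises at 3, 6 and 9 seconds and then goes silent.
    for step in backup_timeline(timers, {3, 6, 9}, set(), horizon=22):
        print(step)
```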

VRRP Interface

Virtual router interface parameters are defined per virtual router at the VRRP Interface Menu (see page 291) or the Network / Interfaces / Update (Add or Modify) form in the Nortel Switched Firewall 5100 Series BBI Quick Guide. Before you configure them, you must first configure the interface IP parameters at the Interface Menu (see page 289). Each virtual router interface requires the following parameters:

• A common virtual router IP address
• A common virtual router ID (vrid)
• Two sub-addresses (one representing each firewall host)
• A common port on each firewall

Real Router IP addresses. The IP addresses you enter for addr1 and addr2 (cfg/net/if) at the Interface Menu become the real router IP addresses. Other real interface parameters, including the port, must be filled in as well.


Virtual Router IP addresses. The vrid and virtual router addresses (ip1 and ip2) are defined at the VRRP Interface Menu (cfg/net/if_#/vrrp/ip1 or ip2) on the same interface as the virtual router interface. For more information on the VRRP Interface Menu, see page 291. The virtual router IP address and the sub-addresses must be unique, but all three IP addresses must belong to the same subnet.

Advanced Failover Check

If Advanced Failover Check (AFC), cfg/net/vrrp/afc, is enabled, the system ARPs before initiating a failover caused by missed VRRP advertisements.

Preferred Master

The Preferred Master command, cfg/net/vrrp/prefmaster, lets you specify which Switched Firewall in the cluster is to be the VRRP master. The preferred master always remains active when it has equal or better priority. It goes into backup mode only when its links are down and regains its position once the links are up. The preferred master command applies only to active-standby failover, because in active-active failover both Switched Firewalls handle the load.
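An added example, not Nortel code, that models the rules of “VRRP Election”, “VRRP Failover Based on Links”, “MAC Address Mapping” and this section together: election by priority and then by higher IP address, the two-point link penalty, the preferred master regaining its place on equal priority, and the virtual MAC derived from the vrid. Firewall names and addresses follow Figure 5-1; the physical MAC addresses and the vrid-as-last-octet layout of the virtual MAC are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

INITIAL_PRIORITY = 100  # VRRP starts both firewalls at 100
LINK_PENALTY = 2        # each failed link on a VRRP interface costs two points


def virtual_router_mac(vrid: int) -> str:
    """Virtual router MAC for a vrid: the 00:00:5E:00:01 prefix from the text with
    the vrid as the final octet (the RFC 3768 layout, assumed here)."""
    if not 1 <= vrid <= 255:
        raise ValueError("vrid must be between 1 and 255")
    return f"00:00:5e:00:01:{vrid:02x}"


@dataclass
class Firewall:
    name: str
    router_ip: str        # real interface address (addr1 or addr2) compared in the election
    physical_mac: str     # constructed value; the backup answers ARP with this address
    priority: int = INITIAL_PRIORITY
    links_up: dict = field(default_factory=dict)

    def link_down(self, link: str) -> None:
        if self.links_up.get(link, True):
            self.links_up[link] = False
            self.priority -= LINK_PENALTY

    def link_up(self, link: str) -> None:
        if not self.links_up.get(link, True):
            self.links_up[link] = True
            self.priority += LINK_PENALTY


class VrrpCluster:
    """Two firewalls sharing one virtual router; prefmaster mirrors /cfg/net/vrrp/prefmaster."""

    def __init__(self, fw1: Firewall, fw2: Firewall, vrid: int, prefmaster: Optional[str] = None):
        self.fws = (fw1, fw2)
        self.vrid = vrid
        self.prefmaster = prefmaster
        self.master = self._elect()

    def _elect(self) -> Firewall:
        # Startup election: priorities are equal, so the higher IP address is the
        # default master; a configured preferred master wins the tie instead.
        def rank(fw: Firewall):
            return (fw.priority, fw.name == self.prefmaster, int(ip_address(fw.router_ip)))
        return max(self.fws, key=rank)

    def backup(self) -> Firewall:
        return self.fws[1] if self.master is self.fws[0] else self.fws[0]

    def reevaluate(self) -> bool:
        """Apply the link-failover rules after a link event; True when failover occurs."""
        backup = self.backup()
        outranks = backup.priority > self.master.priority
        # Equal priority after a link is restored changes nothing, unless the backup
        # is the preferred master, which regains its position once its links are up.
        regains = backup.priority == self.master.priority and backup.name == self.prefmaster
        if outranks or regains:
            self.master = backup
            return True
        return False

    def mac_for(self, fw: Firewall) -> str:
        """Address the firewall answers ARP with: virtual MAC as master, physical otherwise."""
        return virtual_router_mac(self.vrid) if fw is self.master else fw.physical_mac


def build_cluster(prefmaster: Optional[str] = None) -> VrrpCluster:
    """Interface 3 of Figure 5-1 with vrid 30 as in the configuration dump; MACs constructed."""
    nsf1 = Firewall("NSF#1", "200.1.1.1", "00:11:22:33:44:01", links_up={"link 1": True})
    nsf2 = Firewall("NSF#2", "200.1.1.2", "00:11:22:33:44:02", links_up={"link 4": True})
    return VrrpCluster(nsf1, nsf2, vrid=30, prefmaster=prefmaster)


def run_scenario(prefmaster: Optional[str] = None) -> list:
    """A link on the current master fails and is later restored; master after each step."""
    cluster = build_cluster(prefmaster)
    victim = cluster.master
    link = next(iter(victim.links_up))
    history = [cluster.master.name]
    victim.link_down(link)
    cluster.reevaluate()
    history.append(cluster.master.name)
    victim.link_up(link)
    cluster.reevaluate()
    history.append(cluster.master.name)
    return history


if __name__ == "__main__":
    print("default election:", run_scenario())                   # NSF#2 -> NSF#1 -> NSF#1
    print("prefmaster NSF#1:", run_scenario(prefmaster="NSF#1"))  # NSF#1 -> NSF#2 -> NSF#1
```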


Configuring VRRP Active-Standby Failover

VRRP and the addition of a redundant Switched Firewall to the cluster make it possible to configure an effective, high-availability network that reduces the chance that a single point of failure can bring down the system. The following topics are addressed in this section:

• “Configuration Overview” on page 106
• “Requirements” on page 107
• “Configuration Check List” on page 109
• “Configuring the Redundant Switched Firewall” on page 109
• “Configuring Check Point Software for Active-Standby” on page 113
• “Configuration Dump for VRRP Active-Standby Failover” on page 120


Configuration Overview

The network topology for a typical active-standby (high-availability) network with Switched Firewalls is shown in Figure 5-1.

[Figure 5-1 Active-Standby Failover Configuration. Client 200.1.1.150 on the side of VIP 200.1.1.100; Server 100.1.1.150 on the side of VIP 100.1.1.100. NSF#1: Eth0 172.25.3.1/24 (Management), Eth1 10.10.1.1/24 (Sync), Eth2 100.1.1.1/24 (Clean), Eth3 200.1.1.1/24. NSF#2: Eth0 172.25.3.2/24 (Management), Eth1 10.10.1.2/24 (Sync), Eth2 100.1.1.2/24 (Clean), Eth3 200.1.1.2/24. MIP 172.25.3.10. Check Point Management Server and Client 172.25.3.38. Redundant feeds over link 1 through link 4.]

This example uses layer 2 switches to supply redundant feeds to the firewalls (hubs may also be used for the same purpose). The default data path is through link 3 and link 4, since the VRRP Election process (see page 99) default-designates the firewall with the higher IP address (NSF#2 in this case) as the active master. If either link fails on the default path, the active master will stop sending VRRP advertisements and transition both virtual routers into a fault state. When the backup does not receive VRRP advertisements, it initiates the VRRP failover process (see “VRRP Failover” on page 100) and assumes the role of active master. The sync connection on port 2 supports stateful failover (see “Synchronizing Nortel Switched Firewalls” on page 159 for configuration details), which is optional for high-availability networks.

Requirements

The installation of a redundant firewall is handled as an expansion that creates a Switched Firewall cluster. The following conditions and equipment are required:

• A Switched Firewall must already be physically installed as described in Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C). The Switched Firewall must already be configured with basic parameters as described in Chapter 2, “Initial Setup.”
• You must reinstall the software on the first Firewall if you enabled the Check Point SmartCenter Server on it during initial setup (see Step 12 on page 41).
• The /cfg/net/vrrp/ha feature must be disabled on the first firewall before you add the second firewall. The addr1 and addr2 addresses for each interface must also be configured on the first firewall before you add the second firewall.

NOTE – If access lists are configured on firewall#1, make sure that an access list entry for firewall#2 is added on firewall#1, or add an access list entry for the SSI network.

• You must be able to establish trust on both Switched Firewalls (see “Establishing Trust on Redundant Firewalls” on page 157).
• The redundant Switched Firewall must be identical to the existing Switched Firewall. You cannot mix different models or software versions in the same cluster. For example, you cannot mix a 5109 and 5114; but you can mix a 5109 and a 5111-NE1. Similarly, you can mix a 5114 and a 5114-NE1.


• A layer 2 switch or hub is required to provide redundant network feeds to both firewalls.

NOTE – The switch or hub must have the ability to forward multicast packets.

CAUTION – Any Switched Firewall being added must have the same version of Firewall OS as the other Switched Firewall. See Chapter 8, “Upgrading and Reinstalling the Software,” for more information.

CAUTION – Also, any Switched Firewall being added must be set to the factory default mode. If moving a previously configured Switched Firewall from another system, you must first delete the Firewall from the old cluster to reset its configuration. For more information, see the delete command in the Firewall menu on page 248.

Installing the Redundant Switched Firewall

1. Make sure that the first Switched Firewall is on and operational.

NOTE – Make sure that /cfg/net/vrrp/ha and /cfg/net/vrrp/aa are disabled at this point in the procedure.

2. Rack mount the redundant Switched Firewall hardware. See the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C).

3. Connect the power cable for the redundant Switched Firewall, but do not turn it on yet. Attach power as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C).

4. Connect the redundant network feeds to the Switched Firewalls.

NOTE – Be sure to connect each network to the same port/interface on both Switched Firewalls.


Configuration Check List

1. The Check Point sync network should be on a separate interface. It can also be in the SSI subnet.

2. If the sync interface is not the SSI interface, make sure the /cfg/net/if /vrrp/ip1 and /cfg/net/if /vrrp/ip2 settings for the sync interface are 0.0.0.0.

3. If a VLAN interface is used for sync, the interface with the lowest VLAN number is selected (for example, if you have VLAN 10 and 20 on the same port, select the interface with VLAN 10 as the sync interface).

4. Make sure the routers point to the ip1 and ip2 addresses in the /cfg/net/if /vrrp menu and not to the addr1 and addr2 addresses in the /cfg/net/if menu.

5. Do not use the SSI MIP as the default gateway.

6. Make sure you have unchecked ClusterXL in the Cluster general properties tab in the Check Point SmartDashboard tool.

7. Do not enable Automatic proxy arp configuration in the SmartDashboard global properties tab.

8. If you have NAT enabled on any of the VRRP interfaces, make sure VRRP packets (packets destined for 224.0.0.18) are not NATed. You can add this as the first manual NAT rule.

Configuring the Redundant Switched Firewall

The commands in this example use the parameters in Figure 5-1 on page 106. Your configuration may differ, but it should observe the same configuration patterns as in the example.

1. Log in as the administrator.

2. When the Setup Menu appears, select join and enter the basic configuration parameters when prompted (see “Setting Up the Basic Configuration” on page 37). Enter a unique IP address, but enter the same MIP you used for firewall 1.

3. Reboot and log back into NSF#1 to complete the VRRP configuration on both Switched Firewalls.


NOTE – The Nortel Single System Image (SSI) maps the Switched Firewall configuration across both firewalls in the cluster. That is, whatever you had configured for firewall NSF#1 previously is mapped to firewall NSF#2 and any changes you add when logged into firewall NSF#1 are mapped to firewall NSF#2. This ensures that the configuration of both firewalls is identical, a prerequisite for VRRP to work. Note also that you must enter license information manually per firewall and that you must push policies to each firewall individually.

NOTE – You must configure the vrid, ip1, ip2, addr1, and addr2 for each defined interface (except the Sync interface). Otherwise, active-standby (high availability) or active-active does not work on any interface.

4. Configure the VRRP interfaces on both Switched Firewalls. Log on to firewall NSF#1 as the administrator and configure the interfaces.

>> Main# /cfg/net/if 2/addr1 100.1.1.1
>> Main# /cfg/net/if 2/addr2 100.1.1.2
>> Main# /cfg/net/if 2/mask 255.255.255.0
>> Main# /cfg/net/if 2/port 3
>> Main# /cfg/net/if 2/ena
>> Main# /cfg/net/if 3/addr1 200.1.1.1
>> Main# /cfg/net/if 3/addr2 200.1.1.2
>> Main# /cfg/net/if 3/mask 255.255.255.0
>> Main# /cfg/net/if 3/port 4
>> Main# /cfg/net/if 3/ena

5. Configure the VRRP virtual IP addresses.

NOTE – It is not necessary to configure ip2 for active-standby (high availability). However, if you are configuring active-active failover, assign a specific value for ip2. For example, /cfg/net/if 2/vrrp/ip2 10.1.1.200 and /cfg/net/if 3/vrrp/ip2 20.1.1.200.

>> Main# /cfg/net/if 2/vrrp/ip1 100.1.1.100
>> Main# /cfg/net/if 2/vrrp/ip2 0.0.0.0
>> Main# /cfg/net/if 3/vrrp/ip1 200.1.1.100
>> Main# /cfg/net/if 3/vrrp/ip2 0.0.0.0

The VRRP virtual IP addresses must be on the same network as their router IP addresses.


6. Enter the virtual router ID (vrid). Each virtual router interface gets a unique vrid, which is used to generate the virtual router MAC address (see “MAC Address Mapping” on page 101).

NOTE – Vrids must be at least one number apart (for example, vrids 33 and 34 would not be acceptable; vrids 33 and 35 are acceptable).

>> Main# /cfg/net/if 2/vrrp/vrid 33
>> Main# /cfg/net/if 3/vrrp/vrid 44

7. Enable the failover type for the cluster.

>> Main# /cfg/net/vrrp/ha y    (Enable active-standby failover)

or

>> Main# /cfg/net/vrrp/aa y    (Enable active-active failover)

NOTE – If you are configuring active-active failover, modify the second virtual IP address (/cfg/net/if #/vrrp/ip2) in Step 5 from 0.0.0.0 to a specific value.

8. Set the adint, garp, gbcast, and phcintvl values.

>> Main# /cfg/net/vrrp/adint 10
>> Main# /cfg/net/vrrp/garp 1      (default value)
>> Main# /cfg/net/vrrp/gbcast 2    (default value)

9. (Optional) Set the Sync interface. The optional Sync interface requires a dedicated port on both units and a local connection. Its configuration differs from the other virtual router interfaces in that both /cfg/net/if #/vrrp/ip1 and /cfg/net/if #/vrrp/ip2 are set to 0.0.0.0. For additional information on the Sync interface, see “Synchronizing Nortel Switched Firewalls” on page 159.

• Configure the real addresses for the router interface and enable the interface for the sync network.

>> Main# /cfg/net/if 1/addr1 10.10.1.1
>> Main# /cfg/net/if 1/addr2 10.10.1.2
>> Main# /cfg/net/if 1/mask 255.255.255.0
>> Main# /cfg/net/if 1/vlanid 0
>> Main# /cfg/net/if 1/port 2
>> Main# /cfg/net/if 1/ena y

• Configure the vrid for the sync network.

>> Main# /cfg/net/if 1/vrrp/vrid 192

• Enable synchronization and apply the changes.

>> Main# /cfg/fw/sync/ena    (Enable synchronization)
>> Main# apply

10. Enter the Check Point license.

>> # /cfg/lic/pastelic
List of current hosts:
1: 172.25.3.1
2: 172.25.3.2
Choice: 1
Enter the entire license string: cplic put 10.10.1.4 10Mar2005 puZgqs4cF-wUJedwq5z-8ZinqozZ3-oM4yzMhib cpmp-eval-1-3des-ng CKC40A2ED769CE

NOTE – You can also install licenses directly from the SmartCenter Server.

11. Apply the changes.

>> Main# apply

12. Refer to the configuration dumps provided to verify your configuration.

• Active-Standby failover: refer to “Configuration Dump for VRRP Active-Standby Failover” on page 120.
• Active-Active failover: refer to “Configuration Dump for Check Point ClusterXL Failover” on page 153.

13. Launch the Check Point SmartDashboard tool to manage both firewalls as a cluster:

• Active-Standby failover: refer to “Configuring Check Point Software for Active-Standby” on page 113.
• Active-Active failover: refer to “Configuring Check Point Software” on page 126.

This concludes the configuration for VRRP failover.


Configuring Check Point Software for Active-Standby

1. Enter the IP address of the external interface as shown below. The Check Point Gateway Cluster’s IP address should be one of the IP addresses of the external interface (/cfg/net/if/addr1 or /cfg/net/if/addr2).

2. Select Cluster Members and verify the firewalls in the cluster. Firewall NSF#1 is the master for the virtual IP address 200.1.1.100 (ip1) on port 4 and backs up the virtual IP address 200.1.1.200 (ip2) on port 4. Firewall NSF#2 is the master for virtual IP address 200.1.1.200 (ip2) on port 4 and backs up virtual IP address 200.1.1.100 (ip1) on port 4.

   a) Check for third party configuration.

   b) Enable Synchronization.

3. Do not let Check Point handle ARP in Active-Standby mode.

4. Configure the topology so that VRRP packets are not dropped because of anti-spoofing.

   a) Create a host node for the VRRP IP address.

   b) Create a simple group object containing the VRRP_IP node and the SSI network.

   c) Add this information to the cluster topology and the cluster members’ topology (NSF#1 and NSF#2). This procedure shows NSF#1 only.

5. Add your defined rule and push the policy.

6. If you are using Check Point SmartDefense TTL fingerprint scrambling, set TTL to 255 as shown below.

The remaining configuration in the cluster object can be set up according to the customer’s requirements.


Configuration Dump for VRRP Active-Standby Failover

/*
/* Configuration dump taken Fri Apr 1 14:08:07 PDT 2005
/* Version 2.3.1
/*
/*
/cfg
/cfg/sys
/cfg/sys/time
    tzone "America/Los_Angeles"
/cfg/sys/time/ntp
/cfg/sys/dns
/cfg/sys/cluster
    mip 172.25.3.10
/cfg/sys/cluster/host 1
    ip 172.25.3.1
/cfg/sys/cluster/host 2
    ip 172.25.3.2
/cfg/sys/accesslist
/cfg/sys/adm
    idle 10m
/cfg/sys/adm/telnet
    ena n
/cfg/sys/adm/ssh
    ena n
/cfg/sys/adm/web
/cfg/sys/adm/web/http
    port 80
    ena y
/cfg/sys/adm/web/ssl
    port 443
    ena n
    tls y
    sslv2 y
    sslv3 y
/cfg/sys/adm/web/ssl/certs
/cfg/sys/adm/web/ssl/certs/serv
/cfg/sys/adm/web/ssl/certs/ca
/cfg/sys/adm/snmp
    ena n
    model v2c
    level auth
    access d
    events n
    alarms n
    rcomm public
/cfg/sys/adm/snmp/users
/cfg/sys/adm/snmp/hosts
/cfg/sys/adm/snmp/system
/cfg/sys/adm/snmp/adv
/cfg/sys/log/arch
    email none
    smtp 0.0.0.0
    int "1, 0"
    size 0
/cfg/sys/user
    expire 0
/cfg/net
/cfg/net/port 1
    name "Host Port"
    autoneg on
    speed 0
    mode full
/cfg/net/port 2
    name none
    autoneg on
    speed 0
    mode full
/cfg/net/port 3
    name none
    autoneg on
    speed 0
    mode full
/cfg/net/port 4
    name none
    autoneg on
    speed 0
    mode full
/cfg/net/if 1
    addr1 10.10.1.1
    addr2 10.10.1.2
    mask 255.255.255.0
    vlanid 0
    port 2
    ena y
/cfg/net/if 1/vrrp
    vrid 10
    ip1 0.0.0.0
    ip2 0.0.0.0
/cfg/net/if 2
    addr1 100.1.1.1
    addr2 100.1.1.2
    mask 255.255.255.0
    vlanid 0
    port 3
    ena y
/cfg/net/if 2/vrrp
    vrid 20
    ip1 100.1.1.100
    ip2 0.0.0.0
/cfg/net/if 3
    addr1 200.1.1.1
    addr2 200.1.1.2
    mask 255.255.255.0
    vlanid 0
    port 4
    ena y
/cfg/net/if 3/vrrp
    vrid 30
    ip1 200.1.1.100
    ip2 0.0.0.0
/cfg/net/vrrp
    ha y
    aa n
    adint 3
    garp 1
    gbcast 2
/cfg/net/adv
/cfg/net/adv/route
    gateway 0.0.0.0
/cfg/net/adv/route/routes
/cfg/net/adv/parp
    enable y
/cfg/net/adv/parp/list
    add 100.1.1.200
/cfg/pnp
/cfg/fw
    ena y
/cfg/fw/sync
    ena y
/cfg/fw/client
/cfg/misc
    warn y
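A checker, added here as an example and not part of the product, that parses a dump in the format above and applies the rules from the VRRP Interface section and the Configuration Check List: the sync interface carries no virtual IP, vrids are at least one number apart, the virtual and real addresses of an interface are unique and in one subnet, ip2 is required for active-active, and the SSI MIP is not the default gateway. The dump it reads is a constructed sample with two deliberate mistakes; the sync_if parameter names the sync interface, which the dump itself does not mark.

```python
import re
from itertools import combinations
from ipaddress import ip_address, ip_network

# Constructed sample in the dump format above (interfaces of Figure 5-1). Two
# deliberate mistakes: the sync interface carries a virtual IP, and if 3's vrid
# is adjacent to if 2's.
SAMPLE_DUMP = """\
/* Configuration dump (constructed sample, not taken from a firewall)
/cfg/sys/cluster
    mip 172.25.3.10
/cfg/net/if 1
    addr1 10.10.1.1
    addr2 10.10.1.2
    mask 255.255.255.0
/cfg/net/if 1/vrrp
    vrid 10
    ip1 10.10.1.100
    ip2 0.0.0.0
/cfg/net/if 2
    addr1 100.1.1.1
    addr2 100.1.1.2
    mask 255.255.255.0
/cfg/net/if 2/vrrp
    vrid 20
    ip1 100.1.1.100
    ip2 0.0.0.0
/cfg/net/if 3
    addr1 200.1.1.1
    addr2 200.1.1.2
    mask 255.255.255.0
/cfg/net/if 3/vrrp
    vrid 21
    ip1 200.1.1.100
    ip2 0.0.0.0
/cfg/net/vrrp
    ha y
    aa n
/cfg/net/adv/route
    gateway 0.0.0.0
"""

# The same sample with both mistakes corrected.
CORRECTED_DUMP = SAMPLE_DUMP.replace("ip1 10.10.1.100", "ip1 0.0.0.0").replace("vrid 21", "vrid 30")


def parse_dump(text):
    """Map each /cfg/... section path to its {key: value} settings; /* lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.startswith("/cfg"):
            current = line
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition(" ")
            sections[current][key] = value.strip().strip('"')
    return sections


def check_vrrp(sections, sync_if=1):
    """Return a list of findings against the rules in this chapter (empty when clean)."""
    findings = []
    vrrp = sections.get("/cfg/net/vrrp", {})
    ha, aa = vrrp.get("ha") == "y", vrrp.get("aa") == "y"
    if ha and aa:
        findings.append("ha and aa cannot both be enabled")
    mip = sections.get("/cfg/sys/cluster", {}).get("mip")
    if mip and sections.get("/cfg/net/adv/route", {}).get("gateway") == mip:
        findings.append("the SSI MIP must not be the default gateway")
    vrids = {}
    for path, iface in sections.items():
        m = re.fullmatch(r"/cfg/net/if (\d+)", path)
        if not m:
            continue
        n = int(m.group(1))
        v = sections.get(f"{path}/vrrp", {})
        ip1, ip2 = v.get("ip1", "0.0.0.0"), v.get("ip2", "0.0.0.0")
        if n == sync_if:  # the sync interface must carry no virtual IP at all
            if (ip1, ip2) != ("0.0.0.0", "0.0.0.0"):
                findings.append(f"if {n}: sync interface needs ip1 and ip2 set to 0.0.0.0")
            continue
        if "vrid" in v:
            vrids[n] = int(v["vrid"])
        else:
            findings.append(f"if {n}: vrid missing")
        if ip1 == "0.0.0.0":
            findings.append(f"if {n}: ip1 missing")
        if aa and ip2 == "0.0.0.0":
            findings.append(f"if {n}: active-active needs a specific ip2")
        try:
            net = ip_network(f"{iface['addr1']}/{iface['mask']}", strict=False)
            addrs = [iface["addr1"], iface["addr2"], ip1, ip2]
        except (KeyError, ValueError):
            findings.append(f"if {n}: addr1, addr2 and mask are all required")
            continue
        addrs = [a for a in addrs if a != "0.0.0.0"]
        if len(set(addrs)) != len(addrs):
            findings.append(f"if {n}: addr1, addr2, ip1 and ip2 must be unique")
        findings += [f"if {n}: {a} is not in {net}" for a in addrs if ip_address(a) not in net]
    for (i, vi), (j, vj) in combinations(sorted(vrids.items()), 2):
        if abs(vi - vj) < 2:
            findings.append(f"if {i} and if {j}: vrids {vi} and {vj} must be at least one number apart")
    return findings


if __name__ == "__main__":
    for finding in check_vrrp(parse_dump(SAMPLE_DUMP)) or ["no findings"]:
        print(finding)
```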


Configuring VRRP Active-Active Failover

The network topology for a typical active-active network with Switched Firewalls is shown in Figure 5-2. The following topics are addressed in this section:

• “Configuration Overview” on page 106
• “Requirements” on page 125
• “Installing the Redundant Switched Firewall” on page 125
• “Configuration Check List” on page 125
• “Configuring the Redundant Switched Firewall” on page 126
• “Configuring Check Point Software” on page 126
• “Configuration Dump for VRRP Active-Active Failover” on page 133

Configuration Overview

An active-active configuration is similar to an active-standby configuration (see “Configuring VRRP Active-Standby Failover” on page 105) with these differences:

• Two real IP addresses (addr1 and addr2) are required on each interface. /cfg/net/if #/addr2 on one firewall host must be configured with the same network as /cfg/net/if #/addr1 on the opposite firewall host.
• Only symmetric routing is supported. For example, when a SYN packet passes through firewall NSF#1, the server should return the SYN ACK packet to the firewall NSF#1 gateway. If the SYN ACK happens to reach firewall NSF#2, it is dropped.
• Active-active solutions are dependent on GARP messages to update ARP caches. External devices must not block GARP messages.

[Figure 5-2 Active-Active Failover Configuration. Client 200.1.1.150 on the dirty side, with VIP 1 200.1.1.100 and VIP 2 200.1.1.200; Server 100.1.1.150 on the clean side, with VIP 1 100.1.1.100 and VIP 2 100.1.1.200. NSF#1: Eth0 172.25.3.1/24 (SSI and CP Management), Eth1 10.10.1.1/24 (CP Sync), Eth2 100.1.1.1/24 (Clean), Eth3 200.1.1.1/24 (Dirty). NSF#2: Eth0 172.25.3.2/24 (SSI and CP Management), Eth1 10.10.1.2/24 (CP Sync), Eth2 100.1.1.2/24 (Clean), Eth3 200.1.1.2/24 (Dirty). MIP 172.25.3.10. Check Point Management Server and Client 172.25.3.38. Feeds over link 1 through link 4.]

In Figure 5-2, the network configuration uses separate routers and separate layer 7 switches to supply separate data feeds for the firewall hosts. The sync connection on port 2 supports stateful failover (see “Synchronizing Nortel Switched Firewalls” on page 159 for configuration details). Firewall NSF#1 is the master for the virtual IP address 200.1.1.100 (ip1) on port 4 and backs up the virtual IP address 200.1.1.200 (ip2) on port 4. Firewall NSF#2 is the master for virtual IP address 200.1.1.200 (addr2) on port 4 and backs up virtual IP address 200.1.1.100 (addr1) on port 4. When link 2 fails, NSF#2 takes over all of NSF#1’s interfaces and sends out GARP messages to remote caches. Now NSF#2 is the active master on all interfaces and handles all of NSF#1’s traffic. When the failure on link 2 is repaired, NSF#1 takes over its interfaces and becomes the active master again for all its virtual routers.

Requirements See “Requirements” on page 107.

Installing the Redundant Switched Firewall See “Installing the Redundant Switched Firewall” on page 108.

Configuration Check List

1. The Check Point sync network should be on a separate interface. It can also be in the SSI subnet.

2. If the sync interface is not the SSI interface, make sure the /cfg/net/if /vrrp/ip1 and /cfg/net/if /vrrp/ip2 settings for the sync interface are 0.0.0.0.

3. If a VLAN interface is used for sync, the interface with the lowest VLAN number is selected (for example, if you have VLAN 10 and 20 on the same port, select the interface with VLAN 10 as the sync interface).

4. Make sure the routers point to the ip1 and ip2 addresses in the /cfg/net/if /vrrp menu (200.1.1.100 or 100.1.1.100 in the sample configuration) and not to the addr1 and addr2 addresses in the /cfg/net/if menu (200.1.1.100 or 100.1.1.100 in the sample configuration).

5. Do not use the SSI MIP as the default gateway.

6. Make sure you have unchecked ClusterXL under the Cluster general properties tab in the Check Point SmartDashboard tool.

7. Do not enable Automatic proxy arp configuration in the SmartDashboard global properties tab. If you want to enable proxy arp, enable Proxy ARP in the CLI (/cfg/net/adv/parp/ena y) instead.

8. If you have NAT enabled on any of the VRRP interfaces, make sure VRRP packets (packets destined for 224.0.0.18) are never NATed. You can add this as the first manual NAT rule.


Configuring the Redundant Switched Firewall See “Configuring the Redundant Switched Firewall” on page 109.

Configuring Check Point Software

1. Enter the IP address for the external interface. The Check Point Gateway Cluster’s IP address should be one of the IP addresses of the external interface (/cfg/net/if /addr1 or /cfg/net/if /addr2).

   a) Check for proper third party configuration.

   b) Enable Synchronization.

2. Do not let Check Point handle ARP in Active-Active mode.

3. Configure the topology so that VRRP packets are not dropped because of anti-spoofing.

   a) Create a host node for the VRRP IP address.

   b) Create a simple group object containing the VRRP_IP node and the SSI network.

   c) Add this information to the cluster topology and the cluster members’ topology (NSF#1 and NSF#2). This procedure shows NSF#1 only.

4. Add your defined rule and push the policy.

5. If you are using Check Point SmartDefense TTL fingerprint scrambling, set TTL to 255 as shown below.

The remaining configuration in the cluster object can be set up according to the customer’s requirements.

132 „ Redundant Firewalls 213455-K, June 2005

Nortel Switched Firewall 2.3.1 User’s Guide and Command Reference

Configuration Dump for VRRP Active-Active Failover

/*
/* Configuration dump taken Fri Apr 1 14:08:07 PDT 2005
/* Version 2.3.1
/*
/*
/cfg
/cfg/sys
/cfg/sys/time
        tzone "America/Los_Angeles"
/cfg/sys/time/ntp
/cfg/sys/dns
/cfg/sys/cluster
        mip 172.25.3.10
/cfg/sys/cluster/host 1
        ip 172.25.3.1
/cfg/sys/cluster/host 2
        ip 172.25.3.2
/cfg/sys/accesslist
/cfg/sys/adm
        idle 10m
/cfg/sys/adm/telnet
        ena n
/cfg/sys/adm/ssh
        ena n
/cfg/sys/adm/web
/cfg/sys/adm/web/http
        port 80
        ena y
/cfg/sys/adm/web/ssl
        port 443
        ena n
        tls y
        sslv2 y
        sslv3 y
/cfg/sys/adm/web/ssl/certs
/cfg/sys/adm/web/ssl/certs/serv
/cfg/sys/adm/web/ssl/certs/ca
/cfg/sys/adm/snmp
        ena n
        model v2c
        level auth
        access d
        events n
        alarms n
        rcomm public
/cfg/sys/adm/snmp/users
/cfg/sys/adm/snmp/hosts
/cfg/sys/adm/snmp/system
/cfg/sys/adm/snmp/adv
/cfg/sys/log/arch
        email none
        smtp 0.0.0.0
        int "1, 0"
        size 0
/cfg/sys/user
        expire 0
/cfg/net
/cfg/net/port 1
        name "Host Port"
        autoneg on
        speed 0
        mode full
/cfg/net/port 2
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 3
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 4
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/if 1
        addr1 10.10.1.1
        addr2 10.10.1.2
        mask 255.255.255.0
        vlanid 0
        port 2
        ena y
/cfg/net/if 1/vrrp
        vrid 10
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 2
        addr1 100.1.1.1
        addr2 100.1.1.2
        mask 255.255.255.0
        vlanid 0
        port 3
        ena y
/cfg/net/if 2/vrrp
        vrid 20
        ip1 100.1.1.100
        ip2 100.1.1.200
/cfg/net/if 3
        addr1 200.1.1.1
        addr2 200.1.1.2
        mask 255.255.255.0
        vlanid 0
        port 4
        ena y
/cfg/net/if 3/vrrp
        vrid 30
        ip1 200.1.1.100
        ip2 200.1.1.200
/cfg/net/vrrp
        ha n
        aa y
        adint 3
        garp 1
        gbcast 2
/cfg/net/adv
/cfg/net/adv/route
        gateway 0.0.0.0
/cfg/net/adv/route/routes
/cfg/net/adv/parp
        enable y
/cfg/net/adv/parp/list
        add 100.1.1.200
/cfg/pnp
/cfg/fw
        ena y
/cfg/fw/sync
        ena y
/cfg/fw/client
/cfg/misc
        warn y

Configuring Check Point ClusterXL Failover

Check Point ClusterXL is used for clustering and load sharing. ClusterXL is Check Point’s implementation of failover. For more information on ClusterXL, refer to the Check Point documentation. Figure 5-3 illustrates the topology for configuring Check Point ClusterXL failover. The following topics are addressed in this section:

• “Configuration Check List on the Management Station” on page 137
• “Step-by-Step Configuration Procedure” on page 138
• “Configuration Dump for Check Point ClusterXL Failover” on page 153

[Figure 5-3 Configuring ClusterXL. The diagram shows:
 - Check Point Management Server and Client, 172.25.3.38, on the management network; cluster MIP 172.25.3.10
 - NSF#1: Eth0 172.25.3.1/24 (Management, port 1), Eth1 10.10.1.1/24 (Sync, port 2), Eth2 100.1.1.1/24 (Clean, port 3), Eth3 200.1.1.1/24 (port 4)
 - NSF#2: Eth0 172.25.3.2/24 (Management, port 1), Eth1 10.10.1.2/24 (Sync, port 2), Eth2 100.1.1.2/24 (Clean, port 3), Eth3 200.1.1.2/24 (port 4)
 - Cluster IPs: 100.1.1.100 on the 100.1.1.0 side and 200.1.1.100 on the 200.1.1.0 side
 - Client 100.1.1.150, gw 100.1.1.100; Server 100.1.1.150, gw 200.1.1.100]

Configuration Check List on the Management Station

Using the SmartDashboard tool on the management station, do the following:

1. Decide on the cluster IP address for each interface that you want to publish to other devices as a gateway or route. In this example, the cluster IP addresses 100.1.1.100 (port 3) and 200.1.1.100 (port 4) are published as gateway addresses.

2. There is no cluster IP address configuration for the sync interface (port 2).

3. There is no cluster IP address configuration for the management interface (port 1).

4. In this example, ClusterXL load sharing is used in unicast mode, because some routers do not support multicast MAC addresses. If your router supports multicast MAC addresses, you can select the multicast mode of ClusterXL (see page 149).

5. Select IPs in the Advanced Load Sharing configuration (see page 149).

6. The Check Point Gateway Cluster IP address should be the cluster IP address of the external interface.

7. Unlike the Switched Firewall active-standby and active-active configurations, you must let Check Point handle proxy ARP (see page 152). In the Switched Firewall CLI configuration, proxy ARP is disabled (/cfg/net/adv/parp/enable n).

NOTE – If you are using ClusterXL load sharing in multicast mode, make sure your routers and switches can forward data packets with a multicast MAC address.

Step-by-Step Configuration Procedure

1. Create a host node for the SSI MIP.

2. Click Communication and provide the activation key.

3. Press the Initialize button.

   The Trust state shows “Trust established”. If trust is not established, there is no communication between the management station and the firewall. Close the window; the Cluster Members property window then displays the DN details.

4. Select the Topology tab.

5. Click Communication and provide the activation key.

6. Press the Initialize button.

   The Trust state shows “Trust established”. If trust is not established, there is no communication between the management station and the firewall. Close the window; the Cluster Members property window then displays the DN details.

7. Select the Topology tab.

8. Select Load Sharing for the ClusterXL properties.

9. Enable proxy ARP.

Complete the remaining configuration to add the necessary rules and push the policy to the firewalls. Make sure the sync is up by running cphaprob stat.

Configuration Dump for Check Point ClusterXL Failover

This section shows the configuration dump for Figure 5-3 on page 136. Note the following items in the dump:

1. Sync is enabled.
2. VRRP (ha/aa) is not enabled.
3. ClusterXL is enabled (/cfg/net/vrrp/clusterxl).
4. The IP addresses of the individual member interfaces are configured using /cfg/net/if#/addr1 and /cfg/net/if#/addr2.
5. Set /cfg/net/if#/vrrp/ip1 and /cfg/net/if#/vrrp/ip2 to 0.0.0.0.
6. Port 1 is used for the SSI.
7. Port 2 is used for sync.

/* Configuration dump taken Fri Apr 1 14:08:07 PDT 2005
/* Version 2.3.1
/*
/*
/*
/cfg
/cfg/sys
        gateway 0.0.0.0
/cfg/sys/routes
/cfg/sys/time
        tzone "America/Los_Angeles"
/cfg/sys/time/ntp
/cfg/sys/dns
/cfg/sys/cluster
        mip 172.25.3.10
/cfg/sys/cluster/host 1
        ip 172.25.3.1
/cfg/sys/cluster/host 2
        ip 172.25.3.2
/cfg/sys/accesslist
/cfg/sys/adm
        idle 10m
/cfg/sys/adm/telnet
        ena n
/cfg/sys/adm/ssh
        ena n
/cfg/sys/adm/web
/cfg/sys/adm/web/http
        port 80
        ena y
/cfg/sys/adm/web/ssl
        port 443
        ena n
        tls y
        sslv2 y
        sslv3 y
/cfg/sys/adm/web/ssl/certs
/cfg/sys/adm/web/ssl/certs/serv
/cfg/sys/adm/web/ssl/certs/ca
/cfg/sys/adm/snmp
        ena n
        model v2c
        level auth
        access d
        events n
        alarms n
        rcomm public
/cfg/sys/adm/snmp/users
/cfg/sys/adm/snmp/hosts
/cfg/sys/adm/snmp/system
/cfg/sys/adm/snmp/adv
        trapsrcip auto
/cfg/sys/log
        debug n
        srcip auto
/cfg/sys/log/syslog
/cfg/sys/log/ela
        ena n
        addr 0.0.0.0
        sev err
/cfg/sys/log/arch
        email none
        smtp 0.0.0.0
        int "1, 0"
        size 0
/cfg/sys/user
        expire 0
/cfg/net
/cfg/net/port 1
        name "Host Port"
        autoneg on
        speed 0
        mode full
/cfg/net/port 2
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 3
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/port 4
        name none
        autoneg on
        speed 0
        mode full
/cfg/net/if 2
        addr1 100.1.1.1
        addr2 100.1.1.2
        mask 255.255.255.0
        vlanid 0
        port 3
        ena y
/cfg/net/if 2/vrrp
        vrid 1
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 3
        addr1 200.1.1.1
        addr2 200.1.1.2
        mask 255.255.255.0
        vlanid 0
        port 4
        ena y
/cfg/net/if 3/vrrp
        vrid 1
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/if 10
        addr1 10.10.1.1
        addr2 10.10.1.2
        mask 255.255.255.0
        vlanid 0
        port 2
        ena y
/cfg/net/if 10/vrrp
        vrid 1
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/parp
        enable n
/cfg/net/parp/list
/cfg/net/vrrp
        ha n
        aa n
        ClusterXL y
        adint 3
        garp 1
        gbcast 2
/cfg/net/adv
/cfg/pnp
/cfg/fw
        ena y
/cfg/fw/sync
        ena y
/cfg/fw/client
/cfg/misc
        warn y
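The VRRP active-active dump earlier in this chapter and the ClusterXL dump above differ only in a handful of settings, and those settings are exactly what the two checklists enumerate (sync on, ha/aa versus ClusterXL, VRRP addresses present or 0.0.0.0, proxy ARP on the NSF or left to Check Point). The following Python script is an added example and is not part of the Nortel guide or the NSF software: it parses the dump format (a /cfg path line, optionally with an instance index, followed by indented key/value pairs, with /* comment lines) and checks the invariants both checklists state. The embedded dumps are constructed, abridged copies of the two on this page; parse_dump(), check_clusterxl(), check_active_active() and the other names are the example's own.

```python
# Added example: parse an NSF /cfg dump and check it against the checklists in
# this chapter. Not NSF code; every name below is the example's own.
import re
import shlex

# Constructed, abridged excerpts in the dump format shown in this chapter.
CLUSTERXL_DUMP = """\
/cfg/net/if 2/vrrp
        ip1 0.0.0.0
        ip2 0.0.0.0
/cfg/net/parp
        enable n
/cfg/net/vrrp
        ha n
        aa n
        ClusterXL y
/cfg/fw/sync
        ena y
"""
ACTIVE_ACTIVE_DUMP = """\
/cfg/sys/log/arch
        int "1, 0"
/cfg/net/if 2/vrrp
        ip1 100.1.1.100
        ip2 100.1.1.200
/cfg/net/vrrp
        ha n
        aa y
/cfg/net/adv/parp
        enable y
/cfg/fw/sync
        ena y
"""
PATH_INDEX = re.compile(r"\d+(/\S*)?")  # "2" or "2/vrrp" following "/cfg/net/if"
UNSET = "0.0.0.0"                       # the CLI shows an unconfigured address this way

def parse_dump(text):
    """Return {section path: {key: value}}; shlex keeps quoted values whole."""
    cfg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):  # blank or /* comment line
            continue
        tokens, i = shlex.split(line), 0
        while i < len(tokens):
            if tokens[i].startswith("/"):  # a new section path
                path = tokens[i]
                if i + 1 < len(tokens) and PATH_INDEX.fullmatch(tokens[i + 1]):
                    path += " " + tokens[i + 1]  # the instance index is part of the path
                    i += 1
                current = cfg.setdefault(path, {})
                i += 1
            else:  # "key value" pair inside the current section
                if current is None or i + 1 >= len(tokens):
                    raise ValueError(f"stray token {tokens[i]!r} in {line!r}")
                current[tokens[i]] = tokens[i + 1]
                i += 2
    return cfg

def vrrp_sections(cfg):
    """(interface path, settings) for every /cfg/net/if N/vrrp section."""
    return [(p[:-5], v) for p, v in cfg.items() if re.fullmatch(r"/cfg/net/if \d+/vrrp", p)]

def parp_enabled(cfg):
    """Proxy ARP lives under /cfg/net/adv/parp in one dump and /cfg/net/parp in the other."""
    return any(cfg.get(p, {}).get("enable") == "y" for p in ("/cfg/net/parp", "/cfg/net/adv/parp"))

def check_clusterxl(cfg):
    """Deviations from the ClusterXL checklist; an empty list means compliant."""
    problems, vrrp = [], cfg.get("/cfg/net/vrrp", {})
    if cfg.get("/cfg/fw/sync", {}).get("ena") != "y":
        problems.append("sync not enabled (/cfg/fw/sync ena y)")
    if vrrp.get("ha") == "y" or vrrp.get("aa") == "y":
        problems.append("VRRP ha/aa must be off when ClusterXL is used")
    if vrrp.get("ClusterXL", vrrp.get("clusterxl")) != "y":
        problems.append("ClusterXL not enabled (/cfg/net/vrrp/clusterxl)")
    for ifpath, vals in vrrp_sections(cfg):
        for key in ("ip1", "ip2"):
            if vals.get(key, UNSET) != UNSET:
                problems.append(f"{ifpath}/vrrp {key} must be 0.0.0.0 under ClusterXL")
    if parp_enabled(cfg):  # Check Point handles proxy ARP in this mode
        problems.append("NSF proxy ARP must be disabled under ClusterXL")
    return problems

def check_active_active(cfg):
    """Deviations from the VRRP active-active setup; an empty list means compliant."""
    problems, vrrp = [], cfg.get("/cfg/net/vrrp", {})
    if vrrp.get("aa") != "y" or vrrp.get("ha") == "y":
        problems.append("active-active needs /cfg/net/vrrp aa y and ha n")
    if vrrp.get("ClusterXL", vrrp.get("clusterxl")) == "y":
        problems.append("ClusterXL must be off when VRRP failover is used")
    if cfg.get("/cfg/fw/sync", {}).get("ena") != "y":
        problems.append("sync not enabled (/cfg/fw/sync ena y)")
    for ifpath, vals in vrrp_sections(cfg):
        ip1, ip2 = vals.get("ip1", UNSET), vals.get("ip2", UNSET)
        if (ip1 == UNSET) != (ip2 == UNSET):  # both virtual routers or neither
            problems.append(f"{ifpath}/vrrp needs both ip1 and ip2 in active-active mode")
    return problems
```

Run check_clusterxl() on a dump taken from a cluster that was converted from VRRP to ClusterXL and it reports every leftover VRRP address and the still-enabled NSF proxy ARP, which is the combination that leaves two boxes answering ARP for the same address.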

Establishing Trust on Redundant Firewalls

The ability to establish trust (Secure Internal Communication, or SIC) on redundant firewalls is required so that you can push policies to them from the Check Point SmartCenter Server. Static routes must be added if your management station is on a different network from the firewall host network. In the example below, the management station is behind the firewall (a common strategy) on the same network as the virtual router interface (see Figure 5-1 on page 106).

1. Open a DOS window on the management station and enter a static route between addr1 and the host #1 IP address. (For this example, the management station interface IP address is 10.10.1.200. Use the addr1 IP address as the gateway.)

   C:\ route add 10.10.1.193 mask 255.255.255.255 33.1.1.12 -p
                 ^destination     ^mask           ^gateway

2. Enter a static route between addr2 and the host #2 IP address (use the addr2 IP address as the gateway):

   C:\ route add 10.10.1.194 mask 255.255.255.255 33.1.1.13 -p

3. At the local console, add the management station IP address to the cluster access list:

   >> Main# /cfg/sys/accesslist/add
   Enter network address: 10.10.1.200       (Management station IP address)
   Enter netmask: 255.255.255.0
   >> Main# apply                           (Applies data to both firewalls)

4. From the Check Point SmartDashboard, establish trust with both Firewall objects (firewall host #1 and firewall host #2). See “Re-establishing SIC” on page 367.

Managing through the VRRP Interface

If the Nortel Switched Firewalls are connected to the management server through a VRRP interface, you may not be able to establish SIC and push the policy. In that case, follow the procedure below.

1. Clear all the ARP entries on the Management Server (arp -d).
2. Turn off HA (/cfg/net/vrrp/ha n, then apply).
3. Complete the SIC if it is not in the communicating status.
4. Complete the SmartDashboard configuration.
5. Push the policy.
6. Turn on HA (/cfg/net/vrrp/ha y, then apply).

Synchronizing Nortel Switched Firewalls

Two Switched Firewalls can be synchronized to provide stateful failover of sessions. With synchronization, open sessions on a failed Switched Firewall are transparently reassigned to the backup Switched Firewall. You must configure synchronization using the CLI (see below) and the Check Point SmartDashboard (see page 115). The VRRP features and the virtual router must also be configured (see “Configuring the Redundant Switched Firewall” on page 109).

Synchronization will impair system performance if the traffic includes many short-lived sessions. Enable synchronization only for services that benefit from it (such as Telnet) and not for services that do not (such as HTTP).

1. Configure the Sync interfaces (see Step 9 on page 111).

2. Test the Sync network (test initiated on example Host 2).

   >> Main# /maint/fw/sync
   Cluster Mode:   Sync only (OPSEC)
   Number       Unique Address   Firewall State (*)
   1 (local)    10.10.1.193      active
   2            10.10.1.193      active
   (*) FW-1 monitors only the sync operation and the security policy
       Use OPSEC’s monitoring tool to get the cluster status
   >> Firewall Maintenance#

3. From the Check Point SmartDashboard, update the firewall interface information. See page 115.

4. From the Check Point SmartDashboard, re-install the security policies on both Nortel Switched Firewalls.

CHAPTER 6

Layer 2 and Layer 3 Firewalls

NSF 2.3.1 allows you to configure your firewall in bridge mode. This chapter describes how to configure the Nortel Switched Firewall for Layer 2 and Layer 3 firewalls.

• “Overview” on page 162
• “Configuring Layer 2 Bridge Mode Firewall” on page 162
• “Configuring a Layer 3 Firewall” on page 170
• “Configuration Issues” on page 178

Overview

A bridge connects two separate network segments in a protocol-independent way. You implement a bridging firewall if you want to change your firewall configuration without having to reconfigure your entire network topology. A bridging firewall is also called a transparent or stealth firewall because it is effectively invisible on the network. All protocols traverse a bridge transparently, because forwarding is done at Layer 2: packets are forwarded based on the Ethernet address rather than the IP address. An Ethernet bridge distributes Ethernet frames from one port to the other ports associated with the bridge interface.

NOTE – Layer 2 and Layer 3 firewalls are not supported on the NSF 5109 model.

NSF 2.3.1 supports two modes: Layer 2 and Layer 3 firewall. The procedures to configure a Layer 2 or Layer 3 firewall differ only in the configuration of the bridge interface IP addresses. A Layer 3 firewall requires valid IP addresses for the addr1 and addr2 commands in the /cfg/net/bridge menu; a Layer 2 bridging firewall requires no IP addresses.

Configuring Layer 2 Bridge Mode Firewall

To configure a Layer 2 bridge mode firewall, you must create a Layer 2 bridge and then add physical ports to the bridge. You can create up to 25 bridges and add any physical port other than the SSI management port to these bridges. If you define bridges for specific VLANs, the ports attached to the bridge listen to those VLANs only. If the SSI management interface is configured on a VLAN, the same VLAN cannot be used for the bridge.

To configure a Layer 2 bridge mode firewall, perform the following:

1. “Configuring the Firewall Software” on page 163
2. “Configuring the Check Point Software” on page 166

Configuring the Firewall Software

Figure 6-1 shows the network topology for configuring a Layer 2 bridge mode firewall. NSF#1 and NSF#2 are configured for a Layer 2 bridge mode firewall. The Layer 2 bridge is configured on interfaces eth2 and eth3 on ports 3 and 4. The sync (172.35.2.5/6) and management (172.16.2.144/145) network is configured on port 1, but on different VLANs.

[Figure 6-1 Configuring Layer 2 Bridging Firewall. The diagram shows: the Management Station 172.16.2.147 and the firewall console on an L2 switch attached to port 1 of NSF#1 (172.16.2.143, sync 172.35.2.5) and NSF#2 (172.16.2.144, sync 172.35.2.6), MIP 172.16.2.145; ports 3 (eth2) and 4 (eth3) of each firewall attached through L2 switches to Host 1 172.16.5.11, Host 2 172.16.5.12, Host 3 172.16.5.13 and Host 4 172.16.5.14.]

To configure a Layer 2 bridging firewall, follow this procedure on NSF#1 and then on NSF#2.

1. Configure the bridge parameters on both firewalls. Specify the ports participating in the bridging firewall. (Set the VLAN ID if the ports are used by other interfaces.)

   >> # /cfg/net/bridge 1
   Bridge 1# ports
   Bridge 1 Ports# add 3          (Port 3 participates in the bridge)
   Bridge 1 Ports# add 4          (Port 4 participates in the bridge)
   Bridge 1 Ports# ..
   Bridge 1# ena                  (Enable the Layer 2 bridge)

   The configuration menu allows you to create up to 25 bridges. You can add any physical port other than the SSI management port to these bridges. The bridge ID is the MAC address of one of the physical interfaces added to the bridge.

   NOTE – If the SSI management interface is configured on a VLAN, the same VLAN cannot be used for the bridge.

   Failover support: To support failover on Layer 2 firewalls, you must configure VRRP in one of the following two ways:

   • Pure Layer 2 mode: Configure at least one non-bridge interface with VRRP, and a bridge interface without VRRP and IP addresses.

   • Layer 2-Layer 3 mode: Configure the bridge interface with VRRP and IP addresses as follows:
     - addr1 and addr2 in the cfg/net/bridge# menu
     - ip1 in the cfg/net/bridge#/vrrp menu

   Configuring these addresses enables VRRP support on the bridge interface, but the firewall then functions in Layer 3 mode.

   NOTE – Nortel recommends defining multiple interfaces with VRRP. If a single interface is configured in Layer 2-Layer 3 mode, failure of that interface breaks the cluster and stops the Layer 2 firewall from functioning.
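The two failover layouts above, together with the bridge limits stated at the start of this section (at most 25 bridges, no SSI management port in a bridge, no SSI management VLAN on a bridge, no nested bridges), are easy to get wrong once several bridges and interfaces are in play. The following Python model is an added example and is not part of the Nortel guide or the NSF CLI: it classifies each bridge as pure Layer 2 or Layer 2-Layer 3 from its addr1/addr2 settings and validates the VRRP layout against the rules above. The Bridge, Interface and Cluster classes, bridge_mode() and validate_bridging() are the example's own names, and the sample cluster is constructed from the addresses used in this chapter's figures.

```python
# Added example: a model of the Layer 2 / Layer 2-Layer 3 bridge rules in this
# section. Not NSF code; the classes and functions are the example's own.
from dataclasses import dataclass, field

UNSET = "0.0.0.0"        # the NSF CLI shows an unconfigured address as 0.0.0.0
MAX_BRIDGES = 25         # limit stated in the guide


@dataclass
class Bridge:
    bid: int
    ports: list
    vlanid: int = 0
    addr1: str = UNSET
    addr2: str = UNSET
    vrrp_ip1: str = UNSET


@dataclass
class Interface:
    iid: int
    port: int
    vlanid: int = 0
    vrrp_ip1: str = UNSET


@dataclass
class Cluster:
    ssi_port: int = 1    # SSI management port (port 1 in this chapter's figures)
    ssi_vlan: int = 0    # 0 means the SSI interface is untagged
    bridges: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)


def bridge_mode(b):
    """'layer2' for a pure bridge, 'layer3' once addr1/addr2 are configured."""
    return "layer2" if b.addr1 == UNSET and b.addr2 == UNSET else "layer3"


def validate_bridging(cluster):
    """Return (errors, warnings) for the cluster's bridge and VRRP layout."""
    errors, warnings = [], []
    if len(cluster.bridges) > MAX_BRIDGES:
        errors.append(f"more than {MAX_BRIDGES} bridges configured")
    seen_ports = {}
    for b in cluster.bridges:
        for p in b.ports:
            if p == cluster.ssi_port:
                errors.append(f"bridge {b.bid}: SSI management port {p} cannot be bridged")
            if p in seen_ports:  # a port in two bridges would nest them
                errors.append(f"bridge {b.bid}: port {p} already in bridge {seen_ports[p]}")
            seen_ports[p] = b.bid
        if cluster.ssi_vlan and b.vlanid == cluster.ssi_vlan:
            errors.append(f"bridge {b.bid}: VLAN {b.vlanid} is the SSI management VLAN")
        if bridge_mode(b) == "layer3":
            if b.addr1 == UNSET or b.addr2 == UNSET or b.vrrp_ip1 == UNSET:
                errors.append(f"bridge {b.bid}: Layer 2-Layer 3 mode needs addr1, addr2 and vrrp ip1")
        elif b.vrrp_ip1 != UNSET:
            errors.append(f"bridge {b.bid}: pure Layer 2 bridge must not carry a VRRP address")
    # Failover: VRRP must run somewhere, and a pure Layer 2 bridge needs it on a
    # non-bridge interface because the bridge itself has no address to advertise.
    vrrp_carriers = [f"interface {i.iid}" for i in cluster.interfaces if i.vrrp_ip1 != UNSET]
    vrrp_carriers += [f"bridge {b.bid}" for b in cluster.bridges if b.vrrp_ip1 != UNSET]
    pure_l2 = [b for b in cluster.bridges if bridge_mode(b) == "layer2"]
    if pure_l2 and not any(c.startswith("interface") for c in vrrp_carriers):
        errors.append("pure Layer 2 mode needs at least one non-bridge interface with VRRP")
    if cluster.bridges and len(vrrp_carriers) == 1:  # the guide's single-interface warning
        warnings.append(f"only {vrrp_carriers[0]} runs VRRP; its failure breaks the cluster")
    return errors, warnings


# Constructed sample: bridge 1 on ports 3 and 4 in Layer 2-Layer 3 mode, as in
# the Layer 3 procedure of this chapter, plus the external interface on port 2
# and the tagged sync interface on port 1.
EXAMPLE = Cluster(
    ssi_vlan=3,
    bridges=[Bridge(1, [3, 4], addr1="172.16.5.5", addr2="172.16.5.6", vrrp_ip1="172.16.5.1")],
    interfaces=[Interface(1, 1, vlanid=2), Interface(2, 2, vrrp_ip1="192.168.1.1")],
)
```

validate_bridging(EXAMPLE) returns no errors and no warnings because two interfaces carry VRRP; drop the external interface and the single-interface warning from the note above is reported.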

2. Verify the Layer 2 bridge configuration.

   NOTE – Make sure the bridge address is 0.0.0.0. An IP address is not required for a pure Layer 2 bridge interface.

   >> Network Configuration# /info/net/bridge
   Bridge Information
   Id  Ports  Vlan  Bridge Address  VRRP Address  VRID  Status
   ==  =====  ====  ==============  ============  ====  =======
   1   3,4    0     1: 0.0.0.0/0    1: 0.0.0.0    1     Enabled

3. On Hosts 1 through 4, configure the default gateway IP address 172.16.5.1.

4. Using the CLI, verify the other interfaces configured on the firewall. The management network and sync configuration are connected through Interface 1.

   >> info_net# /info/net/if/
   Interface Information
   Id  Port  Vlan  Host Address      VRRP Address  VRID  Status
   ==  ====  ====  ================  ============  ====  =======
   1   1     2     1: 172.35.2.5/24  1: 0.0.0.0    1     Enabled
                   2: 172.35.2.6/24

Proceed to the next section to configure the Check Point software to support Layer 2 bridge mode.

Configuring the Check Point Software

Follow this procedure to configure the Check Point software to support Layer 2 bridge mode.

1. Configure the cluster to include Switched Firewall NSF#1 and Switched Firewall NSF#2.

2. Select Switched Firewall NSF#1 and click Edit.

3. Select the Topology tab and click “Get...” Interfaces. Check Point cannot identify a pure Layer 2 bridge device because the bridge interface does not hold a valid IP address.

4. Repeat Step 2 and Step 3 for Switched Firewall NSF#2.

5. Manually add ports 3 and 4 to eth2 and eth3 with the IP subnet 172.16.5.0/255.255.255.0 (the host PC IP address range).

6. Enable anti-address spoofing on all interfaces, including the bridge interfaces. Check Point disables address spoofing on bridge ports unless they are manually added to the configuration as shown below (eth2 and eth3 are bridge ports).

7. Configure the sync network.

8. Configure the topology for the cluster.

9. Configure VRRP high availability. Make sure the VRRP IP addresses (ip1 and ip2) are configured for the bridge interface.

Configuring a Layer 3 Firewall

Nortel Switched Firewall 2.3.1 allows you to configure a Layer 3 mode firewall using the CLI or the BBI. To configure a Layer 3 firewall, perform the following:

1. “Configuring the Firewall Software” on page 170
2. “Configuring the Check Point Software” on page 174

Configuring the Firewall Software

Figure 6-2 shows the network topology for configuring a Layer 3 firewall. NSF#1 and NSF#2 are configured for a Layer 3 firewall. The Layer 3 firewall is configured on interfaces eth2 and eth3 on ports 3 and 4. The external network is configured on interface eth1 on port 2. The sync (172.35.2.5/6) and management (172.16.2.144/145) network is configured on port 1, but on different VLANs.

[Figure 6-2 Configuring Layer 3 Firewall. The diagram shows: Host 5 and Host 6 on the External network behind a router and an L2 switch, attached to port 2 (eth1) of NSF#1 (192.168.1.5) and NSF#2 (192.168.1.6); the Management Station 172.16.2.147 and the firewall console on port 1 of NSF#1 (172.16.2.143, sync 172.35.2.5) and NSF#2 (172.16.2.144, sync 172.35.2.6), MIP 172.16.2.145; ports 3 (eth2) and 4 (eth3) of NSF#1 (172.16.5.5) and NSF#2 (172.16.5.6) attached through L2 switches to the Internal network with Host 1 172.16.5.11, Host 2 172.16.5.12, Host 3 172.16.5.13 and Host 4 172.16.5.14.]

To configure a Layer 3 firewall, follow this procedure on NSF#1 and then on NSF#2.

1. Configure the basic firewall configuration on Switched Firewall NSF#1. In the initial setup of the firewall (see “Setting Up the Basic Configuration” on page 37), specify port 3 for the management network and the firewall IP address 172.16.2.143. Specify VLAN tag ID 3 with the MIP address, 172.16.2.145. Configure the sync (IP address 172.35.2.5) and management (eth0) interfaces on port 1, but on different VLANs.

   eth0 : 172.16.2.143 (VLAN tag: 3)
   MIP  : 172.16.2.145 (eth0.2:1)
   eth0 : 172.35.2.5   (VLAN tag: 2, SYNC interface)

2. Configure the basic firewall configuration on Switched Firewall NSF#2. In the initial setup of the firewall (see “Setting Up the Basic Configuration” on page 37), specify port 3 for the management network and the firewall IP address 172.16.2.144. Specify VLAN tag ID 3 for the management traffic. Configure the sync (IP address 172.35.2.6) and management (eth0) interfaces on port 1, but on different VLANs.

   eth0 : 172.16.2.144 (VLAN tag: 3)
   eth0 : 172.35.2.6   (VLAN tag: 2, SYNC interface)

3. Configure IP addresses and other parameters on both firewalls. Specify the ports participating in the Layer 3 firewall and set the VLAN ID if the ports are used by other interfaces.

   >> # /cfg/net/bridge 1
   Bridge 1# addr1 172.16.5.5          (Set address 1 for bridge 1)
   Bridge 1# addr2 172.16.5.6          (Set address 2 for bridge 1)
   Bridge 1# mask 255.255.255.0
   Bridge 1# ports
   Bridge 1 Ports# add 3               (Port 3 participates in the bridge)
   Bridge 1 Ports# add 4               (Port 4 participates in the bridge)
   Bridge 1 Ports# ..
   Bridge 1# vrrp/ip1 172.16.5.1
   VrrpBridge 1# ../ena                (Enable bridge 1)

4. Verify the Layer 3 firewall configuration.

   >> Network Configuration# /info/net/bridge
   Bridge Information
   Id  Ports  Vlan  Bridge Address    VRRP Address   VRID  Status
   ==  =====  ====  ================  =============  ====  =======
   1   2,3    0     1: 172.16.5.5/24  1: 172.16.5.1  10    Enabled
                    2: 172.16.5.6/24

5. Internal network: On Hosts 1 through 4, configure the default gateway IP address 172.16.5.1.

6. External network: On Hosts 5 and 6, configure the default gateway IP address 192.168.1.1.

7. Using the CLI, verify the other interfaces configured on the firewall. The management network and sync configuration are connected through Interface 1, and the external network is connected through Interface 2.

   >> info_net# /info/net/if/
   Interface Information
   Id  Port  Vlan  Host Address       VRRP Address    VRID  Status
   ==  ====  ====  =================  ==============  ====  =======
   1   1     2     1: 172.35.2.5/24   1: 0.0.0.0      1     Enabled
                   2: 172.35.2.6/24
   2   2     0     1: 192.168.1.5/24  1: 192.168.1.1  20    Enabled
                   2: 192.168.1.6/24

Proceed to the next section to configure the Check Point software to support a Layer 3 firewall.

Configuring the Check Point Software

Follow this procedure to configure the Check Point software to support a Layer 3 firewall.

1. Configure the cluster to include Switched Firewall NSF#1 and Switched Firewall NSF#2.

2. Select Switched Firewall NSF#1 and click Edit.

3. Select the Topology tab and click “Get...” Interfaces. Check Point identifies a Layer 3 device because the bridge interface holds a valid IP address.

4. Repeat Step 2 and Step 3 for Switched Firewall NSF#2.

5. Manually add ports 3 and 4 to eth2 and eth3 with their real IP addresses (172.16.5.5/255.255.255.0 for NSF#1 and 172.16.5.6/255.255.255.0 for NSF#2).

6. Enable anti-address spoofing on all interfaces, including the bridge interfaces. The Check Point software disables address spoofing on bridge ports unless they are manually added to the configuration as shown below (eth2 and eth3 are bridge ports).

7. Configure the sync network.

   The configuration menu allows you to create up to 25 bridges. You can add any physical port other than the SSI management port to these bridges. The bridge ID is the MAC address of one of the physical interfaces added to the bridge. If the SSI management interface is configured on a VLAN, the same VLAN cannot be used for any bridge.

8. Configure the topology for the cluster.

9. Configure VRRP high availability. Make sure the VRRP IP addresses (ip1 and ip2) are configured for the bridge interface.

Configuration Issues

• Nortel Switched Firewall does not support Spanning Tree Protocol, even though the Linux kernel supports it.

• A pure Layer 2 bridge does not show in “traceroute.”

• All ports participating in a bridge should be in the same VLAN. Currently, nested bridges are not supported, and a bridge cannot have different VLAN tags.

• TCP proxies, NAT, VPN, and SYNDefender are not supported on a Layer 2 firewall.

• If VLANs are configured on the bridge, then TAG is always enabled for that interface. If you configure an interface on a VLAN, do not connect a Windows PC directly to the firewall; instead, add an 802.1q-capable Layer 2 switch between the PC and the firewall. A VLAN TAG of 0 indicates an untagged port. For more information on VLAN and Layer 2 switch configuration, see “VLAN Tags” on page 66.

CHAPTER 7

Applications

This chapter describes several applications, including Check Point applications, that Nortel Switched Firewall 2.3.1 supports:

• “Uninterruptible Power Supply” on page 180
• “RADIUS Authentication” on page 185
• “VPN Support” on page 187
• “ISP Redundancy” on page 188
• “User Authority” on page 189

Uninterruptible Power Supply

Nortel Switched Firewall 2.3.1 supports the American Power Corporation (APC) UPS daemon. This enables your firewall to function during power outages. NSF 2.3.1 supports a UPS connected through the following devices:

• USB port
• Ethernet through SNMP

In a power failure, the APC UPS daemon informs the firewall of the power failure and that a shutdown may occur. If power is not restored, a system shutdown follows when the battery is exhausted, a timeout (in seconds) expires, or the runtime expires based on internal APC calculations. NSF 2.3.1 allows you to monitor power with a battery meter and an alarm; finally, the firewall shuts down when the UPS battery is exhausted.

Sometimes power returns during the system shutdown process. Most UPS devices cannot shut down when power is present, which would lead to a deadlock (the system halts until you restart it). However, the NSF 2.3.1 UPS daemon not only shuts down the UPS but also checks the power line just before the end of the halt script. If it detects that power has been restored, it reboots the firewall. Also, detection of the low-battery signal from the UPS can be used to shut down the firewall immediately.
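The shutdown logic described above has one subtle case: mains power returning after the halt has already started, where a plain halt would leave the firewall off until someone visits it. The following Python model is an added example, not the NSF or APC daemon code. It encodes the triggers this section names (battery at or below the configured level, a timeout in seconds, the UPS low-battery signal) and the power-line check at the end of the halt script. The UpsStatus and UpsMonitor classes, run_scenario() and the status samples are the example's own constructions; the level parameter mirrors the /cfg/sys/ups/level setting shown in the procedures that follow.

```python
# Added example: a model of the UPS shutdown decisions described in this
# section. Not the NSF or APC daemon; class and method names are the example's own.
from dataclasses import dataclass


@dataclass
class UpsStatus:
    """One status sample from the UPS (constructed input for the model)."""
    on_battery: bool
    battery_pct: int
    low_battery: bool = False        # the UPS's own low-battery signal
    seconds_on_battery: int = 0


class UpsMonitor:
    def __init__(self, level=5, timeout=None):
        self.level = level           # like /cfg/sys/ups/level: shut down at this battery %
        self.timeout = timeout       # optional seconds on battery before a forced shutdown

    def decide(self, s):
        """Return 'run', 'alarm' or 'shutdown' for one status sample."""
        if not s.on_battery:
            return "run"             # mains power present, nothing to do
        if s.low_battery or s.battery_pct <= self.level:
            return "shutdown"        # battery exhausted, or the UPS says it soon will be
        if self.timeout is not None and s.seconds_on_battery >= self.timeout:
            return "shutdown"        # configured timeout expired
        return "alarm"               # still on battery: keep the operator warned

    @staticmethod
    def finish_halt(power_present):
        """Last step of the halt script. A halted box cannot be power-cycled by a
        UPS that sees mains power, so reboot instead of halting if power is back."""
        return "reboot" if power_present else "halt"


def run_scenario(monitor, samples, power_at_halt):
    """Feed samples in order; return the final action the firewall takes."""
    for s in samples:
        if monitor.decide(s) == "shutdown":
            return monitor.finish_halt(power_at_halt)
    return "run"
```

Feeding run_scenario() a draining battery with power_at_halt=True yields "reboot" rather than "halt", which is the behaviour the paragraph above describes for power returning during the shutdown.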

Configuring UPS Support

To configure the firewall to support a UPS, you need to specify the UPS mode. Depending on the UPS mode, you are prompted to specify other parameters. Figure 7-1, Figure 7-2 on page 181, and Figure 7-3 on page 183 show three different UPS configurations. Figure 7-1 shows the Switched Firewall configured for UPS support in a basic standalone mode using the USB port.

[Figure 7-1 Configuring UPS in a Standalone Mode: the Nortel Switched Firewall (with its firewall console) is connected to the UPS device by a USB cable and a power cable.]

Use the following commands to configure the firewall for the configuration shown in Figure 7-1:

1. Select the UPS type.

   >> # /cfg/sys/ups/type
   Current value: usb
   Enter UPS type [usb/snmp]: usb

2. Specify the battery level (0-100%) of the UPS device at which the firewall will be shut down.

   >> # /cfg/sys/ups/level
   Current value: 5
   Enter battery level (%):                  (Specify the battery level)

3. Enable the UPS monitor.

   >> # /cfg/sys/ups/ena                     (Enables the APC UPS monitor)

Figure 7-2 shows the Switched Firewall configured for UPS support in a Master-Slave mode using the USB port.

Figure 7-2 Configuring UPS in a Master-Slave Mode using USB Port (the UPS device is connected to Nortel Switched Firewall #1, the Master, by a USB cable and a power cable, and to Nortel Switched Firewall #2, the Slave, by a power cable)


Use the following commands to configure the firewall for the configuration shown in Figure 7-2:

1. Select the UPS type.

>> # /cfg/sys/ups/type
Current value: usb
Enter UPS type [usb/snmp]: usb

2. Specify the Master firewall for the UPS device (enter the master IP address).

>> # /cfg/sys/ups/master
Current value: 0.0.0.0
UPS Master IP address:

3. Specify the battery level (0-100%) of the UPS device at which the firewall will be shut down.

>> # /cfg/sys/ups/level
Current value: 5
Enter battery level (%):

4. Enable the UPS monitor (enables the APC UPS monitor).

>> # /cfg/sys/ups/ena


Figure 7-3 shows the Switched Firewall configured for UPS support in a Master-Slave mode using the Ethernet port through SNMP.

Figure 7-3 Configuring UPS in a Master-Slave Mode using SNMP (the UPS device is connected to Nortel Switched Firewall #1, the Master, through the Ethernet port and a power cable, and to Nortel Switched Firewall #2, the Slave, by a power cable)

The APC UPS models are shipped with an additional card with a network port to use for SNMP-based support. Use the following commands to configure the firewall for the configuration shown in Figure 7-3:

1. Select the UPS type.

>> # /cfg/sys/ups/type
Current value: usb
Enter UPS type [usb/snmp]: snmp

2. Specify the Master firewall for the UPS device (enter the master IP address).

>> # /cfg/sys/ups/master
Current value: 0.0.0.0
UPS Master IP address:

3. Specify the SNMP host for the UPS device (set the IP address of the SNMP UPS).

>> # /cfg/sys/ups/snmphost
Current value: 0.0.0.0
Enter IP address of the UPS:


4. Specify the SNMP port for the UPS device (set the port used by the SNMP UPS).

>> # /cfg/sys/ups/snmpport
Current value: 161
Enter SNMP port:

5. Specify the SNMP community string of the UPS device (set the community string of the UPS).

>> # /cfg/sys/ups/snmpcomm
Current value: none
Enter SNMP community string:

6. Specify the battery level (0-100%) of the UPS device at which the firewall will be shut down.

>> # /cfg/sys/ups/level
Current value: 5
Enter battery level (%):

7. Enable the UPS monitor (enables the APC UPS monitor).

>> # /cfg/sys/ups/ena

Displaying UPS Configuration

Verify the UPS configuration with the following command (displays the APC UPS status):

>> # /info/ups


RADIUS Authentication

Nortel Switched Firewall 2.3.1 allows you to log in to the firewall using RADIUS authentication. The RADIUS client on the Switched Firewall forwards the RADIUS message to one or more RADIUS servers configured for authentication. RADIUS authentication applies to both standalone and cluster configurations. Use the following commands to configure the firewall for RADIUS support:

1. Add a user.

>> # /cfg/sys/user
>> User# add
Name of user to add: tester1

2. Select a group. Edit the user created in Step 1 and specify the group as “admin” or “oper.”

>> User# edit tester1
>> User tester1# groups
>> Groups# add
Enter group name: admin

3. Set a password. Specify a password for user “tester1.”

>> User# edit tester1
>> User tester1# password
Enter admin’s current password:
Enter new password for tester1:
Re-enter to confirm:

4. Apply the changes.

>> User tester1# apply


5. Configure the RADIUS server (specify the RADIUS server IP address and the shared secret value of the RADIUS server).

>> # /cfg/sys/adm/auth/servers
>> RADIUS Authentication Servers# add
IP address to add: 30.30.30.30
Port (default is 1812):
Enter shared secret: secret123

6. Enable RADIUS authentication. Set the Switched Firewall to use RADIUS authentication.

>> # /cfg/sys/adm/auth
>> Authentication# ena

7. Apply the configuration.

>> Authentication# apply

NOTE – The RADIUS server must have the same username and password as configured in the CLI. The RADIUS server can also be set up in a high-availability configuration. The console session on the current master takes over, and login is possible through the console and the BBI. If failover occurs, the Web session may log out and you must authenticate again.


VPN Support

Nortel Switched Firewall 2.3.1 includes support for Virtual Private Networks (VPN) with IPSEC. This allows you to use Check Point’s VPN feature to process traffic through the Switched Firewall from external clients or sites running third-party VPN software. VPN support is configured entirely through the Check Point management tools. To enable VPN support, open the SmartDashboard, double-click the firewall Gateway object, and select VPN in the General Properties window. Then check options as needed in the VPN Advanced window.

Once VPN is enabled, use the VPN Manager tab on the SmartDashboard to build a VPN network from eligible clients and sites. See the Check Point documentation for instructions. For more information on VPN support, refer to the Check Point documentation.


ISP Redundancy

Nortel Switched Firewall 2.3.1 guarantees reliable Internet connectivity by allowing a single or clustered Switched Firewall to connect to the Internet through redundant Internet Service Provider (ISP) links. ISP Redundancy monitors the ISP links and directs connections to the appropriate link, depending on the operating mode. These modes control the behavior of outgoing connections, that is, connections from clients in the internal networks towards the Internet. The available modes are:

• Load Sharing: In this mode, the load is distributed between the ISPs for all outgoing connections. New connections are randomly assigned to a link. If a link fails, all new outgoing connections are directed to the active link.

• Primary/Backup: In this mode the initial connection to the ISP is through the primary link. If the primary ISP link fails, you are switched to the backup ISP link. When the primary link is restored, new outgoing connections are assigned to it.

NOTE – To ensure uninterrupted secured service for Internet users accessing the hosts behind the firewall, the high-availability VRRP setup can be deployed with a gateway cluster. Refer to your Check Point documentation for more details on configuring ISP redundancy. Do not use the ISP redundancy feature on an OSPF network.

NOTE – When configuring ISP redundancy, do not change the default gateway on the Nortel Switched Firewall using the menu command /cfg/net/gateway. The Check Point software automatically installs a default gateway based on the ISP links.


User Authority

The User Authority feature in the Nortel Switched Firewall provides centralized management of user authentication and authorization. User Authority provides a unified, secure communication layer for authenticating users to eBusiness applications. It enables applications to make intelligent authorization decisions based on VPN-1/FireWall-1 authentication and security information. The benefits of the User Authority feature include:

• Reduced sign-on burden
• Fine-grained access control
• Integration with security infrastructure

NOTE – User Authority is useful for Web applications which run on Internet Information Services (IIS) servers.

The User Authority feature is used by two kinds of users:

• LAN users: Users on the LAN use User Authority to access external resources; it provides various authentication and authorization facilities for each user level.

• Remote users: Internet users use SR/SC or SSL to access various web applications on the webserver in a secure and reliable way using authentication and authorization mechanisms. There are two kinds of remote users:
  - Mobile user with SecuRemote/SecureClient: authenticated by the VPN-1 Pro gateway.
  - Mobile user without SecuRemote/SecureClient: connects with SSL from any computer; authenticated by User Authority WebAccess.

To configure the Switched Firewall for User Authority, perform the following:

1. Configure the Switched Firewall with basic firewalling. VPN connectivity should be established from SecuRemote/SecureClient to the gateway.

2. Configure Check Point using SmartDashboard and its components.


3. Configure the User Authority Server on the firewall module.

4. Configure User Authority WebAccess FP3 installed on top of Microsoft IIS (webserver) 4.0 or 5.0 on Windows 2000 or Windows NT server. Refer to your Check Point documentation for more details on configuring the User Authority feature.

NOTE – Install the SVN foundation before installing WebAccess on the IIS machine.


CHAPTER 8

Upgrading and Reinstalling the Software

The Nortel Switched Firewall relies on the software running on the Firewall, as well as on the Check Point management devices. From time to time, it may become necessary to upgrade one or more of the software components. This chapter describes the different types of software upgrades and provides detailed procedures as necessary.

• “Compatibility” on page 192
• “Types of Upgrade” on page 192
  - “Nortel Switched Firewall SSI Upgrades” on page 192
  - “Built-In Firewall Software Upgrades” on page 193
  - “Check Point Management Station Upgrades” on page 193
• “Upgrade and Reinstall Images” on page 194
• “Upgrading to NSF 2.3.1 Software” on page 195
  - “Loading the New Software” on page 195
  - “Activating the Software” on page 197
    - “Standalone Upgrade” on page 198
    - “Cluster Upgrade” on page 199
• “Reinstalling Software” on page 203
  - “Using the ISO Image” on page 203
  - “Using the IMG Image” on page 204

NOTE – All software upgrades for the Nortel Switched Firewall 5100 series or Check Point management devices must be obtained from Nortel Networks (for contact information, see “How to Get Help” on page 19).


Compatibility

When upgrading any software component, ensure that appropriate and compatible versions of software are installed. Be sure to check any accompanying release notes or readme files for software compatibility and special installation instructions. The following versions of software are required for this release:

• Nortel Switched Firewall 5100 series Single System Image (SSI), Release 2.2.X or higher. The SSI resides on the firewall and includes the Firewall OS and built-in Check Point firewall software. The latest-released version is factory-installed and a copy of the software on CD ROM is included with each shipment.

• Check Point FireWall-1 NG Management Software. The management software resides on the management workstation and client workstations in your network. It is used to install, maintain, and monitor security policies for all your network firewalls. The Check Point SmartCenter Server may be enabled on your firewall (see page 41) or installed on a separate workstation. Check Point SMART Clients may be installed on the same machine as the SmartCenter Server or installed on separate machines. The management software version (NG with Application Intelligence) must be compatible with the Check Point software that you have on your firewall.

Types of Upgrade

There are three major classes of software upgrades that may be required for maintaining the Nortel Switched Firewall: ones that affect the Nortel Switched Firewall SSI; ones that target only the Nortel Switched Firewall’s built-in Check Point firewall software; and ones that are installed on Check Point management stations.

Nortel Switched Firewall SSI Upgrades

The following upgrades affect the Nortel Switched Firewall SSI.

• Major Releases: This type of upgrade may contain important software corrections and feature enhancements for the Nortel Switched Firewall. It may affect any or all SSI components, the Firewall OS, or built-in Check Point firewall software.


The Nortel Switched Firewall will automatically reboot after a major upgrade, in order to initialize new features. All configuration data is retained.

• Minor Releases: This type of upgrade typically corrects minor software problems on the Nortel Switched Firewall. Minor upgrades may temporarily stop the firewall. Configuration data is retained.

Built-In Firewall Software Upgrades

The following upgrades affect the Nortel Switched Firewall’s built-in Check Point Firewall software:

• Check Point Feature Pack: This type of upgrade may contain important firewall software corrections and feature enhancements. This may be necessary to ensure compatibility with the Check Point software installed on the supporting management stations. The Nortel Switched Firewall may automatically reboot after installation of a feature pack. All configuration data is retained.

• Check Point Hotfix: This type of upgrade typically corrects minor software problems in the Check Point firewall software that is built into the Nortel Switched Firewall. Hotfixes can usually be installed without rebooting the firewall, retaining normal operational traffic flow. All configuration data is retained.

Check Point Management Station Upgrades

• Management Station Check Point Feature Pack
• Management Station Hotfix


Upgrade and Reinstall Images

Nortel Switched Firewall provides three images of the software: .iso, .img, and .pkg:

• The .pkg image is installed from an ftp/tftp/scp/sftp server using the /boot/software/download command. The .pkg image is installed in parallel with the existing version. For a step-by-step procedure for this upgrade, see “Upgrading to NSF 2.3.1 Software” on page 195.

• The .iso image removes the existing configuration and reimages the firewall software. You must burn the .iso image to a CD-ROM. For more information on this reinstall, see “Reinstalling Software” on page 203.

• The .img image is installed from an ftp/tftp/scp/sftp server using the boot user login with the ForgetMe password. The .img image overwrites the current software version. For more information on this reinstall, see “Reinstalling Software” on page 203.

NOTE – For .iso and .img installations, all configuration parameters, logs, etc. are lost. Be sure to save your configuration to an ftp/tftp/scp/sftp server using the /cfg/ptcfg command and restore it after reinstallation using the /cfg/gtcfg command.


Upgrading to NSF 2.3.1 Software

Upgrading the software on your Nortel Switched Firewall consists of the following tasks:

1. Perform a backup of the Nortel Switched Firewall configuration. You can use the backup to restore the configuration (clone) in case you have problems during the upgrade. To back up, use the command:
   • /cfg/sys/backup if you are running NSF 2.2.7.0
   • /maint/backup if you are running NSF 2.3.1
   For more information on backing up your configuration, see Appendix B, “Backing Up and Cloning Configurations.”

2. Download the new software upgrade package or install image. Obtain the NSF5100_2.3.1.0_R55.pkg file and copy it to an FTP/TFTP/SCP/SFTP server or to a CD-ROM. The server must allow anonymous login.

NOTE – Make certain that your FTP/TFTP/SCP/SFTP server is on a secure, trusted network. One way to ensure FTP security is to implement the server on the SmartCenter Server workstation.

3. “Loading the New Software” on page 195

4. “Activating the Software” on page 197

Loading the New Software

To install a minor or major release upgrade on your Nortel Switched Firewall, you need the following:

• CLI access using the local console terminal, or to the Firewall host IP address through a remote Telnet or SSH connection.

• A rule on the Check Point management system that allows you to ping the FTP/TFTP/SCP/SFTP server and connect to it.

• The host name or IP address of the FTP/TFTP/SCP/SFTP server. If you choose to specify the host name, note that the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 246.


Access can be accomplished through the local serial port, or a remote Telnet or SSH (Secure Shell) connection. Note, however, that Telnet and SSH connections are disabled by default and, if desired, must be manually configured after you have set up the firewall. For more information about enabling Telnet and SSH connections, see Chapter 10, “The Command Line Interface,” on page 213. Use the following procedure to load the software to your Switched Firewall:

1. Log in to the firewall using the admin account and check the current version of the software as shown below.

>> Main# /boot/software
------------------------------------------------------------
[Software Management Menu]
     cur      - Display current software status
     activate - Select software version to run
     download - Download a new software package via TFTP/FTP
     del      - Remove downloaded (unpacked) releases
>> Software Management# cur
Version    Name   Status
---------  -----  ---------
2.2.7.0    tdo    permanent

2. FTP or TFTP download: If you downloaded the upgrade image to the FTP/TFTP/SCP/SFTP server, do the following (only anonymous ftp is supported):

>> Main# /boot/software/download                 (FTP download)
Select tftp/ftp/scp/sftp [tftp]: ftp
Enter hostname or IP address of server: 172.17.124.46
Enter filename on server: NSF5100_2.3.1.0_R55.pkg
Received 53212760 bytes in 27.2 seconds
Unpacking...
ok
>> Software Management#

3. CD-ROM download: If you downloaded the upgrade image to a CD-ROM, do the following:

>> Main# /boot/software/cdrom                    (CD-ROM download)
Insert the installation CD-ROM. Press Enter when ready.
Found /mnt/cdrom/isd/images/NSF5100_2.3.1.0_R55.pkg
Software package imported successfully.
>> Software Management#


4. After the download is complete, check the current versions of the software and make sure the version you downloaded has the status ‘unpacked.’

>> Main# /boot/software/cur
Version       Name   Status
------------  -----  ---------
2.3.1.0_R55   tdo    unpacked
2.2.7         tdo    permanent

The downloaded software upgrade package is indicated with the status unpacked. A software version can be marked with one of four possible status values, with the following meanings:

• unpacked means that the software upgrade package has been downloaded and automatically decompressed.

• current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent.

• permanent means that the software is operational and will survive a reboot of the system.

• old means the software version has been permanent but is not currently operational. NSF 2.3.1 does not support downgrade from 2.3.1 to previous releases. You cannot “switch back” to the old version of the software.

Once the upgrade is loaded, the software must be activated as described in the following section.

Activating the Software

The Nortel Switched Firewall can hold up to two versions of the same major software release simultaneously (for example, version 2.2.7 and version 2.3.1). To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the Nortel Switched Firewall, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which causes the Nortel Switched Firewall to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old. Refer to one of the following two sections to upgrade your software:

• “Standalone Upgrade” on page 198
• “Cluster Upgrade” on page 199


Standalone Upgrade

When you have downloaded the software upgrade package, you can inspect its status and activate it using the following commands:

1. Inspect the status of the software package:

>> Main# /boot/software/cur

2. Activate the new (unpacked) software package:

>> Main# /boot/software/activate 2.3.1.0_R55
Confirm action 'activate'? [y/n]: y
Activate ok, relogin
Restarting system.
login:

3. Wait for the firewall to reboot. As a result of running the activate command, the system reboots and you have to log in again after the reboot, because the CLI menus may have been upgraded. Wait until the login prompt appears again, which may take up to two minutes while the system reboots.

4. Wait 1-2 minutes for the firewall to initialize all system components.

5. After the firewall comes up, wait 2-3 minutes, then check the firewall status by running the /info/clu command and make sure the firewall is ‘up.’

6. Log in again and check the software status again:

>> Main# /boot/software/cur
Version       Name   Status
------------  -----  ---------
2.3.1.0_R55   tdo    permanent
2.2.7         tdo    old

In this example, version 2.3.1.0 is now operational and survives a reboot of the system, while the software version previously indicated as permanent is now marked as old.

7. (Optional) From the Management Server, change the version of the Check Point™ Gateway Object.

8. If you are using a centralized Check Point license, re-attach the licenses using SmartUpdate.


9. Push the Policy to the firewall.

Cluster Upgrade

When you have downloaded the software upgrade package, you can inspect its status and activate it using the following commands:

1. Determine which firewall holds the MIP (the firewall with the * in the MIP column).

>> Main# /info/summary
IP addr       type    MIP  Local  cpu(%)  mem(%)  op
10.10.1.193   master  *    *      26      42      up
10.10.1.194   master              26      42      up

2. Log in to the firewall that holds the MIP using the admin account.

3. Disable Check Point synchronization:

>> Main# /cfg/fw/sync/dis
>> Main# apply

4. Wait 2-3 minutes for Check Point applications to re-initialize.

5. Verify that both firewalls are “up” with the /info/clu or /info/sum commands.

6. Check whether any access list entries are configured on the firewall. If access lists are configured for networks other than the SSI network, add a new access list entry for the SSI network (the NSF 2.3.1.x upgrade process requires entries for the SSI network).

>> Main# /cfg/sys/accesslist/add

7. Check the current version of the software. Verify that the version you downloaded has the status unpacked.

>> Main# /boot/software/cur
Version       Name   Status
------------  -----  ---------
2.3.1.0_R55   tdo    unpacked
2.2.7         tdo    permanent


8. Activate the new (unpacked) software version and do not disturb the system until it reboots:

>> Main# /boot/software
>> Software Management# activate 2.3.1.0_R55
Confirm action 'activate'? [y/n]: y
Activate ok, relogin
Restarting system.

Both directors reboot. After two to three minutes, the status of the new software version changes from unpacked to permanent, and the older version changes from permanent to old:

>> Software Management# cur
Version       Name   Status
------------  -----  ---------
2.3.1         tdo    permanent
2.2.7         tdo    old

9. Wait 1-2 minutes for the firewalls to initialize all system components.

10. (Optional) From the Management Server, change the version of the Check Point Cluster Object.

11. If you are using a centralized Check Point license, re-attach the licenses using SmartUpdate.

12. Push the Policy to both firewalls and make sure both firewalls are UP in the /info/summary menu.

13. Enable Check Point synchronization and verify operation.

>> Main# /cfg/fw/sync/ena
Current value: n
Enabling sync may reboot all Firewall Hosts when you apply. Are you sure (y|n)? y
>> Main# apply

14. Both firewalls reboot to update the Check Point configuration.

15. After both firewalls come up, wait 2-3 minutes. It takes longer for NSF 2.3.1 to come up because of the various Check Point packages.


16. Verify that the firewall is operational. Use the /info/clu command to check the firewall status under the “CP FW” column. Both firewalls show the total running time in hours, minutes, and seconds (Xh:Ym:Zs).

17. Verify VRRP status:

• High Availability (active-standby)

>> Main# /info/net/vrrp/status
Host 10.10.1.193   VRRP Backup
Host 10.10.1.194   VRRP Master

• Active-Active

>> Main# /info/net/vrrp/status
Host 10.10.1.193
    Group1  VRRP Master
        20.20.20.1
        30.30.30.1
    Group2  VRRP Backup
        20.20.20.2
        30.30.30.2
Host 10.10.1.194
    Group2  VRRP Master
        20.20.20.2
        30.30.30.2
    Group1  VRRP Backup
        20.20.20.1
        30.30.30.1

18. When the reboot completes, log in as admin and verify that sync is working properly by entering the /maint/fw/sync command. Both firewalls should be active.

19. Verify that data traffic is forwarding properly by watching the Check Point logs using SmartView Tracker on the Check Point SMART Client.
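The pre-activation checks that the status-value list and the cluster procedure above spell out (target package present and unpacked, no downgrade, both firewalls up, session on the MIP holder) can be scripted against the CLI output formats shown in this chapter. The following is an added example written for this guide, not Nortel code; the /info/summary and /boot/software/cur samples inside it are constructed to match the documented layouts, and the column-position parsing assumes the table is printed with aligned columns as shown.

```python
"""Pre-activation checks for a Nortel Switched Firewall cluster upgrade, driven
by the /boot/software/cur and /info/summary output formats shown in this
chapter. Added example, not Nortel's code; sample outputs are constructed."""
from dataclasses import dataclass

# The four status values documented for /boot/software/cur.
VALID_STATUSES = {"unpacked", "current", "permanent", "old"}


@dataclass(frozen=True)
class SoftwareEntry:
    version: str
    name: str
    status: str


def parse_software_cur(text: str) -> list:
    """Parse the Version / Name / Status table printed by /boot/software/cur."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in VALID_STATUSES:
            entries.append(SoftwareEntry(*parts))
    return entries


def version_key(version: str) -> tuple:
    """'2.3.1.0_R55' -> (2, 3, 1, 0); the Check Point release suffix is ignored."""
    return tuple(int(part) for part in version.split("_")[0].split("."))


def activation_errors(entries: list, target: str) -> list:
    """Reasons not to issue 'activate <target>': the target must be present and
    unpacked, at most two versions can be held, and 2.3.1 has no downgrade path."""
    errors = []
    if len(entries) > 2:
        errors.append("more than two versions held; delete one before activating")
    target_entry = next((e for e in entries if e.version == target), None)
    if target_entry is None:
        return errors + [f"{target} not found; download it first"]
    if target_entry.status != "unpacked":
        errors.append(f"{target} has status {target_entry.status}, expected unpacked")
    permanent = [e for e in entries if e.status == "permanent"]
    if permanent and version_key(target) < version_key(permanent[0].version):
        errors.append("downgrade to an older release is not supported")
    return errors


@dataclass(frozen=True)
class HostRow:
    ip: str
    role: str
    holds_mip: bool
    is_local: bool
    op: str


def parse_info_summary(text: str) -> list:
    """Parse /info/summary. The MIP and Local columns hold only '*' or blank,
    so they are read by header column position rather than by split()."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0]
    mip_col, local_col = header.index("MIP"), header.index("Local")
    rows = []
    for line in lines[1:]:
        parts = line.split()
        padded = line.ljust(len(header))
        rows.append(HostRow(ip=parts[0], role=parts[1],
                            holds_mip=padded[mip_col] == "*",
                            is_local=padded[local_col] == "*",
                            op=parts[-1]))
    return rows


def cluster_upgrade_checks(summary: str, software: str, target: str) -> list:
    """Combine the procedure's per-step checks into one list of blockers: both
    hosts up, exactly one MIP holder, the session on the MIP holder, and the
    target package unpacked and not a downgrade. Empty list means go ahead."""
    hosts = parse_info_summary(summary)
    problems = [f"{h.ip} is {h.op}, not up" for h in hosts if h.op != "up"]
    mip_holders = [h for h in hosts if h.holds_mip]
    if len(mip_holders) != 1:
        problems.append(f"expected one MIP holder, found {len(mip_holders)}")
    elif not mip_holders[0].is_local:
        problems.append(f"log in to the MIP holder {mip_holders[0].ip} first")
    return problems + activation_errors(parse_software_cur(software), target)


# Constructed sample outputs in the documented layouts (not real captures).
INFO_SUMMARY = """\
IP addr       type    MIP  Local  cpu(%)  mem(%)  op
10.10.1.193   master  *    *      26      42      up
10.10.1.194   master              26      42      up
"""

SOFTWARE_CUR = """\
Version       Name   Status
------------  -----  ---------
2.3.1.0_R55   tdo    unpacked
2.2.7         tdo    permanent
"""

if __name__ == "__main__":
    blockers = cluster_upgrade_checks(INFO_SUMMARY, SOFTWARE_CUR, "2.3.1.0_R55")
    print("blockers:", blockers or "none; safe to activate")
```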


Table 8-1 shows the time it takes to complete an upgrade procedure.

Table 8-1 Upgrade Time in Minutes

Platform         Download time (minutes)   Activate and reboot (minutes)   Total time (minutes)
5106             5                         10                              15
5111-NE1/5109    2                         4                               6
5114-NE1/5114    2                         4                               6


Reinstalling Software

Reinstalling the software is seldom required except after a serious malfunction. To reinstall software on the Firewall, you must connect directly to the firewall serial port and log in as the boot user. When the reinstallation is performed, the new Firewall is reset to its factory default configuration. All previous configuration data and software is erased, including old software image versions or upgrade packages.

NOTE – Because a reinstallation erases all configuration data (including network settings), it is a good idea to first save all configuration data to a file on a TFTP server. Using the ptcfg command, installed keys and certificates are included in the configuration data and can later be restored by using the gtcfg command. For more information about these commands, see the “Configuration Menu” on page 240.

There are two methods of reinstalling software on the firewall.

• Using the .iso image of the software: Nortel Networks recommends this method. Copy the .iso version of the software to a CD ROM and boot from it. This reinstall removes the current configuration and reimages the firewall. This type of reinstall is done by logging in as the root user.

• Using the .img image of the software: This method installs the .img version of the software using TFTP or FTP. This reinstall overwrites the current configuration. This type of reinstall is done by logging in as the boot or root user.

Using the ISO Image

1. Save your current configuration to your TFTP server before installing new software. See the CLI commands /cfg/ptcfg and /cfg/gtcfg. Configuration parameters are lost when you install an ISO image.

2. Put a blank CD in your CD-ROM burner and burn the .iso image onto the blank CD.

3. When prompted, log in as root (no password is necessary).


4. Enter the appropriate installation command (use lower case characters):

install-nsf autodetect      (Detects the hardware platform)
install-nsf nsf5106         (For the NSF 5106)
install-nsf nsf5111-NE1     (For the NSF 5111-NE1)
install-nsf nsf5109         (For the NSF 5109)
install-nsf nsf5114-NE1     (For the NSF 5114-NE1)
install-nsf nsf5114         (For the NSF 5114)

5. Wait for the installation script to finish (which will take several minutes). If the Firewall doesn't reboot automatically, take the software CD out and reboot the Firewall.

NOTE – If you haven’t already removed the CD, do it now. Otherwise the system will reboot from the CD (as if you were re-installing the image) if an unintended reboot occurs.

6. Log in as admin and restore the configuration from the ftp/tftp server using the /cfg/gtcfg command.

NOTE – Step 4 sets the policy on the Alteon Firewall to deny all by default. For this step to work, you must provide access to your tftp/ftp server. To do this, use the /maint/diag/fw/unldplcy command, but exercise caution; the command provides access to all. Follow up with a policy push from your SmartCenter server as soon as possible.

7. Reboot. This is required to apply the restored configuration file.

8. Re-establish SIC and push policies from the Check Point SMART Client.

Using the IMG Image

To reinstall the software using FTP/SCP/SFTP, you need the following:

• Access to the target Firewall through a direct connection to its serial port. Remote Telnet or SSH connections cannot be used for reinstalling software.

• An .img file loaded on an FTP/SCP/SFTP server on your network.


• The host name or IP address of the FTP/SCP/SFTP server. If you choose to specify the host name, the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 246.

• The name of the .img file.

Reinstallation is performed using the following procedure.

1. Save your current configuration to your TFTP server before installing new software. See the CLI commands /cfg/ptcfg and /cfg/gtcfg. Configuration parameters are lost when you install an ISO image.

2. Log in as the boot user. The password is ForgetMe.

3. After a successful login, follow the onscreen prompts and provide the required information. For example:

login: boot
Password: ********
Available network interfaces:
  br0 (00:00:00:00:00:00)
  eth0 (00:E0:81:29:22:1E)
  eth0.4000 (00:E0:81:29:22:1E)
  eth1 (00:E0:81:29:22:1F)
  eth2 (00:00:5E:00:01:01)
  eth3 (00:00:5E:00:01:05)
  eth4 (00:04:23:AD:6F:D5)
  eth5 (00:04:23:AD:6F:D4)
Select a network interface [eth0]:
Enter IP address for eth0: 10.10.1.1
Enter network mask [255.255.255.0]:
Enter gateway IP address [none]:
Available protocols: ftp scp sftp
Select a protocol [ftp]:
Enter ftp server address: 10.10.1.100
Enter ftp login [anonymous]:
Enter file path & name of boot image: NSF5100_2.3.1.0_R55.img
Downloading boot image...
NSF5100_2.3.1.0_R55.img: 62.65 MB 600.33 kB/s
Installing new boot image... Done
Restarting...
Restarting system.


If the Firewall has not been previously configured for network access, you must provide information about network settings such as IP address, network mask, and gateway IP address. After the new boot image has been installed, the Firewall will reboot and you can log in again when the login prompt appears.

4. Restore the configuration from the TFTP server using the /cfg/gtcfg command.

5. Reboot. This is required to apply the restored configuration file.

6. Re-establish SIC and push policies from the Check Point SMART Client.


CHAPTER 9
Basic System Management

This chapter explains how to access system management features on the Nortel Switched Firewall. Management access is required for collecting system information, configuring system parameters beyond initial setup, establishing security policies, and monitoring policy effectiveness.

Management Tools

The Nortel Switched Firewall provides the following system management tools:

• The Command Line Interface (CLI)

The CLI offers a simple, text-based menu system for collecting system information and configuring system parameters. Use of the CLI is required for initial setup of the system. The CLI can be accessed locally at any Firewall or remotely through Telnet or Secure Shell (SSH) once access has been granted (see “Defining the Remote Access List” on page 214). For additional details, see “The Command Line Interface” on page 213.

• The Browser-Based Interface (BBI)

The BBI allows management through your Web browser. BBI access must be enabled through the CLI and Check Point SmartDashboard after initial setup is complete. Once enabled, the BBI provides a richly featured, graphical user interface that makes routine configuration and data collection easy. In previous releases, the BBI accessed the firewall through the SSI interface only. In NSF 2.3.1, however, because the SSI interface is separated from the Check Point policies, accessing the firewall through its host IP address compromises security. Instead of using the firewall gateway, you can now access the firewall using the VRRP virtual IP address. This allows you to control access to the firewall by adding user-defined Check Point policies. For more details, see “VRRP Interface Menu” on page 291. Make sure management support is enabled for the interface using the command /cfg/net/if#/mgmt/ena. For details, see Nortel Switched Firewall 5100 Series BBI Quick Guide (216483-B).

• The Check Point FireWall-1 NG interface

The Check Point interface is used for managing firewall policies, and for viewing firewall logs and operational status. It is accessed through remote Check Point management stations or clients. A Check Point management station is required during initial system setup, for establishing firewall security policies, and for monitoring policy effectiveness. For details, see your Check Point documentation.

Users and Passwords

Access to system functions is controlled through the use of unique usernames and passwords. Once you are connected to the system through the local console, Telnet, SSH, or Web browser, you are prompted to enter a password. To enable better system management and user accountability, four levels of user access have been implemented on the Nortel Switched Firewall. The default user names and passwords for each access level are listed in Table 9-1. User names and passwords are case sensitive.

NOTE – Nortel Networks recommends that you change all the default passwords after initial configuration and as regularly as required under your network security policies. For more information, see “User Menu” on page 279 for CLI commands.

Table 9-1 User Access Levels

User Name   Password   Description and Tasks Performed

oper        oper       The operator login is available through the CLI and BBI. The operator has no direct responsibility for system management. He or she can view all configuration information and operating statistics, but cannot make any configuration changes.

admin       admin      The administrator login is available through the CLI and BBI. The administrator has complete access to all menus, information, and configuration commands on the system, including the ability to add users and change passwords.

boot        ForgetMe   The boot login is available only through a local console terminal. The boot user can reinstall the Firewall software (see “Reinstalling Software” on page 203). To ensure that one avenue of access is always available in case all passwords are changed and lost, the boot user password cannot be changed.

root        ForgetMe   The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root user functions are outside the scope of this documentation.

CAUTION – The root login on this system is only intended for debugging and emergency repair, typically under the direction of support personnel. All modifications to the system, including configuration changes of any kind, must be made through the CLI available for the admin login. Modifications made using the root login may cause serious malfunction of the system, and may also be reversed by the system at any time.


Part 2: Command Reference

This section provides detailed information about all Command Line Interface (CLI) commands and menu items, organized in the same way as the CLI. The section starts by listing the global commands, which can be used at any menu prompt, and then explains the remaining commands hierarchically:

• Accessing the Command Line Interface

• The Main Menu

• The Configuration Menu

CHAPTER 10
The Command Line Interface

The Command Line Interface (CLI) is the most direct method for viewing information about the Nortel Switched Firewall. In addition, you can use the CLI for performing all levels of system configuration. The CLI is text-based, and can be viewed using a basic terminal. The various commands are logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.

This chapter describes how to access the CLI locally through any Firewall serial port, or remotely using a Telnet or Secure Shell (SSH) client. It also provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

NOTE – Before the CLI can be used, a minimum configuration must be entered as discussed in Chapter 2, “Initial Setup” on page 33.

Accessing the Command Line Interface

Using the Local Serial Port

Any Firewall serial port provides direct, local access for managing the Nortel Switched Firewall. For details on attaching a console terminal to the serial port and establishing a connection, see the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C). Once the connection is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 208. When the login is validated, the Main Menu of the CLI is displayed (see “The Main Menu” on page 220).

Defining the Remote Access List

The Nortel Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the remote access list. The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system. There is only one remote access list, which is shared by all remote management features.

By default, the SSI (management) network is on the access list, meaning that remote management access is allowed if the client IP address is in the SSI network. Client IP addresses outside the SSI network can be added to the access list. Once added, the client is permitted to access all remote management features that have been enabled on the firewall. For example, if only the Telnet feature is enabled, the client will be able to use Telnet to reach the CLI. If the BBI is also enabled, the same client will be able to use their Web browser to manage the system without any changes being made to the access list.

NOTE – When a remote management feature is enabled, access will not be allowed if the access list is left empty. It is also vital that you review the access list regularly and keep it up to date.

Displaying the Access List

The following CLI command is used to view the access list:

    >> # /cfg/sys/accesslist/list

Adding Items to the Access List

The following CLI commands are used to permit remote management access to a specific IP address or range of IP addresses.

1. Select the Access List menu:

    >> # /cfg/sys/accesslist

2. Add trusted remote IP addresses to the list:

    >> Access List# add

The add command can be repeated for as many remote managers as required. For example, to allow IP addresses 201.10.14.7 and 214.139.0.0/24 to access remote management features, the following commands could be used:

    >> # /cfg/sys/accesslist                              (Select access list menu)
    >> Access List# add 201.10.14.7 255.255.255.255       (Add single address)
    >> Access List# add 214.139.0.0 255.255.255.0         (Add range of addresses)

NOTE – Although each remote management feature (Telnet, SSH, and BBI) can be enabled or disabled independently, all share the same access list. All addresses on the access list are permitted to access any enabled management feature. You cannot enable SSH for some and Telnet for others.

3. Apply the changes:

    >> Access List# apply
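The access list semantics described above (one list shared by Telnet, SSH and the BBI, an empty list denies everyone, entries pending until apply), modelled in Python as an added example that is not code from the Nortel guide. The class, method and feature names are this example's own, not CLI identifiers; the addresses are the ones used in the procedure.

```python
"""Model of the remote access list semantics described in this chapter.

Added example, not code from the Nortel guide. It encodes the rules the text
states: entries are added as "<address> <mask>", a single list is shared by
Telnet, SSH and the BBI, changes stay pending until apply (and are dropped by
revert), and an empty list denies all remote management even for an enabled
feature. Class, method and feature names are this example's own, not CLI
identifiers.
"""
import ipaddress
from typing import Dict, List

# The three remote management features that share the one access list.
FEATURES = ("telnet", "ssh", "bbi")


class RemoteAccessList:
    def __init__(self) -> None:
        self.applied: List[ipaddress.IPv4Network] = []  # enforced configuration
        self.pending: List[ipaddress.IPv4Network] = []  # edits not yet applied
        # Every remote feature starts disabled, as the guide states.
        self.enabled: Dict[str, bool] = {f: False for f in FEATURES}

    def add(self, address: str, mask: str) -> ipaddress.IPv4Network:
        """Counterpart of `>> Access List# add <address> <mask>` (pending)."""
        # strict=False masks host bits, so 214.139.0.0 255.255.255.0 -> /24
        net = ipaddress.IPv4Network((address, mask), strict=False)
        self.pending.append(net)
        return net

    def diff(self) -> List[str]:
        """Pending entries not yet present in the applied list."""
        return [str(n) for n in self.pending if n not in self.applied]

    def apply(self) -> None:
        """Commit pending entries; only applied entries are enforced."""
        for net in self.pending:
            if net not in self.applied:
                self.applied.append(net)
        self.pending.clear()

    def revert(self) -> None:
        """Discard pending entries; the applied list is untouched."""
        self.pending.clear()

    def enable(self, feature: str) -> None:
        """Counterpart of /cfg/sys/adm/<feature>/ena followed by apply."""
        if feature not in self.enabled:
            raise ValueError(f"unknown remote management feature: {feature}")
        self.enabled[feature] = True

    def is_permitted(self, client: str, feature: str) -> bool:
        """True only if the feature is enabled AND the client is on the
        applied list; an empty applied list denies everyone."""
        if not self.enabled.get(feature, False):
            return False
        if not self.applied:
            return False
        ip = ipaddress.IPv4Address(client)
        return any(ip in net for net in self.applied)


def walkthrough() -> Dict[str, bool]:
    """Replays the guide's example: allow 201.10.14.7 and 214.139.0.0/24."""
    acl = RemoteAccessList()
    acl.enable("telnet")
    results = {
        # Telnet enabled but the list is empty: nobody gets in.
        "empty_list_denies": acl.is_permitted("201.10.14.7", "telnet"),
    }
    acl.add("201.10.14.7", "255.255.255.255")   # single address
    acl.add("214.139.0.0", "255.255.255.0")     # range of addresses
    # Still pending: the firewall does not enforce it until apply.
    results["pending_denies"] = acl.is_permitted("201.10.14.7", "telnet")
    acl.apply()
    results["single_address_telnet"] = acl.is_permitted("201.10.14.7", "telnet")
    results["range_member_telnet"] = acl.is_permitted("214.139.0.77", "telnet")
    results["outside_range_telnet"] = acl.is_permitted("214.139.1.1", "telnet")
    # Same list, but SSH is not enabled, so SSH is still refused.
    results["listed_but_ssh_disabled"] = acl.is_permitted("201.10.14.7", "ssh")
    # Enabling the BBI needs no access list change: the list is shared.
    acl.enable("bbi")
    results["range_member_bbi"] = acl.is_permitted("214.139.0.77", "bbi")
    return results


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name:28s} {'allowed' if allowed else 'denied'}")
```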

Using Telnet

A Telnet connection allows convenient management of the Nortel Switched Firewall from any workstation connected to the network. Telnet access provides the same management options as those available through the local serial port. By default, Telnet access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable Telnet and permit remote access to one or more trusted client stations (see “Defining the Remote Access List” on page 214).

NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Nortel Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, consider using Secure Shell (SSH) (see “Using Secure Shell” on page 217).


Enabling Telnet Access

Before Telnet access is possible, some configuration must first be performed using the serial port.

1. Log in as the administrator using the local serial port.

2. Check that the Firewall is configured with proper IP addresses. The Firewall host requires its own unique IP address, as well as one Management IP (MIP) address. These IP addresses are configured during the initial setup (see Chapter 2, “Initial Setup,” on page 33).

3. Enable Telnet. For security purposes, Telnet is initially disabled. To enable Telnet sessions on the Firewall, issue the following commands:

    >> # /cfg/sys/adm/telnet/ena
    >> Telnet Administration# apply

4. Use the access list to permit remote access to trusted clients. If you have already configured the access list for SSH or the BBI, there is no need to repeat the process for remote Telnet sessions. Otherwise, to permit remote access for Telnet sessions, see “Defining the Remote Access List” on page 214.

5. Use the Check Point SmartDashboard on your management client to add a security policy that allows Telnet traffic. The firewall policy should be constructed as follows:

• Source: The IP address of the Check Point SMART Client, or the IP address range of the management network

• Destination: The host IP address of the firewall (not the MIP address)

• Service: Telnet

• Action: Allow


Starting the Telnet Session

Remote Telnet access requires a workstation with Telnet client software. To establish a Telnet session, run the Telnet client software and issue the Telnet command on your workstation:

    telnet <host IP address>

Connect to the firewall’s host IP address. Once the Telnet session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 208. When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 220).

Using Secure Shell

A Secure Shell (SSH) connection allows convenient and secure management of the Nortel Switched Firewall from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port. SSH access provides the following security benefits:

• Server host authentication

• Encryption of management messages

• Encryption of passwords for user authentication

By default, SSH access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable SSH and permit remote access to one or more trusted client stations (see “Defining the Remote Access List” on page 214).

Enabling SSH Access on the Nortel Switched Firewall

Before SSH access is possible, some configuration must first be performed using the serial port or an enabled remote management feature.

1. Log in as the administrator.

2. Check that the Firewalls are configured with proper IP addresses. Each Firewall requires its own unique IP address, as well as one Management IP (MIP) address. These IP addresses are configured during the initial setup (see Chapter 2, “Initial Setup,” on page 33).


3. Enable SSH access. For security purposes, SSH access is initially disabled. To explicitly enable SSH, issue the following commands:

    >> # /cfg/sys/adm/ssh/ena
    >> SSH Administration# apply

4. If necessary, generate new SSH keys. During the initial setup of the Switched Firewall, Nortel Networks recommended that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the Nortel Switched Firewall using an SSH client. If you fear that your SSH host keys have been compromised, or at any time your security policy dictates, you can create new host keys using the following CLI commands:

    >> # /cfg/sys/adm/ssh/sshkeys/generate
    >> SSH Administration# apply

When reconnecting to the Nortel Switched Firewall after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has been changed.

5. Use the access list to permit remote access to trusted clients. If you have already configured the access list for Telnet or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 214.

6. Use the Check Point SmartDashboard on your management client to add a security policy that allows SSH traffic. The firewall policy should be constructed as follows:

• Source: The IP address of the management client, or the IP address range of the management network

• Destination: The firewall host IP address

• Service: SSH

• Action: Allow

Starting the SSH Session

Remote SSH access requires a workstation with SSH client software. To establish an SSH connection with the Nortel Switched Firewall, run the SSH program on your workstation by issuing the following SSH command:

    ssh -l <user name> <host IP address>

where the -l (lower case L) option is followed by the user name (admin, oper, and so on) being logged in, and the host IP address.

NOTE – You cannot log in as boot or root using SSH.

Once the SSH session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 208. When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 220).

Using the Command Line Interface

Basic Operation

Using the CLI, Nortel Switched Firewall administration is performed in the following manner:

• The administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.

• Most changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect when entered: changes to users and passwords.

• The global cur command can be used to view the current settings for the commands in the current menu.

• In order to save changes and make them take effect, the administrator must use the global apply command. This allows the administrator to make an entire series of changes and then put them into effect all at once.

• The global diff command can be used to view pending changes before they are applied.

• To clear all pending changes, the administrator can use the global revert command and then continue the configuration session, or the global exit command to log out from the system. Closing your remote session will also discard pending changes, though exiting manually is preferred.

NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only pending changes made during your current session will be affected by the diff, revert, or exit commands. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.

The Main Menu

After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed. Figure 10-1 shows the Main Menu with administrator privileges:

    [Main Menu]
         info     - Information Menu
         cfg      - Configuration menu
         boot     - Boot menu
         maint    - Maintenance menu
         diff     - Show pending config changes      [global command]
         validate - Validate configuration           [global command]
         security - Display security status          [global command]
         apply    - Apply pending config changes     [global command]
         revert   - Revert pending config changes    [global command]
         paste    - Restore saved config with key    [global command]
         help     - Show command help                [global command]
         exit     - Exit                             [global command, always available]
    >> Main#

Figure 10-1 Administrator Main Menu

NOTE – If you are using the operator account, some menu options are not available.

For more information about initial system setup, see Chapter 2, “Initial Setup,” on page 33. For details about accessing the CLI, see “Accessing the Command Line Interface” on page 213.


Idle Time-out

By default, the system will disconnect your CLI session after five minutes of inactivity. This function is controlled by the idle time-out parameter, set with the following command:

    >> # /cfg/sys/adm/idle

where the time-out period is specified in seconds, as an integer from 300 to 3600, or in minutes, from five minutes (5m) to 60 minutes (60m).

Multiple Administration Sessions

It is possible to have more than one CLI or BBI administrator session open at the same time. Although each concurrent administrator session is independent, when configuration changes are saved to the Single Software Image (SSI) that is shared by the firewall, the saved changes affect all users. However, if multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.

Global Commands

Some basic commands are recognized throughout the entire menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:

Table 10-1 Global CLI Commands

Command
    Action

help [<command>]
    Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

.
    Redisplay the current menu.

.. or up
    Go up one level in the menu structure.

/
    If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

apply
    Apply and save pending configuration changes.

diff
    Show any pending configuration changes.

exit
    Exit from the CLI and log out.

cur
    Displays the settings for the commands on the current menu. The output of the cur command is for viewing only. It cannot be captured to a file and later restored. If you wish to save the configuration for restoration later on, use the dump or ptcfg commands.

validate
    Use this command to validate your configuration.

security
    Use this command to display the security status of your firewall.

lines [<n>]
    Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

nslookup
    Find the IP address or host name of a network device. The format is as follows: nslookup. In order to use this command, you must have configured the firewall to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.

paste
    Set a password for restoring a saved configuration dump file that includes encrypted private keys.

ping
    Use this command to verify station-to-station connectivity across the network. The format is as follows: ping <address> [<tries> [<delay>]], where address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of milliseconds between attempts. The DNS parameters must be configured if specifying hostnames (see “DNS Servers Menu” on page 246).

pwd
    Display the command path used to reach the current menu.

revert
    Cancel all pending configuration changes.

traceroute
    Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows: traceroute <address> [<maxhops> [<delay>]], where address is the hostname or IP address of the target station, maxhops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. As with ping, the DNS parameters must be configured if specifying hostnames.

verbose
    Sets the level of information displayed on the screen:
    0 = Quiet: Nothing appears except errors, not even prompts.
    1 = Normal: Prompts and requested output are shown, but no menus.
    2 = Verbose: Everything is shown.
    When used without a value, the current setting is displayed.


Command Line History and Editing

Using the CLI, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 10-2 Command Line History and Editing Options

Option
    Description

history
    Display a numbered list of the last 10 previously entered commands.

!!
    Repeat the last entered command.

!<n>
    Repeat the nth command shown on the history list.

    (Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

    (Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

    Move the cursor to the beginning of the command line.

    Move the cursor to the end of the command line.

    (Also the left arrow key.) Move the cursor back one position to the left.

    (Also the right arrow key.) Move the cursor forward one position to the right.

    (Also the Delete key.) Erase one character to the left of the cursor position.

    Delete one character at the cursor position.

    Kill (erase) all characters from the cursor position to the end of the command line.

    Redraw the screen.

    Clear the entire line.

Other keys
    Insert new characters at the cursor position.


Command Line Shortcuts

Command Stacking

As a shortcut, you can type multiple commands on a single line separated by forward slashes ( / ). You can connect as many commands as required to access the menu option that you want. For example, the command stack to access the Access List menu from the Main# prompt is as follows:

    >> Main# cfg/sys/accesslist

Command Abbreviation

Most commands can be abbreviated by entering the first characters that distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

    >> Main# c/s/acc

Tab Completion

By entering the first letter of a command at any menu prompt and pressing Tab, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) when Tab is pressed, that command will be supplied on the command line. You can then execute the command by pressing Enter. If the Tab key is pressed without any input on the command line, the currently active menu is displayed.


CHAPTER 11
Command Reference / Main Menu

After initial system setup is complete and the user performs a successful connection and login, the Main Menu of the CLI is displayed.

    [Main Menu]
         info     - Information Menu
         cfg      - Configuration Menu
         boot     - Boot Menu
         maint    - Maintenance menu
         diff     - Show pending config changes      [global command]
         validate - Validate configuration           [global command]
         security - Display security status          [global command]
         apply    - Apply pending config changes     [global command]
         revert   - Revert pending config changes    [global command]
         paste    - Restore saved config with key    [global command]
         help     - Show command help                [global command]
         exit     - Exit                             [global command, always available]


Table 11-1 Main Menu

Command Syntax and Usage

info
    The Information Menu is used for displaying information about the current status of the Nortel Switched Firewall. See page 231 for menu items.

cfg
    The Configuration Menu is used for configuring the Nortel Switched Firewall. Some commands are available only from an administrator login. See page 240 for menu items.

boot
    The Boot Menu is used for upgrading Nortel Switched Firewall software and for rebooting, if necessary. The Boot Menu is accessible using an administrator login. See page 325 for menu items.

validate
    This global command is used to validate pending configuration changes made during your current administration session. This command does not include pending changes being made by other CLI or BBI administrator sessions that are running at the same time. When you enter the val command, your pending changes are examined to ensure that they are complete and consistent. If problems are found, warning or error messages are displayed. Warnings identify conditions that you should pay special attention to, but that will not cause errors or prevent the configuration from being applied when you enter the apply command. Errors identify serious configuration problems that must be corrected before changes can be applied. Uncorrected errors will cause the apply command to fail. If the val command returns warning or error messages, heed the messages and make any necessary configuration changes.

security
    This global command lists the status (enabled or disabled) of remote management features such as Telnet, SSH, and the BBI for the cluster. It also lists which users (if any) are still using default passwords, which should be changed.

maint
    The Maintenance Menu is used for sending dump files and log details on to the servers. See page 328 for menu items.


Table 11-1 Main Menu (Continued)

Command Syntax and Usage

diff
    This global command is available from any menu or sub-menu. It displays the difference between the applied configuration (the configuration that the system is currently using) and the pending configuration (the uncommitted changes that have not yet been applied). Only pending changes made during your current administrator session are included. Pending changes being made by other CLI or BBI administrator sessions are not included.

apply
    This global command is available from any menu or sub-menu. It is used to apply and save configuration changes made during your current administration session. Changes are considered pending and do not take effect until this command is issued. Pending changes being made by other CLI or BBI administrator sessions are not affected. When issued, the apply command first validates your session’s pending changes. If problems are found, applicable warning and error messages are displayed. Errors are serious and will cause the apply command to fail before any changes are applied. If there are no errors (warnings are allowed), the changes are saved and put into effect. Warning messages can be turned off using the /cfg/misc/warn command (see page 324). If multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence. The global revert command clears pending changes only; it will not restore the configuration to its previous settings once the apply command has been issued.

revert y|n
    This global command is available from any menu or sub-menu. It cancels all pending configuration changes made during your current administration session. Applied changes are not affected. Pending changes made by other open CLI or BBI sessions are also not affected.


Table 11-1 Main Menu (Continued)
Command Syntax and Usage

paste []

This global command is available from any menu or sub-menu. It lets you restore a saved configuration dump file that includes encrypted private keys. If private keys were included when you created your configuration dump file (/cfg/dump), you were required to specify a password phrase for encrypting the private keys. When the paste command is issued, you will be prompted to supply the same password phrase. You can then open the configuration dump file in your text editor, copy the information, and paste it into the CLI window. When pasted, the configuration content is batch processed by the Nortel Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. You can view the pending configuration changes resulting from the batch processing by using the global diff command. To apply the pending configuration changes, use the global apply command. The paste password phrase remains in effect until cleared. To clear the password phrase, enter the paste command again.

help []

This global command is available from any menu or sub-menu. It provides brief information about any specific command in the current menu. When used without a parameter, the help command displays a list of global commands.

exit

This global command is available from any menu or sub-menu. It exits the CLI and logs out the current session. Pending changes made during your current session will be lost if not applied. This command does not affect other open CLI or BBI sessions.


/info Information Menu

[Information Menu]
summary    - Show summary of all hosts and operational status
clu        - Show runtime information of all hosts
host       - Show runtime information of one host
net        - Show network configuration
fw         - Show firewall configuration
lic        - Show all firewall licenses
accesslist - Show Accesslist configuration
telnet     - Show Telnet configuration
fwmon      - Show FW Monitor
ethereal   - Show Ethereal Monitor
brstat     - Show all bridge statistics
brmac      - Show a list of bridge mac entries
sensor     - Show sensor information
ssh        - Show SSH configuration
web        - Show Web configuration
log        - Show Log configuration
ups        - Show UPS configuration
about      - Show information about the system
alarms     - List pending alarms
dump       - Dump all the current configuration under info menu
capacity   - Display the capacity of the system

The Information Menu is used for displaying information about the current status of the Nortel Switched Firewall.

Table 11-2 Information Menu (/info)
Command Syntax and Usage

summary

This command displays the run-time information for each firewall host, including the host IP address, type (master), MIP, Local (all IP addresses in the local network route cache), CPU usage, mem (hard disk) usage of the log partition, and operational status (up/down).

clu

This command displays runtime information for all firewalls in the cluster. Information includes CPU usage, hard disk usage, and the status of important applications such as the Web server, Check Point firewall, SNMP, and Inet server.


Table 11-2 Information Menu (/info) (Continued)
Command Syntax and Usage

host

This command displays runtime information for the specified firewall host. Information includes CPU usage, hard disk usage of the log partition, and the status of important applications such as the Web server, Check Point firewall, SNMP, and Inet server. To view menu items, see page 234.

net

This command displays the current network configuration. This is the same information that is displayed using the /cfg/net/cur command. To view menu items, see page 235.

fw

This command displays the firewall status (enabled or disabled). This is the same information that is displayed using the /cfg/fw/cur command.

lic

This command displays the current Check Point licenses added from the CLI, BBI, Check Point SmartUpdate, or from the root prompt. Displayed information includes host IP address, license expiration date, signature string, and feature string. See also “Firewall License Menu” on page 319.

accesslist

This command displays the access rights configured for the cluster, that is, the hosts and networks at remote sites that are permitted to access the cluster members. This is similar to the information displayed by /cfg/sys/accesslist/list.

telnet

This command displays the current Telnet configuration setting: enabled or disabled. This is the same information available using the /cfg/sys/adm/telnet/cur command.

fwmon

This command replicates the Check Point fw monitor command, which is used to capture FW-1/VPN-1 traffic. You can specify a timeout value for the capture, and the resulting log can be displayed on the console or uploaded to a USB memory stick or to a remote device over an FTP/SFTP/SCP/TFTP connection. This command supports all the filter options that are supported by the fw monitor command. If necessary, you may add filter options such as source IP, destination IP, device, or host.


Table 11-2 Information Menu (/info) (Continued)
Command Syntax and Usage

ethereal

This text-based (command-line) interface to Ethereal is used for capturing and inspecting traffic. It can also write the capture to the console, to a USB memory stick, or to a remote device using FTP/SFTP/SCP/TFTP.

brstat

This command displays the list of bridges configured on the Switched Firewall. It is similar to the “brctl show” command run from the root prompt.

brmac

This command displays the list of MAC addresses learned dynamically by the bridges configured on the Switched Firewall. It is similar to the “brctl showmacs” command run from the root prompt.

sensor

This command displays the current status of hardware parameters such as temperature and fan RPM.

ssh

This command displays the current SSH configuration setting: enabled or disabled. This is the same information available using the /cfg/sys/adm/ssh/cur command.

web

This command displays the current BBI configuration settings. Displayed information includes status (enabled or disabled) and service port number for HTTP and HTTPS (with SSL), and the certificate information for SSL. This is the same information available using the /cfg/sys/adm/web/cur command.

log

This command displays the configuration of syslog, the system log, ELA logging, and log archiving.

ups

This command displays the current UPS status, such as the battery level, whether cluster members are running on UPS or main power, the voltage, and so on.

about

This command displays system information such as the hardware type, OS version, Check Point version, firewall version, firewall policies configured on the system, SIC state, licenses configured on the system, and the Check Point sync status.


Table 11-2 Information Menu (/info) (Continued)
Command Syntax and Usage

alarms

This command lists the pending alarms generated in the system. The sensor module generates alarm events when a fan’s RPM reaches the critical level or when the temperature reaches the maximum level.

dump

This command displays all of the current information available in this menu.

capacity

This command displays the capacity of the software features, such as the total number of interfaces, total number of ports, maximum number of VLANs and static routes, hardware type, memory usage, and so on.

/info/host Info_host Menu

[info_host Menu]
status - Show runtime information
link   - Show physical ports link status
ether  - Show ethernet stats
syslog - Show syslog entries

This menu provides configuration, status, and statistics information on the host’s runtime, link, Ethernet, and syslog parameters.

Table 11-3 Info_Host Menu (/info/host)
Command and Usage

status

This command displays the runtime and application status for the specified host.

link

This command displays the status information for all network interface ports. The autonegotiation status and link status (UP or DOWN) are always displayed. If the link status is UP, the port speed (10, 100, or 1000 Mb/s) and the mode (full duplex or half duplex) are also displayed.


Table 11-3 Info_Host Menu (/info/host) (Continued)
Command and Usage

ether

This command displays statistics for all the interfaces configured in the cluster, such as Rx Count, Tx Count, Rx Bytes, and Tx Bytes.

syslog

This command displays the last 100 syslog messages. After each set of ten syslog messages is displayed, you are prompted whether to continue the display (enter y) or exit (enter n).

/info/net Information Menu

[info_net Menu]
if     - Show interface details
bridge - Show bridge details
arp    - Show Arp table entries
gw     - Show default gateway
gre    - Show gre details
route  - Show route configuration
vrrp   - Show vrrp details
parp   - Show parp configuration

The Network Information Menu shows the interface, bridge, ARP, gateway, GRE, route, VRRP, and Proxy ARP details.

Table 11-4 Info_net Menu (/info/net)
Command and Usage

if

This command displays the interface details (ID, IP address and netmask, port assignment, operational status, VLAN number).

bridge

This command displays the list of L2/L3 bridges configured in the cluster. See page 237 for menu items.

arp

This command displays the ARP entries in the cluster. It is similar to the “arp -n” command run from the root prompt.


Table 11-4 Info_net Menu (/info/net) (Continued)
Command and Usage

gw

This command displays the default gateway configured in the cluster. When no gateway is configured, this command displays the following message: no default gateway has been configured.

gre

This command displays information on the configured GRE tunnels.

route

This command opens the info_net_route Menu, which has two options: static displays the static route configuration details (destination IP address, destination mask, gateway IP address, interface number), and ospf opens the OSPF Router Information Menu. See page 237 for the Route Information Menu and page 238 for the OSPF Router Information Menu.

vrrp

This command opens the info_net_vrrp Menu, which displays VRRP configuration and status information. See page 239 for menu items.

parp

This command displays the Proxy ARP status (enable = y/n) and the list of Proxy ARP entries (IP address in dotted decimal notation and group #).


/info/net/bridge Bridge 1 Information Menu

[Bridge 1 Menu]
port - list all ports and vlans in the bridges.
stp  - show stp status of bridges

The Bridge Information Menu displays the bridge ID, ports, VLAN, IP address (for a Layer 3 firewall), status, and ageing information for the configured bridge interfaces.

Table 11-5 Bridge Information Menu (/info/net/bridge)
Command and Usage

port

This command lists all ports and VLANs on the bridge.

stp

This command shows the STP status of the bridges.

/info/net/route Route Information Menu

[info_net_route Menu]
static - Show static routes configuration
ospf   - OSPF Router Menu

The Route Information Menu displays information on static and OSPF routes.

Table 11-6 Route Information Menu (/info/net/route)
Command and Usage

static

This command displays all static routes configured on the system.

ospf

This command opens the OSPF Router Information Menu. See page 238 for menu items.


/info/net/route/ospf OSPF Router Information Menu

[OSPF Router Information Menu]
routes - Display routes learned from OSPF
lsa    - Display OSPF LSA information
neigh  - Display OSPF neighbor information
if     - Display OSPF interface information
fib    - Display OSPF router FIB
ospf   - Show OSPF configuration

The OSPF Router Information Menu displays status, configuration, and learned information on OSPF operation.

Table 11-7 OSPF Router Information Menu (/info/net/route/ospf)
Command and Usage

routes

This command displays all OSPF routes from the unicast table.

lsa

This command displays the OSPF Link State Advertisement (LSA) tables, which include the link ID, advertising router, age, sequence number, checksum, and link count.

neigh

This command displays information about the cluster’s OSPF neighbors. Neighbors are routing devices that maintain information about each other’s health.

if

This command displays status and configuration information about the configured OSPF interfaces.

fib

This command displays all OSPF routes contained in the Forwarding Information Base (FIB) advertised by the Nortel Switched Firewall. This includes routes that have been redistributed from other protocols.

ospf

This command displays the current configuration for all of the OSPF setup parameters.


/info/net/vrrp VRRP Information Menu

[info_net_vrrp Menu]
status - Show VRRP status
cfg    - Show VRRP configuration

The VRRP Information Menu displays information on the status and configuration of VRRP.

Table 11-8 VRRP Information Menu (/info/net/vrrp)
Command and Usage

status

This command displays the status of the VRRP virtual router.

cfg

This command displays the VRRP settings, including high availability (enable/disable), active-active (enable/disable), ClusterXL (enable/disable), VRRP advertisement interval, GARP delay interval, GARP broadcast interval, Advanced Failover Check (AFC), and Preferred Master details.


/cfg Configuration Menu

[Configuration Menu]
sys   - System-wide Parameter Menu
net   - Network Configuration Menu
lic   - Firewall License Menu
fw    - Firewall Configuration Menu
ptcfg - Backup current configuration to TFTP/FTP/SCP/SFTP server
gtcfg - Restore current configuration from TFTP/FTP/SCP/SFTP server
misc  - Miscellaneous Settings Menu
dump  - Dump configuration on screen for copy-and-paste

The Configuration Menu is used for configuring the Nortel Switched Firewall. Some commands are available only from the administrator login.

Table 11-9 Configuration Menu (/cfg)
Command Syntax and Usage

sys

The System Menu is used for configuring system-wide parameters. See page 242 for menu items.

net

The Network Configuration Menu is used to configure the networks passing traffic through the firewall. See page 286 for menu items.

lic

The Firewall License Menu is used for pre-configuring Check Point licenses and for configuring Check Point licenses for the hosts in the cluster. You can also add licenses for hosts that may become part of the cluster in the future, so that the license is applied automatically when a new firewall is added to the cluster later. See page 319 for menu items.

fw

The Firewall Configuration Menu is used to enable the firewall or reset Check Point Secure Internal Communications (SIC). See page 320 for menu items.


Table 11-9 Configuration Menu (/cfg) (Continued)
Command Syntax and Usage

ptcfg

This command saves the current configuration, including private keys and certificates, to a file on the selected TFTP/FTP/SCP/SFTP server. The information is saved in a plaintext file, and can later be restored by using the gtcfg command. You will be prompted to specify a password phrase before the information is sent to the TFTP/FTP/SCP/SFTP server. The password phrase is used to encrypt all included private keys; the rest of the configuration is not encrypted, so treat the file and its transfer (particularly over TFTP or FTP, which provide no confidentiality) as sensitive. If you later restore the configuration using the gtcfg command, you will be prompted to reenter the password phrase.

gtcfg

This command retrieves and applies a configuration file, including private keys and certificates, from the selected TFTP/FTP/SCP/SFTP server. You will be prompted to enter the same password phrase supplied when the file was created using the ptcfg command. NOTE – You must reboot the Switched Firewall after restoring a configuration using the /cfg/gtcfg command.

misc

The Miscellaneous Settings Menu is used to turn configuration warning messages on or off. See page 324 for menu items.

dump

This command displays the current configuration parameters in CLI-compatible format. You can capture the screen display and save the configuration to a text file by performing a copy-and-paste operation. The configuration can later be restored by pasting the contents of the saved text file at any command prompt in the CLI. When pasted, the content is batch processed by the Nortel Switched Firewall. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command. If you choose to include private keys in the configuration dump, you are required to specify a password phrase. The password phrase you specify will be used to encrypt all secret information. When restoring a configuration that includes secret information, use the global paste command. Before pasting the configuration, you will be prompted to reenter the password phrase.
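The pending/apply/revert/diff semantics of the global commands (Table 11-1) and the dump/paste batch processing described above can be summarized in a small executable model. The following Python is an added illustration written for this page, not Nortel code: it models per-session pending changes, validation on apply (errors abort before anything is applied, warnings do not), "latest apply wins" between concurrent sessions, the fact that revert cannot undo an apply, and a dump/paste round trip. The validation rules are borrowed from elsewhere in this chapter (idle timeout 300 to 3600 seconds, MIP on the same subnet as the host IP, at least three NTP servers), but the path strings used as keys, the assumed /24 host subnet, and which rule counts as an error versus a warning are assumptions of the model. Password-phrase encryption of private keys is not modelled.

```python
"""Model of the Switched Firewall CLI configuration session semantics.

Added illustration, not Nortel code. Path keys, the /24 host subnet and
the error/warning classification below are assumptions of this model.
"""
import ipaddress


class ApplyError(Exception):
    """Raised when validation finds errors; nothing is applied."""


class Appliance:
    """The applied configuration shared by every admin session."""

    def __init__(self, config=None):
        self.applied = dict(config or {})
        self.warn = True  # /cfg/misc/warn: show warnings on apply

    def session(self):
        return Session(self)


class Session:
    """One CLI/BBI administrator session with its own pending changes."""

    def __init__(self, appliance):
        self.appliance = appliance
        self.pending = {}  # path -> value; invisible to other sessions

    def set(self, path, value):
        self.pending[path] = value

    def diff(self):
        """Applied-vs-pending differences for this session only."""
        applied = self.appliance.applied
        return {p: (applied.get(p), v) for p, v in self.pending.items()
                if applied.get(p) != v}

    def validate(self):
        """Check applied + pending; returns (errors, warnings)."""
        cfg = {**self.appliance.applied, **self.pending}
        errors, warnings = [], []
        idle = cfg.get("/cfg/sys/adm/idle")
        if idle is not None and not 300 <= idle <= 3600:
            errors.append(f"idle timeout {idle} is outside 300-3600 seconds")
        host_ip = cfg.get("/cfg/sys/cluster/host 1/ip")
        mip = cfg.get("/cfg/sys/cluster/mip")
        if host_ip and mip:
            # Assumed /24 mask; the page only says "same subnet".
            subnet = ipaddress.ip_network(f"{host_ip}/24", strict=False)
            if ipaddress.ip_address(mip) not in subnet:
                errors.append(f"MIP {mip} is not on host subnet {subnet}")
        if len(cfg.get("/cfg/sys/time/ntp", [])) < 3:
            warnings.append("fewer than three NTP servers configured")
        return errors, warnings

    def apply(self):
        """Validate, then commit. Errors abort; warnings are returned."""
        errors, warnings = self.validate()
        if errors:
            raise ApplyError("; ".join(errors))
        self.appliance.applied.update(self.pending)  # latest apply wins
        self.pending.clear()
        return warnings if self.appliance.warn else []

    def revert(self):
        """Discard pending changes only; applied changes stay applied."""
        self.pending.clear()

    def dump(self):
        """Applied configuration as CLI-style lines accepted by paste()."""
        lines = []
        for path, value in sorted(self.appliance.applied.items()):
            if isinstance(value, list):
                lines.extend(f"{path}/add {item}" for item in value)
            else:
                lines.append(f"{path} {value}")
        return lines

    def paste(self, lines):
        """Batch-process dumped lines into pending changes (no apply)."""
        for line in lines:
            path, _, raw = line.strip().rpartition(" ")
            value = int(raw) if raw.isdigit() else raw
            if path.endswith("/add"):
                key = path[: -len("/add")]
                current = self.pending.get(key, self.appliance.applied.get(key, []))
                self.pending[key] = list(current) + [value]
            else:
                self.pending[path] = value


if __name__ == "__main__":
    # Constructed sample configuration.
    fw = Appliance({"/cfg/sys/cluster/host 1/ip": "10.0.0.1",
                    "/cfg/sys/cluster/mip": "10.0.0.2",
                    "/cfg/sys/time/ntp": ["10.0.0.10", "10.0.0.11"]})
    s = fw.session()
    s.set("/cfg/sys/adm/idle", 900)
    print(s.diff())
    print("warnings:", s.apply())
    print("\n".join(s.dump()))
```

Usage: create an `Appliance`, open one `Session` per administrator, `set` values, inspect `diff`, and `apply`. A failed `apply` leaves `Appliance.applied` untouched, and `revert` after a successful `apply` is a no-op on the applied state, which is the behaviour the global-command table describes.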


/cfg/sys System Menu

[System Menu]
time       - Date and Time Menu
dns        - DNS Servers Menu
cluster    - Cluster Menu
accesslist - Access List Menu
adm        - Administrative Applications Menu
log        - Platform Logging Menu
user       - User Access Control menu
ups        - APC UPS Menu

The System Menu is used for configuring system-wide parameters.

Table 11-10 System Menu (/cfg/sys)
Command Syntax and Usage

time

The Date and Time Menu is used to set the date, time, and time zone options. See page 244 for menu items.

dns

The DNS Servers Menu lets you change Domain Name System (DNS) parameters. See page 246 for menu items.

cluster

This command opens the Cluster Menu, which allows you to configure the host IP and management IP (MIP) addresses for the firewall host. It also lets you assign a physical port to that network. See page 247 for menu items.

accesslist

The Access List Menu is used to restrict remote access to Nortel Switched Firewall management features. You can add, delete, or list trusted IP addresses that are allowed Telnet, Secure Shell (SSH), or Browser-Based Interface (BBI) access to the system. If the access list is not configured, users will not be able to access remote management features even when those features are otherwise enabled. See page 250 for menu items.


Table 11-10 System Menu (/cfg/sys) (Continued)
Command Syntax and Usage

adm

The Administrative Applications Menu is used to configure the idle timeout as well as Nortel Switched Firewall remote management features such as Telnet, SSH, SNMP, and the BBI. See page 251 for menu items.

log

The Platform Logging Menu is used to configure system message logging features. Messages can be logged to the system console terminal or the ELA facility, and archived to a file that can be automatically e-mailed. See page 274 for menu items.

user

The User Menu is used to add, modify, delete, or list Nortel Switched Firewall user accounts, and to change passwords. See page 279 for menu items.

ups

This menu is used for configuring UPS support for the cluster. See page 284 for menu items.


/cfg/sys/time Date and Time Menu

[Date and Time Menu]
date  - Set system date
time  - Set system time
tzone - Set Timezone
ntp   - Configure NTP servers

The Date and Time Menu is used to set the system date, time, and time zone options.

Table 11-11 Date and Time Menu (/cfg/sys/time)
Command Syntax and Usage

date

This command sets the system date according to the specified format.

time

This command sets the system time using a 24-hour clock format. NOTE – It is recommended that you reboot the firewall after entering a time change of more than 1 minute.

tzone

This command sets the system time zone. When entered without a parameter, you will be prompted to select your time zone from a list of continents/oceans, countries, and regions (if applicable).

ntp

The NTP Servers Menu is used to synchronize system time with Network Time Protocol (NTP) servers. See page 245 for menu items.


/cfg/sys/time/ntp NTP Servers Menu

[NTP Servers Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value

The NTP Servers Menu is used to add or delete the Network Time Protocol (NTP) servers that synchronize system time.

Table 11-12 NTP Servers Menu Options (/cfg/sys/time/ntp)
Command Syntax and Usage

list

This command lists all configured NTP servers by their index number and IP address.

del

This command lets you remove an NTP server from the configuration by specifying the server’s index number. Use the list command to display the index numbers and IP addresses of configured NTP servers.

add

This command lets you add an NTP server. The NTP server with the specified IP address will be added to the list of NTP servers used to synchronize the Nortel Switched Firewall system clock. At least three NTP servers should be configured so that a server whose time disagrees with the others can be detected and ignored.


/cfg/sys/dns DNS Servers Menu

[DNS Servers Menu]
list   - List all values
del    - Delete a value by number
add    - Add a new value
insert - Insert a new value
move   - Move a value by number

The DNS Servers Menu lets you change Domain Name System (DNS) parameters.

Table 11-13 DNS Servers Menu (/cfg/sys/dns)
Command Syntax and Usage

list

This command displays all DNS servers by their index number and IP address.

del

This command lets you remove a DNS server by index number. Use the list command to display the index numbers and IP addresses of the configured DNS servers.

add

This command lets you add a new DNS server. The DNS server with the specified IP address is appended to the list.

insert

This command lets you add a new DNS server to the list at the specified index position. All existing entries at the specified index number and higher are moved up one position.

move

This command removes the DNS server at the specified “from” index number and inserts it at the specified “to” index number.


/cfg/sys/cluster Cluster Menu

[Cluster Menu]
mip  - Set management IP (MIP) address
host - Cluster Host Menu

The Cluster Menu allows you to configure the firewall’s host IP address and Management IP (MIP) address.

Table 11-14 Cluster Menu (/cfg/sys/cluster)
Command Syntax and Usage

mip

This command lets you change the Management IP (MIP) address. The management IP address must be unique on the network. Assign a MIP address that is on the same subnet as the firewall host IP. NOTE – The MIP address supports clustered firewalls in a redundant failover network. You must configure the MIP address even if you do not have redundant firewalls.

host

This command provides access to the Cluster Host Menu for the specified host. For information on the Cluster Host Menu, see page 248.


/cfg/sys/cluster/host Cluster Host Menu

[Cluster Host 1 Menu]
ip         - Set IP address
name       - Set system name
hwplatform - Display hardware platform
halt       - Halt the host
reboot     - Reboot the host
delete     - Remove the Host

This menu allows you to change host-specific parameters for the selected firewall host number. The host number can be found using the /cfg/sys/cluster/cur command.

Table 11-15 Cluster Host Menu (/cfg/sys/cluster/host)
Command Syntax and Usage

ip

This command is used to set the IP address of the currently selected host. Changing this address does not affect the MIP address, which defines the cluster itself. The IP address is specified using dotted decimal notation. NOTE – You will be logged out when you apply the new IP address.

name

This command allows you to give a user-friendly name to each firewall. When you log in as “admin,” the name of the firewall is displayed as part of the banner, which allows you to easily identify the firewall.

hwplatform

Displays the specified host’s hardware platform model number (5106, 5111-N1, 5109, 5114-N1, or 5114).

halt [y|n]

After confirmation, this command stops the currently selected host. Always use this command before turning off the device. If the host you want to halt has become isolated from the cluster, you will receive an error message when performing the halt command. You can then try logging in to the specific host using its local serial port (or a Telnet or SSH connection to the host’s individually assigned IP address) and use the /boot/halt command.


Table 11-15 Cluster Host Menu (/cfg/sys/cluster/host) (Continued)
Command Syntax and Usage

reboot [y|n]

After confirmation, this command reboots the currently selected host. If the host you want to reboot has become isolated from the cluster, you will receive an error message when performing the reboot command. You can then try logging in to the specific host using its local serial port (or a Telnet or SSH connection to the host’s individually assigned IP address) and use the /boot/reboot command.

delete

After confirmation, this command lets you remove the currently selected host “cleanly” from the cluster, and resets the removed host to its factory-default configuration. The other host in the cluster is unaffected. To ensure that you remove the intended host, view the current settings by using the cur command. To view the host number, type, and IP address for both hosts in a cluster, use the /cfg/sys/cluster/cur command. Once you have removed a host from the cluster using the delete command, you can only access the device through a console terminal attached directly to its local serial port. You can then log in using the administration account (admin) and the default password (admin) to access the Setup Menu; change this default password before the host is returned to service. When two hosts are present in a cluster, you cannot delete a particular host if it is the only one that has a health status of “up.” If that is the case, you will receive an error message when performing the delete command. To delete a host from the cluster while the other cluster member is down, see the /boot/delete command on page 325. NOTE – Nortel Networks recommends that, after deleting a host, you get the topology using SmartDashboard and push the policies to the operational host. Then use the Setup utility to rejoin the cluster.


/cfg/sys/accesslist Access List Menu

[Access List Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value

The Nortel Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the access list. The access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system. There is only one access list, shared by all remote management features. By default, the management network is added to the access list. Requests for remote management access from any client whose IP address is not on the access list are dropped. You can, however, still ping the firewall host from an IP address that is not on the access list. When a client’s IP address is added to the access list, that client is permitted to use all enabled remote management features. NOTE – If you have configured Check Point User Authentication, the access list is ignored. The following options are available on the Access List Menu:

Table 11-16 Access List Menu (/cfg/sys/accesslist)
Command Syntax and Usage

list

This command displays the index number and IP address information for all trusted clients that can access the enabled remote management features.

del

This command lets you remove an access entry by index number. Use the list command to display the index numbers and IP addresses of the access entries.

add

This command lets you add a new IP address or range of addresses to the access list. Any added clients are considered trusted and may access any enabled remote management feature.


/cfg/sys/adm Administrative Applications Menu

[Administrative Applications Menu]
idle   - Set CLI idle timeout
telnet - Telnet Administration Menu
ssh    - SSH Administration Menu
web    - Web Administration Menu
snmp   - SNMP Administration Menu
audit  - Audit Settings
auth   - Authentication Menu

The Administrative Applications Menu is used to configure Nortel Switched Firewall remote management features such as Telnet, SSH, SNMP, and the BBI.

Table 11-17 Administrative Application Menu (/cfg/sys/adm)
Command Syntax and Usage

idle

This command sets the amount of time that a local or remote CLI session can remain inactive before being automatically logged out. The time period is specified in seconds, from 300 to 3600. The default is 300 seconds (5 minutes). NOTE – If you make changes to the firewall configuration and do not apply them before the CLI times out, all changes will be lost.

telnet

The Telnet Administration Menu is used to enable or disable Telnet sessions for remote access to the Nortel Switched Firewall management CLI. NOTE – Enabling Telnet is not enough to provide access for remote Telnet sessions. The Telnet user’s IP address must also appear in the access list (see “Defining the Remote Access List” on page 214 and “/cfg/sys/accesslist” on page 250 for details). See page 253 for menu items.

ssh

The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote access to the Nortel Switched Firewall management CLI. This menu is also used for generating SSH host keys. See page 254 for menu items.


Table 11-17 Administrative Application Menu (/cfg/sys/adm) (Continued)
Command Syntax and Usage

web

The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The BBI provides HTTP or Secure Sockets Layer (SSL) access for remote management of the Nortel Switched Firewall using a Web browser. See page 257 for menu items.

snmp

The SNMP Administration Menu is used to control Simple Network Management Protocol (SNMP) read access and to enable or disable SNMP event and alarm messages for the Nortel Switched Firewall. This menu is also used for defining SNMP information, permission levels, and traps. See page 263 for menu items.

audit

The Audit Settings Menu is used to configure the servers that receive log messages recording the commands executed in the CLI and the Web UI. See page 269 for menu items.

auth

The Authentication Settings Menu is used to configure RADIUS authentication. See page 272 for menu items.


/cfg/sys/adm/telnet Telnet Administration Menu

[Telnet Administration Menu]
     ena - Enable Telnet
     dis - Disable Telnet

The Telnet Administration Menu is used to enable or disable remote Telnet access to the Nortel Switched Firewall CLI. By default, Telnet access is disabled. Depending on the severity of your security policy, you may enable Telnet access and restrict it to one or more trusted clients.

NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Nortel Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, see “Using Secure Shell” on page 217.

For more information on the Telnet feature, see “Using Telnet” on page 215.

Table 11-18 Telnet Administration Menu (/cfg/sys/adm/telnet)
Command Syntax and Usage

ena
  This command enables the Telnet management feature. When enabled, Telnet access to the host IP address is allowed for trusted clients that have been added to the access list (see “Defining the Remote Access List” on page 214).

dis
  This command disables the Telnet management feature. This is the default. When disabled, all active Telnet administration sessions are terminated, and all Telnet requests sent to the host IP address are dropped.

NOTE – The Switched Firewall uses iptables to implement access control to its management interfaces (SSH, Telnet, HTTP and HTTPS). Iptables inspects packets above FireWall-1 in the TCP/IP stack, which allows the Switched Firewall to limit external access to internal system management software that uses sockets to communicate.


/cfg/sys/adm/ssh SSH Administration Menu

[SSH Administration Menu]
     ena - Enable SSH
     dis - Disable SSH
     sshkeys - SSH host keys menu

The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote access to the Nortel Switched Firewall management CLI. This menu is also used for generating SSH host keys. An SSH connection allows secure management of the Nortel Switched Firewall from any workstation connected to the network. SSH access provides server host authentication, encryption of management messages, and encryption of passwords for user authentication. By default, SSH is disabled.

For more information on the SSH feature, see “Using Secure Shell” on page 217.

Table 11-19 SSH Administration Menu (/cfg/sys/adm/ssh)
Command Syntax and Usage

ena
  This command enables the SSH management feature. When enabled, SSH access to the host IP address is allowed for trusted clients that have been added to the access list (see “Defining the Remote Access List” on page 214).

dis
  This command disables the SSH management feature. This is the default. When disabled, all active SSH administration sessions are terminated, and all new SSH requests sent to the host IP address are dropped.

sshkeys
  This command allows you to configure and manage SSH host keys. See page 255 for menu items.


/cfg/sys/adm/ssh/sshkeys SSH Host Keys Menu

[SSH Host Keys Menu]
     generate - Generate new SSH host keys for the cluster
     show - Show current SSH host keys for the cluster
     knownhosts - SSH known host keys menu

The SSH Host Keys Menu is used to generate and manage SSH host keys.

Table 11-20 SSH Host Keys Menu (/cfg/sys/adm/ssh/sshkeys)
Command Syntax and Usage

generate
  This command generates new SSH host keys for the cluster.

show
  This command shows the current SSH host keys for the cluster.

knownhosts
  This command is used to manage the SSH host keys of remote hosts. See page 256 for menu items.


/cfg/sys/adm/ssh/sshkeys/knownhosts SSH Known Host Keys Menu

[SSH Known Host Keys Menu]
     list - List known SSH keys of remote hosts
     del - Delete known SSH host key by index
     add - Add a new SSH host key
     import - Retrieve SSH key from remote host

The SSH Known Host Keys Menu is used to manage the SSH host keys of remote hosts.

Table 11-21 SSH Known Host Keys Menu (/cfg/sys/adm/ssh/sshkeys/knownhosts)
Command Syntax and Usage

list
  This command lists the known SSH keys of remote hosts.

del
  This command deletes a known SSH host key by its index value.

add
  This command allows you to add a new SSH host key.

import
  This command allows you to retrieve the SSH host key of a remote host.


/cfg/sys/adm/web Web Administration Menu

[Web Administration Menu]
     http - HTTP Configuration Menu
     ssl - SSL Configuration Menu

The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The BBI allows for refined, intuitive remote management of the Nortel Switched Firewall using a Web browser. The BBI can be configured to use HTTP (non-secure), HTTPS with Secure Socket Layer (SSL), or both. For more information, see the Nortel Switched Firewall 5100 Series BBI Quick Guide.

Table 11-22 Web Administration Menu (/cfg/sys/adm/web)
Command Syntax and Usage

http
  The HTTP Configuration Menu is used to configure BBI access using HTTP (non-secure). See page 258 for menu items.

ssl
  The SSL Configuration Menu is used to configure BBI access using HTTPS with Secure Socket Layer (SSL). For security reasons, using SSL with the BBI is highly recommended. See page 259 for menu items.


/cfg/sys/adm/web/http HTTP Configuration Menu

[HTTP Configuration Menu]
     port - Set HTTP Port number
     ena - Enable HTTP
     dis - Disable HTTP

The HTTP Configuration Menu is used to configure BBI access using HTTP. By default, HTTP access is enabled, but restricted to trusted clients. Depending on the severity of your security policy, you may disable HTTP access and refine the list of trusted clients.

NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Nortel Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, see the “SSL Configuration Menu” on page 259.

For more information, see the Nortel Switched Firewall 5100 Series BBI Quick Guide.

Table 11-23 HTTP Configuration Menu (/cfg/sys/adm/web/http)
Command Syntax and Usage

port
  This command sets the logical HTTP port used by the built-in BBI Web server. By default, the Web server uses the well-known HTTP port 80. This can be changed to any port number, but should not be set to a port that is being used by other services.

ena
  This command enables HTTP access to the BBI. This is the default. When enabled, HTTP access to the host IP address is allowed for trusted clients that have been added to the access list (see “Defining the Remote Access List” on page 214).

dis
  This command disables HTTP access to the BBI. When disabled, HTTP requests to the host IP address are dropped.


/cfg/sys/adm/web/ssl SSL Configuration Menu

[SSL Configuration Menu]
     port - Set SSL port number
     ena - Enable SSL
     dis - Disable SSL
     tls - Set TLS
     sslv2 - Set SSL version 2
     sslv3 - Set SSL version 3
     certs - Certificate Management Menu

The SSL Configuration Menu is used to configure BBI access using HTTPS. HTTPS uses Secure Socket Layer (SSL) to provide server host authentication, encryption of management messages, and encryption of passwords for user authentication. Using SSL with the Browser-Based Interface is highly recommended for security reasons. By default, SSL is disabled. In addition to enabling or disabling the HTTPS feature, this menu allows you to set the HTTPS port, set the SSL version, and access menus for generating SSL certificates. For more information, see the Nortel Switched Firewall 5100 Series BBI Quick Guide.

Table 11-24 SSL Configuration Menu (/cfg/sys/adm/web/ssl)
Command Syntax and Usage

port
  This command sets the logical HTTPS port used by the built-in BBI Web server. By default, the Web server uses the well-known HTTPS port 443. This can be changed to any port number, but should not be set to a port that is being used by other services.

ena
  This command enables HTTPS access to the BBI. When enabled, HTTPS access to the host IP address is allowed for trusted clients that have been added to the access list (see “Defining the Remote Access List” on page 214).
  NOTE – An SSL certificate must be generated using the Certificate Management Menu (certs) before HTTPS will function.

dis
  This command disables HTTPS access to the BBI. This is the default. When disabled, HTTPS requests to the host IP address are dropped.

tls y|n
  This command enables or disables Transport Layer Security (TLS) for SSL.


Table 11-24 SSL Configuration Menu (/cfg/sys/adm/web/ssl) (Continued)
Command Syntax and Usage

sslv2 y|n
  This command enables or disables SSL Version 2.

sslv3 y|n
  This command enables or disables SSL Version 3.

certs
  The Certificate Management Menu is used to configure server certificates and external Certificate Authority certificates required for SSL. See page 260 for menu items.

/cfg/sys/adm/web/ssl/certs Certificate Management Menu

[Certificate Management Menu]
     serv - Server Certificate Management Menu
     ca - Certificate Authority Management Menu

The Certificate Management Menu is used to add or remove server certificates and external Certificate Authority certificates required for SSL.

Table 11-25 Certificate Management Menu (/cfg/sys/adm/web/ssl/certs)
Command Syntax and Usage

serv
  The Server Certificate Management Menu is used to generate a certificate request or create a self-signed certificate. See page 261 for menu items.

ca
  The Certificate Authority Management Menu is used to manage intermediate CA (Certification Authority) certificates. This is required if server certificates from external CAs are being used. See page 262 for menu items.


/cfg/sys/adm/web/ssl/certs/serv Server Certificate Management Menu

[Server Certificate Management Menu]
     gen - Generate certificate request - this erases old key
     exp - Export certificate request
     list - List server certificates
     del - Delete a server certificate
     add - Add a server certificate

The Server Certificate Management Menu is used to administer SSL server certificates.

Table 11-26 Server Certificate Management Menu (/cfg/sys/adm/web/ssl/certs/serv)
Command Syntax and Usage

gen
  This command generates a certificate request or a self-signed certificate. Note that generating a new request erases the old key.

exp
  This command is used to export a certificate request to an external Certificate Authority (CA). It produces output that can be copied and pasted into a text file and sent to the CA to be signed. Do not use this command if you are creating a self-signed certificate. Once the CA has responded with a PEM-encoded certificate, use the add command to enter the certificate into the system.

list
  This command displays a list of configured server certificates.

del
  This command is used to delete a server certificate.

add
  This command is used to add a signed server certificate. After you have entered this command, the system expects you to paste the PEM-encoded certificate into the CLI. When you have finished pasting the certificate, add three periods (...) and press Enter to return to the CLI.


/cfg/sys/adm/web/ssl/certs/ca CA Certificate Management Menu

[CA Certificate Management Menu]
     list - List CA certificates
     del - Delete a CA certificate
     add - Add a CA certificate

The CA Certificate Management Menu is used to administer the external Certificate Authority (CA) certificates used for SSL.

Table 11-27 CA Certificate Management Menu (/cfg/sys/adm/web/ssl/certs/ca)
Command Syntax and Usage

list
  This command lists all configured CA certificates.

del
  This command is used to remove a CA certificate from the configuration.

add
  This command is used to add an intermediate CA certificate. After you have entered this command, the system expects you to paste the PEM-encoded certificate into the CLI. When you have finished pasting the certificate, add three periods (...) and press Enter to return to the CLI.
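As an added example (not Nortel's code), the following is a pre-flight checker for what the add commands of this menu and of the serv menu above expect: PEM certificate lines followed by three periods. It assumes the three periods stand on a line of their own, and it verifies only the base64 body and the outer DER envelope of each certificate, not the signature chain.

```python
"""Added example (not Nortel code): check a certificate paste of the form the
/cfg/sys/adm/web/ssl/certs/serv add and /cfg/sys/adm/web/ssl/certs/ca add
commands expect (PEM lines, then three periods).  The '...' terminator on a
line of its own is an assumption of this example."""
import base64
import binascii
from typing import List

TERMINATOR = "..."
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class PasteError(ValueError):
    """Raised when the pasted text would not be accepted as a certificate."""


def split_paste(text: str) -> List[str]:
    """Return the (stripped) lines before the '...' terminator; fail if absent."""
    body = []
    for line in text.splitlines():
        if line.strip() == TERMINATOR:
            return body
        body.append(line.strip())
    raise PasteError("paste is not terminated with three periods (...)")


def der_envelope_ok(der: bytes) -> bool:
    """Check for an outer SEQUENCE (0x30) whose encoded length covers all bytes.
    Handles both short-form and long-form DER lengths."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short form: one length byte
        header, length = 2, first
    else:                                   # long form: 0x80 | n, then n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def extract_certificates(lines: List[str]) -> List[bytes]:
    """Return the DER bytes of every PEM certificate block, in paste order."""
    certs, b64 = [], None
    for line in lines:
        if line == BEGIN:
            if b64 is not None:
                raise PasteError("BEGIN line inside an open certificate block")
            b64 = []
        elif line == END:
            if b64 is None:
                raise PasteError("END line without a matching BEGIN")
            try:
                der = base64.b64decode("".join(b64), validate=True)
            except binascii.Error as exc:
                raise PasteError(f"certificate body is not valid base64: {exc}")
            if not der_envelope_ok(der):
                raise PasteError("decoded certificate is not a DER SEQUENCE")
            certs.append(der)
            b64 = None
        elif b64 is not None and line:
            b64.append(line)
    if b64 is not None:
        raise PasteError("certificate block is missing its END line")
    if not certs:
        raise PasteError("no certificate found in pasted text")
    return certs


def parse_paste(text: str) -> List[bytes]:
    """Full check of one paste: terminator present and every block decodes."""
    return extract_certificates(split_paste(text))


# Constructed sample paste.  The base64 decodes to the five-byte DER SEQUENCE
# 30 03 02 01 05 (an INTEGER 5), enough to exercise the envelope check; a real
# certificate is a much longer SEQUENCE with the same outer shape.
SAMPLE_PASTE = "\n".join([BEGIN, "MAMCAQU=", END, TERMINATOR, ""])

if __name__ == "__main__":
    for der in parse_paste(SAMPLE_PASTE):
        print(f"certificate OK: {len(der)} DER bytes")
```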


/cfg/sys/adm/snmp SNMP Administration Menu

[SNMP Administration Menu]
     ena - Enable SNMP
     dis - Disable SNMP
     model - Set security model
     level - Set usm security level
     access - Set read access control
     events - Set trap events
     alarms - Set trap alarms
     rcomm - Set v2c read community
     users - SNMP USM Users Menu
     hosts - Trap Hosts Menu
     system - SNMP System Information Menu
     adv - Advanced SNMP Options Menu

The Nortel Switched Firewall software supports elements of the Simple Network Management Protocol (SNMP). If you are running an SNMP network management station on your network, you can read NSF configuration information and statistics using the following SNMP Management Information Bases (MIBs):

• MIB II (RFC 1213)
• Ethernet MIB (RFC 1643)
• Bridge MIB (RFC 1493)

For more information on the list of supported MIBs, see NSF 2.3.1 Browser-Based Interface (BBI) Quick Access Guide (216383-C).

Table 11-28 SNMP Administration Menu Options (/cfg/sys/adm/snmp)
Command Syntax and Usage

ena
  This command enables the SNMP features.

dis
  This command disables the SNMP features. This is the default.

model v2c|usm
  This command is used to specify which form of SNMP security is used by the Nortel Firewall:
  • v2c: Use the SNMP version 2c security model.
  • usm: Use the SNMP version 3 User-based Security Model (USM).


Table 11-28 SNMP Administration Menu Options (/cfg/sys/adm/snmp) (Continued)
Command Syntax and Usage

level auth|priv
  This command is used only when usm is selected. It specifies the desired degree of SNMP USM security:
  • auth: Verify the SNMP user password before granting SNMP access. SNMP information is transmitted in plain text.
  • priv (encrypt): Verify the SNMP user password before granting SNMP access and encrypt all SNMP information with the user’s individual key.
  USM user names, along with their passwords and encryption keys, are defined in the SNMP Users Menu (/cfg/sys/adm/snmp/users).

access d|r
  This command is used to enable (r) or disable (d) read access for the read community.

events y|n
  This command is used to enable or disable sending event messages to the SNMP trap hosts. When enabled, messages regarding general occurrences (such as detection of a new component) are sent.

alarms y|n
  This command is used to enable or disable sending alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions that may require administrative action.

rcomm
  Displays the current read community value (default ‘public’) and allows you to change it. There is no restriction on the input string.

users
  The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the security model, SNMP access is granted only for a user/password combination that is defined in both the SNMP Users Menu and the Access List Menu (/cfg/sys/adm/accesslist). See page 265 for menu items.

hosts
  The Trap Hosts Menu is used to add, remove, or list hosts that will receive event or alarm messages. See page 266 for menu items.


Table 11-28 SNMP Administration Menu Options (/cfg/sys/adm/snmp) (Continued)
Command Syntax and Usage

system
  The SNMP System Information Menu is used to configure basic identification information such as support contact name, system name, and system location. See page 267 for menu items.

adv
  The Advanced SNMP Settings Menu is used to configure less common SNMP options. See page 268 for menu items.

/cfg/sys/adm/snmp/users SNMP Users Menu

[SNMP Users Menu]
     list - List all users
     del - Delete a user by name
     add - Add a new user

The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the security model (/cfg/sys/adm/snmp/model), SNMP access is granted only for user/password combinations defined both in this menu and in the Access List Menu (see page 250).

Table 11-29 SNMP Users Menu Options (/cfg/sys/adm/snmp/users)
Command Syntax and Usage

list
  This command lists all configured USM users.


Table 11-29 SNMP Users Menu Options (/cfg/sys/adm/snmp/users) (Continued)
Command Syntax and Usage

del
  This command lets you remove a USM user from the configuration. Use the list command to display the configured USM users.

add
  This command lets you add a USM user. When the command is initiated, you are prompted to enter the following:
  • get and/or trap: specify whether the user is authorized to perform SNMP get requests and/or receive enabled trap event and alarm messages. Enter get trap to specify that both are allowed.
  • authorization password (and confirmation): the password the user must enter for access.
  • encryption string (and confirmation): if the level encrypt option is used on the SNMP Administration Menu (/cfg/sys/adm/snmp), the encryption string is used to encode SNMP traffic between the user and the Nortel Switched Firewall.

/cfg/sys/adm/snmp/hosts Trap Hosts Menu

[Trap Hosts Menu]
     list - List all values
     del - Delete a value by number
     add - Add a new value
     insert - Insert a new value
     move - Move a value by number

The Trap Hosts Menu is used to add, remove, or list hosts that receive SNMP event or alarm messages from the Firewall.

Table 11-30 Trap Hosts Menu Options (/cfg/sys/adm/snmp/hosts)
Command Syntax and Usage

list
  This command lists all configured trap hosts that receive SNMP event or alarm messages from the Firewall.

del
  This command lets you remove an SNMP trap host from the configuration by specifying the trap host’s index number. Use the list command to display the index numbers and IP addresses of configured trap hosts.


Table 11-30 Trap Hosts Menu Options (/cfg/sys/adm/snmp/hosts) (Continued)
Command Syntax and Usage

add
  This command lets you add an SNMP trap host. The trap host with the specified IP address receives any enabled SNMP messages from the Firewall. Event messages and alarm messages can be independently enabled or disabled in the SNMP Administration Menu (see page 263). You are prompted to enter the port number, community string and trap user information.

insert
  This command lets you add a new trap host IP address to the trap host list at the specified index position. All existing items at the specified index number and higher are moved up by one position.

move
  This command removes the trap host IP address at the specified from index number and inserts it at the specified to index number in the trap host list.

/cfg/sys/adm/snmp/system SNMP System Information Menu

[SNMP System Information Menu]
     contact - Set Contact
     name - Set Name
     loc - Set Location

The SNMP System Information Menu is used to configure basic identification information such as support contact name, system name, and system location.

Table 11-31 SNMP System Information Menu (/cfg/sys/adm/snmp/system)
Command Syntax and Usage

contact
  Configures the name of the system contact. The contact can have a maximum of 64 characters.


Table 11-31 SNMP System Information Menu (/cfg/sys/adm/snmp/system) (Continued)
Command Syntax and Usage

name
  Configures the name for the system. The name can have a maximum of 64 characters.

loc
  Configures the name of the system location. The location can have a maximum of 64 characters.

/cfg/sys/adm/snmp/adv Advanced SNMP Settings Menu

[SNMP Advanced Settings Menu]
     trapsrcip - Set source ip of traps

The Advanced SNMP Options Menu is used to configure less common SNMP options.

Table 11-32 Advanced SNMP Settings Menu (/cfg/sys/adm/snmp/adv)
Command Syntax and Usage

trapsrcip auto|unique|mip
  This command is used to configure which source IP address is used for SNMP traps generated by the Nortel Firewall:
  • auto: The IP address of the outgoing interface is used. This is the default.
  • unique: The IP address of the individual Nortel Firewall is used.
  • mip: The IP address of the cluster MIP is used. This setting is useful with applications (such as some versions of HP OpenView) that expect devices to be limited to only one IP address.


/cfg/sys/adm/audit Audit Menu

[Audit Menu]
     servers - RADIUS Servers Menu
     vendorid - Set vendor id for audit attribute
     vendortype - Set vendor type for audit attribute
     ena - Enable server
     dis - Disable server

The Audit menu is used to configure a RADIUS server to receive log messages about commands executed in the CLI or the Web User Interface. If auditing is enabled but no RADIUS server is configured, events are still generated to the event log and to any configured syslog servers. Auditing is disabled by default.

An event is generated whenever a user logs in or out or issues a command from a CLI session. The event contains the user name and session ID as well as the name of the executed command. This event is optionally sent to a RADIUS server for audit trail logging according to RFC 2866 (RADIUS Accounting).

Table 11-33 Audit Menu (/cfg/sys/adm/audit)
Command Syntax and Usage

servers
  This command displays the RADIUS Audit Servers menu. To view menu options, see page 271.

vendorid
  Assigns the SMI Network Management Private Enterprise Code, as defined by IANA in the file http://www.iana.org/assignments/enterprise-numbers, to the Vendor-Id vendor-specific attribute. The Vendor-Id, represented by the private enterprise number, is one of the RADIUS vendor-specific attributes. The default Vendor-Id is 1872 (Nortel).
  Note: If another Vendor-Id is used by your RADIUS system, you can use the vendorid command to bring the RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.


Table 11-33 Audit Menu (/cfg/sys/adm/audit) (Continued)
Command Syntax and Usage

vendortype
  Assigns a number to the Vendor type vendor-specific attribute used in RADIUS. Used in combination with the Vendor-Id number, the vendor type number identifies the audit attribute that will contain the audit information. The default vendor type value is 2.
  Tip! Finding audit entries in the RADIUS server log can be made easier by defining a suitable string in the RADIUS server dictionary (for example, Nortel-NSF-Audit-Trail) and mapping this string to the vendor type value.
  Note: If another number for vendor type is used by your RADIUS system, you can use the vendortype command to bring the RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information.

ena
  This command enables the RADIUS server.

dis
  This command disables the RADIUS server.
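As an added example (not Nortel's code), the following shows what the vendorid and vendortype defaults above mean on the wire: one CLI audit event packed into an RFC 2866 Accounting-Request whose Vendor-Specific Attribute carries Vendor-Id 1872 and vendor type 2, together with the check a receiving RADIUS audit server makes on the Request Authenticator using the shared secret. The audit text format, the Acct-Status-Type value and the set of accompanying attributes are assumptions.

```python
"""Added example, not Nortel code: one CLI audit event as an RFC 2866
Accounting-Request whose Vendor-Specific Attribute uses Vendor-Id 1872 and
vendor type 2 (the vendorid/vendortype defaults), with the receiver-side
Request Authenticator check.  Attribute set and audit text are assumed."""
import hashlib
import hmac
import struct
from typing import List

ACCOUNTING_REQUEST = 4           # RFC 2866 code; default UDP port is 1813
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_INTERIM_UPDATE = 3   # assumed status value for a per-command event
NORTEL_VENDOR_ID = 1872          # default of the vendorid command
AUDIT_VENDOR_TYPE = 2            # default of the vendortype command


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute (length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific Attribute: 4-byte Vendor-Id, then one sub-TLV."""
    if len(value) > 247:          # 2 + 4 + 2 + value must fit in 255
        raise ValueError("vendor value too long")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_accounting_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def audit_packet(identifier: int, secret: bytes, user: str,
                 session_id: str, audit_text: str) -> bytes:
    """One audit event: user name, session id and the command text in the VSA."""
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE))
             + attribute(ATTR_ACCT_SESSION_ID, session_id.encode())
             + vendor_specific(NORTEL_VENDOR_ID, AUDIT_VENDOR_TYPE, audit_text.encode()))
    return build_accounting_request(identifier, secret, attrs)


def iter_attributes(packet: bytes):
    """Yield (type, value) pairs, refusing lengths that overrun the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length overruns packet")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute the authenticator with the shared secret; an
    event whose authenticator does not match must not enter the audit trail."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extract_audit_trail(packet: bytes, vendor_id: int = NORTEL_VENDOR_ID,
                        vendor_type: int = AUDIT_VENDOR_TYPE) -> List[str]:
    """Return the audit strings carried in matching Vendor-Specific Attributes."""
    found = []
    for attr_type, value in iter_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                break
            if sub_type == vendor_type:
                found.append(value[pos + 2:pos + sub_len].decode("utf-8", "replace"))
            pos += sub_len
    return found


# Constructed sample values; the audit line format is an assumption.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUDIT = "user=admin session=7 cmd=/cfg/sys/adm/telnet/ena"
```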


/cfg/sys/adm/audit/servers Radius Audit Servers Menu

[Radius Audit Servers Menu]
     list - List all values
     del - Delete a value by number
     add - Add a new value
     insert - Insert a new value
     move - Move a value by number

The RADIUS Audit Servers menu is used for adding, modifying and deleting information about RADIUS audit servers.

Table 11-34 Radius Audit Servers Menu Options (/cfg/sys/adm/audit/servers)
Command Syntax and Usage

list
  Lists the IP addresses of the currently configured RADIUS audit servers, along with their corresponding index numbers.

del
  Removes the specified RADIUS audit server from the configuration. Use the list command to display the index numbers of all added RADIUS audit servers.

add
  Adds a RADIUS audit server to the configuration. Specify the IP address, a TCP port number, and the shared secret. The next available index number is assigned automatically by the system. For backup purposes, several RADIUS audit servers can be added. The NSF contacts the server with the lowest index number first. If contact cannot be established, the NSF tries the server with the next index number in sequence, and so on.
  Note: The default port number used for RADIUS audit is 1813.

insert
  Assigns a specific index number to the RADIUS audit server you add. The index number you specify must be in use. RADIUS audit servers with an index number higher than (and including) the one you specify have their current index number incremented by 1. The shared secret refers to the RADIUS server password.

move
  Moves a RADIUS audit server up or down in the list of configured servers. The index numbers you specify must be in use. To view all servers currently added to the configuration, use the list command.


/cfg/sys/adm/auth Authentication Menu

[Authentication Menu]
     servers - RADIUS Authentication Servers menu
     timeout - Set RADIUS server timeout
     fallback - Use local password as fallback
     ena - Enable RADIUS Authentication
     dis - Disable RADIUS Authentication

The Authentication menu is used to configure RADIUS authentication.

Table 11-35 Authentication Menu (/cfg/sys/adm/auth)
Command Syntax and Usage

servers
  This command displays the RADIUS Authentication Servers menu. To view menu options, see page 273.

timeout
  This command allows you to set a timeout period for the RADIUS server.

fallback
  This command allows you to use the local password as a fallback.

ena
  This command enables RADIUS authentication.

dis
  This command disables RADIUS authentication.


/cfg/sys/adm/auth/servers Radius Authentication Servers Menu

[Radius Authentication Servers Menu]
     list - List all values
     del - Delete a value by number
     add - Add a new value
     insert - Insert a new value
     move - Move a value by number

The RADIUS Authentication Servers menu is used for adding, modifying and deleting information about RADIUS authentication servers.

Table 11-36 Radius Authentication Servers Menu (/cfg/sys/adm/auth/servers)
Command Syntax and Usage

list
  Lists the IP addresses of the currently configured RADIUS authentication servers, along with their corresponding index numbers.

del
  Removes the specified RADIUS authentication server from the configuration. Use the list command to display the index numbers of all added RADIUS authentication servers.

add
  Adds a RADIUS authentication server to the configuration. Specify the IP address, a TCP port number, and the shared secret. The next available index number is assigned automatically by the system. For backup purposes, several RADIUS authentication servers can be added. The firewall contacts the server with the lowest index number first. If contact is not established, the firewall tries the server with the next index number in sequence, and so on.
  Note: The default port number used for RADIUS authentication is 1813.

insert
  Assigns a specific index number to the RADIUS authentication server you add. The index number you specify must be in use. RADIUS authentication servers with an index number higher than (and including) the one you specify have their current index number incremented by 1. The shared secret refers to the RADIUS server password.

move
  Moves a RADIUS authentication server up or down in the list of configured servers. The index numbers you specify must be in use. To view all servers currently added to the configuration, use the list command.


/cfg/sys/log Platform Logging Menu

[Platform Logging Menu]
     syslog - Syslog Logging Menu
     ela - ELA Logging Menu
     arch - Log Archiving Menu
     debug - Set syslog debugging
     srcip - Set syslog source ip mode

The Platform Logging Menu is used to configure system message logging features. Messages can be logged to the system console terminal or the ELA facility, archived to a file that can be automatically e-mailed, and used for debugging.

Table 11-37 Platform Logging Menu (/cfg/sys/log)
Command Syntax and Usage

syslog
  The System Logging Menu is used to configure syslog servers. The Nortel Switched Firewall software can send log messages to specified syslog hosts. See page 275 for menu items.

ela
  The ELA Menu is used to configure the Event Logging API (ELA) feature. ELA allows log messages to be sent to a Check Point SmartCenter Server for display through the Check Point SmartView Tracker. See page 276 for menu items.

arch
  The Log Archiving Menu is used to archive log files when a file reaches a specific size or age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address and a new log file is begun. See page 278 for menu items.


Table 11-37 Platform Logging Menu (/cfg/sys/log) (Continued)
Command Syntax and Usage

debug y|n
  This command is used to enable or disable specialized debugging log messages. This is disabled by default and should be enabled only as directed by Nortel Networks technical support.

srcip auto|unique|mip
  This command is used to configure which source IP address is used for logs generated by the Switched Firewall:
  • auto: The IP address of the outgoing interface is used. This is the default.
  • unique: The IP address of the individual Switched Firewall is used.
  • mip: The IP address of the cluster MIP is used. This setting is useful with applications (such as some versions of HP OpenView) that expect devices to be limited to only one IP address.

/cfg/sys/log/syslog System Logging Menu

[System Logging Menu]
     list - List all values
     del - Delete a value by number
     add - Add a new value
     insert - Insert a new value
     move - Move a value by number

The System Logging Menu is used to configure syslog servers. The Nortel Switched Firewall software can send log messages to specified syslog hosts.

Table 11-38 System Logging Menu (/cfg/sys/log/syslog)
Command Syntax and Usage

list
  This command displays all configured syslog servers by their index number, IP address, and facility number.

del
  This command lets you remove a syslog server from the configuration by specifying the server’s index number.


Table 11-38 System Logging Menu (/cfg/sys/log/syslog) (Continued)

add
    This command lets you add a new syslog server, including its IP address and local facility number. The local facility number can be used to uniquely identify syslog entries. For more information, see the UNIX manual page for syslog.conf.

insert
    This command lets you add a new syslog server to the list at the specified index position. All existing items at the specified index number and higher are incremented by one position.

move
    This command removes the syslog server at the specified "from" index number and inserts it at the specified "to" index number.

/cfg/sys/log/ela ELA Logging Menu
[ELA Logging Menu]
    ena  - Enable ELA
    dis  - Disable ELA
    addr - Set management station IP address
    sev  - Set minimum logging severity
    dn   - Set management station DN
    pull - Pull SIC certificate

The ELA Logging Menu is used to configure the Event Logging API (ELA) feature. ELA allows log messages to be sent to a Check Point SmartCenter Server for display through the Check Point SmartView Tracker. ELA configuration requires steps at both the Nortel Switched Firewall and the Check Point SmartCenter Server. For configuration details, see Appendix A, “Event Logging API,” on page 337.

The ELA Logging Menu has the following options:

Table 11-39 ELA Logging Menu (/cfg/sys/log/ela)

ena
    This command is used to enable the ELA feature. When enabled, system log messages will be sent to the Check Point SmartCenter Server.

dis
    This command is used to disable ELA. This is the default.

addr
    This command is used to set the IP address of the Check Point SmartCenter Server to which log messages will be sent. Specify the IP address in dotted decimal notation.

sev emerg|alert|crit|err|warning|notice|info|debug
    This command is used to set the minimum logging severity level. All messages at the specified level of severity or higher will be logged to the ELA.

dn
    This command is used to set the Distinguished Name (DN) of the Check Point SmartCenter Server. The DN is defined in the Check Point SmartDashboard under the management server properties. The DN is found in the Secure Internal Communication (SIC) area.

pull
    This command is used to obtain a certificate for secure communication from the Check Point SmartCenter Server.

/cfg/sys/log/arch Log Archiving Menu
[Log Archiving Menu]
    email - Set e-mail address to send log
    smtp  - Set SMTP server address
    int   - Set log archive interval
    size  - Set maximum size of archived log

The Log Archiving Menu is used to archive log files when the file reaches a specific size or age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address and a new log file is begun. If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size, or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0, the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP server IP address are set, then the log file is e-mailed when rotated.

Table 11-40 Log Archiving Menu (/cfg/sys/log/arch)

email
    This command is used in conjunction with smtp to set the e-mail address where log files will be sent when the log interval or maximum log size is reached.

smtp
    This command is used to set the IP address of the SMTP mail server that holds the e-mail address specified in the email command. The IP address should be specified in dotted decimal notation.
    NOTE – The specified SMTP server must be configured to accept messages from the Firewall. Also, a Check Point policy should be present to allow these messages through the firewall.

int
    This command is used to set the time interval at which the log files are rotated. The interval is specified in number of days and number of hours.

size
    This command is used to set the maximum size a log file is allowed to reach before triggering rotation. The size is specified in kilobytes. If set to 0, the file size is ignored and only the interval (int) is used to determine rotation.

/cfg/sys/user User Menu
[User Menu]
    passwd - Change own password
    expire - Set password expire time interval
    list   - List all users
    del    - Delete a user
    add    - Add a new user
    edit   - Edit a user
    adv    - Advanced User Configuration Menu

The User Menu is used to add, modify, delete, or list Nortel Switched Firewall user accounts, and change passwords. There are three default user accounts which cannot be deleted: admin, oper, and root. See “Users and Passwords” on page 208 for information about default passwords and privileges. Only the Administrator can change the passwords.

Table 11-41 User Menu (/cfg/sys/user)

passwd
    This command lets you change the administrator password. The password can contain spaces and is case sensitive. There is no limitation on the number of characters. Only the admin user can perform this action. You will be prompted to enter the current administrator password. Then, you will be prompted to enter and confirm the new administrator password.

expire
    This command is used to set the password expiration time in seconds. If the value is set to zero (the default), password expiration is not activated. After a password has expired, the user will be prompted at login to enter the old password once, and the new password twice.
    NOTE – This command is visible only to users in the admin group, and does not apply to the root user.

list
    This command lists all editable user accounts.

Table 11-41 User Menu (/cfg/sys/user) (Continued)

del
    This command lets you delete user accounts. Only the admin user can perform this action. Of the four default users (admin, oper, and root), only the oper user can be deleted.

add
    This command lets you add a user account. Only the admin user can perform this action. After adding a user account, you must also assign the account to a group using the User Admin Menu (edit).

edit
    This command opens the User Oper Menu, which lets you edit the user account passwords and group privileges for the specified user. See page 281 for menu items.

adv
    This command opens the SSH User Menu, which provides options for administering SSH user access. See page 281 for menu items.

/cfg/sys/user/edit User user_name Menu
[User user_name Menu]
    password - Login password
    groups   - Groups

The User (user name) Menu is used to change passwords and assign group privileges for the user account specified by the user name.

Table 11-42 User Oper Menu (/cfg/sys/user/edit)

password
    This command lets you change the password for the selected user. The password can contain spaces and is case sensitive. There is no limitation on the number of characters. Only the admin user can perform this action. You will be prompted to enter the current administrator password. Then, you will be prompted to enter and confirm the new user password.

groups
    This command lets you add or delete the selected user to or from a group. By default there are three predefined groups: admin, oper, and root. For the privileges of each group, see “Users and Passwords” on page 208. To view menu items, see “Groups Menu” on page 283.

/cfg/sys/user/adv SSH Users Menu
[SSH Users Menu]
    user - SSH User Admin Menu

The user command opens the SSH User Admin Menu. You must specify a user name to open the menu.

/cfg/sys/user/adv/user SSH User Admin Menu
[SSH User Admin Menu]
    name   - Set Full name of User
    pubkey - Set RSA/DSA Public Key for User
    ena    - Enable User Account
    dis    - Disable User Account
    del    - Remove SSH User

The SSH User Admin Menu allows you to create an SSH account on the Switched Firewall. This provides the specified user with SSH access to the Firewall OS shell. Changes do not take place until you apply them.

Table 11-43 SSH User Admin Menu (/cfg/sys/user/adv/user)

name
    Allows you to enter a descriptive name (like a full name) for the SSH account.

pubkey
    Allows you to specify the RSA/DSA (Rivest Shamir Adleman/Digital Signature Algorithm) public key for the SSH account.
    NOTE – The public key you enter must conform to OpenSSH v2 RSA or DSA format.

ena
    Enables the SSH account for the specified user name.

dis
    Disables the SSH account for the specified user name.

del
    Deletes the SSH account.

/cfg/sys/user/edit/groups Groups Menu
[Groups Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value

Table 11-44 Groups Menu (/cfg/sys/user/edit/groups)

list
    This command lists all group members by index number and name, for example:
        1: admin
        2: oper

del
    This command is used to delete a member from the selected group. Specify the member by its index number.

add
    This command is used to add a member to the selected group. Specify the member by its index number.

/cfg/sys/ups APC UPS Menu
[APC UPS Menu]
    type     - Set UPS type
    snmphost - Set IP address of SNMP UPS
    snmpport - Set port used by SNMP UPS
    snmpcomm - Set SNMP community string of the UPS
    level    - Set battery level (%) at which director shuts down
    master   - Set UPS Master IP address
    ena      - Enable APC UPS Monitor
    dis      - Disable APC UPS Monitor

The APC UPS Menu allows you to configure UPS support on the Switched Firewall. The items in this menu allow you to specify the communication type used to contact the UPS from the Switched Firewall.

Table 11-45 APC UPS Menu (/cfg/sys/ups)

type usb|snmp
    This command sets the communication type used to configure UPS support in the cluster. Select usb when the Switched Firewall is connected to the UPS through a USB cable. Select snmp when the UPS communicates with the Switched Firewall over the Ethernet connection via SNMP.

snmphost
    This command lets you specify the IP address of the UPS system. It is used when the UPS type is configured to communicate with the firewall via SNMP.

snmpport
    This command lets you specify the port number on which the UPS SNMP agent listens. The default value is the standard SNMP port number, 161.

snmpcomm
    This command sets the SNMP community name used for communicating with the UPS system.

level
    This command lets you specify the battery level threshold for the UPS. When the UPS is running on batteries, this value is used as a minimum threshold. If the battery level falls below this value, the firewalls connected to the UPS are shut down. The default value is 5%.

Table 11-45 APC UPS Menu (/cfg/sys/ups) (Continued)

master
    This command lets you specify which Switched Firewall in the cluster should be the master that communicates with the UPS system. When the UPS type is usb, configure the master to be the firewall that is directly connected to the UPS via the USB cable. If the UPS type is snmp, then any cluster member can be the master.

ena
    Enables UPS monitoring support in the cluster.

dis
    Disables UPS support in the cluster.

/cfg/net Network Configuration Menu
[Network Configuration Menu]
    port    - Port Menu
    if      - Interface Menu
    bridge  - Bridge Configuration Menu
    vrrp    - VRRP Settings Menu
    gateway - Set default gateway address
    routes  - Routes Menu
    gre     - GRE Tunnel Menu
    ospf    - Open Shortest Path First (OSPF) Menu
    parp    - Proxy Arp Menu
    dhcprl  - DHCP Relay Menu

Table 11-46 Network Configuration Menu (/cfg/net)

port
    This command displays the Port Menu for the selected port number. The Port Menu is used for configuring the specified physical port on the firewall. In addition to enabling or disabling ports, this menu is used to create and apply port filters, and specify port link characteristics. To view menu items, see page 288.
    NOTE – The 5106 and 5114 have four ports. The 5109 has six ports.

if
    This command displays the Interface Menu for the selected interface. To view menu items, see page 289.

bridge
    This command displays the Bridge Menu used for configuring L2/L3 bridge support in the cluster. To view menu items, see page 293.

vrrp
    This command displays the VRRP Settings Menu for the cluster. To view menu items, see page 296.

gateway
    This command configures the IP address of the Firewall’s default gateway, using dotted decimal notation. It should be set to the IP address of the network router interface that is adjacent to the Firewall to allow remote administrative (Telnet, SSH, BBI) access.

Table 11-46 Network Configuration Menu (/cfg/net) (Continued)

routes
    The Routes Menu is used to add, delete, or list static routes. The Firewall uses these routes to route packets within the attached networks. See page 299 for menu items.

gre
    The Generic Routing Encapsulation Menu is used to configure GRE tunneling in the Nortel Switched Firewall. See page 300 for menu items.

ospf
    The OSPF Menu is used to configure the Open Shortest Path First (OSPF) routing protocol. See page 301 for menu items.

parp
    The Proxy ARP Menu is used to access the proxy ARP list or enable proxy ARP support in the Switched Firewall. See page 300 for menu items.

dhcprl
    The DHCP Relay Menu is used to configure DHCP Relay Agent support in the Switched Firewall. See page 316 for menu items.

/cfg/net/port Port Menu
[Port 1 Menu]
    name    - Set port name
    autoneg - Set autonegotiation
    speed   - Set Speed
    mode    - Set full or half duplex mode

The Port Menu is used for configuring the port characteristics for a specified port.
NOTE – A port must be configured at this menu before it can be added to a network interface.

Physical Port Connector Characteristics

The SC fiber optic connectors are for attaching Gigabit Ethernet (1000Base-SX) segments to the port. The RJ-45 copper connectors are for attaching 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. For physical port specifications and LED behavior, see the Nortel Switched Firewall 5100 Series Hardware Installation Guide.

Table 11-47 Port Menu (/cfg/net/port)

name
    This command sets a name for the port. The assigned port name appears next to the port number on some information screens. The default is set to None.

autoneg on|off
    This command is used to turn link autonegotiation on or off. If set to off, the port will operate at the speed set in the port speed command.
    NOTE – Turning autonegotiation on or off may cause a temporary interruption to network traffic on all ports.

Table 11-47 Port Menu (/cfg/net/port) (Continued)

speed
    This command is used to set the link speed of the port. Enter the port speed as an integer representing Mb/second. For Fast Ethernet ports, speed can be set to 10 or 100. For Gigabit Ethernet ports, speed is fixed at 1000.

mode
    This command is used to set the port duplex mode to either full-duplex or half-duplex. The default setting is full.

/cfg/net/if Interface Menu
[Interface 1 Menu]
    addr1  - Set IP address for host 1
    addr2  - Set IP address for host 2
    mask   - Set Subnet mask
    vlanid - Set VLAN tag id
    port   - Set Port number
    vrrp   - VRRP Interface Menu
    mgmt   - Enable management through this interface
    ena    - Enable interface
    dis    - Disable interface
    del    - Remove Interface

The Interface Menu is used to configure IP interfaces for the firewall. Each IP interface should be configured to represent a network attached to the firewall.
NOTE – A network device that is attached to a firewall port must be configured to use an IP interface as its default gateway. This will direct traffic through the Firewall.

NOTE – Do not use the host IP address or any IP address in the Firewall subnet as the default gateway for a network.

Table 11-48 Interface Menu (/cfg/net/if)

addr1
    This command configures the real IP address for the host 1 interface using dotted decimal notation. Devices on the connected networks should use this IP address as their default gateway so that their outbound traffic is directed to the firewall. The Firewall will support up to 255 IP interfaces.
    NOTE – In NSF 2.3.1, real IP addresses are configured using this command (cfg/net/if/addr1), and virtual IP addresses are configured with the cfg/net/if_#/vrrp/ip1 command. If the interface is part of a VRRP high availability or active-active network configuration, addr1 is the real router IP address (see “VRRP Interface Menu” on page 291).

addr2
    This command configures the real second IP address for the host 2 interface using dotted decimal notation. Addr2 should not be configured unless the interface is part of a VRRP active-active network configuration. Addr2 supports the second real router interface that is required for active-active network configurations (see the “VRRP Interface Menu” on page 291). The addr2 IP address on one Firewall in the cluster should be the same as the addr1 IP address on the other Firewall.
    NOTE – Addr2, if configured, must be on the same network as addr1.
    NOTE – In NSF 2.3.1, real IP addresses are configured using this command (cfg/net/if/addr2) and virtual IP addresses are configured with the cfg/net/if_#/vrrp/ip2 command.

mask
    This command configures the IP subnet address mask for the IP interface using dotted decimal notation.

vlanid
    This command allows you to enter the VLAN ID for traffic intended for a VLAN member on this interface. Only one vlanid is allowed per interface. The default VLAN ID is 0, which disables VLAN tagging for the interface. The maximum number of vlanids allowed per system is 255. For a sample configuration, see “VLAN Tags” on page 66.

Table 11-48 Interface Menu (/cfg/net/if) (Continued)

port
    This command is used to assign a port to this IP interface. Only one port may be assigned to an interface. One port may be assigned to multiple interfaces, but the interface IP addresses must be on different networks.
    NOTE – A port must be configured before it can be assigned to an interface. To configure a port, see “Port Menu (/cfg/net/port)” on page 288.

vrrp
    The VRRP Menu is used for configuring an interface for high-availability when redundant firewall hosts are in a cluster. Virtual Router Redundancy Protocol (VRRP) ensures that if the active firewall host fails, the redundant firewall host will take over. In an active-standby (high-availability) configuration, each participating IP interface must be configured separately for VRRP. See page 291 for menu items.

mgmt
    This command enables management on this interface.

ena
    This command enables this IP interface.

dis
    This command disables this IP interface.

del
    This command removes this IP interface from the Firewall configuration.

/cfg/net/if/vrrp VRRP Interface Menu
[VrrpInterface Menu]
    vrid - Set virtual router ID
    ip1  - Set first virtual IP
    ip2  - Set second virtual IP

The VRRP Interface Menu is used for configuring redundant interfaces when two hosts are present in a cluster. Virtual Router Redundancy Protocol (VRRP) ensures that if the active host fails, the backup host will take over.

With VRRP, the redundant interfaces form a virtual router. The interface IP address (/cfg/net/if/addr1) becomes the real IP address for both hosts, though it is only active on the active master. Two additional virtual sub-addresses (ip1 and ip2) must be assigned to the interface: ip1 represents host 1 and ip2 represents host 2. Each sub-address must be on the same network as the virtual router IP address. The virtual router IP address (/cfg/net/if/vrrp/ip1) becomes the virtual router IP address for both hosts, though it is only active on the active master.

NOTE – Both hosts in the cluster must have the same configuration.

The VRRP Interface options are described in Table 11-49. For more information on VRRP, see “VRRP on the Switched Firewall” on page 98 and “Configuring the Redundant Switched Firewall” on page 109.

Table 11-49 VRRP Interface Menu options (/cfg/net/if/vrrp)

vrid
    This command assigns an ID for the virtual router interface. The vrid on this interface must be configured the same for both the active master and the backup. Separate interfaces must have unique vrids.
    NOTE – Vrids must be at least one number apart (e.g., vrids 1 and 2 are not acceptable; vrids 1 and 3 are acceptable).

ip1
    This command defines the virtual IP address used to represent Firewall #1 in this virtual router. The ip1 address must be in the same subnet as the interface IP address (see /cfg/net/if/addr1 or addr2 on page 289).
    WARNING! – In NSF 2.3.1, virtual IP addresses are configured using the command in this menu (cfg/net/if_#/vrrp/ip1), and real IP addresses are configured with the cfg/net/if_#/addr1 command.

ip2
    This command defines the virtual IP address used to represent Firewall #2 in this virtual router. The ip2 address must be in the same subnet as the interface IP address (see /cfg/net/if/addr1 or addr2 on page 289).
    WARNING! – In NSF 2.3.1, virtual IP addresses are configured using the command in this menu (cfg/net/if_#/vrrp/ip2), and real IP addresses are configured with the cfg/net/if_#/addr2 command.

/cfg/net/bridge Bridge 1 Menu
[Bridge 1 Menu]
    addr1  - Set IP address-1
    addr2  - Set IP address-2
    mask   - Set Subnet mask
    vlanid - Set VLAN tag id
    ageing - Set Bridge Ageing Time
    ports  - Ports Menu
    vrrp   - VRRP Bridge Menu
    ena    - Enable Bridge
    dis    - Disable bridge
    del    - Remove Bridge

The Bridge Menu is used to configure a Layer 2 or Layer 3 bridge mode firewall. Layer 2 firewalls are transparent firewalls, so IP addresses are not required. Layer 3 firewalls require IP addresses.

Table 11-50 Bridge Menu (/cfg/net/bridge)

addr1
    This command configures the IP address on the bridge for the host 1 interface using dotted decimal notation.

addr2
    This command configures the second IP address on the bridge for the host 2 interface using dotted decimal notation.

mask
    This command configures the IP subnet address mask for the IP interface using dotted decimal notation.

vlanid
    This command allows you to enter the vlanid for traffic intended for a VLAN member on this interface. Only one vlanid is allowed per interface. The default vlanid is 0, which disables VLAN tagging for the interface. The maximum number of vlanids allowed per system is 255. For a sample configuration, see “VLAN Tags” on page 66.

ageing
    This command configures the age-out timer for the MAC entries learned through bridging. The default is 300 seconds.

Table 11-50 Bridge Menu (/cfg/net/bridge) (Continued)

ports
    This command is used to assign a port to this bridge interface. See page 294 for menu items.

vrrp
    The VRRP Bridge Menu is used for configuring an interface for high-availability when redundant hosts are in a cluster. See page 295 for menu items.

ena
    This command enables this bridge.

dis
    This command disables this bridge.

del
    This command removes the bridge from the firewall configuration.

/cfg/net/bridge/ports Bridge 1 Ports Menu
[Bridge 1 Ports Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

The Bridge Ports Menu is used for adding or deleting ports on the bridge.

Table 11-51 Bridge Ports Menu options (/cfg/net/bridge/ports)

list
    This command lists the ports attached to the bridge interface.

del
    This command lets you remove a port configured for the bridge interface by specifying the port’s index number.

Table 11-51 Bridge Ports Menu options (/cfg/net/bridge/ports) (Continued)

add
    This command lets you add a new port to the bridge interface.

insert
    This command lets you add a new port to the list at the specified index position. All existing items at the specified index number and higher are incremented by one position.

move
    This command removes the port at the specified "from" index number and inserts it at the specified "to" index number.

/cfg/net/bridge/vrrp VRRP Bridge 1 Menu
[Vrrp Bridge 1 Menu]
    vrid - Set virtual router ID
    ip1  - Set IP1
    ip2  - Set IP2

The VRRP Bridge Menu is used for configuring redundant interfaces when two hosts are present in a cluster. Virtual Router Redundancy Protocol (VRRP) ensures that if the active host fails, the backup host will take over. With VRRP, the redundant interfaces form a virtual router. The interface IP address (/cfg/net/bridge/addr1) becomes the real IP address for both hosts, though it is only active on the active master. Two additional virtual IP addresses (ip1 and ip2) must be assigned to the interface: ip1 represents host 1 and ip2 represents host 2. Each virtual IP address must be on the same network as the real router IP address. The virtual router IP address (/cfg/net/bridge/vrrp/ip1) becomes the virtual router IP address for both hosts, though it is only active on the active master.

Table 11-52 VRRP Bridge Menu options (/cfg/net/bridge/vrrp)

vrid
    This command assigns an ID for the virtual router interface. The vrid on this interface must be configured the same for both the active master and the backup. Separate interfaces must have unique vrids.
    NOTE – Vrids must be at least one number apart (e.g., vrids 1 and 2 are not acceptable; vrids 1 and 3 are acceptable).

ip1
    This command defines the virtual IP address used to represent Firewall #1 in this virtual router. The ip1 address must be in the same subnet as the bridge interface IP address (see /cfg/net/bridge/addr1 or addr2 on page 293).

ip2
    This command defines the virtual IP address used to represent Firewall #2 in this virtual router. The ip2 address must be in the same subnet as the bridge interface IP address (see /cfg/net/bridge/addr1 or addr2 on page 293).

/cfg/net/vrrp VRRP Settings Menu
[VrrpSettings Menu]
    ha         - Set high availability
    aa         - Set Active-Active
    clusterxl  - Set Cluster XL
    adint      - Set Vrrp Advertisement Interval
    garp       - Set Garp Delay interval after failover
    gbcast     - Set Garp broadcast interval
    afc        - Set Advanced failover check
    prefmaster - Set Preferred Master

The VRRP Settings Menu is for setting the Virtual Router Redundancy Protocol (VRRP) parameters for the cluster. Valid addresses must be specified for /cfg/net/vrrp ip1 and /cfg/net/vrrp ip2 before changes to the parameter values can be applied (see “VRRP Interface Menu” on page 291 for more information on VRRP). For example configurations, see “Configuring VRRP Active-Standby Failover” on page 105, or “Configuring VRRP Active-Active Failover” on page 123.

NOTE – Both firewall hosts in the cluster must have the same configuration.

Table 11-53 VRRP Settings Menu (/cfg/net/vrrp)

ha y|n
    This command is used to enable (y) or disable (n) high-availability VRRP. Two iSD hosts must be installed and configured for you to enable HA and apply the setting. Neither AA nor Cluster XL can be enabled at the same time.

aa y|n
    This command is used to enable (y) or disable (n) active-active VRRP. Two iSD hosts must be installed and configured for you to enable AA and apply the setting. Neither HA nor Cluster XL can be enabled at the same time.

clusterxl y|n
    This command enables (y) or disables (n) support for Cluster XL, the Check Point VRRP solution. Two iSD hosts must be installed and configured for you to enable Cluster XL. Neither HA nor AA may be enabled at the same time. Cluster XL does not work with Proxy ARP.
    NOTE – If Cluster XL is enabled, the iSD host gateway may not be the same as ip1 or ip2 (verify static routes against the ip1 and ip2 addresses).

adint
    This command displays the current advertisement interval in seconds and provides the option to change it. A VRRP advertisement message is sent by the active master to the backup. Only the active master sends VRRP advertisement messages. If the backup does not receive a VRRP advertisement from the active master within the adint interval, VRRP will initiate VRRP failover (see “VRRP Failover” on page 100). The default value is 3. It is also the lowest recommended value.

garp [1-600]
    This command displays the current Gratuitous Address Resolution Protocol (GARP) value in seconds and allows you to set it. When the backup determines that the active master has failed, it immediately flashes a GARP message (an unsolicited ARP response) to all end-hosts on the virtual router interface. Then the backup delays for the period of time set by the garp value before it begins sending continuous GARP messages (see the gbcast command). The flash GARP message forces end-hosts to update their ARP caches with the MAC address/IP address mapping for the newly active iSD host instead of waiting for end-hosts to learn it via periodic ARP requests. The default value is 1.

Table 11-53 VRRP Settings Menu (/cfg/net/vrrp) (Continued)

gbcast
    This command displays the present Gratuitous Broadcast (gbcast) value and allows you to change it. The gbcast value sets the interval between GARP messages that are sent by the active master to ensure that all end-hosts have the correct MAC address/IP address mapping. Increasing the gbcast value cuts down on the gbcast traffic, but lengthens the interval between end-host ARP cache updates. The gbcast value is multiplied by the /cfg/net/vrrp/adint value to determine the interval in seconds between GARP messages. For example, if your adint value is 10 and your gbcast value is 3, the interval between GARP messages will be 30 (10 x 3) seconds. The default gbcast value is 2.

afc y|n
    This command is used to enable (y) or disable (n) Advanced Failover Checking (AFC). When AFC is enabled, the system ARPs before initiating a failover caused by missed VRRP advertisements.

prefmaster
    This command allows you to specify which Switched Firewall in the cluster is the VRRP Master. The preferred master always remains active when it has equal or better priority. It goes into backup mode only when its links are down and regains its position once the links are up.

/cfg/net/routes Routes Menu

[Routes Menu]
list   - List all values
del    - Delete a value by number
add    - Add a new value
insert - Insert a new value
move   - Move a value by number

The Routes Menu is used to add, delete, or list static routes. The firewall uses these static routes to route packets to indirectly attached internal networks. You can configure up to 1K static routes.

Table 11-54 Route Menu (/cfg/net/routes)
Command Syntax and Usage

list

This command lists all configured routes (dynamic routes generated by OSPF as well as static routes) by their index number and IP address information.

del

This command lets you remove a route from the configuration by specifying the route index number. Use the list command to display the index numbers of configured routes.

add

This command adds a static route based on destination IP address, destination subnet mask, and gateway IP address. Enter all addresses using dotted decimal notation.

NOTE – The gateway IP address should be a previously specified interface address and should not be within the range specified by the destination IP address and mask.

insert

This command lets you add a new static route at a specific position (index number) in the index. Use the list command to display the index numbers of configured routes.

move

This command lets you move a static route from one position in the index to another.
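The NOTE under the add command states two rules for a static route's gateway. The following Python check is an added example, not code from the Nortel manual or the product: it validates a route table against the configured interfaces before the routes are entered. The interface and route values are constructed sample data, and reading "a previously specified interface address" as "an address on a configured interface subnet" is an assumption of this example.

```python
"""Static route sanity check for the two rules stated under /cfg/net/routes add.

Added example, not code from the Nortel manual.  Interface and route values
below are constructed sample data; the interpretation of "a previously
specified interface address" as "an address on a configured interface subnet"
is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    addr: str  # interface IP address, dotted decimal
    mask: str  # subnet mask, dotted decimal


@dataclass(frozen=True)
class StaticRoute:
    dest: str     # destination network, dotted decimal
    mask: str     # destination subnet mask, dotted decimal
    gateway: str  # next-hop gateway, dotted decimal


def route_problems(route, interfaces):
    """Return a list of problem strings for one route; empty means it passes."""
    try:
        dest_net = ipaddress.IPv4Network(f"{route.dest}/{route.mask}", strict=False)
        gw = ipaddress.IPv4Address(route.gateway)
    except ValueError as exc:
        return [f"malformed address: {exc}"]
    problems = []
    # Rule 1: the gateway must be reachable on a configured interface subnet
    # (assumed reading of the manual's "previously specified interface address").
    on_link = any(
        gw in ipaddress.IPv4Network(f"{i.addr}/{i.mask}", strict=False)
        for i in interfaces
    )
    if not on_link:
        problems.append(f"gateway {gw} is not on any configured interface subnet")
    # Rule 2: the gateway must not fall inside the destination range, otherwise
    # reaching the gateway would itself depend on the route being added.
    if gw in dest_net:
        problems.append(f"gateway {gw} lies inside destination {dest_net}")
    return problems


def validate_routes(routes, interfaces):
    """Map each route's 1-based index (as the list command shows) to its problems."""
    return {i: route_problems(r, interfaces) for i, r in enumerate(routes, start=1)}


# Constructed sample data (not from the manual).
SAMPLE_INTERFACES = [
    Interface("10.0.1.1", "255.255.255.0"),
    Interface("192.168.5.1", "255.255.255.0"),
]
SAMPLE_ROUTES = [
    StaticRoute("172.16.0.0", "255.255.0.0", "10.0.1.254"),  # passes both rules
    StaticRoute("172.17.0.0", "255.255.0.0", "172.17.0.1"),  # gateway inside destination
    StaticRoute("172.18.0.0", "255.255.0.0", "10.9.9.1"),    # gateway not on any interface
]

if __name__ == "__main__":
    for index, problems in validate_routes(SAMPLE_ROUTES, SAMPLE_INTERFACES).items():
        print(index, "OK" if not problems else "; ".join(problems))
```

Running the check on the constructed table reports the second route twice (its gateway is inside the destination and is not on any interface subnet) and the third route once; only the first route would be accepted without a warning.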


/cfg/net/gre GRE Tunnel 1 Menu

[GRE Tunnel 1 Menu]
name       - Set GRE Tunnel name
phyif      - Set Physical Interface number
remoteaddr - Set Remote IP address
host1      - Host 1 tunnel settings
host2      - Host 2 tunnel settings
ena        - Enable GRE Tunnel
dis        - Disable GRE Tunnel
del        - Remove GRE Tunnel

The GRE Settings Menu is used to configure the GRE tunnel parameters and create a GRE tunnel over an OSPF network.

Table 11-55 GRE Settings Menu (/cfg/net/gre)
Command Syntax and Usage

name

This command allows you to define a unique name of up to 16 characters.

phyif

This command is used to define the local GRE tunnel end point.

remoteaddr

This command is used to define the address of the remote GRE tunnel end point.

host1

This command is used to define the GRE IP address of the local tunnel end point. For example, if you are running OSPF over GRE, host1 is the OSPF interface IP address on the local system.

host2

This command is used to define the GRE IP address of the remote tunnel end point. For example, if you are running OSPF over GRE, host2 is the OSPF interface IP address on the remote system.

ena

This command is used to enable the GRE tunnel.


Table 11-55 GRE Settings Menu (/cfg/net/gre) (Continued)
Command Syntax and Usage

dis

This command disables this GRE tunnel.

del

This command removes this GRE tunnel from the configuration.

/cfg/net/ospf OSPF Menu

[OSPF Menu]
aindex - OSPF Area (index) Menu
if     - OSPF Interface Menu
gre    - OSPF GRE Tunnel Menu
redist - Route Redistribute Menu
rtid1  - Set OSPF router ID for first 5100
rtid2  - Set OSPF router ID for second 5100
spf    - Set time interval between two SPF calculations
ena    - Enable OSPF
dis    - Disable OSPF

The OSPF Menu is used to configure the OSPF routing protocol. OSPF creates a Link-State Database (LSDB) that is shared between routers in an OSPF area. Any change in routing information is flooded to all routers in the network. The routers use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The routers then select the least cost path for each routing request, which optimizes traffic speed and efficiency in the network.


For more information on OSPF, see Chapter 4, “Open Shortest Path First”.

Table 11-56 OSPF Menu (/cfg/net/ospf)
Command Syntax and Usage

aindex

The OSPF Area Index Menu is used for defining OSPF area numbers and parameters.

NOTE – The area index specified in this menu option does not represent the actual OSPF area number. It is an arbitrary index used only on the Switched Firewall. The actual area value is defined in the OSPF Area Menu using the id option. See page 303 for menu items.

if

The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. See page 304 for menu items.

gre

The OSPF GRE interface tunnel menu is used for attaching OSPF networks to the GRE interface. See page 307 for menu items.

redist

The Route Redistribution Menu is used to define how routes from other protocols are converted for use with OSPF. See page 310 for menu items.

rtrid1

This command sets a static router ID 1 for this cluster. The router ID is expressed in dotted decimal IP address format. OSPF, when enabled, uses the router ID to identify the routing device. If no router ID is specified, or if the router ID is set to 0.0.0.0 and the Switched Firewall is rebooted, the cluster dynamically selects one of the active IP interfaces on the cluster as the router ID.

rtrid2

This command sets a static router ID 2 for this cluster. The router ID is expressed in dotted decimal IP address format. OSPF, when enabled, uses the router ID to identify the routing device. If no router ID is specified, or if the router ID is set to 0.0.0.0 and the Switched Firewall is rebooted, the cluster dynamically selects one of the active IP interfaces on the cluster as the router ID.

spf

This command sets the time interval, in seconds, between each calculation of the shortest path tree. The default for the spf calculation interval is 5 seconds and the default for the spf calculation hold time is 10 seconds.

Table 11-56 OSPF Menu (/cfg/net/ospf) (Continued)
Command Syntax and Usage

ena

This command globally turns on OSPF.

dis

This command globally turns off OSPF.

/cfg/net/ospf/aindex OSPF Area Index Menu

[OSPF Area Index 1 Menu]
id   - Set area ID
type - Set area type
ena  - Enable area
dis  - Disable area
del  - Remove OSPF Area Index

The OSPF Area Index Menu is used for defining OSPF area numbers and parameters. For more information on OSPF, see Chapter 4, “Open Shortest Path First”.

Table 11-57 OSPF Area Index Menu (/cfg/net/ospf/aindex)
Command Syntax and Usage

id

This command sets the OSPF area number in dotted decimal notation. The area number can be set using the last octet format (0.0.0.1 for area 1) or using multi-octet format (1.1.1.1), though the same format should be used throughout an area.

type transit|stub

This command sets the area type:
- transit for the backbone.
- stub for any area that contains no external routes.
The default type is transit.

ena

This command enables this area.


Table 11-57 OSPF Area Index Menu (/cfg/net/ospf/aindex) (Continued)
Command Syntax and Usage

dis

This command disables this area.

del

This command deletes this area index from the configuration.

/cfg/net/ospf/if OSPF Interface Menu

[OSPF Interface 1 Menu]
aindex - Set area index
prio   - Set interface router priority
cost1  - Set Cost for first 5100
cost2  - Set Cost for second 5100
hello  - Set hello interval in seconds
dead   - Set dead interval in seconds
trans  - Set transmit delay in seconds
retra  - Set retransmit delay in seconds
auth   - Set authentication type
key    - Set password authentication key
md5key - Set MD5 authentication key
ena    - Enable interface
dis    - Disable interface

The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. For more information on using OSPF, see Chapter 4, “Open Shortest Path First” on page 75.


NOTE – The hello interval (hello), dead interval (dead), transmit interval (trans) and retransmit interval (retra) must be the same on all OSPF routing devices within an area. Using incompatible values could keep adjacencies from forming and could stop or loop routing updates.

Table 11-58 OSPF Interface Menu (/cfg/net/ospf/if)
Command Syntax and Usage

aindex

This command sets the OSPF area index to attach to the network for the current IP interface.

prio

This command sets the IP interface (IF) priority that is used when electing a Designated Router (DR) and Backup Designated Router (BDR) for the area. The default is 1 (lowest priority). A value of 0 specifies that the elected interface is DROTHER and cannot be used as a DR or BDR.

cost1

This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates high bandwidth. The default is 1.

cost2

This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates high bandwidth. The default is 1.

hello

This command sets the hello interval in seconds. The switch sends hello messages to inform neighbors that the link is up. The default is 10 seconds. This value must be the same on all routing devices within the area.

dead

This command sets the router dead interval, in seconds. If the switch does not receive a hello on the IP interface within the dead interval, the switch will declare the interface to be down. Typically, the dead value is four times the value of hello. The default is 40 seconds. This value must be the same on all routing devices within the area.

trans

This command sets the transmit delay, in seconds. This is the estimated time required to transmit an LSA to adjacencies on this interface, taking into account transmission and propagation delays. The default is 1 second. This value must be the same on all routing devices within the area.


Table 11-58 OSPF Interface Menu (/cfg/net/ospf/if) (Continued)
Command Syntax and Usage

retra

This command sets the time interval, in seconds, between each transmission of LSAs to adjacencies on this interface. The default value is five seconds. This value must be the same on all routing devices within the area.

auth none|password|md5

This command sets the authentication type for this interface:
- none turns off OSPF authentication.
- password turns on type 1 (plain text) password authentication. The password is set using the key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is defined using the md5key option.
For more information, see “Authentication” on page 80.

key

This option is used with the previous OSPF auth option. When the auth option is set to password, the key option sets the password to be used for OSPF authentication on this IP interface. Specify a type 1 (plain text) password of up to eight characters. To clear the key, specify none as the value.

md5key

This option is used to define an MD5 password for OSPF authentication on this IP interface. Specify the key ID number of an MD5 password defined in the OSPF auth md5 key Entry Menu above. Assigned passwords are ignored until MD5 authentication is enabled in the auth option.

ena

This command enables this interface.

dis

This command disables this interface.
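The NOTE preceding Table 11-58 requires the hello, dead, trans and retra values to agree on every OSPF device in an area, and the table describes dead as typically four times hello. The following Python audit is an added example, not code from the Nortel manual or the product: it takes an inventory of interface settings collected from several devices, groups them by area and reports timer mismatches, a dead interval that does not follow the typical 4 x hello ratio, and interfaces still running with auth set to none or password. The inventory layout, device names and values are constructed.

```python
"""Cross-device audit of OSPF interface timers and authentication.

Added example, not code from the Nortel manual or the product.  The manual's
NOTE states that hello, dead, trans and retra must match on every OSPF device
in an area; this checker groups an inventory by area and reports any timer
that differs, plus two further findings a reviewer would raise: a dead
interval that is not four times hello (the manual's typical ratio) and an
interface whose auth is none or password rather than md5.  The inventory
layout and all device names and values below are constructed.
"""
from collections import defaultdict

TIMERS = ("hello", "dead", "trans", "retra")

# Constructed sample inventory: one entry per (device, interface) in an OSPF area.
SAMPLE_INVENTORY = [
    {"device": "fw-a",   "iface": "if1",    "area": "0.0.0.0", "hello": 10, "dead": 40, "trans": 1, "retra": 5, "auth": "md5"},
    {"device": "fw-b",   "iface": "if1",    "area": "0.0.0.0", "hello": 10, "dead": 40, "trans": 1, "retra": 5, "auth": "md5"},
    {"device": "core-1", "iface": "vlan10", "area": "0.0.0.0", "hello": 10, "dead": 30, "trans": 1, "retra": 5, "auth": "password"},
    {"device": "core-2", "iface": "vlan20", "area": "0.0.0.1", "hello": 5,  "dead": 20, "trans": 1, "retra": 5, "auth": "none"},
]


def audit(inventory):
    """Return a list of finding strings; an empty list means the area settings agree."""
    findings = []
    by_area = defaultdict(list)
    for entry in inventory:
        by_area[entry["area"]].append(entry)

    for area, entries in sorted(by_area.items()):
        # Rule from the manual's NOTE: each timer must be identical across the area.
        for timer in TIMERS:
            if len({e[timer] for e in entries}) > 1:
                seen = ", ".join(f"{e['device']}/{e['iface']}={e[timer]}" for e in entries)
                findings.append(f"area {area}: {timer} differs across devices ({seen})")
        for e in entries:
            tag = f"{e['device']}/{e['iface']}"
            # The manual describes dead as typically four times hello (10 s / 40 s defaults).
            if e["dead"] != 4 * e["hello"]:
                findings.append(f"area {area}: {tag} dead={e['dead']} is not 4 x hello={e['hello']}")
            # none sends no authentication and password sends the key in clear text;
            # only md5 gives a keyed integrity check on each OSPF packet.
            if e["auth"] != "md5":
                findings.append(f"area {area}: {tag} uses auth {e['auth']} instead of md5")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

On the constructed inventory the audit returns four findings: the dead interval differs within area 0.0.0.0, core-1 has dead set to 30 rather than 40 and uses password authentication, and core-2 in area 0.0.0.1 runs without authentication. The two firewall entries alone produce no findings.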


/cfg/net/ospf/gre OSPF GRE Tunnel 1 Menu

[OSPF GRE Tunnel 1 Menu]
aindex - Set area index
prio   - Set interface router priority
cost1  - Set Cost for first 5100
cost2  - Set Cost for second 5100
hello  - Set hello interval in seconds
dead   - Set dead interval in seconds
trans  - Set transmit delay in seconds
retra  - Set retransmit delay in seconds
auth   - Set authentication type
key    - Set password authentication key
md5key - Set MD5 authentication key
ena    - Enable interface
dis    - Disable interface

The OSPF GRE tunnel menu is used to attach the GRE tunnel interface to the OSPF areas. For more information on using OSPF, see Chapter 4, “Open Shortest Path First”.

NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using incompatible values could keep adjacencies from forming and may stop or loop routing updates.

The OSPF GRE Tunnel Menu has the following items:

Table 11-59 OSPF GRE Tunnel Interface Menu Options (/cfg/net/ospf/gre)
Command Syntax and Usage

aindex

This command sets the OSPF area index to attach to the network for the current IP interface.

prio

This command sets the IP interface (IF) priority that is used when electing a Designated Router (DR) and Backup Designated Router (BDR) for the area. The default is 1 (lowest priority). A value of 0 specifies that the elected interface is DROTHER and cannot be used as a DR or BDR.


Table 11-59 OSPF GRE Tunnel Interface Menu Options (/cfg/net/ospf/gre) (Continued)
Command Syntax and Usage

cost1

This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates high bandwidth. The default is 10.

cost2

This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates high bandwidth. The default is 10.

hello

This command sets the hello interval in seconds. The firewall holding the MIP sends hello messages to inform neighbors that the link is up. The default is 10 seconds. This value must be the same on all routing devices within the area.

dead

This command sets the router dead interval, in seconds. If the firewall holding the MIP does not receive a hello on the IP interface within the dead interval, the firewall holding the MIP will declare the interface to be down. Typically, the dead value is four times the value of hello. The default is 40 seconds. This value must be the same on all routing devices within the area.

trans

This command sets the transmit delay, in seconds. This is the estimated time required to transmit an LSA to adjacencies on this interface, taking into account transmission and propagation delays. The default is 1 second. This value must be the same on all routing devices within the area.

retra

This command sets the time interval, in seconds, between each transmission of LSAs to adjacencies on this interface. The default value is five seconds. This value must be the same on all routing devices within the area.


Table 11-59 OSPF GRE Tunnel Interface Menu Options (/cfg/net/ospf/gre) (Continued)
Command Syntax and Usage

auth none|password|md5

This command sets the authentication type for this interface:
- none turns off OSPF authentication.
- password turns on plain text password authentication. The password is set using the key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is defined using the md5key option.
OSPF allows packet authentication and uses IP multicast when sending and receiving packets. This ensures less processing on routing devices that are not listening to OSPF packets.

key

This option is used with the OSPF auth option. When the auth option is set to password, the key option sets the password to be used for OSPF authentication on this IP interface. Specify a plain text password of up to eight characters. To clear the key, specify none as the value.

md5key

This option is used to define a password for OSPF authentication on this IP interface. Assigned passwords are ignored until MD5 authentication is enabled in the auth option.

ena

This command enables this interface.

dis

This command disables this interface.
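The auth, key and md5key options in Tables 11-58 and 11-59 select between no authentication, a plain text password carried in every OSPF packet, and MD5 authentication. What the md5 setting actually puts on the wire is the cryptographic authentication of RFC 2328 Appendix D: a keyed MD5 digest over the packet and the key, appended after the packet, together with a sequence number that lets a receiver reject replayed packets. The following Python code is an added example, not code from the Nortel manual or the product; it builds and verifies such packets so that both the integrity check and the sequence check can be seen. The packet body, router ID, area ID, key ID and key bytes are constructed sample values.

```python
"""OSPFv2 cryptographic (MD5) authentication as defined in RFC 2328 Appendix D.

Added example, not code from the Nortel manual or the product; it shows what
the auth md5 / md5key options put on the wire.  The packet body, router and
area IDs, key ID and key bytes below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
HEADER_FMT = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, AuType, authentication
HEADER_LEN = 24
AUTYPE_CRYPTO = 2            # AuType 2 = cryptographic authentication (RFC 2328 D.3)
DIGEST_LEN = 16              # MD5 digest length, also the fixed key length


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: keys shorter than 16 bytes are zero-padded on the right."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Build an OSPF packet with AuType 2 and append the MD5 digest.

    With cryptographic authentication the checksum field stays zero and the
    8-byte authentication field carries two reserved bytes, the key ID, the
    digest length and a 32-bit cryptographic sequence number.  The digest is
    MD5(packet || padded key), appended after the packet; the packet length
    field does not include it.
    """
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, ptype, HEADER_LEN + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTO, auth_field)
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_packet(data, keys, last_seq=None):
    """Check a received packet against a key table {key_id: key}.

    Returns (accepted, reason).  last_seq is the sequence number of the last
    packet accepted from this neighbour, or None for the first one.
    """
    if len(data) < HEADER_LEN + DIGEST_LEN:
        return False, "packet too short"
    version, _ptype, length, _rid, _aid, _csum, au_type, auth_field = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version != OSPF_VERSION or au_type != AUTYPE_CRYPTO:
        return False, "not an OSPFv2 packet with cryptographic authentication"
    if length + DIGEST_LEN != len(data):
        return False, "length field does not match packet plus digest"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth_field)
    if auth_len != DIGEST_LEN:
        return False, "unexpected authentication data length"
    key = keys.get(key_id)
    if key is None:
        return False, f"no key configured for key ID {key_id}"
    packet, digest = data[:length], data[length:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return False, "digest mismatch (wrong key or modified packet)"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (possible replay)"
    return True, "ok"


# Constructed sample values (not from the manual).
SAMPLE_KEYS = {1: b"example-md5-key"}
SAMPLE_BODY = b"\xff\xff\xff\x00" + b"\x00" * 16  # stand-in for a Hello body


def demo():
    """Sign a packet, then show it verifying and a tampered copy failing."""
    pkt = sign_packet(1, "10.0.1.1", "0.0.0.0", SAMPLE_BODY, 1, SAMPLE_KEYS[1], 100)
    good = verify_packet(pkt, SAMPLE_KEYS, last_seq=99)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN] ^= 0x01  # flip one bit of the body
    bad = verify_packet(bytes(tampered), SAMPLE_KEYS, last_seq=99)
    return good, bad
```

Two points for operators follow directly from the code. The key never leaves the device: only the digest is transmitted, so a capture does not reveal it, whereas the password type carries the key in clear text in every packet. And the sequence number only protects against replay if the receiver remembers the last accepted value per neighbour, which is why the check is stateful.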


/cfg/net/ospf/redist Route Redistribution Menu

[Route Redistribution Menu]
connected - Connected Route Redistribution Menu
static    - Static Route Redistribution Menu
defaultgw - Default Gateway Redistribution Menu

The Route Redistribution Menu is used to redistribute static and default gateway routes via OSPF. If the routes are learned from a certain routing protocol, you have to enable that protocol for those routes to be redistributed into the network.

Table 11-60 Route Redistribution Menu (/cfg/net/ospf/redist)
Command Syntax and Usage

connected

The Connected Route Redistribution Menu is used for advertising connected routes via OSPF. See page 311 for menu items.

static

The Static Route Redistribution Menu is used for advertising static routes via OSPF. See page 312 for menu items.

defaultgw

The Default Gateway Redistribution Menu is used for advertising default gateway routes via OSPF. See page 313 for menu items.


/cfg/net/ospf/redist/connected OSPF Connected Route Redistribution Menu

[OSPF Connected Route Redistribution Menu]
metric - Set Metric assigned to connected routes
rmap   - Set OSPF Connected Redistribute RMAP Number
ena    - Enable redistribution of connected routes
dis    - Disable redistribution of connected routes

The OSPF Connected Route Redistribution Menu is used to redistribute connected routes into OSPF.

Table 11-61 OSPF Connected Route Redistribution Menu (/cfg/net/ospf/redist/connected)
Command Syntax and Usage

metric

Sets the metric of advertised connected routes. The metric cost range is 1 to 16777214 (0 = none) and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10. The metric type is t1 or t2 (Type 1 or Type 2). OSPF Type 1 is defined in the same units as OSPF interface cost (that is, in terms of the link state metric). OSPF Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS. This configuration parameter can be used to have an OSPF domain prefer Type 1 routes over Type 2. OSPF Type 1 is the default.

rmap

This command allows you to specify the route map number.

ena

Enables advertising of connected routes.

dis

Disables advertising of connected routes.


/cfg/net/ospf/redist/static OSPF Static Route Redistribution Menu

[OSPF Static Route Redistribution Menu]
metric - Set Metric assigned to connected routes
rmap   - Set OSPF Static Redistribute RMAP Number
ena    - Enable redistribution of connected routes
dis    - Disable redistribution of connected routes

The OSPF Static Route Redistribution Menu is used to redistribute static routes into OSPF.

Table 11-62 OSPF Static Route Redistribution Menu (/cfg/net/ospf/redist/static)
Command Syntax and Usage

metric

Sets the metric of advertised static routes. The metric cost range is 1 to 16777214 (0 = none) and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10. The metric type is t1 or t2 (Type 1 or Type 2).

OSPF Type 1 is defined in the same units as OSPF interface cost (that is, in terms of the link state metric). OSPF Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS. This configuration parameter can be used to have an OSPF domain prefer Type 1 routes over Type 2. OSPF Type 1 is the default.

rmap

This command allows you to specify the route map number.

ena

Enables advertising of static routes.

dis

Disables advertising of static routes.


/cfg/net/ospf/redist/defaultgw OSPF Default Gateway Route Redistribution Menu

[OSPF Default Gateway Route Redistribution Menu]
metric - Set Metric assigned to connected routes
ena    - Enable redistribution of connected routes
dis    - Disable redistribution of connected routes

The OSPF Default Gateway Route Redistribution Menu is used to redistribute default gateway routes into OSPF.

Table 11-63 OSPF Default Gateway Route Redistribution Menu (/cfg/net/ospf/redist/defaultgw)
Command Syntax and Usage

metric

Sets the metric of advertised default gateway routes. The metric cost range is 1 to 16777214 (0 = none) and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 10.

OSPF Type 1 is defined in the same units as OSPF interface cost (that is, in terms of the link state metric). OSPF Type 2 external metrics are an order of magnitude larger; any Type 2 metric is considered greater than the cost of any path internal to the AS. This configuration parameter can be used to have an OSPF domain prefer Type 1 routes over Type 2. OSPF Type 1 is the default.

ena

Enables advertising of default gateway routes.

dis

Disables advertising of default gateway routes.
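Tables 11-61 through 11-63 all describe the same metric type choice: a Type 1 metric is comparable with interface costs, while any Type 2 metric counts as larger than any path inside the AS. The following Python code is an added example, not code from the Nortel manual or the product; it applies the OSPF external path preference rule (RFC 2328 section 16.4) to a set of candidate routes for one prefix, so the effect of choosing t1 or t2 when redistributing a route can be worked through. The ASBR names and costs are constructed.

```python
"""OSPF external route preference for Type 1 versus Type 2 metrics.

Added example, not code from the Nortel manual.  It applies the selection
rule the redistribution tables describe (and RFC 2328 section 16.4):
Type 1 external routes are preferred over Type 2; a Type 1 cost is the
advertised metric plus the intra-AS cost to the advertising ASBR, while a
Type 2 cost is the advertised metric alone, with the cost to the ASBR used
only as a tie-breaker.  ASBR names and costs below are constructed.
"""
from dataclasses import dataclass

METRIC_MIN, METRIC_MAX = 1, 16777214  # range given by the manual's metric option


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str     # destination advertised by the ASBR
    asbr: str       # name of the advertising ASBR (constructed)
    metric: int     # advertised external metric
    mtype: int      # 1 = OSPF Type 1 (E1), 2 = OSPF Type 2 (E2)
    asbr_cost: int  # intra-AS path cost from this router to the ASBR


def total_cost(route):
    """Cost as the SPF comparison sees it for this metric type."""
    if route.mtype == 1:
        return route.metric + route.asbr_cost  # same units as interface cost
    return route.metric                        # Type 2: internal cost not added


def preference_key(route):
    """Sort key, lower is better: Type 1 before Type 2, then the type-specific
    cost, then the cost to the ASBR (only decides ties between Type 2 routes)."""
    return (route.mtype, total_cost(route), route.asbr_cost)


def is_valid(route):
    """Reject metric types the platform does not offer and metrics outside 1..16777214."""
    return route.mtype in (1, 2) and METRIC_MIN <= route.metric <= METRIC_MAX


def best_route(candidates):
    """Pick the preferred route for one prefix; None if nothing is valid."""
    valid = [c for c in candidates if is_valid(c)]
    return min(valid, key=preference_key) if valid else None


# Constructed candidates for the default route 0.0.0.0/0 (not from the manual).
VIA_A_E2 = ExternalRoute("0.0.0.0/0", "asbr-a", metric=10, mtype=2, asbr_cost=5)
VIA_B_E1 = ExternalRoute("0.0.0.0/0", "asbr-b", metric=10, mtype=1, asbr_cost=30)
VIA_C_E2 = ExternalRoute("0.0.0.0/0", "asbr-c", metric=10, mtype=2, asbr_cost=2)
VIA_D_E2 = ExternalRoute("0.0.0.0/0", "asbr-d", metric=5, mtype=2, asbr_cost=100)

if __name__ == "__main__":
    for label, cands in (("E2 vs E1", [VIA_A_E2, VIA_B_E1]),
                         ("equal E2 metrics", [VIA_A_E2, VIA_C_E2]),
                         ("different E2 metrics", [VIA_A_E2, VIA_D_E2])):
        print(label, "->", best_route(cands).asbr)
```

With these candidates the Type 1 route via asbr-b wins over the Type 2 route via asbr-a even though its total cost (40) is four times larger, which is the behaviour the tables describe when they say Type 1 can be used to make a domain prefer those routes. Between two Type 2 routes the advertised metric decides first (asbr-d with metric 5 beats asbr-a with 10 despite a far higher internal cost), and only an exact tie falls back to the nearer ASBR (asbr-c over asbr-a).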


/cfg/net/parp Proxy Arp Menu

[Proxy Arp Menu]
list   - Proxy ARP List Menu
enable - Set Proxy ARP enable/disable

The Proxy Arp Menu is used to configure IP addresses that the cluster will ARP for. The feature allows the Switched Firewall to respond to ARP requests intended for devices behind the firewall, including VLAN and VRRP interfaces.

Table 11-64 Proxy ARP Menu (/cfg/net/parp)
Command Syntax and Usage

list

This command opens the Proxy ARP List Menu, which allows you to add, delete and list IP addresses that the cluster ARPs for.

enable y|n

This command lets you enable (y) or disable (n) Proxy ARP for the cluster. Proxy ARP is disabled by default.


/cfg/net/parp/list Proxy Arp List Menu

[Proxy ARP List Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value

The Proxy ARP List Menu is used to add, delete, or list IP addresses which the cluster Proxy ARPs for.

Table 11-65 Proxy ARP List Menu (/cfg/net/parp/list)
Command Syntax and Usage

list

This command displays all Proxy ARP addresses in order by their index number.

del

This command lets you remove a Proxy ARP address by specifying its index number. Use the list command to display the Proxy ARP index numbers.

add

This command lets you add an address to the Proxy ARP list. Use dotted decimal notation to specify the address. The maximum number of addresses is 2,048; however, the recommended limit is 256. Typically the IP addresses are on the Untrusted Network(s). The group # indicates whether the entry is for a device on addr1 or addr2 (see “/cfg/net/if” on page 289). If you have a VRRP HA configuration, enter 1. If you have a VRRP AA configuration, enter 1 or 2 as appropriate. If you do not have a VRRP configuration, enter 1.

A typical Proxy ARP entry is a virtual IP address on the interface that faces the external network. Next, a route is required between the Proxy ARP address and the destination address (see “/cfg/net/parp” on page 314). Finally, you must open the Check Point SmartDashboard and enter Network Address Translation (NAT) rules and policies to allow the Firewall to Proxy ARP for incoming ARP requests.


/cfg/net/dhcprl DHCP Relay Menu

[DHCP Relay Menu]
if        - DHCP Relay Interface Menu
server    - DHCP Server Menu
ena       - Enable DHCP Relay
dis       - Disable DHCP Relay
clrlocsts - Clear local DHCP Relay stats

The DHCP Relay Menu is used to configure DHCP relay commands for NSF. The default value for DHCP Relay is disabled.

Table 11-66 DHCP Relay Menu (/cfg/net/dhcprl)
Command Syntax and Usage

if

This command is used to specify the interface to allow DHCP requests to enter the network. See page 317 for menu items.

server

This command is used to add the DHCP server information to the NSF configuration. See page 318 for menu items.

ena

Enables the use of DHCP relaying globally.

dis

Disables the use of DHCP relaying globally.

clrlocsts

This command clears DHCP statistics on the local Firewall Director.


/cfg/net/dhcprl/if DHCP Relay Interface Menu

[DHCP Relay Interface 1 Menu]
ena - Allow DHCP Relay on Interface
dis - Disable DHCP Relay on Interface

The DHCP Relay Interface Menu is used to configure DHCP Relay requests into the network. The default value for DHCP Relay Interface is disabled.

Table 11-67 DHCP Relay Interface Menu (/cfg/net/dhcprl/if)
Command Syntax and Usage

ena

This command allows DHCP clients to enter the network through this interface.

dis

This command does not allow DHCP clients to enter the network through this interface.


/cfg/net/dhcprl/server DHCP Server Menu

[DHCP Server 1 Menu]
addr  - Set DHCP Server IP address
vrrpg - Set Affinity to vrrp group for AA configuration
ena   - Enable DHCP Server
dis   - Disable DHCP Server
del   - Remove DHCP Server

The DHCP Server Menu is used to add DHCP server information to the NSF configuration. The DHCP server is disabled by default.

Table 11-68 DHCP Relay Server Menu (/cfg/net/dhcprl/server)
Command Syntax and Usage

addr

This command adds a DHCP server to the system configuration. The DHCP server added here will supply clients entering the network with an IP address and a default gateway. When the DHCP server receives the IP address request from the client, the DHCP server will look up the client’s source network to identify a valid range of IP addresses. The default value is set to 0.0.0.0.

vrrpg

This command allows you to specify the group (VRID#) that you want the DHCP server affiliated with. To see a list of configured VRIDs, enter the /info/net/if command.

ena

This command enables the use of this DHCP server.

dis

This command disables the use of this DHCP server.

del

This command removes this DHCP server from being used by Nortel Switched Firewall.


/cfg/lic Firewall License Menu

[Firewall License Menu]
list     - List detailed status of current IPs and Licenses
del      - Delete firewall license
add      - Add firewall license
pastelic - Paste firewall license

The Firewall License Menu is used for pre-configuring Check Point licenses for the Firewall.

Table 11-69 Firewall License Menu (/cfg/lic)
Command Syntax and Usage

list

This command is used to list the IP addresses and Check Point licenses currently in the Plug N Play resource pool. Listed data includes the expiration dates of the licenses. Licenses configured using the Check Point central licensing mechanism will not be listed using this command.

del

This command is used to remove an IP address and/or Check Point license from the Plug N Play resource pool. You will be prompted to enter the IP address you wish to have removed from the pool. Only unused resources can be deleted.

add

This command is used to add a Check Point license. You will be prompted to enter Check Point license information.

NOTE – The add command is for adding a license that is bound to the IP address of the Firewall.

pastelic

This command is used to paste the entire license string. First, you will be prompted to select the firewall and then asked to paste the license string. See “Installing Firewall License” on page 43 on using this command.


/cfg/fw Firewall Configuration Menu

[Firewall Configuration Menu]
ena      - Enable Firewall
dis      - Disable Firewall
sic      - Reset Check Point SIC.
sync     - Sync Configuration Menu
client   - SMART Clients
smart    - Smart Update Configuration Menu
secureid - Download secure-id configuration file from an FTP server

The Firewall Configuration Menu is used to enable the firewall or reset the Check Point Secure Internal Communications (SIC).

Table 11-70 Firewall Configuration Menu (/cfg/fw)
Command Syntax and Usage

ena

Enable the Check Point FireWall-1 NG processing on all healthy firewalls.

dis

Disable the Check Point FireWall-1 NG processing on the firewall and mark the firewall as down. The Check Point SmartCenter Server cannot be used to manage firewall policies in the disabled state. However, the current firewall policies are maintained.

NOTE – When /cfg/fw/dis is entered, remote access to the Firewall CLI or the BBI is lost. Be sure to use this command only when you are accessing the Firewall CLI at the local console.

sic

This command is used to reset the Check Point Secure Internal Communication (SIC) state for a specific firewall. You will be prompted to enter the IP address of the target firewall in dotted decimal notation.

sync

The Sync Configuration Menu is used to enable/disable session state synchronization between clustered Firewalls in a redundant configuration. See page 322 for menu items.


Table 11-70 Firewall Configuration Menu (/cfg/fw) (Continued)
Command Syntax and Usage

client

The SMART Clients Menu allows you to edit the list of SMART Clients that can access the Firewall when the SmartCenter Server is enabled on the Firewall. See page 323 for menu items.

smart

The SmartUpdate Configuration Menu is used to enable/disable Check Point software updating using the SmartUpdate utility. See page 324 for menu items.

secureid

This command allows you to download the secure-id configuration file from an FTP server. You are prompted for the FTP server address, remote directory, username, and password.


/cfg/fw/sync Sync Configuration Menu

[Sync Configuration Menu]
ena - Enable Sync
dis - Disable Sync

The Sync Configuration Menu is used to enable/disable session state synchronization for clustered Firewalls in a redundant configuration. This allows for a stateful failover to the backup Nortel Firewall when the active Nortel Firewall fails.

NOTE – You should turn off synchronization for services that don't benefit much from it, such as HTTP.

Table 11-71 Sync Configuration Menu (/cfg/fw/sync)
Command Syntax and Usage

ena

This command enables session state synchronization in a redundant configuration. For synchronization to work, there must be a redundant Switched Firewall in the cluster that is properly configured (see the “VRRP Interface Menu” on page 291 and the “VRRP Settings Menu” on page 296). For instructions on how to test the synchronization network, see the /maint/diag/fw/sync command on page 329. You must also update the firewall interface information for state synchronization at the Check Point SmartDashboard (see “Configuring Check Point Software for Active-Standby” on page 113).

dis

This command disables session state synchronization in a redundant configuration.


/cfg/fw/client SMART Clients Menu

[SMART Clients Menu]
list   - List all values
del    - Delete a value by number
add    - Add a new value
insert - Insert a new value
move   - Move a value by number

The SMART Clients Menu allows you to specify SMART Clients by IP address that may manage the Firewall, when the SmartCenter Server is enabled on the management port.

Table 11-72 SMART Clients Menu (/cfg/fw/client)
Command Syntax and Usage

list

Displays the list of SMART Clients with access to the Nortel Switched Firewall management server.

del

Allows you to delete a specified member from the SMART Clients list.

add

Allows you to add a member to the SMART Clients list. New members are appended to the end of the list.

insert

Allows you to insert a new member at the specified point in the SMART Clients list.

move

Allows you to change the order of members in the SMART Clients list. This option is for display purposes only. The order of the list has no impact on SMART Client access.


/cfg/fw/smart  SmartUpdate Configuration Menu
[SmartUpdate Configuration Menu]
  ena - Enable Smart Update Mode
  dis - Disable Smart Update Mode

The SmartUpdate Configuration Menu is used to enable or disable support for Check Point software updating using the SmartUpdate utility. SmartUpdate is an optional module for VPN-1/FireWall-1 that automatically distributes software applications and updates for Check Point and OPSEC Certified products (such as the Nortel Firewall). You can also use SmartUpdate to manage product licenses.

Table 11-73 SmartUpdate Configuration Menu (/cfg/fw/smart) Command Syntax and Usage

ena
  Enables support for SmartUpdate on the Switched Firewall.

dis
  Disables support for SmartUpdate on the Switched Firewall.

/cfg/misc  Miscellaneous Settings Menu
[Miscellaneous Settings Menu]
  warn - Enable warnings when configuration is applied

The Miscellaneous Settings Menu is used to turn configuration warning messages on or off.

Table 11-74 Miscellaneous Settings Menu (/cfg/misc) Command Syntax and Usage

warn y|n
  This command turns warning messages on or off. When enabled (the default), applicable warnings are displayed whenever the global apply command is issued and problems are found in the pending configuration changes. Warnings do not cause the apply command to fail, but they are helpful for catching configuration issues before the changes take effect.


/boot  Boot Menu
[Boot Menu]
  software - Software Management Menu
  halt     - Halt the iSD
  reboot   - Reboot the iSD
  delete   - Delete the iSD

The Boot Menu is used for upgrading Nortel Switched Firewall software and for rebooting, if necessary. The Boot Menu is only accessible using an administrator login.

Table 11-75 Boot Menu (/boot) Command Syntax and Usage

software
  The Software Management Menu is used to load, activate, or remove Nortel Switched Firewall software upgrade packages. See page 326 for menu items.

halt
  After confirmation, this command stops the firewall to which you have connected via Telnet, SSH, or a console terminal. If using Telnet or SSH, use this command only when you have connected to a particular firewall’s individually assigned IP address.
  WARNING! – If you do not enter the halt command before powering off the Firewall, all configuration may be lost and the firewall will be reset to factory default settings.

reboot
  After confirmation, this command reboots the particular firewall to which you have connected via Telnet, SSH, or a console terminal. When using Telnet or SSH, use this command only when you have connected to a particular firewall’s individually assigned IP address.

delete
  After confirmation, this command resets the firewall to its factory default configuration. If you are using Telnet or SSH, use this command only when you are connected to the firewall’s host IP address. Once you have reset the firewall to factory defaults, you can access the device only through a console terminal attached directly to the local serial port. You can then log in using the administration account (admin) and the default password (admin) to access the initial Setup utility. Change that default password as soon as Setup completes; until it is changed, anyone with console access can administer the device.


/boot/software  Software Management Menu
[Software Management Menu]
  cur      - Display current software status
  activate - Select software version to run
  download - Download a new software package via TFTP/FTP/SCP/SFTP
  cdrom    - Get a new software package via CD-ROM
  del      - Remove downloaded (unpacked) releases
  patch    - Software Patches Menu

The Software Management Menu is used to load, activate, or remove Nortel Switched Firewall software upgrade packages.

Table 11-76 Software Management Menu (/boot/software) Command Syntax and Usage

cur
  This command displays the software status of the particular firewall to which your current Telnet, SSH, or console terminal session is connected.

activate
  This command activates a downloaded and unpacked Nortel Switched Firewall software upgrade package. The unpacked software package is labeled as permanent. If serious problems occur while running the new software version, you can revert to the previous version by activating the software version labeled as old.
  NOTE – You will be logged out after confirming the activate command.

download
  This command lets you download a Nortel Switched Firewall software upgrade package from a TFTP, FTP, SCP, or SFTP server. When prompted, select the transfer protocol, provide the host name or IP address of the server, and enter the file name of the software upgrade package. TFTP and FTP carry the package in cleartext with no server authentication; prefer SCP or SFTP where the server supports them.

cdrom
  This command lets you load a Nortel Switched Firewall software upgrade package from the CD-ROM drive.


Table 11-76 Software Management Menu (/boot/software) (Continued) Command Syntax and Usage

del
  After confirmation, this command lets you remove a software upgrade package that has been downloaded using the download command. This command deletes the most recently downloaded software upgrade package.

patch
  The Software Patches Menu is used to install minor, corrective software elements (.rpm files) on the Nortel Switched Firewall. See page 327 for menu items.

/boot/software/patch  Software Patches Menu
[Software Patches Menu]
  cur       - Display current software patches installed
  install   - Download software patch from FTP server
  uninstall - Remove software upgrade package

The Software Patches Menu is used to install or remove small Nortel Switched Firewall software patches (rpm files).

Table 11-77 Software Patches Menu (/boot/software/patch) Command Syntax and Usage

cur
  This command lists the names of the NSF software patches currently installed.

install
  This command lets you download a Nortel Switched Firewall software patch (rpm file) from an FTP server. When prompted, enter the host name or IP address of the FTP server, and then enter the file name of the software patch.

uninstall
  After confirmation, this command lets you remove a software patch that has been installed using the install command.


/maint  Maintenance Menu
[Maintenance Menu]
  fw        - Firewall Maintenance Menu
  tsdump    - Tech Support Dump Menu
  backup    - Backup and Restore system configuration
  chkcfg    - Check applied configuration
  ospf      - OSPF Debug Menu
  cplog     - Check Point Logs
  emc       - EMC Server's admin password change
  logdetail - Obtain extensive detail about the log/error code dumped

The Maintenance Menu is used for administering OSPF logs and technical support dumps, loading Firewall policies, and testing the synchronization network between hosts in a cluster. Diagnostic logs or statistics should only be collected at the request of Nortel Networks technical support.

Table 11-78 Maintenance Menu (/maint) Command Syntax and Usage

fw
  The Firewall Maintenance Menu allows you to load and unload Check Point policy. For details see page 329.

tsdump
  The Technical Support Menu provides options for creating dump files with configuration or log information. For details see page 331.

backup
  This command allows you to back up your configuration locally, remotely, or to a USB device. See page 332 for menu items.

chkcfg
  This command allows you to verify the applied configuration.

ospf
  The OSPF Debug Menu provides options for logging OSPF events. See page 333 for menu items.


Table 11-78 Maintenance Menu (/maint) (Continued) Command Syntax and Usage

cplog
  This command provides a .tgz file of the Check Point logs.

emc
  This command allows you to modify the password for the SmartCenter Server. This command works only if you enabled the CP SmartCenter Server on the firewall during the initial configuration. For more information, see Step 12 on page 41.

logdetail
  This command allows you to get more details on a log message.

/maint/fw  Firewall Maintenance Menu
[Firewall Maintenance Menu]
  sync       - Test sync network
  ldplcy     - Load Check Point Policy
  unldplcy   - Unload Check Point Policy
  clearlog   - Clear firewall logs
  peakconnec - Peak connections
  policy     - Firewall policy
  status     - Firewall status

Table 11-79 Firewall Maintenance Menu (/maint/fw) Command Syntax and Usage

sync
  This command tests the session state synchronization network for redundant Firewalls in a cluster. Session state synchronization allows stateful failover in the event that the active unit fails and the backup takes over. The VRRP features and the virtual router must be configured before you can test the synchronization network (see the “VRRP Interface Menu” on page 291 and the “VRRP Settings Menu” on page 296).

ldplcy
  This command loads the firewall policies that were previously downloaded from the Check Point SmartDashboard. If no policies were previously downloaded, the default firewall policy, i.e., no access, is applied.


Table 11-79 Firewall Maintenance Menu (/maint/fw) (Continued) Command Syntax and Usage

unldplcy
  This command unloads the current firewall policies.
  NOTE – Unloading the firewall policies allows all traffic to pass through the Nortel Firewall unfiltered; the device fails open, not closed, until a policy is loaded again. Remember to push your firewall policies from the Check Point SmartDashboard after you have re-established trust.

clearlog
  This command clears all firewall log files.

peakconnec
  This command displays the Check Point connection table statistics for all firewalls in the cluster.

policy
  This command lists all the Check Point policies currently installed on the firewall.

status
  This command displays the firewall status, such as policy and traffic information.


/maint/tsdump  Tech Support Dump Menu
[Tech Support Menu]
  dump     - Create a tech support dump
  ftp      - FTP tech support dump to an FTP server
  scp      - SCP tech support dump to SCP server
  sftp     - SFTP tech support dump to SFTP server
  floppy   - Copy Tech Support Dump to Floppy
  usbstick - Copy Tech Support Dump to USB memory stick
  cur      - Current Tech Support Information

The Tech Support Dump Menu is for creating tech support dumps that you can copy to a floppy disk or load on an FTP server.

Table 11-80 Tech Support Dump Menu (/maint/tsdump) Command Syntax and Usage

dump
  Dumps the current configuration (no logs) to the default file tsdump.tgz. The size of the file is typically small enough to fit on a floppy disk.
  NOTE – The previous contents of the file are overwritten each time you use this command.

ftp [] []
  Loads the dump file tsdump.tgz onto the specified FTP server in the specified directory. You must enter the username and password previously set up on the FTP server.

scp
  This command performs a secure file transfer of the .tgz file using SCP.

sftp
  This command performs a secure file transfer of the .tgz file using the SFTP protocol.

floppy
  Copies the dump file tsdump.tgz to the floppy disk drive after prompting you to place a floppy disk in the drive.

usbstick
  This command copies the dump file (.tgz) to the USB memory stick.

cur
  Displays the dump file’s file system data, that is, file name, creation date, and size.


/maint/backup  Backup Menu
[Backup Menu]
  local    - Backup the system configuration to local folder
  remote   - Backup the system configuration to ftp/tftp/scp/sftp server
  usbstick - Backup the system configuration to a USB memory stick

The Backup Menu allows you to back up the firewall configuration and restore it later to the same state. The backup and restore feature is for a single firewall, not the cluster. To back up an entire cluster, you must log in to each firewall and create backups separately. You cannot create a backup from one member of the cluster and use it to restore another member. A backup taken from a firewall can be used only to restore that same firewall or a replacement for that firewall. For more information on how to back up the firewall configuration, see “Backing Up a Configuration” on page 346.

Table 11-81 Backup Menu (/maint/backup) Command Syntax and Usage

local
  This command prompts you to back up the configuration locally.

remote
  This command prompts you to back up the configuration to a remote server.

usbstick
  This command prompts you to back up the configuration to the USB memory stick.


/maint/ospf  OSPF Debug Menu
[OSPF Debug Menu]
  events  - Set log OSPF generic events
  ism     - Set log OSPF ISM events
  lsa     - Set log OSPF LSA events
  nsm     - Set log OSPF NSM events
  packets - Set log OSPF packets
  msgs    - View last 100 debug messages

The OSPF Debug Menu is for administering the log of OSPF events. By enabling generic OSPF events or specific (ism, lsa, nsm, packets) OSPF events, you can create a log of OSPF event messages that provides a useful picture of OSPF activity. Below are typical OSPF event messages:

  2003/04/18 19:20:51 OSPF: LSA[Refresh]:ospf_lsa_refresh_walker(): start
  2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): next index 236
  2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): refresh index 235
  2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): end

Table 11-82 OSPF Debug Menu (/maint/ospf) Command and Usage

events n|y
  Disables (n) or enables (y) logging of generic OSPF events.

ism n|y
  Disables (n) or enables (y) logging of interface state machine (ism) events.

lsa n|y
  Disables (n) or enables (y) logging of link state advertisement (lsa) events.

nsm n|y
  Disables (n) or enables (y) logging of neighbor state machine (nsm) events.

packets n|y
  Disables (n) or enables (y) logging of OSPF packets.

msgs
  Displays the last 100 messages from the log file.
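The debug lines above have a fixed shape: date, time, the OSPF tag, a category with an optional bracketed subcategory, the emitting function, and the event text. The following parser is added here as an example; it is not part of the Nortel software or of this manual. It turns such lines into records and pairs each ospf_lsa_refresh_walker() "start" with its "end", so that a run cut short (a truncated msgs window, or a walker that never finished) stands out. The four sample lines are copied from the manual; the record fields, the index extraction and the run-pairing helper are this example's own, and any line that does not follow that layout is simply skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four lines shown in the manual, copied verbatim (note the missing space after
# "LSA[Refresh]:" in the first one; the parser tolerates both spellings).
SAMPLE_OSPF_LOG = """\
2003/04/18 19:20:51 OSPF: LSA[Refresh]:ospf_lsa_refresh_walker(): start
2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): next index 236
2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): refresh index 235
2003/04/18 19:20:51 OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): end
"""

# date time OSPF: CATEGORY[Subcategory]: function(): event text
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) OSPF: "
    r"(?P<category>[A-Z]+)(?:\[(?P<sub>[^\]]*)\])?:\s*"
    r"(?P<func>[A-Za-z_]\w*\(\)):\s*(?P<event>.*)$"
)


@dataclass
class OspfDebugEvent:
    timestamp: str
    category: str               # e.g. "LSA"
    subcategory: Optional[str]  # e.g. "Refresh"
    func: str                   # emitting function, e.g. "ospf_lsa_refresh_walker()"
    event: str                  # free text after the function name
    index: Optional[int]        # trailing "index N" if present


def parse_line(line: str) -> Optional[OspfDebugEvent]:
    """Return a record for a line in the layout above, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.group("event")
    idx = re.search(r"\bindex (\d+)$", event)
    return OspfDebugEvent(
        timestamp=f"{m.group('date')} {m.group('time')}",
        category=m.group("category"),
        subcategory=m.group("sub"),
        func=m.group("func"),
        event=event,
        index=int(idx.group(1)) if idx else None,
    )


def parse_log(text: str) -> List[OspfDebugEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def refresh_walker_runs(events: List[OspfDebugEvent]) -> List[Dict[str, object]]:
    """Pair each ospf_lsa_refresh_walker() 'start' with its 'end' and collect the LSA
    indices touched in between. A run left with complete=False means the log ended
    (or was truncated) before the walker reported 'end'."""
    runs: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for ev in events:
        if ev.func != "ospf_lsa_refresh_walker()":
            continue
        if ev.event == "start":
            current = {"started": ev.timestamp, "indices": [], "complete": False}
            runs.append(current)
        elif current is None:
            continue  # 'end' or an index line without a preceding 'start'
        elif ev.event == "end":
            current["complete"] = True
            current = None
        elif ev.index is not None:
            current["indices"].append(ev.index)
    return runs


if __name__ == "__main__":
    for run in refresh_walker_runs(parse_log(SAMPLE_OSPF_LOG)):
        print(run)
```

Feed the output of msgs to parse_log to get the same records; because msgs only shows the last 100 messages, an incomplete final run is expected when the walker was still in progress, whereas an incomplete run in the middle of a longer capture is worth a closer look.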


Part 3: Appendices

- Appendix A, “Event Logging API”
- Appendix B, “Backing Up and Cloning Configurations”
- Appendix C, “Common Tasks”
- Appendix D, “Troubleshooting”
- Appendix E, “Software Licenses”


APPENDIX A

Event Logging API

The Nortel Switched Firewall Event Logging API (ELA) is an OPSEC application that allows system log messages to be sent to a Check Point management station for display through the Check Point SmartView Tracker. Log messages are transported to the Check Point SmartCenter Server through a secure, encrypted channel. For information on configuring and administering OPSEC applications in Check Point, refer to your complete Check Point FireWall-1 NG documentation.

ELA configuration requires steps at both the Check Point SmartCenter Server and at the Nortel Switched Firewall. For each Firewall, you must create a new OPSEC application at the Check Point SmartCenter Server and initialize Secure Internal Communication (SIC). For each Firewall, the certificate associated with the SIC must be pulled to the Firewall before ELA will operate. This appendix details the steps required to use ELA.


Configure the Check Point SmartCenter Server

Open the Check Point SmartDashboard to create an ELA OPSEC application for the Firewall.

1. Create a new OPSEC application.
   In the tabbed menu on the left, click on the OPSEC Applications tab and choose New OPSEC Application.


2. Initialize the OPSEC application by filling in the following fields:
   - The Name field should be given an appropriate identifier. You will need to use this name when pulling the certificate to the Firewall.
   - The Host field should refer to the Nortel Switched Firewall.
   - The Vendor should be “User defined.”
   - “ELA” should be checked in the Client Entries box.
   - Secure Internal Communication needs to be initialized (see the next step).


3. Initialize Secure Internal Communication (SIC).
   Click on the Communication... button and enter an Activation Key in the box provided. You will need to use this Activation Key later when pulling the certificate to the Firewall.

   NOTE – When initialized, the trust state will be displayed as “Initialized but trust not established.” This is normal and will not change even after an SIC certificate is pulled from the Check Point SmartCenter Server (see Step 5 on page 343).

4. Install the policy to the Firewall.
   From the menu bar, select Policy | Install. When the Install Policy window appears, select the object and click on the OK button.


NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear. See your Check Point documentation to determine whether antispoofing is necessary for your firewall. Click on the OK button to initiate installing the rulebase.

Close the Install Policy window when the process is complete.


Configure the Firewall

Configuration of the Firewall is performed through the CLI or the BBI. The following steps use the BBI method. For configuring ELA using the CLI, see “ELA Logging Menu” on page 276.

1. Log on to the BBI using the host IP address.

2. Select the Cluster / ELA form and define the general settings.
   Set the following items:
   - Set Status to “enabled.”
   - Set Management Station IP to the IP address of the Check Point management station, in dotted decimal notation.
   - Set Minimum Severity if a different level is desired. All messages at the specified level of severity or higher will be logged to ELA.
   - Set the Server Distinguished Name (see Step 3 on the next page to find out how to determine it).


3. In the Check Point SmartDashboard, get the Distinguished Name of the server.
   In the Check Point SmartDashboard, access the properties of the SmartCenter Server by double-clicking on its displayed icon. The distinguished name (DN) is found in the Secure Internal Communication area. Be sure to set the Server Distinguished Name in the BBI window.

4. Return to the BBI Cluster / ELA form, save and apply the settings.
   Click on the Save Settings button to submit your changes. Then use the global apply button to make your changes take effect.

5. Pull the SIC certificate from the SmartCenter Server.
   In order for ELA to function, a separate certificate for SIC communication needs to be installed on each of the individual Firewalls. In the Pull SIC Certificate section of the Cluster / ELA form, set the following parameters:
   - Set the Host IP to the IP address of the individual Firewall being updated.
   - Set the Client SIC Name to match the name specified when creating an OPSEC application in the Check Point SmartDashboard. Each host should map to a unique OPSEC application. In the example, host 10.10.1.1 is set to the OPSEC application “ela1.”
   - Set the password to match the Activation Key specified when configuring SIC for the OPSEC application.

6. Click the Update Certificate button to finish.


The Check Point SmartView Tracker To view the logs, open the Check Point SmartView Tracker.

The logging will not occur unless the firewall and registry are up and running on the Firewall. This happens late in the booting process. Messages are cached locally until they can be sent to the ELA logging server. It therefore may take a few moments before messages begin appearing after a reboot.
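The two client-side behaviours this appendix describes, the Minimum Severity threshold and the local cache that holds messages until the management station can be reached, as a small model added here for illustration. It is not Nortel's ELA client and not Check Point's OPSEC library. It assumes syslog severity numbering (0 = emerg through 7 = debug) and reads "at the specified level or higher" as "that severity or more severe"; the ElaForwarder class, its send callback and the sample messages are constructed for this example.

```python
from collections import deque
from typing import Callable, List, Tuple

# Syslog severity codes (RFC 5424): 0 is the most severe, 7 the least.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


class ElaForwarder:
    """Model of the client side described above (constructed for this example, not the
    Nortel implementation): forward messages at the Minimum Severity or more severe,
    and hold them in a local queue while the management station cannot be reached."""

    def __init__(self, min_severity: str, send: Callable[[str], bool]) -> None:
        self.threshold = SEVERITIES[min_severity]
        self._send = send            # returns False while the ELA server is unreachable
        self.queue = deque()         # accepted but undelivered messages, oldest first
        self.dropped: List[str] = []

    def accepts(self, severity: str) -> bool:
        """'At the specified level or higher' read as: numeric code <= threshold."""
        return SEVERITIES[severity] <= self.threshold

    def log(self, severity: str, text: str) -> None:
        line = f"<{severity}> {text}"
        if not self.accepts(severity):
            self.dropped.append(line)
            return
        self.queue.append(line)
        self.flush()

    def flush(self) -> int:
        """Deliver queued messages oldest first; stop at the first failure so order is kept."""
        sent = 0
        while self.queue:
            if not self._send(self.queue[0]):
                break
            self.queue.popleft()
            sent += 1
        return sent


def run_demo(min_severity: str = "warning") -> Tuple[List[str], int, List[str]]:
    """Replay constructed events across a reboot-like window where the server is first
    unreachable, then reachable. Returns (delivered, still_queued, dropped)."""
    delivered: List[str] = []
    server_up = {"state": False}

    def send(line: str) -> bool:
        if not server_up["state"]:
            return False
        delivered.append(line)
        return True

    fwd = ElaForwarder(min_severity, send)
    # constructed sample events (not real firewall output)
    fwd.log("info", "ssh login admin from 10.10.1.5")     # below threshold: dropped
    fwd.log("err", "VRRP: master became backup")           # server down: cached
    fwd.log("crit", "Check Point policy unloaded")         # server down: cached
    server_up["state"] = True                              # firewall and registry now up
    fwd.log("warning", "sync network degraded")            # triggers delivery of the cache
    fwd.log("debug", "ospf hello sent")                    # below threshold: dropped
    return delivered, len(fwd.queue), fwd.dropped


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the replay is the ordering: nothing accepted before the server was reachable is lost, and the cached messages arrive in the SmartView Tracker in their original order ahead of the message that triggered the flush, which is what you will see after a reboot.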


APPENDIX B

Backing Up and Cloning Configurations

This appendix describes how to perform cluster backup and cloning on the Nortel Switched Firewall 5100 Series for NSF 2.3.1.

- “Overview” on page 346
- “Backing Up and Cloning” on page 346
  - “Backing Up a Configuration” on page 346
  - “Troubleshooting for Backup” on page 347
  - “Cloning a Configuration” on page 348


Overview

Remote Backup
You can back up the configuration to a remote FTP/TFTP/SCP/SFTP server using the CLI (/maint/backup/remote). You can restore the configuration from a remote FTP/TFTP/SCP/SFTP server using the clone command from the root login.

Clone Command
The backup-restore procedure can be used for cloning. On a fresh firewall, you can use the clone command to restore the full configuration of a previous setup. The new firewall will be a clone of the original and can replace the original firewall in the network setup.

Local Backup
Using the CLI, you can perform a backup to the local firewall. A backup also happens automatically on soft reboot or when you push a new policy. This backup is used by the system automatically if there is a disk crash.

Backing Up and Cloning

In this scenario, two NSF 5100 Series firewalls are configured in a high-availability setup. The Check Point rules are defined, the gateway cluster is formed, and the policies are installed on both NSF firewalls. Make sure your setup is correct and the master and backup positions are in place. Each NSF 5100 Series in the cluster must then be backed up individually as described in this section.

Backing Up a Configuration

1. Verify that the Check Point sync is working correctly.
   Log in as admin and enter the following command:

   >> # /maint/fw/sync

   Both firewalls should be active.


   If the sync is working for only one side, reset the SIC on both NSF firewalls and install the policies again. Reboot both NSF firewalls and repeat the step above.

2. Enter the backup command.

   >> # /maint/backup/remote

3. Select the backup mode and provide the corresponding FTP/TFTP/SCP/SFTP server name and configuration filename, as follows:

   Enter the IP address (or 'all' for cluster): all
   Select tftp/ftp/scp/sftp [tftp]:
   Enter the tftp/ftp/scp/sftp Server IP Address :172.16.2.183
   Configuration filename : test
   Uploading configuration file of 32696320 bytes...
   Configuration file test_10.10.1.3:32696320 bytes saved to TFTP server
   Uploading configuration file of 32491520 bytes...
   Configuration file test_10.10.1.4:32491520 bytes saved to TFTP server

   One file is uploaded per cluster member, named with the filename you entered and the member’s IP address appended.

4. If you chose TFTP, make sure your TFTP server supports file uploads greater than 32 MB. Configuration files are typically large (70 MB or more), and some Windows-based TFTP servers do not support file uploads greater than 32 MB.

Troubleshooting for Backup

If the output is Upload failed, check the following:

- When using TFTP, a file with the same name as the configuration file (including the _<firewall IP> suffix, for example test_10.10.1.3) must already exist on the TFTP server; many TFTP servers only allow writes to existing files unless configured to create new ones.
- When using FTP to save a configuration, anonymous FTP must be enabled on the FTP server, and the anonymous login must have file list and file put permission. This means an anonymously writable FTP server holding your complete firewall configuration: restrict it to the firewalls’ addresses, move the backups off it as soon as they are written, or use SCP/SFTP instead.
- When using FTP to save a configuration, the put command must store the file in the user-specified folder. (In some FTP server configurations, all files put via the anonymous login are stored in an incoming folder. Do not use this configuration.)
- Check Point must not drop packets sent to the TFTP/FTP server. Check whether FTP and TFTP access to the server works from the root login.
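The two TFTP conditions above (the target file must already exist, and uploads beyond roughly 32 MB may fail) have a simple origin: many TFTP servers only write to existing files, and a server that implements RFC 1350 without block-number rollover or the RFC 2348 blksize option cannot go past 65535 blocks of 512 bytes, which is 33,553,920 bytes. The following pre-flight script, added here as an example and not part of the Nortel software, pre-creates the per-member target files in the TFTP root and flags backup sizes that will not fit a plain TFTP transfer. The function names, the temporary-directory demo and the 70 MB case are this example's own; the two other sizes and the member IPs are taken from the transcript above.

```python
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

TFTP_BLOCK_SIZE = 512            # RFC 1350 data block when no blksize option is negotiated
TFTP_MAX_BLOCK_NUMBER = 65535    # 16-bit block counter; block 0 is not a data block
TFTP_PLAIN_LIMIT = TFTP_BLOCK_SIZE * TFTP_MAX_BLOCK_NUMBER  # 33,553,920 bytes, the "32 MB" limit


def backup_file_names(name: str, member_ips: Iterable[str]) -> List[str]:
    """The firewall uploads one file per cluster member, named <name>_<member IP>
    (test_10.10.1.3 and test_10.10.1.4 in the transcript above)."""
    return [f"{name}_{ip}" for ip in member_ips]


def prepare_tftp_targets(tftp_root: str, name: str, member_ips: Iterable[str]) -> List[str]:
    """Pre-create empty, writable target files inside the TFTP root so that a server
    which only writes to existing files accepts the firewall's write request. Keep
    the TFTP root a dedicated directory that is not exported any other way."""
    root = Path(tftp_root)
    created: List[str] = []
    for fname in backup_file_names(name, member_ips):
        target = root / fname
        target.touch(exist_ok=True)
        target.chmod(0o666)   # the tftp daemon's uid is unknown here, hence mode 666
        created.append(str(target))
    return created


def fits_plain_tftp(size_bytes: int) -> bool:
    """True if the file can be sent with 512-byte blocks and no block-number rollover."""
    return size_bytes <= TFTP_PLAIN_LIMIT


def check_backup_sizes(sizes: Dict[str, int]) -> Dict[str, str]:
    """Map each expected upload to 'ok' or to the reason it fails on a plain TFTP server."""
    return {
        fname: ("ok" if fits_plain_tftp(size)
                else "over 33,553,920 bytes: needs blksize/rollover support, or use scp/sftp")
        for fname, size in sizes.items()
    }


def demo() -> Dict[str, object]:
    """Run the pre-flight in a temporary directory with the sizes from the transcript
    above plus one constructed 70 MB case, and return what a caller would check."""
    members = ["10.10.1.3", "10.10.1.4"]
    sizes = {
        "test_10.10.1.3": 32696320,          # from the manual's transcript
        "test_10.10.1.4": 32491520,          # from the manual's transcript
        "big_10.10.1.3": 70 * 1024 * 1024,   # constructed: the 70 MB size the manual calls typical
    }
    with tempfile.TemporaryDirectory() as tmp:
        created = prepare_tftp_targets(tmp, "test", members)
        all_created = all(Path(p).is_file() for p in created)
    return {
        "names": [Path(p).name for p in created],
        "all_created": all_created,
        "verdicts": check_backup_sizes(sizes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real TFTP server, call prepare_tftp_targets with the daemon's root directory and the cluster members' IP addresses before running /maint/backup/remote; if check_backup_sizes reports a file over the limit, select scp or sftp at the backup prompt, which also keeps the configuration off the wire in cleartext.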


Cloning a Configuration

1. Log in as root to the firewall and enter the command clone.

2. Follow the procedure as shown below:

   [root@a10-10-1-4 root]# clone
   Select a network port (1-6, or i for info) [1]:
   Enter VLAN tag id (or zero for no VLAN tag) [0]:
   Enter IP address for this iSD [172.16.2.155]:
   Enter network mask [255.255.255.0]:
   Enter gateway IP address [none]:
   Select tftp/ftp/scp/sftp [tftp]:
   Enter TFTP server address: 172.16.2.183
   Enter configuration file name in TFTP server: test
   Downloading configuration ...
   Validating downloaded configuration
   Configuring System...
   System will be configured on reboot
   Restarting system

   Once the cloning operation is completed, Check Point takes up to five minutes to re-sync its configuration information.

3. Verify that both firewalls are active.
   If both firewalls are not active, disable sync (/cfg/fw/sync/dis, then apply), wait 2 minutes, and enable sync again (/cfg/fw/sync/ena, then apply). This automatically reboots both firewalls. After the system is up again, check the sync status with the cphaprob stat command.

4. From the Check Point management station, push the policies again to the NSF firewalls.


APPENDIX C

Common Tasks

This appendix describes procedures for the most common management tasks.

- “Installing a New Image From CD-ROM” on page 350
- “Enabling USB Support” on page 351
- “Mounting a Floppy Disk on the firewall” on page 355
- “Mounting a CD-ROM on the firewall” on page 356
- “Mounting the USB Port” on page 356
- “Tuning Check Point NG Performance” on page 357
- “Reading System Memory Information” on page 359
- “Generating Public/Private DSA Key Pair” on page 360


Installing a New Image From CD-ROM

1. Obtain a Nortel Switched Firewall bootable CD and put it in the firewall CD-ROM drive.

2. Reboot the firewall.

3. When prompted, log in as root (no password is necessary).

4. Enter the appropriate installation command (use lower-case characters):

   install-nsf autodetect     (Detects the hardware platform)
   install-nsf nsf5106        (For the NSF 5106)
   install-nsf nsf5111-NE1    (For the NSF 5111-NE1)
   install-nsf nsf5109        (For the NSF 5109)
   install-nsf nsf5114-NE1    (For the NSF 5114-NE1)
   install-nsf nsf5114        (For the NSF 5114)

5. Wait for the installation script to finish (which takes several minutes). If the firewall does not reboot automatically, take the software CD out and reboot the firewall.

6. Log in as admin (the password is admin). The installation is complete. Change the default admin password before connecting the firewall to a production network.

   NOTE – If you have not already removed the CD, do it now. Otherwise the system will reboot from the CD (as if you were re-installing the image) if an unintended reboot occurs.


Enabling USB Support

USB support on the Nortel Switched Firewall 5109 and 5114 hardware platforms is disabled by default. In NSF 2.3.1, however, the USB ports must be enabled, because various downloads and uploads, such as tsdump, backup configuration, and the USB-based UPS feature, require USB support. This section describes how to enable the USB port in the BIOS for the Nortel Switched Firewall 5109 and 5114 hardware platforms only.

NOTE – The BIOS setup on the NSF must be modified carefully, because any incorrect configuration might affect firewall operation. Follow the procedures given in this section and contact Nortel Technical Support if you need more information.

Verify USB Support on the Firewall

Before modifying the BIOS settings, verify whether the USB ports are enabled or disabled on your firewall.

1. Upgrade your firewall to NSF 2.3.1 software. For more information on upgrading, see “Upgrading to NSF 2.3.1 Software” on page 195.

2. Reboot the firewall after the upgrade. If USB support is not enabled in the BIOS, the log message USB Support is disabled in BIOS is displayed on the console. Then follow the instructions to modify the BIOS for USB support. If you did not see the message or you missed the boot-up messages, look for it in the /var/log/messages file. From the root prompt, enter

   grep -i "USB Support" /var/log/messages

   or download the /var/log/messages file from the BBI (Cluster > Logs) and search for the above string.


Enabling USB Support in the BIOS

1. Connect a monitor and a keyboard to your NSF 5100 Series firewall. Refer to the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C) for more information on how to connect a monitor and keyboard to your NSF 5100 Series firewall. The initial boot-up screen is displayed.

2. Press F1 to enter the Configuration/Setup Utility. The Configuration/Setup Utility screen is displayed.

3. Select the Devices and I/O Ports option. The Devices and I/O Ports screen is displayed.

4. Highlight the USB Setup option and press Enter. The USB Setup menu appears.

5. Enable USB Support. Use the right arrow to toggle the setting and enable it.


6. Press twice. This exits the USB Setup Menu and the Configuration/Setup Utility. The Exit Setup dialog box appears.

7. Select Yes, save and exit the Setup Utility, and Press .

8. The firewall reboots with USB support enabled in the BIOS.

9. Verify that USB support is enabled in the BIOS. See “Verify USB Support on the Firewall” on page 351.


Mounting a Floppy Disk on the firewall

The following procedure can be used for mounting a floppy disk to read or write files on the firewall.

1. Insert a DOS-formatted floppy into the firewall.

2. Log in as root.

3. Enter the following command:

   # mount /mnt/floppy

4. Copy files (for example, if you need the log files):

   # cp /var/log/messages /mnt/floppy

5. To unmount the floppy disk, enter the following command:

   # umount /mnt/floppy

6. Remove the floppy disk from the firewall by pressing the eject button.


Mounting a CD-ROM on the firewall

The following procedure can be used to mount a CD-ROM in order to read files on the firewall.

1. Insert a CD-ROM into the firewall.

2. Log in as root.

3. Enter the following command:
    # mount /mnt/cdrom

4. To unmount the CD-ROM, enter the following command:
    # umount /mnt/cdrom

Mounting the USB Port

Typically, all uploads and downloads on USB ports occur automatically: when you request an upload or download, the USB port is mounted and unmounted automatically after the file is copied. However, if you need to mount the USB port manually, perform the following:

1. Insert a USB storage device into the firewall's USB port.

2. Log in as root.

3. Enter the following command:
    # usbmount

4. To unmount the USB port, enter the following command:
    # usbumount

Tuning Check Point NG Performance

Connection Parameters

To tune connection parameters, right-click the firewall object in the Check Point SmartDashboard and select Edit. Open the Logs and Masters > Capacity Optimization page and edit Maximum concurrent sessions.

• Raise the maximum concurrent sessions level to one that is consistent with the specifications for the model you are using (see Table 1-2 on page 29). The default is 25000.

• Let the connections hash size and memory pool be configured automatically by selecting the "Automatically" radio button. The automatically configured connections hash size is 4194304, which matches the increased number of connections on the firewall. The default is 32768.


NAT Parameters

If a Network Address Translation (NAT) policy is used by a large number of concurrent sessions, the following two parameters can be modified. (This is optional, because setting the connections table value also sets the NAT connections table value for FP3, R54, R55 and above.)

• nat_hash_size: The current limit is 16384. It should be increased to 131072.

• nat_limit: The current limit is 25,000. It should be increased to 180,000.

You can tune the performance of Check Point NG by entering the following commands at the firewall CLI and at the Check Point management station command line.

1. Log in to the local terminal as admin and disable the firewall:
    >> /cfg/fw/dis

   Allow several minutes for FireWall-1 services to stop before entering /cfg/fw/ena.

   NOTE – The Switched Firewall automatically restarts FireWall-1 services unless you use the /cfg/fw/dis command to disable the unit. For that reason, Nortel Networks recommends that you do not use the cpstop/cpstart commands at the management station to disable/enable the firewall.

2. Log out of the local terminal and log in again as root.

3. Edit the file $FWDIR/conf/objects_5_0.C (see "Tuning Check Point NG Performance" on page 357 for the parameters to tune).

   NOTE – Nortel Networks recommends that you use the guidbedit utility from the Check Point management station to edit objects_5_0.C rather than editing the file by hand. You can download the guidbedit utility from http://www.checkpoint.com/techsupport/downloadsng/utilities.html#dbtool.

4. Log out of the local terminal and log in again as admin.

5. Re-enable the firewall:
    >> /cfg/fw/ena

6. Start the SMART Client.

7. Reinstall the policies and download them to the firewall using the SMART Client.

Reading System Memory Information

• General Linux memory information: free, vmstat, cat /proc/meminfo, or top

• Kernel modules information: lsmod

• NG memory information: fw ctl pstat

Generating Public/Private DSA Key Pair

The following screen captures demonstrate generating the DSA key pair, creating an SSH account on a firewall, and opening an SSH session to the firewall.

Scenario: one Linux host from which to launch an SSH connection, and one firewall.

1. Generate the public/private DSA key pair.

   NOTE – The commands you enter are the text following the shell or CLI prompt.

   • On the Linux host, enter the DSA key generation command:

    [test@Phantom test]$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/test/.ssh/id_dsa): tkey
    tkey already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in tkey.
    Your public key has been saved in tkey.pub.
    The key fingerprint is:
    2d:77:72:7d:35:58:2c:4b:a4:f8:56:50:73:42:92:ae test@Phantom

   You will use the passphrase in Step 5 on page 362.

   • Print the public key to the screen:

    [test@Phantom test]$ cat tkey.pub
    ssh-dss AAAAB3NzaC1kc3MAAACBAKEdba7LVbswXDoYDmQaPifvruRFxa465FffwsGmF/LQ98tPYqwJvwLgtCyQVUL9GyUvAlECvPTlBCsAATnITo0KYL03axqqRr9PmdgaxrCcAkyQlLoOHcDzuhUXB0wYXc9ymDTP+4HFSFEuJWNkz7taAmftapuxrmOrah6fejqJAAAAFQDwRbUKQkRQpwdRyW7AhhbZEsUdsQAAAIAQlpw56WRG7c6oH9MV3ppjUIQdLXylMY1+aVEqcAkiVqxKwEbpjsSfn4v465ZLHOIXv9aku7FpyXoOwkESNDIvIdyecu2BchK6fc1CWPCLM/cqGxmSm3gWyvfKCdofcroNeTgVblB2VvMn4QuDLj7jbENoHL708Nida3eb/xxAEAAAAIEAk1hg9Y2Q8u9sEgWNN870LsrXkcySc8YJJfPSCsd0ePewU5j41VojQda8a6C2xKypbQthzshaXdPO2WiNzJWAzGdWcM73yIrqGSpFNkpCB48GKkMdRYj/Ntv3QwX/bUcMilJZEHwTEdRyjP84WbIZAK4kpbw3mz6ptYhEvLcPvyA= test@Phantom

   The public key is the whole line printed by cat, from ssh-dss through test@Phantom, and must be pasted into the firewall as a single line. The private key (tkey) stays on the Linux host and is never copied to the firewall.

2. Create an SSH account on the firewall.

   • Log onto the firewall and enter the user (account) name information:

    >> Main# /cfg/sys/user/adv/user
    Enter user name: test
    Creating SSH User test
    ------------------------------------------------------------
    [SSH User test Menu]
         name   - Set Full name of User
         pubkey - Set RSA/DSA Public Key for User
         ena    - Enable User Account
         dis    - Disable User Account
         del    - Remove SSH User
    >> SSH User test# name
    Current value: none
    Enter a descriptive name for user: Phantom
    >> SSH User test# pubkey
    Current value: none
    Enter RSA/DSA public key for user: ssh-dss AAAAB3NzaC1kc3MAAACBAKEdba7LVbswXDoYDmQaPifvruRFxa465FffwsGmF/LQ98tPYqwJvwLgtCyQVUL9GyUvAlECvPTlBCsAATnITo0KYL03axqqRr9PmdgaxrCcAkyQlLoOHcDzuhUXB0wYXc9ymDTP+4HFSFEuJWNkz7taAmftapuxrmOrah6fejqJAAAAFQDwRbUKQkRQpwdRyW7AhhbZEsUdsQAAAIAQlpw56WRG7c6oH9MV3ppjUIQdLXylMY1+aVEqcAkiVqxKwEbpjsSfn4v465ZLHOIXv9aku7FpyXoOwkESNDIvIdyecu2BchK6fc1CWPCLM/cqGxmSm3gWyvfKCdofcroNeTgVblB2VvMn4QuDLj7jbENoHL708Nida3eb/xxAEAAAAIEAk1hg9Y2Q8u9sEgWNN870LsrXkcySc8YJJfPSCsd0ePewU5j41VojQda8a6C2xKypbQthzshaXdPO2WiNzJWAzGdWcM73yIrqGSpFNkpCB48GKkMdRYj/Ntv3QwX/bUcMilJZEHwTEdRyjP84WbIZAK4kpbw3mz6ptYhEvLcPvyA= test@Phantom
    >> SSH User test# ena
    >> SSH User test# apply
    **NOTE** Telnet, SSH and Web (HTTP) are enabled.
    Changes applied successfully.
    >> SSH User test#

3. Enter the Linux host's network and network mask into the firewall access list:

    >> Main# /cfg/sys/accesslist/add
    Enter network address: 33.1.1.0
    Enter netmask: 255.255.255.0
    >> Access List# apply
    **NOTE** Telnet and Web (HTTP) are enabled.
    Changes applied successfully.

   The access list limits which source networks may reach the management services at all, so keep it as narrow as the administration hosts allow.

4. Enable SSH on the firewall host and apply the change:

    >> Main# /cfg/sys/adm/ssh/ena/apply
    **NOTE** Telnet, SSH and Web (HTTP) are enabled.

   The apply message is a reminder that Telnet and HTTP management are enabled as well. Both carry credentials in cleartext, so restrict them with the access list or disable them if they are not needed.

5. Connect to the firewall shell using SSH:

    [test@Phantom test]$ ssh -l test 33.1.1.18 -2
    test@33.1.1.18's password:

   For the password, enter the passphrase you entered when you generated the SSH keys in Step 1 on page 360.

   Because the key pair was saved as tkey rather than in the default location (/home/test/.ssh/id_dsa), the ssh client only offers it when told where it is, for example with ssh -2 -i tkey -l test 33.1.1.18; it then prompts for the passphrase of tkey. If ssh prompts for the account password instead, the key was not offered or was rejected, and the line stored with pubkey should be compared against tkey.pub.
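Before enabling the account it is worth checking that the line pasted into the pubkey prompt survived the copy intact and that its fingerprint matches the one ssh-keygen printed in Step 1. The following Python is an added example, not part of the Nortel guide or of the firewall CLI. It parses an OpenSSH public-key line, checks that the key type named at the start of the line matches the type encoded inside the base64 blob, verifies that the blob contains exactly the fields that type requires (p, q, g, y for ssh-dss; e, n for ssh-rsa) with nothing missing or left over, reports the key size, and returns the MD5 fingerprint in the same colon-separated form that ssh-keygen of that era printed. The build_pubkey_line helper and the integer values it is fed are constructed only to produce a test input; in practice run the check on tkey.pub.

```python
import base64
import hashlib
import re
import struct

# Fingerprint layout ssh-keygen printed in the guide: MD5 of the key blob as 16 colon-separated hex pairs.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")

# Number of mpint fields that follow the type string inside the blob (RFC 4253 section 6.6):
# ssh-dss carries p, q, g, y; ssh-rsa carries e, n.
MPINT_COUNT = {"ssh-dss": 4, "ssh-rsa": 2}


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (4-byte big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob (missing length field)")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob (field runs past end of data)")
    return blob[offset + 4:end], end


def parse_openssh_pubkey(line):
    """Validate an OpenSSH public-key line of the form '<type> <base64> [comment]'.

    Returns (key_type, bits, fingerprint, comment), where bits is the size of p
    (ssh-dss) or of the modulus n (ssh-rsa). Raises ValueError if the base64 is
    damaged, the outer and inner key types disagree, or the blob does not hold
    exactly the fields the type requires.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in MPINT_COUNT:
        raise ValueError(f"unsupported key type {key_type!r}")
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on a damaged paste
    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError(f"type mismatch: line says {key_type}, blob says {inner_type!r}")
    fields = []
    for _ in range(MPINT_COUNT[key_type]):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    size_field = fields[0] if key_type == "ssh-dss" else fields[1]
    bits = int.from_bytes(size_field, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return key_type, bits, fingerprint, comment


def is_valid_pubkey(line):
    """True if parse_openssh_pubkey accepts the line, False otherwise."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def _mpint(value):
    """Encode a non-negative integer as an RFC 4251 mpint (leading 0x00 when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def build_pubkey_line(key_type, mpints, comment=""):
    """Assemble a public-key line from integers. Used here only to construct test input;
    the numbers given to it are not a real key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + b"".join(_mpint(m) for m in mpints)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


if __name__ == "__main__":
    import sys
    # Usage: python3 check_pubkey.py < tkey.pub
    for raw in sys.stdin:
        if raw.strip():
            print(parse_openssh_pubkey(raw))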

APPENDIX D

Troubleshooting

This appendix provides solutions for problems that you may encounter using the Nortel Switched Firewall.

• "Failed to Establish Trust between SmartCenter Server and Firewall" on page 364
• "Managing Licenses" on page 366
• "Re-establishing SIC" on page 367
• "Poor Performance with Other Devices" on page 368
• "Cannot Log Into the Management Station from the SMART Client" on page 369
• "Check Point Sends Connection Failed Messages to Firewall" on page 369
• "VRRP Configuration Tips" on page 370
• "VRRP: Active Master Backup Fails" on page 371
• "VRRP: Both Masters are Active" on page 372
• "Poor Performance Under Heavy Traffic" on page 372
• "Configure Mandatory IP Addresses" on page 373

Failed to Establish Trust between SmartCenter Server and Firewall

In this scenario, the user is unable to establish trust between the SmartCenter Server and the Firewall.

NOTE – This scenario assumes you are logged into a SmartCenter Server that is installed on a separate workstation. Failure to establish trust may also mean that you cannot download policies to the Firewall (see "Re-establishing SIC" on page 367).

Actions

• Verify that the management station is connected to the correct port by entering the following command on the Firewall:
    /info/net/if

• Reset the Secure Internal Communication (using the one-time password) with the following command:
    /cfg/fw/sic

  NOTE – The one-time password (activation key) is used only to establish trust the first time. After that, the devices authenticate each other with the credentials negotiated during that exchange, and the one-time password is not used again.

• Unload the firewall policies:
    /maint/fw/unldplcy

  CAUTION – Unloading the firewall policies allows all traffic to pass through the firewall. Remember to push your firewall policies from the Check Point SmartDashboard after you have re-established trust.

• Enter the following command to see if the firewall is enabled in the configuration:
    /cfg/fw/cur (or) /info/host/status

The following steps require you to be logged into the firewall as the root user.

• Verify your network connections.

• Verify your management station's connectivity.

• Enter the following command to see if the Firewall MAC address is learned:
    arp -a

  This command should display the firewall's IP address and MAC address. If not, check the gateway information on the management server.

• Enter the following command to see if ICMP reaches the Firewall from your source IP address:
    tcpdump -n icmp

Managing Licenses

Re-installing an Existing License

If the Firewall crashed and was re-imaged before the license was deleted from the Firewall, the management server will not allow you to install the same license remotely on the Firewall. To work around the problem, have the original license file stored on a floppy disk (drive 'a') and perform the following steps.

1. At the Check Point management station, rename c:\winnt\fw1\5.0\conf\licenses.c to licenses.old.

2. At the Check Point management station, enter the following command (make sure the license file is on the floppy disk in drive 'a'):
    cplic put -l a:ip_address_module.lic

   where ip_address is the IP address in the license file name; for example, 172.21.9.200_module.lic.

Installing a License on an NT Workstation

Ordinarily, you should use SmartUpdate to maintain licensing on the SmartCenter Server. However, this procedure may be necessary if you are running the SmartCenter Server and SMART Client on an NT workstation.

NOTE – This procedure should not be needed if you are managing licenses from the SmartCenter Server using SmartUpdate.

1. Click the desktop Start button and select Run. When the Run window appears, specify cmd as the program to open and click OK. In the command window, enter the license installation command, cplic put, followed by the Firewall name as entered in the hosts file (page 248) and the remaining license fields. Be sure to enter the information exactly as shown on your specific Check Point license.

2. To verify that the local license is installed properly, log in as root on the Firewall and enter the following command:
    cplic print -x -type

   The output of this command should display the installed license information.

Re-establishing SIC

You must re-establish Secure Internal Communications (SIC) if you can't access the firewall after you push the policy. Check Point FireWall-1 NG with Application Intelligence uses a one-time password to initiate SIC between configured objects and the management station.

NOTE – This procedure assumes your SmartCenter Server is installed on a separate workstation. If you enabled SmartCenter Server on the firewall in Step 12 on page 41, you do not need to establish SIC.

1. Establish SIC at the firewall by entering these commands:

    >> Main# /cfg/fw/sic
    Enter the Host IP Address: 192.168.1.2
    Enter new Check Point SIC Password:
    Confirm password:
    This operation may take a while to complete and traffic can be interrupted for 5 minutes.
    Do you want to continue (y/[n])? y
    SIC Reset Succeeded...

NOTE – What is referred to as the password on the firewall is referred to as the Activation Key in the SmartDashboard.

Cannot Download Policy on Firewall

After downloading the policy to the Firewall, you cannot check the communication or download the policy again.

NOTE – Users often forget to update the SmartDashboard after adding or deleting interfaces from the Firewall console. As a result, anti-spoofing blocks the traffic because the wrong interface definitions were used.

Action

• Unload the existing policies by entering the command below, then retrieve the interfaces from the SMART Client again.
    /maint/fw/unldplcy

  CAUTION – Unloading the firewall policies allows all traffic to pass through the firewall. Remember to push your firewall policies from the Check Point SmartDashboard after you have re-established trust.

Poor Performance with Other Devices

In this scenario, you see poor performance when using the Nortel Switched Firewall with another network device such as a router.

Actions

• From the Nortel Switched Firewall console, manually configure the link parameters for the port(s) suspected of poor performance. Turn off auto-negotiation. Set the port speed (10, 100, 1000) and duplex mode (full, half) to be compatible with the adjacent device. Verify that compatible parameters are set on the adjacent device.

Cannot Log Into the Management Station from the SMART Client

The SMART Client cannot log into the management station.

Actions

• If the SMART Client and SmartCenter Server are not in the same network, add a rule that allows Check Point Management Interface (CPMI) traffic between the two networks.

• Enter the command cpconfig on the management station to see if the client IP address is on the SMART Client list. If you are running your management station on the Firewall, log in as root before entering this command.

Check Point Sends Connection Failed Messages to Firewall

In this scenario, you receive fwconn_record_conn: Id_set_wto(connections) failed messages during the session. This occurs when the Check Point session limit is reached. The default is 25000 connections.

Action

Increase the session limit on the management station. Refer to "Tuning Check Point NG Performance" on page 357.
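The message above is worth watching for before users report dropped connections. The following Python is an added example, not part of the Nortel guide: it scans syslog-style lines for the connections-table-full message, counts occurrences per minute, and raises an alert when any one minute reaches a threshold, which separates a limit being hit repeatedly from a single transient spike. The syslog prefix layout and the sample lines are constructed for the example; the firewall's real log format may differ, so adjust SYSLOG_RE to match what /var/log/messages actually contains.

```python
import re
from collections import Counter

# Exact message the guide says the firewall receives when the Check Point
# connections table is full.
CONN_FULL_MSG = "fwconn_record_conn: Id_set_wto(connections) failed"

# Assumed syslog layout "Mon DD HH:MM:SS host rest". The guide does not show
# the surrounding log format, so this prefix is an assumption of the example.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)

# Constructed sample lines (not captured from a real firewall).
SAMPLE_LOG = """\
Jun 21 10:15:02 fw1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Jun 21 10:15:02 fw1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Jun 21 10:15:09 fw1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Jun 21 10:15:41 fw1 sshd[2210]: Accepted publickey for test from 33.1.1.5 port 40212 ssh2
Jun 21 10:16:03 fw1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
this line is not syslog formatted and is skipped
""".splitlines()


def scan_connection_failures(lines):
    """Count the table-full message per minute. Keys look like 'Jun 21 10:15'."""
    per_minute = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m is None or CONN_FULL_MSG not in m.group("rest"):
            continue
        per_minute[m.group("ts")[:-3]] += 1  # drop the ':SS' part of the timestamp
    return per_minute


def table_full_alert(lines, threshold=3):
    """Return (alert, peak_minute, peak_count).

    alert is True when some minute reached `threshold` failures, meaning the
    session limit is being hit repeatedly rather than once in passing.
    """
    per_minute = scan_connection_failures(lines)
    if not per_minute:
        return False, None, 0
    peak_minute, peak_count = max(per_minute.items(), key=lambda kv: kv[1])
    return peak_count >= threshold, peak_minute, peak_count


if __name__ == "__main__":
    alert, minute, count = table_full_alert(SAMPLE_LOG)
    if alert:
        print(f"connections table full {count} times in minute {minute}; "
              "raise Maximum concurrent sessions (see Tuning Check Point NG Performance)")
```

On a live unit, feed the function the tail of the firewall's log (for example the lines copied off with the floppy procedure in Common Tasks) and, when it fires, raise Maximum concurrent sessions as described on page 357 rather than simply restarting services.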


VRRP Configuration Tips

VRRP configuration tasks must be performed in a particular order:

1. Do not enable synchronization or VRRP on either iSD host until you have added the second iSD host to the cluster.

2. Make sure both virtual router interfaces can communicate with each other.

   • Configure the virtual router interface on both iSD hosts using the CLI (see "/cfg/net/if" on page 289) or the BBI (Network > Interfaces).

   • Ping iSD host 1's virtual router IP address from iSD host 2 (or vice versa).

   • If unsuccessful, troubleshoot the cabling and make sure the port LEDs for your model are properly lit. See "Port LED Indicators" in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C).

3. Establish trust with both units.

   • Make sure you can ping both iSD host IP addresses from the management station (if the management station and the iSD host IP addresses are not on the same network, add static routes as needed on the management station).

   • Reset cluster SIC using the Check Point SMART Client (see "Re-establishing SIC" on page 367).

   • Reset cluster SIC using the CLI (see /cfg/fw/sic on page 320).

4. Once SIC completes (which can take several minutes), push policies from the Check Point SmartDashboard to the cluster.

5. Configure VRRP for both firewall hosts.

   • Configure vrid (see /cfg/net/if/vrrp/vrid on page 291).

   • Configure ip1 (see /cfg/net/if/vrrp/ip1 on page 291).

   • Configure ip2 (see /cfg/net/if/vrrp/ip2 on page 291).

   • Enable synchronization (optional) (see "/cfg/fw/sync" on page 322).

   • Enable VRRP (see "/cfg/net/bridge" on page 293) and set the rest of the VRRP parameters.

   • Apply changes.

VRRP: Active Master Backup Fails

In this scenario, the active master fails, but failover doesn't take place. A likely cause is loss of trust between the firewall and the SmartCenter Server.

Actions

• Log in as root and check the firewall status:
    root# fw stat

• If the SmartCenter Server and the firewall are not communicating, the firewall returns a status message indicating that the policy and host identities are unknown:
    HOST POLICY DATE ------ [>eth0] [eth1] [eth2] [eth3] [eth0] [eth1] [eth2] [eth3] [

Software Licenses

Copyright (C) 19yy

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

384 „ Software Licenses 213455-K, June 2005


Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

The hypothetical commands 'show w' and 'show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than 'show w' and 'show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program 'Gnomovision' (which makes passes at compilers) written by James Hacker.

, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
