Copyright © 2004 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California, 95054,
USA. All rights reserved. Part Number: 217014-A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without
warranty of any kind, either express or implied, including any kind of implied or express warranty of non-
infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR
2.101 (Oct. 1995) and contains “commercial technical data” and “commercial software documentation” as
those terms are used in FAR 12.211-12.212 (Oct. 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct. 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov. 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Alteon, Alteon Switched Firewall, Alteon 5014, 6400, 6600, 6414, Alteon Firewall Director, Firewall OS,
Alteon Firewall Accelerator, and Alteon Accelerator OS are trademarks of Nortel Networks, Inc. in the
United States and certain other countries.
Check Point, SecureXL, SmartCenter, SmartDashboard, SmartView Tracker, OPSEC, and SmartView
Monitor are trademarks of Check Point Software Technologies Ltd. FireWall-1 and VPN-1 are registered
trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are
owned by their respective companies.
Originated in the USA.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export
or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations.
A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing
217014-A, November 2004
Contents
Preface 9
Who Should Use This Book 10
How This Book Is Organized 10
Part 1: Getting Started 10
Part 2: Command Reference 11
Part 3: Appendices 11
How to Get Help 12
Typographic Conventions 13
Chapter 1: Overview 17
Feature Summary 17
Alteon Switched Firewall Basics 20
Basic Operation 22
Port Filtering 22
Topology Specifics 23
Security Processing 24
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
Index 379
Preface
This User’s Guide and Command Reference describes the Alteon Switched Firewall system with version 4.0.2 software (and higher). This guide introduces the components and features of the system and explains how to perform installation, configuration and maintenance. The following topics are discussed in the Preface.
Part 3: Appendices
Appendix A, “Event Logging API,” describes how to view Alteon Switched Firewall log
messages with your Check Point SmartView Tracker.
Appendix D, “Software Licenses,” provides licensing information for the software used in this
product.
If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:
Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL:
http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:
http://www.nortelnetworks.com/help/contact/erc/index.html
Typographic Conventions
The following table describes the typographic styles used in this book.
Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text.
Example: View the readme.txt file.

Typeface or Symbol: <AaBbCc123>
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Example: To establish a Telnet session, enter:
host# telnet <IP address>

Typeface or Symbol: AaBbCc123 (italic)
Meaning: This also shows book titles, special terms, or words to be emphasized.
Example: Read your User’s Guide thoroughly.
Part 1: Getting Started
This section discusses basic Firewall functions and Alteon Switched Firewall components. The
following topics are included in this section:
CHAPTER 1
Overview
The Alteon Switched Firewall (ASF) is a high-performance firewall system for network security. The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability. This chapter describes the following topics for Alteon Switched Firewall models 6614 and 6414:
“Feature Summary” on page 17
“Alteon Switched Firewall Basics” on page 20
Feature Summary
The following features have been added to the Alteon Switched Firewall release 4.0.2 since the
last major release:
Supports the Open Shortest Path First (OSPF) routing protocol—This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583 and route redistribution is also supported.
Supports the Router Interface Protocol (RIP) version 1 and 2 with route redistribution.
Scalability and Management
Flexible Management
To help you minimize the amount of time spent manually configuring individual devices, ASF gives you a flexible set of management options to control the configuration, policy-creation, deployment and on-going management of your ASF security solutions. You can use the CLI, BBI, or the Management Console.
Centralized Management
Provides dynamic scalability—Additional processing power can be added to the cluster without disrupting the firewall traffic.
Provides dynamic Plug N Play—Added components can be automatically configured
and brought into service.
Provides a Single System Image (SSI)—all components in a given Alteon Switched
Firewall cluster are configured together as a single system.
Supports SNMP version 2c and 3 event and alarm traps.
[Figure 11353EA: the Alteon Switched Firewall placed between an untrusted client on the Internet, other untrusted networks, the trusted network, and the DMZ servers]
The Networks
Trusted Networks
These represent internal network resources that must be protected from unauthorized
access. Trusted networks usually provide internal services such as a company’s intranet, as
well as valued applications made available to external clients, such as public e-commerce
Web sites.
Semi-trusted Networks
To increase security, services intended primarily for external clients are often placed on a separate network so that a hostile intrusion would not affect the company’s internal networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ).
Untrusted Networks
These are the external networks that are presumed to be potentially hostile, such as the
Internet.
The Firewall
Alteon Switched Firewall
The Alteon Switched Firewall is placed in the path between your various trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator. The Alteon Switched Firewall consists of multiple Firewall Director and Firewall Accelerator components that are clustered together to act as a single system.
Firewall Director
The Firewall Director is a compact, high-performance computing device running Firewall
Operating System (OS) software. It uses built-in Check Point FireWall-1 NG software to
inspect network traffic and enforce firewall policies. For increased firewall processing
power, additional Firewall Directors can be attached to the cluster.
Firewall Accelerator
The Firewall Accelerator is an Alteon switch running Accelerator OS software. It offloads
the processing of secured traffic from the Firewall Director, enhancing firewall performance.
For high-availability configurations, a second Firewall Accelerator and Firewall Director
can be attached to the cluster.
policy changes made in a management client are forwarded to the SmartCenter which then
loads them onto the firewalls. For convenience, a management client can be installed on
the SmartCenter.
Basic Operation
Traditional firewall solutions involve running firewall software on a workstation or server with
a general-purpose OS. Such general-purpose OS solutions have security holes, and software
firewall solutions running on them perform poorly. The Alteon Switched Firewall was created
to solve these problems.
The Alteon Switched Firewall is a combination of dedicated hardware and software (hardened OS, security applications, and networking technology). It addresses the needs for security, performance and ease of use.
Port Filtering
The Firewall Accelerator features wire speed packet filters that allow or deny traffic based on a
variety of address and protocol characteristics. These port filters screen packets before they
reach the firewall inspection engine. The logging information for these filters can be passed to
the Check Point ELA log and can be viewed with the Check Point SmartView Tracker™.
Security and speed can be enhanced dramatically by using Alteon port filters.
Topology Specifics
The classic software firewall model can become a security speed bump. Typically, data enters from one network card, passes through a policy inspection engine, and is deposited on another network card. When relying on the single processing path such systems offer, there are major limitations on speed and expandability.
The Alteon Switched Firewall solution flattens the security speed bump and boosts the speed
of data.
[Figure: Classic Firewall Scenario (Internet, router, firewall, switch, clients, server cluster) compared with the Alteon Switched Firewall Solution, in which a Firewall Accelerator provides firewall acceleration and load-balanced firewall traffic control across the Firewall Directors, between the untrusted networks and the trusted networks]
Check Point FireWall-1 NG is a stateful inspection firewall. The Alteon Switched Firewall performs policy checking for every new connection request, manages the connection table, and specifies the rules for handling the subsequent packets in a session. Once a session is active, policy checking for packets is handled by the Firewall Accelerator.
Security Processing
The Firewall Director connection table is mirrored by the Firewall Accelerator. This is accomplished through the Nortel Appliance Acceleration Protocol (NAAP).
After the Firewall Director inspection engine accepts the setup packets in a session, subsequent packets belonging to the session are inspected and forwarded by the Firewall Accelerator without the involvement of the Firewall Director. This solution achieves a tremendous improvement in firewall performance because approximately 90% of the data can be accelerated at wire speed.
Traditionally, a stateful inspection firewall would either interrogate every packet or run in a cut-through (fast) mode, which inspects the first packet and then, once that packet is accepted, allows all further packets without investigation until the session ends. By using a high-speed switch as a hardware accelerator, this inspection can be done at Gigabit speeds without compromising security.
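The following Python model is an added illustration of the Director/Accelerator split described in this section; it is not Nortel or Check Point code, and NAAP itself is not modelled. The rulebase, the addresses (taken from the example network in Chapter 2) and the traffic are constructed. The point it makes: only the first packet of a session reaches the policy engine, accepted sessions are entered into the table the Accelerator consults, and dropped packets are never cached, so a rejected flow is re-evaluated (and re-logged) every time.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: Optional[str]    # CIDR prefix, or None for "any"
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str           # "accept" or "drop"
    log: bool = False


def _in_net(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def flow_key(pkt):
    # Direction-independent key, so the server's reply packets belong to the same session.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Director:
    """Policy inspection engine: evaluates the rulebase once, for the setup packet of a session."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []     # (rule number, action, packet); rule 0 is the implicit cleanup drop

    def inspect(self, pkt):
        for number, rule in enumerate(self.rules, start=1):
            if rule_matches(rule, pkt):
                if rule.log:
                    self.log.append((number, rule.action, pkt))
                return rule.action == "accept"
        self.log.append((0, "drop", pkt))   # nothing matched: drop and log (default deny)
        return False


class Accelerator:
    """Forwards packets of sessions the Director already accepted, using its copy of the connection table."""

    def __init__(self, director):
        self.director = director
        self.table = set()      # stand-in for the connection table mirrored from the Director
        self.accelerated = 0    # packets handled without the Director
        self.punted = 0         # packets sent to the Director for policy checking

    def forward(self, pkt):
        key = flow_key(pkt)
        if key in self.table:
            self.accelerated += 1
            return True
        self.punted += 1
        accepted = self.director.inspect(pkt)
        if accepted:
            self.table.add(key)   # only accepted sessions enter the table; drops are re-evaluated
        return accepted

    def session_closed(self, pkt):
        self.table.discard(flow_key(pkt))   # after teardown the next packet is policy-checked again


def simulate():
    """Ten-packet HTTP session into the trusted network, two SSH attempts, then a new HTTP session."""
    rules = [Rule(None, "30.1.1.0/16", "tcp", 80, "accept", log=True)]   # constructed rulebase
    acc = Accelerator(Director(rules))
    c2s = Packet("20.1.1.50", "30.1.1.20", "tcp", 40000, 80)
    s2c = Packet("30.1.1.20", "20.1.1.50", "tcp", 80, 40000)
    verdicts = [acc.forward(c2s), acc.forward(s2c)] + [acc.forward(c2s) for _ in range(8)]
    ssh = Packet("20.1.1.50", "30.1.1.20", "tcp", 40001, 22)
    verdicts += [acc.forward(ssh), acc.forward(ssh)]
    acc.session_closed(c2s)
    verdicts.append(acc.forward(c2s))   # new session after teardown: back to the Director
    return {"verdicts": verdicts, "punted": acc.punted,
            "accelerated": acc.accelerated, "log": acc.director.log}
```

In the simulated run, one of the ten packets of the accepted session is policy-checked and nine are accelerated, which is the kind of ratio the "approximately 90%" figure above refers to; the two SSH packets are both punted and both dropped, because a drop never creates a session entry.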
CHAPTER 2
Initial Setup
This chapter describes how to perform initial setup for the minimal Alteon Switched Firewall
configuration (one Firewall Director and one Firewall Accelerator).
It is assumed that you have installed the Alteon Switched Firewall hardware as described in the
Alteon Switched Firewall Hardware Installation Guide including mounting the components,
attaching network cables, turning on power, and connecting a console terminal.
NOTE – For configurations with multiple Firewall Directors or Firewall Accelerators, first install the minimum system as described in the Alteon Switched Firewall Hardware Installation Guide and perform initial setup as described in this chapter. When the minimum system is fully configured, add and setup the extra components as described in Chapter 7, “Expanding the Cluster,” on page 105.
NOTE – The highest IP address and lowest IP address in the subnet range are reserved for
broadcasts and cannot be assigned to specific cluster devices.
A list of subnets that will be statically configured on the firewall for internal subnets, plus
the IP address of the internal router that handles routes for these subnets.
The IP address of the default gateway for data moving from the Alteon Switched Firewall
to the Internet.
An IP address reserved for the Alteon Switched Firewall on each trusted, untrusted, and
semi-trusted subnet that will connect directly to the firewall.
A Check Point SmartCenter station and management console client (SmartDashboard) on one of the networks attached to the Firewall Accelerator.
NOTE – Before upgrading the software on the Firewall Accelerator and Firewall Director, you
must perform the initial setup procedures as explained in this chapter. Once initial setup is
complete, see Chapter 8, “Upgrading the Software,” on page 127 for more information.
Example Network
The following example network will be used to illustrate the procedures described in this chapter:
[Figure: Example network]
Alteon Switched Firewall
  MIP: 10.10.1.10
  Firewall Accelerator IP: 10.10.1.2
  Firewall Director IP: 10.10.1.1
  IF1 (port 2, Network A): IP 20.1.1.1
  IF2 (port 3, Network B): IP 30.1.1.1
Network A (Untrusted): Internet, reached through the Router
  Router inside interface IP: 20.1.1.2
  Gateway: 20.1.1.2
Network B (Trusted): 30.1.1.0/16
  Gateway: 30.1.1.1
  Check Point SmartCenter IP: 30.1.1.10
Press <Enter> on the console terminal to establish the connection. The Alteon Switched Firewall login prompt will appear. Enter the default login name (admin) and the default password (admin). If the Alteon Switched Firewall is set to factory defaults, a special Setup utility menu will appear:
login: admin
Password: admin (not displayed)
>> Setup#
NOTE – If the Setup Menu does not appear, disconnect the Firewall Director from the cluster
and reset it to its factory default state using the /boot/delete command (see page 174).
Below is an example of the Setup utility prompts and configuration. Follow the example to initialize a “new” installation. After answering the various Setup questions, the built-in Check Point software will be initialized.
NOTE – The IP addresses shown here and in the following steps are taken from the example
network on page 27. Enter information for your specific network configuration.
5. Set your time zone by selecting continent or ocean, then country, then region.
For example:
Timezone setting
1 - Africa
2 - America
3 - Antarctica
4 - Arctic
5 - Asia
6 - Atlantic
7 - Australia
8 - Europe
9 - Indian
10 - Pacific
Select a continent or an ocean, or enter a full timezone name: 2
Countries:
1 - Antigua&Barbuda 18 - Ecuador 35 - Panama
2 - Anguilla 19 - Grenada 36 - Peru
3 - Antilles 20 - French Guiana 37 - St Pierre & Miquelon
4 - Argentina 21 - Greenland 38 - Puerto Rico
5 - Aruba 22 - Guadeloupe 39 - Paraguay
6 - Barbados 23 - Guatemala 40 - Suriname
7 - Bolivia 24 - Guyana 41 - El Salvador
8 - Brazil 25 - Honduras 42 - Turks & Caicos Is
9 - Bahamas 26 - Haiti 43 - Trinidad & Tobago
10 - Belize 27 - Jamaica 44 - United States
11 - Canada 28 - St Kitts&Nevis 45 - Uruguay
12 - Chile 29 - Cayman Islands 46 - St Vincent
13 - Colombia 30 - St Lucia 47 - Venezuela
14 - Costa Rica 31 - Martinique 48 - Virgin Islands (UK)
15 - Cuba 32 - Montserrat 49 - Virgin Islands (US)
16 - Dominica 33 - Mexico
17 - Dom. Republic 34 - Nicaragua
Select a country: 44
6. Select a time server and set the current date and time:
8. Generate a new Secure Shell (SSH) host key for use in secure remote administration sessions:
It is recommended that you generate a new SSH key in order to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client. Answer the prompt by pressing the y or n key. Do not press <Enter>.
The one-time password entered here will be required later when establishing Secure Internal
Communications (SIC) between the SmartCenter and the Firewall Director.
Accelerators Supported
1) 6600
2) 6400
Select the default type: 1
Once this Setup process is complete, you will need to log in and configure Check Point
licenses as shown in the following section.
Once the Setup utility has been used for basic system configuration, the Setup menu is no
longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:
[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
>> Main#
Use the following CLI commands to install your Check Point licenses and to configure information about the network.
1. If local licensing is used, enter Check Point licensing information for the Firewall Director.
NOTE – If central licensing is used, skip this step. With central licensing, the license is pushed
from the SmartCenter in a later step.
The license information will be part of your Check Point package. The expected information
will appear similar to this:
Log in to the Firewall Director using the administrator account. Be sure to enter the information exactly as shown on your specific Check Point license.
>> # /cfg/pnp/add
Enter the IP Address: 10.10.1.1 (address of the Firewall Director)
Enter the Expiry date for the License: <Expiration date>
Enter the Feature string: <Feature string>
Enter the License string: <License string>
NOTE – Local license installation is performed through the CLI only. Do not install local
licenses using the root login or SmartUpdate or they will be automatically deleted.
NOTE – You can also specify a MAC address in the Accelerator 1 Configuration menu. However, when the automatic discovery feature is enabled, the Alteon Switched Firewall automatically determines the MAC address of the Firewall Accelerator. Auto discovery is on by default, but can be turned on or off using the /cfg/acc/auto command.
NOTE – Interface broadcast addresses will be automatically calculated from the network mask
unless configured manually.
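As an added example that is not part of the Nortel guide, the following Python helper applies the two addressing rules stated in this chapter: the interface broadcast address is derived from the interface IP and its network mask (the NOTE above), and the lowest and highest addresses of the cluster subnet are reserved and cannot be assigned to cluster devices (the NOTE in the prerequisites list). The device names and the 10.10.1.0/24 cluster subnet are assumptions based on the example network; the function also flags an address assigned to two devices, which the guide does not mention.

```python
import ipaddress


def interface_broadcast(ip, mask):
    """Broadcast address the firewall would derive for an interface from its IP and network mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.broadcast_address)


def check_cluster_addresses(subnet, assignments):
    """assignments maps a device name to its IP address.

    Returns {device: reason} for every address that cannot be used: outside the cluster
    subnet, the reserved lowest (network) or highest (broadcast) address, or a duplicate.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    problems = {}
    owner = {}   # address -> first device that claimed it
    for name, ip in assignments.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems[name] = f"{ip} is not in {net}"
        elif addr == net.network_address:
            problems[name] = f"{ip} is the lowest address of {net} (reserved)"
        elif addr == net.broadcast_address:
            problems[name] = f"{ip} is the highest address of {net} (reserved)"
        elif addr in owner:
            problems[name] = f"{ip} is already assigned to {owner[addr]}"
        owner.setdefault(addr, name)
    return problems


# Constructed plan for the example network: cluster subnet 10.10.1.0/24 is an assumption.
EXAMPLE_PLAN = {"MIP": "10.10.1.10", "Firewall Director 1": "10.10.1.1",
                "Firewall Accelerator 1": "10.10.1.2"}
```

Running check_cluster_addresses("10.10.1.0/24", EXAMPLE_PLAN) returns an empty dict; adding a second Director at 10.10.1.255 or 10.10.1.0 makes the function report it before the address is ever typed into the Setup utility.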
This command applies the configuration changes on the Firewall Director as well as on the Firewall Accelerator (no manual configuration is required on the Firewall Accelerator). The Firewall Director will also upgrade the Firewall Accelerator software if required.
Once the apply process is complete, the Link LED indicators for correctly configured ports
will be green.
In our example network, you can verify that the Firewall Accelerator configuration has been
updated by examining the port LEDs.
Once this is complete, proceed to the following section and install the Check Point management tools on the management station.
This procedure outlines how to install the Check Point management tools (SmartServer and SmartConsole) NG with Application Intelligence (R55). The Management Client tools are being installed on the SmartCenter station. These tools may also be installed on a remote station. For details about this or any other version of Check Point software, please refer to your complete Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required).
1. Make sure that your SmartCenter station meets or exceeds the minimum requirements.
Check Point SmartCenter requires a workstation or server with the following:
Operating System: Windows NT 4.0 SP6a or Windows 2000 Server and Advanced Server
(SP2)
2. Insert the Check Point software CD-ROM into the SmartCenter station drive. The installation program will start automatically.
The following material will explain any important prompts and the expected responses. For
prompts not covered in these steps, follow any onscreen instructions.
Select the checkboxes for the following items and click on the Next button:
SmartCenter
SmartConsole
Make sure Policy Server is not checked. The SmartConsole selection includes all of the GUI
Client tools you need for the SMART Client that administers the Check Point features on the
Firewall.
At this point, the installation program will begin installation of each component. First, a common Check Point component known as the SVN Foundation will be automatically installed and configured. When that completes, the SmartCenter software is installed, and finally the SmartConsole components. The Application Intelligence software is automatically installed during a later step.
6. Select Management Server as the type of product to install and click on the Next button.
At this point, the program will install the SVN Foundation software (standard), SmartCenter (if
selected) and SmartConsole components. The installation status is displayed in the Installation
Status window.
8. Select Primary SmartCenter as the type of product and click on the Next button.
Check Point Enterprise/Pro preselects all of the SmartConsole components. Check Point
Express preselects the top four components. The selection rationales are discussed on the
Check Point Web site:
http://www.checkpoint.com/products/enterprise/smartcenter.html
NOTE – In previous versions of the Check Point management tool software, backward compatibility was an option. With R55, backward compatibility is a standard feature that is installed in the background.
12. Follow the onscreen prompts until asked to specify the SmartConsole GUI clients to be
installed:
Select the checkboxes and click on the Next button to install the management client software.
13. Once the software is installed, click on the OK button to configure licenses:
14. When prompted, specify a valid Check Point license for the SmartCenter Server. Select
the Fetch From File... or Add... button (below, left) and specify the appropriate license
data (below, right):
When you have entered the license data, click OK, and Next.
15. When prompted, click the Add… button (below, left) and enter login information for
SmartCenter administrators (below, right):
When you have entered the administrator information, click OK and Next.
16. When prompted, add any remote management clients (also known as SMART Clients):
Enter localhost or the host’s IP address if the GUI client is on the same host as the SmartCenter
Server. Also specify the DNS hostname or IP address of other management clients that will be
permitted to interface with this management station. Click Next to continue.
17. When prompted, type random characters for the cryptographic seed:
NOTE – Do not type excessively quickly. When overfilled, the input buffer may take a few
moments to process.
When the cryptographic seed is generated, click the Next button to continue.
18. Initialize the Certificate Authority. If the FQDN is correct, click the Send to CA button:
After you initialize the Certificate Authority, you should not change the IP address or the name
of the management station.
As a security measure, this fingerprint will be required in a later step to ensure that no one has
impersonated the administrator.
Once the station is rebooted, installation of the SmartCenter and SmartDashboard are complete. The next task is to use the SmartDashboard to define and install firewall policies.
Task Overview
The initial configuration of firewall policies involves the following tasks:
Enter one of the user name/password combinations configured during the installation of the
SmartCenter tools during Step 15 on page 42.
Also specify the IP address of the SmartCenter Server and click OK. NOTE—Be sure you have
added this IP address in the client access list to allow SMART Client access to the Firewall.
Click the Approve button to verify that the fingerprint is the same as the one obtained during
installation of the SmartCenter tools during Step 19 on page 44.
2. Select Classic mode when the Check Point installed Gateway creation window appears.
Name: The name of the newly installed Firewall Director. The SmartCenter must be configured to resolve this name to the IP address below.
IP Address: The address of the newly installed Firewall Director. In our example, the address is 10.10.10.1.
Check Point products: Select NG Application Intelligence (AI).
FireWall-1: Check this item from the list window.
NOTE – Only FireWall-1 is currently supported on this product. VPN-1® is not used.
Leave the Workstation Properties window open for use in the next steps.
To establish SIC, click on the Communication button in the Workstation Properties window.
The Communications window will appear:
Enter the same one-time SIC password that was defined during the Firewall Director initial
setup in Step 9 on page 31 and click on the Initialize button.
The SmartCenter will attempt to contact the Firewall Director and exchange security information. When successful, the window will indicate “Trust established.”
Select the Topology section of the Check Point Gateway window and click on the Get Topology button. This will retrieve the interfaces that were configured from the Firewall Director.
The Get Topology button displays linked and enabled networks only.
NOTE – When using antispoofing, a message may appear stating that the Get Topology function was only partially successful. When this occurs, “IP addresses behind the interface” will be undefined. Select each interface and use the Edit button to manually configure the undefined address. The address should represent the full range of valid source IP addresses attached through the interface. These addresses must be configured prior to loading policies to the Firewall Director.
NOTE – If local licensing was used in configuring interfaces in Step 1 on page 32, skip ahead to
“Create and Install Firewall Policies” on page 53.
1. Start the SmartUpdate management tool on your management client station (SmartCenter).
2. From the SmartUpdate menu bar, select Licenses > New Licenses.
Enter the information exactly as shown on your specific Check Point license.
The license will be automatically sent to the Check Point Management Console license repository and then installed to the Firewall Director.
For more details on installing central licenses, see your complete Check Point documentation
at http://www.checkpoint.com/support/technical/documents/index.html (ID and password
required).
From the SmartDashboard tool menu bar, select Rules | Add Rule | Top. A new rule will be
added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic
from any source to any destination will not pass through the firewall.
Change the action of the new rule to “accept” by right-clicking on the “drop” action icon and
selecting “accept” as the new action from the pop-up list.
Also change the track setting to “log” by right-clicking on the “none” setting and selecting
“log” as the new track setting from the pop-up list.
NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear.
Please refer to your company’s security policy and your Check Point documentation at http://
www.checkpoint.com/support/technical/documents/index.html (ID and password required) to
determine whether antispoofing is necessary for your firewall.
If the effort to push policies fails, click Show Errors. A common cause of errors is an expired
license. If this is the case, update the license on the SmartCenter Server using SmartUpdate and
push policies again.
Close the Install Policy window when the process is complete.
3. Use the SmartView Tracker program to confirm proper operation of the Firewall Director.
The SmartView Tracker lists all traffic being processed, accepted, dropped, and so on. To confirm that the Alteon Switched Firewall is properly configured, select the SmartView Tracker Active Mode. Use a client station to ping the firewall. If the SmartView Tracker displays an entry for the ping traffic, the configuration is good. Before you ping the Firewall, make sure you enable the Accept ICMP Replies field in the Global properties tab.
NOTE – The SmartView Tracker is an excellent tool for debugging and enhancing your security rules. For details regarding this tool, see your complete Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required).
4. Use the SmartDashboard tool to remove the test rule generated in Step 1.
5. Create and install complete firewall security rules.
The rules you apply to your security policy will depend on the security needs of your network. In general, you should drop all traffic that is not specifically required. Refer to your company’s security policy and Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required) for more information about creating and maintaining effective security policies.
Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server, thereby reducing network administration. The most significant configuration the client receives from the server is its required IP address (other optional parameters include the “generic” file name to be booted, the address of the default gateway, and so forth).
The Nortel Networks DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them. Without the DHCP relay agent, there must be at least one DHCP server deployed on each subnet that has hosts needing to perform the DHCP request.
57
217014-A, November 2004
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
DHCP defines the methods through which clients can be assigned an IP address for a finite lease period and allows reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network.
In the DHCP environment, the Alteon Switched Firewall acts as a relay agent. The DHCP
relay feature (/cfg/net/dhcprl) enables the Firewall to forward a client request for an IP
address to DHCP servers with IP addresses that have been configured on the Alteon Switched
Firewall.
When Alteon Switched Firewall receives a UDP broadcast on port 67 from a DHCP client
requesting an IP address, the request is then forwarded as a UDP Unicast MAC layer message
to DHCP servers whose IP addresses are configured on the Firewall. The servers respond with
a UDP Unicast message back to the Firewall, with the default gateway and IP address for the
client. The destination IP address in the server response represents the interface address on the
Alteon Switched Firewall that received the client request. This interface address tells the
Alteon Switched Firewall on which VLAN to send the server response to the client.
[Figure: DHCP relay between the Boston and Atlanta sites, with addresses 20.1.1.1 and 10.1.1.0]
The client request is forwarded to all DHCP servers configured on the Firewall. The use of two servers provides failover redundancy. However, no health checking is supported.
DHCP Relay functionality is assigned on a per interface basis. At least one server and one
interface must be enabled for DHCP, otherwise the configuration will fail validation. Use the
following commands to configure the Alteon Switched Firewall as a DHCP relay agent:
>> # /cfg/net/dhcprl
>> DHCP Relay# ena (Enable DHCP relay)
>> # /cfg/net/dhcprl/server 1
>> DHCP Server 1# addr 10.1.1.1 (Set IP address of 1st DHCP server)
>> DHCP Server 1# ena (Enable the DHCP server)
>> DHCP Server 1# ../server 2 (Select the menu for the 2nd DHCP server)
>> DHCP Server 2# addr 10.1.1.2 (Set IP address of 2nd DHCP server)
>> DHCP Server 2# ena (Enable the DHCP server)
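The relay behaviour described above (stamp the receiving interface address into the request, unicast it to every configured server, and use the server reply's destination address to pick the VLAN), as an added model written for this page rather than Nortel's code. The relay interface addresses and VLAN numbers are assumptions; the server addresses are the two from the CLI example.

```python
import struct
import ipaddress

# Added example, not Nortel code. Relay interface addresses and VLAN numbers are
# assumptions; the server addresses are the ones configured in the CLI example.
RELAY_INTERFACES = {"20.1.1.1": 20, "30.1.1.1": 30}  # interface address -> VLAN
DHCP_SERVERS = ["10.1.1.1", "10.1.1.2"]
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAX_HOPS = 16            # assumed hop limit; RFC 1542 relays discard requests beyond it
BOOTREQUEST, BOOTREPLY = 1, 2

# Fixed 236-byte BOOTP header (RFC 951); DHCP options are left out for brevity.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_bootp(op, xid, hops=0, giaddr="0.0.0.0", yiaddr="0.0.0.0",
                chaddr=b"\x02\x00\x00\x00\x00\x01"):
    """Build a BOOTP/DHCP header; the default chaddr is a constructed client MAC."""
    return struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0x8000,
                       _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr),
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)


def parse_bootp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:6]}


def relay_client_request(pkt, ingress_interface):
    """A client broadcast arrives on UDP port 67 on one of the relay interfaces.
    Stamp giaddr with that interface (unless an upstream relay already set it),
    bump the hop count, and return unicast copies for every configured server.
    An empty list means the request is dropped."""
    hdr = parse_bootp(pkt)
    if hdr["op"] != BOOTREQUEST or ingress_interface not in RELAY_INTERFACES:
        return []
    if hdr["hops"] + 1 > MAX_HOPS:          # looping or over-relayed request
        return []
    giaddr = hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else ingress_interface
    out = build_bootp(BOOTREQUEST, hdr["xid"], hops=hdr["hops"] + 1,
                      giaddr=giaddr, chaddr=hdr["chaddr"])
    return [(server, DHCP_SERVER_PORT, out) for server in DHCP_SERVERS]


def relay_server_reply(pkt, dst_ip):
    """A server unicasts its reply to the relay interface that forwarded the
    request; giaddr names that interface and therefore the VLAN to deliver on.
    Returns delivery details, or None when the reply is not for one of our interfaces."""
    hdr = parse_bootp(pkt)
    if hdr["op"] != BOOTREPLY or hdr["giaddr"] != dst_ip:
        return None
    vlan = RELAY_INTERFACES.get(hdr["giaddr"])
    if vlan is None:
        return None
    return {"vlan": vlan, "client_port": DHCP_CLIENT_PORT,
            "offered_ip": hdr["yiaddr"], "chaddr": hdr["chaddr"]}
```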
When a Firewall Director holding the MIP receives a routing update that contains a new or
changed destination network entry, the Firewall Director holding the MIP adds 1 to the metric
value indicated in the update and enters the network in the routing table. The IP address of the
sender is used as the next hop.
Stability
RIP version 1 was distributed in the early years of the Internet and advertised classful addresses without subnet masks. RIP is stable, widely supported, and easy to configure. Use RIP in stub networks and in small autonomous systems that do not have many redundant paths.
RIP includes a number of other stability features that are common to many routing protocols.
For example, RIP implements the split horizon and holddown mechanisms to prevent incorrect
routing information from being propagated.
RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. The destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is, infinity). This limits the maximum diameter of a RIP network to less than 16 hops.
This implementation of RIP currently allows for up to 8K total routes, which include the default routes, interfaces, static routes, and dynamically learned routes from RIP and/or OSPF. Loop prevention is performed through the use of the Split Horizon algorithm to prevent the rebroadcast of a route on the same interface that it was received on. Poison Reverse is used to send routing updates with a hop count of 16 for dead routes.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router does not receive an update from another router within 90 seconds, it marks the routes served by the non-updating router as being unusable. If no update is received within 240 seconds, the router removes all routing table entries for the non-updating router.
When a router receives a routing update that includes changes to an entry, it updates its routing
table to reflect the new route. The metric value for the path is increased by 1, and the sender is
indicated as the next hop. RIP routers maintain only the best route (the route with the lowest
metric value) to a destination.
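A small model of the RIP rules in this section (metric incremented on receipt, 16 as infinity, best route only, the 90 and 240 second timers, and split horizon with poison reverse), added for this page and not taken from the Nortel implementation. Neighbour addresses and interface names are constructed.

```python
# Added example, not Nortel code. Neighbour addresses and interface names are constructed.
RIP_INFINITY = 16
TIMEOUT_SEC = 90     # no update within 90 s: route becomes unusable
FLUSH_SEC = 240      # no update within 240 s: route entry is removed


class RipTable:
    def __init__(self):
        # destination -> {"metric", "next_hop", "iface", "updated"}
        self.routes = {}

    def receive_update(self, sender, iface, entries, now):
        """Process (destination, advertised metric) pairs from neighbour `sender`
        heard on interface `iface` at time `now` (seconds)."""
        for dest, adv_metric in entries:
            metric = min(adv_metric + 1, RIP_INFINITY)   # add 1 hop on receipt
            cur = self.routes.get(dest)
            if metric >= RIP_INFINITY:
                # A poisoned route only matters if it comes from our current next hop.
                if cur is not None and cur["next_hop"] == sender:
                    cur["metric"] = RIP_INFINITY
                continue
            # Keep only the best route; an update from the current next hop is
            # always taken, even if its metric went up, so stale data cannot linger.
            if cur is None or metric < cur["metric"] or cur["next_hop"] == sender:
                self.routes[dest] = {"metric": metric, "next_hop": sender,
                                     "iface": iface, "updated": now}

    def expire(self, now):
        """Apply the 90 s timeout and 240 s flush timers."""
        for dest, route in list(self.routes.items()):
            age = now - route["updated"]
            if age >= FLUSH_SEC:
                del self.routes[dest]
            elif age >= TIMEOUT_SEC:
                route["metric"] = RIP_INFINITY   # unusable, still advertised as poisoned

    def usable(self, dest):
        route = self.routes.get(dest)
        return route is not None and route["metric"] < RIP_INFINITY

    def advertise(self, iface):
        """Build the update sent out on `iface`: split horizon with poison reverse,
        so routes learned on that interface go back out with metric 16."""
        update = []
        for dest, route in sorted(self.routes.items()):
            if route["iface"] == iface:
                update.append((dest, RIP_INFINITY))
            else:
                update.append((dest, route["metric"]))
        return update
```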
[Figure 4-1: Alteon Switched Firewall between Router 1 (100.100.2.1, OSPF domain) and Router 2 (100.100.3.1, RIP domain); ASF interfaces 100.100.2.80 and 100.100.3.150]
In Figure 4-1 the Alteon Switched Firewall is configured as an ASBR between two domains,
OSPF and RIP. The ASF is connected to two routers, Router 1 in the OSPF domain and Router
2 in the RIP domain. ASF is required to advertise the OSPF routes from the OSPF domain into
the RIP domain. In this example, two IP interfaces are needed on the ASF: one for the OSPF
domain on 100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.
1. Configure the IP interface to the backbone router for the OSPF domain that is connected
to port 1 of the Alteon Switched Firewall.
2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon
Switched Firewall.
6. Enable RIP for VLAN 22 and specify the RIP version if required.
Configure OSPF in Router 1 and verify that the Alteon Switched Firewall and Router 1 are able to send and receive routes between them. Configure Router 1 to send OSPF routes to the Alteon Switched Firewall. Verify the routing table on Router 2 and confirm that these routes are not advertised and installed in Router 2, because it is not an OSPF router.
8. Configure the ASF to convert the OSPF routes into RIP routes.
When routes are redistributed, you must define a metric that the receiving protocol understands. If you want to change the metric of the redistributed route, then enter the new metric under /cfg/net/route/rip/redist/ospf/metric.
Verify if Router 2 is able to see all the routes from the OSPF domain.
“OSPF Overview” on page 68. This section provides information on OSPF concepts: types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
“Alteon Switched Firewall OSPF Implementation” on page 73. This section gives you information specific to the Alteon Switched Firewall implementation of OSPF: configuration parameters, electing the designated router, summarizing routes and so forth.
“GRE Tunnel Support” on page 79. This section describes how ASF 4.0.2 supports Generic Routing Encapsulation (GRE) on the Firewall Directors.
“OSPF Configuration Examples” on page 83. This section provides step-by-step instructions on configuring four different configuration examples:
Creating a simple OSPF domain
Creating virtual links
Summarizing routes
Redistributing routes
OSPF Overview
OSPF is designed for routing traffic within a single IP domain called an Autonomous System
(AS). The AS can be divided into smaller logical units known as areas.
All routing devices maintain link information in their own Link State Database (LSDB). The
LSDB for all routing devices within an area is identical but is not exchanged between different
areas. Only routing updates are exchanged between areas, thereby significantly reducing the
overhead for maintaining routing information on a large, dynamic network.
Stub Area—an area that is connected to only one other area. External route information is
not distributed into stub areas.
Not-So-Stubby-Area (NSSA)—similar to a stub area with additional capabilities. Routes
originating from within the NSSA can be propagated to adjacent transit and backbone
areas. External routes from outside the AS can be advertised within the NSSA but are not
distributed into other areas.
Transit Area—an area that allows area summary information to be exchanged between
routing devices. The backbone (area 0), any area that contains a virtual link to connect two
areas, and any area that is not a stub area or an NSSA are considered transit areas.
[Figure 5-1: OSPF domain. Backbone Area 0 (also a transit area) is connected through ABRs to a stub area, a transit area, and a stub area, NSSA, or transit area attached to the backbone via a virtual link; internal LSA routes are exchanged between areas, and an ASBR carries external LSA routes to a non-OSPF RIP/BGP AS. ABR = Area Border Router; ASBR = Autonomous System Boundary Router]
Internal Router (IR)—a router that has all of its interfaces within the same area. IRs main-
tain LSDBs identical to those of other routing devices within the local area.
Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain
one LSDB for each connected area and disseminate routing information between areas.
Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between
the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes.
[Figure: OSPF routing device types. Backbone Area 0 with Areas 1, 2, and 3; ABRs exchange inter-area (summary) routes between areas, ASBRs exchange external routes with BGP and RIP, and an internal router sits entirely within one area]
Neighbors are routing devices that maintain information about each other’s health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors.
Adjacencies are neighbors that exchange OSPF database information. In order to limit the number of database exchanges, not all neighbors in an area (IP network) become adjacent to each other. Instead, the hello process is used for electing one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR).
The DR is adjacent to all other neighbors and acts as the central contact for database
exchanges. Each neighbor sends its database information to the DR, which relays the informa-
tion to the other neighbors.
Because of the overhead required for establishing a new DR in case of failure, the hello process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR will take over the task of distributing database information to the other neighbors.
Each routing device transmits a Link-State Advertisement (LSA) on each of its interfaces.
LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute
LSAs between routing devices.
When LSAs result in changes to the routing device’s LSDB, the routing device forwards the
changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors.
OSPF routing updates occur only when changes occur, instead of periodically. For each new
route, if an adjacency is interested in that route (for example, if configured to receive static
routes and the new route is indeed static), an update message containing the new route is sent
to the adjacency. For each route removed from the route table, if the route has already been
sent to an adjacency, an update message containing the route to withdraw is sent.
The cost of an individual interface in OSPF is an indication of the overhead required to send
packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower
cost indicates a higher bandwidth.
Authentication
OSPF also allows packet authentication and uses IP multicast when sending and receiving
packets. This ensures less processing on routing devices that are not listening to OSPF packets.
It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing.
Typically, an AS will have one or more border routers (peer routers that exchange routes with
other OSPF networks) as well as an internal routing system enabling every router in that AS to
reach every other router and destination within that AS.
When a routing device advertises routes to boundary routers on other autonomous systems, it
is effectively committing to carry data to the IP space represented in the route being advertised.
For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another
router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to
its destination.
Configurable Parameters
In the Alteon Switched Firewall 4.0.2, OSPF parameters can be configured through the Command Line Interface (CLI) or Browser-Based Interface (BBI).
The CLI supports the following parameters: interface output cost, interface priority, dead and hello intervals, retransmission interval, and interface transmit delay.
Shortest Path First (SPF) interval—Time interval between successive calculations of the shortest path tree using Dijkstra’s algorithm.
Stub area metric—A stub area can be configured to send a numeric metric value such that
all routes received via that stub area carry the configured metric to potentially influence
routing decisions.
Defining Areas
If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas.
Since the backbone connects the areas in your network, it must be a contiguous area. If the backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the AS will be unreachable, and you will need to configure virtual links to reconnect the partitioned areas (see “Virtual Links” on page 77).
An OSPF area is defined by assigning two pieces of information—an area index and an area
ID. The command to define an OSPF area is as follows:
NOTE – The aindex option above is an arbitrary index used only on the Alteon Switched
Firewall and does not represent the actual OSPF area number. The actual OSPF area number is
defined in the id portion of the command as will be explained below.
For example, the following commands define OSPF area 1 because that information is held in
the area ID portion of the command, even though the arbitrary area indexes do not agree with
the area IDs:
NOTE – Although both types of area ID formats are supported, be sure that the area IDs are in
the same format throughout an area.
For example, the following commands could be used to configure IP interface 14 for a presence on the 10.10.10.1/24 network, to define OSPF area 1 using index 2 on the Alteon Switched Firewall, and to attach the area to the network:
Interface Cost
The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a
tree and determines the cumulative cost required to reach each destination. Usually, the cost is
inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.
You can manually enter the cost for the output route with the following commands:
DR and BDR elections are made through the hello process. The election can be influenced by
assigning a priority value to the OSPF interfaces. The commands are as follows:
A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 specifies that
the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the
higher router ID wins.
Summarizing Routes
Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size.
Summary routes can be defined for up to 256 IP address ranges using the following command:
where range number is a number from 1 to 256, IP address is the base IP address for the range,
and subnet mask is the IP address mask for the range. For a detailed configuration example, see
“Example 3: Summarizing Routes” on page 89.
Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases
where this is not possible, you can use a virtual link. Virtual links are created to connect one
area to the backbone through another non-backbone area (see Figure 5-1 on page 69).
The area which contains a virtual link must be a transit area and have full routing information.
Virtual links cannot be configured inside a stub area or NSSA. The area type must be defined
as transit using the following command:
The virtual link must be configured on the routing devices at each endpoint of the virtual link,
though they may traverse multiple routing devices. To configure an Alteon Switched Firewall as
one endpoint of a virtual link, use the following commands:
where link number is a value between 1 and 64, area index is the OSPF area index of the transit area, and router ID is the router ID of the virtual neighbor (nbr), the routing device at the target endpoint. Another router ID is needed when configuring the virtual link in the other direction. To provide the Alteon Switched Firewall with a router ID, see the following section, “Router ID”.
For a detailed configuration example, see “Example 2: Virtual Links” on page 85.
Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP
address format. The IP address of the router ID is not required to be included in any IP inter-
face range or in any OSPF area.
Authentication
OSPF protocol exchanges are authenticated so that only trusted devices can participate. Alteon Switched Firewall 4.0.2 supports simple authentication (plain text passwords) and MD5 authentication (encrypted data and passwords) among neighboring routing devices in an area.
Simple Authentication
OSPF simple passwords are configured and enabled individually for each defined interface and virtual link. Plain text passwords can be up to eight characters long.
MD5 Authentication
OSPF MD5 passwords use strong cryptographic authentication to protect data and passwords. To preserve security, MD5 passwords should be changed frequently.
MD5 passwords are configured and enabled individually for each defined interface and virtual
link. MD5 passwords are defined with a key ID (1-255) and a password up to 16 characters.
Similarly, for virtual links the following CLI commands can be used:
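What the two authentication types put on the wire, as an added example written for this page (not Nortel's implementation): simple authentication carries the password in the OSPF header, while MD5 authentication follows RFC 2328 Appendix D, keying a digest over the packet with the (up to 16 byte) password and carrying a key ID and sequence number. Router IDs, area IDs, key IDs and passwords are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not Nortel code. Router/area IDs, key IDs and passwords are constructed.
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPT = 0, 1, 2
# OSPFv2 header: version, type, length, router ID, area ID, checksum, autype, 8-byte auth field
OSPF_HDR = "!BBH4s4sHH8s"


def _ip4(s):
    return bytes(int(octet) for octet in s.split("."))


def ospf_packet(ptype, router_id, area_id, body, autype, auth_field):
    """Header plus body; the header checksum is left at 0 for brevity (it is
    zero by definition with cryptographic authentication)."""
    length = 24 + len(body)
    return struct.pack(OSPF_HDR, 2, ptype, length, _ip4(router_id), _ip4(area_id),
                       0, autype, auth_field) + body


def simple_auth_packet(ptype, router_id, area_id, body, password):
    """Simple authentication: the password itself (max 8 bytes) is the auth field."""
    return ospf_packet(ptype, router_id, area_id, body, AUTH_SIMPLE,
                       password.encode().ljust(8, b"\x00"))


def md5_auth_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Cryptographic authentication: the auth field carries key ID, digest
    length and a sequence number; MD5(packet || key padded to 16 bytes) is
    appended after the packet and the key never leaves the router."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_packet(ptype, router_id, area_id, body, AUTH_CRYPT, auth_field)
    digest = hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()
    return pkt + digest


def verify_md5_auth(pkt, keys, last_seq):
    """Receiver side. `keys` maps key ID -> password; `last_seq` is the highest
    sequence number already accepted from this neighbour, so a replayed packet
    with an older number is refused. Returns (accepted, sequence_to_remember)."""
    if len(pkt) < 24:
        return False, last_seq
    _, _, length, _, _, _, autype, auth_field = struct.unpack(OSPF_HDR, pkt[:24])
    if autype != AUTH_CRYPT or len(pkt) != length + 16:
        return False, last_seq
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth_field)
    key = keys.get(key_id)
    if key is None or digest_len != 16 or seq < last_seq:
        return False, last_seq
    expected = hashlib.md5(pkt[:length] + key.encode().ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return False, last_seq
    return True, seq
```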
You can configure up to 5 GRE tunnels on an OSPF network. All GRE-OSPF packets are forwarded to the Management IP address (MIP). If GRE packets are IPSec, the IPSec-GRE-OSPF encrypted packets are decrypted by Check Point software and are then forwarded by GRE to the MIP.
In this release, static GRE routes cannot be propagated in the unicast route table via the Command Line Interface (CLI). GRE loopback interfaces are also not supported.
In Figure 5-3 the OSPF network is on the GRE interface 50.1.1.0/24; the GRE tunnel end points are on physical interface 3.
[Figure 5-3: GRE Tunnel between ASF-California and ASF-New York, with 30.1.1.2/8 and 20.1.1.2/8 at the physical ends]
To configure for GRE tunneling support, do the following on ASF-California and ASF-New
York firewalls:
1. Configure the two firewalls ASF-California and ASF-New York for basic operation.
Configure IP interfaces
Define the OSPF areas
Configure OSPF interface parameters
Enable OSPF on the GRE interface (do not enable OSPF on physical interface 3)
NOTE – A physical interface must be configured for the GRE Tunnel end points. In Figure 5-3
physical interface 3 is configured for each of GRE tunnel end points, 20.1.1.1 and 30.1.1.1.
NOTE – Make sure OSPF is enabled on the GRE tunnel interface (50.1.1.0) only. To avoid infinite loops, do not configure OSPF on the 20.1.1.1/8 or 30.1.1.1/8 networks. For more information, see “Avoiding Loops in the GRE Tunnel” on page 82.
>> # /i/n/gre
GRE Tunnel Information
Num GRETunnel Phylcl Phyrmte GRElcl GRErmte GREMask
=== ======= ===== ====== ===== ===== ======
1 tunnel_one 30.1.1.1 20.1.1.1 50.1.1.1 50.1.1.2 255.255.255.255
>> # /i/n/r/table
Route Table Information
30 total routes:
Num Destination Gateway Metric Source Vlan Vnic
=== =========== ======= ====== ====== ==== ====
1 default 30.1.1.2 gw 30 v30
2 11.0.0.0/8 50.1.1.2 20 ospf <unreachable?>
3 20.0.0.0/8 50.1.1.2 20 ospf <unreachable?>
The above screen shows that a loop exists because data packets on the GRE tunnel end point
(50.1.1.2 subnet) and the OSPF subnet (20.0.0.0 subnet) have the same destination.
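A check for the loop condition shown in the two listings above, added for this page and not part of the Nortel CLI: a tunnel is recursive when the route used to reach its remote physical endpoint (Phyrmte) itself points at the tunnel's remote GRE address (GRErmte). The table contents are constructed to match the listings.

```python
import ipaddress

# Added example, not Nortel code. The two tables are constructed from the listings above.
GRE_TUNNELS = """
1 tunnel_one 30.1.1.1 20.1.1.1 50.1.1.1 50.1.1.2 255.255.255.255
"""
ROUTE_TABLE = """
1 default 30.1.1.2 gw 30 v30
2 11.0.0.0/8 50.1.1.2 20 ospf
3 20.0.0.0/8 50.1.1.2 20 ospf
"""


def parse_tunnels(text):
    """Rows of /i/n/gre: Num GRETunnel Phylcl Phyrmte GRElcl GRErmte GREMask."""
    tunnels = []
    for line in text.strip().splitlines():
        _, name, _phy_local, phy_remote, _gre_local, gre_remote, _mask = line.split()
        tunnels.append({"name": name, "phy_remote": phy_remote, "gre_remote": gre_remote})
    return tunnels


def parse_routes(text):
    """Rows of /i/n/r/table: Num Destination Gateway ... ; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        dest = "0.0.0.0/0" if parts[1] == "default" else parts[1]
        routes.append((ipaddress.ip_network(dest, strict=False), parts[2]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; returns (network, gateway) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gateway in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def find_gre_loops(tunnels, routes):
    """Names of tunnels whose remote physical endpoint is reached through the
    tunnel itself: the encapsulated packet would be routed back into the tunnel."""
    looped = []
    for tunnel in tunnels:
        match = lookup(routes, tunnel["phy_remote"])
        if match is not None and match[1] == tunnel["gre_remote"]:
            looped.append(tunnel["name"])
    return looped
```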
1. Configure IP interfaces.
One IP interface is required for each desired network (range of IP addresses) being assigned to
an OSPF area on the Alteon Switched Firewall.
[Figure: IF 1 10.10.7.1 on network 10.10.7.0/24; IF 2 10.10.12.1 on network 10.10.12.0/24]
2. Enable OSPF.
>> OSPF Area index 1 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 1 # type stub (Define area as stub type)
>> OSPF Area index 1 # ena (Enable the area)
3. Enable OSPF.
If OSPF is already enabled, then you must disable and enable OSPF for the router ID to be
active.
>> OSPF Area index 1 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 1 # ena (Enable the area)
>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)
The nbr router ID configured in this step must be the same as the router ID that will be config-
ured for ASF 2 in Step 2 on page 88.
3. Enable OSPF.
If OSPF is already enabled, then you must disable and enable OSPF for the router ID to be
active.
>> OSPF Area Index 0 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area Index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area Index 1 # ena (Enable the area)
>> OSPF Area Index 1 # ../aindex 2 (Select the menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.2 (Set the area ID for OSPF area 2)
>> OSPF Area Index 2 # type stub (Define area as stub type)
>> OSPF Area Index 2 # ena (Enable the area)
>> OSPF Area Index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # aindex 1 (Attach network to transit area index)
>> OSPF Interface 1 # ena (Enable the transit area interface)
Only the endpoints of the virtual link are configured. The virtual link path may traverse multi-
ple routers in an area as long as there is a routable path between the endpoints.
If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area.
The following example shows one summary route from area 1 (stub area) injected into area 0 (the backbone). The summary route consists of all IP addresses from 36.128.192.0 through 36.128.254.255.
[Figure: Backbone Area 0 (0.0.0.0) with IF 1 10.10.7.1 on network 10.10.7.0/24; Stub Area 1 (0.0.0.1) with IF 2 36.128.192.1 on network 36.128.192.0/18; the ABR between them advertises the summary route]
NOTE – You can also specify an address range to prevent advertising by using the hide option
on the OSPF Summary Range Menu.
1. Configure IP interfaces for each network which will be attached to OSPF areas.
2. Enable OSPF.
>> OSPF Area index 1 # ../aindex 2 (Select menu for area index 2)
>> OSPF Area index 2 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # type stub (Define area as stub type)
>> OSPF Area index 2 # ena (Enable the area)
>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)
6. Configure route summarization by specifying the starting address and mask of the range
of addresses to be summarized.
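How the starting address and mask of a summary range follow from the area's subnets, as an added example written for this page (not Nortel code): it derives the single covering prefix for the area 1 subnets above and lists the blocks inside that prefix that no member subnet actually occupies, which the summary nevertheless advertises. The member subnets are constructed as 36.128.192.0/24 through 36.128.254.0/24.

```python
import ipaddress

# Added example, not Nortel code. Member subnets are constructed from the example above.
def summary_prefix(networks):
    """Smallest single prefix whose range covers every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Walk from /32 toward /0; the first prefix anchored at `lo` that reaches `hi` wins.
    for prefixlen in range(32, -1, -1):
        candidate = ipaddress.ip_network((lo, prefixlen), strict=False)
        if int(candidate.broadcast_address) >= hi:
            return candidate
    raise ValueError("no covering prefix")   # unreachable: /0 covers everything


def uncovered_blocks(networks, summary, block_prefix=24):
    """Blocks of size /block_prefix inside `summary` that lie in no member
    network. The summary advertises reachability for them although the ABR has
    no route there; they are candidates for the hide option."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [block for block in summary.subnets(new_prefix=block_prefix)
            if not any(block.subnet_of(n) for n in nets)]


def summary_range_command_args(networks):
    """(base address, subnet mask) as the summary range command expects them."""
    s = summary_prefix(networks)
    return str(s.network_address), str(s.netmask)
```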
[Figure 5-7: Alteon Switched Firewall between Router 1 (100.100.2.1, OSPF domain) and Router 2 (100.100.3.1, RIP domain); ASF interfaces 100.100.2.80 and 100.100.3.150]
In Figure 5-7 the Alteon Switched Firewall is configured as an ASBR between two domains,
RIP and OSPF. The ASF is connected to two routers, Router 1 in the OSPF domain and Router
2 in the RIP domain. ASF is required to advertise the RIP routes from the RIP domain into
OSPF. In this example, two IP interfaces are needed on the ASF: one for the OSPF domain on
100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.
1. Configure the IP interface to the backbone router for the OSPF domain that is connected
to port 1 of the Alteon Switched Firewall.
2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon
Switched Firewall.
6. Enable RIP for VLAN 2 and specify the RIP version if required.
Configure RIP in Router 2 and verify if the Alteon Switched Firewall and Router 2 are able to
send and receive routes between them. Configure Router 2 to send RIP routes to the Alteon
Switched Firewall. Verify the routing table on Router 1 and confirm that these routes are not
advertised and installed in Router 1, because it is not a RIP router.
When routes are redistributed, you must define a metric that the receiving protocol understands. If you want to change the metric of the redistributed route, then enter the new metric under /cfg/net/route/ospf/redist/rip/metric.
Verify if Router 1 is able to see all the routes from the RIP domain.
/info/net/route/ospf/routes
/info/net/route/ospf/lsa
/info/net/route/ospf/neigh
/info/net/route/ospf/if
/info/net/route/ospf/fib
/info/net/route/ospf/spf
An Intrusion Detection System gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches, which include both intrusions
(attacks from outside the organization) and misuse (attacks from within the organization).
IDS servers monitor traffic by performing in-depth traffic analysis and detect inappropriate,
incorrect, or anomalous activity on your network. Intrusion detection functions include:
Alteon Switched Firewall allows the switch to forward the IP packets to an Intrusion Detection server. You must enable IDS SLB on the port and allocate an IDS server group containing IDS servers. The IDS SLB-enabled Firewall copies all incoming packets to this group of intrusion detection servers. For each connection to the Firewall, a hashing algorithm is used to select the IDS server based on the client and server IP addresses.
The IDS server receives copies of all the processed frames that are forwarded to the destination
devices. Session entries are maintained so that all the frames of a given session are forwarded
to the same IDS server. ASF load balances ingress and egress traffic between IDS server
groups.
Each IDS server must be connected directly to a different Firewall Accelerator port because ASF uses link state to determine the health of the IDS server. Because the traffic is mirrored to the IDS ports, connecting multiple IDS servers to a single Accelerator port via a hub or layer 2 switch will result in all IDS servers analyzing the same traffic as opposed to sharing the load.
An enforcement, NAAP, or monitor port cannot be enabled for IDS load balancing. A port that
is a member of one IDS group cannot be added to another IDS group. A single IDS group can
monitor traffic from multiple VLANs. An IDS group cannot be specified for automatic
VLANs.
Example 1
This example illustrates a basic configuration for load balancing client traffic on a single
VLAN to an IDS server group.
In Figure 6-1, ingress and egress traffic from Client 1 and 2 are being monitored by IDS servers 1 and 2. The client traffic enters the Firewall via layer 2 switches or routers.
[Figure 6-1: Alteon Switched Firewall with IF 1 192.168.1.1/24, IF 2 20.20.20.1 and IF 3 30.30.30.1; Client 1 20.20.20.88 and Client 2 20.20.20.90 on the IF 2 side, Server 1 30.30.30.66 and Server 2 30.30.30.67 on the IF 3 side; IDS servers attached to Accelerator ports 5 and 6]
To configure your switch for load balancing IDS servers, do the following:
NOTE – Each IDS server must be connected directly to a different switch port. Link health
check is performed to check the status of the IDS servers.
Connect IDS server 1 and IDS server 2 to port 5 and port 6 respectively on the Firewall Accelerator 6600.
The client traffic is load balanced between the two IDS servers. The hashing algorithm which
hashes on both source and destination IP addresses ensures that all the ingress/egress traffic
from Client 1 is copied to IDS server 1 and all the ingress/egress traffic from Client 2 is copied
to IDS server 2.
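The property the hashing algorithm has to provide, as an added example written for this page and not Nortel's own algorithm: hashing the client and server addresses in an order-independent way makes the request and the reply of one session land on the same IDS port, while only ports with link up are candidates. The addresses and port numbers follow Figure 6-1; the hash function and server names are assumptions.

```python
import hashlib
import ipaddress

# Added example, not Nortel's hashing algorithm. Ports and addresses follow Figure 6-1;
# the hash function and the server names are assumptions.
IDS_PORTS = {5: "IDS server 1", 6: "IDS server 2"}   # Accelerator port -> IDS server


def session_key(ip_a, ip_b):
    """Order-independent key: (client, server) and (server, client) hash alike."""
    lo, hi = sorted((int(ipaddress.ip_address(ip_a)), int(ipaddress.ip_address(ip_b))))
    return lo.to_bytes(4, "big") + hi.to_bytes(4, "big")


def select_ids_port(src_ip, dst_ip, link_up_ports):
    """IDS port that receives copies of this session, or None when no IDS port
    has link (link state is the only health check applied to IDS servers)."""
    candidates = sorted(p for p in link_up_ports if p in IDS_PORTS)
    if not candidates:
        return None
    digest = hashlib.sha256(session_key(src_ip, dst_ip)).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def mirror_plan(flows, link_up_ports):
    """Map each (src, dst) flow to the IDS port it is copied to."""
    return {flow: select_ids_port(flow[0], flow[1], link_up_ports) for flow in flows}


def sessions_rehashed(flows, ports_before, ports_after):
    """Number of sessions that change IDS server when port health changes;
    each such session is then seen only partially by either server."""
    before, after = mirror_plan(flows, ports_before), mirror_plan(flows, ports_after)
    return sum(1 for flow in flows if before[flow] != after[flow])
```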
Example 2
A single IDS group can monitor traffic from multiple VLANs. This example shows the Firewall configuration in a high availability environment with an IDS group of servers monitoring multiple VLANs. The mirrored traffic sent to the IDS servers will be VLAN-tagged, so the IDS servers should be capable of handling VLAN-tagged traffic.
In this example, the IDS port on the Accelerator is VLAN-tagged. Also, the inter Accelerator
port is always tagged when IDS load balancing is enabled. However, this is done internally by
the Alteon Switched Firewall. You must not enable VLAN tagging manually on the IDS ports
or the inter accelerator port.
When you add a port to an IDS group, the port on both Firewall Accelerators is configured as an IDS port. You can choose to connect an IDS server to one of the Accelerators on that specific port. For IDS high availability, you must connect at least one IDS server on both the Accelerators.
Figure 6-2 illustrates two Firewall Accelerators 6600 installed in a redundant configuration. Both Firewalls are monitoring client traffic on two different VLANs with 2 IDS servers. The client traffic enters the Firewall via layer 2 switches. In this example, the Firewall Accelerator (master) performs IDS load balancing on both ingress and egress client traffic.
[Figure 6-2: Redundant Firewall Accelerators, Master 10.10.1.101 and Backup 10.10.1.102; Client 1 (VLAN 10) 20.20.20.88 and Client 2 (VLAN 20) 25.25.25.60; Server 1 30.30.30.66 and Server 2 30.30.30.67; Management Console 192.168.1.41]
To configure your switch for load balancing IDS servers, do the following:
NOTE – Each IDS server must be connected directly to a different switch port. Link health
check is performed to check the status of the IDS servers.
For example, continuing with the network shown in Figure 6-2 on page 101, two VLANs
(VLAN 10 and 20) are being monitored on two IP interfaces: IP Interface #2 uses 20.20.20.1
and IP interface #3 uses 25.25.25.1. To configure the VRRP on each IP interface, refer to the
commands shown in the example in Step 5 on page 110.
Make sure that all virtual routers have unique VRRP group IDs. The VRRP group IDs should be unique not only within the ASF configuration, but also between other VRRP devices on the same segment as your ASF. The VRRP group ID is set using the command cfg/net/adv/vrrp/vrid. For more information on the command, see “Advanced VRRP Configuration Menu” on page 322.
The client traffic is load balanced between the two IDS servers. The hashing algorithm, which hashes on both source and destination IP addresses, ensures that all the ingress/egress traffic from VLAN 10 (Client 1 network) and from VLAN 20 (Client 2 network) is copied to IDS Group 1 servers.
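The following is an added model, not Nortel's code, of why an IDS load balancer hashes on both IP addresses: the real Alteon hash function is not documented here, so the order-independent hash below is an assumption, and the traffic and IDS group addresses are constructed from Figure 6-2. It shows that every packet of a flow, in both directions, reaches the same IDS server, which is what lets the sensor reassemble a whole conversation.

```python
"""Model of IDS load balancing that hashes on source and destination IP.

Added example (not the Alteon implementation). The order-independent hash
is an assumption chosen to illustrate the property the guide relies on:
ingress and egress packets of one flow are mirrored to the same sensor.
"""
import hashlib
import ipaddress

# Constructed sample IDS group: the two servers shown in Figure 6-2.
IDS_GROUP_1 = ("30.30.30.66", "30.30.30.67")


def _ip_bytes(ip: str) -> bytes:
    return int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")


def flow_key(src: str, dst: str) -> bytes:
    """Order-independent key: (src, dst) and (dst, src) give the same bytes."""
    lo, hi = sorted((_ip_bytes(src), _ip_bytes(dst)))
    return lo + hi


def select_ids_server(src: str, dst: str, group=IDS_GROUP_1) -> str:
    """Pick the IDS server for a packet by hashing both IP addresses."""
    digest = hashlib.sha256(flow_key(src, dst)).digest()
    return group[int.from_bytes(digest[:4], "big") % len(group)]


def select_by_source_only(src: str, dst: str, group=IDS_GROUP_1) -> str:
    """Contrast: hashing only the source can send the reply to another sensor."""
    digest = hashlib.sha256(_ip_bytes(src)).digest()
    return group[int.from_bytes(digest[:4], "big") % len(group)]


def mirror(packets, chooser=select_ids_server, group=IDS_GROUP_1):
    """Return {server: [packets]} as the Accelerator would copy them."""
    out = {server: [] for server in group}
    for src, dst in packets:
        out[chooser(src, dst, group)].append((src, dst))
    return out


def flows_kept_together(packets, chooser=select_ids_server, group=IDS_GROUP_1) -> bool:
    """True if each packet and its reply are mirrored to the same server."""
    return all(chooser(s, d, group) == chooser(d, s, group) for s, d in packets)


if __name__ == "__main__":
    # Constructed traffic: Client 1 (VLAN 10) and Client 2 (VLAN 20) talking
    # to a host in the documentation range, plus the reply packets.
    forward = [("20.20.20.88", "192.0.2.10"), ("25.25.25.60", "192.0.2.10")]
    packets = forward + [(d, s) for s, d in forward]
    for server, pkts in mirror(packets).items():
        print(server, pkts)
    print("both directions together:", flows_kept_together(packets))
```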
A redundant Firewall Accelerator and extra Firewall Directors can be added to create a high-availability firewall. With a high-availability solution, the failure of any single component or network link will not cause the firewall to fail.
Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline.
Firewall Directors can be synchronized to provide stateful failover of sessions. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.
Each of these avenues for expansion is discussed in detail in the following sections:
105
217014-A, November 2004
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
For high-availability, each Firewall Accelerator is attached to the same networks using the
same ports, and each has at least one Firewall Director. One of the Firewall Accelerators in this
network acts as the master, and the other acts as a backup. Selection of the master is performed
using Virtual Router Redundancy Protocol (VRRP).
The master Firewall Accelerator performs load balancing and firewall acceleration services for
all active Firewall Directors in the cluster, including those that are attached to the backup.
While the master Firewall Accelerator is healthy, the backup is passive and merely provides
connectivity between its attached Firewall Directors and the master Firewall Accelerator. The
backup mirrors sessions on the master, and will take over if the master fails.
Requirements
The installation of a redundant Firewall Accelerator is handled as an expansion to an existing cluster and requires the following:
A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in the Alteon Switched Firewall Hardware Installation Guide.
The basic cluster must already be configured with basic parameters as described in Chapter 2, “Initial Setup.”
Optionally, the basic cluster can include additional Firewall Directors (attached to the master Firewall Accelerator), installed as described in “Adding Firewall Directors” on page 111.
The redundant Firewall Accelerator being added must be identical to the existing Firewall Accelerator. You cannot mix different models of Firewall Accelerator in the same cluster.
NOTE – No Firewall Directors should be attached to the redundant Firewall Accelerator while
it is being initially installed and configured.
3. Connect the power cable for the new Firewall Accelerator, but do not turn it on yet.
Heed the power precautions and attach power as described in the Alteon Switched Firewall
Hardware Installation Guide.
If dual physical connectors are available on the IAP, the connection can be made using either the gigabit LC fiber optic connector, the 10/100/1000 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the copper link is used as the backup. The active link is then selected according to the redundant connector rules (see the Alteon Switched Firewall Hardware Installation Guide).
5. Connect the trusted, untrusted and semi-trusted network feeds to the new Firewall Accelerator.
NOTE – For redundant operation, the same networks which are connected to the master Firewall Accelerator must be connected to the redundant Firewall Accelerator. Be sure to connect each network to the same port on both Firewall Accelerators.
In this example, since Network A is on port 1 and Network B is on port 2 of the master Firewall Accelerator, we must connect Network A to port 1 and Network B to port 2 on the backup as well.
NOTE – The Firewall Accelerator cannot be configured through its own console port. Instead,
configuration is performed using the Command Line Interface (CLI) as discussed in Chapter
10, or the Browser-Based Interface (BBI) as discussed in Alteon Switched Firewall Browser-
based Interface Guide. The following procedures focus on the CLI method.
2. Verify that the redundant Firewall Accelerator’s MAC address has been detected.
Use the following command to verify whether auto-discovery is enabled and to display the
detected MAC addresses:
>> # /info/det
If the MAC addresses have been correctly detected, proceed to Step 3. However, if auto-discovery is disabled, you can set the MAC address of the new Firewall Accelerator using the following command:
>> # /cfg/acc
>> Accelerator Configuration# ac2/mac <MAC address>
The redundant Firewall Accelerator IP address must be a unique address on the same subnet as
the master Firewall Accelerator.
For example, continuing with the network shown in Figure 2-1 on page 27, there are two IP
interfaces: IP Interface #1 uses 10.1.1.1 on Network A, and IP interface #2 uses 10.2.0.1 on
Network B. The following configuration commands could be used:
Make sure that all virtual routers have unique VRRP group IDs. The VRRP group IDs should
be unique not only within the ASF configuration, but also between other VRRP devices on the
same segment as your ASF. The VRRP group ID is set using the command
cfg/net/adv/vrrp/vrid. For more information on the command, see “Advanced
VRRP Configuration Menu” on page 322.
Requirements
The installation of additional Firewall Directors is handled as an expansion to the existing cluster and requires the following:
A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in the Alteon Switched Firewall Hardware Installation Guide.
The basic cluster must already be configured with basic parameters as described in Chapter 2, “Initial Setup.”
Optionally, the cluster can include a redundant Firewall Accelerator installed and configured as described in “Adding a Second Firewall Accelerator” on page 106.
The redundant Firewall Director being added must be identical to the existing Firewall Director.
The following criteria are required to facilitate proper integration of the new equipment with
the established cluster:
CAUTION—Any Firewall Director being added to the cluster must have the same version of Firewall OS as the other Firewall Directors in the cluster. See Chapter 8, “Upgrading the Software,” for more information.
CAUTION—Also, any Firewall Director being added to the cluster must be set to the factory default mode. If moving a previously configured Firewall Director from another established cluster, you must first delete the Firewall Director from the old cluster to reset its configuration. For more information, see the delete command in the SFD Host menu on page 206.
3. Connect the power cable for the new Firewall Director, but do not turn it on yet.
Heed the power precautions noted and attach power as described in the Alteon Switched Firewall Hardware Installation Guide.
To change the Firewall Accelerator uplink ports, see “Changing the Firewall Accelerator
Ports” on page 125.
NOTE – See the Alteon Switched Firewall Hardware Installation Guide for cable information.
NOTE – The newly added Firewall Director will not become fully operational until configuration is complete (see “Configuring the New Firewall Director” on page 112), trust is established with the Check Point management console, and firewall policies are loaded.
To utilize Plug N Play, the cluster must be pre-configured with resource information, consisting of a list of available IP addresses. If local licensing is used, Check Point licenses must also be added. Then, when each new Firewall Director is detected, the cluster will automatically assign the pre-configured resources and bring the new device into the cluster.
By default, the Plug N Play feature is enabled without resources. The following procedure is used to enable Plug N Play and add resources. If you instead wish to configure the new Firewall Director manually, see “Manually Adding a Firewall Director” on page 120.
NOTE – When using Plug N Play, do not log in to the newly installed Firewall Director’s serial
port. Instead, connect to the cluster MIP address using established equipment.
>> # /cfg/pnp/cur
If Plug N Play is enabled, and valid IP addresses and Check Point licenses are listed as
unused, pre-configuration of resources has already been done and you can proceed to “Add
Policies for the New Firewall Director” on page 114.
If Plug N Play is disabled, you must either enable it or configure the new Firewall Director
manually. See “Manually Adding a Firewall Director” on page 120 for manual configuration.
Otherwise, to enable Plug N Play, use the following command:
4. If local licensing is used, enter Check Point licensing information for the new Firewall
Director.
You will be prompted whether to add a Check Point license at this time:
NOTE – If central licensing is used, enter n at the prompt. With central licensing, the license
must be pushed from the management server before the firewall policy can be installed. For
more information, see Chapter 2, “Initial Setup,” Step 8 on page 51.
If local licensing is used, enter y at the prompt. You will then be asked to specify the following
information:
The license information will be part of your Check Point package. The expected information
will appear similar to the following example:
Expiry date: 02aug2003
Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn
Be sure to enter the information exactly as shown on your specific Check Point license.
NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.
Leave the Workstation Properties window open for use in the next step.
To establish SIC, click on the Communication button in the Workstation Properties window.
The Communications window will appear:
Enter the same one-time SIC password that was defined when adding the new Firewall Director to the cluster in Step 3 on page 113 and click on the Initialize button.
The management station (SmartCenter) will attempt to contact the Firewall Director and
exchange security information. When successful, the window will indicate “Trust established.”
NOTE – Trust cannot be established if the cluster firewall software has been disabled
(/cfg/fw/dis).
NOTE – If local licensing was used when adding the new Firewall Director to the cluster in
Step 4 on page 114, skip this step.
Use the SmartUpdate module to enter central licenses. For more information on installing
licenses, refer to “Using Central Licensing” on page 2-51.
To verify that the central license is installed properly, login as root on the Firewall Director
and issue the following command:
If this is the first time you are adding a Firewall Director to an established cluster, you must
create a gateway cluster object. If you created the gateway cluster object during a previous
installation, there is no need to repeat this step.
To create a new gateway cluster object, right click on “Check Points”, “New”, and then “Gateway Cluster” in the Network Objects tree on the left side of the window. The Gateway Cluster properties tab will be displayed.
Click on the Cluster Members tab to add Firewall Directors as cluster members.
Select a Firewall Director and click OK. This process has to be repeated until all the Firewall
Directors in the cluster are added as members.
Select the Security - Standard tab and right click on INSTALL ON column in the table. Select
Add | Targets to show a list of gateway clusters.
Select the Alteon Switched Firewall gateway cluster object and click OK.
10. Click on the 3rd Party Configuration tab to specify the 3rd party solution.
This completes the procedure to add policies to the new Firewall Director.
The following procedure requires the Firewall Director to be physically installed as described
in “Installing the New Firewall Director” on page 112. This includes mounting the device,
powering it on, and connecting it to an existing cluster.
NOTE – A new Firewall Director cannot be configured manually through the cluster MIP
address. Access the CLI directly through the serial port of the device being installed (see
Alteon Switched Firewall Hardware Installation Guide).
login: admin
Password: admin (not displayed)
NOTE – Since the new Firewall Director is still set to factory defaults, you must use the default admin password regardless of whether the password has been changed on the rest of the cluster.
>> Setup#
4. Follow the onscreen prompts to manually configure the new Firewall Director.
>> # /cfg/pnp/add
Enter the IP Address: 10.10.1.2
Enter the Expiry date for the License:25Oct2003
Enter the Feature string:cpsuite-eval-3des-ng CK-FDFA9AA20D27
Enter the License string:aWkxm4Pj6-zbcfsY7Ju-AUsu8FKvS-KrsokXokv
When synchronizing the Firewall Directors, isolate the synchronization traffic using dedicated
ports (10/100/1000 Mbps port 2) on the Firewall Directors. Using the dedicated ports requires
additional cabling, but can provide better performance under heavy traffic.
To achieve stateful failover, synchronization must be configured both on the Alteon Switched
Firewall and on the Check Point management server as follows:
>> # /cfg/fw/sync/cur
2. Synchronize with dedicated ports defining a network for use with the synchronization
traffic.
When using the dedicated ports, a unique network address should be used for synchronization
traffic. This network should not be on the same subnet as the MIP. For example:
NOTE – The synchronization network uses the same subnet mask specified in the System
Menu netmask option (/cfg/sys/netmask) to define the synchronization network
range.
4. Using the SmartDashboard management tool, update the firewall interface information.
Start the SmartDashboard application on your management client station. From within the
SmartDashboard, select a Firewall Director in the cluster and edit its properties. Select the
Topology tab in the Properties window and click on the Get Interfaces button.
Verify that the list of detected interfaces includes the appropriate Ethernet device with an IP address on the synchronization network defined in Step 2. For example, the appropriate Ethernet device for ASF 5014 would be FE2.
Check for a gateway cluster object representing the Alteon Switched Firewall. This object should have been created when a new Firewall Director was initially added to the existing cluster. If no object exists, see Step 8 through Step 9 starting on page 116.
6. Right click on the gateway cluster object and select Edit from the pop-up menu. When the properties dialog appears, select the Synchronization tab and check the “Use State Synchronization” box.
Click on the Add button to add a synchronization network and enter the following information:
Network Name: Enter your choice of network name to represent the synchronized network.
IP Address: Enter the base network IP address which will be used for synchronization. This should be the same address specified in Step 2.
Click OK to add the configured synchronization network.
7. From the SmartDashboard tool, re-install the security policies on the firewall cluster.
8. If using the dedicated synchronization ports, connect all Firewall Director SyncNet ports
together.
Connect synchronization port 2 on all Firewall Directors in the cluster. If connecting the ports directly together, use a crossover network cable. If connecting the ports through a hub or layer-2 switch, use a straight-through network cable.
If there are more than two Firewall Directors in the cluster, connect all of them together through a hub or layer-2 switch using straight-through network cables. In such a case, synchronization port 2 of all the Firewall Directors should be connected to the hub or layer-2 switch.
The IAP number must be the same for both Firewall Accelerators. Use the following commands to configure the IAP ports:
Where dual physical connectors are available on the Inter-Accelerator Port (IAP), connection can be made using either the gigabit LC fiber-optic connector, the 10/100/1000 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the 10/100/1000 Mbps copper link is used as the backup. The active link is then selected according to the redundant connector rules (see the Alteon Switched Firewall Hardware Installation Guide).
where fiber specifies the gigabit optical link and copper specifies the 10/100/1000
Mbps copper link.
To select the backup link:
To configure any Firewall Accelerator port for use with a Firewall Director, use the following
commands:
NOTE – By default, NAAP is enabled on port 12 of the Firewall Accelerator 6600 and on port
28 of the Firewall Accelerator 6400. If you plan to use port 12 and port 28 for network traffic,
make sure you disable NAAP on those ports.
However, network traffic can be attached to the Firewall Accelerator on any port where NAAP is disabled. To configure any Firewall Accelerator port for use with trusted, untrusted, or semi-trusted networks, use the following command to disable NAAP:
An Alteon Switched Firewall running software version 3.5.1.x, 3.5.2.1, 4.0.1 or higher
Command Line Interface (CLI) access to the Alteon Switched Firewall via local console
terminal or to the cluster MIP address through a remote Telnet or SSH connection.
The version 4.0.2 software upgrade package (identified by the .pkg extension) loaded on
an FTP server on your network. The FTP server must allow anonymous login.
The host name or IP address of the FTP server. If you choose to specify the host name,
please note that the DNS parameters must have been configured. For more information,
see the “DNS Servers Menu” on page 204.
See the product Readme file for any other upgrade limitations or restrictions.
Typically, the cluster Firewall Accelerator software is automatically upgraded along with the cluster Firewall Directors. However, to manually upgrade the Firewall Accelerator, see “Manually Upgrading the Firewall Accelerator” on page 351.
3. Load the Alteon Switched Firewall 4.0.2 upgrade package into the Alteon Switched Firewall.
To load the software package, log in to the Alteon Switched Firewall Command Line Interface (CLI) and issue the following menu command:
4. When prompted, enter the protocol FTP to download the upgrade package.
TFTP will not work because the upgrade package file is greater than 32MB.
ok
The downloaded software upgrade package is indicated with the status unpacked. In this
example, version 4.0.2 is being installed.
login:
NOTE – After activating the new version, the Firewall Directors will reboot. When they have rebooted, there may be a brief period of time during which the new menus may not yet be initialized. If this occurs, log out and then log back in again after a brief wait.
10. When the system reboots, log in again and check the software status:
In this example version 4.0.2 is now operational and will survive a reboot of the system, while
the software version previously indicated as permanent now is marked as old.
NOTE – At this point, your firewall will still be running, but may have turned firewall acceleration off.
Wait for the Firewall Director to reboot after the Check Point software upgrade.
11. In the SmartDashboard management tool on your management client, change the version ID of the firewall cluster object.
12. Push your policies to the upgraded Alteon Switched Firewall cluster.
Verifying compatibility
Identifying the type of upgrade you wish to install
Loading the new software upgrade package or install image onto an FTP server on your
network
Downloading the new software from the FTP server to your Alteon Switched Firewall
Activating the new software image on your Alteon Switched Firewall cluster.
Compatibility
When upgrading any software component, take care to ensure that appropriate and compatible
versions of software are installed. Be sure to check any accompanying product Readme file
and Release Notes for software compatibility and special installation instructions.
Types of Upgrade
There are three major classes of software upgrades that may be required for maintaining the Alteon Switched Firewall: those that affect the Alteon Switched Firewall SSI, those that target only the Alteon Switched Firewall’s built-in Check Point firewall software, and those that are installed on Check Point management stations outside the cluster.
Major Releases: This type of upgrade may contain important software corrections and feature enhancements for the Alteon Switched Firewall. It may affect any or all SSI components: the Firewall OS, Accelerator OS, or built-in Check Point firewall software.
The Alteon Switched Firewall will automatically reboot after a major upgrade, in order to
initialize new features. All configuration data is retained.
Minor Releases: This type of upgrade typically corrects minor software problems on the
Alteon Switched Firewall. All upgrades installed will require rebooting the cluster. All
configuration data is retained.
Patches: This type of upgrade corrects individual software issues on the Alteon Switched
Firewall. Patches are usually extremely small and target specific sub-files in the SSI.
Patches can usually be installed without rebooting the cluster, retaining normal operational
traffic flow. All configuration data is retained.
Check Point Feature Pack: This type of upgrade may contain important firewall software corrections and feature enhancements. This may be necessary to ensure compatibility with the Check Point software installed on the supporting management stations.
The Alteon Switched Firewall may automatically reboot after installation of a feature
pack. All configuration data is retained.
Check Point Hotfix: This type of upgrade corrects minor software problems in the Check
Point software built into the Alteon Switched Firewall. After installing Hotfixes, you must
reboot the cluster. All configuration data is retained.
CLI access via local console terminal or to the cluster MIP address through a remote Telnet or SSH connection.
The software upgrade package loaded on an FTP server on your network. The FTP server
must allow anonymous login.
The host name or IP address of the FTP server. If you choose to specify the host name,
please note that the DNS parameters must have been configured. For more information,
see the “DNS Servers Menu” on page 204.
A firewall rule that allows FTP traffic (and DNS traffic if using a host name) to pass to and
from the Firewall Directors.
The name of the software upgrade package (upgrade packages are identified by the .pkg
extension).
All of the cluster components cooperate to provide a single system view. Thus, you need only
to connect to the cluster MIP address to perform a cluster-wide software upgrade. The upgrade
will be automatically extended to all the cluster components which are in operation at the time
of the upgrade. All configuration data is retained.
Access can be accomplished via local serial port, or remote Telnet or SSH (Secure Shell) connection. Note, however, that Telnet and SSH connections are disabled by default, and if desired, must be manually configured after you have set up the initial cluster. For more information about enabling Telnet and SSH connections, see Chapter 10, “The Command Line Interface,” on page 145.
Once you have logged in to the CLI, use the following procedure.
2. When prompted, enter the protocol FTP to download the upgrade package.
3. When prompted, enter the host name or IP address of the FTP server.
4. Enter the name of the new software file on the FTP server.
ok
For minor and major releases, the software change takes place synchronously among the components in a cluster. If one or more components are not operational when the software is upgraded, they will be automatically upgraded with the new version when they are started.
NOTE – If more than one software upgrade has been performed to a cluster while a Firewall
Accelerator or Firewall Director has been out of operation, the device must be reinstalled with
the software version currently in use in that cluster. For more information see “Reinstalling the
Software” on page 137.
When you have downloaded the software upgrade package, you can inspect its status and activate it using the following commands.
The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one out of four possible status values. The meaning of these status values are as follows:
unpacked means that the software upgrade package has been downloaded and automatically decompressed.
current means that a software version marked as old or unpacked has been activated. As
soon as the system has performed the necessary health checks, the current status changes
to permanent.
permanent means that the software is operational and will survive a reboot of the system.
old means the software version has been permanent but is not currently operational. If a
software version marked old is available, it is possible to switch back to this version by
activating it again.
login:
As a result of running the activate command, you will be logged out and have to log in
again. The reason for this is the CLI menus may be upgraded. Wait until the login prompt
appears again, which may take up to two minutes depending on whether the system reboots.
In this example version 4.0.2.0 is now operational and will survive a reboot of the system,
while the software version previously indicated as permanent now is marked as old.
NOTE – If you encounter serious problems while running the new software version, you can
revert to the previous software version (now indicated as old). To do this, activate the software
version number indicated as old. When you log in again after having activated the old software
version, its status is indicated as current for a short while. After about one minute, when the
system has performed the necessary health checks, the current status is changed to permanent.
Reinstallation resets the Firewall Director configuration to factory defaults. All previous data and software are erased, including old software image versions and upgrade packages.
2. Obtain an Alteon Switched Firewall bootable CD-ROM and place it in the Firewall
Director CD-ROM drive.
3. Reboot the Firewall Director: issue and confirm the following command:
>> # /boot/reboot
4. When the system reboots, login as root (no password is necessary when booting from
the CD-ROM).
root
6. Wait for the installation script to finish. If the Firewall Director doesn't reboot automatically, take the software CD-ROM out and reboot the Firewall Director.
Management Tools
The Alteon Switched Firewall provides the following system management tools:
The default user names and passwords for each access level are listed in Table 9-1. User names
and passwords are case sensitive.
User Name | Password | Description
oper | oper | The operator login is available through the CLI and BBI. The operator has no direct responsibility for system management. He or she can view all configuration information and operating statistics, but cannot make any configuration changes.
admin | admin | The administrator login is available through the CLI and BBI. The administrator has complete access to all menus, information, and configuration commands on the system, including the ability to add users and change passwords.
boot | ForgetMe | The boot login is available only through a local console terminal. The boot user can restore default passwords by reinstalling the Firewall Director software if no other method of access is available (see “Recovering from a Lock-Out” on page 355). To ensure that one avenue of access is always available in case all passwords are changed and lost, the boot user password cannot be changed.
root | ForgetMe | The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root user functions are outside the scope of this documentation.
NOTE – It is recommended that you change all the default passwords after initial configuration
and as regularly as required under your network security policies. For more information, see
“User Menu” on page 237 for CLI command or the Alteon Switched Firewall Browser-based
Interface Guide for BBI forms.
Through the SSI, most configuration commands affect the entire Alteon Switched Firewall
cluster. In general, features cannot be enabled or disabled on individual Firewall Directors.
The SSI is also used when updating system software. Just as with configuration changes, software updates installed at any CLI or BBI management point are automatically installed on all other components as required.
This chapter describes how to access the CLI locally through any Firewall Director serial port,
or remotely using a Telnet or Secure Shell (SSH) client. It also provides a list of commands
and shortcuts that are commonly available from all the menus within the CLI. The CLI is
described in following sections:
NOTE – Before the CLI can be used, minimal configuration must be performed as discussed in
Chapter 2, “Initial Setup” on page 25.
Once the connection is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main
Menu” on page 154).
The remote access list allows the administrator to specify IP addresses or address ranges that
are permitted remote access to the system. There is only one remote access list which is shared
by all remote management features.
If a client whose IP address is not on the list requests remote management access, the request is
dropped. By default, the access list is empty, meaning that all remote management access is
initially disallowed.
When a client’s IP address is added to the access list, that client is permitted to access all
enabled remote management features. For example, if only the Telnet feature is enabled, the
client will be able to use Telnet to reach the CLI. If the BBI is also enabled, the same client will
be able to use their Web-browser to manage the system without any changes being made to the
access list.
NOTE – When a remote management feature is enabled, access will not be allowed if the
access list is left empty. Add all trusted management clients to the access list when initially
enabling any remote management feature. It is also vital that you review the access list regu-
larly and keep it up to date.
>> # /cfg/sys/accesslist/list
>> # /cfg/sys/accesslist
>> Access List# add <base IP address to permit> <network mask for range>
The add command can be repeated for as many remote managers as required. For example, to
allow IP addresses 201.10.14.7 and 214.139.0.0/24 to access remote management features, the
following commands could be used:
NOTE – Although each remote management feature (Telnet, SSH, and BBI) can be enabled or disabled independently, all share the same access list. All addresses on the access list are permitted to access any enabled management feature. You cannot enable SSH for some and Telnet for others.
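The following is a worked model of the access-list semantics described above. It is an added example, not code from the Nortel manual or from the appliance itself. It reproduces the two entries of the manual's example as (base IP address, network mask) pairs in the form the add command takes, treats an empty list as deny-all (the documented default), and shows that one permitted client reaches every enabled feature because the list is shared. The feature names and the extra client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample list mirroring the manual's example: one single host and
# one /24 range, each given as (base IP address, network mask) exactly as the
# `add` command takes them. These are not addresses from a real deployment.
SAMPLE_ACCESS_LIST = [
    ("201.10.14.7", "255.255.255.255"),
    ("214.139.0.0", "255.255.255.0"),
]


def build_access_list(entries):
    """Convert (base IP, mask) pairs into ipaddress network objects.

    strict=False so that a base address with host bits set (for example
    10.1.2.3 with mask 255.255.255.0) is masked down rather than rejected."""
    return [
        ipaddress.ip_network(f"{base}/{mask}", strict=False)
        for base, mask in entries
    ]


def is_permitted(client_ip, access_list):
    """True if client_ip falls inside any entry of the list.

    An empty list denies everyone: that is the appliance's documented default,
    so enabling Telnet/SSH/BBI without populating the list locks everybody out."""
    if not access_list:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in access_list)


def reachable_features(client_ip, access_list, enabled_features):
    """The list is shared: a permitted client may use every enabled feature,
    and there is no way to grant SSH to one client but Telnet to another."""
    if not is_permitted(client_ip, access_list):
        return set()
    return set(enabled_features)


def audit(clients, entries, enabled_features):
    """Summarise, per client, which remote management features it could reach."""
    acl = build_access_list(entries)
    return {c: sorted(reachable_features(c, acl, enabled_features)) for c in clients}
```

Running audit over the management clients you expect to see, with the features you have enabled, gives a quick check that the list grants exactly the access intended and nothing more.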
Using Telnet
A Telnet connection allows convenient management of the Alteon Switched Firewall from any
workstation connected to the network. Telnet access provides the same management options as
those available through the local serial port.
By default, Telnet access is disabled and all remote access is restricted. Depending on the
severity of your security policy, you may enable Telnet and permit remote access to one or
more trusted client stations.
NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, consider using Secure Shell (SSH) (see “Using Secure Shell” on page 150).
2. Check that the Firewall Directors are configured with proper IP addresses.
Each Firewall Director requires its own unique IP address, as well as one Management IP
(MIP) address which represents the entire Alteon Switched Firewall cluster. These IP
addresses are configured during the initial setup of the cluster (see Chapter 2, “Initial Setup,”
on page 25).
>> # /cfg/sys/adm/telnet/ena
>> Administration Applications# apply
NOTE – The telnet command affects the entire Alteon Switched Firewall cluster. Telnet
access cannot be enabled or disabled on individual Firewall Directors.
5. Use the Check Point SmartDashboard on your management client to add a security policy that allows Telnet traffic.
The firewall policy should be constructed as follows:
Connect to the cluster MIP address. Using the MIP, you can make configuration changes to the
cluster as a whole, and you can use the individual CLI host menus to halt or reboot a particular
Firewall Director in a cluster or reset its configuration to the factory default settings. There is
no need to connect to the IP address of a particular Firewall Director.
Once the Telnet session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 154).
2. Check that the Firewall Directors are configured with proper IP addresses.
Each Firewall Director requires its own unique IP address, as well as one Management IP
(MIP) address which represents the entire Alteon Switched Firewall cluster. These IP
addresses are configured during the initial setup of the cluster (see Chapter 2, “Initial Setup,”
on page 25).
>> # /cfg/sys/adm/ssh/ena
>> Administration Applications# apply
NOTE – The ssh command affects the entire Alteon Switched Firewall cluster. SSH access
cannot be enabled or disabled on individual Firewall Directors.
If you fear that your SSH host keys have been compromised, or at any time your security policy dictates, you can create new host keys using the following CLI command:
>> # /cfg/sys/adm/ssh/gensshkey
>> Administration Applications# apply
When reconnecting to the Alteon Switched Firewall after having generated new host keys,
your SSH client will display a warning that the host identification (or host keys) has been
changed.
6. Use the Check Point SmartDashboard on your management client to add a security policy that allows SSH traffic.
The firewall policy should be constructed as follows:
where the -l (lower case L) option is followed by the user name (admin, oper, and so on)
being logged in, and the cluster MIP address.
Using the MIP address, you can make configuration changes to the cluster as a whole and to
individual Firewall Directors as appropriate. There is no need to connect to the IP address of a
particular Firewall Director.
Once the SSH session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.
When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 154).
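After gensshkey, the host-key warning described above is expected, but the same warning is what an SSH client shows when a different machine answers on the MIP address. The following added example (not Nortel code, and not the appliance's own SSH implementation) shows the check a management client should make before accepting a changed key: compare the presented key's fingerprint with one read out of band, for example from the serial console, and only then replace the stale known_hosts entry. It uses OpenSSH's SHA256 fingerprint format (base64 of the SHA-256 digest of the key blob, without padding) and assumes plain, unhashed host fields in known_hosts. The MIP address 192.0.2.10 and the two key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_demo_key_blob(seed: bytes) -> bytes:
    """Build a syntactically valid ssh-ed25519 public key blob from 32 arbitrary
    bytes. Constructed for the demonstration only; it is not a usable key."""
    assert len(seed) == 32
    return _ssh_string(b"ssh-ed25519") + _ssh_string(seed)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hosts, key_type, blob) per entry; plain (unhashed) host fields only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0].split(","), parts[1], base64.b64decode(parts[2])


def host_key_status(known_hosts: str, host: str, presented: bytes, console_fp: str) -> str:
    """What the client is about to see for `host`:
    'unknown'             no stored key yet (first connection)
    'unchanged'           presented key matches a stored one
    'changed-verified'    key differs but matches the fingerprint read on the console
    'changed-unverified'  key differs and nothing confirms it: do not accept"""
    stored = [blob for hosts, _, blob in parse_known_hosts(known_hosts) if host in hosts]
    presented_fp = fingerprint(presented)
    if not stored:
        return "unknown"
    if any(fingerprint(blob) == presented_fp for blob in stored):
        return "unchanged"
    if presented_fp == console_fp:
        return "changed-verified"
    return "changed-unverified"


def replace_host_key(known_hosts: str, host: str, key_type: str, new_blob: bytes) -> str:
    """Drop the stale entries for `host` and append the verified new key."""
    kept = [line for line in known_hosts.splitlines()
            if not (line.split() and host in line.split()[0].split(","))]
    kept.append(f"{host} {key_type} {base64.b64encode(new_blob).decode()}")
    return "\n".join(kept) + "\n"


# Constructed sample data: a documentation-range address standing in for the
# cluster MIP, and two placeholder key blobs (before and after gensshkey).
MIP = "192.0.2.10"
OLD_BLOB = make_demo_key_blob(bytes(range(32)))
NEW_BLOB = make_demo_key_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = f"{MIP} ssh-ed25519 {base64.b64encode(OLD_BLOB).decode()}\n"
```

The decisive branch is changed-unverified: a key that differs from the stored one and matches nothing obtained out of band should never be accepted just because a key rotation was recently performed.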
To log in, the user has to authenticate using the public key/private key mechanism. DSA or RSA key pairs can be used, but they must be in OpenSSH version 2 format only. Password-based authentication is not allowed.
The IP address of the remote user must be part of the access list.
The Check Point policy must allow the SSH connection between the remote user and
the ASF.
To manage remote SSH users, use the following CLI command:
>> # /cfg/sys/user/adv/user
Basic Operation
Using the CLI, Alteon Switched Firewall administration is performed in the following manner:
The administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.
Most changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect when entered (such as changes to users and passwords). Commands that take effect immediately are noted in the command descriptions (see Chapter 11, “The Main Menu”).
The global cur command can be used to view the current settings for the commands in the current menu.
In order to save changes and make them take effect, the administrator must use the global apply command. This allows the administrator to make an entire series of changes and then put them into effect all at once.
Using the validate command on the Main Menu, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the apply command will not be allowed.
The global diff command can be used to view pending changes before they are applied.
To clear all pending changes, the administrator can use the global revert command and then continue the configuration session, or the global exit command to log out from the system. Closing your remote session will also discard pending changes, though exiting manually is preferred.
NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only
pending changes made during your current session will be affected by the diff, revert, or
exit commands. However, if multiple CLI or BBI administrators apply changes to the same
set of parameters concurrently, the latest applied changes take precedence.
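The pending/validate/apply/revert model described above, including the behaviour of the NOTE, is easiest to see in a small simulation. The following is an added example written for this page; it is not Nortel code and it does not reproduce the appliance's real validation rules. The two constructed checks (an error when a remote management feature is enabled while the access list is empty, a warning when Telnet is enabled) stand in for those rules, and the key idle_timeout is a constructed placeholder rather than a documented CLI path. The paths /cfg/sys/adm/telnet, /cfg/sys/adm/ssh and /cfg/sys/accesslist are taken from this chapter.

```python
from dataclasses import dataclass


@dataclass
class Validation:
    errors: list
    warnings: list


class Cluster:
    """The applied configuration, shared by every administrator session.
    Keys are CLI paths; values are the setting at that path."""

    def __init__(self, applied):
        self.applied = dict(applied)


class Session:
    """One CLI or BBI administrator session with its own pending change set."""

    def __init__(self, cluster):
        self.cluster = cluster
        self.pending = {}

    def set(self, path, value):
        self.pending[path] = value

    def diff(self):
        """Pending changes of this session only, as path -> (applied, pending).
        Other sessions' pending changes are invisible here, as in the manual."""
        applied = self.cluster.applied
        return {p: (applied.get(p), v) for p, v in self.pending.items()
                if applied.get(p) != v}

    def validate(self):
        """Constructed checks that stand in for the appliance's own rules:
        an error if a remote management feature is enabled while the access
        list is empty (the lockout the manual warns about), and a warning if
        Telnet is enabled because it is unencrypted."""
        merged = {**self.cluster.applied, **self.pending}
        errors, warnings = [], []
        for feature in ("telnet", "ssh", "web"):
            if merged.get(f"/cfg/sys/adm/{feature}") == "ena" and not merged.get("/cfg/sys/accesslist"):
                errors.append(f"{feature} enabled but the remote access list is empty")
        if merged.get("/cfg/sys/adm/telnet") == "ena":
            warnings.append("telnet is unencrypted; prefer ssh")
        return Validation(errors, warnings)

    def apply(self):
        """Validate, then commit. Errors block everything; warnings do not."""
        result = self.validate()
        if result.errors:
            return False, result
        self.cluster.applied.update(self.pending)
        self.pending.clear()
        return True, result

    def revert(self):
        """Drop this session's pending changes; applied settings are untouched."""
        self.pending.clear()


def walkthrough():
    """Two concurrent sessions against one cluster; returns what each step showed."""
    cluster = Cluster({"/cfg/sys/adm/telnet": "dis", "/cfg/sys/adm/ssh": "dis",
                       "/cfg/sys/accesslist": []})
    a, b = Session(cluster), Session(cluster)
    seen = {}

    a.set("/cfg/sys/adm/ssh", "ena")             # enable SSH without any trusted client
    ok, result = a.apply()
    seen["apply_without_acl"] = (ok, result.errors)
    seen["ssh_after_failed_apply"] = cluster.applied["/cfg/sys/adm/ssh"]

    a.set("/cfg/sys/accesslist", [("201.10.14.7", "255.255.255.255")])
    b.set("/cfg/sys/adm/telnet", "ena")          # a different session's pending change
    seen["a_diff_paths"] = sorted(a.diff())      # B's change does not appear here
    seen["apply_with_acl"] = a.apply()[0]

    # The same parameter changed in both sessions: the last apply wins.
    # "idle_timeout" is a constructed key, not a documented CLI path.
    a.set("idle_timeout", 10)
    b.set("idle_timeout", 30)
    a.apply()
    ok_b, result_b = b.apply()
    seen["idle_after_both"] = cluster.applied["idle_timeout"]
    seen["b_apply"] = (ok_b, result_b.warnings)

    b.set("idle_timeout", 5)
    b.revert()                                   # pending only; applied value stays
    seen["after_revert"] = (dict(b.pending), cluster.applied["idle_timeout"])
    return seen
```

The simulation makes two operational points concrete: a failed apply leaves the cluster exactly as it was, and a second administrator's apply silently overrides a value you applied moments earlier, which is why diff before apply and a single change window are worth the discipline.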
[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
>> Main#
For more information about initial system setup, see Chapter 2, “Initial Setup,” on page 25. For
details about accessing the CLI, see “Accessing the Command Line Interface” on page 146.
Idle Time-out
By default, the system will disconnect your CLI session after ten minutes of inactivity. This function is controlled by the idle time-out parameter as shown in the following command:
Global Commands
Some basic commands are recognized throughout the entire menu hierarchy. These commands
are useful for obtaining online help, navigating through menus, and for applying and saving
configuration changes:
Command Action
help [<command>]
Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.
cur
Displays the settings for the commands on the current menu. The output of the cur command is for viewing only. It cannot be captured to a file and later restored. If you wish to save the configuration for restoration later on, use the dump or ptcfg commands.
lines <n>
Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.
nslookup
Find the IP address or host name of a network device. The format is as follows:
nslookup <host name|IP address>
In order to use this command, you must have configured the cluster to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.
paste
Set a password for restoring a saved configuration dump file that includes encrypted private keys.
ping
Use this command to verify station-to-station connectivity across the network. The format is as follows:
ping <address> [<tries> [<delay>]]
Where address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of milliseconds between attempts. The DNS parameters must be configured if specifying hostnames (see “DNS Servers Menu” on page 204).
pwd
Display the command path used to reach the current menu.
traceroute
Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
traceroute <address> [<max-hops> [<delay>]]
Where address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. As with ping, the DNS parameters must be configured if specifying hostnames.
Option Description
<Ctrl-p>
(Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.
<Ctrl-n>
(Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.
<Ctrl-b>
(Also the left arrow key.) Move the cursor back one position to the left.
<Ctrl-f>
(Also the right arrow key.) Move the cursor forward one position to the right.
<Backspace>
(Also the Delete key.) Erase one character to the left of the cursor position.
<Ctrl-k>
Kill (erase) all characters from the cursor position to the end of the command line.
Command Stacking
As a shortcut, you can type multiple commands on a single line separated by forward slashes
( / ). You can connect as many commands as required to access the menu option that you want.
For example, the command stack to access Cluster Configuration menu from the Main#
prompt is as follows:
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:
Tab Completion
By entering the first letter of a command at any menu prompt and pressing <Tab>, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) when <Tab> is pressed, that command will be supplied on the command line. You can then execute the command by pressing <Enter>. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.
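Command stacking, abbreviation and tab completion (the three preceding sections) are all prefix matching over the menu tree, and the following added example implements that resolution so the rules can be tried against the menus in this chapter. It is not Nortel code. The tree contains only the menus whose listings appear on these pages, so it is illustrative rather than the appliance's full command tree, and it assumes that an abbreviation is resolved only against the entries of the current menu, not against the global commands.

```python
# Menu tree reconstructed from the menu listings in this chapter; only the
# branches shown on these pages are included, so it is illustrative, not the
# appliance's full command tree. Leaves are empty dicts.
MENU_TREE = {
    "info": {
        "clu": {}, "host": {}, "det": {},
        "net": {
            "port": {}, "trunk": {}, "if": {}, "gre": {},
            "route": {"static": {}, "gw": {}, "rip": {}, "ospf": {},
                      "table": {}, "find": {}},
            "dhcprl": {}, "dump": {},
        },
        "syslog": {}, "fw": {}, "log": {}, "lic": {}, "acc": {}, "telnet": {},
        "ssh": {}, "snmp": {}, "web": {}, "time": {}, "asfnet": {},
    },
    "cfg": {},
    "boot": {
        "software": {"cur": {}, "activate": {}, "download": {}, "cdrom": {},
                     "del": {}, "patch": {}},
        "halt": {}, "reboot": {}, "delete": {},
    },
    "maint": {"diag": {}, "debug": {}, "tsdump": {}, "swfc": {}, "backup": {}},
    "validate": {}, "security": {},
}


def complete(prefix, menu):
    """Tab completion: every entry of the current menu starting with prefix.
    An empty prefix lists the whole menu, as <Tab> on an empty line does."""
    return sorted(name for name in menu if name.startswith(prefix))


def resolve_one(token, menu):
    """Command abbreviation: an exact name wins, otherwise the prefix must
    match exactly one entry of the menu; ambiguity and misses raise."""
    if token in menu:
        return token
    matches = complete(token, menu)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise KeyError(f"{token!r}: no such command in this menu")
    raise ValueError(f"{token!r} is ambiguous: {', '.join(matches)}")


def resolve_stack(stack, tree=MENU_TREE):
    """Command stacking: walk 'i/n/r/o' through the tree, expanding each
    abbreviated component against the menu reached by the previous ones."""
    menu, path = tree, []
    for token in stack.strip("/").split("/"):
        if not token:
            continue
        name = resolve_one(token, menu)
        path.append(name)
        menu = menu[name]
    return path


def try_resolve(stack):
    """Return (path, None) on success or ([], message) when the stack is
    ambiguous or unknown, mirroring what the CLI would have to tell the user."""
    try:
        return resolve_stack(stack), None
    except (KeyError, ValueError) as exc:
        return [], str(exc)
```

Note that "del" is an exact entry in the Software Management Menu but only an abbreviation of delete in the Boot Menu; the exact-match rule is what keeps the two from colliding.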
[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
info
The Information Menu is used for displaying information about the current status of the
Alteon Switched Firewall.
See page 163 for menu items.
cfg
The Configuration Menu is used for configuring the Alteon Switched Firewall. Some
commands are available only from an administrator login.
See Chapter 12, “The Configuration Menu” for menu items.
boot
The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if necessary.
See page 173 for menu items.
217014-A, November 2004
maint
The Maintenance Menu is used for system diagnostics. This should be used only at the
request of Nortel Networks technical support.
See page 177 for menu items.
diff
This global command is available from any menu or sub-menu. It displays the difference
between the applied configuration (the configuration that the system is currently using)
and the pending configuration (the uncommitted changes that have not yet been applied).
Only pending changes made during your current administrator session are included.
Pending changes being made by other CLI or BBI administrator sessions are not
included.
validate
This command is used to validate pending configuration changes made during your current administration session. This command does not include pending changes being made by other CLI or BBI administrator sessions that are running at the same time.
When you enter the validate command, your pending changes are examined to
ensure that they are complete and consistent. If problems are found, warning or error
messages are displayed.
Warnings identify conditions that you should pay special attention to, but that will not cause errors or prevent the configuration from being applied when you enter the apply command.
Errors identify serious configuration problems that must be corrected before changes
can be applied. Uncorrected errors will cause the apply command to fail.
If the validate command returns warning or error messages, heed the messages and
make any necessary configuration changes.
security
This command lists the status (enabled or disabled) for remote management features
such as Telnet, SSH, and the BBI for the cluster. It also lists which users (if any) are still
using default passwords which should be changed.
apply
This global command is available from any menu or sub-menu. It is used to apply and
save configuration changes made during your current administration session. Changes
are considered pending and do not take effect until this command is issued. Pending
changes being made by other CLI or BBI administrator sessions are not affected.
When issued, the apply command first validates your session’s pending changes. If
problems are found, applicable warning and error messages are displayed. Errors are
serious and will cause the apply command to fail before any changes are applied. If
there are no errors (warnings are allowed), the changes are saved and put into effect.
Warning messages can be turned off using the /cfg/misc/warn command (see
page 332).
If multiple CLI or BBI administrators apply changes to the same set of parameters con-
currently, the latest applied changes take precedence.
The global revert command clears pending changes only; once the apply command has been issued, revert will not restore the configuration to its previous settings.
revert
This global command is available from any menu or sub-menu. It cancels all pending
configuration changes made during your current administration session. Applied
changes are not affected. Pending changes made by other open CLI or BBI sessions are
also not affected.
paste
This global command is available from any menu or sub-menu. It lets you restore a saved
configuration dump file that includes encrypted private keys.
If private keys were included when you created your configuration dump file (/cfg/dump), you were required to specify a password for encrypting the private keys. When the paste command is issued, you will be prompted to supply the same password phrase. You can then open the configuration dump file in your text editor, copy the information, and paste it to the CLI window.
When pasted, the configuration content is batch processed by the Alteon Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. You can view the pending configuration changes resulting from the batch processing by using the global diff command. To apply the pending configuration changes, use the global apply command.
The paste password phrase remains in effect until cleared. To clear the password
phrase, enter the paste command again.
/info
Information Menu
[Information Menu]
clu - Display runtime information of all Directors
host - Display runtime information of one Director
det - Display detected Accelerator(s)
net - Network Display Menu
syslog - Display syslog entries
fw - Display firewall configuration
log - Display Platform Logging configuration
lic - Display installed license(s)
acc - Display Accelerator configuration
telnet - Display Telnet configuration
ssh - Display SSH configuration
snmp - Display SNMP configuration
web - Display Web configuration
time - Display Time Settings
asfnet - Display ASF Internal Network configuration
The Information Menu is used for displaying information about the current status of the Alteon
Switched Firewall.
clu
This command displays runtime information for all the Firewall Directors in the cluster.
Information includes CPU usage, hard disk usage, status of important applications such
as Web server, firewall, Inet server, as well as status of firewall acceleration.
net
The Network Display Menu is used for displaying current network information for the
Alteon Switched Firewall cluster. Information includes network ports, trunking, inter-
faces, and routing.
See page 166 for menu items.
syslog
This command displays the last syslog messages. After each set of ten syslog messages is displayed, you are prompted whether to continue the display (enter y) or exit (enter n).
fw
This command displays the current firewall configuration settings. Displayed information includes firewall status (enabled or disabled), management IP addresses, and synchronization network configuration. This is the same information available using the /cfg/fw/cur command.
log
This command displays the current system message logging settings. This is the same
information available using the /cfg/sys/log/cur command.
telnet
This command displays the current Telnet configuration settings: enabled or disabled.
This is the same information available using the /cfg/sys/adm/telnet/cur
command.
ssh
This command displays the current SSH configuration settings: enabled or disabled. This
is the same information available using the /cfg/sys/adm/ssh/cur command.
snmp
This command displays the current SNMP configuration settings. Displayed information
includes a list of trap hosts, and status of event and alarm messages. This is the same
information available using the /cfg/sys/adm/snmp/cur command.
web
This command displays the current BBI configuration settings. Displayed information
includes status (enabled or disabled) and service port number for HTTP and HTTPS
(with SSL), and certificate information for SSL. This is the same information available
using the /cfg/sys/adm/web/cur command.
time
This command displays the current time and date settings, including any NTP server settings. This is the same information available using the /cfg/sys/time/cur command.
asfnet
This command displays the current network settings for the Alteon Switched Firewall cluster and hosts. This is the same information available using the /cfg/sys/cluster/cur command.
/info/net
Network Display Menu
[Network Display Menu]
port - Display configured ports
trunk - Display configured trunks
if - Display configured interfaces
gre - Display GRE tunnel interfaces
route - Route Information Menu
dhcprl - DHCP Relay Information Menu
dump - Display all network configuration
The Network Display Menu is used for displaying current network information for the Alteon
Switched Firewall cluster. Information includes network routes, ports, interfaces, and gateways.
port
This command displays information about all ports configured on the Firewall Accelerator. Displayed information includes port name, type (IP or NAAP), assigned interfaces, VLAN, VLAN tagging status, and filters.
trunk
This command displays information about all port trunks configured on the Firewall
Accelerator. For each trunk, displayed information includes the trunk number, master
port, and a list of other ports that belong to the trunk.
if
This command displays information about all the IP interfaces configured on the system. Displayed information includes IP addresses, masks, VLANs, and the ports to which the IP interfaces are assigned. It also displays the names of the interface devices that are automatically created for each IP interface.
gre
This command displays information about all the GRE tunnel interfaces configured on
the system. Displayed information includes GRE tunnel number, GRE tunnel name,
local and remote GRE tunnel physical interfaces, local and remote GRE tunnel end
points.
route
The Route Information Menu is used for displaying current information about the various
routing protocols used with the Alteon Switched Firewall. Information includes static
routes, default gateways, RIP and OSPF settings.
See page 168 for menu items.
dhcprl
The DHCP Relay Information menu is used for displaying current information about the
DHCP servers used with the Alteon Switched Firewall.
See page 172 for menu items.
dump
This command displays all information for each option in the Information Menu.
/info/net/route
Route Information Menu
The Route Information Menu is used for displaying current information about the various routing protocols used with the Alteon Switched Firewall cluster.
static
This command displays all the static routes configured on the system.
gw
This command displays all the gateways configured and enabled on the system.
rip
The RIP Router Information Menu is used for displaying current RIP information.
See page 169 for menu items.
ospf
The OSPF Router Information Menu is used for displaying current OSPF information.
See page 170 for menu items.
table
This command lists all unicast routes on the system.
find
This command can find a route in the unicast route table.
/info/net/route/rip
RIP Router Information Menu
The RIP Router Information Menu is used for displaying RIP routing information.
routes
This command displays all RIP routes from the unicast table.
fib
This command displays all RIP routes contained in the Forwarding Information-Base
(FIB) advertised by the Alteon Switched Firewall. This includes routes which have been
redistributed from other protocols.
/info/net/route/ospf
OSPF Router Information Menu
The OSPF Router Information Menu is used for obtaining information about OSPF routes,
links, neighbors, and interfaces.
routes
This command displays all OSPF routes from the unicast table.
lsa
This command displays the OSPF Links State Advertisement (LSA) tables.
dbcnt
This command displays the number of different LSA types per area (router, network,
ABR summary, and ASBR summary) and the number of the LSA external routes in the
domain.
neigh
This command displays a brief summary on the firewall’s OSPF neighbor. Neighbors are
routing devices that maintain information about each others’ health.
infonbr
This command displays detailed information on all the OSPF neighbors.
spf
This command displays the OSPF network routing table, OSPF router routing table, and
the OSPF external routing table (after calculating the SPF). The external LSAs in the
OSPF external routing table are not area specific but are common to the entire OSPF
domain.
if
This command displays information about the configured OSPF interfaces.
fib
This command displays all OSPF routes contained in the Forwarding Information-Base
(FIB) advertised by the Alteon Switched Firewall. This includes routes which have been
redistributed from other protocols.
/info/net/dhcprl
DHCP Relay Information Menu
The DHCP Relay Information Menu is used for displaying current information about the
DHCP protocol used with the Alteon Switched Firewall cluster.
settings
This command displays the current DHCP relay settings.
locstats
This command displays the local DHCP Relay statistics configured and enabled on the
system.
mipstats
This command is used for displaying DHCP Relay statistics configured and enabled on
the MIP.
/boot
Boot Menu
[Boot Menu]
software - Software Management Menu
halt - Halt the Firewall Director
reboot - Reboot the Firewall Director
delete - Delete the Firewall Director
The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if
necessary.
NOTE – The Software Management Menu option is not available using the operator account.
software
The Software Management Menu is used to load, activate, or remove Alteon Switched
Firewall software upgrade packages.
See page 175 for menu items.
halt
This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be halted using the preferred /cfg/sys/clu/host <host number>/halt command.
After confirmation, this command stops the particular Firewall Director to which you have connected via Telnet, SSH, or a console terminal. If using Telnet or SSH, use this command only when you have connected to a particular Firewall Director’s individually assigned IP address. Do not use the halt command when connected to the Management IP (MIP) address.
reboot
This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be rebooted using the preferred /cfg/sys/clu/host <host number>/reboot command.
After confirmation, this command reboots the particular Firewall Director to which you have connected via Telnet, SSH or console terminal. When using Telnet or SSH, use this command only when you have connected to a particular Firewall Director’s individually assigned IP address. Do not use the reboot command when connected to the Management IP (MIP) address.
delete
This command should be used only when the target Firewall Director has been isolated from the cluster and cannot be deleted using the preferred /cfg/sys/clu/host <host number>/delete command.
After confirmation, this command removes the particular Firewall Director to which you have connected via Telnet, SSH, or a console terminal. It also resets the removed Firewall Director to its factory default configuration.
If you are using Telnet or SSH, only use this command when you have connected to the
Firewall Director’s individually assigned IP address. Do not use the delete command
when connected to the cluster Management IP (MIP) address.
If there are other Firewall Directors in the cluster, you should also connect to the cluster
MIP address (locally or remotely) and purge the deleted Firewall Director configuration
from the cluster by using the /cfg/sys/cluster/host <host number>/delete
command.
Once you have removed a Firewall Director from the cluster, you can only access the
device through a console terminal attached directly to its local serial port. You can then
log in using the administration account (admin) and the default password (admin) to
access the Setup Menu.
/boot/software
Software Management Menu
[Software Management Menu]
cur - Display current software status
activate - Select software version to run
download - Download a new software package via TFTP/FTP
cdrom - Get a new software package via CD-ROM
del - Remove downloaded (unpacked) releases
patch - Software Patches Menu
The Software Management Menu is used to load, activate, or remove Alteon Switched Firewall software upgrade packages.
cur
This command displays the software status of the particular Firewall Director to which
your current Telnet, SSH, or a console terminal is connected.
activate <software version>
This command activates a downloaded and unpacked Alteon Switched Firewall software upgrade package. Use the cur command to find the version of the downloaded and unpacked software package. You will be prompted for a confirmation before the software is activated.
If serious problems occur while running the new software version, you may revert to
using the previous version by activating the software version labeled as old.
Note that you will be logged out after confirming the activate command.
download <protocol>
This command lets you specify a protocol (FTP or TFTP) to download an ASF software upgrade package from an FTP or TFTP server that allows anonymous login. Nortel recommends that you specify FTP, because ASF images are too large for a TFTP server. After you specify the protocol, you will be prompted for a host name or IP address of the FTP server, as well as the file name of the software upgrade package.
To use this feature, you must install a firewall rule that allows FTP traffic to pass to and
from the Firewall Directors.
cdrom
This command lets you download a new software package via CD-ROM.
del
After confirmation, this command lets you remove a software upgrade package that has
been downloaded using the ftp command. This command removes all upgrades and
changes the Firewall Director to a “new” state.
patch
The Software Patches Menu is used to install minor, corrective software elements on the ASF.
See page 176 for menu items.
/boot/software/patch
Software Patches Menu
The Software Patches Menu is used to install or remove small Alteon Switched Firewall software patches.
/maint
The Maintenance Menu
[Maintenance Menu]
diag - Diagnostic Tools Menu
debug - Debug Information Menu
tsdump - Tech Support Dump Menu
swfc - SFA Flow Control Configuration Menu
backup - Backup/Restore Firewall Director Menu
The Maintenance Menu is used for system diagnostics and for sending a technical support dump to an FTP server.
CAUTION – The commands in the Maintenance menu and its submenus are not commonly used, and should not be used without proper guidance from Nortel Networks Technical Support.
diag
The Diagnostic Tools Menu is used to run diagnostic tools on the ASF.
See page 179 for menu items.
debug
The Debug Information Menu displays debug information on ASF.
See page 180 for menu items.
tsdump
The Tech Support Dump Menu is used to provide dumps for Technical Support.
See page 193 for menu items.
swfc
The Firewall Accelerator Flow Control Configuration Menu is used to set software flow control settings to protect the Accelerator from DoS attacks.
See page 194 for menu items.
backup
The Backup/Restore Firewall Director Menu allows you to back up the Director configuration and restore it later to the same state.
See page 195 for menu items.
/maint/diag
Diagnostics Tools Menu
[Diagnostics Tools Menu]
sync - Test sync network
ldplcy - Load Check Point policy
unldplcy - Unload Check Point policy
The Diagnostics Tools Menu is used to run diagnostic tools on the ASF.
sync
This command allows you to run the diagnostic utility to check connectivity in the sync network. It will ARP for each IP address in the sync network and notify you whether that IP address can be reached over the sync net.
ldplcy
This command uses Check Point’s fw fetch localhost command to load the installed policy. You can load the policy on a specific Director or all Directors in the cluster.
uldplcy
This command uses Check Point’s fw unloadlocal command to unload the installed policy. You can unload the policy on a specific Director or all Directors in the cluster.
/maint/debug
Debug Information Menu
[Debug Information Menu]
aim - AIM Statistics
fw - FW-1 Statistics
ac1 - Accelerator 1 Information
ac2 - Accelerator 2 Information
dbgroute - Debug routes sent via ISD-SFA communication
ospf - OSPF Debug Menu
rip - RIP Debug Menu
aim
This command displays debugging information for the Accelerator Interface Module.
See page 182 for menu items.
fw
This command displays the FW-1 Statistics menu, which allows you to run certain
Check Point Firewall commands and view the results. This menu is useful for users
already familiar with the Check Point Firewall.
See page 185 for menu items.
ac1
This command displays debugging information for Firewall Accelerator 1, and allows
you to run certain commonly used commands on the Firewall Accelerator.
See page 186 for menu items.
ac2
This command displays debugging information for Firewall Accelerator 2, and allows
you to run certain commonly used commands on the Firewall Accelerator. This menu is
the same as ac1 but displays information about the second Firewall Accelerator (if
present).
See page 188 for menu items.
dbgroute
This command displays debug routes sent to the Firewall Accelerator from the Firewall
Director.
See page 190 for menu items.
ospf
This command displays information on OSPF.
See page 191 for menu items.
rip
This command displays information on RIP.
See page 192 for menu items.
/maint/debug/aim
AIM Statistics Menu
The AIM Statistics Menu allows you to run some Firewall Director commands and view the
results.
cur
This command displays the current AIM state and is equivalent to the Director’s
/proc/aim/cur command.
conns
This command displays information about the AIM connection table, and is equivalent
to the Director’s /proc/aim/conns command.
naap
This command displays the NAAP statistics, and is equivalent to the Director’s
/proc/aim/naap command.
accel
This command displays the acceleration statistics, and is equivalent to the Director’s
/proc/aim/acp command.
acp
This menu displays the statistics for the AIM control packets.
See page 184 for menu items.
app
This command displays the statistics for the AIM data packets, and is equivalent to the
Director’s /proc/aim/app command.
tng
This command displays the TNG statistics, and is equivalent to the Director’s
/proc/net/tng command.
/maint/debug/aim/acp
AIM Control Packets Menu
The AIM Control Packets Statistics Menu allows you to display statistics for AIM control
packets.
api
This command displays the Secure XL API Call Statistics and is equivalent to the
Director’s /proc/aim/acp/api command.
conns
This command displays information about the AIM connection table and is equivalent to
the Director’s /proc/aim/acp/conns command.
ctxt
This command displays the AIM Call Context statistics and is equivalent to the
Director’s /proc/aim/acp/ctxt command.
err
This command displays the AIM error statistics and is equivalent to the Director’s
/proc/aim/acp/err command.
ha
This command displays AIM high availability statistics and is equivalent to the
Director’s /proc/aim/acp/ha command.
tbl
This command displays the AIM database usage statistics and is equivalent to the
Director’s /proc/aim/acp/tbl command.
/maint/debug/fw
FW-1 Statistics Menu
The FW-1 Statistics Menu allows you to run some Check Point Firewall commands and view
the results.
ver
This command displays version information and is equivalent to Check Point’s
fw ver command.
stat
This command displays information about the installed policy, and is equivalent to
Check Point’s fw stat command.
lic
This command displays the installed licenses, and is equivalent to Check Point’s
cplic print -x command.
ctlpstat
This command displays Check Point Firewall internal statistics, and is equivalent to
Check Point’s fw ctl pstat command.
/maint/debug/ac1
Accelerator 1 Information Menu
The Accelerator 1 Information Menu allows you to run CLI commands on the Firewall
Accelerator and see the output.
sys
This command displays the output of the /info/sys (system information) command
from the Firewall Accelerator.
boot
This command displays the output of the /boot/cur (boot settings) command from
the Firewall Accelerator.
naap
This command displays the output of the /info/naap/dump (NAAP status) command
from the Firewall Accelerator.
vrrp
This command displays the output of the /info/vrrp (VRRP status) command from
the Firewall Accelerator.
sess
This command displays the output of the /info/slb/sess/dump (session table)
command from the Firewall Accelerator.
prtstat
This command displays the output of the /stats/slb/port <#>/maint
(port maintenance status) command from the Firewall Accelerator.
btinfo
This command displays the output of the /maint/btinfo command from the Firewall
Accelerator. The output explains the reason for the last reboot (power cycle, reset from
console, panic, and so on) and also whether a panic dump is present.
clear
This command clears all statistics on Firewall Accelerator 1.
back
This command makes Firewall Accelerator 1 the backup. The command forces the
Accelerator to a backup state using the /oper/vrrp/back command on the Accelerator.
reboot
This command reboots Firewall Accelerator 1 using the /boot/reset command.
/maint/debug/ac2
Accelerator 2 Information Menu
The Accelerator 2 Information Menu allows you to run CLI commands on the Firewall
Accelerator and see the output.
sys
This command displays the output of the /info/sys (system information) command
from the Firewall Accelerator.
boot
This command displays the output of the /boot/cur (boot settings) command from
the Firewall Accelerator.
naap
This command displays the output of the /info/naap/dump (NAAP status) command
from the Firewall Accelerator.
vrrp
This command displays the output of the /info/vrrp (VRRP status) command from
the Firewall Accelerator.
sess
This command displays the output of the /info/slb/sess/dump (session table)
command from the Firewall Accelerator.
prtstat
This command displays the output of the /stats/slb/port <#>/maint
(port maintenance status) command from the Firewall Accelerator.
btinfo
This command displays the output of the /maint/btinfo command from the Firewall
Accelerator. The output explains the reason for the last reboot (power cycle, reset from
console, panic, and so on) and also whether a panic dump is present.
clear
This command clears all statistics on Firewall Accelerator 2.
back
This command makes Firewall Accelerator 2 the backup. The command forces the
Accelerator to a backup state using the /oper/vrrp/back command on the Accelerator.
reboot
This command reboots Firewall Accelerator 2 using the /boot/reset command.
/maint/debug/dbgroute
Debug Route Information Menu
The Debug Route Information Menu displays Unicast, IGMP, and PIM routes pushed to the
Firewall Accelerator from the Firewall Director.
uni
This command displays the Unicast routes sent to the Firewall Accelerator.
igmp
This command displays the IGMP routes sent to the Firewall Accelerator.
pim
This command displays the PIM routes sent to the Firewall Accelerator.
/maint/debug/ospf
OSPF Debug Menu
events
This command allows you to turn on debugging for OSPF events.
ism
This command allows you to turn on debugging for the interface state machine.
lsa
This command allows you to turn on debugging for link state advertisements.
nsm
This command allows you to turn on debugging for the neighbor state machine.
packets
This command allows you to turn on debugging for OSPF packets.
msgs
This command displays the last 100 messages from the log file.
/maint/debug/rip
RIP Debug Menu
The RIP Debug Information Menu is used to display debug information for RIP.
events
This command allows you to turn on RIP events.
packets
This command displays details on RIP packets.
msgs
This command displays the last 100 messages from the log file.
/maint/tsdump
Tech Support Dump Menu
[Tech Support Menu]
dump - Create a Tech Support dump
exdump - Create a Tech Support dump including logs
ftp - FTP tech support dump to an FTP server
floppy - Copy Tech Support Dump to Floppy
The Tech Support Dump Menu is used to create dumps for Technical support.
dump
This command creates a Technical support dump without including the logs. The size of
the dump is typically small enough to fit on a floppy diskette.
exdump
This command creates a Technical support dump including all available logs. The size
of the dump is typically more than 1 MB.
/maint/swfc
SFA Flow Control Configuration Menu
[SFA Flow Control Configuration Menu]
window - Set Window Size
sync - Set Sync Interval
ena - Enable SFA Flow Control
dis - Disable SFA Flow Control
The SFA (switched firewall accelerator) Flow Control Configuration Menu is used to configure
settings to protect the Firewall from a DOS attack.
window
This command sets the “window” size for flow control. This is similar to the window
concept for TCP transmission. The Firewall Accelerator makes sure that the number of
outstanding requests to the Director stays within this limit. If the limit is exceeded, the
Firewall Accelerator starts dropping packets destined to that Firewall Director. The default
value is 1000.
sync
This command sets the interval at which the Firewall Accelerator and the Firewall
Director exchange flow control information. The default value is 1 second.
ena
This command enables the SFA flow control.
dis
This command disables the SFA flow control.
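To make the window mechanism concrete, the following Python model of the Accelerator-to-Director flow control is added here; it is an illustration, not Nortel code. It assumes that each sync exchange tells the Accelerator how many outstanding requests the Director has completed (the real message format is not described in this guide), and it uses the documented defaults of a 1000-request window and a 1-second sync interval (one burst of packets per interval in the simulation).

```python
"""Model of SFA flow control: a per-Director window of outstanding requests."""
from dataclasses import dataclass

WINDOW_DEFAULT = 1000   # /maint/swfc/window default
SYNC_DEFAULT = 1        # /maint/swfc/sync default, in seconds (one interval per burst below)


@dataclass
class DirectorLink:
    """Accelerator-side bookkeeping for one Firewall Director (hypothetical model)."""
    window: int = WINDOW_DEFAULT
    enabled: bool = True        # /maint/swfc/ena and /maint/swfc/dis
    outstanding: int = 0        # requests forwarded but not yet completed by the Director
    forwarded: int = 0
    dropped: int = 0

    def offer(self, packets: int) -> int:
        """Accelerator receives `packets` destined to this Director; returns how many it forwards."""
        sent = 0
        for _ in range(packets):
            if self.enabled and self.outstanding >= self.window:
                # Window exhausted: drop rather than pile more work onto the Director.
                self.dropped += 1
            else:
                self.outstanding += 1
                self.forwarded += 1
                sent += 1
        return sent

    def sync(self, completed: int) -> None:
        """Periodic flow-control exchange (assumed semantics): the Director reports
        how many requests it completed since the last interval."""
        self.outstanding = max(0, self.outstanding - completed)


def simulate(bursts, director_capacity, enabled=True, window=WINDOW_DEFAULT):
    """Feed one packet burst per sync interval to a Director that can complete
    `director_capacity` requests per interval. Returns totals as a dict."""
    link = DirectorLink(window=window, enabled=enabled)
    for burst in bursts:
        link.offer(burst)
        # The Director cannot complete more than it currently holds.
        link.sync(min(director_capacity, link.outstanding))
    return {"forwarded": link.forwarded, "dropped": link.dropped,
            "backlog": link.outstanding}


if __name__ == "__main__":
    flood = [5000, 5000]  # constructed: two intervals of 5000 packets each
    print("flow control on :", simulate(flood, director_capacity=800))
    print("flow control off:", simulate(flood, director_capacity=800, enabled=False))
```

With flow control enabled the Director's backlog never exceeds the window, and the excess is dropped at the Accelerator; with it disabled every packet is forwarded and the backlog on the Director grows by the shortfall each interval, which is the overload condition the window is meant to prevent.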
/maint/backup
Backup Restore Menu
[Backup Restore Menu]
backup - Backup Firewall Director to FTP server
The Backup Restore Menu allows you to backup the Director configuration and restore it later
to the same state.
The backup and restore feature is for a Director only and not the cluster. To backup an entire
cluster, you must login to each Director and create backups separately. You cannot create a
backup from one member of the cluster and use it to restore another member. A backup taken
from a Director can be used only to restore that same Director or a replacement for that
Director.
For more information on how to backup the Director configuration, see “Backup and Restore
Firewall Configuration” on page 347.
backup
This command prompts you to provide an FTP server. The FTP server should allow
anonymous login.
/cfg
Configuration Menu
[Configuration Menu]
sys - System-wide Parameter Menu
pnp - SFD IP and Firewall License Menu
acc - Accelerator Configuration Menu
net - Network Configuration Menu
fw - Firewall Configuration Menu
apps - Third party applications
ptcfg - Backup current configuration to TFTP/FTP server
gtcfg - Restore current configuration from TFTP/FTP server
misc - Miscellaneous Settings Menu
dump - Dump configuration on screen for copy-and-paste
197
217014-A, November 2004
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
The Configuration Menu is used for configuring the Alteon Switched Firewall. Some
commands are available only from the administrator login.
sys
The System Menu is used for configuring system-wide parameters on a per cluster basis.
See page 200 for menu items.
pnp
The SFD IP and Firewall License (Plug N Play) Menu is used for pre-configuring
resources that are used by the system to automatically configure any new components
when they are added to the cluster. Resources configured under this menu include a pool
of IP addresses and Check Point licenses.
See page 242 for menu items.
acc
The Accelerator Configuration Menu is used to configure parameters for the cluster
Firewall Accelerators. This includes the IP addresses and MAC addresses of the Firewall
Accelerators and options for high availability and auto detection.
See page 244 for menu items.
net
The Network Configuration Menu is used to configure the networks passing traffic
through the firewall.
See page 250 for menu items.
fw
The Firewall Configuration Menu is used to configure firewall related options such as
enabling firewall or resetting the Check Point Secure Internal Communications (SIC).
See page 323 for menu items.
apps
The Third-party Applications Menu is used to configure a secure route for a third party
application.
See page 330 for menu items.
/cfg/sys
System Menu
[System Menu]
time - Date and Time Menu
dns - DNS Servers Menu
cluster - Cluster Menu
accesslist - Access List Menu
adm - Administrative Applications Menu
log - Platform Logging Menu
user - User access control menu
The System Menu is used for configuring system-wide parameters on a per cluster basis.
time
The Date and Time Menu is used to set the cluster date, time, time zone, and NTP options.
See page 202 for menu items.
dns
The DNS Servers Menu lets you change Domain Name System (DNS) parameters.
See page 204 for menu items.
cluster
The Cluster Menu is used for assigning the cluster management address and for
accessing individual Firewall Director menus.
See page 205 for menu items.
accesslist
The Access List Menu is used to restrict remote access to Alteon Switched Firewall
management features. You can add, delete, or list trusted IP addresses which are allowed
Telnet, Secure Shell (SSH), or Browser-Based Interface (BBI) access to the system. If
the access list is not configured, users will not be able to access remote management
features even when those features are otherwise enabled.
See page 209 for menu items.
adm
The Administrative Applications Menu is used to configure Alteon Switched Firewall
remote management features such as Telnet, SSH, SNMP, and the BBI.
See page 210 for menu items.
log
The Platform Logging Menu is used to configure system message logging features.
Messages can be logged to the system console terminal, ELA facility, and archived to a file
that can be automatically e-mailed.
See page 231 for menu items.
user
The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user
accounts, and change passwords.
See page 237 for menu items.
/cfg/sys/time
Date and Time Menu
The Date and Time Menu is used to set the cluster date, time, and time zone options.
date <YYYY-MM-DD>
This command sets the system date according to the specified format.
time <HH:MM:SS>
This command sets the system time using a 24-hour clock format.
tzone [<time zone string>]
This command sets the system time zone. When entered without a parameter, you will be
prompted to select your time zone from a list of continents/oceans, countries, and
regions (if applicable). If you know your time zone from a previous use of this
command, you can set the value directly by including the time zone string within quotes.
ntp
The NTP Servers Menu is used to synchronize system time with Network Time Protocol
(NTP) servers.
See page 203 for menu items.
/cfg/sys/time/ntp
NTP Servers Menu
The NTP Servers Menu is used to add or delete Network Time Protocol (NTP) servers to
synchronize system time.
NOTE – In order to use this feature, you must install a firewall rule that allows NTP traffic to
pass to and from the Firewall Directors.
list
This command lists all configured NTP servers by their index number and IP address.
del <index number>
This command lets you remove an NTP server from the cluster configuration by
specifying the server’s index number. Use the list command to display the index numbers
and IP addresses of configured NTP servers.
add <NTP server IP address>
This command lets you add an NTP server. The NTP server with the specified IP address
will be added to the list of NTP servers used to synchronize the Alteon Switched
Firewall system clock. A number of NTP servers (at least three) should be available in order
to compensate for any discrepancies among the servers.
/cfg/sys/dns
DNS Servers Menu
The DNS Servers Menu lets you change Domain Name System (DNS) parameters.
NOTE – In order to use this feature, you must install a firewall rule that allows DNS traffic to
pass to and from the Firewall Directors.
list
This command displays all DNS servers by their index number and IP address.
del <index number>
This command lets you remove a DNS server by index number. Use the list command
to display the index numbers and IP addresses of added DNS servers.
add <DNS server IP address>
This command lets you add a new DNS server. The DNS server with the specified IP
address will be added.
insert <index number> <IP address>
This command lets you add a new DNS server to the list at the specified index position.
All existing items at the specified index number and higher are incremented by one
position.
move <from index number> <to index number>
This command removes the DNS server at the position given by the from index number
and reinserts it at the position given by the to index number.
/cfg/sys/cluster
Cluster Configuration Menu
[Cluster Menu]
net - Set ASF internal subnet network
mask - Set ASF internal subnet mask
mip - Set management IP (MIP) address
host - SFD Host Menu
The Cluster Menu is used for assigning the cluster management address and for accessing
individual Firewall Director menus.
This menu is used for performing actions on a specific Firewall Director, identified by host
number. The host number can be found using the /cfg/sys/cluster/cur command.
type master|slave
This command lets you set the currently selected Firewall Director as master or slave. A
master is capable of hosting the cluster Management IP (MIP) address. Up to four
masters can be present in a cluster. If an active master fails, one of the other masters will
become active and host the MIP address. Depending on the total number of Directors in
a cluster and the desired level of redundancy, it is recommended that two to four Director
hosts are configured as masters.
When installing the first Firewall Director in a new cluster (by selecting new in the
Setup Menu), it is automatically configured as master. When adding more Firewall
Directors to the same cluster (by selecting join in the Setup Menu), the first three
additional Firewall Directors in a cluster will also be masters.
When adding one or more Firewall Directors to a cluster that already contains four
masters, any added Firewall Directors are automatically configured as slave.
Normally, you will only need to change the type setting when you have removed one or
more master Firewall Directors from a cluster. In this case, if there are any slave devices,
you may want to promote one of them to become a master.
To determine which Firewall Director is currently hosting the MIP address, use the
/info/clu command. To view the host number of each Firewall Director in a cluster,
use the /cfg/sys/cluster/cur command.
halt
After confirmation, this command stops the currently selected Firewall Director. Always
use this command before turning off the device.
If the Firewall Director you want to halt has become isolated from the cluster, you will
receive an error message when performing the halt command. You can then try
logging in to the specific Firewall Director using its local serial port (or a Telnet or SSH
connection to the Firewall Director’s individually assigned IP address) and use the
/boot/halt command.
reboot
After confirmation, this command reboots the currently selected Firewall Director.
If the Firewall Director you want to reboot has become isolated from the cluster, you will
receive an error message when performing the reboot command. You can then try
logging in to the specific Firewall Director using its local serial port (or a Telnet or SSH
connection to the Firewall Director’s individually assigned IP address) and use the
/boot/reboot command.
delete
This command lets you remove the currently selected Firewall Director “cleanly” from
the cluster, and resets the removed Firewall Director to its factory default configuration.
Other Directors in the cluster are unaffected.
To ensure that you remove the intended Firewall Director, view the current settings by
using the cur command. To view the host number, type (master or slave), and IP
address for all Firewall Directors in a cluster, use the /cfg/sys/cluster/cur
command.
Once you have removed a Firewall Director from the cluster using the delete
command, you can only access the device through a console terminal attached directly to its
local serial port. You can then log in using the administration account (admin) and the
default password (admin) to access the Setup Menu.
When multiple Firewall Directors are present in a cluster, you cannot delete a particular
Firewall Director if it is the only one that has a health status “up.” If that is the case, you
will receive an error message when performing the delete command. To delete a
Firewall Director from the cluster while all the other cluster members are down, see the
/boot/delete command on page 173.
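The master/slave rules above (automatic assignment of the first four Directors as masters, the four-master ceiling, MIP fail-over to another master, promotion of a slave after a master is removed, and the refusal to delete the only Director that is up) are easy to misread from prose alone. The following Python model is added here as an illustration; it is not Nortel code. The Cluster class, its method names and the choice of the lowest-numbered healthy master as the new MIP host are assumptions made for the model; the guide only states that one of the other masters takes over.

```python
"""Model of master/slave assignment and MIP fail-over for Firewall Directors (hypothetical)."""

MAX_MASTERS = 4   # documented ceiling on masters per cluster


class Cluster:
    def __init__(self):
        self.hosts = {}        # host number -> {"type": "master" | "slave", "up": bool}
        self.mip_host = None   # host number currently hosting the MIP address
        self._next_host = 1

    def masters(self):
        return [h for h, d in sorted(self.hosts.items()) if d["type"] == "master"]

    def setup(self, mode: str):
        """Setup Menu choice: 'new' creates the cluster, 'join' adds a Director to it."""
        if mode == "new" and self.hosts:
            raise ValueError("cluster already exists; use join")
        if mode == "join" and not self.hosts:
            raise ValueError("no cluster to join; use new")
        host = self._next_host
        self._next_host += 1
        # The first four Directors become masters automatically, later ones slaves.
        kind = "master" if len(self.masters()) < MAX_MASTERS else "slave"
        self.hosts[host] = {"type": kind, "up": True}
        self._elect_mip_host()
        return host, kind

    def set_type(self, host: int, kind: str):
        """type master|slave on the selected Director, e.g. promoting a slave."""
        if kind not in ("master", "slave"):
            raise ValueError(kind)
        if kind == "master" and host not in self.masters() and len(self.masters()) >= MAX_MASTERS:
            raise ValueError(f"cluster already has {MAX_MASTERS} masters")
        self.hosts[host]["type"] = kind
        self._elect_mip_host()

    def set_health(self, host: int, up: bool):
        """Record the Director's health status ('up' or not); assumed helper."""
        self.hosts[host]["up"] = up
        self._elect_mip_host()

    def delete(self, host: int):
        """Remove a Director cleanly; refused if it is the only member that is up."""
        others_up = any(d["up"] for h, d in self.hosts.items() if h != host)
        if len(self.hosts) > 1 and self.hosts[host]["up"] and not others_up:
            raise RuntimeError(f"host {host} is the only Director that is up; see /boot/delete")
        del self.hosts[host]
        self._elect_mip_host()

    def _elect_mip_host(self):
        """Keep the MIP on the current host while it is a healthy master; otherwise
        the lowest-numbered healthy master takes over (tie-breaking is an assumption)."""
        current = self.hosts.get(self.mip_host)
        if current and current["type"] == "master" and current["up"]:
            return
        candidates = [h for h in self.masters() if self.hosts[h]["up"]]
        self.mip_host = candidates[0] if candidates else None


if __name__ == "__main__":
    c = Cluster()
    c.setup("new")
    for _ in range(5):
        c.setup("join")
    print("masters:", c.masters(), "MIP on host", c.mip_host)
    c.set_health(1, False)
    print("after master 1 fails, MIP on host", c.mip_host)
```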
/cfg/sys/accesslist
Access List Menu
The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For
security purposes, access to these features is restricted through the cluster access list.
The access list allows the administrator to specify IP addresses or address ranges that are
permitted remote access to the system. There is only one access list which is shared by all remote
management features.
Requests for remote management access from any client whose IP address is not on the access
list are dropped. By default, the access list is empty, meaning that all remote management
access is initially disallowed.
When a client’s IP address is added to the access list, that client is permitted to access all
enabled remote management features, provided that a firewall rule exists to allow the type of
traffic, and that the user supplies the appropriate password.
list
This command displays all index and IP address information for all trusted clients which
can access enabled remote management features.
del <index number>
This command lets you remove an access entry by index number. Use the list
command to display the index numbers and IP addresses of access entries.
add <user IP address> <IP subnet mask>
This command lets you add a new IP address or range of addresses to the access list. Any
added clients are considered trusted and have access to any enabled remote management
features.
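The following Python model of the access list is added as an illustration of the behaviour described in this section; it is not Nortel code. It assumes that an entry added with an address and subnet mask matches any client within that network (a mask of 255.255.255.255 admits a single host), that index numbers start at 1 in the order shown by list, and it models only the access-list stage: the firewall rule and the password check that follow are not included. The sample addresses are constructed.

```python
"""Model of the cluster access list: trusted address/mask entries, default deny."""
import ipaddress


class AccessList:
    """Shared remote-management access list (hypothetical model, not Nortel code)."""

    def __init__(self):
        self._entries = []   # ipaddress.IPv4Network objects; position + 1 is the index number

    def add(self, user_ip: str, subnet_mask: str) -> int:
        """/cfg/sys/accesslist/add <user IP address> <IP subnet mask>; returns the new index."""
        net = ipaddress.IPv4Network((user_ip, subnet_mask), strict=False)
        self._entries.append(net)
        return len(self._entries)

    def delete(self, index: int) -> None:
        """/cfg/sys/accesslist/del <index number> (index numbers start at 1)."""
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"no access entry with index {index}")
        del self._entries[index - 1]

    def list(self):
        """/cfg/sys/accesslist/list: (index, network) pairs."""
        return [(i, str(net)) for i, net in enumerate(self._entries, start=1)]

    def permits(self, client_ip: str) -> bool:
        """True if the client may reach enabled management features. An empty list
        denies everyone, which is the documented default."""
        ip = ipaddress.IPv4Address(client_ip)
        return any(ip in net for net in self._entries)


def filter_management_requests(acl: AccessList, requests):
    """Split (client_ip, feature) requests into those passed on to the management
    feature and those dropped at the access list. Firewall rules and password
    checks happen afterwards and are not modelled here."""
    accepted, dropped = [], []
    for client_ip, feature in requests:
        (accepted if acl.permits(client_ip) else dropped).append((client_ip, feature))
    return accepted, dropped


if __name__ == "__main__":
    acl = AccessList()
    # Constructed sample: one admin workstation and one operations subnet.
    acl.add("192.0.2.10", "255.255.255.255")
    acl.add("10.20.0.0", "255.255.0.0")
    sample = [("192.0.2.10", "ssh"), ("192.0.2.11", "ssh"),
              ("10.20.7.3", "bbi"), ("10.30.1.1", "telnet")]
    ok, rejected = filter_management_requests(acl, sample)
    print("accepted:", ok)
    print("dropped :", rejected)
```

Note that the default-deny behaviour falls out of permits() naturally: with no entries, any() over an empty list is False, so enabling Telnet, SSH or the BBI without also populating the list exposes nothing.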
/cfg/sys/adm
Administrative Applications Menu
The Administrative Applications Menu is used to configure Alteon Switched Firewall remote
management features such as Telnet, SSH, SNMP, and the BBI.
web
The Web Administration Menu is used to configure the Browser-Based Interface (BBI).
The BBI provides HTTP or Secure Socket Layer (SSL) access for remote management
of the Alteon Switched Firewall using a Web browser.
See page 221 for menu items.
audit
The Audit Settings Menu is used to configure the servers that receive log messages on
the commands executed in the CLI and the Web UI.
See page 228 for menu items.
/cfg/sys/adm/telnet
Telnet Administration Menu
The Telnet Administration Menu is used to enable or disable remote Telnet access to the
Alteon Switched Firewall CLI. By default, Telnet access is disabled. Depending on how strict
your security policy is, you may enable Telnet access and restrict it to one or more trusted
clients.
NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet
client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote
access is required, see “Using Secure Shell” on page 150. For more information on the Telnet
feature, see “Using Telnet” on page 148.
ena
This command enables the Telnet management feature. When enabled, Telnet access to
the cluster MIP address is allowed for trusted clients which have been added to the
cluster access list (see “Defining the Remote Access List” on page 146).
dis
This command disables the Telnet management feature. This is the default. When
disabled, all active Telnet administration sessions will be terminated, and all new Telnet
requests sent to the MIP address will be dropped.
/cfg/sys/adm/ssh
SSH Administration Menu
The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote
access to the Alteon Switched Firewall management CLI. This menu is also used for
generating SSH host keys.
An SSH connection allows secure management of the Alteon Switched Firewall from any
workstation connected to the network. SSH access provides server host authentication,
encryption of management messages, and encryption of passwords for user authentication. By
default, SSH is disabled.
NOTE – To use this feature, you must install a firewall rule that allows SSH traffic to pass to
and from the Firewall Directors.
For more information on the SSH feature, see “Using Secure Shell” on page 150.
ena
This command enables the SSH management feature. When enabled, SSH access to the
cluster MIP address is allowed for trusted clients which have been added to the cluster
access list (see “Defining the Remote Access List” on page 146).
dis
This command disables the SSH management feature. This is the default. When
disabled, all active SSH administration sessions will be terminated, and all new SSH
requests sent to the MIP address will be dropped.
gensshkeys
This command generates new SSH host keys.
/cfg/sys/adm/snmp
SNMP Administration Menu
The Alteon Switched Firewall software supports elements of the Simple Network Management
Protocol (SNMP). If you are running an SNMP network management station on your network,
you can read and write ASF configuration information and collect statistics using the following
SNMP Management Information Bases (MIBs):
NOTE – To use this feature, you must install a firewall rule that allows SNMP traffic to pass to
and from the Firewall Directors.
ena
This command enables the SNMP features.
dis
This command disables the SNMP features. This is the default.
model v1|v2c|usm
This command is used to specify which form of SNMP security will be used by the ASF:
v1: Use the SNMP version 1 security model.
v2c: Use the SNMP version 2c security model. (Default)
usm: Use the SNMP version 3 User-based Security Model (USM).
level none|auth|priv
This command is used only when usm is selected. It is used to specify the desired degree
of SNMPv3 (also called USM) security:
none: No SNMPv3 encryption/authentication.
auth: SNMPv3 authentication only. Verify the SNMP user password before granting
SNMP access. SNMP information is transmitted in plain text.
priv: SNMPv3 authentication and encryption. Verify the SNMP user password
before granting SNMP access and encrypt all SNMP information with the user’s
individual key. (Default)
USM user names, along with their passwords and encryption keys, are defined in the
SNMP Users Menu (/cfg/sys/adm/snmp/users)
access d|r|rw
This command sets the SNMP access control:
d: Disable SNMP read capability. Users will be sent only enabled event and alarm
messages and are not permitted to read SNMP information from the ASF. (Default)
r: Enable SNMP read capability. Users will be sent enabled event and alarm
messages and are also allowed to read SNMP information from the supported ASF MIBs.
rw: Enable SNMP read and write capability. Users will be sent enabled event and
alarm messages and are also allowed to read and write SNMP information from the
supported ASF MIBs.
events y|n
This command is used to enable or disable sending cluster event messages to the SNMP
trap hosts. When enabled, messages regarding general occurrences (such as detection of
a new component) are sent. The default is disabled.
alarms y|n
This command is used to enable or disable sending cluster alarm messages to the SNMP
trap hosts. Alarm messages indicate serious conditions which may require administrative
action. The default is disabled.
/cfg/sys/adm/snmp/users
SNMP Users Menu
The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the
security model (/cfg/sys/adm/snmp/model), SNMP access is granted to the users and
passwords defined in this menu.
list
This command lists all configured USM users.
del <user name>
This command lets you remove a USM user from the cluster configuration. Use the
list command to display the configured USM users.
add <user name>
This command lets you add a USM user. When the command is initiated, you will be
prompted to enter the following:
get and/or trap: specify whether the user is authorized to perform SNMP get
requests and/or receive enabled trap event and alarm messages. Enter get trap to
specify that both are allowed.
user password (and confirmation): password the user must enter for access.
/cfg/sys/adm/snmp/hosts
Trap Hosts Menu
The Trap Hosts Menu is used to add, remove, or list hosts which will receive SNMP event or
alarm messages from the cluster.
list
This command lists all configured trap hosts which will receive SNMP event or alarm
messages from the cluster.
del <index number>
This command lets you remove an SNMP trap host from the cluster configuration by
specifying the trap host’s index number. Use the list command to display the index
numbers and IP addresses of configured trap hosts.
add <trap host IP address> <port number> <community string> <trap user (usm)>
This command lets you add an SNMP trap host. The trap host with the specified IP
address will receive any enabled SNMP messages from the cluster. Event messages and
alarm messages can be independently enabled or disabled in the SNMP Administration
Menu (see page 214). The default port number is 162 and the default community string
is v2c.
If the traps are sent in SNMPv1 or SNMPv2c, then the community string should be set.
Note that the firewall supports a single version only, so the ASF configuration
determines if the community string is used (for example, if the firewall is set to v1 or v2, then
a community string is required).
If the traps are sent in SNMPv3 (USM), then specify the trap user. This is only needed if
you configure usm.
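The model, level, access and trap-host settings in the SNMP Administration Menu interact, and the weak combinations (a community-string model, USM without priv, read-write access, a trap host missing the credential its model needs) are easy to leave in place. The following Python audit is added as an illustration of those rules; it is not Nortel code and does not read a real device. It takes the settings as a plain dict whose keys mirror the command names in this menu (ena, model, level, access, events, alarms, hosts), an arrangement assumed for the example, and the two sample configurations are constructed.

```python
"""Audit of the SNMP Administration settings described above (hypothetical model)."""

WEAK_MODELS = {"v1", "v2c"}   # community-string based: unauthenticated and cleartext


def check_trap_host(model: str, host: dict) -> list:
    """Apply the trap-host rules: v1/v2c traps need a community string, usm traps need a trap user."""
    problems = []
    if model in WEAK_MODELS and not host.get("community"):
        problems.append(f"trap host {host['ip']}: community string required for {model}")
    if model == "usm" and not host.get("trap_user"):
        problems.append(f"trap host {host['ip']}: USM trap user required for usm")
    return problems


def audit_snmp(cfg: dict) -> list:
    """Return findings for an SNMP configuration dict with the keys used in this menu.
    An empty list means nothing to flag. Defaults follow the menu text: v2c, priv, d."""
    findings = []
    if not cfg.get("ena", False):
        return findings   # SNMP disabled (the default): nothing is exposed
    model = cfg.get("model", "v2c")
    if model in WEAK_MODELS:
        findings.append(f"model {model}: community-string authentication, management data in cleartext")
    if model == "usm":
        level = cfg.get("level", "priv")
        if level == "none":
            findings.append("level none: SNMPv3 without authentication or encryption")
        elif level == "auth":
            findings.append("level auth: SNMPv3 data transmitted in plain text")
    access = cfg.get("access", "d")
    if access == "rw":
        findings.append("access rw: managers may change ASF configuration over SNMP")
    if (cfg.get("events") or cfg.get("alarms")) and not cfg.get("hosts"):
        findings.append("events/alarms enabled but no trap hosts configured")
    for host in cfg.get("hosts", []):
        findings.extend(check_trap_host(model, host))
    return findings


# Constructed sample configurations, not taken from a real device.
WEAK_CONFIG = {
    "ena": True, "model": "v2c", "access": "rw", "alarms": True,
    "hosts": [{"ip": "192.0.2.50", "port": 162, "community": ""}],
}
HARDENED_CONFIG = {
    "ena": True, "model": "usm", "level": "priv", "access": "r", "alarms": True,
    "hosts": [{"ip": "192.0.2.50", "port": 162, "trap_user": "nms-trap"}],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_snmp(cfg) or ["ok"])
```

The hardened sample is the combination the menu text itself points to: usm with level priv (the default once usm is chosen), read-only access, and a trap host carrying a USM trap user rather than a community string.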
/cfg/sys/adm/snmp/system
SNMP System Information Menu
The SNMP System Information Menu is used to configure basic identification information
such as support contact name, system name, and system location.
/cfg/sys/adm/snmp/adv
Advanced SNMP Settings Menu
The Advanced SNMP Options Menu is used to configure less common SNMP options.
allinf y|n
This command determines which interfaces will accept SNMP requests. If enabled (y), SNMP
requests will be accepted on all interfaces. If disabled (n), SNMP requests will be accepted only at
the cluster MIP address or individual Firewall Director IP address. This option is disabled by
default.
trapsrcip auto|unique|mip
This command is used to configure which source IP address will be used with SNMP
traps generated from the Alteon Switched Firewall.
auto: The IP address of the outgoing interface is used. This is the default.
unique: The IP address of the individual Firewall Director is used.
mip: The IP address of the cluster MIP is used. This setting is useful with applications
(such as some versions of HP OpenView) that expect devices to be limited to only one
IP address.
/cfg/sys/adm/web
Web Administration Menu
The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The
BBI allows for refined, intuitive remote management of the Alteon Switched Firewall using a
Web browser. The BBI can be configured to use HTTP (non-secure), HTTPS with Secure
Socket Layer (SSL), or both.
NOTE – In order to use this feature, you must install a firewall rule that allows HTTP or
HTTPS traffic to pass to and from the Firewall Directors.
For more information, see the Alteon Switched Firewall Browser-based Interface Guide.
http
The HTTP Configuration Menu is used to configure BBI access using HTTP
(non-secure).
See page 222 for menu items.
ssl
The SSL Configuration Menu is used to configure BBI access using HTTPS with Secure
Socket Layer (SSL). For security reasons, using SSL with the BBI is highly
recommended.
See page 223 for menu items.
/cfg/sys/adm/web/http
HTTP Configuration Menu
The HTTP Configuration Menu is used to configure Browser-Based Interface (BBI) access
using HTTP. By default, HTTP access is enabled, but restricted to trusted clients. Depending
on the severity of your security policy, you may disable HTTP access and refine the list of
trusted clients.
NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP
client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote
access is required, see the “SSL Configuration Menu” on page 223.
For more information on using the BBI, see Alteon Switched Firewall Browser-based
Interface Guide.
/cfg/sys/adm/web/ssl
SSL Configuration Menu
The SSL Configuration Menu is used to configure BBI access using HTTPS. HTTPS uses
Secure Sockets Layer (SSL) to provide server host authentication, encryption of management
messages, and encryption of passwords for user authentication. Using SSL with the BBI is
highly recommended for security reasons. By default, SSL is disabled.
In addition to enabling/disabling the HTTPS feature, this menu allows you to set the HTTPS
port, set SSL version, and access menus for generating SSL certificates.
For more information on using the BBI, see the Alteon Switched Firewall Browser-based
Interface Guide.
tls y|n
This command enables or disables Transport Layer Security (TLS) for the SSL service. The
default value is enabled.
sslv2 y|n
This command enables or disables SSL Version 2. The default value is enabled.
sslv3 y|n
This command enables or disables SSL Version 3. The default value is enabled.
certs
The Certificate Management Menu is used to configure server certificates and external
Certificate Authority certificates required for SSL.
See page 225 for menu items.
/cfg/sys/adm/web/ssl/certs
Certificate Management Menu
[Certificate Management Menu]
serv - Server Certificate Management Menu
ca - Certificate Authority Management Menu
The Certificate Management Menu is used to add or remove server certificates and external
Certificate Authority certificates required for SSL.
serv
The Server Certificate Management Menu is used to generate a certificate request or create
a self-signed certificate.
See page 226 for menu items.
ca
The Certificate Authority Management Menu is used to manage CA (Certification Authority)
certificates. This is required if server certificates from external CAs are being used.
See page 227 for menu items.
/cfg/sys/adm/web/ssl/certs/serv
Server Certificate Management Menu
The Server Certificate Management Menu is used to administer SSL server certificates.
/cfg/sys/adm/web/ssl/certs/ca
CA Certificate Management Menu
The CA Certificate Management Menu is used to administer SSL external Certificate Author-
ity (CA) certificates.
list
This command lists all configured CA certificates.
del
This command is used to remove a CA certificate from the cluster configuration.
add
This command is used to add a CA certificate. After you have entered this command, the
system will expect you to paste the PEM-encoded certificate into the CLI. When done
pasting the certificate, add three periods (...) and press <Enter> to return to the CLI.
/cfg/sys/adm/audit
Audit Menu
[Audit Menu]
servers - Radius Servers Menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for audit attribute
ena - Enable Server
dis - Disable Server
The Audit menu is used for configuring a RADIUS server to receive log messages about
commands executed in the CLI or the Web User Interface. If auditing is enabled but no RADIUS
server is configured, events will still be generated to the event log and any configured syslog
servers. Auditing is disabled by default.
An event is generated whenever a user logs in or logs out, or issues a command from a CLI
session. The event contains the user name and session ID as well as the name of each
executed command. This event is optionally sent to a RADIUS server for audit trail logging
according to RFC 2866 (RADIUS Accounting).
servers
This command displays the RADIUS Audit servers menu.
To view menu options, see page 230.
vendorid
Assigns the SMI Network Management Private Enterprise Code—as defined by IANA in the file
http://www.iana.org/assignments/enterprise-numbers—to the following vendor-specific attribute:
Vendor-Id.
The Vendor-Id—represented by the private enterprise number—is one of the RADIUS vendor-
specific attributes.
The default Vendor-Id is set to 1872 (Alteon).
Note: If another Vendor-Id is used by your RADIUS system, you can use the vendorid
command to bring the RADIUS configuration in line with the value used by the remote RADIUS
system. Contact your RADIUS system administrator for more information.
vendortype
Assigns a number to the following vendor-specific attribute used in RADIUS: Vendor-Type.
Used in combination with the Vendor-Id number, the vendor type number identifies the audit
attribute which will contain the audit information.
The default vendor type value is set to 2.
Tip! Finding audit entries in the RADIUS server’s log can be made easier by defining a suitable
string in the RADIUS server’s dictionary (for example, Alteon-ASF-Audit-Trail) and mapping this
string to the vendor type value.
Note: If another number for the vendor type is used by your RADIUS system, you can use the
vendortype command to bring the RADIUS configuration in line with the value used by the remote
RADIUS system. Contact your RADIUS system administrator for more information.
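The vendorid and vendortype settings above describe how the audit string is carried inside a RADIUS Vendor-Specific attribute (RFC 2865, attribute type 26). The following is an added example, not code from the manual or from the product: it encodes an audit entry with the default Vendor-Id 1872 and vendor type 2, and shows how a receiving server that has defined the suggested dictionary name (Alteon-ASF-Audit-Trail) would pick it out of a constructed Accounting-Request body. The packet layout, user name and command are constructed sample values.

```python
import struct

# Defaults stated in the manual: Vendor-Id 1872 (Alteon) and vendor type 2.
ALTEON_VENDOR_ID = 1872
AUDIT_VENDOR_TYPE = 2
VENDOR_SPECIFIC = 26        # RADIUS attribute type 26, Vendor-Specific (RFC 2865)
USER_NAME = 1               # standard attribute types used in the constructed body
ACCT_SESSION_ID = 44

# Dictionary mapping as the manual's tip suggests (mapping constructed here).
AUDIT_DICTIONARY = {(ALTEON_VENDOR_ID, AUDIT_VENDOR_TYPE): "Alteon-ASF-Audit-Trail"}


def standard_attr(attr_type, data):
    """Encode a plain RADIUS attribute: Type(1) Length(1) Value."""
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_audit_vsa(audit_text, vendor_id=ALTEON_VENDOR_ID, vendor_type=AUDIT_VENDOR_TYPE):
    """Encode one Vendor-Specific attribute carrying the audit string.

    Layout (RFC 2865 section 5.26):
      Type(1)=26 Length(1) Vendor-Id(4, high octet 0) Vendor-Type(1) Vendor-Length(1) data
    Vendor-Length counts the vendor type, vendor length and data octets.
    """
    data = audit_text.encode("utf-8")
    vendor_len = 2 + len(data)
    attr_len = 6 + vendor_len
    if attr_len > 255:          # Length is a single octet
        raise ValueError("audit text too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                       vendor_id, vendor_type, vendor_len) + data


def iter_attributes(payload):
    """Walk the attribute list of a RADIUS packet body, validating each length."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield attr_type, payload[pos + 2:pos + attr_len]
        pos += attr_len


def extract_audit_entries(payload, dictionary=AUDIT_DICTIONARY):
    """Return [(attribute_name, text)] for every VSA the dictionary recognises.

    VSAs whose (Vendor-Id, Vendor-Type) pair is not in the dictionary are skipped,
    which is what a server with a mismatched vendorid/vendortype would do.
    """
    found = []
    for attr_type, value in iter_attributes(payload):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        # One VSA may hold several vendor sub-attributes back to back.
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                break       # malformed sub-attribute: stop parsing this VSA
            name = dictionary.get((vendor_id, vtype))
            if name is not None:
                text = value[vpos + 2:vpos + vlen].decode("utf-8", "replace")
                found.append((name, text))
            vpos += vlen
    return found


def constructed_accounting_body(user, session_id, command):
    """Attribute list of a constructed Accounting-Request (header omitted)."""
    return (standard_attr(USER_NAME, user.encode())
            + standard_attr(ACCT_SESSION_ID, session_id.encode())
            + build_audit_vsa("user=%s session=%s cmd=%s" % (user, session_id, command)))


if __name__ == "__main__":
    body = constructed_accounting_body("oper", "sess-0001", "/cfg/sys/user/expire 90d")
    for name, text in extract_audit_entries(body):
        print("%s = %s" % (name, text))
```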
ena
This command enables the Radius server.
dis
This command disables the Radius server.
/cfg/sys/adm/audit/servers
Radius Audit Servers Menu
The RADIUS Audit servers menu is used for adding, modifying and deleting information
about RADIUS audit servers.
list
Lists the IP addresses of currently configured RADIUS audit servers, along with their
corresponding index numbers.
del
Removes the specified RADIUS audit server from the configuration. Use the list command to
display the index numbers of all added RADIUS audit servers.
/cfg/sys/log
Platform Logging Menu
The Platform Logging Menu is used to configure system message logging features. Messages
can be logged to the system console terminal or the ELA facility, archived to a file that can be
automatically e-mailed, and used for debugging.
syslog
The System Logging Menu is used to configure syslog servers. The Alteon Switched
Firewall software can send log messages to specified syslog hosts.
See page 233 for menu items.
ela
The ELA Menu is used to configure the Event Logging API (ELA) feature. ELA allows
cluster log messages to be sent to a Check Point management server for display through
the Check Point SmartView Tracker.
See page 234 for menu items.
arch
The Log Archiving Menu is used to archive log files when the file reaches a specific size
or age. When log rotation occurs, the current log file is set aside or e-mailed to a
specified address and a new log file is begun.
See page 236 for menu items.
debug y|n
This command is used to enable or disable specialized debugging log messages. This is
disabled by default and should be enabled only as directed by Nortel Networks technical
support.
srcip auto|unique|mip
This command is used to configure which source IP address will be used with logs
generated from the Alteon Switched Firewall.
auto: The IP address of the outgoing interface is used. This is the default.
unique: The IP address of the individual Firewall Director is used.
mip: The IP address of the cluster MIP is used. This setting is useful with applications
(such as some versions of HP OpenView) that expect devices to be limited to only one
IP address.
/cfg/sys/log/syslog
System Logging Menu
The System Logging Menu is used to configure syslog servers. The Alteon Switched Firewall
software can send log messages to specified syslog hosts.
list
This command displays all configured syslog servers by their index number, IP address,
and facility number.
del <syslog index number>
This command lets you remove a syslog server from the cluster configuration by
specifying the server’s index number.
add <syslog server IP address> <severity level>
This command lets you add a new syslog server, including its IP address and local
facility number. The local facility number can be used to uniquely identify syslog entries.
For more information, see the UNIX manual page for syslog.conf.
The severity level is used to set the logging severity level. All messages at the specified
level of severity or higher will be logged to the ELA. The severity level can be emerg,
alert, crit, err, notice, info, or debug. The default value is set to err.
insert <index number> <IP address> <severity level>
This command lets you add a new IP address to the access list at the specified index
position. All existing items at the specified index number and higher are incremented by
one position. Obtain the index number from the above list command.
The severity level is used to set the logging severity level. All messages at the specified
level of severity or higher will be logged to the ELA. The severity level can be emerg,
alert, crit, err, notice, info, or debug. The default value is set to err.
move <from index number> <to index number>
This command removes the IP address of the specified from index number and inserts it
at the specified to index number in the access list.
/cfg/sys/log/ela
ELA Logging Menu
The ELA Logging Menu is used to configure the Event Logging API (ELA) feature. ELA
allows cluster log messages to be sent to a Check Point management server for display through
the Check Point SmartView Tracker.
ELA configuration requires steps at both the Alteon Switched Firewall and at Check Point
management server. For configuration details, see Appendix A, “Event Logging API,” on
page 335.
ena
This command is used to enable the ELA feature. When enabled, system log messages
will be sent to the Check Point management server.
dis
This command is used to disable ELA. This is the default.
addr <IP address>
This command is used to set the IP address of the management server to which cluster
log messages will be sent. Specify the IP address in dotted decimal notation. The default
address is set to 0.0.0.0.
sev emerg|alert|crit|err|notice|info|debug
This command is used to set the severity of the log messages that are sent to the Check
Point logger. All messages at the specified level of severity or higher are logged to the
ELA. The default value is set to err. The list of severities below goes from most severe
to least severe:
emerg: Emergency
alert: Alert
crit: Critical
err: Error
notice: Notice
info: Info
debug: Debug
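Both the syslog server entries above (severity level plus local facility number) and the ELA sev command apply the same rule: a message is forwarded when it is at the configured level or more severe. This added example (not code from the manual or the product) models the sender side, which applies the threshold and builds the syslog PRI value from the local facility and severity, and the receiver side, which splits the PRI to tell clusters apart by facility. The event texts and facility numbers are constructed sample values; the numeric severity codes follow RFC 3164/5424.

```python
# Severity keywords the CLI accepts, in the manual's order (most to least severe).
CLI_SEVERITIES = ("emerg", "alert", "crit", "err", "notice", "info", "debug")

# Numeric codes from RFC 3164 / RFC 5424; lower is more severe. "warning" (4)
# exists in the standard but is not one of the CLI keywords listed above.
SEVERITY_CODE = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}
LOCAL_FACILITY_BASE = 16     # syslog facility local0 = 16 ... local7 = 23


def at_or_above(msg_severity, threshold):
    """True when the message is at the threshold level or more severe."""
    return SEVERITY_CODE[msg_severity] <= SEVERITY_CODE[threshold]


def syslog_pri(local_facility, severity):
    """PRI value carried in the <NNN> prefix of a syslog line."""
    if not 0 <= local_facility <= 7:
        raise ValueError("local facility must be 0..7")
    return (LOCAL_FACILITY_BASE + local_facility) * 8 + SEVERITY_CODE[severity]


def split_pri(pri):
    """Inverse of syslog_pri: (facility number, severity keyword)."""
    facility, code = divmod(pri, 8)
    keyword = next(k for k, v in SEVERITY_CODE.items() if v == code)
    return facility, keyword


def forward(events, threshold, local_facility):
    """Sender side: keep events passing the threshold and render syslog lines."""
    lines = []
    for severity, text in events:
        if at_or_above(severity, threshold):
            lines.append("<%d>%s" % (syslog_pri(local_facility, severity), text))
    return lines


def route_by_facility(lines):
    """Receiver side: group lines by the local facility encoded in their PRI."""
    by_facility = {}
    for line in lines:
        if not line.startswith("<") or ">" not in line:
            continue                      # not a PRI-prefixed syslog line
        facility, _ = split_pri(int(line[1:line.index(">")]))
        by_facility.setdefault(facility - LOCAL_FACILITY_BASE, []).append(line)
    return by_facility


# Constructed sample events (severity keyword, message text).
CONSTRUCTED_EVENTS = [
    ("info", "user oper logged in"),
    ("err", "apply failed: trunk master port not defined"),
    ("crit", "accelerator health check failed 3 times"),
    ("debug", "naap keepalive sent on port 11"),
    ("alert", "accelerator 1 down, backup taking over"),
]

if __name__ == "__main__":
    sent = forward(CONSTRUCTED_EVENTS, "err", 4)   # cluster A tagged local4
    for line in sent:
        print(line)
    print(route_by_facility(sent))
```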
dn <OPSEC SIC name>
This command is used to set the Distinguished Name (DN) of the management server. The
DN is defined in the Check Point SmartDashboard tool under the management server
properties. The DN is found in the Secure Internal Communication (SIC) area.
pull
This command is used to obtain a certificate for secure communication from the
management server.
/cfg/sys/log/arch
Log Archiving Menu
The Log Archiving Menu is used to archive log files when the file reaches a specific size or
age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address
and a new log file is begun.
If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size,
or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0,
the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP
Server IP address are set, then the log file is e-mailed when rotated.
/cfg/sys/user
User Menu
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
adv - Advanced User Configuration Menu
The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user accounts,
and change passwords.
There are four default user accounts which cannot be deleted: admin, oper, root, and
boot. See “Users and Passwords” on page 141 for information about default passwords and
privileges. Only the administrator can change the passwords.
The password for the boot user cannot be changed. This ensures that if you were to lose all
system passwords, the boot user would be able to access the system through the local serial port.
passwd
This command is used to change the administrator password. Only the admin user can
perform this action. You will be prompted to enter the current administrator password.
Then, you will be prompted to enter and confirm the new administrator password.
expire [<days>d][<hours>h][<minutes>m][<seconds>s]
This command sets the interval after which user passwords expire. Time can be specified in
seconds (s), minutes (m), hours (h), or days (d). When a user attempts to log in using an
expired password, they will be prompted to change the password. When the expiration
value is set to 0 (zero), passwords do not expire. The default is 0.
list
This command lists all editable user accounts. The boot user is not listed because this
account cannot be altered.
del <user name>
This command lets you delete user accounts. Only the admin user can perform this action.
Of the four default users (admin, oper, root, and boot), only oper can be deleted.
The Edit User Menu is used to change passwords and assign group privileges for the user
account specified by the user name.
password
This command is available for admin user only. The command lets you change the
password for the admin user. You will be prompted to enter the current administrator
password; then, you will be prompted to enter and confirm the new user password.
groups <group name>
This command lets you assign the selected user to a group. By default there are three
predefined groups: admin, oper, and root. For the privileges of each group, see “Users
and Passwords” on page 141.
You can also define your own groups. Any user placed in a group other than one of the
predefined groups will be given oper privileges only.
See page 239 for menu items.
/cfg/sys/user/edit <user>/groups
Groups Menu
[Groups Menu]
list - List all values
del - Delete a value by number
add - Add a new value
The Groups Menu is used to assign the selected user to one or more groups.
By default there are three predefined groups: admin, oper, and root. For the privileges of
each group, see “Users and Passwords” on page 141. You can also define your own groups.
Any user placed in a group other than one of the predefined groups will be given oper
privileges only.
list
This command displays all configured groups to which the user belongs by their index
number.
del <group index number>
This command lets you remove the user from a group by specifying the group’s index
number.
add <group name>
This command lets you add the user to the specified group.
/cfg/sys/user/adv
Advanced User Configuration Menu
user
This command allows you to manage remote SSH users.
See page 240 for menu items.
/cfg/sys/user/adv/user
SSH User <user name> Menu
This menu allows remote users to log in to troubleshoot or perform maintenance on the
firewall. This feature must be used cautiously, because it provides users with the ability to log in
remotely using SSH and access the Linux shell. Remote users who know the root password can
use the Linux su utility and run “su root”. By default the remote SSH user account is disabled.
To log in, the user has to authenticate using the public key/private key mechanism. DSA
or RSA key pairs can be used, but they must be in OpenSSH version 2 format only.
Password-based authentication is not allowed.
The IP address of the remote user must be part of the access list.
The Check Point policy must allow the SSH connection between the remote user and
the ASF.
name
This command sets the full name of the user.
pubkey
This command allows you to set the RSA or DSA public key for the user. The user will
not be able to login until this value is set correctly and the SSH client is configured to use
the corresponding private key for authentication. The RSA or DSA key has to be in
OpenSSH v2 format only.
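The pubkey command accepts only an RSA or DSA public key in OpenSSH v2 format, and a key pasted in PEM or SSH2 (RFC 4716) form will silently leave the account unusable. This added example (not code from the manual or the product) checks a pasted line before it is entered: it rejects the other formats, requires an ssh-rsa or ssh-dss key type, and verifies that the key type embedded in the base64 blob matches the leading keyword. The helper that builds a sample key from constructed RSA parameters exists only so the check can be exercised offline.

```python
import base64
import struct

OPENSSH_KEY_TYPES = {"ssh-rsa", "ssh-dss"}   # RSA or DSA, as the manual requires


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(n):
    """RFC 4251 'mpint': two's complement, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_constructed_rsa_pubkey(e, n, comment="constructed@example"):
    """Build an OpenSSH-format ssh-rsa line from constructed (not real) parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def check_openssh_pubkey(line):
    """Return (ok, reason) for a single pasted public-key line."""
    text = line.strip()
    if text.startswith("-----BEGIN") or text.startswith("---- BEGIN"):
        return False, "PEM or RFC 4716 (SSH2) format, not OpenSSH format"
    parts = text.split()
    if len(parts) < 2:
        return False, "expected '<keytype> <base64> [comment]'"
    keytype, b64 = parts[0], parts[1]
    if keytype not in OPENSSH_KEY_TYPES:
        return False, "key type %r is not ssh-rsa or ssh-dss" % keytype
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return False, "key data is not valid base64"
    # The blob starts with an RFC 4251 string naming the algorithm; it must
    # agree with the keyword in front of the base64 data.
    if len(blob) < 4:
        return False, "key blob truncated"
    name_len = struct.unpack("!I", blob[:4])[0]
    if 4 + name_len > len(blob):
        return False, "key blob truncated"
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != keytype:
        return False, "embedded key type %r does not match %r" % (embedded, keytype)
    return True, "ok"


if __name__ == "__main__":
    sample = make_constructed_rsa_pubkey(65537, (1 << 255) + 12345)
    print(check_openssh_pubkey(sample))
    print(check_openssh_pubkey("-----BEGIN PUBLIC KEY-----"))
```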
ena
This command enables the user account.
dis
This command disables the user account.
del
This command removes the user account.
/cfg/pnp
SFD IP and Firewall License Menu
[SFD IP and Firewall License Menu]
list - List detailed status of current IPs and Licenses
del - Delete IP address and firewall license
add - Add new IP address and firewall license
ena - Enable Plug N Play
dis - Disable Plug N Play
The SFD IP and Firewall License Menu is used for pre-configuring resources that allow the
system to automatically configure any new Firewall Directors that are added to the cluster.
Resources configured under this menu include a pool of IP addresses and Check Point
licenses. When Plug N Play is enabled and resources are available, a new Firewall Director
attached to the cluster will automatically be configured and brought into service.
list
This command is used to list the IP addresses and Check Point licenses currently in the
Plug N Play resource pool. Listed data includes the expiration dates of the licenses.
Licenses configured using the Check Point central licensing mechanism will not be listed
using this command.
del
This command is used to remove an IP address and/or Check Point license from the
Plug N Play resource pool. You will be prompted to enter the IP address you wish to
have removed from the pool. Only unused resources can be deleted. To remove a
Firewall Director which is presently a member of the cluster, see the delete command in
the Firewall Director Host Menu on page 208.
add
This command is used to add an IP address and/or Check Point license to the
Plug N Play resource pool. You will be prompted to enter an IP address and Check Point
license information.
ena
This command is used to turn on the Plug N Play feature. This is the default. If resources
are available (using the add command), Plug N Play allows the cluster to automatically
detect new Firewall Directors, join them to the cluster, configure them, and start them
participating in firewall processing.
dis
This command is used to turn off the Plug N Play feature. When Plug N Play is disabled,
you must manually configure each new Firewall Director being added to the cluster.
/cfg/acc
Accelerator Configuration Menu
[Accelerator Configuration Menu]
auto - Set auto discovery
ha - Set high availability
vma - Set VMA-based performance
rearp - Set re-ARP period in minutes
passwd - Set accelerator password
ac1 - Accelerator 1 Menu
ac2 - Accelerator 2 Menu
master - preferred HA master
det - Display detected accelerators
hc - Health Check Menu
mgmtnet - Set higher priority management network
The Accelerator Configuration Menu is used to configure parameters for the cluster Firewall
Accelerators. This includes the IP addresses and MAC addresses of the Firewall Accelerators
and options for high availability and auto detection.
auto y|n
This command is used to configure the automatic discovery feature. If this feature is
enabled, when the Firewall Director boots up, it will automatically detect the attached
Firewall Accelerator and use it for acceleration when the firewall software starts. By
default this command is enabled.
If auto detect is disabled, the administrator must manually configure the MAC addresses
of the Firewall Accelerators which will be used by the Firewall Directors to accelerate
firewall processing (see ac1 and ac2).
ha y|n
This command is used to enable or disable the high-availability feature. This is disabled by
default. High-availability requires two Firewall Accelerators installed in a redundant
configuration. See Chapter 7, “Expanding the Cluster,” on page 105 for more information.
vma on|off
This command is used to configure the Virtual Matrix Architecture (VMA) feature on
the Firewall Accelerator.
on: All Firewall Accelerator ports share session resource information. This is used
primarily in complex network environments where a session’s responses may use a
different port path than the session’s requests. VMA is on by default.
off: All Firewall Accelerator ports are responsible for their own session information.
This increases firewall speed, but requires simpler network structures where a
session’s responses return on the same port path as the session’s requests.
rearp <time period (2 to 120 minutes)>
Sets the re-ARP period in minutes. The Alteon Switched Firewall periodically sends
ARP (Address Resolution Protocol) requests to refresh its address database. This
command is used for setting the interval between ARP refreshes of the next IP address in the
database. The default interval is 10 minutes.
passwd
This command lets you change the password used for direct access to the Firewall
Accelerator console port. The default password is admin, but can be changed for
security purposes. When this command is entered, you will be prompted to enter and confirm
the new password.
ac1
The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first
Firewall Accelerator in the cluster.
See page 247 for menu items.
ac2
The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second
Firewall Accelerator in the cluster. This is needed only in high-availability
configurations.
See page 248 for menu items.
master 1|2
This command is used to select which Firewall Accelerator is preferred for firewall
acceleration in a high-availability configuration. This setting is ignored when the
automatic discovery feature is enabled (see the auto command on page 244).
Specify 1 to use the Firewall Accelerator defined in ac1, and 2 for ac2.
det
When automatic discovery (auto) is enabled, the first discovered Firewall Accelerator in
a high-availability configuration is used for the firewall acceleration. This command lists
the MAC address and IP address of the active Firewall Accelerator that is currently
being used for firewall acceleration.
hc
The Health Check Parameters Menu is used to configure the parameters that determine when a
Firewall Accelerator is considered up or down.
See page 249 for menu items.
mgmtnet <management network IP address> <subnet mask>
This command is used to configure a priority management network for the Alteon
Switched Firewall. Traffic on the priority management network is protected from being
dropped under conditions of excessive firewall load. This prevents the Alteon Switched
Firewall from losing contact with management tools during denial-of-service attacks.
The default values are set to 0.0.0.0 with mask 255.0.0.0.
/cfg/acc/ac1
Accelerator 1 Menu
[Accelerator 1 Menu]
mac - Set MAC Address
addr - Set IP Address
iap - Set inter-accelerator Port
The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first Firewall
Accelerator in the cluster.
/cfg/acc/ac2
Accelerator 2 Menu
[Accelerator 2 Menu]
mac - Set MAC Address
addr - Set IP Address
iap - Set inter-accelerator Port
The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second Firewall
Accelerator in the cluster. This is needed only in high-availability configurations.
/cfg/acc/hc
Health Check Parameters Menu
The Health Check Parameters Menu is used to configure the parameters that determine when a
Firewall Accelerator is considered up or down.
Each Firewall Accelerator tests the status of the other. These tests are performed at regular,
definable intervals. If a Firewall Accelerator fails its test a definable number of times, the
device is classified as down. If the master Firewall Accelerator in a high-availability
configuration is down, the backup will take over.
/cfg/net
Network Configuration Menu
[Network Configuration Menu]
port - Port Menu
vlan - VLAN Menu
if - Interface Menu
gre - GRE Tunnel Menu
route - Routing Settings Menu
dhcprl - DHCP Relay Menu
mirr - Port Mirroring Menu
idslb - IDS Load Balancing Menu
adv - Advanced Settings Menu
Use the Network Configuration Menu to configure networks passing traffic through the firewall.
gre
The Generic Routing Encapsulation Menu is used to configure GRE tunneling in the
Alteon Switched Firewall.
See page 268 for menu items.
route
The Routing Settings Menu is used to configure default IP gateways, static routes, RIP,
and OSPF parameters.
See page 270 for menu items.
dhcprl
The DHCP Relay Menu is used to configure DHCP relaying with the Alteon Switched
Firewall.
See page 306 for menu items.
mirr
The Port Mirroring Menu is used to monitor ports for diagnostics.
See page 309 for menu items.
idslb
The IDS Load Balancing Menu is used to load balance IDS servers.
See page 312 for menu items.
adv
The Advanced Settings Menu is used to configure domain name, port filter, local route
caching, VRRP, and proxy ARP parameters.
See page 314 for menu items.
[Port 1 Menu]
name - Set port name
copper - Copper Physical Link Menu
fiber - Fiber Physical Link Menu
pref - Set preferred physical connector
back - Set backup physical connector
trunk - Set trunk membership
ena - Enable port
dis - Disable Port
del - Remove Port
o------- - --When trunked, items below are set by master port--o
filt - Port Filters Menu
enf - Set filtering
naap - Set NAAP
vtag - Set VLAN tagging
The Network Port Menu is used for configuring the specified physical port on the Firewall
Accelerator. In addition to enabling or disabling a port, this menu is used to specify port link
characteristics, apply port filters, and trunk ports together. A port is disabled by default.
[Table: physical connectors per Firewall Accelerator model: RJ-45 (Copper gig), LC (Fiber gig), or Dual: RJ-45 and LC]
The LC fiber optic connectors are for attaching Gigabit Ethernet (1000Base-SX) segments to
the port. The RJ-45 copper connectors are for attaching 10/100/1000 Mbps Ethernet (10Base-T,
100Base-TX, or 1000Base-TX) segments.
On ports with dual physical connectors, either connector may be used, depending on the
network devices being attached to the system. When connecting devices which use dual-homing
technology to achieve link redundancy, one of the dual connectors can be used as the preferred
link, and the other can be used as a backup.
On ports with only one physical connector, some of the options described in the Port Menu and
submenus do not apply. Although all options appear on all models of Firewall Accelerator, any
configuration settings for options which do not apply are disregarded.
For physical port specifications and LED behavior, see the section “Connecting Network Cables”
in the Alteon Switched Firewall Hardware Installation Guide.
naap y|n
This command enables or disables Nortel Appliance Acceleration Protocol (NAAP) on
the port. NAAP is required to be enabled for any Firewall Accelerator port connected to
one or more Firewall Directors. NAAP should be disabled for Firewall Accelerator ports
connected to trusted, untrusted, or semi-trusted networks.
The default settings for the Firewall Accelerator 6600 depend on the port number:
Ports 1 through 10 are initially reserved for network traffic and have NAAP disabled.
Ports 11 and 12 are initially reserved for Firewall Director connections and have
NAAP enabled.
The default settings for the Firewall Accelerator 6400 are as follows:
Ports 1, 24, 27, and 28 are initially reserved for Firewall Director connections or for
connecting to a redundant Firewall Accelerator and have NAAP enabled.
Ports 2–23, 25, and 26 are initially reserved for network traffic and have NAAP
disabled.
If the port belongs to a trunk, settings for this item are taken from the master trunk port.
vtag y|n
This command enables or disables VLAN tagging for this port. It is disabled by default.
VLAN tagging is required whenever the port participates in multiple VLANs. If the port
belongs to a trunk, settings for this item are taken from the master trunk port.
Port Trunking
Port trunks can provide super-bandwidth connections between the ASF and other
trunk-capable devices. A trunk is a group of ports that act together, combining their bandwidth to create a
single, larger capacity port with built-in fault tolerance. Port trunking has the following rules:
To specify a trunk group consisting of ports 1, 2, and 3, with port 1 as the master, the following
commands could be used:
NOTE – If you trunk ports to a non-master port or fail to define a master port, the CLI will
report configuration errors when the apply command is given, and the apply will fail.
The Copper Physical Link Menu is used to configure link characteristics when using the RJ-45
copper connector on the Firewall Accelerator ports. You can set port speed, duplex mode, flow
control, and negotiation mode for the port link.
NOTE – Fast Physical Link Menu options are disregarded if the port has no RJ-45 connector.
speed 10|100|1000|any
When autonegotiation (auto) is disabled, this command specifies the link speed. The
choices include:
10: 10 Mbps
100: 100 Mbps
1000: 1000 Mbps
any: automatic detection (default)
mode full|half|any
When autonegotiation (auto) is disabled, this command specifies the duplex operating
mode. The choices include:
full: Full-duplex
half: Half-duplex
any: automatic negotiation (default)
fctl rx|tx|both|none
When autonegotiation (auto) is disabled, this command specifies the flow control. The
choices include:
rx: Receive flow control
tx: Transmit flow control
both: Both receive and transmit flow control (default)
none: No flow control
auto y|n
This command enables or disables autonegotiation for the port. This is enabled by
default. When enabled, the Firewall Accelerator negotiates with the connected device to
find the best port speed, duplex mode, and flow control, and overrides the manual
speed, mode, and fctl settings. When autonegotiation is disabled, manual port
settings are used.
If you have difficulty establishing a link with other network devices, turn
autonegotiation off and set the port properties manually.
The Fiber Physical Link Menu is used to configure link characteristics when using the LC fiber
optic connector on the Firewall Accelerator ports. You can set port flow control and
negotiation mode for the port link.
NOTE – Fiber Physical Link Menu options are disregarded if the port has no LC connector.
fctl rx|tx|both|none
When autonegotiation (auto) is disabled, this command specifies the flow control. The
choices include:
rx: Receive flow control
tx: Transmit flow control
both: Both receive and transmit flow control (default)
none: No flow control
auto y|n
This command enables or disables autonegotiation for the port. This is enabled by
default. When enabled, the Firewall Accelerator negotiates with the connected device to
find the best flow control, and overrides the manual fctl setting. When autonegotiation
is disabled, the fctl setting is used.
If you have difficulty establishing a link with other network devices, turn
autonegotiation off and set the port properties manually.
The Port Filters Menu is used to assign, remove, or list port filters for a specific port. Port
filters can allow or deny traffic according to a variety of address and protocol specifications.
list
This command displays all filters assigned to this port by their index number.
del <index number>
This command lets you remove a filter from this port by specifying its index number.
Use the list command to display the index numbers of filters on this port.
add <filter number>
This command lets you assign a filter to this port. Before filters can be assigned, they
must first be created using the Advanced Filtering Menu (see page 316).
[VLAN 1 Menu]
name - Set VLAN Name
port - VLAN Ports Menu
jumbo - Set Jumbo Frames
idsgrp - Set IDS group to which traffic will be mirrored
ena - Enable VLAN
dis - Disable VLAN
del - Remove VLAN
The VLAN Menu is used to configure Virtual Local Area Networks (VLANs). By default
VLAN is disabled. VLANs are commonly used to split up groups of network users into
manageable broadcast domains, to create logical segmentation of workgroups, and to enforce
security policies among logical segments. For the Alteon Switched Firewall, VLANs are
configured for various reasons:
If any of the networks attached to the cluster use VLAN tagging, then VLANs must be
configured and VLAN tagging must be enabled on participating ports.
If there are two IP interfaces on the same port which belong to two different networks,
then the IP interfaces must be placed in separate VLANs. If this is not configured, it will be
done automatically.
Up to 253 VLANs can be configured, though each can be given an identifying number
between 1 and 4093. However, VLAN 4092 is reserved for internal use. If you configure
VLAN 1, then you can configure up to 252 VLANs.
The default VLAN is 0. However, if required VLANs are not configured by the administrator,
they are automatically assigned an appropriate VLAN number in the 1–4093 range.
VLANs are assigned on a per-port basis. Each port on the Firewall Accelerator can belong to
one or more VLANs, and each VLAN can have any number of Firewall Accelerator ports in its
membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging
enabled (see the “Port Menu” on page 252).
The VLAN Ports Menu is used to assign, remove, or list Firewall Accelerator ports for this
VLAN.
list
This command displays all ports assigned to this VLAN by their index number.
del <index number>
This command lets you remove a port from the VLAN by specifying the port’s index
number. Use the list command to display the index numbers of assigned ports.
add <port number>
This command lets you add the specified port to the VLAN.
NOTE – All ports must belong to at least one VLAN. Any port that is removed from a VLAN
and that is not a member of any other VLAN is automatically assigned a unique VLAN
number.
Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned
on (see the vtag command on page 255).
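The membership rules stated above (every port in at least one VLAN, no untagged port in two VLANs, automatic assignment of a free VLAN number, VLAN 4092 reserved, the 253/252 limit) are easy to get wrong when scripting a configuration. The following model is an added example, not code from Firewall OS; it checks each rule before changing membership and reports why an add would be rejected. The names VlanTable, check_add and capacity are this example's own.

```python
"""Model of the VLAN membership rules stated in the VLAN and VLAN Ports
menus. This is a constructed illustration, not code from Firewall OS."""

VLAN_MIN, VLAN_MAX = 1, 4093
RESERVED = {4092}        # VLAN 4092 is reserved for internal use


class VlanTable:
    """Tracks which Firewall Accelerator ports belong to which VLANs."""

    def __init__(self, num_ports):
        self.tagged = {p: False for p in range(1, num_ports + 1)}  # vtag per port
        self.members = {}    # VLAN id -> set of member ports
        self.auto = set()    # VLAN ids this model assigned automatically
        # Every port must belong to at least one VLAN, so unconfigured
        # ports start out in an automatically assigned VLAN each.
        for port in self.tagged:
            self._auto_assign(port)

    def capacity(self):
        # 253 VLANs may be configured; 252 if VLAN 1 is one of them.
        return 252 if 1 in self.members else 253

    def vlans_of(self, port):
        return {v for v, ports in self.members.items() if port in ports}

    def set_tagging(self, port, enabled):
        self.tagged[port] = enabled

    def check_add(self, vlan, port):
        """Return None if 'add <port>' would succeed, else the reason it fails."""
        if not VLAN_MIN <= vlan <= VLAN_MAX or vlan in RESERVED:
            return f"VLAN {vlan} is outside 1-4093 or reserved"
        if vlan not in self.members and len(self.members) >= self.capacity():
            return "VLAN limit reached"
        admin = (self.vlans_of(port) - {vlan}) - self.auto
        if admin and not self.tagged[port]:
            return f"port {port} is untagged and already in VLAN {min(admin)}"
        return None

    def add_port(self, vlan, port):
        """'add <port>' in the VLAN Ports Menu, with the manual's checks."""
        reason = self.check_add(vlan, port)
        if reason:
            raise ValueError(reason)
        # Leaving an automatically assigned VLAN needs no tagging: the
        # administrator's explicit configuration replaces it.
        for v in (self.vlans_of(port) - {vlan}) & self.auto:
            self._drop(v, port)
        self.members.setdefault(vlan, set()).add(port)

    def remove_port(self, vlan, port):
        """'del' in the VLAN Ports Menu. Returns the VLAN id auto-assigned to
        the port if it would otherwise be left with no VLAN, else None."""
        self._drop(vlan, port)
        if self.vlans_of(port):
            return None
        return self._auto_assign(port)

    def _drop(self, vlan, port):
        self.members[vlan].discard(port)
        if not self.members[vlan] and vlan in self.auto:
            del self.members[vlan]
            self.auto.discard(vlan)

    def _auto_assign(self, port):
        for v in range(VLAN_MIN, VLAN_MAX + 1):
            if v not in self.members and v not in RESERVED:
                self.members[v] = {port}
                self.auto.add(v)
                return v
        raise RuntimeError("no free VLAN id")
```

Running check_add before each change is the useful part for configuration scripts: it turns the appliance's refusal into a message that names the conflicting VLAN, and remove_port makes visible that a port dropped from its last VLAN does not disappear but lands in a new, automatically numbered VLAN that the administrator did not plan for.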
[Interface 1 Menu]
port - Interface Ports Menu
addr - Set IP address
mask - Set subnet mask
broad - Set broadcast address
vlan - Set VLAN number
vrrp - VRRP Menu
ena - Enable interface
dis - Disable interface
del - Remove Interface
The Interface Menu is used to configure IP interfaces for the cluster. Primarily, each IP
interface represents a network attached to the Firewall Accelerator. Up to 255 IP interfaces can be
configured. The default value for the interface is disabled.
In essence, IP interfaces play a role similar to that of the Network Interface Cards (NICs) in a
typical firewall. A typical firewall usually has only two NICs: one for connecting to the
external, untrusted network on the outside of the firewall, and another for connecting to the internal,
trusted side of the firewall. The NICs provide the physical port connections for the firewall,
and the NIC IP addresses are used as the default gateway in the network devices attached to
them, thus directing traffic to the firewall.
The Alteon Switched Firewall IP interfaces are similar, but far more versatile. Up to 255 IP
interfaces can be defined, and each IP interface can be assigned to multiple physical ports on
the Firewall Accelerator. This allows the cluster to have a presence on many networks. Just as
with typical NICs, network devices attached to the Firewall Accelerator ports must be
configured to use an IP interface as their default gateway. Do not use the MIP address or any IP
address in the cluster subnet as the default gateway for a network.
port
The Interface Ports Menu is used to assign, remove, or list ports for this IP interface.
See page 266 for menu items.
addr <interface IP address (such as 192.4.17.101)>
This command configures the IP address of the IP interface using dotted decimal
notation. This gives the cluster a presence on a connected trusted, untrusted, or semi-trusted
network. Devices on the connected networks should use this IP address as their default
gateway so that their outbound traffic is directed to the firewall. The default address is set
to 0.0.0.0.
mask <IP subnet mask (such as 255.255.255.0)>
This command configures the IP subnet address mask for the IP interface using dotted
decimal notation. The default mask is set to 0.0.0.0.
broad <broadcast address (such as 192.4.17.255)>
This command configures the IP broadcast address for the IP interface using dotted
decimal notation. The default broadcast address is set to 0.0.0.0.
vlan <VLAN number>
This command configures the VLAN number for this IP interface. Each interface can
belong to one VLAN, though any VLAN can have multiple IP interfaces in it. The
default VLAN number is 0.
vrrp
The VRRP Menu is used for configuring the IP interface for high availability when
redundant Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP)
ensures that if the active Firewall Accelerator fails, the redundant Firewall Accelerator
takes over. In a high-availability configuration, each participating IP interface must
be configured separately for VRRP.
See page 267 for menu items.
ena
This command enables this IP interface.
dis
This command disables this IP interface.
del
This command removes this IP interface from the cluster configuration.
The Interface Ports Menu is used to assign, remove, or list ports for the specified IP interface.
list
This command displays all ports assigned to this IP interface by their index number.
del <index number>
This command lets you remove a port from the IP interface by specifying the port’s
index number. Use the list command to display the index numbers of assigned ports.
add <port number>
This command lets you add the specified port to the IP Interface.
[VRRP Menu]
vrid - Set virtual router ID
ip1 - Set IP1
ip2 - Set IP2
The VRRP Menu is used for configuring a cluster for high availability when redundant
Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP) ensures that if the
active Firewall Accelerator fails, the redundant Firewall Accelerator will take over. In a
high-availability configuration, each participating IP interface must be configured separately with
its own VRRP parameters.
VRRP is enabled or disabled cluster-wide using the ha command under the Accelerator
Configuration Menu (see page 244).
When VRRP is used, the IP interface acts as a virtual router. This means that the IP interface’s
IP address is shared by both Firewall Accelerators, but is only active on the master. To
accomplish this without duplicating the shared IP address on two physical devices on the network,
the IP interface is assigned two sub-addresses: one new IP address on the same subnet for each
Firewall Accelerator.
The GRE Settings Menu is used to configure the GRE tunnel parameters and create a GRE
tunnel over an OSPF network.
dis
This command disables this GRE tunnel.
del
This command removes this GRE tunnel from the configuration.
/cfg/net/route
Routing Settings Menu
The Routing Settings Menu is used to configure routing parameters. Firewall Accelerator 6600
supports up to a total of 8K routes which can be defined among default gateways, static routes,
RIP routes, and OSPF routes.
gate
The Default Gateways Menu is used to configure default IP gateways for the cluster.
See page 271 for menu items.
static
The Static Routing Table Menu is used to add, delete, or list static routes. The cluster
uses these routes to route packets within the attached networks.
See page 274 for menu items.
rip
The RIP Menu is used to configure Router Interface Protocol (RIP) parameters for RIP
version 1 and RIP version 2 (multicasting) networks.
See page 275 for menu items.
ospf
The OSPF Menu is used to configure the ASF for use with Open Shortest Path First
(OSPF) routing protocol.
See page 286 for menu items.
/cfg/net/route/gate
Default Gateways Menu
The Default Gateways Menu is used to configure up to four default IP gateways for the cluster.
The default IP gateways are used to route traffic through the firewall. For example, packets
from the internal networks that arrive at the firewall with an external destination address are
typically sent to the default gateway as their next hop toward an external router. By default, a
newly created gateway is disabled.
If multiple default gateways are configured and healthy, the cluster will use the metric
option (see page 271) on the Default Gateways Menu (/cfg/net/route/gate) to
determine the appropriate default gateway.
NOTE – The default gateways configured here are for routing traffic away from the firewall, not
to it. To direct traffic to the firewall, networks attached to the Firewall Accelerators use IP
interfaces for their default gateways. See the “Interface Menu” on page 264 for more information.
arp y|n
This command enables or disables ARP-only (Address Resolution Protocol) health
checks. This option is disabled by default.
ena
This command enables this default IP gateway for use.
dis
This command disables this default IP gateway.
del
This command removes this default IP gateway from the cluster configuration.
/cfg/net/route/static
Static Routing Table Menu
The Static Routing Table Menu is used to add, delete, or list static routes. The cluster uses
these routes to route packets within the attached networks. The ASF routing table is shared by
the static and dynamic routes: the more static routes you configure, the less space remains for
dynamic routes.
The Firewall Accelerator 6600 allows you to configure a total of 8K static and dynamic routes.
The Firewall Accelerator 6400 allows you to configure a total of 4K static and dynamic routes.
Each interface on the ASF adds three entries to the routing table. The Firewall Accelerator has
one interface more than the user-defined interfaces on the Firewall Director.
list
This command lists all configured routes by their index number and IP address
information.
del <index number>
This command lets you remove a route from the cluster configuration by specifying the
route’s index number. Use the list command to display the index numbers of
configured routes.
add <destination IP address> <destination mask> <gateway IP address> <interface number>
This command adds a static route based on destination IP address, destination subnet
mask, gateway IP address, and interface number. Enter all addresses using dotted decimal notation.
/cfg/net/route/rip
RIP Menu
[RIP Menu]
vlan - RIP Vlan Menu
version - Set default RIP version
redist - Route Redistribute Menu
metric - Set Default RIP metric
distance - Set Default RIP distance
update - Set RIP Update broad/multicast interval
timeout - Set RIP route timeout
ena - Enable RIP
dis - Disable RIP
The RIP Menu is used to configure Router Interface Protocol (RIP) parameters. The Alteon
Switched Firewall supports either RIP version 1 or RIP version 2 (multicasting) networks.
vlan <1-4093>
The RIP VLAN Menu is used to configure VLANs for use with RIP. Do not define
VLAN ID 4092, because it is used internally. You can configure up to 253 VLANs. If
you configure VLAN 1 however, then you can configure up to 252 VLANs.
See page 277 for menu items.
version v1|v2
This command is used to specify which version of RIP is used on the Alteon Switched
Firewall: version 1 (v1) or multicast version 2 (v2). The default is v2.
redist
The Route Redistribution Menu is used to define how routes from other protocols are
converted for use with RIP.
See page 280 for menu items.
metric <default RIP metric value (1-16)>
This command sets the default RIP metric used for advertising RIP routes.
The default is 1.
The RIP VLAN Menu is used to configure VLANs for use with RIP. A VLAN is required for
each network which will be attached to the cluster. RIP is disabled by default and must be
enabled on a per-VLAN basis.
splithz y|n
This command enables or disables split horizon with poison reverse for this VLAN. The
split horizon algorithm helps prevent broadcast loops. When enabled (y), learned routes
are not advertised back to the router from which they were learned. The default is
enabled (y). When disabled (n), poison reverse is used instead: all learned routes are
advertised back with a metric of 16.
listen y|n
This command enables or disables listen only for this VLAN. When enabled (y), the
VLAN will learn routes from other routers, but will not transmit RIP updates. When
disabled (n), the VLAN will learn routes and transmit updates. The default is disabled.
txver default|v1|v2|v1v2
This command sets the RIP version used to transmit RIP updates from this VLAN:
default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is used.
v1: RIP version 1 is used.
v2: RIP version 2 is used.
v1v2: Both RIP version 1 and RIP version 2 are used.
rxver default|v1|v2|v1v2
This command sets the RIP version accepted for RIP updates on this VLAN:
default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is accepted.
v1: RIP version 1 is accepted.
v2: RIP version 2 is accepted.
v1v2: Both RIP version 1 and RIP version 2 are accepted.
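The splithz, listen, txver and rxver settings above interact per VLAN, and the behaviour the manual assigns to them (split horizon suppresses a learned route on the VLAN it came from, poison reverse sends it back with metric 16, listen-only learns but never transmits, the version settings inherit from /cfg/net/route/rip/version) is shown below as an added example, not code from Firewall OS. The routing table, the VLAN numbers and the function names build_update, tx_versions and accepts are this example's own. One caveat worth keeping in mind when reading it: rxver restricts only the packet version that is accepted, so a VLAN in listen-only mode still installs whatever routes any device on that VLAN sends; restricting who may inject routes is the job of the auth setting described next, not of listen or rxver.

```python
"""Per-VLAN RIP transmit/receive behaviour as the splithz, listen, txver and
rxver commands describe it. Constructed illustration, not Firewall OS code."""

INFINITY = 16   # RIP metric that means "unreachable" (used by poison reverse)

# Constructed routing table: destination -> (metric, VLAN the route was learned
# from; None marks a connected or static route that was not learned via RIP).
ROUTES = {
    "10.1.0.0/16": (1, None),
    "10.2.0.0/16": (2, 100),
    "10.3.0.0/16": (3, 200),
}


def vlan_settings(splithz=True, listen=False, txver="default", rxver="default"):
    """Defaults follow the manual: split horizon on, listen-only off, versions
    inherited from /cfg/net/route/rip/version."""
    return {"splithz": splithz, "listen": listen, "txver": txver, "rxver": rxver}


def build_update(routes, vlan, cfg):
    """Routes (dest, metric) that this VLAN transmits in its RIP update."""
    if cfg["listen"]:
        return []                       # listen-only: learn, never transmit
    update = []
    for dest, (metric, learned_from) in sorted(routes.items()):
        if learned_from == vlan:
            if cfg["splithz"]:
                continue                # split horizon: do not send the route back
            metric = INFINITY           # poison reverse: send it back as unreachable
        update.append((dest, metric))
    return update


def _versions(setting, default_version):
    chosen = default_version if setting == "default" else setting
    return {"v1": {1}, "v2": {2}, "v1v2": {1, 2}}[chosen]


def tx_versions(cfg, default_version="v2"):
    """RIP versions used to transmit from this VLAN (txver)."""
    return _versions(cfg["txver"], default_version)


def accepts(cfg, packet_version, default_version="v2"):
    """Whether an incoming update of packet_version is accepted (rxver)."""
    return packet_version in _versions(cfg["rxver"], default_version)
```

With the sample table, VLAN 100 under the default settings advertises the connected route and the route learned on VLAN 200 but not 10.2.0.0/16, which it learned on VLAN 100 itself; with splithz set to n that route goes out with metric 16.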
auth none|password|md5
This command sets the authentication type for this VLAN:
none turns off RIP authentication. This is the default value.
password turns on plain text password authentication. The passwords are set using
the key option.
md5 turns on MD5 (strong encryption) password authentication. For more information,
see “RIP Authentication” on page 278.
RIP Authentication
RIP protocol exchanges can be authenticated so that only trusted devices can participate. The
Alteon Switched Firewall 4.0.2 supports simple authentication (plain text passwords) and MD5
authentication (encrypted data and passwords) among neighboring routing devices in an area.
RIP simple passwords are enabled or disabled individually for each defined interface using the
following CLI commands:
RIP MD5 passwords use strong cryptography to protect data and passwords.
MD5 passwords are enabled or disabled individually for each defined interface using the
following CLI commands:
MD5 passwords up to 16 characters are defined using the following CLI command:
/cfg/net/route/rip/redist
Route Redistribution Menu
The Route Redistribution Menu is used to advertise routes from other protocols into RIP.
connected
The Connected Route Redistribution Menu is used for advertising connected routes via
RIP.
See page 281 for menu items.
static
The Static Route Redistribution Menu is used for advertising static routes via RIP.
See page 282 for menu items.
ospf
The OSPF Route Redistribution Menu is used for advertising OSPF routes via RIP.
See page 285 for menu items.
defaultgw
The Default Gateway Redistribution Menu is used for advertising default gateway routes
via RIP.
See page 284 for menu items.
fictitious
The Fictitious Route Redistribution Menu is used as a diagnostics tool to troubleshoot
routes that are not installed.
See page 285 for menu items.
/cfg/net/route/rip/redist/connected
RIP Connected Route Redistribution Menu
The RIP Connected Route Redistribution Menu is used to redistribute connected routes into
RIP. By default advertising of connected routes is disabled.
disable
Disables advertising of connected routes.
/cfg/net/route/rip/redist/static
RIP Static Route Redistribution Menu
The RIP Static Route Redistribution Menu is used to redistribute static routes into RIP.
Advertising static routes is disabled by default.
disable
Disables advertising static routes.
/cfg/net/route/rip/redist/ospf
RIP OSPF Route Redistribution Menu
The RIP OSPF Route Redistribution Menu is used to redistribute OSPF routes into RIP.
Advertising OSPF routes is disabled by default.
disable
Disables advertising of OSPF routes.
/cfg/net/route/rip/redist/defaultgw
RIP Default Gateway Route Redistribution Menu
The RIP Default Gateway Route Redistribution Menu is used to redistribute default gateway
routes into RIP. Advertising default gateway routes is disabled by default.
metric
Uses the metric of the advertised default gateway routes. The metric for the default gateway
routes is defined under cfg/net/route/gate/metric. For more information on
the metric, see page 271.
enable
Enables advertising of default routes.
disable
Disables advertising of default routes.
/cfg/net/route/rip/redist/fictitious
RIP Fictitious Route Redistribution Menu
The RIP Fictitious Route Redistribution Menu is used as a diagnostic tool to troubleshoot
routes that are not installed into the RIP domain. Advertising fictitious routes is disabled by
default.
networks
Lists fictitious networks that can be reached.
See page 286 for menu items.
enable
Enables advertising of fictitious routes.
disable
Disables advertising of fictitious routes.
/cfg/net/route/rip/redist/fictitious/networks
Fictitious RIP Reachable Networks Menu
The Fictitious RIP Reachable Networks Menu is used to add and delete fictitious networks to
the currently configured networks.
list
This command displays all currently configured networks.
del
This command deletes a configured network.
/cfg/net/route/ospf
OSPF Menu
[OSPF Menu]
aindex - OSPF Area (index) Menu
range - OSPF Summary Range Menu
if - OSPF Interface Menu
gre - OSPF GRE Tunnel Menu
virt - OSPF Virtual Link Menu
redist - Route Redistribution Menu
metric - Set default metric
rtrid - Set OSPF router ID
spf - Set time interval between two SPF calculations
ena - Enable OSPF
dis - Disable OSPF
The OSPF Menu is used to configure the ASF for use with Open Shortest Path First (OSPF)
routing protocol. OSPF uses flooding to exchange link state updates between routers. Any
change in routing information is flooded to all routers in the network in an area. The default
value for OSPF is disabled.
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
redist
This command displays Route Redistribution menu.
See page 301 for menu items.
spf <spf calculation interval in seconds (0-65535) spf calculation hold time in seconds (0-65535)>
This command sets the time interval, in seconds, between each calculation of the shortest
path tree. The default for spf calculation interval is 5 seconds and the default for spf
calculation hold time is 10 seconds.
ena
This command globally turns on OSPF.
dis
This command globally turns off OSPF.
The OSPF Area Index Menu is used for defining OSPF area numbers and parameters. By
default the OSPF area is disabled.
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
type transit|stub|nssa
This command sets the area type:
transit for the backbone or any area that contains a virtual link.
stub for any area that contains no external routes.
nssa for any area that can process external routes but does not advertise external
routes originating from outside its area.
The default type is transit.
metric <0-16777215>
This command sets the stub area metric. Other routing devices add this value to the cost
of routing to this stub area when building their SPF tree.
ena
This command enables this area.
dis
This command disables this area.
del
This command deletes this area index from the configuration.
/cfg/net/route/ospf/range <range number>
OSPF Summary Range Menu
This menu is used for defining OSPF summary routes. Without summarization, each routing
device in an OSPF network would retain a route to every subnet in the network. With
summarization, routing devices can reduce some sets of routes to a single advertisement, reducing
both the load on the routing device and the perceived complexity of the network. The
importance of route summarization increases with network size. The default value for OSPF
summary range is disabled.
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
hide y|n
When enabled, this command forces the address range to be removed from any other
summary ranges being injected into the defined area by the Firewall. This is useful for
removing sections from large summary ranges that are not fully contiguous or contain
gaps. This option is disabled by default.
ena
This command enables this range.
dis
This command disables this range.
del
This command removes this range from the configuration.
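What a summary range advertises, and what the hide option carves out of it, can be checked offline before the range is enabled. The block below is an added example written with Python's standard ipaddress module, not code from Firewall OS; the prefixes, the range entries and the function names summarize, exclude and advertised_ranges are this example's own. It goes slightly beyond the text by also computing the smallest prefix that covers a given set of subnets, which is the value you would enter as the range.

```python
"""Route summarization and the hide option of the OSPF Summary Range Menu,
modelled with the standard ipaddress module. Constructed illustration, not
Firewall OS code; the range entries are constructed sample data."""

import ipaddress


def summarize(subnets):
    """Smallest single prefix that covers every subnet: the route a summary
    range advertises in place of the individual subnets."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def exclude(net, hidden):
    """Split net into the pieces that remain after removing every hidden
    range that overlaps it."""
    pieces = [net]
    for h in hidden:
        remaining = []
        for p in pieces:
            if h.subnet_of(p):
                remaining.extend(p.address_exclude(h))   # yields nothing if h == p
            elif p.subnet_of(h):
                continue                                  # piece is entirely hidden
            else:
                remaining.append(p)
        pieces = remaining
    return pieces


def advertised_ranges(ranges):
    """ranges: list of {"range": prefix, "ena": bool, "hide": bool}.
    Returns the prefixes actually injected into the area, as sorted strings:
    disabled entries are ignored and hidden entries are carved out of the
    others, as the manual describes for hide."""
    active = [(ipaddress.ip_network(r["range"]), r.get("hide", False))
              for r in ranges if r.get("ena", False)]
    hidden = [net for net, hide in active if hide]
    out = []
    for net, hide in active:
        if not hide:
            out.extend(exclude(net, hidden))
    return [str(n) for n in sorted(out)]
```

Note that a hidden range punches a hole that is itself a set of prefixes (a /24 removed from a /22 leaves a /23 and a /24), so the number of advertisements after hiding is not always one; that is the "not fully contiguous" case the hide description refers to.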
The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. The
default value for the OSPF area is disabled.
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
NOTE – The hello interval (hello), dead interval (dead), transmit interval (trans) and
retransmit interval (retra) must be the same on all OSPF routing devices within an area.
Using incompatible values could keep adjacencies from forming and could stop or loop routing
updates.
auth none|password|md5
This command sets the authentication type for this interface:
none turns off OSPF authentication. This is the default value.
password turns on plain text password authentication. The password is set using the
key option.
md5 turns on MD5 (strong encryption) password authentication. The password is
defined using the md5key option.
For more information, see “Authentication” on page 72.
ena
This command enables this interface.
dis
This command disables this interface.
The OSPF GRE tunnel menu is used to attach the GRE tunnel interface to the OSPF areas. For
more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and
retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using
incompatible values could keep adjacencies from forming and may stop or loop routing
updates.
auth none|password|md5
This command sets the authentication type for this interface:
none turns off OSPF authentication.
password turns on plain text password authentication. The password is set using the
key option.
md5 turns on MD5 (strong encryption) password authentication. The password is
defined using the md5key option.
For more information, see “Authentication” on page 72.
ena
This command enables this interface.
dis
This command disables this interface.
Virtual links are typically created to connect one area to the backbone through another
non-backbone area. The virtual link must be configured at each endpoint, though it may
traverse multiple routing devices. The default value for this virtual link is disabled.
The minimum requirements for configuring a virtual link are the aindex and nbr options in
this menu and the rtrid option in the OSPF Menu (see page 286).
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”
NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and
retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using
incompatible values could keep adjacencies from forming and may stop or loop routing
updates.
auth none|password|md5
This command sets the authentication type for this interface:
none turns off OSPF authentication. This is the default value.
password turns on plain text password authentication. The password is set using the
key option.
md5 turns on MD5 (strong encryption) password authentication. The password is
defined using md5key option.
For more information, see “Authentication” on page 72.
ena
This command enables this virtual link.
dis
This command disables this virtual link.
del
This command deletes this virtual link from the configuration.
/cfg/net/route/ospf/redist
OSPF Route Redistribution Menu
The Route Redistribution Menu is used to redistribute static, RIP, and default gateway routes
via OSPF. If the routes are learned from a certain routing protocol, you have to enable that
protocol for those routes to be redistributed into the network.
connected
The Connected Route Redistribution Menu is used for advertising connected routes via
OSPF.
See page 302 for menu items.
static
The Static Route Redistribution Menu is used for advertising static routes via OSPF.
See page 303 for menu items.
rip
The RIP Route Redistribution Menu is used for advertising RIP routes via OSPF.
See page 304 for menu items.
defaultgw
The Default Gateway Redistribution Menu is used for advertising default gateway routes
via OSPF.
See page 305 for menu items.
/cfg/net/route/ospf/redist/connected
OSPF Connected Route Redistribution Menu
The OSPF Connected Route Redistribution Menu is used to redistribute connected routes into
OSPF. By default the value for redistributing connected routes is disabled.
/cfg/net/route/ospf/redist/static
OSPF Static Route Redistribution Menu
The OSPF Static Route Redistribution Menu is used to redistribute static routes into OSPF. By
default the value for redistributing static routes is disabled.
/cfg/net/route/ospf/redist/rip
OSPF RIP Route Redistribution Menu
The OSPF RIP Route Redistribution Menu is used to redistribute RIP routes into OSPF. By
default the value for redistributing RIP routes is disabled.
/cfg/net/route/ospf/redist/defaultgw
OSPF Default Gateway Route Redistribution Menu
The OSPF Default Gateway Route Redistribution Menu is used to redistribute default gateway
routes into OSPF. By default the value for redistributing default gateway routes is disabled.
/cfg/net/dhcprl
DHCP Relay Menu
The DHCP Relay Menu is used to configure DHCP relay commands for ASF. The default
value for DHCP Relay is disabled.
if <value 1-255>
This command is used to specify the interface to allow DHCP requests to enter the
network.
See page 307 for menu items.
server <value 1-8>
This command is used to add the DHCP server information to the ASF configuration.
See page 308 for menu items.
ena
Enables the use of DHCP relaying globally.
dis
Disables the use of DHCP relaying globally.
clrlocsts
This command clears DHCP statistics on the local Firewall Director.
clrmipsts
This command clears DHCP statistics on the MIP. All DHCP statistics are sent to the
MIP.
/cfg/net/dhcprl/if <number>
DHCP Relay Interface <number> Menu
The DHCP Relay Interface Menu is used to configure DHCP Relay requests into the network.
The default value for DHCP Relay Interface is disabled.
ena
This command allows DHCP clients to enter the network through this interface.
dis
This command does not allow DHCP clients to enter the network through this interface.
/cfg/net/dhcprl/server <number>
DHCP Server <number> Menu
The DHCP Server Menu is used to add DHCP server information to the ASF configuration.
The DHCP server is disabled by default.
ena
This command enables the use of this DHCP server.
dis
This command disables the use of this DHCP server.
del
This command removes this DHCP server from being used by ASF.
/cfg/net/mirr
Port Mirroring Menu
ena
This command enables port mirroring.
dis
This command disables port mirroring.
monport <port number>
The Monitoring Port Menu is used to configure ports for monitoring. The <port
number> must be a network port on the Firewall Accelerator.
See page 310 for menu items.
/cfg/net/mirr/monport
Monitoring Port <number> Menu
The Monitoring Port Menu is used to configure the ports that you want to monitor.
edit
This command adds and deletes ports to be mirrored.
See page 311 for menu items.
del
This command removes the monitoring port.
/cfg/net/mirr/monport/edit
Mirrored Ports Menu
The Mirrored Ports Menu is used to configure the mirrored ports that you want to monitor.
list
This command lists the mirrored ports.
del
This command deletes the mirrored port.
add
This command adds ports to be monitored.
/cfg/net/idslb
IDS Load Balancing Menu
The IDS Load Balancing Menu is used to load balance IDS servers connected to the Firewall
Accelerators.
The IDS Group Menu is used to configure the ports for load balancing IDS servers.
port
This command lists the ports in the IDS group <number>.
See page 314 for menu items.
ena
This command enables the IDS group.
dis
This command disables the IDS group.
/cfg/net/idslb/group <number>/port
IDS Group <number> Ports Menu
The IDS Group Ports Menu is used to define IDS ports for the IDS group.
list
This command lists the current IDS ports in the IDS group <number>.
del
This command removes IDS ports from the IDS group <number>.
add
This command allows you to add ports to the IDS group <number>. In High Availability
scenarios, when you add a port to an IDS group, the same port number is configured as
an IDS port on both accelerators. An IDS port can be a member of a single IDS group
only. You can configure a maximum of 10 IDS ports in a single group.
A NAAP port, an enforcement port, or a monitor port cannot be configured as an IDS port.
/cfg/net/adv
Advanced Settings Menu
The Advanced Settings Menu is used to configure the domain name, port traffic filters, proxy
ARP options, and high availability settings.
domain <domain_name>
This command is used to set the NIS domain name that is used by Check Point SMTP
server.
filt <filter number (1-2048)>
This menu is used to create or modify port traffic filters. Port traffic filtering is a feature
of the Firewall Accelerator and occurs prior to inspection by the Check Point FireWall-1
NG software.
See page 316 for menu items.
parp
This command is used to configure IP addresses which the cluster should respond to on
behalf of Network Address Translation (NAT) features.
See page 320 for menu items.
vrrp
This menu allows you to set the group ID for the virtual router and the time interval
between VRRP advertisements broadcast.
See page 322 for menu items.
The Filter Definition Menu is used to create or modify port traffic filters. The Alteon Switched
Firewall supports up to 2048 port traffic filters. Each filter can be configured to allow or deny
traffic according to a variety of address and protocol specifications, and each physical Firewall
Accelerator port can be configured to use any combination of filters. The filter is disabled by
default.
Port traffic filtering is a feature of the Firewall Accelerator and occurs prior to inspection by
the Check Point FireWall-1 NG software. Traffic that has been dropped by a port traffic filter
will not be forwarded to the firewall. Traffic that has been allowed by a port traffic filter will
be sent through the firewall, bypassing Check Point FireWall-1 NG inspection. Only traffic
which is not matched by any port traffic filter will be passed to the firewall for Check Point
FireWall-1 NG inspection.
To use a port traffic filter, perform the following steps:
Set the address, masks, and/or protocol that will be affected by the filter
Set the filter action (allow or deny)
Enable the filter
Add the filter to a Firewall Accelerator port
Enable filtering on the Firewall Accelerator port
NOTE – Filtering criteria options can be used in combination. If criteria are left at their default
settings, the filter will be broad and will affect more traffic. The more criteria that are
specifically set, the narrower the filter becomes, affecting a smaller portion of the traffic.
dport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified real server TCP or UDP destination port will be
affected by this filter. Specify the port number, range, name, or any. The default is any.
action allow|deny
This command specifies the action this filter takes when traffic matches the specified criteria:
allow Allow the frame to pass through the firewall with no further inspection.
deny Discard the frame before it can be inspected by the firewall (default).
inv e|d
This command lets you enable or disable inverting the filter logic. When disabled (the
default), the filter behaves normally. When enabled, if the conditions of the filter are
met, the filter takes no action. Otherwise, if the conditions for the filter are not met, the
filter performs the assigned action.
log e|d
This command enables or disables logging for this filter. If enabled, each time the filter
action is taken, a message is sent to the system log. By default, this is disabled.
cache
This command allows you to disable session table caching for the specified filter. Use
this option to prevent the session table from being swamped with entries. The default
cache option is enabled for all filters.
ena
This command enables this filter.
dis
This command disables this filter.
del
This command removes this filter from the cluster configuration.
For example, to determine if a client request’s destination IP address should be allowed, the
destination IP address is masked (bitwise AND) with the dmask and then compared to the
dip.
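The masking rule just described, together with the action, inv, log and ena settings, determines one of three outcomes for every frame on a filtered port: dropped before the firewall, forwarded with no FireWall-1 inspection, or passed to FireWall-1 as usual. The model below is an added example, not code from Firewall OS, and makes those outcomes explicit so a filter set can be tested against sample traffic before it is applied. The field names dip, dmask, dport, action, inv, log and ena come from the Filter Definition Menu; sip, smask and proto are assumed here so the match is complete, and the assumption that enabled filters are tried in ascending index order with the first hit winning is this example's own. The packets and filter entries are constructed sample data. The security point the model makes visible: an allow filter is an inspection exemption, so each one should be as narrow as the criteria permit, and a deny filter with log enabled is the only way a drop at this layer appears in the system log.

```python
"""Evaluation model for Firewall Accelerator port traffic filters as this
section describes them. Constructed illustration, not Firewall OS code."""

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Filter:
    """One entry from the Filter Definition Menu. dip, dmask, dport, action,
    inv, log and ena are commands named in the manual; sip, smask and proto
    are assumed here so that a full 5-tuple match can be expressed."""
    index: int
    action: str = "deny"        # allow | deny (deny is the default)
    dip: str = "0.0.0.0"
    dmask: str = "0.0.0.0"      # all-zero mask matches every address
    dport: object = ANY         # port number, (low, high) range, or "any"
    sip: str = "0.0.0.0"        # assumed field
    smask: str = "0.0.0.0"      # assumed field
    proto: str = ANY            # assumed field: "tcp", "udp" or "any"
    inv: bool = False
    log: bool = False
    ena: bool = False           # filters are disabled by default


def addr_matches(addr, net, mask):
    """The manual's rule: mask the packet address (bitwise AND) and compare to dip."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(net)) & m)


def port_matches(port, spec):
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return port == spec


def criteria_met(f, pkt):
    return (addr_matches(pkt["dst"], f.dip, f.dmask)
            and addr_matches(pkt["src"], f.sip, f.smask)
            and f.proto in (ANY, pkt["proto"])
            and port_matches(pkt["dport"], f.dport))


def evaluate(filters, pkt, syslog=None):
    """Outcome for one frame on a port that uses `filters`:
    DROP               - a deny filter fired; the frame never reaches FireWall-1
    FORWARD_NO_INSPECT - an allow filter fired; the frame bypasses inspection
    INSPECT            - no filter fired; the frame goes to FireWall-1 as usual
    Assumption: enabled filters are tried in ascending index order, first hit wins."""
    for f in sorted(filters, key=lambda x: x.index):
        if not f.ena:
            continue
        hit = criteria_met(f, pkt) != f.inv      # inv flips the filter logic
        if not hit:
            continue
        if f.log and syslog is not None:
            syslog.append(f"filter {f.index} {f.action} {pkt['proto']} "
                          f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
        return "DROP" if f.action == "deny" else "FORWARD_NO_INSPECT"
    return "INSPECT"


# Constructed filter set: drop telnet into 10.0.0.0/8 and log it; let DNS to
# one resolver bypass inspection; everything else goes to FireWall-1.
FILTERS = [
    Filter(1, "deny", dip="10.0.0.0", dmask="255.0.0.0", proto="tcp", dport=23, log=True, ena=True),
    Filter(2, "allow", dip="10.0.0.53", dmask="255.255.255.255", proto="udp", dport=53, ena=True),
    Filter(3, "deny", dip="10.0.0.0", dmask="255.0.0.0", ena=False),   # disabled: no effect
]
```

Feeding a few representative packets through evaluate is a cheap regression test for a filter change: the inverted-logic case in particular (inv enabled) is easy to misread, because a deny filter with inv set drops everything that does not match its criteria.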
As another example, you could configure two filters so that each would handle traffic filtering
for one half of the Internet. To do this, you could define the following parameters:
/cfg/net/adv/parp
Proxy ARP Menu
The Proxy ARP Menu is used to configure IP addresses which the cluster should respond to on
behalf of Network Address Translation (NAT) features configured in the Check Point
FireWall-1 NG software.
parp
The Proxy ARP List Menu is used to add, delete, or list proxied addresses.
See page 321 for menu items.
sfd e|d
This command controls whether the cluster responds to Address Resolution Protocol (ARP) requests for the cluster Firewall Director and Management IP (MIP) addresses. The default value is disabled.
/cfg/net/adv/parp/parp
Proxy ARP List Menu
The Proxy ARP List Menu is used to add, delete, or list IP addresses which the cluster should
serve as proxy.
list
This command displays all proxy ARP addresses by their index number.
del <index number>
This command lets you remove a proxy ARP address by specifying its index number.
Use the list command to display the proxy ARP index numbers.
add <IP address>
This command lets you add the specified proxy ARP address. The IP address should be
specified in dotted decimal notation. The maximum number of entries is 2,000 minus
one for each Firewall Director and Firewall Accelerator in the cluster.
/cfg/net/adv/vrrp
Advanced VRRP Configuration Menu
The Advanced VRRP Configuration Menu is used to configure advanced VRRP settings.
/cfg/fw
Firewall Configuration Menu
[Firewall Configuration Menu]
ena - Enable firewall
dis - Disable firewall
sic - Reset Check Point SIC
accel - Set automatic acceleration restart
sync - Sync Configuration Menu
software - Firewall Software Menu
smart - SmartUpdate Configuration Menu
sxl - SecureXL Configuration Menu
The Firewall Configuration Menu is used to configure firewall related options such as enabling the firewall or resetting the Check Point Secure Internal Communications (SIC). The firewall is disabled by default.
ena
Enable the Check Point FireWall-1 NG processing on all healthy Firewall Directors in
the cluster.
dis
Disable the Check Point FireWall-1 NG processing on the cluster and mark all Firewall Directors as down. The Check Point management server cannot be used to manage cluster firewall policies in the disabled state.
sic
This command is used to reset the Check Point Secure Internal Communication (SIC)
state for a specific Firewall Director in the cluster. You will be prompted to enter the IP
address of the target Firewall Director in dotted decimal notation.
accel y|n
This command is used to enable or disable the automatic restart feature for Firewall
Accelerators. This is disabled by default.
sync
The Synchronization Configuration Menu is used to configure stateful failover of sessions among Firewall Directors in the cluster. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.
See page 325 for menu items.
software
Use the Firewall Software Menu to update the built-in Check Point FireWall-1 NG software.
See page 328 for menu items.
smart
This command enables you to use the Check Point SmartUpdate tool on the management
station.
See page 329 for menu items.
sxl
Use the SecureXL Configuration Menu to set the connection table size for each Firewall Director.
See page 330 for menu items.
/cfg/fw/sync
Synchronization Menu
The Synchronization Configuration Menu is used to configure sync devices and stateful failover of sessions among Firewall Directors in the cluster. The Firewall Director 5014 has 2 onboard 10/100/1000 interfaces, so this menu allows you to configure the Sync device, including its speed and auto-negotiation settings. With synchronization, if a Firewall Director fails, its open sessions are transparently reassigned to a healthy Firewall Director. Stateful failover may require additional hardware and Check Point software configuration. See “Synchronizing Firewall Directors” on page 122 for details.
ena
This command is used to enable synchronization for stateful failover among multiple
Firewall Directors in the cluster.
dis
This command is used to disable synchronization for stateful failover. This is the default.
net <base IP address>
This command is used to configure the base IP address of the Firewall Director synchronization network. This command is used in conjunction with the /cfg/sys/netmask option (see page 205) to define the synchronization network range. The default value for the firewall synchronization network is 0.0.0.0.
host <host_number>
This command is used to specify the synchronization parameters for the Firewall Director.
See page 326 for menu items.
The Host Sync Settings Menu is used to specify synchronization parameters for the Firewall
Director.
speed 10|100|1000
When autonegotiation (autoneg) is disabled, this command specifies the link speed. The
choices include:
10: 10 Mbps
100: 100 Mbps (default)
1000: 1000 Mbps
mode full|half
When autonegotiation (autoneg) is disabled, this command specifies the duplex operat-
ing mode. The choices include:
full: Full-duplex (default)
half: Half-duplex
/cfg/fw/software
Firewall Software Menu
The Firewall Software Menu is used to update the built-in Check Point FireWall-1 NG software.
cur
This command displays the current settings for items in the Firewall Software Menu.
/cfg/fw/smart
SmartUpdate Configuration Menu
The Firewall SmartUpdate Menu allows you to use the Check Point SmartUpdate tool on the
management station. This command is disabled by default.
ena
This command enables you to use the SmartUpdate tool on the management station.
dis
This command prevents you from using the SmartUpdate tool on the management station.
/cfg/fw/sxl
SecureXL Configuration Menu
The SecureXL Menu allows you to set the connection table size for each Director.
conns <0-1000000>
Specify a value less than 250,000 for ASF 6614 or 6414. The default value depends on the Firewall Accelerator and Firewall Director.
/cfg/apps
Application Configuration Menu
[Application Configuration Menu]
Securid - SecurID configuration
Securid
This command is used to configure secure servers for third party applications.
/cfg/apps/securid
SecurID Configuration Menu
Servers
This command is used to configure a secure route for the SecurID servers.
/cfg/apps/securid/servers
SecurID Server Configuration Menu
The SecurID Server Configuration Menu is used to configure the SecurID servers.
list
This command lists the SecurID servers.
del <index number>
This command lets you remove a SecurID server by specifying its index number. Use the list command to display the SecurID index numbers.
add <IP address>
This command lets you add the specified SecurID server. The IP address should be specified in dotted decimal notation. The maximum number of entries is 2,000 minus one for each Firewall Director and Firewall Accelerator in the cluster.
/cfg/misc
Miscellaneous Settings Menu
[Miscellaneous Settings Menu]
warn - Set warnings when configuration is applied
The Miscellaneous Settings Menu is used to turn on or off configuration warning messages.
warn y|n
This command is used to turn on or off warning messages. When enabled (the default), whenever the global apply command is issued, applicable warnings are displayed if problems are found in the pending configuration changes. Warnings will not cause the apply command to fail, but can be helpful for managing configuration issues.
217014-A, November 2004
APPENDIX A
Event Logging API
The Alteon Switched Firewall Event Logging API (ELA) is an OPSEC™ application that
allows system log messages to be sent to a Check Point management station for display
through the Check Point SmartView Tracker. Log messages are transported to the management
server through a secure, encrypted channel.
For information on configuring and administering OPSEC applications in Check Point, please refer to your complete Check Point FireWall-1 NG documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required).
ELA configuration requires steps at both the Check Point management server and at the Alteon Switched Firewall. For each Firewall Director in the cluster, you must create a new OPSEC application at the Check Point management server, and initialize Secure Internal Communication (SIC). For each Firewall Director, the certificate associated with the SIC must be pulled to the Firewall Director before the ELA will operate.
The following sections in this chapter detail the steps required to use ELA:
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
The Name field should be given an appropriate identifier. You will need to use this name
when pulling the certificate to the Firewall Director.
The Host field should refer to the management station.
The Vendor should be “User defined.”
“ELA” should be checked in the Client Entries box.
Secure Internal Communication needs to be initialized (see next step).
NOTE – When initialized, the trust state will be displayed as “Initialized but trust not established.” This is normal and will not change even after an SIC certificate is pulled from the Check Point management server (see Step 5 on page 342).
When the Install Policy window appears, select the cluster object and click on the OK button.
NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear. See your Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required) to determine whether antispoofing is necessary for your firewall.
2. Select the Cluster / ELA form and define the general settings.
4. In the BBI Cluster / ELA form, save and apply the settings.
Click on the Update button to submit your changes. Then use the global apply button to make
your changes take effect.
In the Pull SIC Certificate section of the Cluster / ELA form, set the following parameters:
Set the Host IP to the IP address of the individual Firewall Director being updated (not the
MIP address).
Set the Client SIC Name to match the name specified when creating an OPSEC application in the Check Point SmartDashboard management tool. Each host should map to a unique OPSEC application. In the example, we set host 10.10.1.1 to the OPSEC application “ela1.”
Set the Password to match that specified when configuring SIC for the OPSEC application.
In this release of Check Point FireWall-1 NG, the “Origin” of the logs may be incorrect in the
SmartView Tracker tool. The text of the log messages themselves (which contains the source
Firewall Director) may be more reliable in determining from which Firewall Director the log
message originated.
The logging will not occur unless the firewall and registry are up and running on the Firewall
Director. This happens late in the booting process. Messages are cached locally until they can
be sent to the ELA logging server. It therefore may take a few moments before messages begin
appearing after a reboot.
Use the following procedure to install a central license onto the Firewall Director. Steps 1-5 are used to create a new Gateway object. If you have already created a Gateway object, then go to Step 5 to install a central license:
1. Launch the SmartDashboard management tool on the management client Start menu.
2. Create a new gateway object for the Firewall Director.
Select Network Objects | New | Gateway and assign its IP address.
The backup and restore feature is for a Director only and not the cluster. To back up an entire cluster, you must log in to each Director and create backups separately. You cannot create a backup from one member of the cluster and use it to restore another member. A backup taken from a Director can be used only to restore that same Director or a replacement for that Director.
Creating a Backup
To create a backup of a Director, do the following using the Command Line Interface (CLI):
2. Disconnect the Director from the cluster if your Director is already part of a cluster.
If you /boot/delete the Director while it is still connected to the cluster, it cannot be
restored since the cluster will no longer consider that Director as part of the cluster.
3. Restore the Director to its factory default configuration with the command
/boot/delete.
This is mandatory as restore can be done only on a Director in factory default configuration.
8. Login again as admin and you will see the Configuration menu instead of the Setup
menu.
This feature must be used cautiously, because it provides users with the ability to log in remotely using SSH and access the Linux shell. Remote users with the root password can use the Linux utility su and run “su root”.
To log in, the user has to authenticate using the public key/private key mechanism. DSA or RSA key pairs can be used, but they must be in OpenSSH version 2 format only. Password based authentication is not allowed.
The IP address of the remote user must be part of the access list.
The Check Point policy must allow the SSH connection between the remote user and
the ASF.
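The key-format and access-list conditions listed above can be checked mechanically before an entry is installed. The following is an added example, not code from the guide or from Nortel: it parses an authorized_keys style line, confirms the declared type is RSA or DSA and that the blob is in OpenSSH version 2 wire format (the blob begins with the key type string), and checks the remote address against an access list. The key material and the address ranges are constructed for illustration; the sample key is not usable for authentication.

```python
"""Added example (not from the Alteon guide): validates an OpenSSH v2 public key
line against the RSA/DSA restriction and checks the remote address against an
access list. Sample key material is constructed and is not a real key."""
import base64
import ipaddress
import struct
from typing import Iterable, Tuple

ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}   # RSA and DSA only, as the page requires


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian two's complement, with a leading zero byte when the
    high bit of the first byte is set (n is assumed non-negative here)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _ssh_string(raw)


def build_openssh_v2_line(key_type: str, comment: str, *fields: bytes) -> str:
    """Assemble '<type> <base64 blob> <comment>'. The blob starts with the key
    type string, which is what distinguishes OpenSSH v2 format from SSH1 keys."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_key(line: str) -> dict:
    """Return type/comment/blob length for a valid line; raise ValueError with a reason otherwise."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"key type {key_type!r} not allowed (RSA or DSA only)")
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode(errors="replace") != key_type:
        raise ValueError("blob type does not match declared type (not OpenSSH v2 format)")
    return {"type": key_type, "comment": comment, "blob_len": len(blob)}


def remote_allowed(remote_ip: str, access_list: Iterable[str]) -> bool:
    """The remote user's address must fall inside one of the access-list networks."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in access_list)


def admit(line: str, remote_ip: str, access_list: Iterable[str]) -> Tuple[bool, str]:
    """Combine both checks into a single decision with a human-readable reason."""
    if not remote_allowed(remote_ip, access_list):
        return False, f"{remote_ip} is not on the access list"
    try:
        info = parse_authorized_key(line)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{info['type']} key for {info['comment']!r} accepted"


# Constructed sample: a toy ssh-rsa blob (e=65537, tiny modulus), not a usable key.
SAMPLE_RSA_LINE = build_openssh_v2_line("ssh-rsa", "ops@admin-host",
                                        _ssh_mpint(65537), _ssh_mpint(0xC0FFEE))
# Constructed sample whose declared type disagrees with the blob contents.
MISMATCHED_LINE = "ssh-rsa " + build_openssh_v2_line("ssh-dss", "bad", _ssh_mpint(3)).split()[1] + " bad"
# Constructed access list (assumption: the management network and one admin host).
ACCESS_LIST = ["10.10.1.0/24", "192.0.2.5/32"]

if __name__ == "__main__":
    for ip in ("10.10.1.50", "203.0.113.9"):
        print(ip, admit(SAMPLE_RSA_LINE, ip, ACCESS_LIST))
```

Checking the type string inside the decoded blob, rather than trusting the first whitespace-separated field alone, is the part that actually enforces the "OpenSSH version 2 format" requirement; the prefix on its own can be edited freely.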
2. Login as root.
root
# mount /mnt/floppy
4. Copy files (if you need the log files). For example:
# cp /var/log/message /mnt/floppy
# sync
# umount /mnt/floppy
6. Remove the floppy disk from the Firewall Director by pressing the eject button.
2. Login as root.
root
# mount /mnt/cdrom
# sync
# umount /mnt/cdrom
2. Turn off the Firewall Accelerator and then turn it back on.
3. Press <Shift-F> while the Firewall Accelerator is attempting to boot (while the
“AceSwitch BootMon...” message is displayed).
5. Transfer the binary upgrade image from the terminal to the Firewall Accelerator using
Xmodem protocol.
For example, if using Hyperterminal, select the Transfer | Send File command and select Xmodem or 1K-Xmodem (faster) as the protocol.
6. When the transfer is complete, return your terminal to a baud rate of 9600.
7. Turn off the Firewall Accelerator and then turn it back on.
connections_limit
connections_hashsize
If a NAT policy is being used by a large number of concurrent sessions, then the following two
parameters should be modified:
Edit the gateway cluster object property to increase connection limit on the Application Intelli-
gence management server. To edit the gateway cluster object representing the ASF cluster, do
the following:
1. Go to the “Capacity Optimization” tab and increase the “Maximum concurrent connections” parameter.
2. Set the “Calculate connections hash size and memory pool” parameter to “Automatically.”
2. Run dbedit on the Check Point management station at the MS DOS prompt:
c:\> dbedit
Enter Server name:<IP address of the Check Point host>
Enter User name:<login using admin account>
Enter User password:
dbedit> modify properties firewall_properties nat_limit 180000
dbedit> modify properties firewall_properties nat_hashsize 1048576
dbedit> update properties firewall_properties
dbedit> quit <Do not enter Ctrl-c or the changes will be aborted>
NOTE – You may set the nat_limit parameter to be less than the connection_limit.
Make sure the nat_hashsize value is close to the nat_limit and a power of 2. For
example, if nat_limit is 50000, nat_hashsize should be 65535.
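An added helper, not from the guide or from Nortel, that derives a nat_limit/nat_hashsize pair and renders the dbedit lines in the form shown above. Its sizing rule (the smallest power of two at or above nat_limit) is one reading of “close to the nat_limit and a power of 2”; check_pair reports a hash size that is not a power of two or a nat_limit above the connection limit, which is the kind of slip that is easy to make when typing these values into dbedit by hand. The limits used are constructed.

```python
"""Added example (not from the Alteon guide): sizes nat_hashsize for a given
nat_limit and renders the dbedit commands. Values are constructed."""
from typing import Dict, List


def next_power_of_two(n: int) -> int:
    """Smallest power of two that is >= n (n must be positive)."""
    if n < 1:
        raise ValueError("n must be positive")
    return 1 << (n - 1).bit_length()


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def plan_nat_tuning(nat_limit: int, connections_limit: int) -> Dict[str, int]:
    """Pick a nat_hashsize for nat_limit, honouring the note that nat_limit may
    be set below (but not above) the connection limit."""
    if nat_limit > connections_limit:
        raise ValueError("nat_limit must not exceed the connection limit")
    return {"nat_limit": nat_limit, "nat_hashsize": next_power_of_two(nat_limit)}


def check_pair(nat_limit: int, nat_hashsize: int, connections_limit: int) -> List[str]:
    """Return a list of problems with a hand-chosen pair (empty list means it passes)."""
    problems = []
    if not is_power_of_two(nat_hashsize):
        problems.append(f"nat_hashsize {nat_hashsize} is not a power of 2")
    if nat_hashsize < nat_limit:
        problems.append(f"nat_hashsize {nat_hashsize} is below nat_limit {nat_limit}")
    if nat_limit > connections_limit:
        problems.append(f"nat_limit {nat_limit} exceeds connection limit {connections_limit}")
    return problems


def dbedit_script(plan: Dict[str, int]) -> List[str]:
    """Render the dbedit command sequence from the page for the chosen values."""
    return [
        f"modify properties firewall_properties nat_limit {plan['nat_limit']}",
        f"modify properties firewall_properties nat_hashsize {plan['nat_hashsize']}",
        "update properties firewall_properties",
        "quit",
    ]


if __name__ == "__main__":
    # Constructed values: 180,000 NAT sessions under a 250,000 connection limit.
    for line in dbedit_script(plan_nat_tuning(180000, 250000)):
        print("dbedit>", line)
    print(check_pair(50000, 65535, 250000))
```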
lsmod
NG memory information:
fw ctl pstat
/opt/tng/bin/vnic dump
/opt/tng/bin/vnic info v1
When the reinstallation is performed, the Firewall Director is reset to its factory default configuration. All previous configuration data and software are erased, including old software image versions or upgrade packages.
NOTE – Because a reinstallation erases all configuration data (including network settings), it is
recommended that you first save all configuration data to a file on an FTP server.
Access to the target Firewall Director through a direct connection to its serial port. Remote
Telnet or SSH connections cannot be used for reinstalling software.
An install image must be loaded on an FTP server on your network.
The host name or IP address of the FTP server. If you choose to specify the host name,
please note that the DNS parameters must have been configured. For more information,
see the “DNS Servers Menu” on page 204.
The name of a valid .img Firewall Director installation image.
Software reinstallation is performed using the following procedure.
2. After a successful login, follow the onscreen prompts and provide the required information.
If the Firewall Director has not been configured for network access previously, you must provide information about network settings such as IP address, network mask, and gateway IP address. After the new boot image has been installed, the Firewall Director will reboot and you can log in again using default passwords when the login prompt appears.
The new Firewall Director is now ready to be installed as part of a new cluster (see Chapter 2,
“Initial Setup,” on page 25) or added to an existing cluster (see Chapter 7, “Expanding the
Cluster,” on page 105).
Actions
Power on the Firewall Accelerator.
Make sure the Firewall Accelerator has the Firewall Accelerator software installed.
Make sure the Firewall Accelerator boots with the factory default settings.
Connect the Firewall Director to one of the NAAP ports on the Firewall Accelerator.
Enable the NAAP ports to which the Firewall Director is connected. The link and active
indicator lights on the Firewall Accelerator should be on and not blinking.
Connect the Firewall Accelerator NAAP ports to the 1st Gig port on the Firewall Director.
See the Alteon Switched Firewall Hardware Installation Guide for more information on
the Firewall Director ports.
Switch the power off and on, on both the Firewall Director and the Firewall Accelerator.
Actions
Use the following procedure to verify the trust status:
>> # /cfg/fw/cur
>> # /cfg/fw/ena
>> # apply
NOTE – After enabling the firewall, it may take several minutes before it is fully operational.
Once the firewall is operational, recheck the communication status and SIC status in the
SmartDashboard management tool.
Verify that the Firewall Director is not too busy to process the SIC request from the management station (SmartCenter).
If traffic is under excessive load, decrease the traffic and try to establish trust again.
Verify the interface updates
If you updated your topology or modified IP interfaces, then “Get Interfaces” for the
updated topology and verify your configuration. Make sure the link is up to see the
updated interfaces.
Verify whether the Firewall Director is dropping the traffic from the management station.
Log in to the Firewall Director using the root account. From the root account, run the following command:
# fw monitor
If the packets from the management station are being dropped, log in as admin and unload
the firewall policy using the following CLI command:
>> # /maint/diag/unldplcy
>> # /cfg/fw/sic
Enter the host IP address:10.10.1.1
Enter the new Check Point SIC Password:
Confirm password:
Reboot the Firewall Director, the Check Point SmartCenter, and the Check Point SmartClient. When all systems have rebooted, unload the firewall policy again. Wait for a minute and then try to establish trust again.
Actions
Verify the link between the Firewall Director and the Check Point management server is
up.
Verify the IP address on the Check Point management server
Make sure the management server object has the correct IP address. If the management
server has multiple NIC adapters, then make sure the IP address is of the one connected to
the Firewall Director.
Log in to the Firewall Director using the admin account and use the following CLI command to delete the existing policy on the firewall:
>> # /maint/diag/unldplcy
NOTE – Often, users forget to update the SmartDashboard management tool after adding or deleting interfaces from the Firewall Director console. As a result, anti-spoofing blocks the traffic because incorrect interfaces were used.
Actions
Do the following from the Firewall Accelerator console:
Manually configure the link parameters for the ports that connect to the other devices.
Turn auto negotiation off.
Set the right speed (10, 100, 1000) and set the duplex mode (full, half).
Do the same on the other router/Firewall Accelerator.
Reboot the Firewall Accelerators.
Actions
If the management client and SmartCenter station are not in the same network, add a rule
to allow Check Point Management Interface (CPMI) to go through these two networks.
Enter the cpconfig command on the SmartCenter station to see if the management client IP address is on the approved list.
Action
Increase the session limit on the SmartCenter station and reduce the TCP end timeout (15 seconds) limit in the Policy | Global Properties menu, under the Stateful Inspection tab. To edit the gateway cluster object property and increase the connection limit on the Application Intelligence management server, see “Tuning Check Point NG Performance” on page 352.
Make sure the SmartCenter station is configured as explained in “Tuning Check Point NG
Performance” on page 352.
Log in using the administrator account and run the command from the CLI:
/info/clu. If the firewall status of the Firewall Director is not accelerating, run the
command: /cfg/fw/accel y. Once enabled, firewall acceleration will automatically
restart without user intervention.
Actions
Set the health check type to ARP on the Firewall Director using the
/cfg/net/route/gate/gw <gateway_number>/ arp y.
Verify if the gateway is up using the command /info/acc.
Verify from another Firewall Director that when you ping the next hop you get a valid ARP response in the host ARP cache. If you get an ARP response back and your gateway is still down, then make sure you haven’t configured duplicate IP addresses on the ASF.
Enter the additional addresses using /cfg/net/if x/addr n or /cfg/net/if x
vrrp/ip1 (ip2).
Actions
Verify SIC communication between the Management Server and the Firewall Director. If
the verification fails, unload the Director by entering the following commands:
Login as admin and enter
/cfg/fw/accel/n
Login as root and enter
fw unloadlocal
Ping the management interface. If ping works and SIC fails, then reset SIC on all devices
and verify that there are no ACLs or firewall rules blocking communication in the logical
data path. If SIC still fails then delete the object out of the Management Server, recreate
the object and attempt to establish SIC.
If SIC is working, then do the following:
(i) Run cpstop and then cpstart on the management server.
(ii) Log in to the CLI and disable and enable the Firewall.
(iii) Log in as root on each firewall and fetch the policy from the management server as
follows:
fw fetch ip <ip_address_of_the_management_server>
(iv) Perform Step (iii) on each Firewall Director.
Actions
Verify that the gateway or next hop between the ASF and the requesting hop is up and active. This can be done by pinging the next hop interface from another device or by using the /info/ip command on the Firewall Accelerator. If you do not receive a reply, then go to the section, “Cannot Contact to Default Gateway” on page 363.
Attempt to contact the management interface again by entering the following commands:
Login as admin and enter
/cfg/fw/accel/n
Login as root and enter
fw unloadlocal
Verify that there are no ACLs, filters or firewall rules in the logical data path that may be
preventing communication.
2. Network diagram
This must encompass both logical and physical architecture. If necessary, two diagrams can be used to meet this requirement. To minimize the size of the file, the preferred format is .jpg or .gif.
5. (optional) Export the Check Point log during the time of the problem
Collect the log from the Check Point Log Viewer.
After you gather all of the above information, call 1-800-4NORTEL, press option 1 and use ERC 343. Create a new ticket and email your information to alteon-support@nortelnetworks.com referencing your case number in the subject heading.
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
“This product includes software developed by the Apache Software Foundation (http://www.apache.org/).”
Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
mod_ssl License
LICENSE
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows.
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License
Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes soft-
ware written by Tim Hudson (tjh@cryptsoft.com).
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just
the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except
that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library
used.
This can be in the form of a textual message at program startup or in documentation (online or textual) provided with
the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”
The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:
“This product includes software written by Tim Hudson (tjh@cryptsoft.com)”
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
PHP License
The PHP License, version 2.02
Copyright (c) 1999, 2000 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name “PHP” must not be used to endorse or promote products derived from this software without prior permission from the PHP Group. This does not apply to add-on libraries or tools that work in conjunction with PHP. In such a case the PHP name may be used to indicate that the product supports PHP.
4. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes PHP, freely available from http://www.php.net/”.
6. The software incorporates the Zend Engine, a product of Zend Technologies, Ltd. (“Zend”). The Zend Engine is
licensed to the PHP Association (pursuant to a grant from Zend that can be found at
http://www.php.net/license/ZendGrant/) for distribution to you under this license agreement, only as a part of
PHP. In the event that you separate the Zend Engine (or any portion thereof) from the rest of the software, or
modify the Zend Engine, or any portion thereof, your use of the separated or modified Zend Engine software
shall not be governed by this license, and instead shall be governed by the license set forth at
http://www.zend.com/license/ZendLicense/.
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>.
SMTPclient License
LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License in the file COPYING along with this program; if
not, write to:
The author reserves the right to distribute following releases of this program under different conditions or license
agreements.
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the
rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal
permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors
of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we
have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”.
Activities other than copying, distribution and modification are not covered by this License; they are outside its
scope. The act of running the Program is not restricted, and the output from the Program is covered only if its
contents constitute a work based on the Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date
of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from
the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of
this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived
from the Program, and can be reasonably considered independent and separate works in themselves, then this
License, and its terms, do not apply to those sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based on the Program, the distribution of the
whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and
thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you;
rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the
Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based
on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope
of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable
form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed
under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code.
(This alternative is allowed only for noncommercial distribution and only if you received the program in
object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then
offering equivalent access to copy the source code from the same place counts as distribution of the source code,
even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time
to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License
which applies to it and “any later version”, you have the option of following the terms and conditions either of
that version or of any later version published by the Free Software Foundation. If the Program does not specify a
version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve
this is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most
effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to
where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the
Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names:
Symbols
/ 155
? (help) 155
[ ] 13
A
abbreviating commands (CLI) 158
accessing the CLI 146
actio (SLB filtering option) 318
activate
  software upgrade package 135
  software version 135
add
  Firewall Accelerator 107
  Firewall Director 106, 111
  RADIUS Audit Server menu command 230
Address Resolution Protocol (ARP)
  interval 245
Alteon Switched Firewall
  basics 20
  configuration requirements 26
  expanding the cluster 106
  features 17
  IDS servers 100
  models supported 17
  sample network 27
  setting up 28
  upgrading 128
  using the CLI 153
area ID 75
area index, assigning 74
ARP. See Address Resolution Protocol.
auto-negotiation
  enable/disable on port 258, 259
autonomous systems (AS) 72
B
Browser-Based Interface 73
C
central licensing 51
certificate authority 43
Check Point
  management tools 35
Check Point components
  management clients 21
  SmartCenter 21
cluster
  adding Firewall Director 106
  configuring 112
  properties 112
Command-Line Interface (CLI) 145
commands
  abbreviations 158
  install 137
  main menu 159
  shortcuts 158
  stacking 158
  tab completion 158
  using CLI 158
configuration
  basic 28
  firewall policies 45
  flow control 258, 259
  GRE tunneling example 80
  licenses and interfaces 32
  operating mode 257
  OSPF examples 83
  port link speed 257
  route redistribution, OSPF 91
  route redistribution, RIP 63
configuration menu 197
379
217014-A, November 2004
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference
configuring
  command reference 197
  DHCP relay 58
  Firewall Accelerator 109
  licenses 32
  load balancing IDS servers 96
cryptographic seed 43
D
del
  RADIUS Audit Server menu command 230
DHCP Relay 58
  configuring 58
dip (destination IP address for filtering) 319
disconnect idle timeout 154
dmask
  destination mask for filtering 319
DNS servers
  add to configuration 204
  list configured 204
  remove configured 204
E
establish trust 115
establishing trust 49
EtherChannel
  as used with port trunking 256
expanding the cluster 106
external routing 72
F
factory default configuration
  after reinstalling software 137, 355
feature string 32
filters
  IP address ranges 319
Firewall Accelerator
  configuring 109
  installing 107
Firewall Director
  adding 111
  synchronizing 122
firewall policies 114
  creating 53
firewall policies, installing 45
flow control
  configuring 258, 259
G
global commands
  commands
  global 155
  nslookup 155
GRE tunnel
  configuration example 80
GRE tunnels 79
H
help 155
I
idle timeout
  overview 154
IDS servers
  load balancing 96
  sample configuration 96, 100
installing 28
  commands 137
  licenses 32
  upgrading to a minor or major release 133
installing Firewall Accelerator 107
install-tng command 137
inter-accelerator port 125
internal routing 72
Intrusion Detection System (IDS) 95
IP address
  filter ranges 319
  management IP 26
L
licenses 32, 51
lines (display option) 155
link
  speed, configuring 257
link settings 125
link state database 71
list
  RADIUS Audit Server menu command 230
load balancing
  IDS traffic 95
load balancing IDS servers 96
login 141
M
main menu 154, 159
management
  passwords 141
  remote 146
  users 141
management IP (MIP) 26, 113
management tools 140
  installing 35
N
NAAP
  ports 126
network ports 126
NTP servers
  add to configuration 203, 217, 218
  list configured 203, 217, 218
  remove configured 203, 217, 218
NTP setting menu 203
O
online help 155
operating mode, configuring 257
OSPF
  authenticating 78
  configuration examples 83
  creating a virtual link 85
  creating virtual links 77
  database 71
  defining an OSPF domain 83
  route redistribution 63, 91
  router ID 77
  router types 69
  summarizing routes 76, 89
P
passwords 141
ping 156
port trunking
  description 256
ports
  inter-accelerator 125
  NAAP 126
  network 126
  physical. See switch ports.
  serial 146
pwd 156
Q
quiet (screen display option) 156
R
receive flow control 258, 259
Redistributing routes, OSPF 63
redistributing routes, OSPF 91
redistributing routes, RIP 63
reinstalling software 137
remote access list 146
RIP (Routing Information Protocol)
  advertisements 62
  distance vector protocol 61
  hop count 61
  metric 61
  route redistribution 63
  routing table 62
  UDP 62
  version 1 61
root login 141
router ID 77
routers
  border 72
  peer 72
routes, advertising 72
routing
  internal and external 72
Routing Information Protocol. See RIP
S
serial port 146
Server Load Balancing
  IDS 95
servers
  Audit menu command 228
shortcuts (CLI) 158
SIP (source IP address for filtering) 319
SmartCenter 27, 35, 44
smask
  source mask for filtering 319
SNMP
  menu options 214, 217, 218, 219, 220
software
  activate downloaded upgrade package 135
  reinstall 137
  version handling when upgrading 135
SSH 146
stacking commands (CLI) 158
summarizing routes 76
  example 89
switch ports
  VLANs membership 261
synchronizing Firewall Directors 122
T
tab completion (CLI) 158
TCP
  source and destination ports 318
Telnet 146, 148
timeouts
  idle connection 154
traceroute 156
transmit flow control 258, 259
Tunneling, GRE 79
U
UDP
  RIP 62
  source and destination ports 318
upgrade
  activate software package 135
  handling software versions 135
upgrading the software 128
upgrading to a minor or major release 133
user names 141
using the CLI 153
V
vendorid
  Audit menu command 228
vendortype
  Audit menu command 229
verbose 156
virtual link 77
  configuration example 85
VLAN tagging
  port restrictions 263
VLANs
  port members 261
  tagging 261, 263