Nortel 5109, 5111, 5100, 5111-NE1, 5114-NE1 Owner's Manual

...
4655 Great America Parkway Santa Clara, CA 95054 Phone 1-800-4Nortel http://www.nortel.com
Nortel Switched Firewall 5100 Series Release 2.3.3
User’s Guide and Command Reference
part number: 213455-L, October 2005
Copyright © Nortel Networks 2002–2005. All rights reserved.
This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.
Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
Check Point, OPSEC, and SmartUpdate are trademarks of Check Point Software Technologies Ltd. Firewall-1 and VPN-1 are registered trademarks of Check Point Software Technologies Ltd.
Portions of this manual are Copyright © 2001 Check Point Software Technologies Ltd. All Rights Reserved.
Any other trademarks appearing in this manual are owned by their respective companies.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing
This product includes software developed by Check Point Software Technologies (http://www.checkpoint.com). This product also contains software developed by other parties.
See Appendix E, “Software licenses”, on page 419 for more information.
Contents
Preface 13
Who should use this book 13
How this book is organized 13
Part 1: Getting started 13
Part 2: Command reference 14
Part 3: Appendices 14
Related documentation 15
Typographic conventions 15
How to get help 16
Getting help from the Nortel web site 16
Getting help over the telephone from a Nortel Solutions Center 17
Using an Express Routing Code to get help from a specialist 17
Getting help through a Nortel distributor or reseller 17
Chapter 1: Introduction 21
Feature summary 22
What’s new in NSF 2.3.3? 22
Software support 22
Reliability and redundancy 22
Management 22
Usability enhancements 23
Supported hardware 24
Performance 25
Nortel Switched Firewall basics 25
Network Elements 25
The networks 26
The Firewall 26
The management interfaces 26
Chapter 2: Initial setup 29
Basic requirements 30
Example network 31
Firewall management network 31
SmartCenter Server 32
Smart Portal 32
Trusted network 36
Untrusted network (Internet) 36
Setting up the basic configuration 37
Installing the Firewall license 43
Example: 44
Configuring network interfaces and ports 44
Allowing SMART Client access to the Firewall 47
Installing Check Point management tools 48
Editing the Windows hosts file 48
Installing Check Point SmartCenter Server and SmartConsole 49
Defining a Firewall Object in the SmartDashboard 58
Creating a Firewall policy test rule 64
Creating and installing Firewall security rules 66
SecurID authentication 67
Topology of SecurID authentication 68
Configuring RSA authentication manager 70
Configuring SecurID on Nortel Switched Firewalls 79
Importing the agent configuration file to NSF 79
Generating the sdopts.rec file 79
Configuring partner RSA authentication agent 80
Enabling global SecurID authentication for Firewall clusters or hosts on Check Point 80
Enabling SecurID authentication for Check Point FireWall-1 users 81
Rule base for user authentication with SecurID 81
Rule base for client authentication with SecurID 81
Rule base for session authentication with SecurID 82
VLAN tags 84
Layer 2 switch configuration 85
SmartDashboard configuration 85
Switched Firewall configuration 87
Chapter 3: Dynamic Host Configuration Protocol 91
DHCP relay agent 92
Configuring for DHCP relay agent 93
Chapter 4: Open Shortest Path First 95
OSPF overview 96
Types of OSPF areas 96
Types of OSPF routing devices 97
Neighbors and adjacencies 98
The Link-State database 99
The Shortest Path First tree 99
Authentication 100
Internal versus external routing 100
NSF 2.3.3 OSPF implementation 101
Configurable parameters 101
Defining areas 102
Assigning the area index 102
Using the area ID to assign the OSPF area number 103
Attaching an area to a network 103
Interface cost 104
Electing the designated router and backup 104
Router ID 104
Authentication 105
Simple authentication 105
MD5 authentication 105
GRE Tunnel support 106
OSPF features not supported in this release 106
OSPF configuration examples 107
Example 1: configuring a simple OSPF domain 107
Example 2: configuring GRE Tunnel 109
Avoiding loops in the GRE Tunnel 111
Example 3: configuring failover 113
Chapter 5: Redundant Firewalls 117
VRRP on the Switched Firewall 118
VRRP overview 118
Switched Firewall cluster 118
Active master determination 119
VRRP election 119
VRRP failover 120
VRRP failover based on links 121
MAC address mapping 121
Stateful failover 122
VRRP router parameters 122
Active-standby and active-active 122
Advertisement interval 122
Gratuitous ARP (GARP) 123
VRRP interface 123
Advanced failover check 124
Preferred Master 124
Configuring VRRP active-standby failover 125
Configuration overview 126
Requirements 127
Installing the redundant Switched Firewall 128
Configuration check list 128
Configuring the redundant Switched Firewall 129
Configuring Check Point software for active-standby 133
Configuration dump for VRRP active-standby failover 139
Configuring VRRP active-active failover 145
Configuration overview 145
Requirements 147
Installing the redundant Switched Firewall 147
Configuration check list 147
Configuring the redundant Switched Firewall 148
Configuring Check Point software 148
Configuration dump for VRRP active-active failover 154
Configuring Check Point ClusterXL failover 160
Configuration check list on the management station 162
Step-by-step configuration procedure 163
Configuration dump for Check Point ClusterXL failover 179
Establishing trust on redundant Firewalls 185
Establishing trust from a management station behind the Firewall 185
Managing through the VRRP interface 186
Synchronizing Nortel Switched Firewalls 186
Chapter 6: Layer 2 and Layer 3 Firewalls 189
Overview 190
Configuring Layer 2 bridge mode Firewall 191
Configuring the Firewall software 192
Configuring the Check Point software to support Layer 2 bridge mode 195
Configuring a Layer 3 Firewall 202
Configuring the Firewall software 202
Configuring the Check Point software to support a Layer 3 Firewall 206
Configuration issues 213
Chapter 7: Applications 215
Uninterruptible Power Supply 216
Configuring UPS support 216
Displaying UPS configuration 220
RADIUS authentication 221
VPN support 223
ISP redundancy 225
User Authority 226
Chapter 8: Upgrading and reinstalling the software 229
Compatibility 230
Types of upgrade 231
Nortel Switched Firewall SSI upgrades 231
Built-in Firewall software upgrades 231
Check Point Management Station upgrades 232
Upgrade and reinstall images 232
Upgrading to NSF 2.3.3 software 232
Loading the new software 233
Activating the software 235
Stand-alone upgrade 236
Cluster upgrade 237
Reinstalling software 240
Using the ISO image 240
Using the IMG image 241
Chapter 9: Basic system management 245
Management tools 245
Users and passwords 246
Chapter 10: The Command Line Interface 251
Accessing the Command Line Interface 252
Using the local serial port 252
Defining the remote access list 252
Displaying the access list 252
Adding items to the access list 253
Using Telnet 253
Enabling Telnet access 254
Starting the Telnet session 255
Using Secure Shell 255
Enabling SSH access on the Nortel Switched Firewall 255
Starting the SSH session 257
Using the Command Line Interface 258
Basic operation 258
The Main Menu 259
Idle time-out 259
Multiple administration sessions 260
Global commands 260
Command Line history and editing 262
Command Line shortcuts 263
Command stacking 263
Command abbreviation 263
Tab completion 263
Chapter 11: Command reference 265
Main Menu 265
Information Menu 269
Info_host Menu 273
/info/monitor 274
info_monitor Menu 274
Information Menu 274
Bridge 1 Information Menu 276
Route Information Menu 276
OSPF Router Information Menu 276
VRRP Information Menu 278
Configuration Menu 279
System Menu 281
Date and Time Menu 283
NTP Servers Menu 284
DNS Servers Menu 285
Cluster Menu 286
Cluster Host Menu 287
Access List Menu 289
Administrative Applications Menu 290
Telnet Administration Menu 292
SSH Administration Menu 293
SSH Host Keys Menu 294
SSH Known Host Keys Menu 295
Web Administration Menu 296
HTTP Configuration Menu 297
SSL Configuration Menu 298
Certificate Management Menu 299
Server Certificate Management Menu 300
CA Certificate Management Menu 301
SNMP Administration Menu 302
SNMP Users Menu 304
Trap Hosts Menu 305
SNMP System Information Menu 306
Advanced SNMP Settings Menu 307
Audit Menu 308
Radius Audit Servers Menu 310
Authentication Menu 311
Radius Authentication Servers Menu 312
Platform Logging Menu 313
System Logging Menu 314
ELA Logging Menu 315
Log Archiving Menu 317
User Menu 318
User user_name Menu 320
SSH Users Menu 320
SSH User Admin Menu 321
Groups Menu 322
APC UPS Menu 323
Network Configuration Menu 325
Port Menu 327
Physical Port Connector Characteristics 327
Interface Menu 328
VRRP Interface Menu 330
Bridge 1 Menu 332
Bridge 1 Ports Menu 333
VRRP Bridge 1 Menu 334
VRRP Settings Menu 335
Routes Menu 338
GRE Tunnel 1 Menu 339
OSPF Menu 340
OSPF Area Index Menu 342
OSPF Interface Menu 343
OSPF GRE Tunnel 1 Menu 346
Route Redistribution Menu 349
OSPF Connected Route Redistribution Menu 350
OSPF Static Route Redistribution Menu 351
OSPF Default Gateway Route Redistribution Menu 352
Proxy Arp Menu 353
Proxy Arp List Menu 354
DHCP Relay Menu 355
DHCP Relay Interface <number> Menu 356
DHCP Server <number> Menu 357
Firewall License Menu 358
Firewall Configuration Menu 359
Sync Configuration Menu 361
Portal Configuration Menu 362
SMART Clients Menu 363
SmartUpdate Configuration Menu 364
Miscellaneous Settings Menu 364
Boot Menu 365
Software Management Menu 366
Software Patches Menu 367
The Maintenance Menu 368
Firewall Maintenance Menu 369
Tech Support Dump Menu 371
Backup Menu 372
OSPF Debug Menu 373
Appendix A: Event Logging API 377
Configure the Check Point SmartCenter Server 378
Configure the Firewall 382
The Check Point SmartView Tracker 384
Appendix B: Backing Up and Cloning Configurations 385
Overview 386
Remote Backup 386
Clone Command 386
Local Backup 386
Backing Up and Cloning 387
Backing Up a Configuration 387
Troubleshooting for Backup 388
Cloning a Configuration 388
Appendix C: Common tasks 391
Installing a new image from CD-ROM 392
Enabling USB support 393
Verify USB support on the Firewall 393
Enabling the USB support in the BIOS 394
Mounting a floppy disk on the Firewall 397
Mounting a CD-ROM on the Firewall 398
Mounting the USB port 399
Tuning Check Point NGX performance 400
Connection parameters 400
NAT parameters 401
Reading system memory information 402
Generating public/private DSA key pair 402
Appendix D: Troubleshooting 407
Failed to establish trust between SmartCenter Server and Firewall 408
Actions 408
Managing licenses 409
Re-installing an existing license 409
Installing a license on an NT workstation 410
Re-establishing SIC 410
Cannot download policy on Firewall 411
Action 411
Poor performance with other devices 412
Actions 412
Cannot log in to the management station from the SMART Client 412
Actions 412
Check Point sends connection failed messages to Firewall 412
Action 413
Check Point synchronization 413
Message appears after checking synchronization status 413
Actions 413
Synchronization status check reveals an interface is down 414
Actions 414
VRRP configuration tips 415
VRRP: active master backup fails 416
Actions 416
VRRP: both masters are active 417
Actions 417
Poor performance under heavy traffic 417
Configure mandatory IP addresses 418
Appendix E: Software licenses 419
Apache software licence 420
mod_ssl license 421
OpenSSL and SSLeay licenses 422
OpenSSL license 422
Original SSLeay license 423
PHP license 424
SMTPclient license 425
GNU General Public License 426
Preface
The Nortel Switched Firewall 5100 Series User’s Guide and Command Reference (213455-L) describes the components and features of the Nortel Switched Firewall 5100 Series system and explains how to perform initial setup, configuration and maintenance when using Release 2.3.3 software.
Once you have completed network configuration using this guide, you must rely on the documentation from Check Point to develop and administer security policies.
Who should use this book
This User’s Guide and Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It is assumed that users of this guide are familiar with Ethernet concepts and IP addressing.
How this book is organized
The chapters in this book are organized as follows:
Part 1: Getting started
Chapter 1, Introduction, provides an overview of the major features of the Nortel Switched Firewall, including the physical layout of its components and the basic concepts behind their operation.
Chapter 2, Initial setup, describes how to perform start-up configuration on the Nortel Switched Firewall. An example network is shown, along with instructions on how to configure the firewall CLI and Check Point™ SmartCenter Server.
Chapter 3, Dynamic Host Configuration Protocol, describes how to configure the Nortel Switched Firewall for Dynamic Host Configuration Protocol (DHCP) support.
Chapter 4, Open Shortest Path First, provides an overview of the Open Shortest Path First (OSPF) protocol, describes the implementation of OSPF on the Switched Firewall, and includes several OSPF configuration examples.
Chapter 5, Redundant Firewalls, provides configuration examples for clustering Switched Firewalls in a redundant configuration for high availability or active-active using VRRP and synchronization for stateful failover. There is also an overview of the VRRP implementation.
Chapter 6, Layer 2 and Layer 3 Firewalls, describes how to configure a Layer 2 and Layer 3 firewall.
Chapter 7, Applications, describes applications that are supported by the Nortel Switched Firewall.
Chapter 8, Upgrading and reinstalling the software, describes how to upgrade or reinstall the Nortel Switched Firewall system component software.
Chapter 9, Basic system management, describes the various tools used for managing the system, and explains basic management concepts.
Part 2: Command reference
Chapter 10, The Command Line Interface, describes how to access and use the text-based management interface for collecting system information and performing configuration.
Chapter 11, Command reference, explains the menus, commands, and parameters of the text-based management interface.
Part 3: Appendices
Appendix A, Event Logging API, describes how to view Nortel Switched Firewall log messages with your Check Point SmartView Tracker.
Appendix B, Backing Up and Cloning Configurations, describes how to back up and clone configurations.
Appendix C, Common tasks, describes routine management functions.
Appendix D, Troubleshooting, provides suggestions for troubleshooting basic problems.
Appendix E, Software licenses, provides licensing information for the software used in this product.
Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference
Preface 15
213455-L, October 2005
Related documentation
For setup, configuration, software maintenance and release-specific information, see the following related documentation:
Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D)
Nortel Switched Firewall 2.3.3 Browser-Based Users Guide (216383-D)
Nortel Switched Firewall 5100 Series 2.3.3 Release Notes (213456-S)
The documents are available on the Nortel Technical Support web site at www.nortel.com/support.
Typographic conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions (Typeface or Symbol; Meaning; Example)
AaBbCc123 (fixed-width): used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
Example: Main#
AaBbCc123 (italic): shows book titles, special terms, or words to be emphasized.
Example: Read your User’s Guide thoroughly.
AaBbCc123 (fixed-width, bold): appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys
<AaBbCc123>: italicized type within angle brackets appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Example: To establish a Telnet session, enter:
host# telnet <IP address>
[ ]: command items shown inside square brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]
|: command items separated by the vertical bar depict a list of possible values, only one of which should be entered. The vertical bar can be literally considered to mean “or.”
Example: System# autoneg on|off
The vertical bar can also be used to separate different selections within a window-based menu bar.
Example: Select Edit | Copy from the window’s menu bar.
<Key>: non-alphanumeric keyboard items are shown in regular type inside brackets. When directed, press the appropriate key. Do not type the brackets.
Example: Press the <Enter> key.
How to get help
This section explains how to get help for Nortel products and services.
Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel Technical Support web site at www.nortel.com/support.
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Using the Nortel Technical Support web site enables you to do the following:
download technical information, including the following items:
software
documentation
product bulletins
search the Technical Support web site and the Nortel Knowledge Base for answers to technical questions
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases
Getting help over the telephone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support web site, you can get help over the telephone from a Nortel Solutions Center. You must have a Nortel support contract to use the Nortel Solutions Center.
To reach a Nortel Solutions Center, do one of the following:
In North America, call 1–800–4NORTEL (1–800–466–7835).
Outside North America, go to the following web site to obtain the telephone number for your region: www.nortel.com/callus.
Using an Express Routing Code to get help from a specialist
You can find Express Routing Codes (ERCs) for many Nortel products and services on the Nortel Technical Support web site. ERCs allow you to connect directly to service and support organizations based on specific products or services.
To locate the ERC for your product or service, go to www.nortel.com/erc.
Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Part 1: Getting started
This section discusses basic firewall functions, Nortel Switched Firewall components, and features. The following topics are included in this section:
New features and basic functions
Initial setup
DHCP Relay and OSPF
Layer 2 and Layer 3 firewall
Redundant firewalls
Firewall applications
System management
Software upgrade
CHAPTER 1
Introduction
The Nortel Switched Firewall is a combination of dedicated hardware and software: a hardened OS, security applications, and networking technology. It addresses the needs for security, performance and ease of use.
The software is a combination of NSF Single System Image (SSI) software and the Firewall-1® NGX software from Check Point™.
The following topics are covered in this chapter:
Feature summary on page 22
Nortel Switched Firewall basics on page 25
Feature summary
The Nortel Switched Firewall (NSF) is a high-performance firewall system for network security. The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability.
What’s new in NSF 2.3.3?
The following features have been added to the Nortel Switched Firewall Release 2.3.3 since the last major release:
Software support
Supports Check Point™ FireWall-1® NGX with Application Intelligence R60 and Hotfix Accumulator 14 (HFA_14) software.
Reliability and redundancy
Nortel Switched Firewall Series 5100 Release 2.3.3 provides the following reliability and redundancy enhancements:
SecurID configuration
Management
Nortel Switched Firewall Series 5100 Release 2.3.3 provides the following management enhancements:
Smart Portal web-based management tool
Smart Portal is a web-based management tool that provides a centralized view of security policies, network and security activity status, and administrator information. Access to the SmartCenter through Smart Portal also extends the visibility of security policies to groups outside the IT security team and enables collaborative management by SmartCenter administrators.
Usability enhancements
Nortel Switched Firewall Series 5100 release 2.3.3 provides the following usability enhancements:
Monitor history and current information from CLI
Current statistics and history are available for the following parameters:
CPU use
memory use
disk use
session statistics
throughput statistics
Current statistics and historical data are available from the CLI using the following commands:
/info/monitor/curdata for current data
/info/monitor/histdata for historical data, based on the time interval specified by the user
Current statistics and historical data are also available from the tsdump utility. The following files can be retrieved from the system log files using the tsdump utility:
/var/tmp/history.log* for CPU, memory, connections, and rate data
/var/tmp/hdusage.log* for hard disk usage
/var/log/sa/sar* for throughput information. TIP: sar27 represents the throughput information taken on the 27th day of the current month.
NOTE: Only the history information of the current day is provided by /info/monitor/histdata.
Supported hardware
Table 2 shows the model numbers of the hardware platforms supported for NSF 2.3.3. The platforms differ with respect to hardware features and performance, but in all other operational aspects (software, certification, system management, logging and monitoring) the platforms are the same.
Table 2 Nortel Switched Firewall 5100 Series Hardware Platforms (Model; Supported Ports; RAM)
5111-NE1: two embedded 10/100/1000 Mbps copper Ethernet ports; one quad copper Ethernet (four 10/100/1000 Mbps copper Ethernet ports). RAM: 512 MB
5114-NE1: two embedded 10/100/1000 Mbps copper Ethernet ports; one dual fiber Ethernet (two 1000 Mbps fiber Ethernet ports). RAM: 1.0 GB
5106: two embedded 10/100 Mbps Ethernet ports; one dual copper Ethernet (two 10/100/1000 Mbps ports). RAM: 512 MB
5109: two embedded 10/100/1000 Mbps copper Ethernet ports; one quad copper Ethernet (four 10/100 Mbps copper Ethernet ports). RAM: 512 MB
5114: two embedded 10/100/1000 Mbps copper Ethernet ports; one dual fiber Ethernet (two 1000Base-SX multimode fiber ports with LC type connectors). RAM: 1.0 GB
Performance
Table 3 compares the throughput, concurrent sessions, and new connections per second of each 5100 Series model.
Table 3 Nortel Switched Firewall 5100 Series Hardware Performance (Model; Throughput; Concurrent Sessions; New Connections per Second)
5114-NE1: 1,600 Mbps; 500,000; 4,000
5111-NE1: 1,000 Mbps; 300,000; 4,000
5114: 1,600 Mbps; 500,000; 4,000
5109: 1,000 Mbps; 300,000; 4,000
5106: 300 Mbps; 250,000; 3,200–3,600
Nortel Switched Firewall basics
Network Elements
The following diagram shows a basic network using the Nortel Switched Firewall.
Figure 1 Nortel Switched Firewall network elements (diagram not reproduced here; it shows the Internet as the untrusted network, the Nortel Switched Firewall with Check Point SmartCenter Server, the NSF local console, an NSF remote console/Check Point SMART Clients, the intranet as the trusted network, and a semi-trusted network (DMZ))
The networks
Trusted networks
These represent internal network resources that must be protected from unauthorized access. Trusted networks usually provide internal services such as a company’s intranet, as well as valued applications made available to external clients, such as public e-commerce web sites.
Semi-trusted networks
To increase security, services intended primarily for external clients are often placed on a separate network so that a hostile intrusion would not affect the company’s internal networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ). For more information, see your Check Point documentation.
Untrusted networks
These are the external networks that are presumed to be potentially hostile, such as the Internet.
The Firewall
Nortel Switched Firewall
The Nortel Switched Firewall is placed in the path between your various trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator.
The management interfaces
NSF local console
A local console is used for entering basic network information during initial configuration. Once the system is configured, the local console can be used to access the text-based Command Line Interface (CLI) for collecting system information and performing additional configuration. The NSF console is not used to manage or install firewall policies.
NSF remote console/Check Point SMART Clients
For the trusted sources defined in the remote access list, the administrator can separately allow or deny Telnet or Secure Shell (SSH) access to the NSF CLI, and HTTP or SSL access to the NSF Browser-Based Interface. Remote access features can be used for collecting system information and performing additional configuration, but not to manage or install firewall policies. Telnet and HTTP carry administrator credentials and session contents in cleartext; prefer SSH and SSL for remote administration and leave the cleartext services disabled unless the management network is isolated.
Check Point SMART Client software, such as the SmartDashboard, can be installed on one or more administrator workstations on your network. This software usually provides a graphical user interface for creating, modifying, and monitoring firewall policies. For security, SMART Clients do not interact directly with the firewalls. Instead, any policy changes made in a SMART Client are forwarded to the SmartCenter Server, which then loads them onto the firewalls. For convenience, a SMART Client can be installed on the management station running the SmartCenter Server (see the Note below).
Check Point SmartCenter Server management station
The management station running the SmartCenter Server holds the master policy database for all the firewalls in your network. Its job is to establish Secure Internal Communications (SIC) with each valid firewall and load the firewall with the appropriate security policies. The SmartCenter Server may be enabled on the firewall in the CLI setup utility.
NOTE: If you have a second firewall in the cluster to implement an active-standby (high availability) or active-active firewall configuration, you must install the SmartCenter Server on a management station. In this case do not enable the SmartCenter Server on the firewall when prompted in Step 12 of the initial setup routine, which starts on page 37.
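The remote-access gating described under "NSF remote console/Check Point SMART Clients" (a management service is reachable only when it is enabled and the client's source address is covered by the remote access list) as a small model that a reviewer can run against a planned configuration. This is an added example, not Nortel's code and not the Switched Firewall's actual decision logic; the service names, the assumption that an access list entry is an IPv4 network, and the addresses used in the test are constructed for illustration.

```python
"""Model of the NSF remote-management access decision.

Added example, not Nortel code: the real check is done by the Switched
Firewall. Assumed model: an access list of IPv4 networks plus per-service
enable flags; a service is reachable only when it is enabled AND the
client source falls inside an access-list entry. Service names, networks
and addresses are constructed for illustration.
"""
import ipaddress

KNOWN_SERVICES = {"telnet", "ssh", "http", "ssl"}
# Telnet and HTTP send the administrator's credentials unencrypted.
CLEARTEXT_SERVICES = {"telnet", "http"}


class RemoteAccessPolicy:
    def __init__(self, access_list, enabled_services):
        # strict=False lets an operator write a host-style entry like 10.1.1.5/24.
        self.networks = [ipaddress.ip_network(n, strict=False) for n in access_list]
        unknown = set(enabled_services) - KNOWN_SERVICES
        if unknown:
            raise ValueError(f"unknown services: {sorted(unknown)}")
        self.enabled = set(enabled_services)

    def source_is_listed(self, src):
        """True when src falls inside any access-list entry."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.networks)

    def allows(self, src, service):
        """Both conditions must hold: the service is enabled and the source is listed."""
        return service in self.enabled and self.source_is_listed(src)

    def findings(self):
        """Configuration weaknesses a reviewer would flag before go-live."""
        out = []
        for svc in sorted(self.enabled & CLEARTEXT_SERVICES):
            out.append(f"{svc} enabled: credentials cross the wire in cleartext")
        for net in self.networks:
            if net.prefixlen == 0:
                out.append(f"access list entry {net} admits every source address")
        return out


def audit(policy, attempts):
    """Evaluate (source, service) attempts; return the ones the policy lets through."""
    return [(src, svc) for src, svc in attempts if policy.allows(src, svc)]


if __name__ == "__main__":
    pol = RemoteAccessPolicy(["10.10.1.0/24"], ["ssh", "ssl"])
    for hit in audit(pol, [("10.10.1.20", "ssh"), ("10.10.1.20", "telnet"),
                           ("10.10.2.20", "ssl")]):
        print("allowed:", hit)
    for f in RemoteAccessPolicy(["0.0.0.0/0"], ["telnet", "http", "ssh"]).findings():
        print("finding:", f)
```

The point of `findings()` is the second half of the guide's advice: an access list that admits 0.0.0.0/0 turns the per-service switches into the only control, so a cleartext service enabled behind it is exposed to anyone who can sniff or reach the management path.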
CHAPTER 2
Initial setup
This chapter describes how to perform initial setup for a single Firewall configuration. A basic configuration is performed on a Nortel Switched Firewall that allows remote access by Telnet or SMART Client. Then the Check Point management tools are installed on a workstation.
The information in this chapter is based on the assumption that you installed the Nortel Switched Firewall Series 5100 hardware as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D), including mounting the components, attaching network cables, turning on power, and connecting a console terminal.
The following topics are discussed in this chapter:
Basic requirements on page 30
Example network on page 31
Setting up the basic configuration on page 37
Allowing SMART Client access to the Firewall on page 47
Editing the Windows hosts file on page 48
Installing Check Point management tools on page 48
VLAN tags on page 84
VLAN tagging allows the Switched Firewall to forward VLAN tagged packets to the appropriate workgroup.
Basic requirements
The following are needed before you configure the Nortel Switched Firewall:
Firewall hardware must be installed as described in the Nortel Switched Firewall 5100
Series Hardware Installation Guide (216382-D). Installation includes mounting the
components, attaching network cables, turning on power, and connecting a console
terminal.
A Check Point license must exist for the Firewall.
One subnet must be assigned for internal Nortel Switched Firewall use. This subnet must
consist of the following IP addresses:
one Management IP (MIP) address
an IP address for the Firewall host
NOTE: The highest IP address and lowest IP address in the subnet range are reserved for broadcasts and should not be assigned to specific devices.
A list of subnets that will be statically configured on the firewall for internal networks,
plus the IP address of the internal router that handles routes for these networks.
The IP address of the default gateway for data moving through the firewall to the Internet.
An IP address reserved for the Firewall on each trusted, untrusted, and semi-trusted subnet
that will connect directly to the Firewall.
A SmartCenter Server and SMART Client on one of the networks attached to the Firewall.
You can install the SmartCenter Server on the Switched Firewall or on a remote
management station (Note – If you have two Switched Firewalls in the cluster, you must
implement the SmartCenter Server on the management station). You can install the
SMART Client on the same machine as the SmartCenter Server, or on a separate machine
that can be reached from the SmartCenter Server.
NOTE: This release of the Switched Firewall supports Check Point VPN-1 and FireWall-1 NGX with Application Intelligence (R60) and Hotfix Accumulator 14 (HFA_14) software.
Nortel Switched Firewall installed running Firewall OS version 2.3.3 or higher.
NOTE: Before upgrading the software on the Firewall, you must perform the initial setup procedures as explained in this chapter. Once initial setup is complete, see Chapter 8, Upgrading and reinstalling the software, on page 229 for more information.
Example network
The example network in Figure 2 illustrates the procedure that is described in this chapter. Once the network information is collected, you can use the Setup utility to begin basic system configuration as described in Setting up the basic configuration on page 37.
Figure 2 Example Network
The components used to create the example network are described in the following sections.
Firewall management network
The management network is configured automatically when you perform the procedure in Setting up the basic configuration on page 37.
NOTE: The management network port is for administrative purposes such as the Browser-Based Interface, Telnet, SSH and the Check Point management tools such as the SmartCenter Server and the SMART Client (see Installing Check Point management tools on page 48).
The Host IP address in the example network is 192.168.1.2 and the Management IP (MIP)
address is 192.168.1.1.
[Figure 2 shows the example network: the Internet reaches the upstream router, whose inside interface is 172.25.3.23. The NSF (5106, 5109, 5114, 5111-NE1, or 5114-NE1) connects the Untrusted Network on Interface 2 (IP 172.25.3.10, port 4, eth3) to the Trusted Network 10.3.0.0/16 on Interface 1 (IP 10.3.0.1, port 3, eth2); hosts on the Trusted Network use 10.3.0.1 as their gateway, and the firewall uses 172.25.3.23 as its gateway. The Management Network on port 1 (eth0) carries the Host IP 192.168.1.2, the MIP 192.168.1.1, and the Check Point SmartCenter Server and SMART Client at 192.168.1.3.]
The management network port in Figure 2 is configured on port 1.
NOTE: The MIP address supports firewall clustering with a redundant firewall in a high-availability (active-standby) or active-active failover configuration. For more information, see Chapter 5, Redundant Firewalls on page 117. Though you may have only one firewall in your system, you must still configure the MIP address.
NOTE: To provide a secure remote access path for a secondary SmartCenter Server or SMART Client, you can configure it on the Trusted Network.
SmartCenter Server
You can install the SmartCenter Server on the firewall host or on a Check Point management station. In this example, it is implemented on a Check Point management station. The Check Point management station IP address is 192.168.1.3.
Management of non-NGX modules—for example, NG AI, NG AI R55W, and Edge modules— is not supported by the SmartCenter server configuration.
NOTE: If you have a second firewall in the cluster to implement a high-availability or active-active firewall configuration, you must install the SmartCenter Server on a management station. If this is your situation, do not enable the SmartCenter Server on the firewall when prompted in Step 12 of the initial setup routine which starts on page 37.
Smart Portal
Smart Portal is a web-based management tool that is available only when the Firewall is configured as a SmartCenter Server.
Smart Portal provides a read-only, centralized view of the following:
security policies
network and security activity status
administrator information
The web-based access to SmartCenter extends the visibility of security policies to groups outside the IT security team and enables collaborative management of SmartCenter administrators.
The following figure illustrates the Check Point window with Smart Portal option and user authentication.
Figure 3 Check Point Gateway with Smart Portal option
To register the Smart Portal user name and password, do the following:
1. From the Manage menu, select Users and Administrators as illustrated in Figure 4:
Figure 4 Check Point/Users and Administrators/Administrator Properties/General
NOTE: Add a new administrator for Smart Portal.
2. Select the Admin Auth tab as illustrated in Figure 5:
Figure 5 Administrator Properties - smart_portal
3. Click New.
4. Type the login name in the Login entry field.
5. Type password in the Password field and confirm.
6. Click OK.
7. Apply the necessary policies to allow remote users to log in through Smart Portal.
8. Open a web browser and log into the Smart Portal site with the SmartCenter Server IP
address—for example, https://10.10.1.3:4433.
NOTE: Smart Portal uses the default port number of 4433. To use a different port number for Smart Portal, see /cfg/fw/portal/ on page 362.
9. Type the registered login name and password as illustrated in the following figure:
Figure 6 Check Point SmartPortal login page
Trusted network
The IP address range of the Trusted Network is 10.3.0.0/16.
The trusted network connects to port 3, Interface 1 (NSF 5109 port 3, Interface 1). The
Interface address is 10.3.0.1.
Untrusted network (Internet)
The IP address of the Firewall default gateway is 172.25.3.23. This is the internal interface
of the upstream router.
The untrusted network connects to port 4, Interface 2 (NSF 5109 port 4, Interface 2). The
Interface address is 172.25.3.10.
Setting up the basic configuration
The console connection is used to access the Nortel Switched Firewall for performing the initial configuration.
1. Connect the console cable and start a console terminal.
Connect the included console cable between the serial port on the Firewall to the serial port of a computer with terminal emulation software as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D).
Press <Enter> on the console terminal to establish the connection. The Nortel Switched Firewall login prompt will appear. Enter the default login name (admin) and the default password (admin). If the Nortel Switched Firewall is set to factory defaults, a special Setup utility menu appears.
Use the clone command to restore the full configuration of a previous setup. The new firewall is a clone of the original and can replace the original firewall in the network setup. For more information about cloning, see Appendix B, Backing Up and Cloning Configurations on page 385.
2. Select a “new” installation.
login: admin
Password: admin (not displayed)
Switched Firewall HW platform: NSF 5114
Software version 2.3.3.0_R60
------------------------------------------------------------
[Setup Menu]
clone - Clone the configuration
join  - Join an existing SFD cluster
new   - Initialize host as a new installation
boot  - Boot Menu
info  - Information menu
exit  - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration of the iSD.
3. Enter the port number to be used for the management network.
4. Enter the host IP address for this Firewall:
NOTE: The IP addresses shown here and in the following steps are taken from the example network on page 31. Enter information for your specific network configuration.
5. Enter the network mask for the entire subnet:
In this example, the network spans 192.168.1.0/24.
6. Enter the VLAN tag ID information.
Specify a VLAN tag ID for SSI (management) traffic.
NOTE: NSF 2.3.3 does not support multiple interfaces on the SSI management port.
7. Enter the Management IP (MIP) address information.
This address must be in the same subnet as the firewall IP address specified in Step 4.
Enter port number for the management network [1-4]*: 1
Enter IP address for this machine: 192.168.1.2
Enter network mask [255.255.255.0]:
Enter VLAN tag id (or zero for no VLAN) [0]:0
Enter the Management IP (MIP) address: 192.168.1.1
Making sure the MIP does not exist...ok
8. Set your time zone by selecting continent or ocean, then country, then region.
For example:
Timezone setting
 1 - Africa
 2 - Americas
 3 - Antarctica
 4 - Arctic Ocean
 5 - Asia
 6 - Atlantic Ocean
 7 - Australia
 8 - Europe
 9 - Indian Ocean
10 - Pacific Ocean
Select a continent or an ocean, or enter a full timezone name: 2
Countries:
 1 - Anguilla             18 - Ecuador              35 - Paraguay
 2 - Antigua & Barbuda    19 - El Salvador          36 - Peru
 3 - Argentina            20 - French Guiana        37 - Puerto Rico
 4 - Aruba                21 - Greenland            38 - St Kitts & Nevis
 5 - Bahamas              22 - Grenada              39 - St Lucia
 6 - Barbados             23 - Guadeloupe           40 - St Pierre & Mique
 7 - Belize               24 - Guatemala            41 - St Vincent
 8 - Bolivia              25 - Guyana               42 - Suriname
 9 - Brazil               26 - Haiti                43 - Trinidad & Tobago
10 - Canada               27 - Honduras             44 - Turks & Caicos Is
11 - Cayman Islands       28 - Jamaica              45 - United States
12 - Chile                29 - Martinique           46 - Uruguay
13 - Colombia             30 - Mexico               47 - Venezuela
14 - Costa Rica           31 - Montserrat           48 - Virgin Islands (U
15 - Cuba                 32 - Netherlands Antil    49 - Virgin Islands (U
16 - Dominica             33 - Nicaragua
17 - Dominican Republic   34 - Panama
Select a country: 45
Regions:
 1 - Adak                 Aleutian Islands
 2 - Anchorage            Alaska Time
 3 - Boise                Mountain Time - south Idaho & east Oregon
 4 - Chicago              Central Time
 5 - Denver               Mountain Time
 6 - Detroit              Eastern Time - Michigan - most locations
 7 - Honolulu             Hawaii
 8 - Indiana/Knox         Eastern Standard Time - Indiana - Starke County
 9 - Indiana/Marengo      Eastern Standard Time - Indiana - Crawford County
10 - Indiana/Vevay        Eastern Standard Time - Indiana - Switzerland Cnty
11 - Indianapolis         Eastern Standard Time - Indiana - most locations
12 - Juneau               Alaska Time - Alaska panhandle
13 - Kentucky/Monticello  Eastern Time - Kentucky - Wayne County
14 - Los_Angeles          Pacific Time
15 - Louisville           Eastern Time - Kentucky - Louisville area
16 - Menominee            Central Time - Michigan - Wisconsin border
17 - New_York             Eastern Time
18 - Nome                 Alaska Time - west Alaska
19 - North_Dakota/Center  Central Time - North Dakota - Oliver County
20 - Phoenix              Mountain Standard Time - Arizona
21 - Shiprock             Mountain Time - Navajo
22 - Yakutat              Alaska Time - Alaska panhandle neck
Select a region: 17
9. Set the current date and time:
Enter the current date (YYYY-MM-DD) [2004-01-05]: <Enter to accept default>
Enter the current time (HH:MM:SS) [13:14:09]: <Enter>
10. Generate a new Secure Shell (SSH) host key for use in secure remote administration sessions:
Nortel recommends that you generate a new SSH key in order to maintain a high level of security when connecting to the Nortel Switched Firewall using an SSH client.
Generate new SSH host keys (yes/no) [yes]: y
This may take a few seconds...ok
11. Set the new administrator password.
The current default administrator password is admin. Nortel recommends that you change the password.
Enter a password for the "admin" user: <password>
Re-enter to confirm: <password>
12. Choose whether to enable the Check Point SmartCenter Server on the firewall.
Setup gives you the option of configuring your Nortel Switched Firewall with or without a collocated SmartCenter Server. Enabling the SmartCenter Server on the Switched Firewall lets you use the interface without requiring Secure Internal Communications. A second license is also not required for hosting the SmartCenter Server on the management station. However, you may not want to take advantage of this feature if you intend to install a second Switched Firewall in a cluster with this firewall. In that case, you must enter 1 or 3 at the prompt and install the SmartCenter Server on the management station.
See Check Point documentation for more information about Check Point Express.
Select installation type:
1. Check Point Gateway
2. Check Point Gateway and SmartCenter Server
3. Check Point Express Gateway
4. Check Point Express Gateway and SmartCenter Server
Enter your selection: (1/2/3/4) [1]:
NOTE: If you install the SmartCenter Server on the firewall now, but decide later to add a second Switched Firewall to the cluster (to implement an active-standby (high-availability) or active-active firewall configuration), you must reimage your system and repeat Setup to uninstall the SmartCenter Server.
13. If you chose 2 or 4 in Step 12, enter the management server administrative password.
Enter Check Point Primary SmartCenter Server admin password: <password>
Re-enter to confirm: <password>
14. If you chose 1 or 3 in Step 12, you will be prompted to set the Check Point Secure Internal Communication (SIC) one-time password.
Enter Check Point SIC one-time password: <SIC password>
Re-enter to confirm: <SIC password>
The SIC password is required later when you establish Secure Internal Communications between an external Check Point SmartCenter Server and the NSF. Check Point documentation refers to this password as the “Authentication Key” (see page 410).
15. Allow self-configuration to complete.
Once the basic configuration information has been entered, the system begins a phase of self-configuration and initialization. During this phase, a series of messages is displayed. The self-configuration phase is complete when the following message is displayed:
Applying Check Point firewall and SmartCenter Server settings...
Initializing system......ok
Configuring firewall...Done
Setup successful. System will reboot shortly.
After reboot relogin to configure.
login:
Once this Setup process is complete, you will need to log in and configure Check Point licenses as shown in the following section.
16. Install the firewall license.
See Installing the Firewall license on page 43.
17. Configure Network Interfaces and Ports.
See Configuring network interfaces and ports on page 44.
18. (optional) Allow SMART client access to the firewall.
See Allowing SMART Client access to the Firewall on page 47.
This concludes the firewall basic configuration.
You are now ready to proceed with the Check Point management station as described in Installing Check Point management tools on page 48.
Installing the Firewall license
Once the Setup utility has been used for basic system configuration, the Setup menu is no longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:
[Main Menu]
info     - Information Menu
cfg      - Configuration Menu
boot     - Boot Menu
validate - Validate configuration
security - Display security status
maint    - Maintenance Menu
diff     - Show pending config changes [global command]
apply    - Apply pending config changes [global command]
revert   - Revert pending config changes [global command]
paste    - Restore saved config with key [global command]
help     - Show command help [global command]
exit     - Exit [global command, always available]
>> Main#
Use the following CLI commands to install your Check Point licenses on the Firewall host, and configure information about the network.
NOTE: The Switched Firewall ships with a 15-day trial license that auto-installs for a new or join installation. After the trial period ends, a license error appears when you try to push policies to the Switched Firewall. Additionally, each time you log into the SmartCenter server, it displays a notification of how many days are left before the trial period ends.
If local licensing is used, enter Check Point licensing information for the Firewall.
NOTE: If central licensing is used, skip this step. With central licensing, the license is pushed from the Check Point SmartCenter Server in a later step.
The license information will be part of your Check Point package. The license(s) you received from Check Point should be specifically configured for your firewall Host IP address.
Example:
Expiry date: 01jan2005
Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
License string: aBXAVeTWHR-FyxKKcdej-QiiS89a6N-isMP6Ywnn
>> # /cfg/lic/pastelic
List of current hosts:
1: 192.168.1.2
2: 192.168.1.100
Choice: 1
Enter the entire license string :cplic put 192.168.1.2 10Mar2005 auZgS2cQ-wUKedwp5Z-8ZinqozZ3-oM4yzDkid cpmp-eval-1-3des-ng CK-C40DE4D769CE
NOTE: Be sure to enter the information exactly as shown on your specific Check Point license.
Configuring network interfaces and ports
Network interfaces and ports are configured in the following menu:
>> Main# /cfg/net
------------------------------------------------------------
[Network Configuration Menu]
port    - Port Menu
if      - Interface Menu
bridge  - Bridge Configuration Menu
vrrp    - VRRP Settings Menu
gateway - Set default gateway address
routes  - Routes Menu
gre     - GRE Tunnel Menu
ospf    - Open Shortest Path First (OSPF) Menu
parp    - Proxy Arp Menu
dhcprl  - DHCP Relay Menu
The rules for configuring networks and ports are as follows:
The management network interface (not numbered) is reserved for the firewall’s host IP address. The port that you assign to this interface may be used to attach network devices such as a management console, as long as the device is in the same IP network as the firewall’s host IP address.
You can configure one address per interface, with one network address range.
You can assign a port to multiple interfaces (up to 255).
Interfaces on the same port cannot share the same network.
A network device that is connected to an interface should use the interface IP address as
the default gateway. This will direct traffic through the firewall.
NOTE: The general guideline for port assignments is to reserve Gigabit Ethernet ports for firewall traffic and Fast Ethernet ports for management traffic.
The following example refers to the network illustrated in Figure 2 on page 31.
The Switched Firewall management network is configured on port 1. The management network was configured automatically when you ran the setup utility described in Setting up the basic configuration on page 37.
Interface 1 is for trusted (internal) network traffic and resides on port 3.
Interface 2 is for untrusted (external) network traffic and resides on port 4.
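The management-subnet rules from Basic requirements and Step 7 (host IP and MIP in one subnet, top and bottom addresses reserved) and the interface, gateway and access-list rules just listed can be checked on paper before anything is typed into the CLI. The following Python is an added example, not Nortel's code: the `Interface`, `Plan` and `check_plan` names are mine, the values are the guide's example network, and the untrusted subnet 172.25.3.0/24 is inferred from the 24-bit mask given to Interface 2.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class Interface:
    number: int               # id given to /cfg/net/if <n>
    port: int                 # port assigned with the "port" command
    address: IPv4Interface    # addr1 plus mask, e.g. 10.3.0.1/16
    attached: IPv4Network     # the network the cable on that port reaches


@dataclass
class Plan:
    host_ip: IPv4Address      # Setup step 4
    mip: IPv4Address          # Setup step 7
    mgmt_mask: str            # Setup step 5, as typed, e.g. 255.255.255.0
    interfaces: List[Interface]
    gateway: IPv4Address      # /cfg/net/gateway
    access_clients: List[IPv4Interface] = field(default_factory=list)  # /cfg/sys/accesslist


def check_plan(plan: Plan) -> List[str]:
    """Return the rule violations found; an empty list means the plan passes.
    Entries starting with "warning:" are allowed but widen remote access."""
    problems: List[str] = []
    # Management subnet: host IP and MIP share it, and the lowest and
    # highest addresses are reserved for broadcasts.
    mgmt = IPv4Interface(f"{plan.host_ip}/{plan.mgmt_mask}").network
    if plan.mip not in mgmt:
        problems.append(f"MIP {plan.mip} is not in the management subnet {mgmt}")
    if plan.mip == plan.host_ip:
        problems.append("MIP and host IP must be different addresses")
    for label, addr in (("host IP", plan.host_ip), ("MIP", plan.mip)):
        if addr in (mgmt.network_address, mgmt.broadcast_address):
            problems.append(f"{label} {addr} is a reserved address of {mgmt}")
    # Interfaces: the address must lie inside the attached network, and
    # two interfaces on the same port may not share a network.
    seen: Dict[Tuple[int, IPv4Network], int] = {}
    for itf in plan.interfaces:
        if itf.address.ip not in itf.attached:
            problems.append(f"interface {itf.number} address {itf.address} "
                            f"is outside the attached network {itf.attached}")
        key = (itf.port, itf.address.network)
        if key in seen:
            problems.append(f"interfaces {seen[key]} and {itf.number} on port "
                            f"{itf.port} share network {itf.address.network}")
        seen[key] = itf.number
    # Default gateway: the next hop must sit on the subnet of some interface,
    # as Interface 2 does with the router's inside address in the guide.
    if not any(plan.gateway in itf.address.network for itf in plan.interfaces):
        problems.append(f"gateway {plan.gateway} is not on any interface subnet")
    # Access list: a 32-bit mask limits Telnet/BBI/SSH access to one client.
    for client in plan.access_clients:
        if client.network.prefixlen != 32:
            problems.append(f"warning: access-list entry {client} admits a "
                            f"whole range, not a single client")
    return problems


def example_plan() -> Plan:
    """The guide's example network (Figure 2) entered as a plan."""
    return Plan(
        host_ip=IPv4Address("192.168.1.2"), mip=IPv4Address("192.168.1.1"),
        mgmt_mask="255.255.255.0",
        interfaces=[
            Interface(1, 3, IPv4Interface("10.3.0.1/16"), IPv4Network("10.3.0.0/16")),
            # untrusted subnet inferred from "mask 24" on Interface 2
            Interface(2, 4, IPv4Interface("172.25.3.10/24"), IPv4Network("172.25.3.0/24")),
        ],
        gateway=IPv4Address("172.25.3.23"),
        access_clients=[IPv4Interface("10.3.0.2/32")],
    )


def broken_plan() -> Plan:
    """A constructed plan (not from the guide) that breaks one rule of each kind."""
    return Plan(
        host_ip=IPv4Address("192.168.1.2"),
        mip=IPv4Address("192.168.1.255"),          # the reserved broadcast address
        mgmt_mask="255.255.255.0",
        interfaces=[
            Interface(1, 3, IPv4Interface("10.3.0.1/16"), IPv4Network("10.3.0.0/16")),
            Interface(2, 3, IPv4Interface("10.3.0.5/16"), IPv4Network("10.3.0.0/16")),   # same port and net as 1
            Interface(3, 4, IPv4Interface("172.25.3.10/24"), IPv4Network("172.25.4.0/24")),  # wrong subnet
        ],
        gateway=IPv4Address("172.25.9.23"),         # on no interface subnet
        access_clients=[IPv4Interface("10.3.0.0/24")],  # a whole range, not one host
    )
```

Run `check_plan(example_plan())` to confirm the guide's values pass, and `check_plan(broken_plan())` to see each rule's message.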
1. (Optional) Reset the firewall to factory defaults.
If you are configuring the Switched Firewall for the first time, the unit is already set to factory defaults. Therefore you may skip this step. However, if you wish to override the previous configuration, then you should perform the following steps:
a. Enter /boot/delete to reset the Switched Firewall to the factory default.
b. Reboot the machine.
c. Perform the initial setup procedure (see Setting up the basic configuration on page 37).
2. Configure the ports and interfaces for the attached networks.
NOTE: The port/interface assignments in the following commands refer to the Example Network in Figure 2 on page 31.
Nortel recommends that you assign a descriptive name to each port so that it is easier to remember which port is assigned to a particular interface.
When configuring interfaces, make sure that each interface IP address is within the same subnet as the network to which it is connected.
>> Main# /cfg/net/port 3            (Select the Port 3 Menu)
>> Port 3# name if_1                (Name this port for Interface 1)
>> Port 3# apply                    (Apply the setting to the port)
>> Port 3# /cfg/net/if 1            (Select the Network Interface 1 Menu)
>> Interface 1# addr1 10.3.0.1      (Set IP interface to Trusted Network)
>> Interface 1# mask 16             (Set 16-bit Subnet mask)
>> Interface 1# port 3              (Assign this interface to port 3)
>> Interface 1# ena                 (Enable Interface 1)
>> /cfg/net/port 4                  (Select the Port 4 Menu)
>> Port 4# name if_2                (Name this port for Interface 2)
>> Port 4# apply                    (Apply the setting to the port)
>> Port 4# /cfg/net/if 2            (Select the Network Interface 2 Menu)
>> Interface 2# addr1 172.25.3.10   (Set IP interface to Untrusted network)
>> Interface 2# mask 24             (Set 24-bit Subnet mask)
>> Interface 2# port 4              (Assign this interface to port 4)
>> Interface 2# ena                 (Enable Interface 2)
3. Configure a default gateway or static route for the external networks.
Traffic headed to the Internet needs to be directed to its next hop. In this example, a default gateway is used. The default gateway address is the same address as the router’s internal IP interface. Note that Interface 2 was configured to be on the same subnet as the default gateway:
>> /cfg/net/gateway 172.25.3.23     (Set gateway IP address)
>> Gateway Settings# apply          (Enable the gateway)
4. Allow a client workstation remote access to the Firewall.
In this step, you add the IP address of a client for remote management access such as Telnet, Browser-Based Interface, or SSH (but not for SmartCenter Servers or SMART Clients). Entering a 32-bit mask limits access only to that particular IP address.
>> /cfg/sys/accesslist              (Select the Access List menu)
>> Access List# add 10.3.0.2        (Enter IP address of remote client)
Enter netmask: 255.255.255.255      (Limit access only to client)
5. Apply the configuration changes:
>> Access List# apply
This command applies the configuration changes on the Firewall.
6. Verify the interfaces are correctly configured:
>> Access List# /info/net/if
Interface Information
Id  Port  VLAN  Address          Status
==  ====  ====  =======          ======
1   3     0     10.3.0.1/16      Enabled
2   4     0     172.25.3.10/24   Enabled
Allowing SMART Client access to the Firewall
The following procedure gives firewall access to a Check Point SMART Client when the SmartCenter Server is enabled on the firewall.
1. At the firewall CLI, log in as admin and enter the following commands:
>> /cfg/fw/client/add 192.168.1.3   <Network Example SMART Client IP address>
>> apply
The command /cfg/fw/client/add adds a new member to the list of SMART Clients that can manage the firewall. SMART Clients interface directly with the Check Point SmartCenter Server, which interfaces with the firewall. SMART Clients can be implemented on a separate workstation or on the same workstation as the SmartCenter Server. For other commands that allow you to delete members or reorder the list, see /cfg/fw/client on page 363.
2. Enter the following commands to allow traffic between the Firewall and recently added SMART Clients.
>> Main# apply
>> Main# /cfg/fw/dis
>> Firewall Configuration# apply
>> Firewall Configuration# /cfg/fw/ena
>> Firewall Configuration# apply
Allow several minutes for Firewall-1 services to stop before entering /cfg/fw/ena.
3. Launch the Check Point SmartDashboard to connect to the SmartCenter Server.
Installing Check Point management tools
The Nortel Switched Firewall uses standard Check Point software tools to install, maintain, and monitor firewall policies. The following Check Point tools are required to be installed on appropriate administrator workstations in your network:
Check Point SmartCenter Server—The SmartCenter Server is the central database for
your Switched Firewall system. The SmartCenter Server establishes secure communications with your firewalls, stores firewall policies, and uploads the policies to the firewalls as necessary. The SmartCenter Server may be enabled on the firewall during initial setup (see page 41).
Check Point SMART Clients—SMART Clients interface with the SmartCenter Server to
provide a graphical user-interface for creating, editing, updating, and monitoring firewall security policies. The SMART Client software can be installed on administrative workstations in your network or on the same workstation as the SmartCenter Server.
NOTE: If you have already enabled the SmartCenter Server in the initial setup (Step 12 on page 41), or if you have installed an appropriate SmartCenter Server and SmartDashboard on workstations in your network, proceed to Defining a Firewall Object in the SmartDashboard on page 58.
Editing the Windows hosts file
The Windows hosts file should be edited to include the firewall information. This step allows the Check Point management station to recognize the firewall IP address and name. Nortel recommends that you edit the hosts file before you install the Check Point management station software.
Edit the c:\winnt\system32\drivers\etc\hosts file on the Check Point SmartCenter Server and add one line with the Firewall IP address and name. For example, to associate the Firewall “isd1” with its host IP address, enter the following:
192.168.1.2 isd1
Installing Check Point SmartCenter Server and SmartConsole
This procedure outlines how to install the Check Point management tools (SmartCenter Server and SmartConsole) for VPN-1 Pro NGX with Application Intelligence (R60).
Before you begin installation, make sure your management station meets or exceeds the minimum requirements listed below:
Operating System: Refer to the Check Point Release Notes at http://www.checkpoint.com
Processor: Intel Pentium II 300 MHz or better
Disk space: 40 MB
Memory: 256 MB
Check Point Management Suite software (R60)
Access to the management network on the Firewall
The following procedure describes the installation on a Windows management station:
1. Launch the Check Point Management Suite setup program on the management station.
The installation program begins with the screen prompt in Figure 7.
Figure 7 Check Point installation start page
2. Click Next to continue the installation.
3. Select the license agreement option.
4. Click Next (see Figure 8).
Figure 8 Check Point installation accept terms page
5. Click I accept the terms of the license agreement.
You may choose either Check Point Enterprise/Pro or Check Point Express, but be sure you match the selection you made in Step 12 on page 41 during the initial setup procedure for the firewall host. For a description of the Check Point Enterprise/Pro and Express features, go to http://www.checkpoint.com/products/smartcenter/index.html.
6. After choosing the installation option (see Figure 9), click Next.
Figure 9 Check Point installation choices page
7. When prompted, select New Installation, then click Next (see Figure 10).
Figure 10 Check Point Installation type page
8. When prompted, select SmartCenter (optional) and SmartConsole, then click Next (see Figure 11).
Figure 11 Check Point three-tier architecture page
Check SmartCenter if you selected 1 or 3 in Step 12 on page 41; do not check SmartCenter if you selected 2 or 4. The SmartConsole selection includes all of the GUI Client tools you need for the SMART Client that administers the Check Point features on the firewall.
NOTE: You can have multiple SMART Clients by installing the SmartConsole components on additional workstations separate from the primary management workstation. For these instances, do not select SmartCenter.
9. When prompted, select Primary SmartCenter, then click Next (see Figure 12).
Figure 12 Check Point SmartCenter type selection page
NOTE: This screen appears only if you checked the SmartCenter box in Step 8 on page 51.
10. The Information screen confirms the product choices you have made. If these are correct, click Next (see Figure 13).
Figure 13 Check Point information page
At this point, the program installs the SVN Foundation software (standard), SmartCenter (if selected) and SmartConsole components. The installation status is displayed in the Installation Status box (see Figure 14).
Figure 14 Installation Status window
11. When prompted, click Next to continue (see Figure 15).
Figure 15 Check Point VPN-1 Pro NGX R60 installation page
12. When prompted, click Next to continue (see Figure 16).
Figure 16 Check Point SmartConsole NGX R60 installation page
13. When prompted, specify the SmartConsole components to be installed (see Figure 17).
Figure 17 Check Point SmartConsole component installation page
Check Point Enterprise/Pro preselects all of the SmartConsole components. Check Point Express preselects the top four components. See Step 1 on page 49.
NOTE: Backward compatibility is a standard feature installed in the background.
14. When prompted, click the Add… button (see Figure 18).
Figure 18 Administrator’s Permissions page
15. Enter the login information for SmartCenter administrators (see Figure 19).
Figure 19 Add Administrator page
16. Click OK.
17. Click Next.
18. When prompted, add any remote GUI Clients—also known as SMART Clients (see Figure 20).
Figure 20 GUI Clients page
19. Enter localhost, or the host IP address if the GUI client is on the same host as the SmartCenter Server.
20. Specify the DNS hostname or IP address of other management clients to interface with this management station.
21. Click Next to continue.
22. Initialize the Internal Certificate Authority (ICA).
This creates a Secure Internal Communication (SIC) certificate for the Management Server to use when authenticating communications between Check Point components.
23. Enter a name for the CA and press <Enter>.
When the Internal CA Status changes to Initialized, click Next (see Figure 21).
Figure 21 Certificate Authority page
24. Record the SmartCenter Server fingerprint by clicking Export to file… (see Figure 22).
Figure 22 SmartCenter fingerprint page
As a security measure, this fingerprint is required in a subsequent step to ensure that no one can impersonate the administrator.
25. Click Finish to continue.
26. When prompted, reboot the management station (see Figure 23).
Figure 23 Check Point setup complete page
Once the station is rebooted, installation of the SmartCenter Server and SmartConsole are complete.
27. Use the SmartDashboard to define a firewall object.
See Defining a Firewall Object in the SmartDashboard on page 58.
28. Create a firewall policy test rule.
See Creating a Firewall policy test rule on page 64.
29. Install firewall security rules.
See Creating and installing Firewall security rules on page 66.
This concludes installing and configuring the Management station tools.
Defining a Firewall Object in the SmartDashboard
1. Launch the SmartDashboard software by clicking Start | Programs | Check Point SmartConsole R60 | SmartDashboard.
2. Log in using an administrator account (see Figure 24).
Figure 24 Check Point log in page
Enter one of the user name/password combinations configured during the installation of the Management Server tools during Step 14 on page 55. Also specify the IP address of the SmartCenter Server and click OK.
NOTE: Be sure you have added this IP address in the client access list to allow SMART Client access to the firewall (see Step 1 on page 47).
3. Verify the Check Point fingerprint.
At this point, the SmartDashboard will contact the Management Server. Since this is the first contact, you will be prompted to verify the current fingerprint (see Figure 25).
Figure 25 Check Point fingerprint page
Click Approve to verify that the fingerprint is the same as the one obtained during installation of the Management Server tools during Step 24 on page 57.
4. Create a new Gateway object to represent the newly installed Firewall.
From the SmartDashboard Network Objects pane, right-click the Check Point object, then New Check Point | VPN-1 Pro/Express Gateway… Select Classic Mode when the Check Point installed Gateway creation window appears (see Figure 26).
Figure 26 Check Point installed gateway creation page
5. Define the Firewall object parameters (see Figure 27).
Figure 27 Check Point gateway general properties page
Enter the following information:
Name: If this is a Windows machine, use the name you specified in Editing the Windows hosts file on page 48. Otherwise, type a name (for example, isd1).
IP Address: The address of the newly installed Firewall. In our example, the address is 192.168.1.2.
Version: Select NGX R60.
OS: Select an operating system from the list.
Type: Select Check Point product from the list.
Check Point Products list window: Check Firewall.
6. Click the Communication button in the General Properties dialog (see Step 5 on page 58). The Communications dialog box appears (see Figure 28).
Figure 28 Communications page—uninitialized
Enter the Activation Key (the SIC password) and click Initialize. The SmartCenter Server will contact the Firewall and exchange security information. When successful, the dialog box indicates “Trust established”. Click Close (see Figure 29).
Figure 29 Communications page—trust established
7. Get the interfaces for the Firewall object.
Select the Check Point Topology dialog box (see Figure 30). Click Get all members’ topology to retrieve the interfaces you configured on the firewall and the topology information (under the IP Addresses behind interfaces header).
NOTE: The topology information is needed to install Check Point policies on the configured firewall interfaces.
Figure 30 Gateway Cluster Properties—Topology page
8. Click OK to close the Check Point Gateway dialog box.
9. From the SmartDashboard menu bar, select File | Save.
Creating a Firewall policy test rule
At this point in the initial setup, Nortel recommends a test to ensure that the system components are properly configured. For this test, create a policy rule that will allow any and all traffic to pass through the firewall. Later, once the firewall operation is confirmed, you can remove this test policy and create firewall security rules that will restrict undesirable traffic.
From the SmartDashboard menu bar, select Rules | Add Rule | Top (see Figure 31). A new rule will be added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic from any source to any destination will not pass through the firewall.
Figure 31 Check Point SmartDashboard—Standard page
To change the action of the new rule to “accept”, right-click the “drop” action icon and select “accept” as the new action from the pop-up list (see Figure 32).
Figure 32 Check Point SmartDashboard accept page
Also change the Track setting to “log” by right-clicking on the “none” setting and selecting “log” as the new track setting from the pop-up list.
10. Push the policies to the Firewall.
From the menu bar, select Policy | Install. When the Install Policy dialog box appears, select the Firewall object and click OK.
NOTE: If your system has an active-standby (high-availability) or active-active configuration, go to Policy | Global Properties | NAT - Network Address Translation and deselect Automatic ARP configuration before you push policies for the first time. Otherwise the Proxy ARP module will not work properly.
If the Check Point antispoofing feature is not enabled, a warning message will appear. See your Check Point documentation to determine whether antispoofing is necessary for your firewall.
11. If the attempt to push policies fails, click Show Errors… (see Figure 33).
Figure 33 Installation process page—Show Errors
A common cause of errors is an expired license (see Figure 34). If this is the case, update the license on the SmartCenter Server using SmartUpdate and push policies again.
Figure 34 Verification and Installation Errors page
12. Use the SmartView Tracker program to confirm proper operation of the Firewall.
The SmartView Tracker lists all traffic being processed, accepted, dropped, and so on. To confirm that the Nortel Switched Firewall is properly configured, select the SmartView Tracker Active Mode. Use a client station to ping the firewall. If the SmartView Tracker displays an entry for the ping traffic, the configuration is good.
NOTE: The SmartView Tracker is an excellent tool for debugging and enhancing your security rules. See your Check Point documentation for complete details.
13. Use the SmartDashboard to remove the test rule generated in Creating a Firewall policy test rule on page 64.
Creating and installing Firewall security rules
The rules you apply to your security policy will depend on the security needs of your network. In general, you should drop all traffic that is not specifically required. See the Check Point documentation for more information about creating and maintaining effective security policies.
SecurID authentication
NSF 5100 Series Release 2.3.3 supports configuration of the SecurID feature, which provides a two-factor form of centralized authentication and management from the Command Line Interface (CLI) or the Browser-Based Interface (BBI).
For more information about SecurID, see Nortel Switched Firewall Series 5100 Release 2.3.3 Browser-Based Interface User’s Guide, Part number 216383-D.
SecurID requires the following:
token authenticator
password
Token authenticators generate one-time passwords that are synchronized to an RSA ACE/Server. Token authenticators can be either hardware or software.
Hardware tokens are keyring or credit-card-sized devices. Software tokens reside on the PC or device from which the user wants to authenticate.
All tokens generate a random, one-time-use access code that changes at a designated frequency.
A one-time-use code must be validated by the ACE Server in order to authenticate to a protected resource.
Topology of SecurID authentication
Figure 35 illustrates a SecurID authentication on a stand-alone system.
Figure 35 SecurID authentication on a stand-alone system
Following are the configuration details:
iSD1 host IP address = 10.10.1.1
interface 2 (port 2) address1 = 172.25.3.1 for Check Point management station
interface3 (port3) address1 = 10.8.90.200 for external network
interface4 (port4) address1 = 200.200.200.2 for internal network
Check Point management station IP address = 172.25.3.38
RSA ACE server IP address = 200.200.200.9
Server IP address = 200.200.200.10
Client IP address = 10.8.90.205
Figure 36 illustrates a SecurID authentication on a High Availability (HA, active-standby) system.
Figure 36 SecurID authentication on an HA system
Following are the configuration details:
iSD1 host IP address = 10.10.1.1
iSD2 host IP address = 10.10.1.2
Port 1 is used for synchronization
Interface 2 (port 2) address1 = 172.25.3.2
Interface2 (port 2) address2 = 172.25.3.3
Interface2 vrip1 = 172.25.3.1 for Check Point management station
Interface 3 (port 3) address1 = 10.8.90.201
Interface 3 (port 3) address2 = 10.8.90.202
Interface 3 (port 3) vrip1 = 10.9.90.200 for external network
Interface 4 (port 4) address1 = 200.200.200.3
Interface 4 (port 4) address2 = 200.200.200.4
Interface 4 (port 4) vrip1 = 200.200.200.2 for internal network
Check Point management station IP address = 172.25.3.38
RSA ACE server IP address = 200.200.200.9
Server IP address = 200.200.200.10
Client IP address = 10.8.90.205
Configuring RSA authentication manager
Perform the following steps to configure the agent host on the ACE server:
1. Go to Start.
2. Select Program.
3. Select RSA ACE Server.
4. Select Database Administration.
5. Select Host Mode.
6. From the Agent Host menu, select Add Agent Host.
7. From the Add Agent Host dialog box, type in the following information:
name of the agent
network IP address—if the DNS environment is properly configured, the IP address of the agent host device automatically populates the network IP address field.
8. In the Add Agent Host dialog box, make the following selections:
agent type
encryption type
uncheck Node Secret Created
Figure 37 illustrates the Add Agent Host window.
Figure 37 Add Agent Host window
9. Resolve the host name and IP address by editing the hosts file in C:\WINNT\system32\drivers\etc.
Following is an example of host name and IP address resolution:
Network Address   Name
102.54.94.97      rhino.acme.com
38.25.63.10       x.acme.com
127.0.0.1         localhost
200.200.200.2     firewall
The Assign Acting Servers dialog box is depicted in Figure 38.
Figure 38 Assign Acting Servers page
NOTE: All names must be resolved with their IP addresses.
10. From the User menu, select Add User.
11. In the Add User dialog box, enter the following:
user’s name
default login name—TIP: The default login name must be identical to the Check Point user name.
The Add User window is depicted in Figure 39.
Figure 39 Add User page
12. Click Agent Host Activations.
The Agent Hosts Activations window appears.
The Agent Hosts Activations window is depicted in Figure 40.
Figure 40 Agent Hosts Activations window
13. Perform the following steps to create a user group.
From the Group menu, click Add Group.
The Add Group window appears (see Figure 41).
Figure 41 Add Group window
Type the group name.
Select the user name to add to the group.
NOTE: The user group must be identical to the user group specified in Check Point.
14. To activate users, return to the Add Agent Host window.
15. Click User Activations.
The User Activations window appears (see Figure 42).
Figure 42 User Activations window
16. To activate user groups, return to the Add Agent Host window.
17. Click Group Activations.
The Group Activations window appears (see Figure 43).
Figure 43 Group Activations window
18. To import a token, go to the Token menu and import a token range number from the floppy disk.
19. To edit a token, select Edit Token from the Token menu.
20. The Edit Token window appears (see Figure 44).
Figure 44 Edit Token window
21. Edit the imported token.
22. Check the Tokencode Only box for user authentication.
23. To synchronize the Token, perform the following steps:
Click Resynchronize Token.
The Resynchronize Token window appears (see Figure 45).
Figure 45 Resynchronize Token window
In the entry field, type the code displayed on the token.
Click OK.
The Resynchronize Token window re-appears (see Figure 46).
Figure 46 Resynchronize Token window
Type the new code in the entry field.
Click OK.
24. To assign a Token, perform the following steps:
Return to the Add User dialog box.
Click Assign Token to assign a new token to the existing user.
The Select Token dialog box appears (see Figure 47).
Figure 47 Select Token dialog box
Click Select Token from List.
Click OK.
25. To generate a configuration file, perform the following steps:
Open the Agent Host menu.
Click Generate Configuration File to generate the sdconf.rec file.
The Generate Configuration File window appears (see Figure 48).
Figure 48 Generate Configuration File window
Return to the Select Agent Host dialog box.
Select the agent host to generate the configuration file as depicted in Figure 49.
Figure 49 Select Agent Host window
26. Start the RSA ACE server by performing the following steps:
Go to Start.
Select Programs.
Select Settings.
Select Control Panel.
Select RSA ACE Server.
Check the Automatic RSA ACE Server Startup box.
Click Start.
Configuring SecurID on Nortel Switched Firewalls
To configure SecurID on NSF, perform the following steps:
Import the agent configuration file to NSF.
Create the sdopts.rec file.
Importing the agent configuration file to NSF
The generated configuration file is copied to the ace/data folder on the ACE server.
To import the generated file to the /var/ace folder on the Firewall, use the following CLI commands:
CLI command format        Result
/cfg/fw/securid/remote    import SecurID config file from a remote server
/cfg/fw/securid/local     import SecurID config file from a USB memory device or floppy disk
To import the generated file to the /var/ace folder on the Firewall using the Browser-Based Interface, perform the following steps:
1. Select Firewall.
2. Select SecurID.
3. Click Browse.
4. Select the file named sdconf.rec.
5. Click Import to copy the file to the /var/ace folder.
Generating the sdopts.rec file
To generate the sdopts.rec file in the /var/ace folder, use the following CLI command:
/cfg/fw/securid/interface <IP>
To generate the sdopts.rec file in the /var/ace folder using the Browser-Based Interface, perform the following steps:
1. Select Firewall.
2. Select SecurID.
3. Type the IP address of the SecurID interface in the entry field.
TIP: The IP address of the SecurID interface is the address of the interface that the ACE server connects to. In an HA environment, the IP address of the SecurID interface is the address of the virtual IP of the interface.
4. Click Update.
NOTE: If changes are made to the sdconf.rec file, you must restart either the firewalls or the Check Point service. TIP: To stop Check Point, use the command cpstop. To start Check Point, use the command cpstart.
Configuring partner RSA authentication agent
The RSA SecurID authentication is supported by the following three authentication methods on Check Point:
user
client
session
Enabling global SecurID authentication for Firewall clusters or hosts on Check Point
To enable SecurID authentication for Firewall clusters or hosts globally on Check Point, do the following:
1. Go to the SmartDashboard.
2. Select Manage.
3. Select Network Objects.
4. Select Check Point Firewall-1 instance.
5. Click Edit.
6. Select the Authentication tab.
7. Check the SecurID check box.
Enabling SecurID authentication for Check Point FireWall-1 users
To enable SecurID authentication for Check Point FireWall-1 users, perform the following steps:
1. Create a new user group.
2. Create a new user.
3. Add the new user to the new group.
4. From the Authentication tab, select SecurID for the authentication scheme.
The newly created user is authenticated using the ACE server through the Firewalls by user name and passcode from the token card.
Rule base for user authentication with SecurID
The following table is a rule base for user authentication with SecurID.
Rule  Source                  Destination  VPN          Service        Action     Track
1     kevlar@Any              *Any         Any Traffic  Authenticated  User Auth  Log
2     ACE_Server, Cluster_HA  *Any         Any Traffic  Securid        Accept     Log
3     *Any                    *Any         Any Traffic  *Any           Drop       None
Rule 1 challenges users from any location trying to access any service.
Rule 2 is not required if the Firewall is configured to allow outgoing packets as part of the Global Policy Properties.
Rule 3 drops all other packets.
NOTE: The SecurID user name must exist on the web, FTP, or Telnet server.
Rule base for client authentication with SecurID
With client authentication, an administrator can grant access to a specific source. For SecurID users, client authentication permits authentication to the Firewall once, through HTTP or Telnet, then opens any number of connections for any service, while the authentication is valid for any Administrator-defined duration.
When Standard Sign-on is specified, depending on the rule, subsequent connections can be established without re-authentication.
Following is a simple rule set that challenges users by client authentication.
Rule  Source                  Destination  VPN          Service   Action       Track
1     kevlar@Any              *Any         Any Traffic  *Any      Client Auth  Log
2     ACE_Server, Cluster_HA  *Any         Any Traffic  Securid   Accept       Log
3     *Any                    *Any         Any Traffic  *Any      Drop         None
Client authentication is available by opening one of the following:
a Telnet connection to port 259 of the Firewall
an HTTP connection to port 900 of the Firewall
Rule base for session authentication with SecurID
Session authentication can be used to grant access on a per-session basis.
Check Point Firewall-1 session authentication support can be used instead of RSA SecurID. However, use of Firewall-1 session authentication support requires additional client software. If the additional software is loaded on the PC, transparent authentication through the Firewall is available.
The following table is an example of a simple rule set challenging users by session authentication.
Rule  Source                  Destination  VPN          Service        Action        Track
1     kevlar@Any              *Any         Any Traffic  Authenticated  Session Auth  Log
2     ACE_Server, Cluster_HA  *Any         Any Traffic  Securid        Accept        Log
3     *Any                    *Any         Any Traffic  *Any           Drop          None
Users must run the Session Authentication Agent on each PC or workstation that requires access through this rule. With session authentication, passwords can be cached. Authentication for every connection is not required when passwords are cached. TIP: Caching of passwords is not supported for one-time passwords like SecurID.
When SecurID is used, the session Authentication Agent must be configured using the Configuration dialog box depicted in Figure 50.
Figure 50 Authentication Agent Configuration dialog box
VLAN tags
Virtual LAN (VLAN) tags configured on a Switched Firewall interface allow the VLAN-configured hosts on that interface to participate as VLAN members.
This example describes a Switched Firewall configuration that includes VLANs on a DMZ network. Figure 51 shows Internet connectivity through a single gateway on port 4, an internal network on port 1 that uses public addresses, a trusted network that uses public addresses on port 3, and multiple DMZs using private IP addresses on port 2. The DMZs are connected to the Switched Firewall using a single 802.1Q VLAN Tagged Trunk.
The VLANs are used to isolate traffic from different security zones. A Layer 2 switch is configured with port-based VLAN access ports and VLAN Tagged Trunks that uplink to the Switched Firewall. The VLANs map directly to interfaces (which represent subnets) on the Switched Firewall. This allows you to apply policies on a per-VLAN basis. Multiple VLANs can be used on multiple tagged connections up to the number of available interfaces on the Switched Firewall (255). The vlanid (see the Interface Menu on page 328) must match the VLAN tag on the respective VLAN.
NOTE: If the vlanid is 0, VLAN tagging is disabled for that interface.
Figure 51 DMZ network with VLAN tagging
Layer 2 switch configuration
To ensure that each of the DMZ areas is privately and securely connected to the Switched Firewall, the following configuration steps must be taken on the layer 2 switches:
Configure DMZ access ports on the layer 2 switch as members of the corresponding VLAN. In this example, DMZ A is VLAN ID 10; DMZ B is VLAN ID 11. The switch must add a VLAN tag to untagged frames entering the port.
Configure the trunk (uplink) port as a member of each DMZ VLAN and as a tagged trunk port.
Disable any unused ports and filter any tagged traffic on ports that are not VLAN members.
Ensure that auto-learning is disabled on the trunk port and the MAC address of the Switched Firewall is configured on the switch.
If VLANs are configured on the interface, then TAG is always enabled. However, Windows PCs must be tagged if they are connected directly to the interface. Or, you can add an 802.1Q-capable Layer 2 switch between the PC and the firewall.
SmartDashboard configuration
Prior to performing these steps, ensure that the Check Point SmartCenter Server is configured and trust is established between the SmartCenter Server and the firewall host.
You must configure the topology and define interface properties for the firewall. Ensure that the interface (47.133.63.99) facing the Internet is defined as “external.” Make sure that the other networks are defined as “internal”, with addresses behind the gateway defined by the interface IP and netmask. Also, name the networks for use in the SmartDashboard as follows:
10.10.1.0: “NSF-Private”
33.1.1.0: “Intranet”
47.133.63.0: “Internet”
192.168.0.0: “DMZ-1”
192.168.2.0: “DMZ-2”
To create a network object for the public web server in DMZ-1, perform the following steps:
1. Right-click the Network Topology window.
The shortcut menu appears.
2. Select New Network Object > Workstation from the shortcut menu.
3. Type DMZ1-WWW in the name box.
4. Type 192.168.0.1 in the IP address box.
To create a network object for the public web server in DMZ-2, perform the following steps:
1. Right-click the Network Topology window.
The shortcut menu appears.
2. Select New Network Object > Workstation from the shortcut menu.
3. Type DMZ2-WWW in the name box.
4. Type 192.168.2.1 in the IP address box.
The rules required for your application depend on specific application needs.
Switched Firewall configuration
Below is a dump of the Switched Firewall configuration for the example in Figure 51 on page 84:
/cfg
/cfg/sys
/cfg/sys/time tzone "America/Montreal"
/cfg/sys/time/ntp
/cfg/sys/dns
/cfg/sys/cluster mip 10.10.1.10
/cfg/sys/cluster/host 1 ip 10.10.1.6
/cfg/sys/accesslist add 47.0.0.0 255.0.0.0 add 131.149.195.0 255.255.255.0
/cfg/sys/adm idle 10m
/cfg/sys/adm/telnet ena n
/cfg/sys/adm/ssh ena n
/cfg/sys/adm/web
/cfg/sys/adm/web/http port 80 ena y
/cfg/sys/adm/web/ssl port 443 ena n tls y sslv2 y sslv3 y
/cfg/sys/adm/web/ssl/certs
/cfg/sys/adm/web/ssl/certs/serv
/cfg/sys/adm/web/ssl/certs/ca
/cfg/sys/adm/snmp ena n model v2c level auth access d events n alarms n rcomm public
/cfg/sys/adm/snmp/users
/cfg/sys/adm/snmp/hosts
/cfg/sys/adm/snmp/system
/cfg/sys/adm/snmp/adv trapsrcip auto
/cfg/sys/log debug n srcip auto
/cfg/sys/log/syslog
/cfg/sys/log/ela ena n addr 0.0.0.0 sev err
/cfg/sys/log/arch email none smtp 0.0.0.0 int "1, 0" size 0
/cfg/sys/user expire 0
/cfg/net
/cfg/net/port 1 name "Host Port" autoneg on speed 0 mode full
/cfg/net/port 2 name none autoneg on speed 0 mode full
/cfg/net/port 3 name none autoneg on speed 0 mode full
/cfg/net/port 4 name none autoneg on speed 0 mode full
/cfg/net/if 1 addr1 47.133.63.99 addr2 0.0.0.0 mask 255.255.255.0 vlanid 0 port 4 ena y
/cfg/net/if 1/vrrp vrid 1 ip1 0.0.0.0 ip2 0.0.0.0
/cfg/net/if 2 addr1 192.168.0.1 addr2 0.0.0.0 mask 255.255.255.0 vlanid 10 port 2 ena y
/cfg/net/if 2/vrrp vrid 2 ip1 0.0.0.0 ip2 0.0.0.0
/cfg/net/if 3 addr1 192.168.2.1 addr2 0.0.0.0 mask 255.255.255.0 vlanid 11 port 2 ena y
/cfg/net/if 3/vrrp vrid 3 ip1 0.0.0.0 ip2 0.0.0.0
/cfg/net/if 33 addr1 33.1.1.10 addr2 0.0.0.0 mask 255.255.255.0 vlanid 0 port 3 ena y
/cfg/net/if 33/vrrp vrid 3 ip1 0.0.0.0 ip2 0.0.0.0
/cfg/net/vrrp ha n aa n adint 3 garp 1 gbcast 2
/cfg/net/adv
/cfg/net/adv/route gateway 0.0.0.0
/cfg/net/adv/route/ospf rtrid 0.0.0.0 spf "5, 10" ena n
/cfg/net/adv/route/ospf/if 1 aindex 0 prio none cost none hello 10 dead 40 trans 1 retra 5 auth none md5key "1, " ena n
(Identical /cfg/../../../ospf configurations for if 1, 2, 3, 33)
/cfg/net/adv/route/routes
/cfg/net/adv/parp enable n
/cfg/net/adv/parp/list
/cfg/pnp
/cfg/fw ena y
/cfg/fw/sync ena n
/cfg/fw/client
/cfg/misc warn y
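As an added consistency check (example code written for this guide, not part of the Nortel software or the original manual), the following Python parses the /cfg/net/if lines of the dump above and compares the vlanid/port assignments on the DMZ trunk port with the VLAN IDs configured on the layer 2 switch (DMZ A = 10, DMZ B = 11). The trunk port and the VLAN-to-zone mapping come from the example; the duplicate-subnet and untagged-on-trunk checks are assumptions about what is worth flagging, not rules the manual states.

```python
import re

# Added example, not Nortel code: parses the /cfg/net/if lines of a Switched
# Firewall configuration dump and checks the vlanid/port assignments against
# the VLAN plan of the layer 2 switch that trunks the DMZs into the firewall.

IF_RE = re.compile(
    r"^/cfg/net/if (?P<ifnum>\d+) addr1 (?P<addr1>\S+) addr2 \S+ mask (?P<mask>\S+)"
    r" vlanid (?P<vlanid>\d+) port (?P<port>\d+) ena (?P<ena>[yn])$")
MAX_INTERFACES = 255   # number of interfaces the Switched Firewall supports


def parse_interfaces(dump):
    """Return {ifnum: {...}} for every /cfg/net/if line; vrrp and other lines are skipped."""
    ifs = {}
    for line in dump.splitlines():
        m = IF_RE.match(line.strip())
        if m:
            d = m.groupdict()
            ifs[int(d["ifnum"])] = {"addr1": d["addr1"], "mask": d["mask"],
                                    "vlanid": int(d["vlanid"]), "port": int(d["port"]),
                                    "enabled": d["ena"] == "y"}
    return ifs


def check_vlan_plan(ifs, trunk_port, switch_vlans):
    """switch_vlans maps each VLAN ID tagged on the trunk into trunk_port to its zone name.

    Returns a list of findings; an empty list means the firewall and switch agree."""
    findings = []
    if len(ifs) > MAX_INTERFACES:
        findings.append("more than %d interfaces configured" % MAX_INTERFACES)
    # A (port, vlanid) pair identifies one subnet; two interfaces cannot share it.
    seen = {}
    for n, i in sorted(ifs.items()):
        key = (i["port"], i["vlanid"])
        if key in seen:
            findings.append("if %d and if %d both use port %d vlanid %d"
                            % (seen[key], n, key[0], key[1]))
        seen[key] = n
    trunk = {i["vlanid"]: n for n, i in sorted(ifs.items())
             if i["port"] == trunk_port and i["enabled"]}
    # Every VLAN the switch trunks must terminate on an enabled firewall interface.
    for vid, zone in sorted(switch_vlans.items()):
        if vid not in trunk:
            findings.append("%s (VLAN %d) is trunked to port %d but no enabled interface has vlanid %d"
                            % (zone, vid, trunk_port, vid))
    # And every tagged firewall interface on the trunk must have a VLAN behind it.
    for vid, n in sorted(trunk.items()):
        if vid == 0 and switch_vlans:
            findings.append("if %d on trunk port %d is untagged (vlanid 0); review, tagged DMZ frames will not reach it"
                            % (n, trunk_port))
        elif vid and vid not in switch_vlans:
            findings.append("if %d expects VLAN %d on port %d but the switch trunk does not carry it"
                            % (n, vid, trunk_port))
    return findings


# Interface lines copied from the configuration dump above (constructed input for the example).
DUMP = """
/cfg/net/if 1 addr1 47.133.63.99 addr2 0.0.0.0 mask 255.255.255.0 vlanid 0 port 4 ena y
/cfg/net/if 1/vrrp vrid 1 ip1 0.0.0.0 ip2 0.0.0.0
/cfg/net/if 2 addr1 192.168.0.1 addr2 0.0.0.0 mask 255.255.255.0 vlanid 10 port 2 ena y
/cfg/net/if 3 addr1 192.168.2.1 addr2 0.0.0.0 mask 255.255.255.0 vlanid 11 port 2 ena y
/cfg/net/if 33 addr1 33.1.1.10 addr2 0.0.0.0 mask 255.255.255.0 vlanid 0 port 3 ena y
"""
DMZ_TRUNK_PORT = 2
SWITCH_VLANS = {10: "DMZ A", 11: "DMZ B"}   # VLAN IDs from the layer 2 switch configuration

if __name__ == "__main__":
    ifs = parse_interfaces(DUMP)
    print(check_vlan_plan(ifs, DMZ_TRUNK_PORT, SWITCH_VLANS))   # [] : firewall matches the switch
    # A third DMZ VLAN added on the switch but not on the firewall is reported.
    print(check_vlan_plan(ifs, DMZ_TRUNK_PORT, {**SWITCH_VLANS, 12: "DMZ C"}))
```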
CHAPTER 3
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a large TCP/IP network. Without DHCP, the IP address must be entered manually for each network device. DHCP allows a network administrator to distribute IP addresses from a central point and automatically send a new IP address when a device is connected to a different place in the network.
DHCP is an extension of another network IP management protocol, Bootstrap Protocol (BOOTP), with an additional capability of being able to dynamically allocate reusable network addresses and configuration parameters for client operation.
Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server, thereby reducing network administration. The most significant configuration the client receives from the server is its required IP address (other optional parameters include the “generic” file name to be booted, the address of the default gateway, and so forth).
Nortel DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them. Without the DHCP relay agent, there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request.
DHCP relay agent
DHCP is described in RFC 2131, and the DHCP relay agent supported on the Nortel Switched Firewall is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
DHCP defines the methods through which clients can be assigned an IP address for a finite lease period and allows reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network.
In the DHCP environment, the Nortel Switched Firewall acts as a relay agent. The DHCP relay feature (/cfg/net/dhcprl) enables the firewall to forward a client request for an IP address to DHCP servers with IP addresses that have been configured on the Nortel Switched Firewall.
When Nortel Switched Firewall receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the request is then forwarded as a UDP Unicast MAC layer message to DHCP servers whose IP addresses are configured on the firewall. The servers respond with a UDP Unicast message back to the firewall, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the Nortel Switched Firewall that received the client request. This interface address tells the Nortel Switched Firewall on which VLAN to send the server response to the client.
Configuring for DHCP relay agent
To enable the Nortel Switched Firewall to be the DHCP forwarder, you need to configure the DHCP server IP addresses on the firewall. You must enable DHCP relay on the interface connected to the client subnet.
Figure 52 shows a basic DHCP network example:
Figure 52 DHCP relay agent configuration
[Figure 52 residue: labels DHCP Client, Nortel Switched Firewall (DHCP Relay Agent), DHCP Server; addresses 10.1.1.2, 20.1.1.1, 10.1.1.0; sites Boston and Atlanta]
The client request is forwarded to all DHCP servers configured on the firewall. The use of two servers provides failover redundancy; you can configure up to eight DHCP servers. However, no health checking of the servers is supported.
DHCP relay functionality is assigned on a per-interface basis. At least one server and one interface must be enabled for DHCP; otherwise the configuration fails validation. Use the following commands to configure the Nortel Switched Firewall as a DHCP relay agent:
1. Enable DHCP Relay globally.
>> # /cfg/net/dhcprl
>> DHCP Relay# ena
2. Configure DHCP requests to enter on this interface.
>> DHCP Relay# if 1
>> DHCP Relay Interface 1# ena (Allow DHCP requests)
3. Configure DHCP server information.
>> # /cfg/net/dhcprl/server 1
>> DHCP Server 1# addr 10.1.1.1 (Set IP address of 1st DHCP server)
>> DHCP Server 1# ena (Enable the DHCP server)
>> DHCP Server 1# ../server 2 (Select the 2nd DHCP server)
>> DHCP Server 2# addr 10.1.1.2 (Set IP address of 2nd DHCP server)
>> DHCP Server 2# ena (Enable the DHCP server)
4. Display current configuration.
>> # /cfg/net/dhcprl/cur (Display current configuration)
5. Apply and save the changes.
>> DHCP Relay# apply
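The relay behaviour described above, as an added example that is not part of this manual or of the Nortel implementation: a DHCPDISCOVER is constructed, stamped with the receiving interface address as giaddr and fanned out as unicast copies to the configured servers, and the server reply is mapped back to the interface (VLAN) by its giaddr. The interface number, the interface address 20.1.1.1 and the server list are constructed to match the Figure 52 configuration; the 16-hop limit is the RFC 1542 rule, and the 1-to-8-server and one-interface checks are the validation rules stated in the text.

```python
import socket
import struct

# Added example of the relay behaviour described above (not Nortel code).
# Constructed configuration mirroring Figure 52: interface 1 faces the
# client subnet and two DHCP servers are configured under /cfg/net/dhcprl.
RELAY_INTERFACES = {1: "20.1.1.1"}      # interface number -> interface IP (assumed)
DHCP_SERVERS = ["10.1.1.1", "10.1.1.2"]
BOOTP_HEADER_LEN = 236                  # fixed BOOTP/DHCP header before the options
MAX_HOPS = 16                           # RFC 1542: discard requests relayed too often

def validate_relay_config(servers, interfaces):
    """Validation rules stated in the manual: 1 to 8 servers, at least one interface."""
    if not 1 <= len(servers) <= 8:
        raise ValueError("DHCP relay requires between 1 and 8 servers")
    if not interfaces:
        raise ValueError("DHCP relay requires at least one enabled interface")
    return True

def build_discover(xid, mac):
    """Constructed DHCPDISCOVER: BOOTREQUEST header, broadcast flag, option 53 = 1."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac, b"", b"")
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def relay_client_request(packet, ingress_if):
    """Broadcast on UDP/67 from a client: stamp giaddr with the receiving interface
    address, bump hops, and return one unicast copy per configured server."""
    if len(packet) < BOOTP_HEADER_LEN or packet[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    hops = packet[3] + 1
    if hops > MAX_HOPS:
        raise ValueError("hop count exceeded, request dropped")
    giaddr = packet[24:28]
    if giaddr == b"\0\0\0\0":           # only the first relay on the path sets giaddr
        giaddr = socket.inet_aton(RELAY_INTERFACES[ingress_if])
    fwd = packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]
    return [(server, 67, fwd) for server in DHCP_SERVERS]

def relay_server_reply(packet):
    """Unicast reply from a server: giaddr names the relay interface that took the
    request, which selects the VLAN on which to hand the reply to the client."""
    if len(packet) < BOOTP_HEADER_LEN or packet[0] != 2:
        raise ValueError("not a BOOTREPLY")
    giaddr = socket.inet_ntoa(packet[24:28])
    for if_num, addr in RELAY_INTERFACES.items():
        if addr == giaddr:
            return if_num
    raise ValueError("giaddr is not a relay interface; reply dropped")
```

A reply whose giaddr matches none of the relay's interfaces is dropped rather than flooded, which is the check that keeps the relay from handing server replies to an arbitrary VLAN.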
CHAPTER 4
Open Shortest Path First
The Nortel Switched Firewall 2.3.3 supports the Open Shortest Path First (OSPF) routing protocol. This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss current OSPF support:
OSPF overview on page 96. This section provides information about OSPF concepts: types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
NSF 2.3.3 OSPF implementation on page 101. This section gives you information specific to the Nortel Switched Firewall implementation of OSPF: configuration parameters, electing the designated router, summarizing routes, and so forth.
OSPF configuration examples on page 107. This section provides detailed instructions for configuring a simple OSPF domain:
Example 1: configuring a simple OSPF domain on page 107
Example 2: configuring GRE Tunnel on page 109
Example 3: configuring failover on page 113
OSPF overview
OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas.
All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, significantly reducing the overhead of maintaining routing information about a large, dynamic network. The NSF 2.3.3 high availability solution is supported in an OSPF network.
The following sections describe key OSPF concepts.
Types of OSPF areas
An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone is the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed.
As shown in Figure 53 on page 97, OSPF defines the following types of areas:
Stub Area—an area that is connected to only one other area. External route information is not distributed into stub areas.
Not-So-Stubby-Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but are not distributed into other areas.
Transit Area—an area that allows area summary information to be exchanged between routing devices. The backbone (area 0) and any area that is not a stub area or an NSSA are considered transit areas (see Figure 53).
Figure 53 OSPF area types
[Figure 53 residue: Backbone (Area 0); Stub Area (no external routes from backbone); Not-So-Stubby Area (NSSA); Transit Area; an area connected to the backbone via a virtual link (also a transit area); Stub Area, NSSA, or Transit Area; external LSA routes; internal LSA routes; ABRs; ASBR; non-OSPF area (RIP/BGP AS). ABR = Area Border Router, ASBR = Autonomous System Boundary Router]
Types of OSPF routing devices
As shown in Figure 53, OSPF uses the following types of routing devices:
Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.
Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes (see Figure 54).
Figure 54 OSPF domain and an autonomous system
[Figure 54 residue: OSPF Autonomous System containing Backbone (Area 0), Area 1, Area 2, and Area 3; inter-area routes (summary routes) exchanged through ABRs; an Internal Router; ASBRs carrying external routes to BGP and RIP]
Neighbors and adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed.
Neighbors are routing devices that maintain information about each other’s health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors.
Adjacencies are neighbors that exchange OSPF database information. In order to limit the number of database exchanges, not all neighbors in an area (IP network) become adjacent to each other. Instead, the hello process is used to elect one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR).
The DR is adjacent to all other neighbors and acts as the central contact for database exchanges. Each neighbor sends its database information to the DR, which relays the information to the other neighbors.
Because of the overhead required to establish a new DR in case of failure, the hello process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR takes over the task of distributing database information to the other neighbors.
The Link-State database
OSPF is a link-state routing protocol. A link represents an interface (or routable path) from the routing device. By establishing an adjacency with the DR, each routing device in an OSPF area maintains an identical Link-State Database (LSDB) describing the network topology for its area.
Each routing device transmits a Link-State Advertisement (LSA) on each of its interfaces. LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute LSAs between routing devices.
When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors.
OSPF routing updates occur only when changes occur, instead of periodically. For each new route, if an adjacency is interested in that route (for example, if configured to receive static routes and the new route is indeed static), an update message containing the new route is sent to the adjacency. For each route removed from the route table, if the route has already been sent to an adjacency, an update message containing the route to withdraw is sent.
The Shortest Path First tree
The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination.
The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth.
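As an added illustration of the neighbor test and the SPF calculation described above (example code, not part of this manual or of the Nortel implementation): hello packets are compared on the parameters the text lists (area, hello and dead intervals, authentication), interface costs are derived from bandwidth, and Dijkstra's algorithm builds the shortest path tree from a link-state database. The router names, the LSDB and the 100 Mbit/s reference bandwidth are constructed assumptions; the manual only states that cost is inversely proportional to bandwidth.

```python
import heapq

# Added example (not Nortel code): one router's view of a single OSPF area.
# The LSDB is modelled as router -> {neighbor: interface bandwidth in Mbit/s}.
# Constructed topology; the 100 Mbit/s reference bandwidth is an assumption.
REFERENCE_BW_MBPS = 100

LSDB = {
    "R1": {"R2": 100, "R3": 10},
    "R2": {"R1": 100, "R4": 100},
    "R3": {"R1": 10, "R4": 100},
    "R4": {"R2": 100, "R3": 100},
}

def interface_cost(bandwidth_mbps):
    """Lower cost for higher bandwidth; an OSPF interface cost is at least 1."""
    return max(1, REFERENCE_BW_MBPS // bandwidth_mbps)

def hello_compatible(mine, theirs):
    """Two routers become neighbors only when the parameters the manual lists
    agree: same area, same hello and dead intervals, same authentication type."""
    keys = ("area", "hello_interval", "dead_interval", "auth_type")
    return all(mine[k] == theirs[k] for k in keys)

def spf_tree(lsdb, root):
    """Dijkstra over the LSDB: returns {router: (cumulative cost, predecessor)}."""
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                          # stale heap entry, already improved
        for nbr, bw in lsdb.get(node, {}).items():
            new_cost = cost + interface_cost(bw)
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, node)
                heapq.heappush(heap, (new_cost, nbr))
    return best

def shortest_path(lsdb, root, dest):
    """Walk predecessors in the SPF tree back from dest to root; None if unreachable."""
    tree = spf_tree(lsdb, root)
    if dest not in tree:
        return None
    path, node = [], dest
    while node is not None:
        path.append(node)
        node = tree[node][1]
    return path[::-1]
```

In the constructed topology the direct 10 Mbit/s link R1-R3 costs 10, so the tree reaches R3 through R2 and R4 at a cumulative cost of 3.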
Authentication
OSPF also supports packet authentication. OSPF sends and receives its packets using IP multicast, which reduces the processing load on routing devices that are not listening for OSPF packets.
Internal versus external routing
To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2.
It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing.
Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS.
When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination.