Sophos SG 550 operation manual

Page 1
Operating Instructions
SG 550/650 Rev. 2
Page 2
Operating Instructions
Foreword
We are pleased to welcome you as a new customer of our Sophos SG appliances.
To install and configure the hardware appliance you can use the following documents:
system peripherals in a few steps
Ì Operating Instructions: Notes on the security and
commissioning of the hardware appliance
Ì Administration Guide: Installing and configuring the software appliance
The Hardware Quick Start Guide and the Safety Instructions are also delivered in printed form together with the hardware appliance. The instructions must be read carefully prior to using the hardware and should be kept in a safe place.
You may download all user manuals and additional documentation from the support webpage at: sophos.com/support
Security Symbols
The following symbol and its meaning appears in the Hardware Quick Start Guide, Safety Instructions and in these Operating Instructions.
Caution and Important Note. If these notes are not correctly observed:
Ì This is dangerous to life and the environment
Ì The appliance may be damaged
Ì The functions of the appliance will be no longer guaranteed
Ì Sophos shall not be liable for damages arising from a
failure to comply with the Safety Instructions
Designed Use
The hardware appliances are developed for use in networks. The SG 550/650 models may be operated as a standalone appliance. The hardware appliance can be used in commercial, industrial and residential environments.
The SG 550/650 models belong to the appliance group A.
The hardware appliance must be installed pursuant to the current installation notes. Otherwise failure-free and safe operation cannot be guaranteed. The EU declaration of conformity is available at the following address:
Sophos Technology GmbH Amalienbadstr. 41/Bau 52 76227 Karlsruhe Germany
1SG 550/650 Rev. 2
Page 3
Operating Instructions
CE Labeling, FCC and Approvals
The SG 550/650 appliances comply with FCC Class A, CE, C-Tick, VCCI and UL.
Important Note: For computer systems to remain CE and FCC compliant, only CE and FCC compliant parts may be used. Maintaining CE and FCC compliance also requires proper cable and cabling techniques.
Operating Elements and Connections
SG 550 Rev. 2
2 x hot-swap
SSD (RAID-1)
2 x management port
2 x USB 2.0
Navigation
for LCD
1 x COM (RJ45)
Multi-function LCD display
SG 650 Rev. 2
2 x hot-swap
SSD (RAID-1)
Navigation
for LCD
2 x management port
2 x USB 2.0
1 x COM (RJ45)
Multi-function LCD display
SG 550/650 Rev. 2
1 x USB 3.0 1 x VGA port Power switch
4 x swappable fan
4 expansion bays for Flexi Port modules. 1 x 8 port GbE copper module supplied as default (removable)
6 expansion bays for Flexi Port modules. 1 x 8 port GbE copper module supplied as default (removable)
2 x hot swappable
power supply
2SG 550/650 Rev. 2
Page 4
Operating Instructions
LED Status
Power (LED Display)
Power Supply Red
Power Green
SSD ACT Yellow
SSD Active Red
LEDs on each RJ45 Ethernet connector
ACT/LNK (Left LED)
Green Constantly 1. The Ethernet port is receiving power.
Flashing The adapter is sending or receiving network data. The
Off 1. The adapter and switch are not receiving power.
2. Good connection between the Ethernet port and hub.
frequency of the flashes varies with the amount of traffic.
2. No connection between both ends of network.
3. Network drivers have not been loaded or do not function correctly.
SOPHOS
Protection
UTM 9.xxx
10 days 01:43:17
CPU xx%
xx% yy% zz%
RAM x% y GB
SWAP x% y GB
all in x kbits/sec
out y kbits/sec
Speed (Right LED)
Back side
Power Supply Green Constantly Power
Amber On The Ethernet port is operating at 1,000 Mbps.
Green On The Ethernet port is operating at 100 Mbps.
Off The Ethernet port is operating at 10 Mbps.
Off No power
LCD and Control Keys
The Sophos SG 430/450 units have an LCD and an operating unit with four membrane keys. In the LCD, 16 characters per line can be displayed. The display contains in four cycling views information on the hardware and specific system states.
After the security appliance has booted this message is displayed.
Sophos UTM version and Appliance Uptime
CPU load information and Average Load in the last 1, 5 and 15 minutes
Memory usage
Traffic on interface
3SG 550/650 Rev. 2
Page 5
Operating Instructions
Executable Actions
Ì Change IP Address: This option enables the user to change the interface’s IP
address and netmask. All available and enabled IP addresses can be changed.
Ì Reboot machine: The security appliance is rebooted. The reboot
action will shut down the system completely and reboot.
Ì Shut down: The security appliance is shut down. The shut down action allows
you to turn off the system, and allows you to cleanly stop all running services.
Ì Factory reset: All settings are reset to the factory settings. The factory
reset function sets all of the configuration settings and options to their original state. All data entered after the initial installation will be deleted, including the HTTP proxy cache, the entire email queue, accounting and reporting data, passwords, and uninstalled Up2Date packages. The version of the software will not change. That is, all firmware and pattern updates that have been installed will be retained.
Ì Disable OTP (One Time Password) authentication: The OTP
authentication will be disabled for the selected options. This feature only handles webadmin and shell access options if they are enabled.
Control Key Functions
The current menu is left. When the key is pressed a couple of times, the modifications are discarded and the initial state will be displayed.
These keys are used to switch between the different menus and/or characters.
Pressing executes the configured action.
Change IP Address
S.NO. Action Item/press What you see on the LCD What it means
1.
2.
3.
4.
5.
6.
or
7.
8.
9. Saves changed IP address
Config menu
1. Change IP addr
Interface eth0
192.168.0.1/24
IP address (Eth0)
192.168.0.1
IP address (Eth0)
192.168.0.1
eth0 Netmask
24
Selects interface
Edit IP address
Changes digit at cursor position
Moves cursor to the next right position
Exits edit mode without saving
Displays netmask value after the last IP address digit
Change netmask value
and netmask
4SG 550/650 Rev. 2
Page 6
Operating Instructions
Reboot Machine
S.NO. Action Item/press What you see on the LCD What it means
1.
Config menu
1. Change IP addr
2.
x1
3.
4.
5.
Config menu
2. Reboot Machine
Shutting down
Are you sure? n
Toggles between “y“ and “n“
Selects choice
Shut Down
S.NO. Action Item/press What you see on the LCD What it means
1.
2.
x2
3.
4.
5.
Config menu
1. Change IP addr
Config menu
3. Shutdown
Rebooting
Are you sure? n
Toggles between “y“ and “n“
Selects choice
Shut Down
S.NO. Action Item/press What you see on the LCD What it means
1.
Config menu
1. Change IP addr
2.
x3
3.
4.
5.
Config menu
4. Factory Reset
All Data erased!
Are you sure? n
Toggles between “y“ and “n“
Selects choice
5SG 550/650 Rev. 2
Page 7
Operating Instructions
Disabling OTP (One Time Password) Authentication
S.NO. Action Item/press What you see on the LCD What it means
1.
Config menu
1. Change IP addr
2.
x4
3.
or
4. Selects feature to
5.
6.
7.
Config menu
5. OTP Recovery
Disable OTP
Not available
Disable OTP
xxxxxx
Disable xxxxxx
Are you sure? n
Displayed if no option to disable is available
disable (if enabled)
Toggles between “y“ and “n“
Selects choice
Putting into Operation
Caution: Risk of explosion if battery is replaced by an incorrect type. Dispose of
used batteries according to the instructions.
Scope of Supply
The supplied parts are indicated in the Hardware Quick Start Guide.
Mounting Instructions
The SG 550/650 appliances are designed for use in racks. Please consider the following security tips:
Important Note: Functional reliability outside of a rack cannot be guaranteed.
Warnings and Precautions
The appliance can be operated safely if you observe the following notes and the notes on the appliance itself.
6SG 550/650 Rev. 2
Page 8
Operating Instructions
Rack Precautions
Ì Ensure that the leveling jacks on the bottom of the rack are fully
extended to the floor with the full weight of the rack resting on them.
Ì In single rack installation, stabilizers should be attached to the rack.
Ì In multiple rack installations, the racks should be coupled together.
Ì Always make sure the rack is stable before
extending a component from the rack.
Ì You should extend only one component at a time—extending two or
more simultaneously may cause the rack to become unstable.
General Server Precautions
Ì Review the electrical and general safety precautions that came
with the components you are adding to your appliance.
Ì Determine the placement of each component in
the rack before you install the rails.
Ì Install the heaviest server components on the
bottom of the rack first, and then work up.
Ì Allow the hot plug hard drives and power supply
modules to cool before touching them.
Ì Always keep the rack‘s front door, all panels and server components
closed when not servicing to maintain proper cooling.
Rack Mounting Considerations
Ì Ambient operating temperature: If installed in a closed or multi-unit rack
assembly, the ambient operating temperature of the rack environment may be greater than the ambient temperature of the room. Therefore, you should install the equipment in an environment compatible with the manufacturer’s maximum rated ambient temperature.
Ì Reduced airflow: Equipment should be mounted into
a rack with sufficient airflow to allow cooling.
Ì Mechanical loading: Equipment should be mounted into a rack so that a
hazardous condition does not arise due to uneven mechanical loading.
Ì Circuit overloading: Consideration should be given to the connection
of the equipment to the power supply circuitry and the effect that any possible overloading of circuits might have on overcurrent protection and power supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
Ì Reliable ground: Reliable grounding must be maintained at all times.
To ensure this, the rack itself should be grounded. Particular attention should be given to power supply connections other than the direct connections to the branch circuit (i.e., the use of power strips, etc.).
7SG 550/650 Rev. 2
Page 9
Operating Instructions
Rack Mounting Instructions
To mount the appliance to the rack you need the delivered rack-mount kits. There are a variety of rack units on the market, which may mean the assembly procedure will differ slightly. You should also refer to the installation instructions that came with the rack unit you are using.
Because of their dimension and weight the SG 550/650 models are delivered with a special rail kit.
Important Note: Make sure you use the screws supplied with the rack-mount kits. Using the wrong screws could damage the hardware appliance and would invalidate your warranty. Please observe the mounting instructions for your rack.
1. Attach the rack-mount kits to the appliance.
Place the appliance on a hard, flat surface with the front panel facing you.
Attach the rack–mount kits to the left and right side of the appliance with the supplied screws.
Make sure the kits are properly attached to the appliance.
Important note: The rails for SG 550/650 will fit a rack of 600 mm/23.6” deep.
2. Choose the rack location.
Leave enough clearance in front of the rack so that you can open the front door completely (~60 cm/25 inches).
Leave approximately 80 cm/30 inches of clearance in the back of the rack to allow for sufficient airflow and ease in servicing.
This product is for installation only in a restricted access location (dedicated equipment rooms, service closets and the like).
3. Slide the appliance into the rack.
Please refer to the dedicated sliding rails mounting instructions from the scop of supply.
Connection and Configuration
How to connect the appliance is described in the Hardware Quick Start Guide. For configuration you can follow the initial setup wizard described in the WebAdmin Quick Start Guide or cancel it and perform a manual setup (see the Sophos SG Firewall Administrator Guide).
8SG 550/650 Rev. 2
Page 10
Operating Instructions
RAID (SSD) System
The SG 550/650 model are equipped with a RAID system with two Solid State Drive. A RAID system (redundant array of independent disks) connects several physical Solid State Drive to one particularly performing logical drive. This type of Solid State Drive system enhances the transfer rate and data security. Additionally, a RAID system increases the availability of the security appliance since a defective Solid State Drive can easily and quickly be exchanged—it is not necessary to shut down the system.
Important note: If you need to change a Solid State Drive because of a defect, remember to remove the defective Solid State Drive from the RAID system, otherwise the complete security appliance will fail. Please note that the safe operation of the hardware appliance is only ensured in the long term if both Solid State Drive are working. Immediately exchange damaged Solid State Drive. Only use Solid State Drive which you purchased directly from Sophos or from a Sophos distribution partner. Please remember that any warranty claims are voided for the appliance if a defect has been caused by the use of Solid State Drive which are not suited for the system.
Exchanging the hard disk
1. Identify the defective Solid State Drive.
In the event of a hardware defect the FAIL LED of the respective Solid State Drive will turn on e.g., SSD 1 (upper Solid State Drive).
2. Open the Solid State Drive latch.
3. Unlock the Solid State Drive by pushing the latch to the left and pulling the lever in your direction.
4. Remove the Solid State Drive from the chassis.
5. Now, insert the new Solid State Drive into the chassis.
6. Lock the Solid State Drive by pushing the lever in the direction of the chassis. Lock the latch at the Solid State Drive.
Important note: Except for short periods of time (e.g., swapping Solid State Drives), do not operate the server with an empty Solid State Drive.
As soon as the security appliance detects the new Solid State Drive, the existing hard disk is mirrored to the new Solid State Drive. This process may take 30 minutes or more.
Redundant Power Supply
The SG 550/650 models are equipped with a redundant power supply. The power supply system consists of two separate power supply units. This power supply system increases the availability of the security appliance, since a defective power supply unit can be exchanged easily and quickly during operation.
When the system is running error-free, LED on the back of the appliance shows green. In the event of a hardware defect in one of the power supply units these LEDs will turn red and you will hear a continuous beeping sound. The warning sound can be reset by pressing the red buzzer reset switch on the system chassis. This buzzer reset switch is on the back of the appliance right beside the power supply system.
9SG 550/650 Rev. 2
Page 11
Operating Instructions
Important note: If you need to change a power unit because of a defect, remember to remove the defective power unit from the power supply system, otherwise the whole security appliance will fail.
Protect yourself from potential burns by wearing protective gloves when exchanging a power supply unit.
Only use power units which you purchased directly from Sophos or from a Sophos distribution partner. Please remember that any warranty claims are voided for the security appliance if a defect has been caused by the use of power units which are not suited for the system.
Exchanging a power supply unit
1. Identify the defective power supply unit.
Locate the defective power supply unit by examining the individual LEDs of each unit—no LED light indicates a failure of the unit.
2. On the right side, open the interlock of the power supply unit.
3. Use the special bracket to pull the power supply unit out of the chassis.
4. Now, insert the new power supply unit into the chassis.
5. Lock the new power supply unit.
Plug the power cable back into the connector of the new power supply unit and check the following LED displays: LED of the new power supply unit lights green. As soon as the new power supply unit is detected and functional, the beeping sound will disappear.
SFP GBIC Ports
The SG 550/650 models provide the option to add Sophos FleXi Port network modules with SFP (1 GbE) or SFP+ (1/10GbE) GBIC Ports. The abbreviation SFP GBIC stands for small form-factore plugable GigaBit interface converter, a flexible interface which changes electronic signals into optical signals. The converters used with the appliance are often also called Mini-GBIC or New GBIC.
To use SFP GBIC ports, you will need the appropriate SFP GBIC modules. These modules are not delivered with the appliance but available through your Sophos partner. There are different module types. The required type is determined by the existing network. The following SFP GBIC module types may be used:
SFP:
1000 Base-T IEEE 802.3 - 1 Gbit/s via Ethernet cable. An Ethernet cable category 5 covers a maximum distance about 100 meters.
1000 Base-SX IEEE 802.3 - 1 Gbit/s via fiberglass. Multi-mode fiberglass cables (MMF) cover a distance of 200 m to 550 m.
1000 Base-LX IEEE 802.3 - 1 Gbit/s via fiberglass. Here, exclusively singlemode-fiber glass is used. This transmission option covers approximately 10 km.
10SG 550/650 Rev. 2
Page 12
Operating Instructions
SFP+:
10GBase-SR IEEE 802.3 - 10 Gbit/s via fiberglass. Multi-mode fiberglas cables cover a distance of up to 400 m.
10GBase-LR IEEE 802.3 - 10 Gbit/s via fiberglass. Single-mode fiberglas cover a distance of approximately 10 km
Note: The SFP+ ports of the Sophos FleXi Port modules are dual-rate capable supporting both 1GbE and 10GbE speeds when using appropriate GBICs also supporting both rates.
Caution: The SFP GBIC and SFP+ ports use lasers to transmit signals over fiber optic cable. The lasers are compliant with the requirements of a Class 1 Laser equipment and are inherently eye-safe in normal operation. However, you should never look directly at a transmit port when it is powered on. Always install appropriate and UL approved Laser Class I Transceivers, rated 3.3Vdc, max. 1W, in the fiber ports before using the fiber ports.
Installing a SFP GBIC module:
Please read the operation manual to the SFP GBIC module. Carefully insert the SFP GBIC module into the port until it engages. The interface is immediately ready for use.
Removing a SFP GBIC module:
1. Remove the fiberglass cable from the module which you wish to remove.
2. Remove the module carefully from the port.
Depending on when you purchased your SFP GBIC module, it may have any of three different release mechanisms: a plastic tab on the bottom of the mini-GBIC, a wire bail, or a plastic collar around the mini-GBIC.
Please read the operation manual to the SFP GBIC module.
Serial Console
You can connect a serial console to the COM port of the Sophos SG Firewall hardware appliances. You can use, for instance, the Hyperterminal terminal program which is included with most versions of Microsoft Windows to log on to the appliance console. Use the provided RJ45 to DB9 adapter cable to connect the console to your hardware appliance.
The required connection settings are:
Ì Bits per second: 38,400
Ì Data bits: 8
Ì Parity: N (none)
Ì Stop bits: 1
Access via the serial console is activated by default on ttyS1. The connections of the appliances and the respective functionality are listed in chapter “Operating Elements and Connections.”
11SG 550/650 Rev. 2
Page 13
Operating Instructions
United Kingdom and Worldwide Sales Tel: +44 (0)8447 671131 Email: sales@sophos.com
© Copyright 2018. Sophos Ltd. All rights reserved. Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
18-03-09 OINA (DD-2965)
North American Sales Toll Free: 1-866-866-2802 Email: nasales@sophos.com
Australia and New Zealand Sales Tel: +61 2 9409 9100 Email: sales@sophos.com.au
Asia Sales Tel: +65 62244168 Email: salesasia@sophos.com
Loading...