Stonesoft StoneGate FW-5105 Installation Manual

Appliance Installation Guide
FW-5105
Legal Information
Revision: SGAIG_FW-5105_20091214
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html
Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html
U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.
Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.
General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/
Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/
Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; and 7,461,401 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.
Copyright © 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Introduction
Thank you for choosing Stonesoft’s StoneGate™ appliance. This guide provides instructions for the initial hardware installation and the maintenance of the FW-5105 appliances. See Product Documentation (page 5) for information on other available documentation.
The use of the appliance is subject to the acceptance of the End User License Agreement, which can be found at the Stonesoft website.
You must have a working Management Center on a separate server to make the appliance(s) operational. The system architecture is explained on the next page. The installation of the Management Center is explained in the StoneGate Management Center Installation Guide.
Contents
Getting Started ............................ 4
Safety Precautions ....................... 6
Unpacking the Appliance .............. 8
Front Panel .................................. 9
Rack-Mounting............................. 11
Connecting the Cables ................. 16
Initial Configuration ...................... 19
Command-Line Management......... 27
Maintenance Operations............... 27
Port Indicators ............................. 33
Disposal Instructions ................... 34
Caution – Read the Safety Precautions (page 6) before you conduct any installation or maintenance operations on the appliance.
Getting Started
StoneGate System Components
The illustration above shows all available StoneGate components. Out of these, you need the following components to have an operational Firewall/VPN system:
1. A Management Server, which stores the configuration of the system. In most environments, it is best to have just one common Management Server for all firewall and IPS engines.
2. At least one Log Server to handle and store logs and alerts (can be installed simultaneously on the same machine with the Management Server).
3. At least one Management Client that you use to connect to the Management Server to change settings and monitor the system.
4. The Firewall Engines that handle the actual traffic processing (in this case, the StoneGate appliance).
5. Licenses for each component except the Management Client(s). Generate appliance licenses at the Stonesoft website with the POS (proof-of-serial-number) code attached to the appliance.
The Web Portal Server is an optional component that can be ordered separately.
StoneGate IPS engines can be added to the same system for unified management and incident handling.
Installation Procedure
The appliance installation involves the following mandatory steps:
1. Configure the firewalls in the Management Center (see the separate StoneGate Firewall/VPN Installation Guide or the Online Help of the Management Client).
2. Save the initial configuration to receive a one-time password for establishing a connection between the appliance and the Management Server (see the Firewall/VPN Installation Guide).
3. Install the appliance into a rack and connect the cables as instructed in this guide.
4. Perform the initial configuration and establish contact between the appliance and the Management Server as instructed in this guide.
Product Documentation
The following documentation covers the StoneGate Firewall/VPN products:
• The Management Center Installation Guide and the Firewall/VPN Installation Guide explain how to install the Management Center and how to configure your firewalls’ basic settings.
• The Online Help of the Management Client contains the step-by-step instructions for the daily configuration and management of your system.
• The Administrator’s Guide contains the same information as the Online Help, but in PDF form.
• The Management Center Reference Guide and Firewall/VPN Reference Guide contain background and reference information that helps you to plan and understand your system.
Finding the Documentation
Press F1 in any Management Client window to view the Online Help. All PDF guides are available:
• On the Management Center CD-ROM (in the Documentation folder)
• At the Stonesoft website at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/
Install the free Adobe Reader program to view the PDF documents (available at www.adobe.com/reader/).
Safety Precautions
The following safety information and procedures should be followed whenever working with electronic equipment.
Electrical Safety Precautions
Basic electrical safety precautions should be followed to protect yourself from harm and the appliance from damage:
• Be aware of the location of the power on/off switch as well as the room's emergency power-off switch, disconnection switch, or electrical outlet. If an electrical accident occurs, you can then quickly cut power to the system.
• Do not work alone when working with high-voltage components.
• Before removing or installing main system components, be sure to disconnect the power first. Turn off the system before you disconnect the power cord.
• Use only one hand when working with powered-on electrical equipment. This is to avoid making a complete circuit, which will cause electrical shock. Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards they come into contact with.
• Do not use mats designed to decrease electrostatic discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.
• The power supply cord must include a grounding plug and must be plugged into a grounded electrical outlet. Use only the cord supplied with the appliance.
• The power cord plug cap that plugs into the AC receptacle on the power supply must be an IEC 320, sheet C13, type female connector.
• If you have to replace the motherboard battery, install it the same way as the original battery. Make sure that the positive side faces up on the motherboard. This battery must be replaced only with the same or an equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.
• To avoid injury, do not open the enclosures of the power supplies or the CD-ROM drive.
General Safety Precautions
Follow these rules to ensure general safety:
• Keep the area around the appliance clean and free of clutter.
• The appliance weighs approximately 33 kg (72 lbs.) when fully loaded. When lifting the appliance, two people at either end should lift slowly with their feet spread out to distribute the weight. Always keep your back straight and lift with your legs.
• We recommend using a regulating uninterruptible power supply (UPS) to protect the appliance from power surges, voltage spikes and to keep your system operating in case of a power failure.
ESD Precautions
Electrostatic discharge (ESD) is generated by two objects with different electrical charges coming into contact with each other. An electrical discharge is created to neutralize this difference, which can damage electronic components and printed circuit boards. Use a grounded wrist strap designed to prevent static discharge.
Note – Use a UPS (Uninterruptible Power Supply) in critical environments with your StoneGate appliance. If after a brief power outage your StoneGate appliance only partially starts up (for example, the power light is on, but the NIC LEDs are off and the appliance does not connect) turn the appliance off for five seconds and then back on.
Laser Precautions
Class 1 Laser Product.
Caution – Class 3B visible and invisible laser radiation when CD-ROM drive is open. Avoid exposure to the beam.
Caution – Invisible laser radiation is emitted from the end of fiber cable and from aperture of the port when no fiber cable is connected. Do not stare into the beam and avoid direct exposure to the beam.
Operating Precautions
Care must be taken to assure that the appliance cover is in place when the appliance is operating to ensure proper cooling. If this rule is not strictly followed, the warranty may become void. Do not open the power supply casing. Power supplies can only be accessed and serviced by a qualified technician of the manufacturer.
Operating and Storage Temperatures
The allowed operating temperature of the appliance is +10...+35°C. The allowed storage temperature is -40...+70°C. Do not operate or store the appliance in temperatures outside these limits.
Lithium Battery Precautions
Caution – The battery must be replaced by authorized service personnel only. Danger of explosion if battery is incorrectly replaced. Replacement battery must be same or equivalent type recommended by the manufacturer. Used batteries must be discarded according to the manufacturer’s instructions. Short-circuiting the battery may heat the battery and cause severe injuries.
Unpacking the Appliance
Inspect the box the appliance was shipped in and note if it was damaged in any way. If the appliance itself shows damage, file a damage claim with the carrier who delivered it.
Do not remove the anti-tamper tapes on any part of the appliance.
Front Panel
[Figure: Front Panel With Cover and Front Panel Under the Cover, labelling the power indicator, buttons, LED indicators, USB ports, CD-ROM drive and hard drives]
Under the front panel cover, there are hard drives, a CD-ROM drive, and two USB ports. There are two more USB ports on the back of the appliance. See Connecting the Cables (page 16). The front panel also has six LED indicators and two buttons, which are explained below.
Front Panel Indicators
The front panel has six LED indicators in the upper right corner. The LEDs provide you with critical information related to different parts of the system. For information on the port indicators, see Port Indicators (page 33).
Table 1 Front Panel LEDs (one LED per row)
• Indicates a power failure in the power supply when flashing.
• When flashing, indicates a fan failure. When continuously on, indicates an overheat condition, which may be caused by cables obstructing the airflow in the system or the ambient room temperature being too warm.
• Indicates network activity on the onboard LAN2 Ethernet interface when flashing (check the port number on the back panel).
• Indicates network activity on the onboard LAN1 Ethernet interface when flashing (check the port number on the back panel).
• Indicates hard drive or CD-ROM drive activity when flashing.
• Indicates power is being supplied to the system's power supply units. This LED is illuminated when the system is operating normally.
Front Panel Buttons
There are two push-buttons in the upper right corner of the front panel. Do not press them if the appliance is online (processing traffic) and operating normally.
Table 2 Front Panel Buttons (one button per row)
• This button is not currently used.
• This is the main power button, which is used to turn on/off the main system power. Turning off the appliance keeps standby power supplied to the system.
Rack-Mounting
There are a variety of rack units on the market, so the assembly procedure may differ slightly from what is instructed in this guide. Refer to the instructions that came with the rack unit you are using.
The rail assemblies supplied with the appliance are designed for rack depths from 30 to 33 inches.
Caution – Do not install the appliance into a Telco rack, as this may damage the appliance.
Caution – Read the Safety Precautions (page 6) before proceeding.
Preparing for Rack-Mounting
The appliance delivery includes the rail assemblies and the mounting screws you need to install the system into the rack.
Read the sections below before you begin the installation.
Choosing a setup location
Decide on a suitable location for the rack unit that will hold the appliance:
• The appliance must be situated in a clean, dust-free area that is well ventilated.
• Avoid areas where heat, electrical noise and electromagnetic fields are generated.
• Leave enough clearance in front of the rack to enable you to open the front door completely (~63 cm/25 inches).
• Leave enough clearance in the back of the rack to allow for sufficient airflow and ease in servicing (~76 cm/30 inches).
Rack precautions
• Ensure that the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on them.
• In single rack installation, stabilizers should be attached to the rack.
• In multiple rack installations, the racks should be coupled together.
• Always make sure the rack is stable before extending a component from the rack.
• Extend only one component at a time—extending two or more simultaneously may cause the rack to become unstable.
Appliance precautions
• Determine the placement of each component in the rack before you install the rails.
• Install the heaviest components on the bottom of the rack first, and then work up.
• The appliance must be connected to grounded power outlets.
• Use a regulating uninterruptible power supply (UPS) to protect the appliance from power surges, voltage spikes and to keep your system operating in case of a power failure.
• Always keep the rack's front door and all panels and components on the appliances closed when not servicing to maintain proper cooling.
Before installing the appliance into a rack
1. Make sure that the rack is securely anchored onto an unmovable surface or structure before installing the appliance into the rack.
2. Unplug the power cord(s) of the rack before installing the appliance into the rack.
3. Make sure that the system is adequately supported. Make sure that all the components are securely fastened to the appliance to prevent components falling off from the appliance.
4. Be sure to install an AC power disconnect for the entire rack assembly. This power disconnect must be clearly marked.
5. The rack assembly shall be properly grounded to avoid electric shock.
6. The rack assembly must provide sufficient airflow to the appliance for proper cooling.
Installing the Appliance into a Rack
[Figure: inner rail on the side of the appliance, with the screw holes marked]
Follow the instructions in this section and the precautions laid out in the previous sections above to install the StoneGate appliance into a rack. Also, refer to the documentation that came with the rack.
The appliance package includes one set of rail assemblies (two inner and two outer). The inner rails secure to the appliance and the outer rails secure directly to the rack. You must first install the inner rails to the appliance.
To install the inner rails
1. Place the inner rail on the side of the appliance and align the hooks on the appliance cover with the rail extension holes.
2. Slide the rail toward the front of the appliance.
3. Attach the rail to the appliance with four screws.
4. Repeat steps 1-3 for the other inner rail.
After you have installed the inner rails on the appliance, you are ready to install the outer rails of the rail assemblies to the rack.
To attach the outer rails to the rack
[Figure: Front Outer Rail and Rear Outer Rail]
1. Find the front and the rear outer rails in the package. The front outer rails are marked with R for “right” and L for “left” to show on which side of the rack you must secure them.
2. Locate the button on the side of the front outer rail and attach the rear rail to the front rail by sliding the opening of the rear rail through the button.
3. Measure the depth of your rack and adjust the length of the front and rear rails accordingly.
4. Secure the front outer rail to the front of the rack with three screws.
5. Secure the rear rail to the back of the rack with three screws.
6. Secure the rear rail from the outside to the front rail with at least one screw depending on the size of the rack.
7. Repeat steps 2-6 for the other side.
To install the appliance into the rack
1. Line up the rear of the inner rails with the front of the outer rails.
2. Slide the inner rails into the outer rails, keeping the pressure even on both sides (you may have to depress the locking tabs when inserting). When the appliance has been pushed completely into the rack, you should hear the locking tabs "click" as the rails lock.
3. Insert and tighten the thumbscrews that hold the front of the appliance to the rack.
Proceed to Connecting the Cables (page 16).
Connecting the Cables
[Figure: Back panel, labelling the Ethernet ports, VGA port, two USB ports, serial port, AC power connectors, and PS/2 mouse and keyboard ports]
Connect the cables after installing the appliance into the rack.
Connecting Management Cables
To connect management cables
• Choose one of the following:
  - Connect a monitor to the VGA port and a keyboard to the PS/2 keyboard port.
  - Or connect a monitor to the VGA port and a keyboard to a USB port.
  - Or connect the supplied null-modem cable to the serial port and to another computer that you will use for a terminal connection.
Connecting Network Cables
To connect network cables
• Connect the network cables to the ethernet ports. The ethernet ports are mapped to Interface IDs during the initial configuration. See the numbering of the ports on the back panel and in the table below.
Table 3 Port Numbers
• Motherboard: Eth 0, Eth 1
• Expansion slots (Slot 1 to Slot 7): Eth 2 to Eth 9, Eth 10 to Eth 17, Eth 18 to Eth 19, and Eth 20 to Eth 21 (see the back panel for which slot holds each group of ports)
The indicators for the Ethernet ports are explained in Port Indicators (page 33).
Cable Types
Make sure that the cables you use are correctly rated (CAT 5e or CAT 6 in gigabit networks).
Speed/Duplex Settings
Network cards at both ends of each cable must have identical speed/ duplex settings. This also applies to the automatic negotiation setting: if one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate. Gigabit standards require interfaces to use autonegotiation—fixed settings are not allowed at gigabit speeds.
Connecting the Appliance to the Power Supply
To connect the appliance to the power supply
1. Connect the power cables to the AC power connectors on the back of the appliance. It is recommended to connect both power connectors to a power source to guarantee that the appliance can function even if one of the power connectors fails.
2. Plug the power cords into grounded, high-quality power strips that offer protection from electrical noise and power surges. We highly recommend using an uninterruptible power supply (UPS) to ensure continuous operation and minimize the risk of damage to the appliance in case of sudden loss of power. For a truly redundant power supply, connect each AC power connector on the appliance to a different UPS, so that the failure of one UPS will not cut off the power to both power supplies.
Initial Configuration
Your StoneGate appliance comes pre-loaded with StoneGate engine software. However, before a policy can be loaded on the appliance, you must configure some permanent and some temporary network settings. To successfully complete the configuration:
• The Firewall element must be defined in the Management Center.
• You must have the following engine-specific information from the Management Server: a one-time password or a saved initial configuration file on a USB stick.
See the Firewall/VPN Installation Guide for details.
Note – The appliance must contact the Management Server before it can be operational.
Connecting to the Appliance
You do not need to connect to the appliance at this point if you want to configure the engine automatically with a USB stick (as explained in Configuring the Engine Automatically (page 20)), and you are not interested in the console messages that are displayed during this process.
In other cases, you need a physical connection to the appliance using a monitor and keyboard or a serial cable connection from a computer with a terminal program. By default, the monitor and keyboard connection is enabled and the serial console is inactive. If you want to use a serial connection, follow the instructions directly below. To use a monitor and keyboard, just boot up the appliance.
To connect using a serial cable
1. Connect the serial cable supplied with the appliance to the serial port on the appliance and to a computer.
2. On the computer, open a terminal with settings 9600 bps, 8 data bits, 1 stop bit, no parity.
3. Power on the appliance.
4. Press a key on your keyboard when you see “Press any key”. The message is shown four times. If you do not press a key within this time, the serial console remains inactive and you must reboot the appliance to try again.
5. A boot menu is shown. Select the Switch to serial console option. The firewall boots up with the serial console activated.
The keyboard and display console is now inactive and must be activated in a similar way before you can use it.
To define two active consoles, use the command sg-bootconfig. For usage, see “Command Line Tools” in the Firewall/VPN Reference Guide, Administrator’s Guide or Online Help of the Management Client.
There are two ways to configure the engine software.
• You can configure the engine automatically with a USB stick. See Configuring the Engine Automatically below.
• If the automatic configuration is not possible or desired, you can use the engine configuration wizard. See Configuring the Engine with Configuration Wizard (page 21).
Configuring the Engine Automatically
The automatic configuration requires that you have a suitable configuration saved on a USB memory stick. See the Firewall/VPN Installation Guide or the Online Help of the Management Client for details.
If you want to check the configuration before it is activated, follow the instructions in Configuring the Engine with Configuration Wizard (page 21), and import the configuration manually.
To import and activate a configuration from a USB stick
1. Insert the USB stick that contains the configuration saved in your Management Client in one of the USB ports on the appliance.
2. Power on the appliance. The appliance automatically imports the configuration from the USB stick and then tries to make the initial contact to the Management Server. If the connection is successful, the appliance automatically reboots itself and the engine configuration is finished.
If you configure the engine with a USB stick, you must set a password for the root account in the Management Client to enable command line access to the engine. If you want to allow remote access to the engine using SSH, enable the SSH daemon for the engine in the Management Client. See the Administrator’s Guide for more information.
Proceed to After Successful Management Server Contact (page 26).
If the Automatic Configuration Fails
• If the automatic configuration fails, and you do not have a display connected, you can check for the reason in the log (sg_autoconfig.log) written on the USB stick.
• If you see a “connection refused” error message, ensure that the Management Server IP address is reachable from the engine and check the IP addresses you have defined in the Management Client.
• If the configuration with the USB stick still does not succeed, follow the instructions for the manual configuration, see Configuring the Engine with Configuration Wizard below.
Configuring the Engine with Configuration Wizard
To start the configuration wizard
• Turn on the appliance using the power on/off button. The engine bootup process is shown in the console and, after some time, the engine configuration wizard starts.
Note – You can (re)start the engine configuration wizard at any time using the sg-reconfigure command on the engine command line.
To select the configuration method
1. Do one of the following:
   To import a saved configuration, highlight Import using the arrow keys and press ENTER.
   To skip the import, highlight Next and press ENTER.
2. If you selected the Import option, select the configuration file.
To set the keyboard layout
1. Highlight the entry field for Keyboard Layout using the arrow keys and press ENTER. The Select Keyboard Layout dialog opens.
2. Highlight the correct layout and press ENTER.
Tip: Type in the first letter to move forward more quickly in the list of keyboard layouts.
Note – If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.
To set the engine’s timezone
1. Highlight the entry field for Local Timezone using the arrow keys and press ENTER.
2. Select the correct timezone in the dialog that opens.
Note – The timezone setting affects only the way the time is displayed on the engine command line. The actual operation always uses UTC time.
Note – The appliance’s clock is automatically synchronized with the Management Server’s clock.
To set the rest of the OS settings
1. Type in the name of the firewall.
2. Type in the password for the user root. This is the only account for engine command line access.
3. (Optional) Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to the engine command line using SSH.
Note – It is not necessary to enable the SSH daemon now for ongoing management, as this option can also be set through the Management Client. We recommend that you enable the SSH access in the Management Client when needed and then disable the access again when you are done.
4. Highlight Next and press ENTER. The Configure Network Interfaces window is displayed.
Configuring the Network Interfaces
The configuration utility can automatically detect which network cards are in use. You can also add interfaces manually, if necessary.
To add the network interfaces
1. Highlight Autodetect and press ENTER.
2. Check that the automatically detected drivers are correct and that all interfaces have been detected. To add interfaces manually, click Add and select a device driver.
To map the physical interfaces to interface IDs
1. Type in the Interface IDs to define how physical interfaces are mapped to the Interface IDs you defined in the Firewall element. Ethernet ports are detailed in Connecting the Cables (page 16).
2. Highlight the Media column and press ENTER to match the speed/duplex settings to those used in each network. Make sure that the speed/duplex settings of network cards are identical at both ends of each cable.
3. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server.
Note – The Management interface must be the same that you configured as the Primary Control Interface for the corresponding Firewall element in the Management Center.
4. Highlight Next and press ENTER to continue.
Contacting the Management Server
The Prepare for Management Contact window opens. If the initial configuration was imported in the configuration wizard, most of this information is filled in.
This task has three parts. First, you activate an initial configuration on the firewall.
• The initial configuration contains the information that the engine needs to connect to the Management Server for the first time.
• The initial configuration is replaced with a working configuration when you install a Firewall Policy from the Management Server on this engine using the Management Client.
To activate the initial configuration
1. Highlight Switch Firewall Node to Initial Configuration and press spacebar to activate.
2. Fill in according to your environment. The information must match what you defined for the Firewall element (Primary Control IP Address). If the engine and the Management Server are on the same network, you can leave the Gateway to management field empty.
The initial configuration contains a simple firewall policy that allows only administration-related connections and blocks everything else.
In the second part of the configuration, you define the information needed for establishing a connection between the engine and the Management Server.
To fill in the Management Server information
1. Highlight Contact Management Server and press spacebar to activate.
2. Fill in the Management Server IP address and the one-time password that was created for this engine when you saved the initial configuration.
If you do not have a one-time password for this firewall, see the Firewall/VPN Installation Guide for instructions on how to save an initial configuration.
3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). Filling it in increases the security of the communications.
4. Highlight Finish and press ENTER.
The engine now tries to make initial Management Server contact.
• If you see a “connection refused” error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. Save a new initial configuration if unsure about the password.
• If the engine is unable to contact the Management Server, make sure there are no networking problems, that all information defined in the Firewall element corresponds to what you entered in the Configuration wizard and, if NAT is in use, that you have configured contact addresses for NAT as explained in the Firewall/VPN Installation Guide.
Note – Once initial contact has been made, the engine receives a certificate from the Management Center for authentication. If the certificate is deleted or expires, you must repeat the initial contact using a new one-time password.
After Successful Management Server Contact
After you see a notification that Management Server contact has succeeded or the appliance has rebooted itself after configuration with a USB stick, the firewall engine installation is complete and the firewall is ready to receive a policy. In a while, the firewall’s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server can connect to the node.
The next step is creating a security policy and installing it on the engine. See the Online Help of the Management Client for detailed instructions.
Caution – When using the command prompt, use the reboot command to reboot the node and the halt command to shut it down. Do not use the init command. You can also reboot the node using the Management Client.
Command-Line Management
To permanently activate the serial console
1. Log in to the command line (using SSH, or a keyboard and display) as user Root with the password you have set for the appliance.
2. Run the command sg-bootconfig --secondary-console
Maintenance Operations
Common maintenance operations for this StoneGate appliance are described below.
Note – The only user-serviceable units are fans and power supply modules. Any other changes can void the hardware warranty.
Caution – Read Safety Precautions (page 6), before proceeding.
Before accessing the appliance
1. Press the power button to power off the system.
2. Unplug all power cords from the system or the wall outlets.
3. Disconnect all the cables and label the cables for easy identification.
4. Use a grounded wrist strap designed to prevent static discharge when handling components.
Replacing Power Supply Modules
[Figure: power supply module, showing the release tab and the handle]
Caution – Unplug the power cord from the power supply module before removing the power supply module from the appliance.
To replace power supply modules
1. Locate the release tab on the left side of the power supply.
2. Push the release tab to the right to release the power supply from its locking position.
3. Pull out the power supply using the handle provided.
4. Replace the power supply with a new one of the same model.
5. Push the power supply into the power bay until you hear a click.
Caution – Do not open the casing of a power supply. Power supplies can only be accessed and serviced by a qualified technician from the manufacturer.
Replacing Appliance Fans
[Figure: top cover of the appliance, showing the release tabs]
There are three front fans and two rear fans on the appliance. Before replacing appliance fans, you must first open the appliance’s top cover.
To replace appliance fans
1. Remove the screw that secures the cover to the appliance, and press the release tabs to release the cover from its locking position.
2. Push the cover toward the rear of the appliance and slide it out from the appliance.
[Figure: fan locations Fan 1 to Fan 5, showing the release tab on a front fan and the release tab on a rear fan]
3. Press the release tab located on the side of the appliance fan to release the fan from its locking position.
4. Remove the fan from the appliance and slide the new fan into the fan housing.
Note – It is recommended that you replace all the appliance fans at the same time. If one of the fans fails, the other fans may also need to be replaced soon.
Reverting to Previously Installed Software Version
This procedure allows you to undo a software upgrade. The appliance has two working partitions. One is designated as active and the other as inactive. The inactive partition is used for upgrades, and the status is switched between the partitions when the upgrade is ready to be activated. If the appliance does not start up with the new version, it automatically switches to the previous configuration at the next reboot. You can also switch back to the previously installed software version manually as instructed here whenever necessary.
To switch back to the previously active version
1. Connect the serial cable supplied with the appliance to the serial port on the appliance and to a computer.
2. On the computer, open a terminal with settings 9600bps, 8 databits, 1 stopbit, no parity.
3. (Re)start the appliance:
If the appliance is powered on, press Enter, log in, and issue the command reboot.
Note – When the appliance is powered and you need to unplug it, always wait at least five (5) seconds before plugging in the appliance again. Otherwise, the appliance may not have time to clear properly and fails to start.
4. Wait until a boot menu is shown.
5. Select Switch to previously installed software version. Note the indicated partition (A or B). The appliance switches partitions and boots up.
6. Refresh the policy on the engine to synchronize the policy and other configuration data between components.
Note – If the certificate for system communications on the previously used partition is not valid anymore, see the Troubleshooting section in the Management Client’s Online Help for renewal instructions.
If you want to undo this operation, repeat the steps exactly as above.
Resetting the Appliance to Factory Settings
The primary way to reset the appliance’s settings is to run the configuration wizard (sg-reconfigure command line tool) and to select the Switch Firewall Node to Initial Configuration option.
Note – Perform a factory reset only if you have a specific need to do so. Consult Stonesoft Support before performing this operation if you are unsure of whether this operation is necessary or not.
To reset to factory settings
1. Connect the serial cable supplied with the appliance to the serial port on the appliance and to a computer.
2. On the computer, open a terminal with settings 9600bps, 8 databits, 1 stopbit, no parity.
3. (Re)start the appliance:
If the appliance is powered on and accessible, press Enter, log in and issue the command reboot.
Otherwise, cycle the power off and on as appropriate.
Note – When the appliance is powered and you need to unplug it, always wait at least five (5) seconds before plugging in the appliance again. Otherwise, the appliance may not have time to clear properly and fails to start.
4. Wait until a boot menu is shown.
5. Select System Restore Options from the boot menu.
6. Type 1 and press Enter to clear the settings. A confirmation prompt is shown.
7. Type YES and press Enter to perform the reset. If you decide to cancel the operation, type NO and press Enter.
Caution – Do not unplug the power from the appliance or interrupt the reset in any way. If the reset is interrupted, the appliance may become unusable until serviced.
To use the appliance after a factory reset, you must configure it as explained in Initial Configuration (page 19).
Port Indicators
[Figure: port indicators, showing the Activity and Link LEDs]
The port indicators provide information on the activity and link status of the ports.
Motherboard Ports
Table 4 Motherboard Port Indicators
Indicator   Color   Explanation
Activity    Amber   Link ok, blinks on activity.
            Unlit   No link or the speed is 10 Mbps.
Link        Green   Speed is 100 Mbps.
            Amber   Speed is 1 Gbps.
10 Gigabit Fiber NIC
[Figure: 10 Gigabit Fiber NIC, showing the ACT/LINK indicator]
Table 5 Indicators in 10 Gigabit Fiber NIC
Indicator   Status   Explanation
ACT/LINK    Lit      Link ok. Blinks on activity.
Disposal Instructions
Dispose of the appliance separately from household waste at an appropriate waste disposal facility at the end of its useful service life.
StoneGate Appliance Installation Guide
This booklet covers the initial installation and configuration tasks specific to your StoneGate Appliance.
For information on how to prepare the Management Center for a new engine installation, see the other available documentation. See inside for further details.
All documentation and our technical knowledge base is available at:
www.stonesoft.com/support.
Copyright 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Stonesoft Inc. Americas Headquarters
1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338, USA tel. +1 866 869 4075 fax. +1 770 668 1131
Stonesoft Corporation
International Headquarters
Itälahdenkatu 22 A
FI-00210 Helsinki, Finland
tel. +358 9 4767 11
fax. +358 9 4767 1234
www.stonesoft.com