Symantec 5000 Series Installation Manual

Symantec™ Gateway Security 5000 Series v3.0.1
Installation Guide
Supported hardware platforms:
Symantec Gateway Security 5600 Series, Symantec Gateway Security 5400 Series, and Symantec Clientless VPN Gateway 4400 Series
Symantec™ Gateway Security 5000 Series v.3.0.1 Installation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 1.0 March 17, 2006
Copyright notice
Copyright 1998–2006 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
This product requires a license file. The fastest and easiest way to register your service is to access the Symantec licensing and registration site at https://licensing.symantec.com.
Contacting Technical Support
Customers with a current maintenance agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at https://www-secure.symantec.com/platinum. When contacting the Technical Support group, please have the following:
Product release level
Hardware information
  Available memory, disk space, NIC information
Operating system
  Version and patch level
Network topology
  Router, gateway, and IP address information
Problem description
  Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec’s technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Installing the appliance
About the Symantec Gateway Security 5000 Series ..............................................................................................9
Optional and replaceable parts ..........................................................................................................................9
Hard drives .........................................................................................................................................................10
Intended audience .............................................................................................................................................10
Planning for installation ..........................................................................................................................................10
Installing the Symantec Gateway Security 5600 Series appliance ....................................................................11
Installing a free-standing appliance ...............................................................................................................11
Installing a rack-mounted appliance ..............................................................................................................11
Installing a slide rack-mounted appliance .....................................................................................................12
Front panel layout .....................................................................................................................................................13
Front panel status indicators ...........................................................................................................................13
Using the LCD system menu ....................................................................................................................................14
Using front panel controls ...............................................................................................................................14
Using the system menu ....................................................................................................................................16
Locking front LCD panel controls ...................................................................................................................16
Unlocking the front LCD panel controls ........................................................................................................16
Viewing system information on the LCD ...............................................................................................................16
RAID status messages .......................................................................................................................................17
Symantec Gateway Security 5600 Series back panel features ...........................................................................18
Model 5620 back panel features ..............................................................................................................................18
Connecting model 5620 to the network .........................................................................................................19
Connecting the power cord to model 5620 ....................................................................................................19
Turning on the power for model 5620 ............................................................................................................20
Model 5640 back panel features ..............................................................................................................................20
Model 5660 back panel features ..............................................................................................................................21
Connecting models 5640 and 5660 to the network ......................................................................................23
Connecting the power cord to models 5640 and 5660 ................................................................................23
Connecting an Uninterruptible Power Supply (UPS) ...........................................................................................23
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM ...........24
Chapter 2 Setting up the appliance and configuring the system
Installing and setting up the appliance ..................................................................................................................27
5620 back panel layout .....................................................................................................................................27
5640 back panel layout .....................................................................................................................................28
5660 back panel layout .....................................................................................................................................28
Shutting down the appliance ...................................................................................................................................31
Configuring the appliance with the System Setup Wizard .................................................................................31
Logging on to the SGMI for the first time .....................................................................................................31
Running the System Setup Wizard .................................................................................................................31
Running application LiveUpdate during initial logon .................................................................................37
Integrating the SGMI to the desktop ..............................................................................................................37
Chapter 3 Upgrading appliance software and migrating configurations
About upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1 ..........................................39
Upgrade and update methods ..........................................................................................................................40
Upgrade and update requirements .................................................................................................................41
Requirements for the local upgrade and update ..................................................................................41
Requirements for remote upgrade or update ........................................................................................42
Patches and hotfixes .................................................................................................................................42
Upgrade and update preparation ............................................................................................................................42
General planning for on site upgrades and updates ....................................................................................42
Planning for remote upgrades or updates .....................................................................................................43
Remote access to the appliance .......................................................................................................................43
Licensing your Symantec Gateway Security 5000 Series v3.0.1 software ................................................44
Backing up your Symantec Gateway Security 5000 Series license files ...................................................44
Backing up security gateway configurations and data files .......................................................................45
Backing up Symantec Gateway Security 5000 Series v3.0 configurations .......................................45
Backing up Symantec Gateway Security 5000 Series v2.0.1 configurations ....................................46
Backing up Symantec Clientless VPN Gateway 4400 Series v5.0 configurations and data files ... 46
Manual backups .................................................................................................................................................47
Backing up cluster information .......................................................................................................................49
Performing remote upgrades and updates ............................................................................................................49
Uploading the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to an FTP server .........................................................................49
Downloading the upgrade or update files to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance ................................................50
Verify the amount of free disk space on the appliance ........................................................................50
Downloading the entire or split kit .........................................................................................................50
Running the upgrade or update .......................................................................................................................51
Post-upgrade or update restoration .......................................................................................................................52
SGMI access after upgrading or updating .....................................................................................................52
Factory reset .......................................................................................................................................................53
Restoring configurations ..................................................................................................................................53
Restoring license files .......................................................................................................................................54
About Symantec Gateway Security 5000 Series v2.0.1 upgrade reports ..................................................55
Post-upgrade tasks for upgraded Symantec Gateway Security 5000 Series v2.0.1 configurations ............. 55
LiveUpdate ..........................................................................................................................................................55
Authentication methods ...................................................................................................................................56
Authentication sequences ................................................................................................................................56
Dynamic authentication sequences ........................................................................................................56
Dynamic authentication group names ...................................................................................................56
Authentication using multiple servers ...................................................................................................56
Bellcore S/Key authentication .........................................................................................................................57
gwpassword authentication .............................................................................................................................57
PassGo Defender authentication .....................................................................................................................57
SecurID authentication .....................................................................................................................................58
Entrust authentication .....................................................................................................................................58
TACACS authentication ....................................................................................................................................58
External LDAP ....................................................................................................................................................58
IDS ........................................................................................................................................................................58
Content security .................................................................................................................................................59
Antivirus comforting ........................................................................................................................................59
Antivirus scanning off-box ..............................................................................................................................59
Antivirus response messages ...........................................................................................................................59
Antivirus X-Virus header .................................................................................................................................60
Antispam mail sender (bad senders list) ........................................................................................................60
Content filtering ................................................................................................................................................60
URL whitelist/blacklist .............................................................................................................................62
MIME types whitelist/blacklist ................................................................................................................63
File Extensions whitelist/blacklist ..........................................................................................................63
Dynamic Document Review .............................................................................................................................63
Log files ...............................................................................................................................................................63
loglevel.cf ............................................................................................................................................................63
SYN flood protection settings ..........................................................................................................................64
Network interfaces ............................................................................................................................................64
SRL .......................................................................................................................................................................64
Cron jobs ..............................................................................................................................................................64
RemPass ..............................................................................................................................................................64
Post-upgrade tasks for upgraded Symantec Clientless VPN Gateway 4400 Series v5.0 configurations ..... 64
Access control ....................................................................................................................................................64
SecurID authentication .....................................................................................................................................65
Windows NT Domain authentication .............................................................................................................65
Logging ................................................................................................................................................................65
Service redirect IP address conflicts ..............................................................................................................65
Object name modification ................................................................................................................................65
Network interfaces ............................................................................................................................................66
Reserved object names ......................................................................................................................................66
Migrating configurations from Symantec Enterprise Firewall ..........................................................................68
Migrating Symantec Enterprise Firewall v8.0 configurations to Symantec Gateway Security 5000 Series v3.0.1 ....................................................................68
Mismatched Symantec Enterprise Firewall v8.0 network interfaces ................................................68
Migrating Symantec Enterprise Firewall v7.0.4 configurations to Symantec Gateway Security 5000 Series v3.0.1 ...................................................................68
Backing up Symantec Enterprise Firewall v8.0 configurations .................................................................69
Assigning network interfaces ..........................................................................................................................69
Migrating Symantec Enterprise Firewall v8.0 configuration files ............................................................69
Chapter 4 Obtaining and installing licenses
Getting started with your 30-day grace period .....................................................................................................71
Preparing to obtain license files ..............................................................................................................................72
Gather your serial number certificates ..........................................................................................................72
Sort your license serial numbers for each appliance ...................................................................................72
Collect product and contact information .......................................................................................................73
The Symantec System ID ..........................................................................................................................73
Appliance serial number ...........................................................................................................................74
License serial number ...............................................................................................................................74
Contact Information ..................................................................................................................................74
Complete the license file organization worksheet .......................................................................................74
Obtaining license files ...............................................................................................................................................76
Preparing to install license files ..............................................................................................................................76
Valid license combinations ......................................................................................................................................76
Installing license files ...............................................................................................................................................77
Viewing licensed features .........................................................................................................................................78
Removing all license files .........................................................................................................................................78
Appendix A Developing a security plan
Defining your security policy ..................................................................................................................................79
Before writing your security plan ...................................................................................................................79
Becoming security-conscious ...........................................................................................................................80
Formulate goals ..........................................................................................................................................80
Review issues ..............................................................................................................................................80
Educating users ..........................................................................................................................................................80
Involving the user community ........................................................................................................................80
Notifying affected users ............................................................................................................................80
Taking a pro-active stance .......................................................................................................................81
Security policy worksheets ......................................................................................................................................81
Defining your organization ..............................................................................................................................81
Collecting hardware information .................................................................................................................... 83
Collecting your TCP/IP address .......................................................................................................................84
Defining your allowed TCP/IP services ..........................................................................................................85
Collecting email information for security gateway notifications ..............................................................86
Defining your Web services .............................................................................................................................87
Access lists ..................................................................................................................................................88
Defining your network architecture ...............................................................................................................89
Chapter 1 Installing the appliance
This chapter includes the following topics:
About the Symantec Gateway Security 5000 Series
Planning for installation
Installing the Symantec Gateway Security 5600 Series appliance
Front panel layout
Model 5620 back panel features
Model 5640 back panel features
Model 5660 back panel features
Connecting an Uninterruptible Power Supply (UPS)
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM
About the Symantec Gateway Security 5000 Series
The Symantec™ Gateway Security 5000 Series is a comprehensive network security device that integrates firewall, VPN, antivirus, intrusion detection and prevention, content filtering, and high availability/load balancing components into an appliance that protects networks at the gateway to the Internet or subnets of larger WANs and LANs.
See the Symantec™ Gateway Security 5000 Series Getting Started Guide, Safety and System Specifications section for more information about the Symantec™ Gateway Security 5600 Series appliances.
Optional and replaceable parts
Field replaceable units (FRUs) are parts of the appliance that can be quickly and easily removed and replaced by users or by a technician without having to send the entire appliance to a repair facility. Symantec Gateway Security 5600 Series models 5640 and 5660 appliances have the following FRUs and optional components:
Power Supply
Disk Assembly
Fan Assembly
Small Formfactor Pluggable - SX and LX Fiber
Small Formfactor Pluggable - TX Copper
Bezel Assembly
Rack Mount Slide Assembly
Cable Management Bracket
Mounting Brackets
Small Formfactor Pluggables (SFPs) are plug-in devices that vary the physical network with which a single NIC can communicate (copper or fiber: SX fiber, CX fiber, and TX copper).
All components for the Symantec Gateway Security 5600 Series model 5620 are fixed components.
See the Symantec™ Gateway Security 5600 Series Field Replaceable Units Guide for more information on optional and replaceable parts. See the Symantec™ Gateway Security 5000 Series v3.0 Getting Started Guide for more information on software features.
Hard drives
Symantec Gateway Security 5600 Series models with two hard drives installed run Redundant Array of Inexpensive Disks (RAID) software. Table 1-1 describes the Symantec Gateway Security 5000 Series hard disk configurations.
Table 1-1 5000 series hard disk configurations
5000 models: Hard disk configurations
5620: Comes with one hard drive. Does not have a slot for a second hard drive and never runs RAID.
5640: Comes with one hard drive and a slot for adding a second, optional hard disk with RAID. Runs RAID automatically when the second hard disk is installed.
5660: Comes with two disks installed, already running RAID.
All upgraded 5400 series models: Come with one hard drive. Do not have a slot for a second hard drive and never run RAID.
Upgraded 4400 appliance: Comes with one hard drive. Does not have a slot for a second hard drive and never runs RAID.
Intended audience
This manual is intended for system managers or system administrators responsible for installing and administering the Symantec Gateway Security 5000 Series.
Warning: This is an electrically powered device. You must adhere to warnings and cautions when installing or working with the Symantec Gateway Security 5600 Series appliance. Read the installation instructions and heed all warnings before connecting the appliance to its power source. See the Symantec™ Gateway Security 5600 Series Safety and System Specifications for all warning information about the Symantec Gateway Security 5600 Series appliances.
Planning for installation
Before you install and activate your Symantec Gateway Security 5600 Series appliance you should review your security plan. See “Developing a security plan” on page 79.
You can install the Symantec Gateway Security 5600 Series appliance as a free-standing unit, or as a rack-mounted unit using mounting brackets or slides. When preparing to install your appliance, refer to the following guidelines:
Smooth and level surface
Place the appliance on a smooth and level surface, such as the top of a computer table or in a rack. Make sure that the area is clear of dust and debris.
Plenty of ventilation
The installation site must meet minimum environmental specifications. Ensure that there is adequate space (at least 1 inch) on all sides of the appliance to allow air circulation to cool the machine.
Caution: Never place objects or paper on top of the appliance.
Proper power source
Install the appliance near a power source that is adequate and near enough to the appliance so that the power cord is not strained, stretched, or in danger of coming unplugged.
Caution: Do not use an extension cord to supply power to this unit.
Appliance and cables away from high-traffic areas
Install the appliance in an area that is out of the way of foot traffic.
Restrict access to this area to authorized security personnel.
Installing the Symantec Gateway Security 5600 Series appliance
You can install the Symantec Gateway Security 5600 Series appliance as a free-standing unit, in a rack-mounted configuration, or in a slide rack-mounted configuration.
Installing a free-standing appliance
The Symantec Gateway Security 5600 Series can be installed as a free-standing appliance. Install the Symantec Gateway Security 5600 Series appliance at a location that meets the pre-installation requirements.
See “Planning for installation” on page 10.
Installing a rack-mounted appliance
The following rack-mounting instructions apply to all appliance models. Because rack hardware can differ between sites, rack-mounting screws are not shipped with the unit. Before installing your appliance, obtain the proper size screws for mounting the appliance in your specific rack.
This section describes how to install the appliance in a standard 19-inch equipment rack.
To install a rack-mounted appliance
1 Connect the mounting brackets to the sides of the appliance using the supplied bracket screws.
2 Secure the mounting brackets to the equipment rack.
Installing a slide rack-mounted appliance
The Symantec Gateway Security 5600 Series has mounting holes on the chassis for use with rack mount slides. The Symantec Gateway Security 5600 Series model 5660 comes with a rack mount slide kit.
Front panel layout
The Symantec Gateway Security 5600 Series front panel, shown in Figure 1-1, contains six data entry and navigation buttons, a two-line by 16 character liquid crystal display (LCD) area, and status indicators. The front panel looks the same on all models, except the model 5620 which has a narrower profile.
The initial setup of the Symantec Gateway Security 5600 Series takes place at the appliance front panel, where you enter and modify parameters, such as system and network IP addresses. See “Installing and setting up the appliance” on page 27.
Figure 1-1 Symantec Gateway Security 5600 Series front panel
Table 1-2 describes the elements of the front panel and how they work.
Table 1-2 Front panel descriptions
Location Feature Description
1 Status indicators Display a status of the basic appliance condition. See “Front panel status indicators” on page 13.
2 LCD Displays the Symantec Gateway Security 5600 Series software version number, the System ID and system monitoring information. You can monitor appliance status, modify interface parameters, and reinitialize the appliance. The options you can access on the LCD screen include: system startup self-tests, performance monitoring, and the system menu. See “Using the LCD system menu” on page 14.
3 Front panel controls Let you enter network information directly into the appliance. See “Using the LCD system menu” on page 14.
Front panel status indicators
The front panel status indicators are the same on all models. Use these indicators for a quick visual status of the appliance.
Figure 1-2 Front panel status indicators
Table 1-3 Front panel status indicators
Location Feature Description
1 Power Glows green steadily to indicate the power is on.
2 Disk activity Blinks green when there is activity on the hard disk drive.
3 Attention Glows orange when the appliance needs attention. Check log messages for more information. Also glows orange during the power on process. There is also an attention status indicator on the back panel of the appliance.
4 Network activity Blinks green when there is network traffic.
5 Temperature Glows red to indicate high temperature status. A log message is sent to the appliance log file.
Using the LCD system menu
When your appliance is running, you can access the LCD system menu by pressing any button on the appliance’s front panel. You can then select the system menu by pressing the menu button. By using the arrow buttons, you can view the various system menu options. The LCD can be locked to prevent unauthorized access. See “Locking front LCD panel controls” on page 16.
Using front panel controls
The front panel controls are the same on all models. The front panel controls perform dual functions. These functions depend upon whether the Symantec Gateway Security 5600 Series is in initial setup mode or if you are using the system menu to change setup information. The front panel controls consist of four navigation buttons, a menu button, and an enter button. Figure 1-3 shows the front panel controls.
Figure 1-3 Front panel controls
Table 1-4 describes the function of the front panel controls. Use these controls to enter your system
information. The up, down, left, and right buttons do not physically have arrows on the buttons: these symbols are used here to describe how the buttons work.
Table 1-4 Front panel controls
Button Name Function
Up Increase the current number displayed on the LCD or move to the previous menu item. Pressing and holding the up button rapidly increases the value displayed.
Down Decrease the current number displayed on the LCD or move to the next menu item. Pressing and holding the down button rapidly decreases the value displayed.
Left Move to the left fields on the LCD to enter IP addresses or to move to the previous menu item.
Right Move to the right fields on the LCD to enter IP addresses or to move to the next menu item.
Menu Launch the System Menu when the appliance is in monitoring mode. Also use this button to cancel the current option without completing it. On upgraded Symantec Gateway Security 5400 Series or Symantec Clientless VPN Gateway 4400 Series appliances, use the S (Select) button.
Enter Accept the current value displayed in the LCD when entering information. On upgraded Symantec Gateway Security 5400 Series or Symantec Clientless VPN Gateway 4400 Series appliances, use the E (Enter) button.
Using the system menu
The system menu provides five options that you perform from the front panel. See “System Menu options” on page 16. For descriptions of the buttons on the appliance front panel and the functions they perform, see “Using the LCD system menu” on page 14.
Table 1-5 System Menu options
Option Description
1. Network Setup The system prompts you to reenter or change network settings configured during the initial setup process. To continue to the next system menu entry, press either the down button or the right button.
2. Reboot The system prompts you to select [OK] or [Cancel]. [Cancel] is selected by default. To reboot, use the right or left button to move the cursor to [OK] and press the Enter button.
3. Shutdown The system prompts you to confirm system shutdown. Select [OK] or [Cancel]. Press the Enter button again to enter your selection.
4. System ID Displays the appliance’s Symantec System ID. The Symantec System ID is required to obtain the appliance’s product license. Press the Enter button to return to the system menu once the Symantec System ID is displayed on the LCD screen. Press either the down button or the right button to move to the next menu item.
5. Factory reset If you select this menu item, you are prompted to confirm with [OK] or [Cancel].
Note: If you select [OK], the appliance returns to its default state and loses any software patches that have been applied. This is the state (Symantec Gateway Security 5000 Series v3.0.1) it was in when you first received the appliance. All network information and configuration data you have entered is lost. Only licensing information, if entered, is retained.
Locking front LCD panel controls
You can use the System Setup Wizard to lock the appliance front LCD panel controls, which provides additional security against personnel who should not have access privileges. For more information about locking the front LCD panel controls, see the Symantec Gateway Security 5000 Series v3.0 Getting Started Guide or the Symantec Gateway Security 5000 Series v3.0 Administration Guide.
Unlocking the front LCD panel controls
You can unlock the LCD panel and associated navigation buttons with your appliance password, but it relocks after 60 seconds of inactivity. To unlock the front LCD panel controls for a longer period of time, you must rerun the System Setup Wizard to uncheck the box that you checked to lock the front panel. Running the System Setup Wizard requires you to reboot your appliance. See the Symantec Gateway Security 5000 Series v3.0 Getting Started Guide or the Symantec Gateway Security 5000 Series v3.0 Administration Guide for more information about locking the front LCD panel controls.
Viewing system information on the LCD
Once you complete the initial network appliance setup and restart the appliance, the LCD screen enters a monitoring mode that it remains in during normal system operations. When the appliance is running, the LCD displays four different parameters of information about the status of the appliance. The system updates approximately every second. Each parameter is displayed in one of four individual fields on the LCD.
Table 1-6 describes the system fields on the LCD screen. The system fields on your LCD screen appear as follows:
CPU XX% RAID: XXX
log XX% xxx Mb/s
Table 1-6 LCD system fields
Field Description
CPU XX% Shows the percentage of CPU usage.
RAID XXX Displays status of the hard drives. See “RAID status messages” on page 17.
log XX% Shows the log file size as compared with the free disk space.
xxxx Mb/s Shows the throughput rate for the security gateway (Mbps). When the security gateway is stopped, this field alternates between the throughput rate and the LCD indicator (stopped).
RAID status messages
Symantec Gateway Security 5600 Series models with two hard drives installed run Redundant Array of Inexpensive Disks software (RAID). The LCD displays messages about the RAID status of the appliance’s hard drives. RAID software maintains mirrored images on both hard drives to provide uninterrupted operation in the event of disk failure on one of the hard drives. The appliance continues to operate normally as long as one of the hard disks is working.
Table 1-7 describes the RAID messages displayed on the LCD.
Table 1-7 RAID status messages
Message Description
OK Both hard drives are mirrored and working correctly.
XX% Displays when mirroring is taking place. Shows the current percentage of completion of the mirroring process.
RDY A model 5640 is ready for addition of a second hard drive, or a model 5660 is ready for a replacement of a missing second hard drive.
N/A RAID does not run on the appliance. Applies only to the following:
Symantec Gateway Security model 5620
Upgraded Symantec Gateway Security 5400 series models
Upgraded Symantec Clientless VPN Gateway 4400 appliances
F 2, F 1 One or both of the hard drives has failed: 2 is the top hard drive, 1 is the bottom hard drive. If one of your hard drives has failed, see the SGMI Event logs for more information.
M 2, M 1 One of the hard drives is missing from a previously mirrored system: 2 is the top hard drive, 1 is the bottom hard drive.
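The two-line LCD layout in Table 1-6 and the RAID codes in Table 1-7 are terse and easy to misread during a walk-through of the rack. The following Python example is added here and is not part of the Symantec guide: it parses the two LCD lines as an operator would transcribe them from the front panel into a structured status and lists the conditions that call for action (a failed or missing mirror disk, a stopped security gateway, a log partition close to full). The field layout and the meaning of OK, XX%, RDY, N/A, F n and M n come from the two tables above; the sample readings and the 90% log threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample readings in the two-line layout of Table 1-6
# ("CPU XX% RAID: XXX" over "log XX% xxx Mb/s"). Not captured from a real unit.
SAMPLE_HEALTHY = ("CPU 12% RAID: OK", "log 40% 250 Mb/s")
SAMPLE_FAILED_TOP = ("CPU 87% RAID: F 2", "log 95% 3 Mb/s")
SAMPLE_STOPPED = ("CPU 3% RAID: 42%", "log 10% (stopped)")

# Line 1: CPU percentage and one of the RAID codes from Table 1-7.
_LINE1 = re.compile(r"^CPU\s+(\d{1,3})%\s+RAID:\s*(OK|\d{1,3}%|RDY|N/A|[FM]\s?[12])\s*$")
# Line 2: log usage and either a throughput figure or the "(stopped)" indicator.
_LINE2 = re.compile(r"^log\s+(\d{1,3})%\s+(?:(\d+)\s*Mb/s|\(stopped\))\s*$")

# Table 1-7: "2 is the top hard drive, 1 is the bottom hard drive".
_DISK_POSITION = {"1": "bottom", "2": "top"}


@dataclass
class LcdStatus:
    cpu_pct: int
    raid_raw: str
    raid_state: str                  # healthy, rebuilding, ready, none, failed, missing
    raid_disk: Optional[str]         # "top" or "bottom" for F n / M n codes, else None
    rebuild_pct: Optional[int]       # only set while the mirror is being rebuilt
    log_pct: int
    throughput_mbps: Optional[int]   # None while the security gateway is stopped
    gateway_stopped: bool


def decode_raid(code: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Map a Table 1-7 RAID code to (state, disk position, rebuild percentage)."""
    code = code.strip()
    if code == "OK":
        return "healthy", None, None
    if code == "RDY":
        return "ready", None, None
    if code == "N/A":
        return "none", None, None
    if code.endswith("%"):
        return "rebuilding", None, int(code[:-1])
    # Remaining codes are "F 1", "F 2", "M 1", "M 2".
    state = "failed" if code[0] == "F" else "missing"
    return state, _DISK_POSITION[code[-1]], None


def parse_lcd(line1: str, line2: str) -> LcdStatus:
    """Parse the two LCD lines; raise ValueError if they do not match the layout."""
    m1 = _LINE1.match(line1.strip())
    m2 = _LINE2.match(line2.strip())
    if m1 is None or m2 is None:
        raise ValueError(f"unrecognised LCD reading: {line1!r} / {line2!r}")
    state, disk, pct = decode_raid(m1.group(2))
    mbps = m2.group(2)
    return LcdStatus(
        cpu_pct=int(m1.group(1)),
        raid_raw=m1.group(2),
        raid_state=state,
        raid_disk=disk,
        rebuild_pct=pct,
        log_pct=int(m2.group(1)),
        throughput_mbps=int(mbps) if mbps is not None else None,
        gateway_stopped=mbps is None,
    )


def assess(status: LcdStatus, log_warn_pct: int = 90) -> List[str]:
    """Return the conditions an operator should act on, in the order checked.

    The 90% log threshold is an assumption of this example, not a value from the guide.
    """
    alerts: List[str] = []
    if status.raid_state == "failed":
        alerts.append(f"CRITICAL: {status.raid_disk} hard drive failed; check the SGMI Event logs")
    elif status.raid_state == "missing":
        alerts.append(f"WARNING: {status.raid_disk} hard drive missing from a previously mirrored system")
    elif status.raid_state == "rebuilding":
        alerts.append(f"INFO: mirroring in progress, {status.rebuild_pct}% complete")
    if status.gateway_stopped:
        alerts.append("CRITICAL: security gateway is stopped")
    if status.log_pct >= log_warn_pct:
        alerts.append(f"WARNING: log file at {status.log_pct}% of free disk space")
    return alerts


if __name__ == "__main__":
    for reading in (SAMPLE_HEALTHY, SAMPLE_FAILED_TOP, SAMPLE_STOPPED):
        status = parse_lcd(*reading)
        print(reading, "->", status.raid_state, assess(status) or ["no action needed"])
```

The parser is strict on purpose: a reading that does not match the documented layout raises rather than being silently classified as healthy, which is the failure mode you want to avoid when the status is being relayed by hand or over a phone.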
Symantec Gateway Security 5600 Series back panel features
The back panels of the model 5640 and 5660 are different from model 5620 due to the larger size of the appliance and additional Ethernet ports.
All models of the Symantec Gateway Security 5600 Series appliances have Ethernet ports that can connect to 10/100/1000Base-T networks. Some of the Symantec Gateway Security 5600 Series Ethernet ports have higher transmission rates than the normal Ethernet ports. For information about Ethernet port transmission rates, see Table 1-8.
Table 1-8 Ethernet port transmission rates
Model Higher transmission rate ports Normal transmission rate
5620 eth0 and eth1 eth2, eth3, eth4 and eth5
5640 eth0, eth1 and eth6 eth2, eth3, eth4, eth5, eth7
5660 All ports none
We recommend that you connect your high-throughput network segments to the faster Ethernet ports and your less busy network segments to the normal ports. The total throughput depends on the model of the appliance that you are using and the types of traffic scanning that are enabled using the SGMI.
Model 5620 back panel features
This section describes the back panel features of the Symantec Gateway Security model 5620. Model 5620 offers six 10/100/1000 Fast Ethernet ports.
Figure 1-4 and Table 1-9 describe the back panel features for the model 5620.
Figure 1-4 Model 5620 back panel
Table 1-9 Model 5620 back panel features
Location Feature Description
1 Cooling fan Maintains proper operating temperature. Ensure that the ventilation holes in the front and back are not blocked.
2 Power socket Connection for AC power cord.
3 Master power switch Turns the power to the power supply on or off.
4 Serial console port Provides a connection for a terminal emulator to access the appliance’s Linux operating system locally. Only make changes using the serial console port when instructed by Symantec Technical Support. Making changes to the operating system is not supported.
5 Attention indicator Glows solid red if the appliance needs attention. Check log messages for more information about why the appliance needs attention.
6 Power button Turns the power to the appliance on or off.
7 USB ports Provides a modem connection for dialing pager phone numbers for delivering notifications. Supports (but does not include) USB modems that use the standard AT command set for notifications. Complies with the USB CDC ACM specification. Lets you connect an Uninterruptible Power Supply (UPS) to the USB port for smart UPS support. See “Connecting an Uninterruptible Power Supply (UPS)” on page 23.
Note: Any USB port can be used for either task.
8 eth4 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
9 eth5 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
10 eth2 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
11 eth3 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
12 eth0 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
13 eth1 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
Connecting model 5620 to the network
The Symantec Gateway Security 5600 Series model 5620 back panel provides a total of six 10/100/ 1000 Base-T network connections. Your network connection requirements are based on your site’s network configuration. As you connect model 5620 to the network, see the location numbers from
Figure 1-4 to refer to the back panel features mentioned in each step.
To connect model 5620 to the network
1 Plug the RJ-45 connector from the Internet or router into the interface (8 through 13) that you want to configure as the outside interface.
2 Plug the RJ-45 connectors from any other networks (if present) into any of the remaining network connections.
Connecting the power cord to model 5620
Use the location numbers from Figure 1-4 to refer to the back panel features mentioned in each of the following steps.
To connect the power cord to model 5620
1 Plug the power cord into the power socket on the rear panel (2).
2 Connect the power supply cord from the appliance to an electrical outlet or UPS supply unit.
See “Connecting an Uninterruptible Power Supply (UPS)” on page 23.
Turning on the power for model 5620
Turn on the power by pressing the master power switch (3) on the back of model 5620. The appliance has powered up properly when the following occurs:
The fans turn on, and the LEDs and LCD screen on the appliance light up.
A number of system status messages are displayed on the LCD screen as the appliance completes its start process.
Model 5640 back panel features
This section describes the back panel features of the Symantec Gateway Security 5600 Series for appliance model 5640. The back panels of the model 5640 and 5660 are different from model 5620 due to the larger size of the appliance and additional, gigabit Ethernet ports.
Figure 1-5 and Table 1-10 describe the back panel features for the model 5640.
Figure 1-5 Model 5640 back panel
Table 1-10 Model 5640 back panel features
Location Feature Description
1 Power supply Removable power supply unit. The model 5640 comes with one power supply.
2 Power supply place holder Slot for a second, optional redundant power supply.
3 and 4 Power sockets Connection for AC power cord. The model 5640 uses one power socket and has a second for use with an additional, optional redundant power supply.
5 Serial console port Provides a connection for a terminal emulator to access the appliance’s Linux operating system locally. Only make changes using the serial console port when instructed by Symantec Technical Support. Making changes to the operating system is not supported.
6 Power button Turns the power to the appliance on or off.
7 Attention indicator Lights solid red if the appliance needs attention. Check log messages for more information.
8 USB ports Provides a modem connection for dialing pager phone numbers for delivering notifications. Supports (but does not include) USB modems that use the standard AT command set for notifications. Complies with the USB CDC ACM specification. Lets you connect an Uninterruptible Power Supply (UPS) to the USB port for smart UPS support. See “Connecting an Uninterruptible Power Supply (UPS)” on page 23.
Note: Any USB port can be used for either task.
9 eth6 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
10 eth7 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
11 eth4 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
12 eth5 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
13 eth2 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
14 eth3 Normal transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
15 eth0 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
16 eth1 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
17 Cable management system Accepts the cable management system guide studs and screw.
Model 5660 back panel features
This section describes the back panel features of the Symantec Gateway Security 5600 Series for appliance model 5660. The back panel of the model 5660 is different from model 5640 due to the additional slots for Small Formfactor Pluggables (SFPs).
Figure 1-6 and Table 1-11 describe the back panel features for the model 5660.
Figure 1-6 Model 5660 back panel
Table 1-11 Model 5660 back panel features
Location Feature Description
1 and 2 Power supplies Removable power supply units. The model 5660 has two power supplies.
3 and 4 Power sockets Connections for AC power cords. The model 5660 has two power sockets.
5 Serial console port Provides a connection for a terminal emulator to access the appliance’s Linux operating system locally. Only make changes using the serial console port when instructed by Symantec Technical Support. Making changes to the operating system is not supported.
6 Attention indicator Lights solid red if the appliance needs attention. Check log messages for more information.
7 USB ports Provides a modem connection for dialing pager phone numbers for delivering notifications. Supports (but does not include) USB modems that use the standard AT command set for notifications. Complies with the USB CDC ACM specification. Lets you connect an Uninterruptible Power Supply (UPS) to the USB port for smart UPS support. See “Connecting an Uninterruptible Power Supply (UPS)” on page 23.
Note: Any USB port can be used for either task.
8 eth4 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
9 eth5 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
10 eth2 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
11 eth3 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
12 eth0 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
13 eth1 Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
14 eth9 Slot for SFP for additional copper, fiber or multimode fiber network connections. Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
15 eth8 Slot for SFP for additional copper, fiber or multimode fiber network connections. Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
16 eth7 Slot for SFP for additional copper, fiber or multimode fiber network connections. Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
17 eth6 Slot for SFP for additional copper, fiber or multimode fiber network connections. Higher transmission rate port. Accepts a 10/100/1000 Base-T network cable that allows an Ethernet network connection.
18 Power button Turns the appliance on or off.
19 Cable management system Accepts the cable management system guide studs and screw.
Connecting models 5640 and 5660 to the network
The Symantec Gateway Security 5600 Series model 5640 offers eight gigabit Ethernet connections, and model 5660 offers six along with four slots for SFPs. See the Symantec Gateway Security 5600 Series Connecting and Configuring for information about configuring the management interface from the appliance front panel LCD. As you connect models 5640 and 5660 to the network, see the location numbers from Figure 1-5 or Figure 1-6 to refer to the back panel features mentioned in each step.
To connect models 5640 and 5660 to the network
1 Plug the RJ-45 or MMF connector from the Internet into the outside interface eth1 network connection (9 through 15).
2 Plug the RJ-45 connector from any other service networks (if present) into any of the remaining network connections (9 through 15).
Connecting the power cord to models 5640 and 5660
The following procedure describes how to connect the power cord. Use the location numbers from Figure 1-5 or Figure 1-6 to refer to the back panel features mentioned in each step.
To connect the power cord to models 5640 and 5660
1 Plug the power supply cord into the power socket on the rear panel (1).
2 Connect the power supply cord from the appliance to an electrical outlet or UPS supply unit.
See “Connecting an Uninterruptible Power Supply (UPS)” on page 23.
The appliance has powered up properly when the following occurs:
The fans turn on, and the LEDs and LCD screen on the appliance light up.
A number of status messages are displayed on the LCD screen as the appliance completes its start process.
Connecting an Uninterruptible Power Supply (UPS)
In the event of a power failure, using a UPS lets you turn off the appliance in an orderly manner. The appliance communicates directly to the UPS unit through a USB port.
The recommended supplier for UPS units is American Power Conversion (www.apcc.com). The UPS unit must support USB ports. Units that support only serial ports do not work with the Symantec Gateway Security 5600 Series.
To connect an Uninterruptible Power Supply (UPS)
1 Plug the UPS into the wall socket.
2 Turn on the UPS.
3 Plug the Symantec Gateway Security 5600 Series power cord into the UPS power socket.
4 Connect the UPS USB cable to the UPS unit and the appliance.
Once you have connected your UPS to the appliance you can configure UPS support from the Security Gateway Management Interface (SGMI) using the System > Configuration > Features > enable Uninterruptible power supply check box.
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM
The Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM contains a Symantec Gateway Security 5000 Series version 3.0 restore program. The restore program returns the appliance to its original factory condition. You boot the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM in a computer connected directly or by a network to the appliance.
Caution: The OS restore operation results in the complete overwriting of your existing appliance configuration. All configuration and license data is lost. You will need to reinstall your licenses. For information on preserving your configuration settings, see the Symantec Gateway Security 5000 Series Administration Guide.
The requirements for the computer running the operating system restore program are as follows:
An industry-standard computer with a BIOS that lets you start from an IDE (ATAPI) CD-ROM.
One of the following installed 10/100 or 10/100/1000 MB network interface cards:
Intel PRO/100+ SGS Adapter (PILA8470B)
Linksys EtherFast 10/100 LAN Card (LNE100TX)
Netgear Fast Ethernet PCI Adapter (FA312TX)
3Com OfficeConnect Fast Ethernet NIC (3CSOHO100-TX)
3Com Fast EtherLink XL PCI NIC (3C905B-TX)
When you receive your Symantec Gateway Security OS Restore CD ROM, place it in the computer that you would use in the event you needed to restore your software. Once the Symantec Gateway Security OS Restore CD ROM boots, it will tell you whether or not it found the appropriate hardware to continue the process. If it cannot use your network card, please locate another computer with a different network interface type.
Either a crossover cable (supplied) to connect the appliance directly to the eth0 network interface on the computer, or a connection to a switch or hub to which the appliance is attached.
Note: Power off the appliance before moving the cable.
During the restore process, the appliance automatically reboots and performs other installation tasks. You must allow this process to complete without interruption for a successful restore of the appliance software to its original factory condition. This process may take 15 minutes.
To restore the appliance’s firmware
1 Press any button on the front panel of the appliance until the System Menu displays on the LCD screen.
2 Press the down button until the Shutdown option appears.
3 Press the Enter button.
4 When prompted, turn off the power of the appliance using the power switch.
5 Ensure the PC that you use to restore the system is set to boot from the CD-ROM drive.
6 Insert the OS Restore CD-ROM into the CD-ROM drive of the PC and then reboot the PC.
7 When the PC reboots, the OS restore program runs. You are prompted to accept the Symantec Software License Agreement, and directions for the procedure are also displayed.
8 While pressing and holding down the Enter button on the front panel do the following:
Press the power switch on the appliance to turn on the power.
Continue holding down the Enter button until the LCD displays:
Network Boot?
9 Carefully release and press the Enter button again to begin booting the appliance from the CD-ROM. When the process is complete, the LCD displays the following message:
Network Boot? Setup System
Note that this step may take 15 - 20 minutes, which includes the appliance rebooting itself. The appliance reboots automatically after the restore process is complete.
10 Remove the CD-ROM and restart your computer to return it to normal service.
11 On the appliance, perform the initial setup process again.
Chapter 2
Setting up the appliance and configuring the system
This chapter includes the following topics:
Installing and setting up the appliance
Shutting down the appliance
Configuring the appliance with the System Setup Wizard
Installing and setting up the appliance
The following instructions describe how to install and set up the Symantec Gateway Security 5600 Series appliance for SGMI management from an internal or external network. You can only configure one interface for management from the front panel of the appliance. For instructions on configuring additional interfaces using the System Setup Wizard, see the Symantec Gateway Security 5000 Series Administration Guide.
If you are configuring an interface for an internal (inside) network, you need to know the following before you start:
The inside static IP address and subnet mask.
If you are connecting through a VLAN, you need the VLAN identification number. The VLAN identification number is a number between 1 and 4094.
If you are configuring an interface for an external (outside) network, you need to know the following before you start:
The outside static IP address, gateway and subnetmask addresses.
If you are connecting through a VLAN, you need the VLAN identification number.
DHCP is only available when eth1 is configured as an outside interface.
Use the following figures to refer to the back panel features mentioned in these instructions:
See Figure 2-1, “5620 back panel layout,” on page 28.
See Figure 2-2, “5640 back panel layout,” on page 28.
See Figure 2-3, “5660 back panel layout,” on page 28.
5620 back panel layout
Figure 2-1 shows the model 5620 back panel features which are required for the initial setup. The back panel layout is different for all 5600 models.
Figure 2-1 5620 back panel layout
Table 2-1 Model 5620 back panel description
Element 1, Power socket: Connection for AC power cord.
Element 2, Master power switch: Turns the appliance on or off.
Element 3, Network interfaces: Accepts a 10/100/1000 Base-T network cable, which allows Ethernet network connection.
5640 back panel layout
Figure 2-2 shows the model 5640 back panel features which are required for the initial setup. The back panel layout is different for all 5600 models.
Figure 2-2 5640 back panel layout
5660 back panel layout
Figure 2-3 shows the model 5660 back panel features required for initial setup. The back panel layout is different for all 5600 models.
Figure 2-3 5660 back panel layout
Table 2-2 Models 5640 and 5660 back panel description
Element 1, Power socket: Connection for AC power cord.
Element 2, Network interface: Accepts a 10/100/1000 Base-T network cable, which allows Ethernet network connection.
To install and set up the 5600 series appliance
1 Attach the bezel to the front of the model 5640 or 5660 appliance.
The model 5620 comes with the bezel installed.
2 Mount the appliance in the appropriate rack or place it on a stable, level surface.
3 Plug the Ethernet cable from the network segment through which you will connect to the appliance for management into one of the Ethernet ports. This is the interface you configure using the front panel.
4 Plug the power cord into the power socket (see element 1 in Figure 2-1, Figure 2-2, and Figure 2-3), and then plug it into a power supply. An uninterruptible power supply (UPS) is recommended. Do not use an extension cord.
On the model 5620, use the master power switch to turn on the power. The models 5640 and 5660 do not have a master power switch; they power on when you connect the power cord.
Wait a few moments for the power to turn on and the boot process to finish. The LCD panel displays various messages as it boots up.
Do not turn off the appliance using the power switch. To turn off the appliance without starting the setup, press the Down button on the front panel until “SGS 3.0 Shutdown” appears on the LCD screen, and then press the Enter button to confirm the shutdown. This ensures that the appliance is shut down properly.
5 On the front panel of the appliance, press the Enter button.
6 When Setup System displays, press the Enter button again.
If you pause after turning on the power and “***” displays on the LCD, press the Enter button to restart the initial setup.
7 When Setup eth0 displays, press the Up or Down buttons to see the available interfaces, choose the interface you connected the Ethernet cable to, and then press the Enter button.
8 When Setup (and the interface you selected) displays, press the Up or Down buttons to choose Inside or Outside, and then press the Enter button.
9 When VLAN Id: displays, and you want to configure a virtual local area network (VLAN) on the interface, do the following:
Press the Right button.
Press the Up or Down buttons to select a specific VLAN identification number between 1 and 4094.
Press the Enter button.
If you do not want to configure a VLAN, do the following:
Press the Enter button.
10 Under eth (the interface you selected) IP Address, enter the interface IP address.
Each octet of the IP address is a separate field in the display. Use the Left and Right buttons to move between the fields of the IP address. The selected field is surrounded by brackets ( [ ] ). Use the Up and Down buttons to change the number in the selected field.
11 Press the Enter button.
12 Under Netmask, enter the netmask address for the IP address you just entered.
Each octet of the netmask address is a separate field in the display. Use the Left and Right buttons to move between the fields of the netmask address. The selected field is surrounded by brackets ( [ ] ). Use the Up and Down buttons to change the number in the field that is selected.
13 Press the Enter button.
14 If you are configuring an outside interface, under Gateway, enter the gateway address for the outside interface. Each octet of the gateway address is a separate field in the display. Use the Left and Right buttons to move between the fields of the gateway address. The selected field is surrounded by brackets ( [ ] ). Use the Up and Down buttons to change the number in the field that is selected.
15 Press the Enter button.
16 Under Save Setup, use the Left or Right buttons to select one of the following:
[OK] The configuration is saved and the new password displays when you press the Enter button.
This is the administrator and root password. A new password is generated each time you save this setup from the front panel. Use this password to log in to the SGMI and as the root password. You can also change the passwords in the SGMI if you are logged in as the administrator.
[Cancel] The configuration is not saved, the system restarts, and all your information is lost.
The default selection is [Cancel]. If you select [Cancel], you exit the setup when you press the Enter button.
17 Press the Enter button.
The password displays. Carefully record it (because it does not display again) and store it in a secure location, because you will use it to log on to the SGMI.
Note that this password is always lowercase and alphabetic.
18 Press the Enter button.
The following message displays on the LCD screen:
Setting password Press any key to reboot system.
19 Press any button on the front panel to reboot the appliance.
Rebooting takes a few minutes. The following messages display on the LCD screen:
Rebooting System Symantec v 1.03 Diagnostics... Symantec Gateway Starting
Once the system is rebooted, the following system items display on the LCD screen: percent CPU usage, percent log, time, and throughput rate.
You can now configure the appliance using the SGMI.
Shutting down the appliance
Do not use the power switch to shut down the appliance before or during appliance setup.
To turn off the appliance without starting the set up
1 On the front panel press the Down button until you see “SGS 3.0 Shutdown” on the LCD screen.
2 Press the Enter button to confirm the shutdown.
This ensures that the appliance is shut down properly.
Configuring the appliance with the System Setup Wizard
After you complete the initial installation and setup, you are ready to connect to the appliance and configure it using the SGMI’s System Setup Wizard. For optimal screen resolution, set your display settings to a minimum of 1024 x 768.
Logging on to the SGMI for the first time
The first time that you log on to the SGMI, you initiate the logon from a browser window. The System Setup Wizard detects if you do not have the correct JRE installed. You cannot continue without the Java plug-in. If you do not have Java Runtime Environment (JRE) 1.5 or later, it is downloaded to your computer during the logon procedure.
JRE includes Java Web Start, which lets you install a Web Start icon for the SGMI during your initial logon. When you click this icon, you can run the SGMI from the desktop instead of a browser window for future logons. If you choose not to install the SGMI icon, you can continue to log on from a browser.
Running the System Setup Wizard
When you connect to the SGMI for the first time, the System Setup Wizard starts automatically. You use the System Setup Wizard to configure the appliance for basic operation. This ensures that you configure at least one inside and outside interface. Using the System Setup Wizard, you also have the option to create basic rules for SMTP, POP3, HTTP, and FTP traffic. When you complete the System Setup Wizard, the rules are configured to allow and control these kinds of traffic.
If your corporate DNS is set up to access the security gateway through a resolvable name, use the System Setup Wizard to change the host and domain names to this name. If DNS is not set up to allow name resolution, changing the default host name and domain name will result in host mismatch messages when you log on using the IP address of this security gateway. Accepting these messages during logon does not cause a problem, but using the defaults prevents the mismatch.
If you chose not to configure the SMTP, POP3, HTTP, and FTP traffic options, you must either use the Firewall Rule Wizard or configure them manually from the SGMI Policy > Rules tab. For detailed instructions about how to configure these policies, see the Symantec Gateway Security 5000 Administration Guide.
You can run the System Setup Wizard after the initial setup to change system settings and add or change network interfaces. For detailed instructions about using the System Setup Wizard after the initial setup see the Symantec Gateway Security 5000 Administration Guide.
Note: If you cancel out of this wizard without completing it, your security gateway will not be ready to operate and you will have to run the System Setup Wizard again. You can use the System Setup Wizard at any time after the initial setup to edit system information.
To log on to the SGMI for the first time and run the System Setup Wizard
1 In a browser window, enter the URL of the appliance that you want to manage, in the following format:
https://<URL>:2456
For example:
https://10.161.140.10:2456
2 If you do not have JRE 1.5 (J2SE Runtime Environment 5.0) installed, do the following:
In the browser window, allow the JRE installer to use ActiveX.
Install JRE 1.5 with the J2SE Runtime Environment 5.0 Wizard.
When installation is complete, a security alert dialog box is displayed for a temporary certificate that is generated by the appliance.
3 In the Warning - Security dialog box, verify the certificate, and then click Yes.
4 In the next Warning - Security dialog box, verify the certificate, and then click Yes.
5 In the Password Needed - Networking dialog box, do the following:
In the User name text box, type admin.
In the Password text box, type the password that you received on the LCD panel during appliance setup.
Click Yes.
A Java Web Start progress box shows files being downloaded to your computer, followed by a security warning for a certificate that is signed by Symantec.
6 In the Warning - Security dialog box, click Yes .
7 In a final Warning - Security dialog box from Sun Microsystems, Inc., click Yes.
8 In the Desktop Integration dialog box, you can choose how you access the SGMI from your computer. Do one of the following:
To place a shortcut to the application on the desktop, click Yes.
The next time you want to connect to the SGMI, you click this icon and respond to the certification messages and logon prompts.
This option is highly recommended because you will have faster and easier access to the SGMI.
To launch the SGMI without placing an icon on the desktop, click No.
To start the SGMI again, you must use a browser to enter the appliance’s URL, as described in step 1.
To configure Web Start, click Configure.
A Web Start configuration dialog is displayed. Unless you are familiar with Web Start, you should not attempt to configure it.
For information on Java Web Start, view the Readme.html file that was installed when the JRE was downloaded. If you took the defaults for the installation, it is located in C:\Program Files\Java\j2re1.5. If the SGMI does not display, double-click the SGMI icon on your desktop and use the procedure for logging on to the SGMI from the desktop, or contact your security gateway administrator.
9 In the License and Warranty Agreement window, read the agreement and then do one of the following:
To accept the license and warranty agreement, and to proceed with the System Setup Wizard, click Accept.
To decline the agreement and return to the logon screen, click Do Not Accept.
Clicking Do Not Accept prevents you from connecting to the appliance.
10 On the System Setup Wizard panel, do the following:
Select Standalone gateway if the appliance is not going to be a member of a cluster.
Select Cluster member if the appliance is going to be a member of a cluster.
11 Click Next.
12 On the Optional Features panel, do the following:
Verify that each of the features that you want is enabled.
Uncheck any features that you do not want to use.
To configure the appliance as a cluster member, check High Availability/Load Balancing (HA/LB).
You can run the System Setup Wizard at a later time to enable any feature, or from the SGMI, select the System > Configuration tab to turn features on or off. If you run the System Setup Wizard and change interface or domain information, the appliance reboots.
13 Click Next.
14 On the Setup Options panel, to apply configuration information from a previously backed up image to your appliance, check Restore from a backup image.
15 Click Next.
16 On the Machine Settings panel, to change the time zone, time, or date, to the right of the date and time field, click the calendar icon.
17 In the Select Time Zone / Time /Date dialog box, do the following:
Time Zone Use the drop-down list to select the time zone.
Time Use the drop-down lists to select the hour, minute, and second.
Click either AM or PM.
To return the time to the original time, click Reset Time.
Date In the calendar, select the date.
Use the icons at the top of the calendar to navigate.
18 Click OK.
19 On the Machine Settings panel, do the following:
Host name Type the host name of the security gateway.
Domain name Type the domain name of the security gateway.
Default gateway Type the IP address of the default gateway.
In most cases, the default gateway is the router or connection you have to your ISP.
20 To provide additional security against personnel who should not have access to the front panel controls, check Lock LCD panel. Use your root password to unlock the LCD panel and associated navigation buttons from the appliance. The LCD panel relocks after 60 seconds of inactivity.
For instructions on how to permanently unlock the LCD panel, see the Symantec Gateway Security 5000 Series Administration Guide.
21 To change the administrator password, do the following:
Change administrator password To enable changing the administrator password, check this option.
Current password Type the current administrator password, the one you received during the front panel LCD setup.
New password Type a new administrator password.
The administrator password should be at least 10 characters long and should not contain digits.
You can still change the password if you do not meet these conditions, but you will receive a warning message.
The password is encrypted and appears as a string of asterisk (*) characters.
Verify password Retype the new password to verify the change.
22 Under Internationalization, check Allow internationalized domain names (IDN) to permit domain names or Web addresses represented by local language characters.
23 Click Next.
24 On the Network Interface Connections panel, select the interface that you want to configure, and then do the following:
Interface Displays the selected interface.
Type Select the interface type: Inside, Outside or Not Used.
Name Type the logical network interface name.
IP address Edit the IP address. You must use an IP address that is unique to the subnet to which the interface connects.
Netmask Edit the netmask address.
MAC address Displays the MAC address of the selected interface. This is not an editable field.
MTU Type the number of bytes to limit the size of physical packets transmitted through the security gateway. Maximum Transmission Unit (MTU) is available on outside interfaces only.
The following list shows the defaults and ranges for each connection type:
Static IP: The default is 1500. The range is 68 - 1500.
DHCP: The default is 1500. The range is 576 - 1500.
DHCP Client check box
To enable DHCP on the outside interface, check DHCP Client.
DHCP is only available when eth1 is configured as an outside interface.
If HA/LB is enabled, you cannot enable DHCP.
To use DHCP, there must be a DHCP server running on the outside network. When you enable DHCP, the IP address of eth1 is displayed as DHCP Client in IP address and netmask fields.
Enable external ping check box
If you want your security gateway to respond to an external ping command on your security gateway, check Enable external ping.
By default, ping on the external interface is disabled as a security measure. You can enable or disable the ping command after the initial configuration on the Ping Proxy properties dialog box.
Add VLANs Click to configure Virtual Local Area Networks (VLANs) on the interface. In the Add VLANs dialog box, do the following:
From the Interface drop-down list, select the network interface that serves as the trunk port for the VLANs.
In the Starting VLAN ID text box, type the ID of the first VLAN.
In the Number of VLANs text box, type the number of VLANs being added.
Click OK.
The software is optimized to support 48 VLANs; more are possible.
Remove VLAN Click to delete any previously configured VLANs on the interface.
25 Click Next.
26 To configure mail, Web, and FTP services, in the Optional Security Gateway Configuration panel, select the following:
SMTP mail services
POP3 mail services
HTTP services
FTP services
These options are only available the first time you run the System Setup Wizard. If you choose not to configure these options now, you can configure them later with the Policy Wizard or manually using the SGMI Policy > Rules tab. If you do not want to configure these options now, click Next, and continue with step 35.
27 Click Next.
28 If you selected to configure SMTP mail services, in the SMTP Options panel do the following:
Mail server IP address or domain name Type the fully qualified domain name or the IP address of the mail server.
Accept mail for the following list of domains Check to enable accepting email from the domains that are listed in the following text box.
Text box Type the domain names of the email sources, separated by commas.
Apply antivirus scanning Check to scan SMTP mail for viruses.
Apply Antispam filtering Check to filter SMTP mail for spam.
Outside interface If your security gateway is configured with more than one outside interface, you are prompted for an outside interface selection. In the Outside interface drop-down list, select the dedicated outside interface for this service.
29 Click Next.
30 If you selected to configure POP3 mail services, in the POP3 Options panel, do the following:
Mail server IP address or domain name Type the fully qualified domain name or the IP address of the mail server.
Apply antivirus scanning Check to scan POP3 mail for viruses.
Apply Antispam filtering Check to filter POP3 mail for spam.
Outside interface If your security gateway is configured with more than one outside interface, you are prompted for an outside interface selection. In the Outside interface drop-down list, select the dedicated outside interface for this service.
31 Click Next.
32 If you selected to configure HTTP services, in the HTTP Options panel, do the following:
Apply Antivirus scanning Check to scan web traffic for viruses.
Allow Upload Check to enable HTTP post and put requests.
Allow HTTPS only on standard ports Check to allow HTTPS only on ports 443 or 563.
Allow FTP through HTTP Check to enable FTP URLs through HTTP. The same authentication that can occur in normal HTTP requests can occur here, but file name extensions, Java, and allowed URL filtering have no effect on these connections.
Inside interface If your security gateway is configured with more than one inside interface, you are prompted for an inside interface selection. In the Inside interface drop-down list, select the dedicated inside interface for this service.
33 Click Next.
34 If you selected to configure FTP services, in the FTP Options panel, do the following:
Apply antivirus scanning Check to scan FTP traffic for viruses.
Allow puts Check to enable FTP put operations.
Allow gets Check to enable FTP get operations.
Inside interface If your security gateway is configured with more than one inside interface, you are prompted for an inside interface selection. In the Inside interface drop-down list, select the dedicated inside interface for this service.
35 Click Next.
36 On the Confirmation panel, review the summary of your configuration. If you want to modify the configuration, click Back to go to the appropriate panel, and make the changes.
37 Click Finish.
When you finish the System Setup Wizard, the security gateway reboots. The next time you log on to the appliance, you can run or schedule an application LiveUpdate.
Once you have completed the Symantec Gateway Security 5600 Series System Setup Wizard the first time, you can access it again from the SGMI Tools menu option and edit any system information.
If you created rules for SMTP, POP3, HTTP, and FTP, this traffic is now being allowed through the security gateway. If you chose not to configure the SMTP, POP3, HTTP, and FTP traffic options, you can either use the Firewall Rule Wizard or configure it manually from the SGMI Policy > Rules tab. For detailed instructions about how to configure these policies, see the Symantec Gateway Security 5000 Series Administration Guide.
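The front-panel setup and the System Setup Wizard above state a number of constraints on what you enter: VLAN IDs between 1 and 4094 (with a Starting VLAN ID plus a Number of VLANs in the Add VLANs dialog), DHCP only on eth1 configured as an outside interface and never together with HA/LB, an MTU only on outside interfaces with a 68 - 1500 range for static IP and 576 - 1500 for DHCP, a gateway address for outside interfaces, at least one inside and one outside interface, and the administrator password warnings (fewer than 10 characters, or containing digits). The following script is an added example that checks a planned configuration against those rules before you type it into the LCD or the wizard; it is not part of the guide or of the Symantec appliance software, and its function and field names are this example's own. The check that the gateway sits on the outside interface's own subnet is an added assumption the guide does not state.

```python
"""Added example: checks interface, VLAN and password values against the rules
the front-panel setup and the System Setup Wizard state. Not Symantec code."""
import ipaddress

VLAN_MIN, VLAN_MAX = 1, 4094                                # VLAN ID range
VLAN_OPTIMIZED = 48                                         # optimized count
MTU_RANGES = {"static": (68, 1500), "dhcp": (576, 1500)}    # outside interfaces only
PASSWORD_MIN_LEN = 10                                       # wizard warns below this


def validate_vlan_block(starting_id, number_of_vlans):
    """Check an Add VLANs request: every ID in the block must lie in 1..4094."""
    findings = []
    last = starting_id + number_of_vlans - 1
    if number_of_vlans < 1:
        findings.append("error: Number of VLANs must be at least 1")
    if not VLAN_MIN <= starting_id <= VLAN_MAX:
        findings.append(f"error: Starting VLAN ID {starting_id} is outside {VLAN_MIN}-{VLAN_MAX}")
    elif last > VLAN_MAX:
        findings.append(f"error: VLAN block {starting_id}..{last} runs past {VLAN_MAX}")
    if number_of_vlans > VLAN_OPTIMIZED:
        findings.append(f"warning: more than {VLAN_OPTIMIZED} VLANs is supported but not optimized")
    return findings


def validate_interface(name, interface_type, ip=None, netmask=None, gateway=None,
                       dhcp=False, ha_lb=False, mtu=None):
    """Apply the guide's per-interface rules; returns 'error:'/'warning:' strings."""
    findings = []
    if interface_type == "not used":
        return findings
    network = None
    if dhcp:
        # DHCP is offered only on eth1 as an outside interface, and never with HA/LB
        if interface_type != "outside" or name != "eth1":
            findings.append("error: DHCP is only available when eth1 is an outside interface")
        if ha_lb:
            findings.append("error: DHCP cannot be enabled while HA/LB is enabled")
    else:
        try:
            network = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        except ValueError as exc:
            findings.append(f"error: invalid IP address or netmask: {exc}")
        if network is not None and network.network.prefixlen < 31 and network.ip in (
                network.network.network_address, network.network.broadcast_address):
            findings.append("error: IP address is the network or broadcast address of its subnet")
        if interface_type == "outside" and gateway is None:
            findings.append("error: outside interfaces require a gateway address")
        elif interface_type == "outside" and network is not None:
            # Assumption not stated in the guide: the default gateway should sit on
            # the outside interface's own subnet, as a router reachable from it.
            try:
                if ipaddress.IPv4Address(gateway) not in network.network:
                    findings.append(f"warning: gateway {gateway} is not on subnet {network.network}")
            except ValueError:
                findings.append(f"error: invalid gateway address {gateway!r}")
    if mtu is not None:
        kind = "dhcp" if dhcp else "static"
        lo, hi = MTU_RANGES[kind]
        if interface_type != "outside":
            findings.append("error: MTU can only be set on outside interfaces")
        elif not lo <= mtu <= hi:
            findings.append(f"error: MTU {mtu} is outside {lo}-{hi} for a {kind} connection")
    return findings


def validate_setup(interfaces, ha_lb=False):
    """Check a whole wizard run: at least one inside and one outside interface,
    and no two static interfaces sharing an IP address."""
    findings = []
    types = {iface["interface_type"] for iface in interfaces}
    for required in ("inside", "outside"):
        if required not in types:
            findings.append(f"error: the System Setup Wizard requires at least one {required} interface")
    seen = {}
    for iface in interfaces:
        findings.extend(f"{iface['name']}: {f}" for f in validate_interface(ha_lb=ha_lb, **iface))
        ip = iface.get("ip")
        if ip and not iface.get("dhcp"):
            if ip in seen:
                findings.append(f"error: {iface['name']} and {seen[ip]} share IP address {ip}")
            seen[ip] = iface["name"]
    return findings


def check_admin_password(password):
    """The wizard only warns when these conditions are not met, so these are warnings."""
    warnings = []
    if len(password) < PASSWORD_MIN_LEN:
        warnings.append(f"warning: password is shorter than {PASSWORD_MIN_LEN} characters")
    if any(ch.isdigit() for ch in password):
        warnings.append("warning: password contains digits")
    return warnings
```

To use it, describe each interface as a dictionary with the wizard's fields (name, interface_type, ip, netmask, gateway, dhcp, mtu) and pass the list to validate_setup; an empty result means the plan satisfies every rule above, and each string returned names the interface and the rule it breaks. Rules the wizard treats as hard limits are reported as errors and the ones it merely warns about as warnings, so a script can refuse the former and only log the latter.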
Running application LiveUpdate during initial logon
After you have completed the System Setup Wizard, the security gateway reboots and you must log on again. The first time you log on after completing system setup, you can manually run an application LiveUpdate or schedule recurring application LiveUpdates. After you have established a schedule, updates take place automatically. Unless you configure a local LiveUpdate server, you download updates from the Symantec LiveUpdate servers.
Running application LiveUpdate immediately ensures that your application files are current when you initially configure the security gateway. Scheduling application updates with application LiveUpdate ensures that your security gateway application files are always current.
For detailed instructions about how to configure application LiveUpdate and content LiveUpdate, including configuring local LiveUpdate servers, see the Symantec Gateway Security 5000 Series v3.0 Administration Guide.
To run application LiveUpdate during initial logon
On the Application LiveUpdate dialog box, do one of the following:
Click Create Schedule.
Click Run Application LiveUpdate now.
Integrating the SGMI to the desktop
Because the SGMI is a Java application, you can use Java Web Start to integrate it to your desktop. You can then use the icon to begin the logon procedure, instead of the browser.
To integrate the SGMI to the desktop
1 On the Start menu, click Control Panel.
2 In the Control Panel window, click Java.
3 In the Java Control Panel dialog box, under Temporary Internet Files, click Settings.
4 In the Temporary Files Settings dialog box, click View Applications.
5 In the Java Application Cache Viewer, on the User tab, highlight the application that is identified by the URL that you used to connect to the appliance.
6 On the Application menu, click Install Shortcuts.
The SGMI icon is installed to your desktop.
7 On the File menu, click Exit.
8 In the Temporary Files Settings dialog box, click OK.
9 In the Java Control Panel dialog box, click OK.
10 Close the Control Panel.
Chapter 3
Upgrading appliance software and migrating configurations
This chapter includes the following topics:
About upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1
Upgrade and update preparation
Performing remote upgrades and updates
Post-upgrade or update restoration
Migrating configurations from Symantec Enterprise Firewall
About upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1
Symantec Gateway Security 5000 Series v3.0.1 is available as the following:
An upgrade from Symantec Gateway Security 5000 Series v2.0.1
An upgrade from Symantec Clientless VPN Gateway 4400 Series v5.0
An update from Symantec Gateway Security 5000 Series v3.0.
Symantec Enterprise Firewall configurations can be migrated to an appliance that is running Symantec Gateway Security 5000 Series v3.0.1.
Note: If your security gateway is already at the latest software version, Symantec Gateway Security 5000 Series v3.0.1, then no action is necessary.
With the release of Symantec Gateway Security 5000 Series v3.0.1, you now have the choice to upgrade or update your Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliances while on site, or to do so remotely. If you are on site, the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM lets you upgrade or update the security gateway using a computer connected directly to the appliance. If you want to perform the process from another location, you can use a remote computer and the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM.
For Symantec Clientless VPN Gateway 4400 Series v5.0 appliances, you must locally update the appliance using the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM. A remote upgrade using the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM is not supported.
Note: A separate remote update utility is available from the Symantec Technical Support Web site to let you update Symantec Gateway Security 5000 Series v3.0 to Symantec Gateway Security 5000 Series v3.0.1. You cannot use this utility to upgrade from Symantec Security Gateway 5000 Series v2.0.1, or Symantec Clientless VPN Gateway 4400 Series v5.0.
If you have already updated your security gateway with this utility, there is no need to do so again.
Upgrade and update methods
Symantec provides the following media to upgrade or update to Symantec Gateway Security 5000 Series v3.0.1:
Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM
Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM
You can use this media to upgrade from Symantec Gateway Security 5000 Series v2.0.1, or to update from Symantec Gateway Security 5000 Series v3.0. You can upgrade from Symantec Clientless VPN Gateway 4400 Series v5.0 to Symantec Gateway Security 5000 Series v3.0.1 using the Symantec Gateway Security 5000 Series v3.0.1 Software and Restore Image Version 3.0.1 CD-ROM only. You cannot upgrade Symantec Clientless VPN Gateway 4400 Series v5.0 remotely.
The Symantec Gateway Security 5000 Series v3.0.1 Software and Restore Image Version 3.0.1 CD-ROM contains a program that upgrades or updates a security gateway to Symantec Gateway Security 5000 Series v3.0.1. You can use this program at any subsequent time to restore the security gateway to the factory defaults. Upgrading, updating or restoring factory defaults using this CD-ROM removes all configurations, as well as logs, patches, hotfixes, and licenses. Using this CD-ROM requires that you be physically present at the appliance.
See “Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM” on page 24.
The Symantec Gateway Security 5000 Series v3.0.1 Software Update Version 3.0.1 CD-ROM lets you use a remote computer to upgrade from Symantec Gateway Security 5000 Series v2.0.1 to Symantec Gateway Security 5000 Series v3.0.1. You can also use this CD-ROM to update Symantec Gateway Security 5000 Series v3.0 to Symantec Gateway Security 5000 Series v3.0.1. The remote utility lets you upgrade or update multiple security gateways from a single location, without the need to be physically present at each security gateway installation. It is designed to accommodate either high-speed network or low bandwidth connections.
See “Performing remote upgrades and updates” on page 49.
You can migrate backup configuration files from Symantec Enterprise Firewall v7.0.4 or Symantec Enterprise Firewall v8.0 to an appliance running Symantec Gateway Security 5000 Series v3.0.1. Symantec provides a separate utility for migrating backed up configurations from Symantec Enterprise Firewall v7.0.4 to Symantec Gateway Security 5000 Series v3.0. You can also use this utility to migrate to Symantec Gateway Security 5000 Series v3.0.1.
For more information regarding migration from Symantec Enterprise Firewall v8.0, see “Migrating Symantec Enterprise Firewall v8.0 configurations to Symantec Gateway Security 5000 Series v3.0.1” on page 68.
For more information regarding migration from Symantec Enterprise Firewall v7.0.4, see “Migrating Symantec Enterprise Firewall v8.0 configuration files” on page 69.
All upgrades and updates require that you apply the latest patches and hotfixes before you perform a configuration backup and begin the upgrade or update process. Table 3-1 lists the various ways you can upgrade or update to Symantec Gateway Security 5000 Series v3.0.1.
Table 3-1 Upgrade and update paths to Symantec Gateway Security 5000 Series v3.0.1
Your current version: Symantec Gateway Security 5000 Series v3.0
Available upgrade and update methods: Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, or Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM. A remote update utility is available from the Symantec Technical Support Web site to update to Symantec Gateway Security 5000 Series v3.0.1. If you have already used this utility to perform the update on your security gateway, no further action is necessary.
Your current version: Symantec Gateway Security 5000 Series v2.0.1
Available upgrade and update methods: Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, or Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM.
Your current version: Symantec Clientless VPN Gateway 4400 Series v5.0
Available upgrade and update methods: Symantec Gateway Security 5000 Series v3.0.1 Software and Restore Image Version 3.0.1 CD-ROM.
Your current version: Symantec Enterprise Firewall v8.0
Available upgrade and update methods: Migrate backed up configurations to an appliance running Symantec Gateway Security 5000 Series v3.0.1.
Your current version: Symantec Enterprise Firewall v7.0.4
Available upgrade and update methods: Migrate backed up configurations to an appliance running Symantec Gateway Security 5000 Series v3.0.1. Symantec provides a separate utility to convert configurations from Symantec Enterprise Firewall v7.0.4 that can be used for this migration.
Upgrade and update requirements
You must satisfy the requirements described in the following sections to upgrade or update to Symantec Gateway Security 5000 Series v3.0.1:
“Requirements for the local upgrade and update” on page 41.
“Requirements for remote upgrade or update” on page 42.
“Patches and hotfixes” on page 42.
Requirements for the local upgrade and update
If you plan to upgrade or update on site using the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, the requirements for the computer running the OS restore program are as follows:
An industry-standard computer with a BIOS that lets you boot from an IDE CD-ROM.
An installed 10/100 or 10/100/1000 MB network interface card.
Verify that your interface card is compatible with your Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM by inserting it into the computer that you plan to use when restoring your software. When the CD-ROM boots, it will indicate whether or not it found the appropriate hardware to continue the process. If the CD-ROM is not compatible with your network card, locate another computer with a different type of network interface.
Either a crossover cable (supplied with the appliance) to connect the appliance directly to the eth0 network interface on the computer, or a connection to a switch or hub to which the appliance is attached.
Requirements for remote upgrade or update
To perform a remote upgrade or update, the security gateway must be connected to a network through any interface with a static IP address. When upgrading from Symantec Gateway Security 5000 Series v2.0.1, you access the security gateway using Secure Remote Login (SRL). When updating from Symantec Gateway Security 5000 Series v3.0, you access the security gateway using a Secure Shell (SSH) account.
The remote upgrade or update process using the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM involves putting files on an FTP server. If you plan to perform a remote upgrade or update using this CD-ROM, you must provide at least 1 GB of storage space on the FTP server that you plan to use to store the files that will be downloaded to the appliance.
Note: This requirement applies only when using the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to perform a remote upgrade or update.
Patches and hotfixes
When upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1, you must install all hotfixes and patches recommended by Symantec before initiating backups to preserve configurations. Refer to the Symantec Technical Support Web site to ensure that you have the latest downloads.
Upgrade and update preparation
How you plan for the upgrade or update to Symantec Gateway Security 5000 Series v3.0.1 depends on whether you plan to upgrade or update locally using the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, or whether you want to upgrade or update remotely using the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM. Planning recommendations for on site upgrade or update also apply to remote upgrades or updates. Remote upgrades or updates require several additional considerations.
Note: These preparations apply if you are using either the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM or the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM. If you are using the remote utility that is available from the Symantec Technical Support Web site, see the instructions provided on the Symantec Technical Support Web site.
General planning for on site upgrades and updates
Upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1 replaces information currently stored on the security gateway, including certificates, configurations, licenses, and log files. To preserve current settings, you must perform thorough backups before starting the process.
Your planning must also consider when you can schedule the upgrade or update to cause minimal service interruption and how you allocate administrative personnel. The upgrade or update requires a brief service interruption and significant interaction with the appliance by a system administrator.
General planning considerations should include the following:
Back up all configurations, log files, license files, certificates, and any other current data files you want to retain. Roll over your current log files before you back them up.
Remove the security gateway from all clusters. Security gateways are upgraded or updated individually.
Schedule the upgrade or update for a period when you can remove the security gateway from service with minimal service interruption.
Allocate a system administrator for the entire duration of the process. Administrator response is required at various points.
If the security gateway is under remote management using Symantec Gateway Security Advanced Manager, you must unjoin the security gateway from the advanced manager before starting the process.
Install all available patches and hotfixes before you restore configurations and begin the upgrade or update.
On Symantec Gateway Security 5000 Series v2.0.1 appliances, back up the Entrust certificate.
If you manually modified the Symantec Gateway Security 5000 Series v2.0.1 configuration settings in the loglevel.cf file, manually back up the file, and then review the settings.
When restoring from a Symantec Clientless VPN Gateway 4400 Series v5.0 configuration file, note the network interface information, and use the System Setup Wizard to restore it.
Planning for remote upgrades or updates
Upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1 using the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM requires several additional preparations, due to the need to access the security gateway remotely.
Be certain that all of your preparations are complete before starting the upgrade or update. After you start the remote upgrade or update process to Symantec Gateway Security 5000 Series v3.0.1, you cannot remotely revert to a previous version.
Planning considerations for remote upgrades and updates include the following:
Complete all preparations required for on site upgrade or update.
Establish remote access to each appliance you want to upgrade or update.
For more information, see “Remote access to the appliance” on page 43.
Verify access to the FTP server that you plan to use to store the files that will be downloaded to the appliance.
Verify that the FTP server has enough storage to accept the files.
See “Requirements for remote upgrade or update” on page 42.
Remote access to the appliance
If you plan to upgrade or update to Symantec Gateway Security 5000 Series v3.0.1 without physically interacting with the appliance, you must establish secure network access to the security gateway through a command line interface. To log on to the security gateway, you use either Secure Remote Login (SRL), or Secure Shell (SSH). The method you use depends on the software currently running on the security gateway.
To remotely upgrade a security gateway currently running Symantec Gateway Security 5000 Series v2.0.1 to Symantec Gateway Security 5000 Series v3.0.1, you must be able to connect to the security gateway using SRL. To log on to the gateway using SRL, you must supply the shared secret configured on the security gateway you want to upgrade.
To remotely update a security gateway currently running Symantec Gateway Security 5000 Series v3.0, you must connect using SSH. You must use a third-party SSH client for this type of connection.
For more information regarding how to enable SSH for command line access to the security gateway, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
Licensing your Symantec Gateway Security 5000 Series v3.0.1 software
You can use Symantec Gateway Security 5000 Series v3.0.1 software if your Maintenance Agreement for your Symantec Gateway Security 5000 Series v2.0 or Symantec Gateway Security 5000 Series v3.0 base license or activation pack is still current. You can also use any other Symantec Gateway Security 5000 Series v2.0, Symantec Gateway Security 5000 Series v3.0, or Symantec Clientless VPN Gateway 4400 Series v5.0 licenses for your Symantec security gateway (such as additional firewall or VPN licenses) that are still covered by an active Maintenance Agreement. For additional Symantec Gateway Security 5000 Series v3.0 licenses, or to replace any prior version licenses you own that are not covered by an active Maintenance Agreement, contact your local reseller.
When you upgrade or update your existing Symantec Gateway Security 5000 Series to the new Symantec Gateway Security 5000 Series v3.0.1 software, you automatically receive a 30-day grace period to use all features of the new Symantec Gateway Security 5000 Series v3.0.1 software, including content updates.
Before you upgrade or update your software, you should ensure that you are prepared to restore your Symantec Gateway Security 5000 Series v2.0 or Symantec Gateway Security 5000 Series v3.0 licenses to your environment, using one of the following methods:
If you have saved the license files that you generated for your current system, you can simply reinstall those license files on your system once you have completed the upgrade or update to Symantec Gateway Security 5000 Series v3.0.1.
See “Restoring license files” on page 54.
If you did not save your license files, you must use the serial numbers delivered with your original Serial Number Certificates for your licenses, and go back to the Symantec licensing Web site, https://licensing.symantec.com, to generate new license files and then install those license files on your system once you have completed the upgrade or update to Symantec Gateway Security 5000 Series v3.0.1.
See “Obtaining license files” on page 76. See “Restoring license files” on page 54.
If you did not save your license files on backup media or another system, and do not have access to your Serial Number Certificates, you can manually back up your Symantec Gateway Security 5000 Series license files.
See “Backing up your Symantec Gateway Security 5000 Series license files” on page 44. You can reinstall your license files on your Symantec Gateway Security 5000 Series v3.0.1 system. See “Restoring license files” on page 54.
Backing up your Symantec Gateway Security 5000 Series license files
Back up all of the license files on your appliance except for 10284.11.slf to a secure location off your security gateway so that you can restore them after upgrading to Symantec Gateway Security 5000 Series v3.0.1. To back up the license files from a Symantec Gateway Security 5000 Series v2.0.1, you must connect to the security gateway using an SRL client. To back up the license files from a Symantec Gateway Security 5000 Series v3.0, you must connect to the security gateway with an SSH client.
To back up your Symantec Gateway Security 5000 Series license files
1 Connect to your appliance using the SRL client or the SSH client.
2 To change to the directory that holds the license files, at the command prompt, type the following:
cd /opt/Symantec/Licenses
3 To see a list of all your license files (files with an .slf extension), at the command prompt, type the following:
ls *.slf
4 Copy all of the license files, except for 10284.11.slf, to a secure location off your appliance.
Backing up security gateway configurations and data files
The procedure used to perform the backup is specific to the system where the information exists before the upgrade or update, as described in the following sections:
“Backing up Symantec Gateway Security 5000 Series v3.0 configurations” on page 45.
“Backing up Symantec Gateway Security 5000 Series v2.0.1 configurations” on page 46.
“Backing up Symantec Clientless VPN Gateway 4400 Series v5.0 configurations and data files” on page 46.
Backing up Symantec Gateway Security 5000 Series v3.0 configurations
Before you back up your configuration, save and activate your changes.
The following parts of the security gateway configuration are not restored as part of the restore operation. You need to recreate these items following a backup and restore operation:
Administrator password
Cluster associations
These are the cluster name, heartbeat interface, and member information.
Note: In a clustered environment, backing up and restoring a cluster node’s configuration does not restore the cluster associations. You must run the Cluster Wizard following the restore to reestablish the cluster association.
License installations
Back up your license files separately so that you can reinstall them after restoring your configuration. You cannot reinstall the licenses from one security gateway on another security gateway.
For a list of the configurations and data files you should consider backing up, see “Manual backups” on page 47.
To back up configuration files from the SGMI
1 In the Symantec Gateway Security 5000 Series v3.0 SGMI, on the File menu, click Backup.
2 In the Backup dialog box, in the Password text box, type a backup/restore password.
3 In the Verify password text box, retype the password, and then click OK.
4 In the Save dialog box, navigate to the location where you want to save the backup file.
5 In the File name field, type a name for the backup file.
The default file type is .bk.
6 Click Save.
7 When you are notified that the backup has completed successfully, click OK.
For more information regarding how to perform backups in Symantec Gateway Security 5000 Series v3.0, refer to the Symantec Gateway Security 5000 Series v3.0 Administration Guide.
Backing up Symantec Gateway Security 5000 Series v2.0.1 configurations
To back up Symantec Gateway Security 5000 Series v2.0.1 configurations, you use the Symantec Gateway Security 5000 Series v2.0.1 SGMI to save the configurations to a location off the security gateway, such as the hard drive of the computer you use to access the SGMI. After upgrading the security gateway, you can restore these configurations to the security gateway. Upgrading Symantec Gateway Security 5000 Series v2.0.1 removes all previous configuration information. If you do not back up the Symantec Gateway Security 5000 Series v2.0.1 configuration before you upgrade, all your configurations are lost.
For a list of the configurations and data files you should consider backing up, see “Manual backups” on page 47.
If your Symantec Gateway Security 5000 Series v2.0.1 security gateway is joined to Symantec Gateway Security Advanced Manager, you must unjoin from the advanced manager before backing up the Symantec Gateway Security 5000 Series v2.0.1 configuration.
Note: In a clustered environment, backing up and restoring a cluster node’s configuration does not restore the cluster associations. You must run the Cluster Wizard following the restore to reestablish the cluster association.
There are Symantec Gateway Security 5000 Series v2.0.1 features that are no longer available, or that are replaced with similar functionality in Symantec Gateway Security 5000 Series v3.0.1. For more information, see the Symantec Gateway Security 5000 Series Getting Started Guide. Some Symantec Gateway Security 5000 Series v2.0.1 configuration information that was manually configured using Secure Remote Login (SRL) may require manual backup.
Review the information in “About Symantec Gateway Security 5000 Series v2.0.1 upgrade reports” on page 55 to determine what tasks you may need to perform after the upgrade.
To back up Symantec Gateway Security 5000 Series v2.0.1 configurations
1 In the Symantec Gateway Security 5000 Series v2.0.1 SGMI, on the Action menu, click Backup.
2 In the Backup Configuration window, in the Password text box, type a backup/restore password.
This password is required to restore the configuration.
3 Click Backup.
You are prompted to select a location in which to store the backup and a file name for the backup file. The default name is configs.bk.
4 Click Close.
For more information regarding how to perform backups in Symantec Gateway Security 5000 Series v2.0.1, see the Symantec Gateway Security 5400 Series Administrator’s Guide.
Backing up Symantec Clientless VPN Gateway 4400 Series v5.0 configurations and data files
You must back up your Symantec Clientless VPN Gateway 4400 Series v5.0 configuration before you upgrade the security gateway. Upgrading the security gateway removes all previous configuration information. You back up configurations and data files using the Symantec Clientless VPN Gateway 4400 Series v5.0 SGMI. Save the file in a secure location because it contains sensitive information.
To back up the current configuration
1 In the SGMI, on the Server tab, in the left pane, under Save Configuration, click Download.
2 In the right pane, under Save Configuration To Local File, click Download.
3 Click Save this file to disk.
4 Click OK.
5 In the dialog box, browse to the location where you want to save the file.
6 Select the file.
7 Click OK.
If you are using the Symantec Clientless VPN Gateway 4400 Series v5.0 internal database (LDAP data file), you must back up and restore the LDAP data file separately. It is not considered part of your clientless VPN gateway configuration. Save the file in a secure location, because it contains sensitive information.
To back up the LDAP data file
1 In the SGMI, on the User Database tab, in the left pane, under Save Configuration, click Download.
2 In the right pane, under Save Configuration To Local File, click Download.
3 Click Save this file to disk.
4 Click OK.
5 In the dialog box, browse to the location where you want to save the file.
You can type a new file name so that you do not overwrite a previous backup file.
6 Click OK.
Manual backups
This section lists critical items that you preserve by running a manual backup. Depending on how you have managed your security gateway, your configuration can include some or all of these items. You must complete all backups before starting the process.
Only configurations and licenses can be restored using the SGMI in Symantec Gateway Security 5000 Series v3.0.1. The manually configured and backed up items listed in Table 3-2 and in Table 3-3 cannot be restored or reinstalled directly in Symantec Gateway Security 5000 Series v3.0.1. However, the backup files can serve as a reference when recreating the settings in Symantec Gateway Security 5000 Series v3.0.1.
See “Post-upgrade tasks for upgraded Symantec Gateway Security 5000 Series v2.0.1 configurations” on page 55.
Caution: The upgrade or update process permanently removes all security gateway files. Any configurations or files not backed up and saved in a secure location are lost.
After you complete the process, you can restore your configuration files, and reapply the licenses that you backed up.
Table 3-2 lists items that you must back up manually because they cannot be restored or reinstalled directly in Symantec Gateway Security 5000 Series v3.0.1.
Table 3-2 Manually configured Symantec Gateway Security 5000 Series v2.0.1 information that requires manual backup
Logs
  Content: Logged events
  Backup technique/path: FTP from security gateway; /var/log/sg/oldlogs. Roll over your current log file before backing up.
Certificate
  Content: Authentication information
  Backup technique/path: FTP from security gateway; /var/lib/sg
loglevel.cf
  Content: Customized notifyd logging information
  Backup technique/path: FTP from security gateway. Replaced by notifysingle.cf.
cron jobs
  Content: Configuration information for periodic automatic actions, such as backing up log files
  Backup technique/path: FTP from security gateway
RemPass
  Content: RemLog password
  Backup technique/path: FTP from security gateway; /usr/raptor/bin/rempass
Entrust Certificate
  Content: Certificate generated from an external Entrust authentication server
  Backup technique/path: FTP from security gateway; /var/lib/sg
startgw
  Content: Startup scripts run on the gateway
  Backup technique/path: FTP from security gateway; /usr/raptor/bin/startgw
Routes
  Content: Changes made using the OS, and not the SGMI
  Backup technique/path: Changes must be added using the console, to SGMI managed dynamic routes, or from console start up scripts.
zebra.conf, ospfd.conf, ripd.conf, igp.conf
  Content: Dynamic routing configuration files
  Backup technique/path: FTP from security gateway; /var/lib/sg/zebra/zebra.conf, /var/lib/sg/management/edit/zebra/zebra.conf, /var/lib/sg/backup/zebra/zebra.conf, /var/lib/sg/zebra/ospfd.conf, /var/lib/sg/management/edit/zebra/ospfd.conf, /var/lib/sg/backup/zebra/ospfd.conf, /var/lib/sg/zebra/ripd.conf, /var/lib/sg/management/edit/zebra/ripd.conf, /var/lib/sg/backup/zebra/ripd.conf
cman.ora
  Content: Oracle connection manager configuration file. Used to configure SQL traffic.
  Backup technique/path: FTP from security gateway; /usr/raptor/oracle_netprxy/network/admin
Other Symantec Gateway Security 5000 Series v2.0.1 manually configured information is automatically backed up and restored.
Table 3-3 shows manually configured Symantec Gateway Security 5000 Series information that is automatically backed up and restored.
Table 3-3 Manually configured Symantec Gateway Security 5000 Series v2.0.1 information automatically backed up and restored
sdconf.rec
  Content: SecurID configuration information
  Backup technique/path: automatic
httpurlpattern.cf
  Content: cf file with URL deny list
  Backup technique/path: automatic
httpcaps.cf
  Content: cf file with browser configuration
  Backup technique/path: automatic
dhcprelay.conf
  Content: DHCP relay/forwarding configuration
  Backup technique/path: automatic
For information about restoring your configurations, see “Restoring configurations” on page 53.
For information about restoring your licenses, see “Restoring license files” on page 54.
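The license backup steps earlier in this section and the manually backed-up items in Table 3-2 both come down to copying files off the appliance and keeping proof that the copies are intact. The following shell script is an added example, not part of this guide or of the appliance software: it stages the license files (every .slf except 10284.11.slf, as the procedure above requires) and the Table 3-2 paths under one directory that preserves each file's original absolute path, then writes a cksum manifest that can be rechecked after the staging directory has been transferred to its secure location. The staging directory name, the helper function names, and the sample files used when the script is exercised offline are assumptions; the license directory and the Table 3-2 paths are the ones printed in the guide.

```shell
#!/bin/sh
# Added example; not part of the Symantec guide or the appliance software.
# Stages the files that must leave the appliance before an upgrade under one
# directory that preserves each file's original absolute path, and records a
# cksum manifest so the copy can be re-verified after it is transferred to its
# secure location. Covers the license backup (all *.slf except 10284.11.slf)
# and the Table 3-2 items. The staging directory is an assumption; the paths
# below are the ones printed in the guide.

LICENSE_DIR=/opt/Symantec/Licenses
LICENSE_EXCLUDE=10284.11.slf

# Table 3-2 paths on a v2.0.1 appliance. /var/lib/sg is copied as a whole, so
# it already includes the zebra, management/edit/zebra and backup/zebra
# directories that the table lists separately. The table gives no path for
# loglevel.cf or the cron jobs, so they are not listed here.
MANUAL_PATHS="/var/log/sg/oldlogs
/var/lib/sg
/usr/raptor/bin/rempass
/usr/raptor/bin/startgw
/usr/raptor/oracle_netprxy/network/admin"

# stage_path SRC STAGE
# Copies SRC (a file, or a directory recursively) to STAGE/<absolute path of SRC>.
# Returns 1 if SRC does not exist so the caller can report it.
stage_path() {
    src="$1"; stage="$2"
    [ -e "$src" ] || return 1
    mkdir -p "$stage$(dirname "$src")" || return 1
    cp -pR "$src" "$stage$(dirname "$src")/"
}

# stage_licenses LICDIR STAGE EXCLUDE
# Stages every *.slf in LICDIR except EXCLUDE; prints how many were staged.
stage_licenses() {
    licdir="$1"; stage="$2"; exclude="$3"; n=0
    for f in "$licdir"/*.slf; do
        [ -e "$f" ] || continue                      # no .slf files at all
        [ "$(basename "$f")" = "$exclude" ] && continue
        stage_path "$f" "$stage" && n=$((n + 1))
    done
    echo "$n"
}

# stage_manual_paths STAGE   (paths on stdin, one per line)
# Stages each path; prints "missing: <path>" for any that is absent, which
# usually means that item was never configured on this gateway.
stage_manual_paths() {
    stage="$1"
    while read -r p; do
        [ -n "$p" ] || continue
        stage_path "$p" "$stage" || echo "missing: $p"
    done
}

# write_manifest STAGE: one cksum line per staged file. File names must not
# contain whitespace, which holds for every path in the guide.
write_manifest() {
    ( cd "$1" && find . -type f ! -name MANIFEST.cksum -exec cksum {} + > MANIFEST.cksum )
}

# verify_manifest DIR: 0 if every file still matches the manifest.
verify_manifest() {
    ( cd "$1" && cksum $(awk '{print $3}' MANIFEST.cksum) | cmp -s - MANIFEST.cksum )
}

# backup_all [STAGE]: the full run on the appliance as root. Afterwards the
# staging directory is moved off the appliance with the command-line FTP
# client and verify_manifest is run again on the copy.
backup_all() {
    stage="${1:-/tmp/sgs-backup-$(date +%Y%m%d)}"
    mkdir -p "$stage" && chmod 700 "$stage"
    echo "licenses staged: $(stage_licenses "$LICENSE_DIR" "$stage" "$LICENSE_EXCLUDE")"
    printf '%s\n' "$MANUAL_PATHS" | stage_manual_paths "$stage"
    write_manifest "$stage" && verify_manifest "$stage" && echo "staged under $stage"
}
```

Roll over the current log file before running it, as the Logs row of Table 3-2 says, so that /var/log/sg/oldlogs holds the events you want to keep; a "missing:" line for a path is expected on gateways where that item was never configured.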
Backing up cluster information
Security gateways that are members of a cluster cannot be upgraded or updated to Symantec Gateway Security 5000 Series v3.0.1 while they are members of the cluster. You must remove the security gateway from the cluster before performing the upgrade or update. Before you remove the security gateway from the cluster, you must back up the cluster configuration information.
For information regarding how to back up cluster configuration information, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
Performing remote upgrades and updates
You can remotely upgrade a Symantec Gateway Security 5000 Series v2.0.1 appliance or update a Symantec Gateway Security 5000 Series v3.0 appliance to Symantec Gateway Security 5000 Series v3.0.1. Remote upgrades or updates do not require using the Symantec Gateway Security Software and Restore Image Version 3.0.1 CD-ROM or having physical access to the appliance. You must have an FTP server that is accessible from the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 security gateway to use this method.
For Symantec Gateway Security 5000 Series v2.0.1 appliances, use SRL to access the appliance’s command line interface for the following procedures.
For Symantec Gateway Security 5000 Series v3.0 appliances, use SSH to access the appliance’s command line interface for the following procedures.
You cannot remotely upgrade Symantec Clientless VPN Gateway 4400 Series v5.0 to Symantec Gateway Security 5000 Series v3.0.1. You must use the Symantec Gateway Security Software and Restore Image Version 3.0.1 CD-ROM.
Uploading the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to an FTP server
The Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM media is made up of a single 650MB file that contains all files needed to upgrade your Symantec Gateway Security 5000 Series v2.0.1, or update your Symantec Gateway Security 5000 Series v3.0 appliance to Symantec Gateway Security 5000 Series v3.0.1. You must have an FTP server to use this procedure.
To use this procedure, you must copy the contents of the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to your FTP server and then download the upgrade files to your Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance.
Downloading the upgrade or update files to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance
You copy the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to the appliance’s root directory using the appliance’s command-line FTP client. You can download the entire kit at one time, or download the kit as split parts. The split kit divides the kit into twelve parts to accommodate high latency connections with slow download speeds. Once you have all the parts of the kit loaded on the appliance, the utility reassembles them when it starts the upgrade or update.
Verify the amount of free disk space on the appliance before starting the download.
Verify the amount of free disk space on the appliance
You will need 1 GB of free disk space on the appliance.
To verify the amount of free disk space on the appliance
1 Do one of the following:
Log in to the Symantec Gateway Security 5000 Series v2.0.1 appliance using SRL.
Log in to the Symantec Gateway Security 5000 Series v3.0 appliance using SSH.
2 Do one of the following:
On the v3.0 command line, type df -h | grep /dev/system/root | awk '{print $2}'
On the v2.0.1 command line, type df -h | grep /dev/hd | awk '{print $2}'
3 Press Enter.
Downloading the entire or split kit
You can download the entire kit at one time, or download the kit as split parts. You can split the kit into twelve parts if you have high latency connections with slow download speeds. Once you have all the parts of the kit on the appliance, the utility reassembles them when you start the upgrade or update.
To download the entire kit to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance
1 Log on to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance command-line interface as the root user.
2 Using the command-line FTP program on the appliance, copy the entire kit from your FTP server to the appliance.
To split a kit on the FTP server
1 Log on to the FTP server.
2 Do one of the following:
On a Linux system, on the command line, type the following command: tar -xvzf update.tar.gz
On a Windows system, use a tool such as WinRAR.
To download the split kit to the Symantec Gateway Security 5000 Series v3.0 appliance
1 Do one of the following:
Log in to the Symantec Gateway Security 5000 Series v2.0.1 appliance using SRL.
Log in to the Symantec Gateway Security 5000 Series v3.0 appliance using SSH.
2 Using the command-line FTP program on the appliance, copy each of the 12 parts of the split kit individually from your FTP server to the appliance.
3 Copy the script sgs301_upgrade.sh from your FTP server to the appliance.
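The download steps above leave two things for the administrator to confirm by hand before sgs301_upgrade.sh is run: that the appliance really has the 1 GB of free space the guide requires, and that all 12 parts of the split kit arrived unchanged over FTP, which carries no integrity protection of its own. The following script is an added example (not the guide's sgs301_upgrade.sh or any Symantec tool) that checks both. It reads the Available column of `df -Pk` (column 4; the guide's one-liners in the free-space procedure print column 2, which is the filesystem's total size) and compares each part against a cksum manifest generated on the FTP server right after the split. The part file names (update.partNN), the manifest name MANIFEST.cksum, the function names, and the sample df output used in the offline check are assumptions.

```shell
#!/bin/sh
# Added pre-flight check; not part of the Symantec guide or sgs301_upgrade.sh.
# Confirms, before the remote update is started, that the appliance has the
# 1 GB of free space the guide requires and that every part of the split kit
# arrived intact. FTP provides no integrity protection, so each part is
# compared with a cksum manifest generated on the FTP server after the split.
# Part names (update.partNN) and the manifest name are assumptions.

REQUIRED_KB=1048576   # 1 GB, the figure given in the guide

# avail_kb DF_OUTPUT FILESYSTEM
# Prints the Available column (KB) of `df -Pk` output for FILESYSTEM.
# Column 4 is free space; column 2 is the filesystem's total size.
avail_kb() {
    printf '%s\n' "$1" | awk -v fs="$2" '$1 == fs { print $4; exit }'
}

# has_free_space DF_OUTPUT FILESYSTEM: 0 if Available >= REQUIRED_KB.
has_free_space() {
    kb=$(avail_kb "$1" "$2")
    [ -n "$kb" ] && [ "$kb" -ge "$REQUIRED_KB" ]
}

# kit_complete DIR MANIFEST
# MANIFEST holds one cksum line per part ("crc size name"). Returns 0 only if
# every listed part exists in DIR with a matching CRC and size; otherwise
# prints the first missing or corrupt part and returns 1.
kit_complete() {
    dir="$1"; manifest="$2"
    while read -r crc size name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name"
            return 1
        fi
        set -- $(cd "$dir" && cksum "$name")
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "corrupt: $name"
            return 1
        fi
    done < "$manifest"
}

# make_sample_kit DIR: writes 12 constructed parts plus their manifest, the
# same way the manifest would be produced on the FTP server after the split
# (cd <split dir> && cksum update.part* > MANIFEST.cksum).
make_sample_kit() {
    i=1
    while [ "$i" -le 12 ]; do
        printf 'constructed kit part %02d\n' "$i" > "$1/update.part$(printf '%02d' "$i")"
        i=$((i + 1))
    done
    ( cd "$1" && cksum update.part* > MANIFEST.cksum )
}

# preflight FILESYSTEM KITDIR: the live check to run on the appliance as root.
# FILESYSTEM is /dev/system/root on v3.0 or the /dev/hd* root device on v2.0.1.
preflight() {
    has_free_space "$(df -Pk)" "$1" || { echo "less than 1 GB free on $1"; return 1; }
    kit_complete "$2" "$2/MANIFEST.cksum" || return 1
    echo "pre-flight checks passed"
}

case "${1-}" in
    demo)  d=$(mktemp -d); make_sample_kit "$d"
           kit_complete "$d" "$d/MANIFEST.cksum" && echo "sample kit verified" ;;
    check) preflight "$2" "$3" ;;
esac
```

Run `sh preflight.sh check /dev/system/root /` on a v3.0 appliance after copying the 12 parts and MANIFEST.cksum to the root directory; `sh preflight.sh demo` exercises the checks on constructed parts without touching the appliance.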
Running the upgrade or update
Once the kit is completely downloaded to the Symantec Gateway Security 5000 Series v2.0.1, or Symantec Gateway Security 5000 Series v3.0 appliance, you can run the utility. In this procedure, you select one configured interface on the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance to access the appliance after completing the upgrade or update. This can be any interface configured with a static IP address. In most cases, this will be the interface to which you are currently connected.
When the upgrade or update completes, the security gateway is ready to be configured using the System Setup Wizard. You can access the security gateway and use the SGMI through the default interface you specified. To access the security gateway, you must enter the default password you specified during the upgrade or update process.
When accessing the security gateway after the upgrade or update, you can complete the tasks to restore your configuration, license files, and certificates.
See “Post-upgrade or update restoration” on page 52.
To run the upgrade or update
1 Do one of the following:
Log on to the Symantec Gateway Security 5000 Series v2.0.1 appliance using SRL.
Log on to the Symantec Gateway Security 5000 Series v3.0 appliance using SSH.
2 On the command-line, type the following command:
sh sgs301_upgrade.sh
3 Press Enter.
4 When prompted by the following message, type Y to indicate yes, or type N to indicate no.
Have you followed the upgrade preparations described in the Symantec Gateway Security 5000 Series Installation Guide? [N]:
5 Press Enter.
6 When prompted, type the name of the interface to use to connect to the Symantec Gateway Security 5000 Series v3.0.1 appliance after the upgrade or update. This can be an inside or outside interface. Outside interfaces must be configured with a static IP address. The default is interface eth0.
7 Press Enter.
8 When the settings for the interface you selected display and you are prompted to confirm the interface information, type y to confirm the selection.
9 Press Enter.
10 When prompted by the following message, type a password to use to access the security gateway after the upgrade.
Please enter a password
The admin and root passwords are set to the password you type.
11 Press Enter.
12 When prompted by the following message, type the password again.
Confirm password
13 Press Enter.
14 When you are prompted to begin by the following message, type Y to begin the upgrade, or type N to stop.
Ready to begin Symantec Gateway Security 5000 Series V 3.0 to V 3.0.1 Upgrade? [Y]es or [N]o:
If you typed y, the upgrade or update begins. The appliance starts the process, and then reboots when it is finished.
When the upgrade or update is complete, the LCD displays the following:
cpu **% Raid(**) log **% Stopped
You can now access the appliance using the SGMI with the password you created in this process.
See “Post-upgrade or update restoration” on page 52.
Post-upgrade or update restoration
After the upgrade or update process finishes, you must do the following:
Access the SGMI.
See “SGMI access after upgrading or updating” on page 52.
Install your licenses from the file where you saved them.
See “Restoring license files” on page 54.
Restore your configurations from your backup file.
See “Restoring configurations” on page 53.
View the upgrade reports.
See “About Symantec Gateway Security 5000 Series v2.0.1 upgrade reports” on page 55.
After upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1, you restore only your previous configurations and licenses. Symantec Gateway Security 5000 Series v3.0.1 does not support restoring data files other than configuration files and licenses. However, you can use the other information you backed up as a reference when modifying the configuration of the security gateway after the upgrade or update.
For more information on how to configure the security gateway, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
When upgrading from Symantec Gateway Security 5000 Series v2.0.1, the security gateway automatically generates reports that provide details about the upgrade. These reports are not generated automatically when updating from Symantec Gateway Security 5000 Series v3.0, but are available through the SGMI.
See “About Symantec Gateway Security 5000 Series v2.0.1 upgrade reports” on page 55.
Upgrading from Symantec Clientless VPN Gateway 4400 Series v5.0 to Symantec Gateway Security 5000 Series v3.0.1 requires reviewing certain aspects of your configuration after the upgrade.
See “Post-upgrade tasks for upgraded Symantec Clientless VPN Gateway 4400 Series v5.0
configurations” on page 64.
SGMI access after upgrading or updating
After upgrading or updating to Symantec Gateway Security 5000 Series v3.0.1, you access the SGMI by performing a password-controlled logon as admin. If you upgraded or updated locally, you access the SGMI after completing the OS restore and initial setup process. You use the default password.
See “Restoring the appliance firmware with the Symantec Gateway Security OS Restore CD ROM” on page 24.
If you upgraded or updated remotely, you access the SGMI using the management interface and password you specified during the process.
After upgrading or updating, the first time you connect to the Symantec Gateway Security 5000 Series v3.0.1 SGMI, the System Setup Wizard starts automatically. The System Setup Wizard lets you restore your configurations.
See “Running the System Setup Wizard” on page 31.
Factory reset
If you perform a factory reset of the appliance after the upgrade or update, it returns to Symantec Gateway Security 5000 Series v3.0.1.
See “Using the LCD system menu” on page 14.
Restoring configurations
The System Setup Wizard displays automatically the first time you access the SGMI to let you restore the backed-up configurations. The wizard provides options for restoring Symantec Gateway Security 5000 Series v2.0.1, Symantec Gateway Security 5000 Series v3.0, or Symantec Clientless VPN Gateway 4400 Series v5.0 images.
Note: In a clustered environment, backup and restore do not restore the cluster association. You need to run the Cluster Wizard following the restore to reestablish the cluster association. You cannot reestablish the cluster until all members are upgraded or updated to the same version.
For more information on how to configure the security gateway after restoring your previous configurations, including a description of the System Setup Wizard, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
To restore configurations
1 In the SGMI, on the File menu, click Restore.
2 In the Restore Wizard panel, click Standalone gateway.
3 Click Next.
4 In the Setup Options panel, click Merge backup configuration’s network interfaces data.
5 Click Next.
6 To restore a Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000
Series v3.0 image, in the Restore Settings panel, do the following:
Click Restore from a Symantec Gateway Security backup image.
Next to the Backup file text box, click Browse.
In the Open dialog box, navigate to the location of the backup file.
Select the backup file, and then click Open.
In the Password text box, type the password that was used to back up the security gateway
configuration.
Optionally, to restore the local administrator accounts that are defined in the backup file,
check Restore administrator accounts.
7 To restore a Symantec Clientless VPN Gateway 4400 Series v5.0 image, in the Restore Settings
panel, do the following:
Click Restore from a Symantec Clientless VPN Gateway backup image.
Next to the backup file text box, click Browse.
In the Open dialog box, navigate to the location of the backup file.
Select the backup file, and then click Open.
If you backed up LDAP data, next to the LDAP data file text box, click Browse.
In the Open dialog box, navigate to the location of the LDAP data file.
Select the LDAP data file, and then click Open.
8 Click Next.
One of two things happens:
If the restore is successful, the Machine Settings panel is displayed.
If the restore is unsuccessful, an error message informs you that the restore has been rolled back, meaning that the security gateway remains in the state that it was in when you began the restore operation. Click OK to clear the message, and then click Cancel to exit the wizard.
9 In the Machine Settings panel, do one of the following:
Make changes to machine and system settings, and then click Next.
To proceed without making changes, click Next.
10 In the Network Interfaces panel, do one of the following:
Make changes to network interfaces, and then click Next.
To proceed without making changes, click Next.
11 In the Confirmation panel, review the summary of your configuration.
12 Click Finish.
After the restored configurations have been validated, a message tells you that the security gateway will be rebooted in 30 seconds, and asks if you want to reboot immediately.
13 If you do not want to wait for the reboot to start, click OK.
The Symantec Gateway Security 5000 Series v3.0.1 logon dialog box displays and the security gateway reboots.
14 When the reboot has completed, log on to the SGMI again.
Restoring license files
After you upgrade or update to Symantec Gateway Security 5000 Series v3.0.1, you must restore the license files. The license files must be present on your management computer.
To restore license files
1 In the SGMI, in the left pane, under System, click Licensing.
2 In the right pane, on the Installed Licenses tab, click Install.
3 In the License Installation Wizard panel, click Next.
4 In the Obtain License Files panel, click Next.
5 In the Upload License Files panel, click Upload File.
6 Navigate to the folder in which you stored your license files.
7 Select the license file, and then click Open.
8 Click Next.
9 When the wizard completes, click Finish.
About Symantec Gateway Security 5000 Series v2.0.1 upgrade reports
When you upgrade from Symantec Gateway Security 5000 Series v2.0.1 to Symantec Gateway Security 5000 Series v3.0.1 and then restore your Symantec Gateway Security 5000 Series v2.0.1 configurations, the security gateway automatically creates two upgrade reports based on your restored configurations: an upgrade summary report and an upgrade detail report. The summary report displays automatically once the restoration and validation is complete. The detail report is a complete list of all actions taken during the restoration. It contains detailed information that may assist Symantec Technical Support.
Note: Upgrade reports are not generated when you restore Symantec Gateway Security 5000 Series v3.0 configurations to a Symantec Gateway Security 5000 Series v3.0.1 appliance.
The upgrade summary report contains messages for all Symantec Gateway Security 5000 Series v2.0.1 to Symantec Gateway Security 5000 Series v3.0.1 configuration modifications made during the restoration. The following types of upgrade messages are generated:
Action Describes configurations that you must modify to ensure proper security gateway functionality.
Warning Describes configurations that you may want to view and test.
Information Describes configurations that you might be interested in, but will not likely be required to act upon.
Support Support messages are only included in the detail upgrade report.
Both reports are available in the Symantec Gateway Security 5000 Series v3.0.1 SGMI, and as an HTML file which you can retrieve from the appliance using FTP or SSH. You have access to these reports until the next upgrade, or until you do a factory reset or OS restore.
Post-upgrade tasks for upgraded Symantec Gateway Security 5000 Series v2.0.1 configurations
There are features of Symantec Gateway Security 5000 Series v2.0.1 and Symantec Enterprise Firewall v8.0 that are no longer available, or that are replaced with similar functionality on Symantec Gateway Security 5000 Series v3.0.1. Review the upgrade summary report, and perform all necessary post-upgrade tasks listed in this section.
For more information on unavailable or replaced features, see the Symantec Gateway Security 5000 Series v3.0.1 Release Notes.
There are some post-upgrade tasks that you must perform after upgrading from Symantec Clientless VPN Gateway 4400 Series v5.0.
See “Post-upgrade tasks for upgraded Symantec Clientless VPN Gateway 4400 Series v5.0 configurations” on page 64.
LiveUpdate
The Symantec Gateway Security 5000 Series v3.0.1 LiveUpdate server is configured separately from the individual components that use it. This lets multiple components update from the same LiveUpdate server without having to retype the server URL and credentials for each component.
Upgrading addresses each LiveUpdate component configuration, consolidating references to LiveUpdate servers. If a server URL is http://liveupdate.symantecliveupdate.com, then the upgrade references the component to the default Symantec LiveUpdate server that was created during the installation. Otherwise, the upgrade creates a new LiveUpdate server entry. The name of this entry is the URL, and the user name and password are blank.
After upgrading, check the URL, user names, and passwords.
Authentication methods
Symantec Gateway Security 5000 Series v2.0.1 uses authentication methods to define authentication for end users using different types of on-box and off-box authentication servers. Symantec Gateway Security 5000 Series v3.0.1 uses schemes to define authentication of end users. All existing authentication methods are converted to schemes. All references to authentication methods by other objects in the configuration are converted to equivalent references to schemes.
After upgrading, check all authentication schemes.
Authentication sequences
Authentication sequences are also replaced by authentication schemes in Symantec Gateway Security 5000 Series v3.0.1. An authentication sequence is a specific type of authentication method in Symantec Gateway Security 5000 Series v2.0.1. An authentication sequence combines any number of other authentication methods. An end user using an authentication sequence needed to authenticate successfully to any method in the sequence to gain access.
Schemes can contain multiple authentication methods, referencing the authentication servers that perform the authentication. An end user using a scheme must successfully authenticate to all servers in the scheme.
For more information about authentication sequences, see Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
After upgrading, review new schemes and adjust if necessary.
Dynamic authentication sequences
All dynamic authentication sequence names began with the text dynamic. You can have only one authentication sequence named dynamic. In Symantec Gateway Security 5000 Series v2.0.1, for specific authentication methods, a dynamic authentication sequence provides off-box end user authentication without having to configure authentication server users on the security gateway. Upgrading converts Symantec Gateway Security 5000 Series v2.0.1 dynamic authentication sequences to Symantec Gateway Security 5000 Series v3.0.1 dynamic authentication schemes.
Dynamic authentication group names
Group names in Symantec Gateway Security 5000 Series v2.0.1 that are in the format <servername>-<group> are retained. In authentication schemes, the Group Information check box is checked so that when the group name is used in a rule, the group information is looked up.
Group names in the format <servername>-<none> are changed to dynamic-none. To have rules authenticate all users, regardless of their group membership, after upgrading, the Group Information check box must be unchecked. If you do not uncheck the Group Information check box, rules will authenticate only users with no group.
Authentication using multiple servers
Upgrade converts all authentication sequences to schemes. Authentication sequences containing multiple authentication methods are upgraded according to Symantec Gateway Security 5000 Series v3.0.1 rules. The authentication performed using the newly created scheme is different from previous versions.
For more information about authentication using multiple servers, see Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
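The conversion rules in the authentication sections above (sequences become schemes, sequences named dynamic become dynamic schemes, and <servername>-<none> group names become dynamic-none) can be checked before the upgrade. The following pre-upgrade lint is an added example, not part of the product or this guide; the Sequence and group representation is constructed for illustration and is not the appliance's own configuration format, and the treatment of names without a hyphen is an assumption.

```python
"""Pre-upgrade lint for v2.0.1 authentication objects, written from the
conversion rules described in this guide. Added example; the data structures
below are constructed and are not the appliance's configuration format."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Sequence:
    name: str
    methods: list[str]      # v2.0.1 authentication method names (constructed)


@dataclass
class Scheme:
    name: str
    servers: list[str]
    dynamic: bool
    notes: list[str] = field(default_factory=list)


def convert_sequence(seq: Sequence) -> Scheme:
    """Every sequence becomes a scheme; a name beginning with 'dynamic' becomes
    a dynamic scheme. A multi-method sequence is flagged because the v2.0.1
    sequence accepted a user who passed ANY method, while the v3.0.1 scheme
    requires the user to pass ALL of its servers."""
    scheme = Scheme(seq.name, list(seq.methods), seq.name.startswith("dynamic"))
    if len(seq.methods) > 1:
        scheme.notes.append(
            "any-of semantics became all-of; users who authenticated to only "
            "some of these servers will now be refused")
    return scheme


def convert_group_name(group: str) -> tuple[str, bool, str | None]:
    """Return (v3.0.1 group name, Group Information check box state after the
    upgrade, review note). Assumption: the group part is the text after the
    last '-' of a <servername>-<group> name; names without '-' are left alone."""
    _server, sep, grp = group.rpartition("-")
    if not sep:
        return group, False, None
    if grp == "none":
        return ("dynamic-none", True,
                "Group Information stays checked, so rules match only users with "
                "no group; uncheck it to authenticate all users regardless of group")
    return group, True, None


def lint_config(sequences: list[Sequence], groups: list[str]) -> list[str]:
    """Collect everything an administrator should review after the upgrade."""
    findings = []
    if sum(1 for s in sequences if s.name == "dynamic") > 1:
        findings.append("more than one sequence named 'dynamic'; only one is allowed")
    for seq in sequences:
        scheme = convert_sequence(seq)
        for note in scheme.notes:
            findings.append(f"scheme {scheme.name}: {note}")
    for group in groups:
        new_name, _checked, note = convert_group_name(group)
        if note:
            findings.append(f"group {group} -> {new_name}: {note}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real appliance.
    seqs = [Sequence("dynamic-radius", ["radius1"]),
            Sequence("corp-login", ["ldap1", "radius1"])]
    for finding in lint_config(seqs, ["ldap1-staff", "ldap1-none"]):
        print(finding)
```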
Bellcore S/Key authentication
S/Key authentication methods in Symantec Gateway Security 5000 Series v2.0.1 are replaced by new internal authentication in Symantec Gateway Security 5000 Series v3.0.1.
The upgrade report states that users are migrated from Bellcore S/Key to the new internal authentication. All rules that have previously used Bellcore S/Key authentication are migrated to the new internal authentication.
After upgrading, reset former Bellcore S/Key user passwords.
gwpassword authentication
gwpassword authentication methods in Symantec Gateway Security 5000 Series v2.0.1 are replaced by new internal authentication in Symantec Gateway Security 5000 Series v3.0.1.
The upgrade report states that users are transferred from gwpassword to the new internal authentication. All user passwords are upgraded automatically. All rules previously using gwpassword authentication are migrated to rules that use the new internal authentication.
The new internal authentication maintains separate fields for the user first name and last name. The upgrade splits the full name of each user into these separate name fields and lists the modified names in the upgrade report.
PassGo Defender authentication
RADIUS replaces PassGo native Defender authentication in Symantec Gateway Security 5000 Series v3.0.1. It is compatible with external PassGo Defender authentication servers. Upgrading converts any configured PassGo Defender authentication method to a RADIUS method. By default, the new RADIUS method uses the RADIUS port (1812).
If you use a newer PassGo Defender server that handles RADIUS, then after upgrading, do the following:
Configure a shared secret on both the PassGo Defender server and Symantec Gateway Security
5000 Series v3.0.1.
Check, and if necessary, adjust any rules using the new RADIUS authentication.
If you use a PassGo Defender server that cannot handle the RADIUS protocol, then after upgrading, do the following:
Upgrade the PassGo Defender server to a version that supports the RADIUS protocol.
Configure a shared secret on both the PassGo Defender server and Symantec Gateway Security
5000 Series v3.0.1.
Check, and if necessary, adjust any rules using the new RADIUS authentication.
If you cannot upgrade the PassGo Defender server, then after upgrading, do the following:
Set up a RADIUS server to act as a proxy.
Direct the RADIUS server to the PassGo Defender server for authentication.
Modify the RADIUS server object configured on Symantec Gateway Security 5000 Series v3.0.1 to
direct authentication to the new RADIUS server.
SecurID authentication
If you use SecurID authentication with Symantec Gateway Security 5000 Series v2.0.1, you must replace the SecurID node secret in Symantec Gateway Security 5000 Series v3.0.1. The first time the security gateway contacts the SecurID server, the server responds with a hashed client authentication file named SecurID. The security gateway stores this file in the /var/lib/sg directory.
After upgrading, on the SecurID/ACE server, uncheck the Sent Node Secret check box.
Entrust authentication
A security gateway configured to use external Entrust authentication must have the Entrust server’s certificate installed. You must either back up the Symantec Gateway Security 5000 Series v2.0.1 certificate manually or regenerate it from the Entrust server before you upgrade.
Before upgrading, do the following:
In Symantec Gateway Security 5000 Series v2.0.1, using SRL, back up the Entrust certificate.
If you cannot back up the Entrust certificate, regenerate an Entrust certificate.
After upgrading, reinstall the Entrust certificate using the console.
TACACS authentication
Upgrading removes Terminal Access Controller Access Control System (TACACS) authentication methods from the configuration. Any traffic requiring TACACS authentication will not pass through the security gateway.
After upgrading, do the following:
Add a new authentication server, such as RADIUS or the Symantec Gateway Security 5000 Series v3.0.1 internal authentication, to the empty TACACS scheme created by the upgrade.
Configure the necessary off-box authentication servers or the Symantec Gateway Security 5000 Series v3.0.1 internal authentication.
Optionally, rename the TACACS authentication scheme in Symantec Gateway Security 5000 Series v3.0.1 to reflect the new method of authentication.
External LDAP
In previous Symantec Gateway Security versions, you configure external Lightweight Directory Access Protocol (LDAP) so that clear-text passwords are sent to the authentication server. Symantec Gateway Security 5000 Series v3.0.1 includes LDAP over SSL, which creates an SSL channel between the security gateway and the LDAP server. You can now send passwords securely over SSL.
Optionally, after upgrading, do the following:
Configure LDAP using the Symantec Gateway Security 5000 Series v3.0.1 SGMI.
Turn on SSL on your LDAP server.
Convert any existing LDAP configuration to use SSL, specifying the default port 636.
IDS
All IDS-protected network interfaces in Symantec Gateway Security 5000 Series v2.0.1 are converted in Symantec Gateway Security 5000 Series v3.0.1 to the default IDS policy, high. While Symantec Gateway Security 5000 Series v3.0.1 IDS continues to protect the configured network interfaces, the actions that are taken when a particular signature is matched are different.
After upgrading, adjust IDS policies, if necessary.
Content security
The Symantec Gateway Security 5000 Series v2.0.1 content security settings configured in the service group are migrated to Symantec Gateway Security 5000 Series v3.0.1 firewall rules. Upgrading copies the values from Symantec Gateway Security 5000 Series v2.0.1 service group properties to each rule that references the service group.
Antivirus comforting
In previous product versions, antivirus comforting is based on the size of the scanned file. In Symantec Gateway Security 5000 Series v3.0.1, comforting is based on the amount of time required to download the scanned file.
After upgrading, adjust the antivirus default comforting time values, as necessary.
Antivirus scanning off-box
Both Symantec Gateway Security 5000 Series v2.0.1 and Symantec Enterprise Firewall v8.0 provide off-box (remote) antivirus scanning capability. In Symantec Gateway Security 5000 Series v3.0.1, all antivirus scanning uses on-box scanning. Off-box scanning is not available in Symantec Gateway Security 5000 Series v3.0.1.
When migrating a configuration that used off-box scanning, upgrading configures the security gateway to use on-box antivirus scanning using the settings that were configured on Symantec Gateway Security 5000 Series v2.0.1 or Symantec Enterprise Firewall v8.0. Upgraded settings include file types to scan and the action to take when a virus is found.
Settings that were configured on the off-box antivirus server are not migrated. Settings that are not upgraded include the frequency that LiveUpdate runs. The defaults are used for these settings.
After upgrading, verify that the upgrade default values for antivirus scanning and antivirus LiveUpdate match those used by the off-box scanner, and adjust as necessary.
Antivirus response messages
In Symantec Gateway Security 5000 Series v3.0.1, you can configure the following messages to include in an email in which a virus is found:
The first message is appended to the email itself.
The second message is inserted into a file that replaces the one containing the virus.
In Symantec Gateway Security 5000 Series v2.0.1, if you did not want to include either message, you could replace all text in the message field with space characters.
In Symantec Gateway Security 5000 Series v3.0.1, you can turn off the antivirus response messages without requiring you to delete the message text. If upgrading finds an antivirus message response field to be empty or to contain nothing but space characters, then it does the following:
Turns off that type of antivirus message response in every rule in which mail antivirus is enabled.
Leaves the default message in the message field.
Includes an informational message in the upgrade report.
After upgrading, verify that the new default settings are appropriate.
Antivirus X-Virus header
If in Symantec Gateway Security 5000 Series v2.0.1 you set the advanced option antivirus.config.MIMEHeaderInfectionFlag to either 1 or 2, then upgrading sets both SMTP and POP3 response actions to Insert X-Virus Header.
After upgrading, verify that the new response actions are appropriate.
Antispam mail sender (bad senders list)
In Symantec Gateway Security 5000 Series v2.0.1, the mail sender line pattern matching configured in the SMTP proxy uses a regular expression. Symantec Gateway Security 5000 Series v3.0.1 uses wildcard expressions.
After upgrading, convert the regular expression in the bad senders list to wildcards where possible.
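Converting the bad senders list by hand is error-prone, so the following converter, an added example that is not part of the product or this guide, rewrites each regular expression into a wildcard only where the translation is exact and reports the rest for manual rework, so that no sender is silently allowed or blocked. It assumes the v3.0.1 wildcard syntax uses '*' for any run of characters and '?' for exactly one character, which the guide does not specify.

```python
"""Convert v2.0.1 bad-senders regular expressions to v3.0.1 wildcards.

Added example. Assumption: wildcards use '*' (any run of characters) and
'?' (exactly one character). Any regex construct without an exact wildcard
equivalent is returned as None rather than approximated."""
from __future__ import annotations

import re

# Regex metacharacters; any of these outside the handled cases means "not convertible".
_META = set(r"\.^$*+?{}[]()|")


def regex_to_wildcard(pattern: str) -> str | None:
    """Return the equivalent wildcard, or None when no exact equivalent exists."""
    p = pattern
    anchored_start = p.startswith("^")
    if anchored_start:
        p = p[1:]
    anchored_end = p.endswith("$") and not p.endswith(r"\$")
    if anchored_end:
        p = p[:-1]
    # An unanchored regex matches anywhere in the sender line: pad with '*'.
    out = [] if anchored_start else ["*"]
    i, n = 0, len(p)
    while i < n:
        c = p[i]
        if c == "\\":
            if i + 1 >= n:
                return None                 # dangling backslash
            esc = p[i + 1]
            if esc in "dDwWsSbB" or esc in "*?":
                return None                 # class shorthand, or a literal '*' / '?'
            out.append(esc)                 # \. \@ \\ ... become plain characters
            i += 2
        elif c == ".":
            nxt = p[i + 1] if i + 1 < n else ""
            if nxt == "*":
                out.append("*")             # .* -> any run of characters
                i += 2
            elif nxt == "+":
                out.append("?*")            # .+ -> at least one character
                i += 2
            elif nxt in ("?", "{"):
                return None                 # optional or counted run: no exact form
            else:
                out.append("?")             # . -> exactly one character
                i += 1
        elif c in _META:
            return None                     # classes, groups, alternation, quantifiers
        else:
            out.append(c)
            i += 1
    if not anchored_end:
        out.append("*")
    # Collapse runs of '*' (for example an unanchored pattern that begins with '.*').
    return re.sub(r"\*{2,}", "*", "".join(out))


def convert_bad_senders(entries: list[str]) -> tuple[dict[str, str], list[str]]:
    """Split a bad-senders list into {regex: wildcard} and the entries to fix by hand."""
    converted, manual = {}, []
    for rx in entries:
        wc = regex_to_wildcard(rx)
        if wc is None:
            manual.append(rx)
        else:
            converted[rx] = wc
    return converted, manual


if __name__ == "__main__":
    # Constructed sample list; not taken from any real configuration.
    sample = [r"^.*@spam\.example\.com$", r"spam\.example\.com$",
              r"^bad[0-9]+@example\.com$", r"^(foo|bar)@example\.com$", "spammer"]
    done, todo = convert_bad_senders(sample)
    for rx, wc in done.items():
        print(f"{rx!r:32} -> {wc}")
    for rx in todo:
        print(f"{rx!r:32} -> rewrite manually")
```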
Content filtering
The list of content filtering categories is expanded in Symantec Gateway Security 5000 Series v3.0.1. Some categories in previous product versions have been moved into multiple subcategories. Your configured content profiles that use the Symantec Gateway Security 5000 Series v2.0.1 and Symantec Enterprise Firewall v8.0 categories are upgraded to use the appropriate new categories, as described in Table 3-4.
Table 3-4 Content filtering categories

| Symantec Gateway Security 5000 Series v2.0.1 categories | Symantec Gateway Security 5000 Series v3.0.1 categories | Description |
| --- | --- | --- |
| | Adult Humor | Sites that are dedicated to comedians, jokes, comic strips, email jokes, and other humorous material intended for an adult audience. |
| Alcohol | Alcohol-Tobacco | Sites that sell, promote, or advocate the use of alcoholic beverages (including beer, wine, and hard liquors) and tobacco products (including cigarettes, cigars, and pipe and chewing tobacco). |
| | Anonymous Proxies | Sites that allow Internet content to be retrieved on behalf of a user with the intent of obscuring the user’s identity from the content server or obscuring the source of the content from content filtering software, or both. |
| | Crime | Sites that provide instructions on performing criminal activities or acquiring illegal items, including defeating security, disabling, or otherwise interfering with computer systems (hacking or cracking); unauthorized use of telephone or communications equipment to place free calls or charge another's account for calls (phreaking); deactivating copy protection or registration schemes of software or hardware systems (pirating and warez); construction and usage of munitions such as pipe bombs, letter bombs, and land mines; and lock picking, spying, or general subterfuge and defeating of security measures. |
| Drugs | Drugs/Advocacy | Sites that advocate the use of illegal drugs for medical and personal use. |
| Drugs | Drugs/Non-medical | Sites that provide information on growth, distribution, and advocacy of drugs for nonmedical use (typically mood-altering). Does not include alcohol or tobacco products. |
| | Entertainment/Games | Sites that are dedicated to games, gaming, game tips, game downloads, interactive games, and multiplayer games. |
| Sports | Entertainment/Sports | Sites that are dedicated to professional and amateur sports and sporting events. |
| | Finance | Sites that are dedicated to personal finance, banking, stock trading, and wealth accumulation. |
| Gambling | Gambling | Sites that are dedicated to the promotion of, or participation in, wagering, gambling, casinos, or lotteries. |
| | Humor | Sites that are dedicated to jokes, comic strips, stupid news, email jokes, other humorous material, and comedians. |
| | Interactive/Chat | Sites that are providing interactive communication services, such as Webchat, bulletin boards, and IRC. |
| | Interactive/Mail | Sites that provide interactive electronic-mail services. |
| Racist | Intolerance | Sites that advocate intolerance or hatred of a person or group of people. |
| | Job Search | Sites dedicated to job searching, job listings, resume exchanges, and head-hunting. |
| | News | Sites providing news coverage of regional and international events and weather services. |
| Satanic | Occult/New Age | Sites dedicated to occult and New Age topics including, but not limited to, astrology, crystals, fortune-telling, psychic powers, tarot cards, palm reading, numerology, UFOs, witchcraft, and satanism. |
| | Prescription Medicine | Sites dedicated to providing information on prescription drugs that are used for medical purposes. These sites deal with side effects issues, prescription drug manufacturing, prescription filling, and common treatment issues. |
| | Real Estate | Sites dedicated to providing information on buying and selling properties, property listings, commercial property listings, and real estate agents. |
| | Religion | Sites dedicated to or describing one of the 12 classical world religions: Babi & Baha’i, Buddhism, Christianity, Confucianism, Islam, Jainism, Judaism, Hinduism, Shinto, Sikhism, Taoism, and Zoroastrianism. |
| Sex | Sex/Acts | Sites depicting or implying sex acts, including pictures of masturbation not categorized under sexual education. Also includes sites selling sexual or adult products. |
| Sex | Sex/Attire | Sites featuring pictures that include alluring or revealing attire, lingerie and swimsuit shopping, or super model photo collections but do not involve nudity. |
| Sex, nudity, full nudity | Sex/Nudity | Sites featuring pictures of exposed breasts or genitalia that do not include or imply sex acts. Includes sites featuring nudity that is artistic in nature or intended to be artistic, including photograph galleries, paintings that may be displayed in museums, and other readily identifiable art forms. Includes nudist and naturist sites that contain pictures of nude individuals. |
| Sex | Sex/Personals | Sites dedicated to personals, dating, escort services, or mail-order marriages. |
| Sex, Sex Education/Advanced | Sex Education/Advanced | Sites providing medical discussions of sexually transmitted diseases such as syphilis, gonorrhea, and HIV/AIDS. May include medical pictures of a graphic nature. Includes sites providing information of an educational nature on pregnancy and family planning, including abortion and adoption issues. Also includes sites providing information on sexual assault, including support sites for victims of rape, child molestation, and sexual abuse. Includes sites providing information and instructions on the use of birth control devices. May include some explicit pictures or illustrations intended for instructional purposes only. May include slang names for reproductive organs or clinical discussions of reproduction. |
| Sex | Sex Education/Basic | Sites that provide information at the elementary level about puberty and reproduction. Includes clinical names for reproductive organs. |
| Sex | Sex Education/Sexuality | Sites that deal with topics in human sexuality. Includes sexual technique, sexual orientation, cross-dressing, transvestites, transgenders, multiple-partner relationships, and other related issues. |
| | Travel | Sites that are dedicated to facilitating personal travel planning, vacations, car rental, lodging, cruises, and tour guides. |
| | Vehicles | Sites that are dedicated to personal transportation vehicles, dealers, vehicle reviews, buying information, and vehicle accessories. |
| | Violence | Sites that depict or advocate violence, including sites promoting violent terrorist acts against others that do not fall under the Intolerance category. |
| Militant | Weapons | Sites that display, sell, or advocate the use of weapons, including guns, knives, and martial-arts weaponry. |
URL whitelist/blacklist
In Symantec Gateway Security 5000 Series v2.0.1, you can configure the URL whitelist to act as a blacklist through an advanced option, httpd.urlblacklist. If you use this advanced option, upgrading sets the Allow/Deny URL list setting based on the option’s value:
Allow for 0
Deny for 1
After upgrading, verify that the new option values are appropriate.
MIME types whitelist/blacklist
In Symantec Gateway Security 5000 Series v2.0.1, you can configure the MIME types blacklist to act as a whitelist through an advanced option, httpd.mimeblacklist. If you use this advanced option, then upgrading sets the Allow/Deny MIME types list setting based on the option’s value:
Allow for 0
Deny for 1
After upgrading, verify that the new option values are appropriate.
File Extensions whitelist/blacklist
In Symantec Gateway Security 5000 Series v2.0.1, you can configure the file extensions whitelist to act as a blacklist through an advanced option, httpd.extensionblacklist. If you use this advanced option, then upgrading sets the Allow/Deny File Extensions list setting based on the option’s value:
Allow for 0
Deny for 1
After upgrading, verify that the new option values are appropriate.
Dynamic Document Review
Dynamic Document Review (DDR) is a new Symantec Gateway Security 5000 Series v3.0.1 feature. When a Symantec Gateway Security 5000 Series v3.0.1 user attempts to access a Web site, the security gateway performs a dynamic document review of the content of the Web site before the information is passed to the user. Each page and header is scanned to evaluate the information in real time against dictionaries that contain trigger words and phrases.
For a full description of DDR, see Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
After upgrading, if you do not want to use DDR, adjust your content filtering policies, and disable Dynamic Document Review.
Log files
You must back up all Symantec Gateway Security 5000 Series v2.0.1 log files before you upgrade, or they will be erased. The Symantec Gateway Security 5000 Series v3.0.1 log viewer does not show logs from previous product versions. To view Symantec Gateway Security 5000 Series v2.0.1 log files, you must either maintain a Symantec Gateway Security 5000 Series v2.0.1 appliance for the purposes of log viewing, or flatten the logs to view them in another application. Remote logfile utility and flatten (shipped with Symantec Gateway Security 5000 Series v3.0.1) are backwards-compatible, working on both Symantec Gateway Security 5000 Series v2.0.1 and Symantec Gateway Security 5000 Series v3.0.1 log files.
Before upgrading, use FTP or the Symantec Gateway Security 5000 Series v2.0.1 remote logfile utility to back up all log files.
After upgrading, if you need to view old Symantec Gateway Security 5000 Series v2.0.1 log files, use remote logfile utility or flatten.
loglevel.cf
In Symantec Gateway Security 5000 Series v2.0.1, the loglevel.cf file is used to customize notifyd logging. The settings in this file are not configurable using the SGMI, and are not included in the backup or upgrade. In Symantec Gateway Security 5000 Series v3.0, loglevel.cf is replaced by notifysingle.cf. Upgrading does not convert loglevel.cf to notifysingle.cf.
Before upgrading, if you manually modified the Symantec Gateway Security 5000 Series v2.0.1 configuration settings in the loglevel.cf file, manually back up the file, and then review the settings.
After upgrading, configure the desired settings in the new notifysingle.cf file, using the new file format.
SYN flood protection settings
In Symantec Gateway Security 5000 Series v2.0.1, SYN flood protection was enabled or disabled per interface. Symantec Gateway Security 5000 Series v3.0.1 offers a new method of SYN flood protection with three protection levels. The adaptive SYN flood handling algorithm is active all of the time, and offers continuous, low-overhead protection. The other two levels, algorithm 1 and algorithm 2, use different techniques to handle large numbers of SYN packets.
For more information about configuring SYN flood protection, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
Network interfaces
When you upgrade, the Symantec Gateway Security 5000 Series v2.0.1 interfaces generally map directly to Symantec Gateway Security 5000 Series v3.0.1 interfaces.
After upgrading, check your upgraded interfaces.
SRL
SRL is no longer supported for remote administration. Symantec Gateway Security 5000 Series v3.0.1 now supports use of standard SSH clients to establish a connection to the security gateway.
For information about SSH, see the Symantec Gateway Security 5000 Series v3.0 Administration Guide.
Cron jobs
If you have set up cron jobs on Symantec Gateway Security 5000 Series v2.0.1 to automatically back up log files periodically, you must reconfigure these cron jobs manually after the upgrade is complete.
RemPass
If you configured RemLog passwords using the RemPass command-line utility, the upgrade does not restore them automatically. If you set passwords using RemPass, you must reset them after the upgrade.
Post-upgrade tasks for upgraded Symantec Clientless VPN Gateway 4400 Series v5.0 configurations
Review your restored configurations, and update them in Symantec Gateway Security 5000 Series v3.0.1, as necessary.
Access control
The access control provided by Symantec Clientless VPN Gateway 4400 Series v5.0 is maintained in Symantec Gateway Security 5000 Series v3.0.1. By default, traffic that goes through clientless VPN does not use the firewall proxies. To use the new features (for example, content security) that are available in Symantec Gateway Security 5000 Series v3.0.1, configure clientless VPN traffic to go through the firewall proxies. You also need to add firewall rules to allow clientless VPN traffic.
SecurID authentication
In Symantec Clientless VPN Gateway 4400 Series v5.0, you can configure the network interface from which the security gateway contacts the SecurID server. If this setting was not configured, Symantec Clientless VPN Gateway 4400 Series v5.0 uses network interface eth0.
Upgrading sets the Symantec Gateway Security 5000 Series v3.0.1 ACE Server Interface setting to the logical interface name associated with the interface that was used in the Symantec Clientless VPN Gateway 4400 Series v5.0 backup file. If none is set, the upgrade uses the logical interface name that was associated with network interface eth0.
After upgrading, check SecurID authentication settings.
Windows NT Domain authentication
If a Symantec Clientless VPN Gateway 4400 Series v5.0 configuration was for Active Directory deployments, all configuration information is upgraded, and continues to function properly. If Symantec Clientless VPN Gateway 4400 Series v5.0 deployments contained Windows NT Domain controllers, then authentication may no longer work after upgrading. You must upgrade Windows NT authentication servers to Active Directory.
Logging
To retain Symantec Clientless VPN Gateway 4400 Series v5.0 log files, you must back them up before you upgrade. The Symantec Gateway Security 5000 Series v3.0.1 log viewer does not show logs from previous product versions. To view Symantec Clientless VPN Gateway 4400 Series v5.0 log files, you must either maintain a Symantec Clientless VPN Gateway 4400 Series v5.0 appliance to use the log viewer, or view the backed-up logs in a text editor or export them into a third-party application such as Microsoft Excel. The downloaded Symantec Clientless VPN Gateway 4400 Series v5.0 logs are in text/csv format. Symantec Gateway Security 5000 Series v3.0.1 supports Syslog and Syslog-ng.
Service redirect IP address conflicts
If the clientless VPN component is enabled on Symantec Gateway Security 5000 Series v3.0.1, then Symantec Gateway Security 5000 Series v3.0.1 acts as an HTTPS server for clientless VPN users. If Secure Desktop Mail Access is enabled for SMTP, then the Symantec Gateway Security 5000 Series v3.0.1 security gateway acts as an SMTP server for clientless VPN users. If you configure any service redirects for these protocols that use the IP addresses configured for the Symantec Gateway Security 5000 Series v3.0.1 interfaces, they conflict with these features. A configuration upgraded from Symantec Clientless VPN Gateway 4400 Series v5.0 does not contain any service redirects.
Caution: An IP address conflict does not occur due to upgrading. However, after the upgrade, you must not create any HTTPS or SMTP service redirects, or you will have IP address conflicts.
Object name modification
In Symantec Clientless VPN Gateway 4400 Series v5.0, valid object names could contain most characters. In Symantec Gateway Security 5000 Series v3.0.1, object names are limited to alphanumeric characters and underscores. Upgrading removes any illegal characters found in Symantec Clientless VPN Gateway 4400 Series v5.0 object names, and then renames them. When this produces naming conflicts between similar object names, the upgrade appends a different number to the end of each object name. For example, Symantec Clientless VPN Gateway 4400 Series v5.0 objects named Role& and Role# are upgraded in Symantec Gateway Security 5000 Series v3.0.1 to Role_1 and Role_2.
After upgrading, check all object names and rules.
Network interfaces
Upgrading maps interface 0 to the interface named Inside and interface 1 to the interface named Outside. If your Symantec Clientless VPN Gateway 4400 Series v5.0 profile uses interface 1, and during upgrade, you name the eth1 interface Inside and the eth2 interface Outside, then Secure Network Connector does not work. Do not change the naming scheme while upgrading. If you need to change the naming of the network interfaces, you may also need to change your network cabling.
When upgrading from Symantec Clientless VPN Gateway 4400 Series v5.0, network interface data cannot be restored. Although the System Setup Wizard lets you choose what to do with the network interface information from the backup file, this option has no effect when restoring from a Symantec Clientless VPN Gateway 4400 Series v5.0 configuration file. Before upgrading, note the network interface information and use the System Setup Wizard to restore it.
Reserved object names
Symantec Gateway Security 5000 Series v3.0.1 reserves some object names. If a Symantec Clientless VPN Gateway 4400 Series v5.0 object is named with a Symantec Gateway Security 5000 Series v3.0.1 reserved name, then SCVG_ is prepended to the name. For example, RADIUS is converted to SCVG_RADIUS.
After upgrading, check all object names and rules.
Table 3-5 lists the reserved object names.
Table 3-5 Reserved object names
Object                   Reserved name
user                     DefaultIKEuser
group                    [server_name]-[group_name]
IDS portmap              discard
IDS portmap              badservice
auth server              *previous* (case-insensitive)
auth server              gwpasswd (case-insensitive)
auth server              Tacacsp (case-insensitive)
auth server              Tacacs+ (case-insensitive)
auth server              radius (case-insensitive)
auth server              ldap (case-insensitive)
auth server              Defender (case-insensitive)
auth server              cryptocard (case-insensitive)
auth server              cache (case-insensitive)
auth server              skey (case-insensitive)
auth server              entrust (case-insensitive)
auth server              ntdomain (case-insensitive)
auth server              ace (case-insensitive)
auth server              securid (case-insensitive)
auth server              pamproxy (case-insensitive)
auth server              sequence (case-insensitive)
auth sequence / scheme   dynamic (case-insensitive)
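The three renaming rules above (illegal characters removed, numbered suffixes on collisions, SCVG_ prepended to reserved names) interact, so it is worth previewing what an upgrade will do to your object names before you run it. The following Python script is an added example for this guide, not code from Symantec or from the appliance; it applies the rules to a list of names you paste in from the v5.0 configuration. The object-type labels, the exact-match comparison for the user and IDS portmap entries, the decision to reject names with no legal characters, and the omission of the group template [server_name]-[group_name] are assumptions made for this example.

```python
import re

# Reserved names copied from Table 3-5 of the guide. The auth server and
# auth sequence/scheme entries are compared case-insensitively, as the table
# states. Assumption: user and IDS portmap entries are exact matches, and the
# group template "[server_name]-[group_name]" is not checked here.
RESERVED_EXACT = {
    "user": {"DefaultIKEuser"},
    "IDS portmap": {"discard", "badservice"},
}
RESERVED_CASE_INSENSITIVE = {
    "auth server": {
        "*previous*", "gwpasswd", "tacacsp", "tacacs+", "radius", "ldap",
        "defender", "cryptocard", "cache", "skey", "entrust", "ntdomain",
        "ace", "securid", "pamproxy", "sequence",
    },
    "auth sequence / scheme": {"dynamic"},
}
RESERVED_PREFIX = "SCVG_"               # prefix the upgrade prepends (from the guide)
ILLEGAL = re.compile(r"[^A-Za-z0-9_]")  # v3.0.1 allows only alphanumerics and _


def is_reserved(obj_type, name):
    """True if name collides with a v3.0.1 reserved name for this object type."""
    if name in RESERVED_EXACT.get(obj_type, set()):
        return True
    return name.lower() in RESERVED_CASE_INSENSITIVE.get(obj_type, set())


def sanitize(name):
    """Remove every character that the v3.0.1 object-name rules reject."""
    return ILLEGAL.sub("", name)


def upgrade_names(obj_type, names):
    """Map each v5.0 object name to the name it receives after upgrade.

    1. Illegal characters are removed.
    2. Names that become identical after step 1 get _1, _2, ... appended
       (the guide's example: Role& and Role# become Role_1 and Role_2).
    3. A result that matches a reserved name is prefixed with SCVG_.
    """
    groups = {}
    for old in names:
        stripped = sanitize(old)
        if not stripped:
            # Assumption: a name with no legal characters must be renamed by hand.
            raise ValueError(f"{old!r} has no legal characters; rename it first")
        groups.setdefault(stripped, []).append(old)
    result = {}
    for new, olds in groups.items():
        if len(olds) == 1:
            result[olds[0]] = new
        else:
            for i, old in enumerate(olds, start=1):
                result[old] = f"{new}_{i}"
    return {old: (RESERVED_PREFIX + new if is_reserved(obj_type, new) else new)
            for old, new in result.items()}


if __name__ == "__main__":
    # Constructed sample names, not taken from a real configuration.
    for obj_type, names in (("role", ["Role&", "Role#", "Admin Role"]),
                            ("auth server", ["RADIUS", "my-ldap"])):
        for old, new in upgrade_names(obj_type, names).items():
            print(f"{obj_type}: {old!r} -> {new!r}")
```

Run the preview against each object type separately, because a reserved name is only reserved for the type it is listed under; then compare the output with the names the upgraded appliance shows when you check all object names and rules.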
Migrating configurations from Symantec Enterprise Firewall
You can migrate your Symantec Enterprise Firewall configurations to an appliance that you have already upgraded or updated to Symantec Gateway Security 5000 Series v3.0.1. You cannot use the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM or the Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM to upgrade Symantec Enterprise Firewall v7.0.4 or Symantec Enterprise Firewall v8.0 directly to Symantec Gateway Security 5000 Series v3.0.1.
Migrating Symantec Enterprise Firewall v8.0 configurations to Symantec Gateway Security 5000 Series v3.0.1
You can migrate a configuration from a Symantec Enterprise Firewall v8.0 running on Windows or Solaris platforms to a Symantec Gateway Security 5000 Series v3.0.1 appliance. All applicable configurations are restored in Symantec Gateway Security 5000 Series v3.0.1. For all features that do not exist in Symantec Enterprise Firewall v8.0, default configurations are created.
Migrating existing Symantec Enterprise Firewall v8.0 configurations to a new appliance is a special restore procedure. The restore code detects the backup file format and processes the files accordingly.
For directions on how to restore a system to a previous configuration at any point after an initial setup, see the Symantec Gateway Security 5000 Series v3.0.1 Administration Guide.
Mismatched Symantec Enterprise Firewall v8.0 network interfaces
When you migrate a Symantec Enterprise Firewall v8.0 configuration to Symantec Gateway Security 5000 Series v3.0.1, do the following before the migration:
Check the number of network interfaces that are configured in Symantec Enterprise Firewall v8.0 and the number of network interfaces that are available in Symantec Gateway Security 5000 Series v3.0.1. If you have more interfaces configured in Symantec Enterprise Firewall v8.0 than are available in Symantec Gateway Security 5000 Series v3.0.1, you must consolidate interfaces or configure VLANs in Symantec Gateway Security 5000 Series v3.0.1.
You must determine this before you start the upgrade, and before you cable and configure the Symantec Gateway Security 5000 Series v3.0.1 appliance.
Using the System Setup Wizard in Symantec Gateway Security 5000 Series v3.0.1, reassign the interface names and IP addresses to match the Symantec Enterprise Firewall v8.0 configuration.
Using the System Setup Wizard, configure VLANs in Symantec Gateway Security 5000 Series v3.0.1 if you need more network interfaces.
When you migrate a Symantec Enterprise Firewall v8.0 configuration to Symantec Gateway Security 5000 Series v3.0.1, after the migration you should adjust your rules if you changed interface names or IP addresses.
You must run the System Setup Wizard to completion before you upgrade. On the network interfaces page of the System Setup Wizard, you must add enough VLAN interfaces that the number of interfaces on the old gateway matches the number of interfaces on the new one.
Migrating Symantec Enterprise Firewall v7.0.4 configurations to Symantec Gateway Security 5000 Series v3.0.1
Symantec provides the Symantec Upgrade Utility for Symantec Enterprise Firewall v7.0.4 to Symantec Gateway Security 5000 v3.0 to let you migrate Symantec Enterprise Firewall v7.0.4 to Symantec Gateway Security 5000 Series v3.0.1. This utility is available on the Symantec Technical Support Web site.
Backing up Symantec Enterprise Firewall v8.0 configurations
You back up Symantec Enterprise Firewall v8.0 configurations using the Symantec Enterprise Firewall v8.0 SGMI to a location such as your computer’s hard drive. You migrate (restore) these configurations to the new appliance.
Note: In a clustered environment, backup and restore do not restore the cluster association. You need to run the Cluster Wizard following the restore to reestablish the cluster association.
To back up Symantec Enterprise Firewall v8.0 configurations
1 In the Symantec Enterprise Firewall v8.0 SGMI, on the Action menu, click Backup.
2 In the Backup Configuration window, in the Password text box, type a backup/restore password.
This password is required to restore the configuration.
3 Click Backup.
You are prompted to select a location in which to store the backup and a file name for the backup file. The default name is configs.bk.
4 Click Close.
Assigning network interfaces
Before you restore a Symantec Enterprise Firewall v8.0 backup file to Symantec Gateway Security 5000 Series v3.0.1, you may need to first run the System Setup Wizard to configure the network interface IP addresses in Symantec Gateway Security 5000 Series v3.0.1. The upgrade can then map the network interfaces configured in the Symantec Enterprise Firewall v8.0 backup file to the new Symantec Gateway Security 5000 Series v3.0.1 network interfaces, based on the IP address.
If you attempt to restore a Symantec Enterprise Firewall v8.0 backup file to Symantec Gateway Security 5000 Series v3.0.1 without first configuring the network interfaces, then the upgrade randomly assigns the new network interface definitions.
To assign network interfaces
1 Set up the new Symantec Gateway Security 5000 Series v3.0.1 appliance, and then run the System Setup Wizard. Do not select the restore option in the System Setup Wizard.
2 Decide which Symantec Enterprise Firewall v8.0 interfaces should correspond to which Symantec Gateway Security 5000 Series v3.0.1 interfaces. On the Network Interfaces panel of the System Setup Wizard, configure the appliance interfaces accordingly.
3 Complete the System Setup Wizard.
The upgrade can now restore the network interfaces that were configured in the Symantec Enterprise Firewall v8.0 backup file to the new Symantec Gateway Security 5000 Series v3.0.1 interfaces, based on the IP address.
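Because the restore matches interfaces by IP address and assigns any interface it cannot match at random, it pays to check the mapping on paper before running the Restore Wizard. The following Python script is an added example written for this guide, not a Symantec utility: given the interface names and addresses from the Symantec Enterprise Firewall v8.0 backup and the names and addresses you configured in the System Setup Wizard, it reports which backup interface lands on which appliance interface, which backup interfaces have no match (and would therefore be assigned at random), which appliance interfaces are unused, and how many VLAN interfaces you still need to add so that the interface counts match. The function name, the tuple input format and the sample addresses are constructed for this example.

```python
import ipaddress


def plan_interface_migration(backup_interfaces, appliance_interfaces):
    """Match SEF v8.0 interfaces to appliance interfaces by IP address.

    backup_interfaces / appliance_interfaces: lists of (name, ip) tuples.
    Returns a dict with:
      mapped        {backup_name: appliance_name} for IP matches
      unmatched     backup interfaces with no appliance interface at that IP
                    (the guide says the restore assigns these at random)
      spare         appliance interfaces whose IP appears in no backup entry
      vlans_needed  VLAN interfaces the System Setup Wizard must still add so
                    the appliance has as many interfaces as the old gateway
    """
    by_ip = {}
    for name, ip in appliance_interfaces:
        addr = ipaddress.ip_address(ip)          # raises ValueError on a typo
        if addr in by_ip:
            raise ValueError(f"appliance IP {ip} is configured twice")
        by_ip[addr] = name

    mapped, unmatched, seen = {}, [], set()
    for name, ip in backup_interfaces:
        addr = ipaddress.ip_address(ip)
        if addr in seen:
            raise ValueError(f"backup IP {ip} is configured twice")
        seen.add(addr)
        if addr in by_ip:
            mapped[name] = by_ip[addr]
        else:
            unmatched.append(name)

    spare = [name for addr, name in by_ip.items() if addr not in seen]
    vlans_needed = max(0, len(backup_interfaces) - len(appliance_interfaces))
    return {"mapped": mapped, "unmatched": unmatched,
            "spare": spare, "vlans_needed": vlans_needed}


# Constructed sample data: four interfaces in the SEF v8.0 backup, three
# physical interfaces configured on the new appliance.
SEF_BACKUP = [("inside", "10.0.0.1"), ("dmz", "10.0.1.1"),
              ("outside", "192.0.2.1"), ("lab", "10.0.2.1")]
APPLIANCE = [("eth0", "10.0.0.1"), ("eth1", "192.0.2.1"), ("eth2", "10.0.1.1")]


if __name__ == "__main__":
    plan = plan_interface_migration(SEF_BACKUP, APPLIANCE)
    for old, new in plan["mapped"].items():
        print(f"{old:8} -> {new}")
    print("unmatched (would be assigned at random):", plan["unmatched"])
    print("unused appliance interfaces:", plan["spare"])
    print("VLAN interfaces still to add:", plan["vlans_needed"])
```

In the sample, the lab interface has no appliance counterpart and the counts differ by one, so the report tells you to add one VLAN interface with address 10.0.2.1 in the System Setup Wizard before restoring; rerunning the check with that VLAN present shows every backup interface matched and nothing left to add.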
Migrating Symantec Enterprise Firewall v8.0 configuration files
Before you migrate Symantec Enterprise Firewall v8.0 configuration files to Symantec Gateway Security 5000 Series v3.0.1, do the following:
Check the location of your backed-up configuration.
Ensure that you set the password.
Keep a copy of the configuration on a remote machine.
For complete information regarding backing up your configuration, see the Symantec Enterprise Firewall Administrator's Guide.
When you connect to the SGMI for the first time, the System Setup Wizard starts automatically. It prompts you for required Symantec Gateway Security 5000 Series v3.0.1 configuration setup information. You must complete this wizard before you can begin managing your appliance.
Before you begin the wizard, you need the following information:
User name (admin) and password you received when you set up the appliance.
List of all the required IP addresses.
Ensure the mapped interfaces are correct, so you can log on to your appliance with the SGMI after it reboots.
To migrate Symantec Enterprise Firewall v8.0 configuration files
1 In the Symantec Gateway Security 5000 Series v3.0.1 SGMI, on the File menu, click Restore.
2 In the Restore Wizard panel, click Standalone gateway.
3 Click Next.
4 In the Setup Options panel, click Merge backup configuration’s network interfaces data.
5 Click Next.
6 In the Restore Settings panel, do the following:
Click Restore from a Symantec Gateway Security backup image.
Next to the Backup File text box, click Browse.
In the Open dialog box, navigate to the location of the backup file.
Select the backup file, and then click Open.
In the Password text box, type the password that was used to back up the security gateway configuration.
Optionally, to restore the local administrator accounts that are defined in the backup file, check Restore administrator accounts.
7 Click Next.
8 Do one of the following:
If the restore is successful, the status message disappears. Click Next again.
If the restore is unsuccessful, an error message informs you that the restore has been rolled back, meaning that the security gateway remains in the state that it was in when you began the restore operation. Click OK to clear the message, and then click Cancel to exit the wizard.
9 In the Machine Settings panel, do one of the following:
Make changes to machine and system settings and then click Next.
To proceed without making changes, click Next.
10 In the Network Interfaces panel, do one of the following:
Make changes to network interfaces, and then click Next.
To proceed without making changes, click Next.
11 In the Confirmation panel, review the summary of your configuration.
12 Click Finish.
If you made interface changes on the Network Interfaces panel, the security gateway reboots when you complete the Restore Wizard.
Chapter 4
Obtaining and installing licenses
This chapter includes the following topics:
Getting started with your 30-day grace period
Preparing to obtain license files
Obtaining license files
Preparing to install license files
Valid license combinations
Installing license files
Viewing licensed features
Removing all license files
Getting started with your 30-day grace period
All features included with Symantec Gateway Security 5000 Series are enabled for a 30-day grace period to give you time to obtain and install the necessary license files. The 30-day grace period begins when you initially install and start up the appliance.
Features that use Symantec’s LiveUpdate technology to update content such as antivirus and intrusion detection and prevention, are also covered by the 30-day grace period. This provides additional content, such as new virus definitions created after the ship date of your appliance.
Figure 4-1 shows a License Summary view in the SGMI of the features covered by the 30-day grace period.
See “Viewing licensed features” on page 78 for more information on viewing licensed features.
Figure 4-1 License Summary view using the 30-day Grace period
Preparing to obtain license files
Follow these steps to prepare to obtain license files:
Gather your serial number certificates
Sort your license serial numbers for each appliance
Collect product and contact information
Complete the license file organization worksheet
Gather your serial number certificates
The first step in the process is to gather all your serial number certificates. Symantec provides evidence of your purchase using a serial number certificate. Check with your sales representative to understand how your certificates are sent. Each serial number certificate may contain several unique serial numbers, one or more for each feature ordered.
Sort your license serial numbers for each appliance
The license serial numbers on serial number certificates correspond to a particular order that you have placed. If you ordered one product, the serial number certificate contains the license serial number for that product. If you ordered more than one product, the serial number certificate has license serial numbers for all of the products and features in that order.
If you ordered more than one product, you should separate and organize the license serial numbers on the serial number certificate before requesting license files. Figure 4-2 shows serial numbers for features ordered for two different appliances, A and B, on the same certificate. If you ordered only one appliance, you do not have to separate license serial numbers.
The license file organization worksheet helps to identify which license serial numbers are used for each security gateway. Make a copy of this worksheet for each security gateway you ordered, and complete each worksheet before requesting license files.
See “Symantec license file organization worksheet” on page 75.
Figure 4-2 Sample serial number certificate (serial numbers grouped under the labels Appliance A and Appliance B)
Collect product and contact information
Gather the following information before completing the license file organization worksheet:
The Symantec System ID
The appliance serial number
License serial numbers
Contact information:
The email address of the person to whom your license files will be sent.
The names, phone and FAX numbers, and email addresses of two technical representatives who will be authorized to contact Symantec for support.
Your full company name.
The Symantec System ID
The Symantec System ID is an alphanumeric string with parentheses that identifies your appliance to the licensing system. The license file will only activate the product’s features on the machine with the same Symantec System ID provided during registration.
Note: The Symantec System ID is case sensitive. All letters in the Symantec System ID must be capitalized.
Obtaining the Symantec System ID
You can obtain the Symantec System ID from the system menu on the LCD screen of the appliance or from the SGMI.
To obtain the Symantec System ID from the appliance’s LCD
1 On the front panel of the appliance, press the Enter button to select the LCD system menu.
2 Press the down arrow button until you see 4. System ID.
3 To view the Symantec System ID, press the Enter button.
To obtain the Symantec System ID from the SGMI
1 In the SGMI, on the System folder, select the System Information tab.
2 On the System Information tab, scroll down to the bottom of the page to view the Symantec System ID.
Appliance serial number
The appliance serial number is a unique identification located on a label on the underside of the appliance and also on a label on the appliance shipping carton adjacent to the S/N barcode.
License serial number
The registration process begins with a license serial number that has been delivered to you on a Serial Number Certificate. The format of the License Serial Number is a letter followed by 10 digits. Example: F2430482013.
Contact Information
Your technical contact information (names, phone and FAX numbers) is required as only these people can contact Symantec for technical support. Later, if you need to change technical support contact information, contact Symantec Technical Support. Once the technical support contacts have been entered on the licensing Web site they cannot be changed. You must register for technical support and software update (maintenance) services at the same time you request your license file.
Complete the license file organization worksheet
Complete the license file organization worksheet by recording the license serial numbers and the number of nodes licensed for each licensed option.
Fill out the worksheet in Table 4-1 for each appliance before you apply for your license file.
Table 4-1 Symantec license file organization worksheet
Symantec License File Organization Worksheet
Appliance name (host name):          First contact name:
Certificate number:                  Email:
Appliance serial number:             Phone:
Symantec System ID number:           FAX:
Email licenses to:                   Second contact name:
Your company name:                   Email:
                                     Phone:
                                     FAX:
Symantec Gateway Security 5000 Series products
Part code:          Product description:          License serial number:
Obtaining license files
The Symantec Licensing and Registration Web site lets you enter serial numbers and contact information to request and obtain license files. It is also used to register technical contacts that are entitled to contact Symantec for support. After entering all the requested registration information on the licensing Web site, Symantec sends an email with a license file attachment.
Before using the Symantec Licensing and Registration Web site, make sure you understand what information you need and fill out a license file organization worksheet for each appliance.
See “Preparing to obtain license files” on page 72.
See “Complete the license file organization worksheet” on page 74.
To obtain license files
1 Open a Web browser and connect to Symantec’s Licensing and Registration Web site at https://licensing.symantec.com.
2 In the Licensing and Registration page, follow all the on-line instructions and complete all the required registration screens.
The person you specified receives an email from Symantec with an attached license file, which must be installed on the appliance to enable the licensed features. The subject line of that email contains a serial number for one of the licensed products contained within the order. Once you receive your license files, unzip them to a location on your network accessible to your appliance.
Caution: Once you receive and store your license files, keep a backup of these files in a secure location.
If you purchase additional licenses for this appliance in the future, you should follow these same steps for the new licenses and associated serial numbers.
Preparing to install license files
When your license files are emailed to you, the subject line of the email shows the serial number used to request the license file. The message in the email shows the Symantec System ID of the appliance to which the license belongs. You should create a separate folder for each appliance, in an accessible location on your network, with the folder name based on the Symantec System ID of the appliance. You should save license files to these folders when you receive them from Symantec.
The license file is attached to your email in a .zip file. Open this file using a decompression utility, such as WinZip or WinRAR.
The .slf file contained within the .zip file is the actual license file that you must install on your appliance to enable the features.
Note: Do not attempt to edit the .slf file as this will corrupt your license file and prevent your product from working properly.
If you need additional support, contact the Customer Service team for your region at http://www.symantec.com/licensing/els/help/en/help.html
You must install your license files before the 30-day grace period ends.
Valid license combinations
Symantec Gateway Security 5000 Series software offers great flexibility and variety in its licenses. There are simple rules that define a valid combination of available licenses. A valid combination of licenses, loaded on a single appliance with one or more license files, consists of:
Any one, but at least one, activation pack.
Optionally, combine licenses to allow any number of client-to-gateway VPN sessions.
Optionally, combine licenses to protect any number of nodes using the firewall functions.
Optionally, a license to enable support for High-Availability and Load Balancing (each appliance in a cluster would be required to have an HA/LB license).
Licenses that enable the antivirus & antispam, intrusion detection and prevention, and/or content filtering features can also be combined with the licenses listed above by observing the following additional rules:
If the activation pack you purchased does not include a feature you are interested in adding, you must first include one (1) 50-node add-on license.
Any number of additional additive licenses can also be included by observing the next rule.
The total number of licensed nodes for any of these features must exactly match the number of nodes licensed for firewall protection. In all cases, the total number of nodes licensed for antivirus and antispam, intrusion detection and prevention, and/or content filtering, must exactly match the total number of nodes licensed and protected by the firewall feature.
There are feature licenses that provide LiveUpdate access to the most up-to-date information for antivirus and antispam, intrusion detection and prevention, and/or content filtering features. These licenses are provided as a component of the maintenance agreements associated with these features. To be valid, the number of nodes covered by maintenance must match or exceed the number of nodes that are currently protected for each of the related features.
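The rules above are easy to get wrong when several serial numbers for one appliance arrive on the same certificate, and the License Error Check panel only tells you to call Technical Support if the combination is invalid. The following Python script is an added example for this guide, not Symantec code, that checks a planned set of licenses against those rules before you request license files: exactly one activation pack, a 50-node add-on for any content feature the pack does not bundle, feature node totals equal to the firewall node total, and maintenance coverage at least equal to the protected nodes. The License record, its kind labels, and the assumption that an activation pack's own node count counts toward the firewall total and toward each feature it bundles are constructed for this example; the guide does not describe activation packs at that level of detail.

```python
from dataclasses import dataclass

# The three content-security features the additional rules apply to.
CONTENT_FEATURES = ("antivirus_antispam", "ids_ips", "content_filtering")


@dataclass(frozen=True)
class License:
    """One line from a serial number certificate (constructed model)."""
    kind: str                 # activation_pack, firewall_nodes, feature_nodes,
                              # maintenance, client_vpn or ha_lb
    nodes: int = 0            # node count (session count for client_vpn)
    feature: str = ""         # feature_nodes / maintenance: one of CONTENT_FEATURES
    includes: frozenset = frozenset()  # activation_pack: content features it bundles


def validate_license_set(licenses):
    """Return a list of rule violations; an empty list means the set is valid."""
    errors = []
    packs = [lic for lic in licenses if lic.kind == "activation_pack"]
    if len(packs) != 1:
        errors.append(f"exactly one activation pack is required, found {len(packs)}")
        return errors
    pack = packs[0]

    # Assumption: the pack's own node count counts toward the firewall total
    # and toward every content feature the pack bundles.
    firewall_nodes = pack.nodes + sum(
        lic.nodes for lic in licenses if lic.kind == "firewall_nodes")

    for feat in CONTENT_FEATURES:
        addons = [lic for lic in licenses
                  if lic.kind == "feature_nodes" and lic.feature == feat]
        bundled = feat in pack.includes
        if not addons and not bundled:
            continue                      # feature not licensed: nothing to check
        if not bundled and not any(lic.nodes == 50 for lic in addons):
            errors.append(f"{feat}: the activation pack does not include it, "
                          "so one 50-node add-on license is required first")
        protected = (pack.nodes if bundled else 0) + sum(lic.nodes for lic in addons)
        if protected != firewall_nodes:
            errors.append(f"{feat}: {protected} licensed nodes must exactly match "
                          f"the {firewall_nodes} firewall-protected nodes")
        maint = [lic for lic in licenses
                 if lic.kind == "maintenance" and lic.feature == feat]
        covered = sum(lic.nodes for lic in maint)
        # Assumption: the coverage rule is checked only when maintenance is present.
        if maint and covered < protected:
            errors.append(f"{feat}: maintenance covers {covered} nodes but "
                          f"{protected} are protected")
    return errors


# Constructed sample sets: VALID_SET satisfies every rule; INVALID_SET lacks
# the 50-node add-on and under-covers the feature with maintenance.
VALID_SET = [
    License("activation_pack", nodes=100, includes=frozenset({"ids_ips"})),
    License("firewall_nodes", nodes=150),
    License("feature_nodes", nodes=150, feature="ids_ips"),
    License("feature_nodes", nodes=50, feature="antivirus_antispam"),
    License("feature_nodes", nodes=200, feature="antivirus_antispam"),
    License("maintenance", nodes=250, feature="antivirus_antispam"),
    License("client_vpn", nodes=500),
    License("ha_lb"),
]
INVALID_SET = [
    License("activation_pack", nodes=100),
    License("firewall_nodes", nodes=150),
    License("feature_nodes", nodes=100, feature="antivirus_antispam"),
    License("feature_nodes", nodes=150, feature="antivirus_antispam"),
    License("maintenance", nodes=200, feature="antivirus_antispam"),
]


if __name__ == "__main__":
    for label, lics in (("valid", VALID_SET), ("invalid", INVALID_SET)):
        problems = validate_license_set(lics)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Fill one License per serial number from the worksheet in Table 4-1, run the check per appliance, and resolve every reported problem with your sales representative before requesting the license files, since the technical contacts and serial numbers cannot be changed once registered.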
Installing license files
You install your license files using the License Installation Wizard. The License Installation Wizard is only accessed from the SGMI Welcome screen until you install your licenses. After you install your initial set of licenses, the License Installation Wizard is only available on the SGMI System folder > Licensing tab > Installed Licenses window.
To install license files
1 In the SGMI, on the home page, in the right pane, under Quick Status, click License Installation Wizard.
2 On the License Installation Wizard panel, click Next.
3 On the Obtain License Files panel, if you have the license files ready to upload, click Next.
If you do not have files ready to upload you must obtain them. Click Visit Licensing Web Site. See “Obtaining license files” on page 76.
4 On the Upload License Files panel, click Upload File.
5 On the Upload License File panel, to find where you saved your license files, click Browse, and then do the following:
Select a license file, and then click Upload File.
Repeat this process for each license file.
When finished, click Close Window.
6 Click Next.
7 On the License Error Check panel, read the message, and then do the following:
If there were no errors found, click Next.
If there were errors found, you must click Close.
Please call Symantec Technical Support for assistance.
8 On the Confirm License Installation panel, verify that all of the features and node limits you want are uploaded, and to install them on the appliance, click Next. Otherwise, click Back and install any missing license files.
9 On the License Installation Complete panel, click Close.
10 Reboot the appliance for the licenses to take effect.
Viewing licensed features
You can view the installed licensed features or the 30-day grace period status of your appliance using the SGMI System > Licensing > License Summary feature.
To view licensed features
1 In the SGMI, in the left pane, under System, click Licensing.
2 In the right pane, on the License Summary tab, each licensed feature is displayed with its status (Licensed or Not licensed), Starting Date, Expiration Date, and Limit (node or session count). Licensed features that do not have a Starting Date or Expiration Date are licensed indefinitely. The License Summary table is read only.
3 To view your actual usage of protected nodes and Client VPN sessions, click License Usage.
The License Usage table is read only.
Removing all license files
You can remove licenses from the security gateway using the SGMI. The Remove All button removes all installed licenses; you cannot remove individual feature or node limit licenses. After you remove licenses, your security gateway is not operational until you install new licenses, unless you are still within the 30-day grace period. If it has been less than thirty days since you installed the appliance, you still have the remainder of the 30-day grace period to install new licenses.
See “Getting started with your 30-day grace period” on page 71.
To remove all license files
1 In the SGMI, in the left pane, under System, click Licensing.
2 In the right pane, on the Installed Licenses tab, under the Installed Licenses table, click Remove All.
3 Reboot the security gateway.
Page 79
Appendix A
Developing a security plan
This chapter includes the following topics:
Defining your security policy
Educating users
Security policy worksheets
Developing a security plan helps you collect the information needed to install and configure your Symantec security gateway.
Defining your security policy
Ideally, your security policy should be captured in a document that describes your organization’s network security needs and concerns. Creating this document is the first step in building an effective overall network security system and should be done prior to installation.
Your security plan details the implementation of your security policy. Based upon the security concerns and trade-offs of your overall policy, your security plan should contain a set of tasks. One of these tasks should consist of establishing procedures and rules for access to resources located on your network. These resources include:
Host computers and servers
Workstations
Connection devices (gateways, routers, bridges, and repeaters)
Terminal servers and remote access servers
Networking and applications software
Information in files and databases
The firewall component of Symantec Gateway Security 5000 Series is the main tool for enforcing access control, allowing you to define a set of rules that allow or deny access to specific resources throughout your network.
Before writing your security plan
Before you begin writing rules to implement your plan, you need to answer the following questions:
How many points of entry exist on your network?
A security gateway defends a single point of entry. Every point of entry should be protected by a security gateway. A Virtual Private Network (VPN) server also defends a single point of entry. You must decide what access the VPN server is going to provide for resources that exist behind the security gateway.
What types of services, such as Web or FTP, do you want to allow for internal users?
To what hosts, subnets, and users do you want to allow these services?
Page 80
What external users will have access to your network? Where will they come from and where do you want to allow them to go? During what hours? For what period of time?
Do you intend to implement a service network?
Do you intend to implement a de-militarized zone (DMZ)?
What types of services do you want to allow for external users and hosts?
What type of authentication will you require for external users? (Strong authentication is recommended for any access from public networks.)
If you are implementing VPN tunnels between any internal and external hosts, what types of traffic will be allowed over these tunnels?
Will you place your Web server inside or outside of your protected network, or on a service network?
Becoming security-conscious
Developing and implementing a security plan for the security gateway that you are installing should be only one part of your overall security policy. The security gateway offers the best protection against uninvited entry into your network. However, the security gateway cannot guard against entry by people who obtain valid authentication credentials, any more than a sophisticated lock can stop a thief in possession of the right key.
Formulate goals
Take the time to formulate the specific goals of your security plan. Identify the resources you are protecting and all possible threats. Protecting your resources from unauthorized external users may be only one of your goals. You may also need to limit internal access to certain systems to specific users and groups, within specific time periods. Define these users and groups for the security gateway and how to configure special services to be passed through these systems.
Review issues
Review your organization’s specific issues in detail before you begin configuring the security gateway. Your network’s security depends on planning sound policies, implementing them carefully, and confirming that they work as intended.
Educating users
Your overall security policy involves a number of tasks. Of these, user education is the most important. Publish your company’s security policy. Make sure your users are informed of the determination of would-be invaders and the sophistication of available password-guessing programs. Make sure they understand how common security breaches are and how costly they can be. These facts alone dictate that users should be encouraged to select passwords that are difficult to crack, and to change passwords regularly.
Involving the user community
When developing the details of your security plan, solicit the input of group managers or leaders on what services they require, for what users, and so on. Explain to users the need for network security to protect private information, intellectual property, and your business plans.
Notifying affected users
Before implementing policies, notify the user community of your proposed policies. Doing so in advance can prevent unnecessary frustration on the part of your users.
Page 81
For instance, if you plan to limit Web services to a single server during specific hours, let this be known to the affected groups and users. If you plan to pass all email through a dedicated server, or if external users will be disallowed from accessing certain systems by Telnet, consider passing these changes along before implementation. Consulting users prior to implementation may save you the time needed to fine-tune those policies later.
Taking a proactive stance
Again, keep in mind that configuring a set of authorization rules on the security gateway is just one piece of your overall security plan. To be effective, this plan should also include the following:
Physical security of key systems (especially the security gateway)
Security risk training for users
Guidelines on passwords
Proprietary information policies
Network planning
Security policy worksheets
These policy planning worksheets aid you in the planning process. Use these worksheets to help implement the specific tasks of your security plan and to assist you during the installation process.
Defining your organization
Begin by defining your organization. Explore your existing security policy, if any; note who will be assigned as administrators, the types of authentication that you will use, and how your administrators will be contacted.
To define your organization
1 Does your organization have a security policy?
_____ Yes _____ No
If you checked No, refer to “Defining your security policy” on page 79 for information relating to the development of a security policy.
2 Number of users behind your security gateway: _____
3 Do you plan to establish special groups or users with different levels of access or control that other groups and users will not have?
_____ Yes _____ No
4 Do you plan to establish subnets, users by subnet, or users by authentication?
_____ Yes _____ No
5 What are your network access points?
______________________________________________________________________
______________________________________________________________________
Page 82
6 Name of the primary administrator:
____________________________________
7 Use Table A-1 to list all persons involved in administering the system.
Table A-1 Administrator names
Name Email Phone Mobile phone
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
______________________ ______________________ ______________________ ______________________
8 Are organization computer resources accessible by remote dial-in?
_____ Yes _____ No
9 Are organization computer resources accessible by an internal network?
_____ Yes _____ No
10 What communications servers (e-mail) are used? (such as SMTP or Microsoft Exchange)
______________________________________________________________________
______________________________________________________________________
11 What form of authentication will be used for remote access to company resources?
_____ User name/password _____ Entrust
_____ LDAP _____ SecurID
_____ RADIUS _____ Other
12 Will there be different authentication and group servers?
_____ Yes _____ No
13 What kind of security certificate will you use?
_____ Self-signed Secure Socket Layer (SSL) certificate generated by the security gateway
_____ SSL certificate purchased from a third-party Certificate Authority
14 What mechanism will be used for suspicious activity alerts?
_____ Blacklist _____ Email
_____ Pager _____ Client program
_____ SNMP V1 _____ SNMP V2
Page 83
15 Do you have other Symantec security gateways on your network now?
_____ Yes _____ No
16 If Yes, what version? ________________________________
17 Do you plan to combine security gateways in clusters for high availability and load balancing?
_____ Yes _____ No
18 Do you have third-party (non-Symantec) firewalls on your network now?
_____ Yes _____ No
19 If Yes, which one and version? ________________________________
20 Have you created a network diagram? If so, print and attach to this worksheet.
_____ Yes _____ No
Collecting hardware information
Before you begin the installation process, collect some basic hardware information. Before installation, ensure that the host network connections are configured and tested properly. Verify that you can ping the network interfaces of the server from clients on the same network.
To collect hardware information
1 Record the number of host computers of each type that compose your network.
_____ UNIX _____ Windows
_____ Other (type) ______
2 What kind of Internet access do you have? What speed?
______________________________________________________________________
3 Record the name of your Internet Service Provider (ISP).
______________________________
4 Does your site have, or plan to have, more than one Internet access point?
_____ Yes _____ No
5 Are there any other Internet connections besides the security gateway (such as modems connected to workstations)? If yes, list them.
_____ Yes _____ No
______________________________________________________________________
______________________________________________________________________
Page 84
6 Will you be using Symantec Client VPN?
_____ Yes _____ No
Collecting your TCP/IP address information
It is important to think about the TCP/IP requirements for your site. This includes information about running Domain Name Services (DNS), types and names of domains on your network, and making a list of protocols used that need to pass through your security gateway.
To collect your TCP/IP address information
1 How is your Domain Name Service (DNS) provided?
_____ On your corporate network
_____ Through your Internet Service Provider (ISP)
2 What type of domain structure is in use at your site?
_____ Single domain _____ Multiple domains
_____ Subdomains
3 What type of name service do you provide?
_____ Primary name services _____ Secondary name services
_____ Internal/private
4 Do you have an internal name server?
_____ Yes _____ No
5 Do you have WINS configured?
_____ Yes _____ No
6 Do you have someone at your site who is knowledgeable about, and comfortable working with, DNS and how to configure it properly?
_____ Yes _____ No
7 If yes, who?
______________________________________________________________________
8 Check the address types being used at your site.
_____ Registered IP address _____ Private IP address (RFC 1918)
_____ Unregistered IP address
Your connection to the Internet must have at least one public network address. You should use private, RFC 1918-compliant addresses internally or publicly registered IP addresses.
Page 85
9 Do you use DHCP to dynamically obtain network addresses?
_____ Yes _____ No
10 List the address ranges you currently use in your network.
____________________________________________________________
____________________________________________________________
11 List the protocols you use in your network.
____________________________________________________________
____________________________________________________________
12 Will you be using network news services (NNTP)?
_____ Yes _____ No
13 If yes, and you have your own internal NNTP server, record its IP address and the address of the server that will be supplying you with news feeds.
_____ Internal server: _____________________
_____ External news server: ________________
Note: Only IP can be directly handled by the security gateway. Other protocols such as IPX cannot be serviced or passed through the security gateway.
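Items 8 and 10 of this worksheet ask you to classify the address ranges in use at your site as registered, RFC 1918 private, or unregistered, and the note above item 9 states that the Internet connection needs at least one public address. The following Python script is an added example, not part of the guide, that applies those three categories to a list of ranges and flags the ones that need attention before installation. The list of registered public prefixes (`registered_prefixes`) is an assumed input that the worksheet does not carry; the sample ranges are constructed from documentation address space.

```python
import ipaddress

# RFC 1918 private address space: the "Private IP address (RFC 1918)" option
# on the worksheet.
RFC1918_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify_range(cidr, registered_prefixes=()):
    """Classify one address range from worksheet item 10.

    registered_prefixes: CIDR strings for public space your organisation
    actually holds (an assumed input; the worksheet has no field for it).
    Returns "private", "registered", "unregistered" or "reserved".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this worksheet only covers IPv4 ranges: %s" % cidr)
    if any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        return "private"
    # Loopback, link-local, multicast, 0.0.0.0/8 and 240.0.0.0/4 are not
    # usable as site addressing at all; report them separately.
    if (net.is_loopback or net.is_link_local or net.is_multicast
            or net.is_reserved or net.is_unspecified):
        return "reserved"
    if any(net.subnet_of(ipaddress.ip_network(p)) for p in registered_prefixes):
        return "registered"
    # Public space that is not registered to you: the "Unregistered IP
    # address" option. Hosts in the real owner's prefix become unreachable
    # from inside, and the range cannot be routed on the Internet.
    return "unregistered"


def review_address_plan(ranges, registered_prefixes=()):
    """Apply classify_range() to every range and summarise the findings.

    Returns per-range classifications, the findings that need action before
    installation, and whether the plan includes the public address that the
    Internet connection requires.
    """
    classes = {r: classify_range(r, registered_prefixes) for r in ranges}
    findings = []
    for cidr, kind in classes.items():
        if kind == "unregistered":
            findings.append(
                "%s is public space not registered to you; renumber into "
                "RFC 1918 space or a registered prefix" % cidr)
        elif kind == "reserved":
            findings.append("%s is reserved address space and cannot be used" % cidr)
    has_public = any(kind == "registered" for kind in classes.values())
    if not has_public:
        findings.append(
            "no registered public address: the Internet connection needs at least one")
    return {"classes": classes, "findings": findings, "has_public_address": has_public}


if __name__ == "__main__":
    # Constructed sample worksheet input (documentation prefixes, not real sites).
    sample_ranges = ["10.1.0.0/16", "192.168.50.0/24", "198.51.100.0/24", "203.0.113.0/24"]
    sample_registered = ["198.51.100.0/24"]
    report = review_address_plan(sample_ranges, sample_registered)
    for cidr, kind in report["classes"].items():
        print("%-18s %s" % (cidr, kind))
    for finding in report["findings"]:
        print("ACTION:", finding)
```

Run it with the ranges from item 10 and the prefixes your ISP or registry has assigned to you; any range reported as unregistered should be renumbered before the rules in Table A-5 are written against it, because those rules would otherwise reference address space you do not control.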
Defining your allowed TCP/IP services
Use the following tables to define all the allowed TCP/IP services in your network.
To define your allowed TCP/IP services
1 Use Table A-2 and check the access type (if any) you will allow for the following services.
Table A-2 Allowed TCP/IP access type
Access group (check one per service):
Service      All users   All internal users   Selected group   No access
Telnet       _____       _____                _____            _____
SMTP         _____       _____                _____            _____
HTTPS        _____       _____                _____            _____
CIFS         _____       _____                _____            _____
HTTP         _____       _____                _____            _____
NNTP         _____       _____                _____            _____
RealAudio    _____       _____                _____            _____
RTSP         _____       _____                _____            _____
PING         _____       _____                _____            _____
Other        _____       _____                _____            _____
Use Table A-3 to list your TCP/IP services. Over time, you will likely refine these permissions. You should make periodic updates to this list.
Table A-3 TCP/IP services
Service   Group                     Authentication            Access times
FTP       _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
Telnet    _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
HTTP      _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
Other     _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
          _______________________   _______________________   _______________________
Page 86
2 Do you need transparent inbound access from the Internet (VPN)?
_____ Yes _____ No
Collecting email information for security gateway notifications
You need to know information about email notifications. Use this section to collect data such as type of mail server, mail server IP address, and mail transport protocol.
To collect email information for security gateway notifications
1 Record the name and IP address of your mail server.
Name: __________________________________
IP address:_______________________________
2 Select the transport protocol being used for email.
_____ Third-party provided _____ POP3 mail
_____ SMTP mail
3 Does your internet service provider provide a mail relay host?
_____ Yes _____ No
Page 87
4 If yes, list its name and IP address.
_____ Mail relay host: ________________
_____ IP address: ______________________
5 List any mail programs that you use internal to your network (for example, Microsoft Outlook):
___________________________________________________________________
Defining your Web services
Use the following section to define information about your Web services.
To define your Web services
1 Will you be using a Web server?
_____ Yes _____ No
2 If yes, select the location of the Web server.
_____ Internal to the security gateway
_____ External to the security gateway
_____ Service network
3 Record the Web server name and IP address.
Name:_________________ Address:____________________
4 Will you be using an external caching/proxy server? If Yes, record the server name and IP address.
_____ Yes _____ No
Proxy server name:___________ Address:______________
5 Do you plan to use the content filtering service for security gateway?
_____ Yes _____ No
6 Do you plan to restrict access to any specific URLs?
_____ Yes _____ No
7 If yes, list the URLs to be restricted, and print and attach your list of restricted URLs.
8 Use Table A-4 to list the names of any special services you want to pass through the security
gateway.
Table A-4 Special services names
Service name              Service port number       Service type (UDP/TCP)    Server name
_______________________   _______________________   _______________________   _______________________
_______________________   _______________________   _______________________   _______________________
_______________________   _______________________   _______________________   _______________________
_______________________   _______________________   _______________________   _______________________
_______________________   _______________________   _______________________   _______________________
_______________________   _______________________   _______________________   _______________________
Page 88
Access lists
Use Table A-5 to list those entities and users to which you plan to write rules to allow access through the security gateway.
Table A-5 Entity identification
Entity type               IP address/Fully Qualified Domain Name   Internal/external
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
_______________________   ______________________________________   _______________________
Use Table A-6 to list all allowed user identities.
Table A-6 User identification
User name                 Group name                Client VPN      Clientless VPN
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
Page 89
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
_______________________   _______________________   _____________   _____________
9 Do you want the security gateway to keep a record of user passwords for protected resources (single sign-on)?
_____ Yes _____ No
Defining your network architecture
In the following section, list all of the entities that comprise your network. Show all routers and computers systems that will be directly affected by, or connected to, the security gateway and its directly connected networks. Label each network component with its IP address and netmask.
Use Table A-7 to create a list of all internal servers. Your internal network consists of at least the security gateway host and a router.
Table A-7 Internal network servers
Service      DNS name services      Mail server            Web server             Other server
Host name    ____________________   ____________________   ____________________   ____________________
IP address   ____________________   ____________________   ____________________   ____________________
Netmask      ____________________   ____________________   ____________________   ____________________
Use Table A-8 to list your security gateway host system addresses.
Table A-8 Security gateway host internal and external IP addresses
Host Internal/external IP addresses Netmask
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
______________________ ______________________ ______________________
Page 90
If your network includes VLANs, use Table A-9 to list the IP addresses to which they are routed.
Table A-9 VLAN IP addresses
VLAN IP address
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
______________________ ______________________
Use Table A-10 to list your router IP addresses.
Table A-10 Router IP addresses
Router IP addresses
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
______________________________________ _______________________________________
Your external network can also include external servers, such as an external Web server. Use Table A-11 to list all external network servers.
Table A-11 External network servers
Service      DNS name services      Mail server            Web server             Other server
Host name    ____________________   ____________________   ____________________   ____________________
IP address   ____________________   ____________________   ____________________   ____________________
Netmask      ____________________   ____________________   ____________________   ____________________
Use Table A-12 to describe your default gateway.
Table A-12 Default gateway
Host name    ________________________________________
IP address   ________________________________________
Netmask      ________________________________________
Page 91
Index
Numerics
30-day grace period 71
A
activating, license files 76
antispam 60
Antivirus 59
antivirus
  comforting 59
  response messages 59
  scanning off-box 59
appliance 11
authentication method, checklist 82
B
back panel features
  models 5640 20, 21
back up
  from Symantec Gateway Security v3.0 45
back up the LDAP data file 47
Backing up configurations
  v2.0.1 45
backing up Symantec Enterprise Firewall v8.0 configurations 69
C
configuration
  System Setup Wizard 32
configuration files
  backing up from Symantec Gateway Security v3.0 45
connecting
  model 5620 to network 19
  model 5620 uninterruptible power supply (UPS) 20
  models 5640/5660 to network 23
  models 5640/5660 uninterruptible power supply (UPS) 23
  Symantec Gateway Security 5600 Series SGMI 31
content categories predefined list 60
content filtering 60
content categories
  predefined list 60
content security 59
cooling fan 18
Cron jobs 64
D
displaying, system information 16
Dynamic Document Review 63
E
enable
  DHCP 35
  external Ping 35
F
factory reset 16
File Extensions White/Black List 63
front panel controls
  description 13
  locking 16
front panel layout 13
I
IDS 58
installing
  model 5620 power cord 19
  models 5640/5660 power cord 23
  rack mount 11
  stand-alone appliance 11
IP addresses checklist 84
L
LCD panel
  display 13
  locking 33
  unlocking 33
LDAP 58
LEDs. See status indicators.
license files
  activating 76
  obtaining 76
  removing 77, 78
  uploading 77
  viewing 78
license serial number
  obtaining 72
  organizing 72
locking front panel controls 16
Log files 63
Loglevel.cf 63
M
MAC address 34
MIME Types White/Black List 63
models
  5620 18
  5640 20, 21
monitoring mode 16
N
navigation buttons 13
network
  setup 16
  status indicators 14
network architecture, checklist 89
network connections
  model 5620 19
  models 5640/5660 23
network interfaces 64
news service, checklist 87
O
obtaining, license file 16
P
password
  LCD 30
  logon 70
power
  cord installation model 5620 19
  cord installation models 5640/5660 23
  reset switch 20
  socket 18, 20, 21, 28, 29
  switch 18, 28
proxies checklist 85
R
rack 11
removing license files 77, 78
RemPass 64
reports
  upgrade 55
reset 16
rules planning, access lists 88
S
security plan
  checklist 79
  worksheets 81
serial console port 18, 20, 22
shutdown 16
site hardware information, checklist 83
SRL 64
status indicators
  active connection 14
  disk 14
  Ethernet connection 14
  hard disk drive 14
  receive 14
  temp 14
  traffic 14
  transmit 14
  Web activity 14
Symantec Clientless VPN Gateway v5.0, upgrading to Symantec Gateway Security v3.0.1 40
Symantec System ID 73
Syn flood protection 64
system information 16
system menu 14
  factory reset 16
  network setup 16
  shutdown 16
  system ID 16
System Setup Wizard 32
T
TCP/IP checklist 84
temperature 14
turning on model 5620 20
U
unlocking front panel controls 16
upgrade reports 55
UPS, suppliers 23
URL White/Black List 62
USB port
  connecting UPS power supply 23
  modem connection 19, 20, 22
  smart UPS support 19, 20, 22
V
viewing license file 78
W
Web service, checklist 87
wizards
  System Setup Wizard 32
worksheets
  security planning 81