CyberGuard 5.2 Installation Guide


CyberGuard 5.2 Installation Guide IN December 2003

Copyright 2003 by CyberGuard Corporation. All rights reserved.

This publication or any part thereof may not be reproduced for any reason in any form without the written permission of the publisher. This publication or any part thereof is intended solely for use with CyberGuard Corporation products by CyberGuard Corporation personnel, customers, and end users.

The information contained in this document is believed to be correct at the time of publication. It is subject to change without notice. CyberGuard Corporation makes no warranties, express or implied, concerning the information contained in this document.

To report an error or comment on a specific portion of the manual, photocopy the page in question and mark the correction or comment on the copy. Mail the photocopied page (and any additional comments) to CyberGuard Corporation, 2000 West Commercial Boulevard, Suite 200, Fort Lauderdale, FL Mark the envelope Attention: Publications Department.

Adaptec, ANA, Quartet, and Quartet64 are trademarks of Adaptec, Inc., which may be registered in some jurisdictions. CyberGuard is a registered trademark of CyberGuard Corporation. DEC is a trademark of Digital Equipment Corporation. Ethernet is a registered trademark of Xerox Corporation. Ghost is a trademark of Symantec Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. UnixWare is a registered trademark of Caldera International, Inc.

Printed in the U.S.A.

Revision History: Level: Effective With:
    Original Release -- June CyberGuard Firewall Release 3.1
    Previous Release -- October CyberGuard Firewall Release 5.1
    Current Release -- December CyberGuard Firewall Release 5.2

Preface

Scope of Manual

This manual explains the procedures for setting up CyberGuard's appliance firewalls.

Structure of Manual

This manual consists of four chapters and three appendixes. A brief description of the chapters and appendixes is presented as follows.

Chapter 1 explains the procedures for preparation and initial setup of CyberGuard's appliance firewalls. It describes the software and procedures for installing, upgrading, and configuring an appliance firewall system.

Chapter 2 explains the procedures for setting up and configuring FS appliance firewalls.

Chapter 3 explains the procedures for setting up and configuring KS appliance firewalls.

Chapter 4 explains the procedures for setting up and configuring SL appliance firewalls.

Appendix A provides information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

Appendix B describes the system backup and restore procedures for the appliance firewalls.

Appendix C provides information needed to use the privadm command. This command allows you to set up an administrative network at the SYS_PRIVATE level.

Syntax Notation

The following notation is used throughout this manual:

italic
    Books, reference cards, and items that the user must specify appear in italic type. Special terms may also appear in italics.

list bold
    User input appears in list bold type and must be entered exactly as shown. Names of directories, files, commands, options and system manual page references also appear in list bold type.

list
    Operating system and program output such as prompts and messages and listings of files and programs appear in list type.

[ ]
    Brackets enclose command options and arguments that are optional. You do not type the brackets if you choose to specify such options or arguments.

Contents

Chapter 1 Installing and Configuring Appliances
    Before You Begin
    Appliance Firewall Software
    Licensing
    Upgrading an Existing Firewall System
    Upgrading an Appliance Firewall System
    Upgrading a Standard Firewall System to an Appliance
    Using the Initial Configuration Utility
    Setting Up the Hardware
    Appliance Firewall Autoconfiguration
    Logging Into the Appliance Firewall

Chapter 2 FS Systems
    Hardware
    Ethernet Port Ordering
    Setup
    Firmware for ISP1100 Systems
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Firmware for FS Systems with Bonham Motherboard
    Setting the BIOS
    Setting Up Boot Devices
    Saving Changes
    Firmware for FS250 and FS500 Systems
    Setting the BIOS
    Setting Up Boot Devices
    Saving Changes
    FS Initial Configuration

Chapter 3 KS Systems
    KS 1U and 2U Systems
    Hardware
    Ethernet Port Ordering
    Setup
    Firmware for KS 2U with Lancewood Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    Firmware for KS 2U with Tupelo Motherboard

    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    Firmware for KS1000 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    Firmware for KS1500 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    KS Initial Configuration
    KS 5U Systems
    Hardware
    PCI Slot Ordering
    Setup
    Firmware for KS 5U with Lancewood Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    Firmware for KS 5U with Tupelo Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
    Firmware for KS 5U with Tupelo Motherboard and RAID
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
    Firmware for KS1500R with Hodges Motherboard
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
    Firmware for KS1500R with Bryson Motherboard
    Setting the BIOS
    Setting Up Advanced Features

    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
    KS [5U] Initial Configuration

Chapter 4 SL Systems
    Hardware
    PCI Slot and Port Ordering
    Setup
    Firmware for SL 4U with KOA Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting Up the RAID Array
    Firmware for SL2000 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting Up the RAID Array
    Firmware for SL3200 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting Up the RAID Array
    SL Initial Configuration

Appendix A Identifying Ports and Unit Numbers

Appendix B Backup and Restore Procedures
    Backing Up an Appliance Firewall Configuration
    Restoring an Appliance Firewall Configuration
    Restoring a Configuration
    Restoring a Configuration After a System Failure

Appendix C privadm Command

Illustrations

    Figure 1-1. Initial Configuration Window for Appliance Firewalls
    Figure 1-2. Stand-Alone KS System
    Figure 1-3. Sample Initial Configuration Data for Stand-Alone System
    Figure 1-4. KS High Availability Pair
    Figure 1-5. Sample Configuration Data for HA Primary System
    Figure 1-6. Sample Configuration Data for HA Secondary System
    Figure 2-1. ISP1100 Back Panel
    Figure 2-2. ISP1100 Front Panel
    Figure 2-3. FS with Bonham Motherboard Back Panel
    Figure 2-4. FS250 Back Panel
    Figure 2-5. FS500 Back Panel
    Figure 2-6. Initial Configuration Window for FS Platform
    Figure 3-1. Port Ordering for First-Generation Systems Top Slot Empty
    Figure 3-2. Port Ordering for Other First-Generation Systems
    Figure 3-3. Port Ordering for Second-Generation Systems
    Figure 3-4. Port Ordering for KS 2U with Tupelo Motherboard
    Figure 3-5. Port Ordering for KS1000 Systems
    Figure 3-6. Port Ordering for KS1500 Systems
    Figure 3-7. KS 2U with Lancewood Motherboard Back Panel
    Figure 3-8. KS 2U with Tupelo Motherboard Back Panel
    Figure 3-9. KS1000 Back Panel
    Figure KS1500 Back Panel
    Figure Initial Configuration Window for KS Platform
    Figure Lancewood Motherboard PCI Slot Ordering
    Figure Tupelo Motherboard PCI Slot Ordering
    Figure KS1500R PCI Slot Ordering
    Figure Back Panel of KS 5U with Lancewood Motherboard
    Figure Back Panel of KS 5U with Tupelo Motherboard
    Figure Back Panel of KS1500R
    Figure Initial Configuration Window for KS 5U Platform
    Figure 4-1. PCI Slot Ordering on SL 4U Systems
    Figure 4-2. PCI Slot Ordering on SL2000 Systems
    Figure 4-3. PCI Slot Ordering on SL3200 Systems
    Figure 4-4. SL 4U with KOA Motherboard Back Panel
    Figure 4-5. SL2000 Back Panel
    Figure 4-6. SL3200 Back Panel
    Figure 4-7. Initial Configuration Window for SL Platform
    Figure C-1. Firewall Administered by a Private Administrative Network


Chapter 1
Installing and Configuring Appliances

This chapter describes CyberGuard appliance firewall software for FS, KS, and SL appliances and explains the procedures for setting up, installing, and configuring these types of systems. It also explains the procedures for upgrading FS, KS, and SL appliance firewall systems to Release

Before You Begin

This section provides an overview of the appliance firewall software and licensing.

Appliance Firewall Software

The appliance firewall software consists of one CD-ROM for each type of FS, KS, and SL appliance. The CD-ROM provides a complete image of an installed appliance firewall system. This image is created using Symantec Corporation's Norton Ghost™. The CD-ROM is bootable; consequently, the appliance firewall has the CD-ROM device as the first boot device. The appliance firewall image is loaded onto the system's hard drive prior to shipment from the factory. It is ready when you first power up the system.

In addition to the firewall image, the CD-ROM contains the following important directory:

ksinit
    This directory contains the browser-based CyberGuard Firewall Appliance Initial Configuration utility, ksinit.htm, and associated files: mssave.htm, shieldwm.jpg, fshelp.htm, kshelp.htm, ks5uhelp.htm, slhelp.htm, FSBack.jpg, FSBackS.jpg, FSBBack.jpg, FSBBackS.jpg, KSLBack.jpg, KSLBackS.jpg, KSTBack.jpg, KSTBackS.jpg.

This utility allows you to create a configuration file that can be used for autoconfiguration of the basic components of the firewall during initial boot. These components include the following:

    High Availability
    Administrative user
    Licensing
    Firewall host name
    Remote management
    Central authentication
    Domain name
    System mouse type
    Restore firewall configuration
    Network interfaces
    System time and time synchronization
    Default route

The ksinit utility can be run on a remote workstation that runs Microsoft Internet Explorer 4.x or higher or Netscape Navigator 4.x. The configuration file that you create is saved as a text file and stored on a diskette. The diskette can then be inserted in the floppy drive of the firewall for which the configuration is intended. During initial boot, the firewall will read the configuration file from the diskette, load the initial configuration, and reboot. Procedures for using the CyberGuard Firewall Appliance Initial Configuration utility are explained in Using the Initial Configuration Utility, page

The appliance firewall software also consists of one additional CD-ROM that contains CyberGuard Supplemental Products and CyberGuard Firewall Release 5.2 manuals in PDF format. These manuals are the Release Notes, Installation Guide, and the CyberGuard Firewall Manual, a 3-volume set that includes Administering the CyberGuard Firewall, Configuring the CyberGuard Firewall, and Configuring SmartProxies on the CyberGuard Firewall.

Licensing

To use the features of the appliance firewall, you must have one of the following types of licenses:

    30-day trial license
    System license obtained from the CyberGuard Corporation Web site

The type of license that you have affects the information that you must enter on the Initial Configuration window (see Using the Initial Configuration Utility, page 1-11, and Figure 1-1 for a picture of this window). Information required with each type of license is outlined as follows.

30-Day Trial License
    Allows you to leave the following fields blank:
        Onboard MAC Address
        Hardware ID
        Serial Number
        License Key

System License
    Requires that you enter information in the following fields:
        Onboard MAC Address
        Hardware ID (read-only field completed by clicking the Generate button)
        Serial Number
        License Key

NOTE: If you are upgrading an existing FS, KS, or SL appliance firewall system to Release 5.2, you may choose to use your current hardware ID to obtain a system license. In this case, you must enter only the Serial Number and License Key on the Initial Configuration window.

Upgrading an Existing Firewall System

If you wish to upgrade an existing firewall system to Release 5.2, you must complete the following procedures. Otherwise, proceed to Using the Initial Configuration Utility on page

To upgrade an appliance firewall, follow the procedures presented on page 1-3.

To upgrade a standard firewall system to an appliance, follow the procedures presented on page 1-7.

Upgrading an Appliance Firewall System

If you wish to upgrade an existing FS, KS, or SL appliance firewall system to Release 5.2, complete the following procedures.

NOTE: Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.

Be sure that you have a box of blank diskettes available for backing up the system. Label each diskette as appropriate so that you will be able to restore your configuration successfully.

NOTE: Some of the procedures can be performed by accessing the appliance from a remote workstation; some of the procedures must be performed on the appliance.

Follow the procedures described in Using the Initial Configuration Utility on page 1-11 to create a Release 5.2 configuration file that can be used for autoconfiguration of the basic components of the firewall during initial boot.

On the appliance firewall system, insert a blank, writable diskette into the floppy drive to prepare for backing up your system.

On the appliance or a remote workstation:

Select System from the firewall Control Panel, and then select Software Update.

When the Software Update window is displayed, enter the following in the Remote Host field:

    ftp.cybg.com

Enter the following in the Remote Directory field:

    /Unix/5.2/Optional_pkgs

Enter the following in the Remote File Name field:

    backupconfig_orders

Enter the login name to be used on the Remote Host in the Remote User Name field (anonymous login is allowed).

Enter the password associated with the Remote User Name in the Remote Password field.

Check the Use Encryption check box.

Enter the string required to decrypt the file in the Encryption Password field.

Click on Invoke. The following message will be displayed when the process has been completed:

    Software Update has been invoked. The system will be restarted to perform upgrade maintenance in a few minutes. Please wait. See /var/adm/log/cg_getorders.log for details.

NOTE: The system will not be restarted.

Click on OK.

On the appliance firewall system:

Remove the diskette from the drive, and label it Firewall Recovery Diskette n, where n represents the sequence number of the recovery diskette.

Continue to insert, remove, and label recovery diskettes until you have completed backing up your system.

Insert the FS, KS, or SL appliance firewall Release 5.2 bootable CD in the CD-ROM drive.

Press <Reset> to reboot the system.

When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.

On the Main page, set System Time and System Date to appropriate values for Greenwich Mean Time (GMT).

Use the right arrow key to select Exit.

Select Exit Saving Changes, and press <Enter>. A window displays the following message:

    Save configuration changes and exit now?

Select Yes, and press <Enter>. A system reboot occurs. Following installation of several drivers, the following message is displayed on the appliance firewall:

    IMPORTANT: This program is about to overwrite your hard drive! All existing data will be lost! Do you want to continue (you have 20 seconds to respond) [Y,N]?

If you do not wish to proceed, press <N>. Otherwise, press <Y> or wait 20 seconds for the program to continue.

The system runs Norton Ghost™. As the image is loaded, the Progress Indicator window is displayed. Loading the image requires approximately 20 minutes.

When the image has been loaded, the computer beeps, and the following messages and prompt are displayed on the appliance firewall:

    Image loaded successfully...
    Batch File Finished
    D:\

Remove the appliance firewall CD from the CD-ROM drive.

Proceed with autoconfiguration as explained in Appliance Firewall Autoconfiguration on page

After the firewall system reboots (requires approximately four minutes), remove the Initial Configuration diskette from the floppy drive.

Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

NOTE: You must continue to remove and insert recovery diskettes into the drive until you have completed recovery of your firewall configuration.

On the appliance or a remote workstation:

As applicable, use an attached monitor or Remote Web Administration to log in to the appliance firewall system.

Select Tools from the firewall Control Panel, and then select Shell Window.

When the Shell Window is displayed, enter the following to become root:

    /sbin/tfadmin newlvl SYS_PRIVATE su

Enter the corresponding password, and press <Enter>.

Enter the following to change level to network:

    newlvl network

Enter the following to execute cginstall:

    cginstall

Enter 4 to select Restore Configuration Files. The following message is displayed:

    Select source device: (t)ape, (f)loppy, (d)isk

Enter f.

When the configuration files have been restored, you are returned to the menu. Enter q to quit.

Enter exit to exit the root shell.

Enter exit to return to the previous level.

Enter exit to close the Shell Window.

Select System from the firewall Control Panel, and then select System Shutdown.

When the System Shutdown window is displayed, select Reinitialize Network.

On the appliance firewall system, remove the last Firewall Recovery Diskette from the drive.

Upgrading a Standard Firewall System to an Appliance

If you wish to upgrade an existing standard firewall system to a Release 5.2 appliance firewall, you must complete the following procedures.

NOTE: Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.

Be sure that you have a box of blank diskettes available for backing up the system. Label each diskette as appropriate so that you will be able to restore your configuration successfully.

Follow the procedures described in Using the Initial Configuration Utility on page 1-11 to create a Release 5.2 configuration file that can be used for autoconfiguration of the basic components of the appliance firewall during initial boot.

On the standard firewall system, insert a blank, writable diskette into the floppy drive to prepare for backing up your system.

Select System from the firewall Control Panel, and then select Software Update.

When the Software Update window is displayed, enter the following in the Remote Host field:

    ftp.cybg.com

Enter the following in the Remote Directory field:

    /Unix/5.2/Optional_pkgs

Enter the following in the Remote File Name field:

    backupconfig_orders

Enter the login name to be used on the Remote Host in the Remote User Name field (anonymous login is allowed).

Enter the password associated with the Remote User Name in the Remote Password field.

Check the Use Encryption check box.

Enter the string required to decrypt the file in the Encryption Password field.

Click on Invoke. The following message will be displayed when the process has been completed:

    Software Update has been invoked. The system will be restarted to perform upgrade maintenance in a few minutes. Please wait. See /var/adm/log/cg_getorders.log for details.

NOTE: The system will not be restarted.

Click on OK.

Remove the diskette from the drive, and label it Firewall Recovery Diskette n, where n represents the sequence number of the recovery diskette.

Continue to insert, remove, and label recovery diskettes until you have completed backing up your standard firewall system.

Move to the new appliance firewall system.

Proceed with hardware and firmware setup procedures as explained in Setting Up the Hardware on page

Proceed with autoconfiguration as explained in Appliance Firewall Autoconfiguration on page

After the appliance firewall system reboots (requires approximately four minutes), remove the Initial Configuration diskette from the floppy drive.

Now that you have installed and configured the appliance firewall, you can access it via an attached monitor or via a remote management service (i.e., Remote Web Administration or SSH-Secure Shell). On the appliance or a remote workstation, complete the following steps:

When the CyberGuard Firewall login window is displayed with your system name, log in as the FSO user that you specified on the appliance firewall Initial Configuration window.

When prompted, enter the FSO password, and press <Enter>. The CyberGuard Firewall Control Panel is displayed.

Change the root password by completing the following steps.

    Select the Configuration menu, and then select Users.
    When the Users window appears, click on Show Editor.
    Select the root user, and click on the Authentication tab.
    Click on the Password tab.
    Click on Generate, or enter a new password in the Password field.
    Click on Save.

Set up your security policy by restoring the configuration that you backed up to diskettes on the standard firewall system. Complete the following steps:

On the appliance firewall system:

Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

NOTE: You must continue to remove and insert recovery diskettes into the drive until you have completed recovery of your firewall configuration.

On the appliance or a remote workstation:

Select Tools from the firewall Control Panel, and then select Shell Window.

When the Shell Window is displayed, enter the following to become root:

    /sbin/tfadmin newlvl SYS_PRIVATE su

Enter the corresponding password, and press <Enter>.

Enter the following to change level to network:

    newlvl network

Enter the following to execute cginstall:

    cginstall

Enter 4 to select Restore Configuration Files. The following message is displayed:

    Select source device: (t)ape, (f)loppy, (d)isk

Enter f.

When the configuration files have been restored, you are returned to the menu. Enter q to quit.

Enter exit to exit the root shell.

Enter exit to return to the previous level.

Enter exit to close the Shell Window.

Select System from the firewall Control Panel, and then select System Shutdown.

When the System Shutdown window is displayed, select Reinitialize Network.

On the appliance firewall system, remove the last Firewall Recovery Diskette from the drive.

Using the Initial Configuration Utility

This section explains the procedures for extracting the appliance firewall Initial Configuration utility, ksinit.htm, from the FS, KS, or SL Appliance Firewall Release 5.2 CD and for using it to create a configuration file that can be used to configure an appliance firewall automatically on first boot.

The onboard MAC address is used to generate the hardware ID that is required for obtaining a system license. It may be used in forming the name of the configuration file (otherwise, the name is generic.txt). If the configuration file names are based on the MAC address, they are unique, and multiple configuration files can be stored on a single diskette; the firewall will be able to select the appropriate one when the diskette is inserted in its floppy drive.

If you are upgrading an appliance firewall system to Release 5.2, you already have your MAC address and your hardware ID. It is recommended that you make a note of both before proceeding. The MAC address appears on a label on the front panel of the machine. The hardware ID is displayed in the Hardware Number field on the License Keys window of the CyberGuard Firewall GUI.

If you have a newly-shipped FS, SL, or KS appliance system other than the KS1000 model, the MAC address appears on a label on the front panel of the machine. If you have a KS1000 system, the MAC address appears on a label on the top of the front right-hand corner of the machine. It is recommended that you make a note of the MAC address before proceeding.

NOTE: If you are upgrading an existing FS, KS, or SL appliance and you wish to use the MAC address to form the name of your configuration file, you must enter the MAC address in the Onboard MAC Address field on the CyberGuard Firewall Appliance Initial Configuration window. You must also generate a new hardware ID to use in obtaining a system license.

If you are upgrading an existing FS, KS, or SL appliance firewall system to Release 5.2 and you do not wish to base the initial configuration file name on the MAC address, you may use your current hardware ID to obtain a system license.

Proceed as follows to use the appliance firewall Initial Configuration utility.

Insert the FS, KS, or SL Appliance Firewall 5.2 bootable CD in the CD-ROM drive on a remote workstation that runs Microsoft Internet Explorer 4.x or higher or Netscape Navigator 4.x.

Open the Windows Explorer, and use the scroll bars to locate the CD-ROM drive in the left pane.

Click on the drive to display the contents of the appliance firewall 5.2 CD in the right pane.

Locate the ksinit folder, and copy it onto your hard drive.

Be sure that you have one or more diskettes available for creating the initial configuration file(s) for your appliance firewall system(s).

Insert a blank diskette in the floppy drive on the remote workstation.

Open a browser, and in the Location or Address field, enter the following:

    file://c:/ksinit/ksinit.htm

where c represents the hard drive to which you copied the ksinit folder. The screen shown in Figure 1-1 is displayed:

Figure 1-1. Initial Configuration Window for Appliance Firewalls

The CyberGuard Firewall Appliance Initial Configuration window provides an easy means for you to supply the information required for initial setup of an FS, KS, or SL appliance system. The fields and controls on this window vary according to the type of appliance that you select from the Firewall Appliance drop-down list box and the particular model that you select from the associated Models drop-down list box. The following sections show the Initial Configuration window for each type of appliance and describe the fields and controls on each window:

    FS Initial Configuration on page 2-15
    KS Initial Configuration on page 3-24
    KS [5U] Initial Configuration on page 3-62
    SL Initial Configuration on page 4-23

Prior to entering data in the Initial Configuration window, it is recommended that you use the blank configuration window provided in the section associated with your appliance to record information that is appropriate for your system.

To assist you, diagrams and example configurations for a stand-alone KS system and a primary and secondary system in a KS High Availability pair are provided in the pages that follow. In the diagrams, note that dashed lines are used to denote optional features.

Figure 1-2 shows a stand-alone KS system.

Figure 1-2. Stand-Alone KS System (diagram labels: INTERNET, External Interface, Remote Web Administration Hosts, Administrative Interface, Host A, Gateway, Internal Interface, Host B, Server A, Server B, RADIUS Server)

The KS Initial Configuration window shown in Figure 1-3 contains data appropriate for the stand-alone KS system illustrated in Figure

Figure 1-3. Sample Initial Configuration Data for Stand-Alone System

Figure 1-4 shows a KS High Availability pair.

Figure 1-4. KS High Availability Pair (diagram labels: INTERNET, Administrative (Exempt) Interface, External Interfaces, Heartbeat Interfaces, Administrative (Exempt) Interface, Gateway, Internal Interface, Internal Interface, Remote Web Administration Hosts, Gateway, Host A, Host B, Server A, Server B, RADIUS Server)

The KS Initial Configuration window shown in Figure 1-5 contains data appropriate for the primary KS system illustrated in Figure 1-4.

Figure 1-5. Sample Configuration Data for HA Primary System

The KS Initial Configuration window shown in Figure 1-6 contains data appropriate for the secondary KS system illustrated in Figure

Figure 1-6. Sample Configuration Data for HA Secondary System

Enter data in the fields on the appliance firewall Initial Configuration window as appropriate for your site. Click on the Help button to obtain a detailed description of the fields and controls on the window.

NOTE: A Class A, Class B, or Class C address must be entered in the IP Address field associated with each network interface; that is, the value of the first byte of the address must be less than 224.

If you are configuring an HA primary or secondary system, the Type setting for the Remote Web Administration interface (e.g., eee0) must be Internal Exempt; otherwise, it must be Internal.

You must configure the Management Interface (e.g., eee0) to permit further configuration of the firewall using Remote Web Administration.

Verify that the information that you have entered is correct, and press the Submit button. A configuration page is displayed in the browser.

Follow the instructions provided on that page to save it as a text file. When you select Save As from the browser's File menu, you must select Text File (*.txt) from the Save as type drop-down list.

NOTE: If you have entered a value in the Onboard MAC Address field, the file name is based on the MAC address; otherwise, it is generic.txt. If the file name is based on the MAC address, you may save multiple configuration files to the diskette. In this case, the firewall will select the correct file when the diskette is inserted in the floppy drive on a firewall. If the firewall does not find a file with a unique name, it looks for the generic.txt file.

Remove the diskette from the drive, and take it to the firewall on which you plan to use it.
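The two notes above (the interface address and Type rules, and the order in which the firewall picks a configuration file from the diskette) can be checked before the diskette leaves the workstation. The following Python sketch is an added example, not CyberGuard code and not part of the original guide; the interface record layout, the function names, and the MAC-derived file name format (12 hex digits plus .txt) are assumptions, since the guide states only that the name is based on the MAC address.

```python
import re

# Type values the guide names for the Remote Web Administration interface.
TYPE_INTERNAL = "Internal"
TYPE_INTERNAL_EXEMPT = "Internal Exempt"
GENERIC_FILE = "generic.txt"

# Constructed sample data (not from the guide): an HA primary whose management
# interface has the wrong Type and whose third interface uses a Class D address.
SAMPLE_INTERFACES = [
    {"name": "eee0", "ip": "192.168.10.1", "type": "Internal"},
    {"name": "eee1", "ip": "10.0.0.1", "type": "External"},
    {"name": "eee2", "ip": "224.0.0.5", "type": "Internal"},
]


def parse_ipv4(text):
    """Return the four octets of a dotted-quad address; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four dot-separated fields")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"{text!r}: field {part!r} is not a number 0-255")
        octets.append(int(part))
    return tuple(octets)


def address_class(text):
    """Classify by first byte. None means first byte >= 224, which the guide rejects."""
    first = parse_ipv4(text)[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return None


def check_interfaces(interfaces, rwa_interface, ha_member):
    """Return a list of problems in the interface table.

    interfaces    -- list of dicts with keys "name", "ip", "type" (assumed layout)
    rwa_interface -- name of the Remote Web Administration interface, e.g. "eee0"
    ha_member     -- True when configuring an HA primary or secondary system
    """
    problems = []
    required = TYPE_INTERNAL_EXEMPT if ha_member else TYPE_INTERNAL
    seen_rwa = False
    for nic in interfaces:
        try:
            if address_class(nic["ip"]) is None:
                problems.append(
                    f"{nic['name']}: {nic['ip']} is not Class A, B or C (first byte >= 224)")
        except ValueError as err:
            problems.append(f"{nic['name']}: {err}")
        if nic["name"] == rwa_interface:
            seen_rwa = True
            if nic["type"] != required:
                problems.append(
                    f"{nic['name']}: Type is {nic['type']!r}, must be {required!r}")
    if not seen_rwa:
        problems.append(f"{rwa_interface}: Remote Web Administration interface is not configured")
    return problems


def mac_file_name(mac):
    """ASSUMED naming scheme: 12 lowercase hex digits followed by '.txt'."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return digits.lower() + ".txt"


def select_config_file(diskette_files, onboard_mac):
    """Selection order from the guide: the MAC-named file first, then generic.txt.

    Returns None when neither is present (the case in which the firewall keeps
    retrying the read). Case-insensitive matching is an assumption.
    """
    names = {name.lower(): name for name in diskette_files}
    wanted = mac_file_name(onboard_mac)
    if wanted in names:
        return names[wanted]
    return names.get(GENERIC_FILE)


if __name__ == "__main__":
    for line in check_interfaces(SAMPLE_INTERFACES, "eee0", ha_member=True):
        print("PROBLEM:", line)
    listing = ["generic.txt", "00a0c9112233.txt"]  # constructed diskette listing
    print("firewall would load:", select_config_file(listing, "00:A0:C9:11:22:33"))
```
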

Setting Up the Hardware

Hardware requirements for Release 5.2 for FS, KS, and SL appliances are as follows:

    FS, KS, or SL system
    Keyboard
    Video monitor
    PS/2 or Serial mouse

Hardware and firmware setup procedures vary according to type of appliance. The following chapters and sections explain the procedures for setting up each type of appliance:

    Chapter 2, FS Systems, Hardware on page 2-1
    Chapter 3, KS Systems, KS 1U and 2U Systems on page 3-1
    Chapter 3, KS Systems, KS 5U Systems on page 3-34
    Chapter 4, SL Systems, Hardware on page 4-1

NOTE: With the exception of FS250 and FS500 models, the keyboard, monitor, and mouse are not required after you have completed the hardware and firmware setup procedures.

Complete the hardware and firmware setup procedures applicable to your appliance.

Proceed with appliance firewall autoconfiguration as explained in the section that follows (page 1-22).

Appliance Firewall Autoconfiguration

Before you begin, be sure that you have the diskette containing the FS, KS, KS[5U], or SL initial configuration file that you have created for your system.

NOTE: On first boot of the SL, SL2000, or SL3200 software image, an error message regarding a partition not mounted will be displayed. Disregard this message.

Insert the Initial Configuration diskette in the floppy drive on the firewall.

Press <Reset> to reboot the machine. During the initial boot to run level 2, the firewall will attempt to read the configuration file created through use of the appliance firewall Initial Configuration window.

NOTE: If the file is not found, the system will retry the read every five seconds for three minutes. After three minutes, the system will shut down.

If the file is read successfully, the initial configuration is loaded, and the system automatically reboots.

NOTE: The firewall will not attempt to read the diskette on the second and subsequent boots.

A log file (log) that contains the status of the autoconfiguration is written to the diskette (if it is writable).

Logging Into the Appliance Firewall

After you have installed and configured the appliance firewall, you can access it via an attached monitor or via a remote management service (i.e., Remote Web Administration or SSH-Secure Shell). Complete the following steps:

When the CyberGuard Firewall login window is displayed with your system name, log in as the FSO user that you specified on the appliance firewall Initial Configuration window.

When prompted, enter the FSO password, and press <Enter>. The CyberGuard Firewall Control Panel is displayed.

Change the root password by completing the following steps.

    Select the Configuration menu, and then select Users.
    When the Users window appears, click on Show Editor.
    Select the root user, and click on the Authentication tab.
    Click on the Password tab.
    Click on Generate, or enter a new password in the Password field.
    Click on Save.

If you have a new appliance firewall system, use the menus accessible from the firewall Control Panel to set up the security policy for your enterprise network. Refer to the CyberGuard Firewall Manual for assistance.

Back up your system. Procedures are explained in the Backing Up an Appliance Firewall Configuration section of Appendix B.


2 FS Systems

Hardware
    Ethernet Port Ordering
    Setup
Firmware for ISP1100 Systems
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
Firmware for FS Systems with Bonham Motherboard
    Setting the BIOS
    Setting Up Boot Devices
    Saving Changes
Firmware for FS250 and FS500 Systems
    Setting the BIOS
    Setting Up Boot Devices
    Saving Changes
FS Initial Configuration


Chapter 2 FS Systems

This chapter provides information specific to FS systems. These include ISP1100 systems, FS systems with Bonham motherboards, and FS systems with Woodruff motherboards (hereinafter referred to as models FS250 and FS500). This chapter explains hardware and firmware setup procedures and provides reference information needed to complete the FS Initial Configuration window.

Hardware

This section shows port ordering for each type of FS system and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

Ethernet Port Ordering

Port ordering for an ISP1100 system is shown in Figure 2-1 (page 2-2). Port ordering for an FS with Bonham motherboard is shown in Figure 2-3 (page 2-3). Port ordering for an FS250 is shown in Figure 2-4 (page 2-3). Port ordering for an FS500 is shown in Figure 2-5 (page 2-3).

Setup

To set up an FS firewall system, complete the following steps.

Remove the computer from the box.

Plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables by using the diagrams in Figure 2-1, ISP1100 Back Panel, and Figure 2-2, ISP1100 Front Panel, or Figure 2-3, FS with Bonham Motherboard Back Panel, Figure 2-4, FS250 Back Panel, or Figure 2-5, FS500 Back Panel.

NOTE: Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.

The current default video setting for this appliance firewall system is 1024 x 768 x Hz refresh.

Turn on the computer.

Figure 2-1. ISP1100 Back Panel (labels: PS/2 Mouse, On-Board Ethernet Port eee1, Video, Four-Port Adapter, Keyboard, USB, On-Board Ethernet Port eee0, COM1)

Figure 2-2 shows the ISP1100 front panel and indicates the position of the COM2 port. The FS appliances with Bonham and Woodruff motherboards do not have a COM2 port.

Figure 2-2. ISP1100 Front Panel (label: COM2)

Figure 2-3. FS with Bonham Motherboard Back Panel (labels: PS2 Mouse, On-Board Ethernet Port eee0, Four-Port Adapter, Keyboard, USB, Video, COM1, USB)

Figure 2-4. FS250 Back Panel (labels: PS2 Mouse, RJ45 10/100 (eee_2), Single-Port Adapter (eee_0), Keyboard, COM1, Video, USBs, RJ45 10/100 (eee_1))

Figure 2-5. FS500 Back Panel (labels: PS2 Mouse, RJ45 10/100 (eee_1), Four-Port Adapter, Keyboard, COM1, Video, USBs, RJ45 10/100 (eee_0))

Firmware for ISP1100 Systems

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 2-4.

Setting the BIOS

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select System Management, and press <Enter>.
Select Serial Features, and press <Enter>.
On the Serial Features page, select Serial Console Redirection, and press <Enter>.
Use the arrow key to select Disabled, and press <Enter>.
On the Serial Features page, select Serial Port, and press <Enter>.
Use the arrow key to select COM1 3F8 IRQ4, and press <Enter>.
On the Serial Features page, select BAUD Rate, and press <Enter>.
Use the arrow key to select 9600, and press <Enter>.
On the Serial Features page, select Flow Control, and press <Enter>.
Use the arrow key to select XON/XOFF, and press <Enter>.
Press <Esc>.
Use the right arrow key to select Exit from the Menu Bar.

Setting Up Boot Devices

Use the right arrow key to select Advanced from the Menu Bar.
On the Advanced page, select Boot Configuration, and press <Enter>.
Verify the following settings:

    Plug & Play O/S      [No]
    Reset Config Data    [No]
    Numlock              [No]

Press <Esc>.
On the Advanced page, select Peripheral Configuration, and press <Enter>.
Verify the following settings:

    Serial Port A
        Base I/O Address [3F8]
        Interrupt        [IRQ 4]
    Serial Port B
        Base I/O Address [2F8]
        Interrupt        [IRQ 3]
    Legacy USB Support

Press <Esc>.
On the Advanced page, select IDE Configuration, and press <Enter>.
Set the value of IDE Controller to Primary.
Verify the following settings:

    Hard Disk Pre-Delay
    Primary IDE Master   [QUANTUM FIREBALLlct1]
    Primary Slave        [CD-224E]
    Secondary Master     [Not Installed]
    Secondary Slave      [Not Installed]

Press <Esc>.
On the Advanced page, select Diskette Configuration, and press <Enter>.

Verify the following settings:

    Diskette Controller
    Floppy A               [1.44/1.25 MB 3½"]
    Diskette Write Protect

Press <Esc>.
On the Advanced page, select Event Log Configuration, and press <Enter>.
Verify the following settings:

    Event Log              [Space Available]
    Event Log Validity     [Valid]
    Clear All Event Logs   [No]
    Event Logging
    ECC Event Logging

Press <Esc>.
Use the right arrow key to select Boot from the Menu Bar.
Verify the following settings:

    Quiet Boot
    Quick Boot
    After Power Failure    [Last State]
    On Modem Ring          [Stay Off]
    On LAN                 [Stay Off]
    On PME                 [Stay Off]
    Primary master IDE     [1st IDE]
    Primary slave IDE      [2nd IDE]
    Secondary master IDE   [3rd IDE]
    Secondary slave IDE    [4th IDE]

On the Boot page, select 1st Boot Device, and press <Enter>.
Use the arrow key to select ATAPI CD-ROM, and press <Enter>.
On the Boot page, select 2nd Boot Device, and press <Enter>.
Use the arrow key to select IDE-HDD, and press <Enter>.
On the Boot page, select 3rd Boot Device, and press <Enter>.
Use the arrow key to select Floppy, and press <Enter>.
On the Boot page, select 4th Boot Device, and press <Enter>.
Use the arrow key to select Disabled, and press <Enter>.

Saving Changes

Select Exit Saving Changes, and press <Enter>. A window displays the following message:

    Save configuration changes and exit now?

Select Yes, and press <Enter>. A system reboot occurs.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for FS Systems with Bonham Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 2-7.

Setting the BIOS

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up Boot Devices

Use the right arrow key to select Advanced from the Menu Bar.
On the Advanced page, select Boot Configuration, and press <Enter>.

Verify the following settings:

    Plug & Play O/S      [No]
    Reset Config Data    [No]
    Numlock              [No]

Press <Esc>.
On the Advanced page, select Peripheral Configuration, and press <Enter>.
Verify the following settings:

    Serial Port A
        Base I/O Address [3F8]
        Interrupt        [IRQ 4]
    Parallel Port
        Mode             [Bi-directional]
        Base I/O Address [378]
        Interrupt        [IRQ 7]
    LAN Device
    Legacy USB Support

Press <Esc>.
On the Advanced page, select IDE Configuration, and press <Enter>.
Verify the following settings:

    IDE Controller       [Primary]
    Hard Disk Pre-Delay
    Primary IDE Master   [ST340016A]
    Primary Slave        [CDU5211]
    Secondary Master     [Not Installed]
    Secondary Slave      [Not Installed]

Press <Esc>.
On the Advanced page, select Diskette Configuration, and press <Enter>.
Verify the following settings:

    Diskette Controller
    Floppy A             [1.44/1.25 MB 3½"]
    Floppy B             [Not Installed]
    Diskette Write Protect

Press <Esc>.
On the Advanced page, select Event Log Configuration, and press <Enter>.

Verify the following settings:

    Event Log              [Space Available]
    Event Log Validity     [Valid]
    View Event Log
    Clear All Event Logs   [No]
    Event Logging
    Mark Events as Read

Press <Esc>.
On the Advanced page, select Video Configuration, and press <Enter>.
On the Video Configuration panel, verify the following settings:

    Primary Video Adapter  [AGP]
    AGP Hardware Detected  Integrated

NOTE: If the optional video card is installed, you must set the Primary Video Adapter to [PCI]. Actual performance of the video hardware is dependent upon the operating system and video drivers.

Press <Esc>.
Use the right arrow key to select Power from the Menu Bar.
Select APM, and press <Enter>.
Verify the following setting:

    Power Management

Press <Esc>.
Select ACPI, and press <Enter>.
On the Advanced Configuration and Power Interface panel, verify the following setting:

    Wake on LAN from S5    [Stay Off]

Press <Esc>.

Verify the following setting:

    After Power Failure    [Last State]

The following message is displayed:

    The options below are not related to ACPI and may be ignored when shutting down using an ACPI OS.

    Wake On LAN            [Stay Off]
    Wake On PME            [Stay Off]
    Wake On Modem Ring     [Stay Off]

Use the right arrow key to select Boot from the Menu Bar.
Verify the following settings:

    Quiet Boot
    Intel (R) Rapid BIOS Boot
    Scan User Flash Area

Select Boot Device Priority, and press <Enter>.
Ensure that the boot devices are ordered as follows:

    1st Boot Device        [ATAPI CD-ROM]
    2nd Boot Device        [Hard Drive]
    3rd Boot Device        [Removable Dev.]
    4th Boot Device

Press <Esc>.

Saving Changes

Use the right arrow key to select Exit.
Select Exit Saving Changes, and press <Enter>. A window displays the following message:

    Save configuration changes and exit now?

Select Yes, and press <Enter>. A system reboot occurs.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for FS250 and FS500 Systems

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page

In some cases, settings for FS250 systems are different from those for FS500 systems. In such cases, the applicable model is shown in brackets, e.g., [FS250].

Setting the BIOS

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
Select Main, and press <Enter>.
Verify the following settings:

    Processor Type             Intel Pentium 4
    Processor Speed            1.80 GHz
    System Bus Speed           400 MHz
    Processor1 L2 Cache Size   256 KB
    Total Memory               256 MB
    Memory Bank                MB [FS250]
                               256 MB (DDR266) [FS500]
    Memory Bank 2              Not Installed
    Internal Cache             [WriteBack]
    External Cache             [WriteThru]
    IOAPIC
    Language                   [English]

On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up Boot Devices

Use the right arrow key to select Advanced from the Menu Bar. The following message is displayed:

    Setup Warning
    Setting items on this screen to incorrect values may cause your system to malfunction.

On the Advanced page, select Boot Configuration, and press <Enter>.
Verify the following settings:

    Plug & Play O/S      [No]
    Reset Config Data    [No]
    Numlock              [On]

Press <Esc>.
On the Advanced page, select Peripheral Configuration, and press <Enter>.
Verify the following settings:

    Serial Port A
        Base I/O Address [3F8]
        Interrupt        [IRQ 4]
    Serial Port B
        Base I/O Address [2F8]
        Interrupt        [IRQ 3]
    Parallel Port        [Auto]
        Mode             [Bi-directional]
    Keyboard error message
    LAN#1 Controller
    LAN#2 Controller
    ATA RAID Controller
    ATI Rage Video
    Legacy USB Support

Press <Esc>.
On the Advanced page, select IDE Configuration, and press <Enter>.

Verify the following settings:

    IDE Controller         [Both]
    PCI IDE Bus Master
    Hard Disk Pre-Delay
    Primary IDE Master     [ST340016A]
    Primary Slave          [Not Installed] [FS250]
                           [CDU5211] [FS500]
    Secondary Master       [SR243T] [FS250]
                           [Not Installed] [FS500]
    Secondary Slave        [Not Installed]

Press <Esc>.
On the Advanced page, select Diskette Configuration, and press <Enter>.
Verify the following settings:

    Diskette Controller
    Floppy A               [1.44/1.25 MB 3½"]
    Floppy B               [Not Installed]
    Diskette Write Protect

Press <Esc>.
On the Advanced page, select Event Log Configuration, and press <Enter>.
Verify the following settings:

    Event Log              [Space Available]
    Event Log Validity     [Valid]
    View Event Log
    Clear All Event Logs   [No]
    Event Logging
    ECC Event Logging
    Mark Events as Read

Press <Esc>.
On the Advanced page, select Video Configuration, and press <Enter>.
On the Video Configuration panel, verify the following settings:

    AGP Aperture Size      [64MB]
    Primary Video Adapter  [AGP]

Press <Esc>.
Use the right arrow key to select Power, and press <Enter>.
Select ACPI, and press <Enter>.
On the Advanced Configuration and Power Interface panel, verify the following setting:

    ACPI Suspend State     [S3 State]
    Wake on LAN from S5    [Stay Off]

Press <Esc>.
Verify the following setting:

    After Power Failure    [Last State]

The following message is displayed:

    The options below are not related to ACPI and may be ignored when shutting down using an ACPI OS.

    Wake On LAN            [Stay Off]
    Wake On PME            [Stay Off]
    Wake On Modem Ring     [Stay Off]

Use the right arrow key to select Boot from the Menu Bar.
Verify the following settings:

    Quiet Boot
    Intel (R) Rapid BIOS Boot
    Scan User Flash Area
    USB Boot
    PXE Remote Boot

Use the down arrow key to select Boot Device Priority, and press <Enter>.
Verify that the order of the boot devices is as follows:

    1st Boot Device        [ATAPI CD-ROM]
    2nd Boot Device        [Hard Drive]
    3rd Boot Device        [Removable Dev.]
    4th Boot Device

Press <Esc>.

Saving Changes

Use the right arrow key to select Exit.
Select Exit Saving Changes, and press <Enter>. A window displays the following message:

    Save configuration changes and exit now?

Select Yes, and press <Enter>. A system reboot occurs.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

FS Initial Configuration

Figure 2-6 shows the Initial Configuration window for FS systems. Procedures for using this window are explained in Using the Initial Configuration Utility on page

Figure 2-6. Initial Configuration Window for FS Platform

For FS systems, the Initial Configuration window contains the following fields and controls:

High Availability Setting (Required)
    Has the following selections:
    Disabled: Indicates that High Availability (HA) is not installed. This radio button is selected by default.
    Primary: Indicates that the specified host is the primary firewall in an HA pair.
    Secondary: Indicates that the specified host is the secondary firewall in an HA pair.

Firewall Appliance
    Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections: FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

FireSTAR Models (Required)
    Has the following selections:
    FS250: Denotes a Woodruff motherboard with two on-board network interfaces. Its only slot is populated with a single-port network interface.
    FS500: Denotes a Woodruff motherboard with two on-board network interfaces. Its only slot is populated with a four-port network interface.
    OEM-F1210RCG: Denotes a Bonham motherboard with one on-board network interface.
    Other: Denotes an ISP1100 unit with two on-board network interfaces.

Firewall Host Name (Required)
    Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name (Required)
    Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Type (Required)
    Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.
    Disable: Denotes an interface that is not being used. All interfaces are set to Disable by default.
    Internal: Denotes an interface that is used to connect to your private internal network.
    External: Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet).
    Internal Exempt: Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby.
    External Exempt: Denotes an external interface that is not to be marked down when the served firewall fails over to the standby.
    Heartbeat: Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are required for each firewall.

Name
    Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens. Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

    NOTE: Remote Web Administration Interface (e.g., eee0) Requirements

    A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eee0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine.
    If you do not specify a name, a fully-qualified domain name of the following form is used by default: node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it possible to use name resolution to manage the machines in an HA pair separately.

    A fully-qualified domain name is also required for the Remote Web Administration interface on a stand-alone machine. If you do not specify a name, the default is node_name.domain, where node_name is the value specified in the Firewall Host Name field and domain is the value entered in the Domain Name field.

    An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

    The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server). You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.

IP Address (Required)
    Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask
    Specifies a subnet mask as a dotted quad mask (e.g., ) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., for Class A, for Class B, for Class C).

FSO User (Required)
    Specifies the login ID for a privileged Firewall Security Officer (FSO). An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password (Required)
    Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation (Required)
    Respecifies the string entered in the FSO Password field.

Remote Management Service (Required)
    Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin.
    The default is None.

Management Interface (Required if a Remote Management Service is specified or a configuration is to be restored)
    Indicates the network interface that is to be used to access the firewall from the remote system. On FS250 models, the drop-down list box includes the following selections by default: None, eee0, eee1, eee2. On FS500, OEM-F1210RCG, and Other models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, eee0, and eee1. The default is None.

Manager IP (Required if a Remote Management Service is specified)
    Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall.

Manager Route IP
    Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.

System Mouse Type (Required)
    Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, Serial, PS/2. The default is None.
    NOTE: You must select Serial or PS/2.

Time Zone (Required)
    Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP
    Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization.

Onboard MAC Address
    Specifies the address of the onboard Ethernet port as it appears on a label on the front panel of the computer.
    NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID (Read-only)
    Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate
    Allows you to obtain the hardware ID for the computer. This ID is needed to obtain a license key.
    NOTE: If you are using a thirty-day trial license, you are not required to obtain a hardware ID.

Serial Number
    Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center.
    NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key
    Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site.
    NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration
    Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key.

RADIUS Server IP
    Specifies the IP address of the RADIUS server.

Backup Server IP
    Specifies the IP address of the backup RADIUS server.

RADIUS Port
    Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138).

RADIUS Secret Key
    Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation
    Respecifies the string entered in the RADIUS Secret Key field.

Organizational Unit
    Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.

Remote Host IP
    Specifies the IP address of the remote host from which you wish to restore a firewall configuration.

Remote Route IP
    Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network.
    NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File
    Specifies the full or relative path name of the configuration file that you wish to restore.
    NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User
    Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password
    Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key (Required if Configuration File is encrypted)
    Specifies the key to be used to decrypt the restored configuration file.
    NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP
    Specifies the IP address to which packets are forwarded if an explicit route does not already exist.
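The rules stated in this field reference for Type, Name, IP Address, Subnetwork Mask, Management Interface, and Manager IP can be checked before the configuration is submitted. The following is an added example, not CyberGuard code: the dictionary keys, function names, and sample values are assumptions made for the illustration, Manager IP is assumed to be a single address, and the class defaults used are the standard classful masks (255.0.0.0, 255.255.0.0, 255.255.255.0).

```python
import ipaddress
import re

# Name field rule: begins with a letter, then only alphanumerics, periods, hyphens.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*$")
# Standard classful default masks expressed as bit counts.
CLASS_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(ip):
    """Return 'A', 'B' or 'C'; reject addresses whose first byte is 224 or more."""
    first = ipaddress.IPv4Address(ip).packed[0]
    if first >= 224:
        raise ValueError(f"{ip}: first byte {first} is not less than 224")
    if first < 128:
        return "A"
    return "B" if first < 192 else "C"


def resolve_prefix(ip, mask=None):
    """Convert the Subnetwork Mask field (dotted quad, bit count, or blank) to a bit count."""
    cls = address_class(ip)                      # also enforces the IP Address rule
    text = "" if mask is None else str(mask).strip()
    if not text:
        return CLASS_DEFAULT_PREFIX[cls]         # blank field: default for the class
    if text.isdigit():
        if int(text) > 32:
            raise ValueError(f"{text}: bit count out of range")
        return int(text)
    net = ipaddress.IPv4Network(f"0.0.0.0/{text}")   # rejects non-contiguous masks
    if str(net.netmask) != text:                     # rejects host masks such as 0.0.0.255
        raise ValueError(f"{text}: not a subnet mask")
    return net.prefixlen


def default_admin_fqdn(node_name, domain, ha="Disabled"):
    """Name used for the Remote Web Administration interface when Name is left blank."""
    suffix = {"Disabled": "", "Primary": "-1", "Secondary": "-2"}[ha]
    return f"{node_name}{suffix}.{domain}"


def check_initial_config(cfg):
    """Return a list of problems found in a dict of Initial Configuration values."""
    problems, prefixes = [], {}
    ha = cfg.get("ha", "Disabled")
    active = {n: i for n, i in cfg["interfaces"].items() if i["type"] != "Disable"}
    for ifname, iface in active.items():
        name = iface.get("name", "")
        if name and not NAME_RE.match(name):
            problems.append(f"{ifname}: invalid name {name!r}")
        try:
            prefixes[ifname] = resolve_prefix(iface["ip"], iface.get("mask"))
        except ValueError as exc:
            problems.append(f"{ifname}: {exc}")
    if ha != "Disabled":
        beats = [n for n, i in active.items() if i["type"] == "Heartbeat"]
        if len(beats) < 2:
            problems.append(f"HA needs two Heartbeat interfaces, found {len(beats)}")
    service = cfg.get("remote_service", "None")
    if service == "None":
        return problems
    mgmt = cfg.get("management_interface", "None")
    if mgmt not in prefixes:
        problems.append("Management Interface must be an interface with a valid address")
        return problems
    if service == "Remote Web Admin":
        wanted = "Internal" if ha == "Disabled" else "Internal Exempt"
        if active[mgmt]["type"] != wanted:
            problems.append(f"{mgmt}: Type must be {wanted}")
    manager = cfg.get("manager_ip")
    if not manager:
        problems.append("Manager IP is required with a Remote Management Service")
    else:
        local = ipaddress.IPv4Network(
            f"{active[mgmt]['ip']}/{prefixes[mgmt]}", strict=False)
        if ipaddress.IPv4Address(manager) not in local and not cfg.get("manager_route_ip"):
            problems.append(f"Manager IP {manager} is not on the local network; "
                            "set Manager Route IP")
    return problems


# Constructed sample: an HA primary with several deliberate mistakes.
SAMPLE = {
    "ha": "Primary", "host": "fw", "domain": "example.com",
    "remote_service": "Remote Web Admin", "management_interface": "eee0",
    "manager_ip": "172.16.9.5",
    "interfaces": {
        "eee0": {"type": "Internal", "ip": "10.1.2.3", "mask": "255.255.255.0"},
        "eee1": {"type": "External", "ip": "224.0.0.9"},
        "dec0": {"type": "Heartbeat", "ip": "192.168.50.1", "name": "9hb"},
        "dec1": {"type": "Disable"},
    },
}

if __name__ == "__main__":
    print(default_admin_fqdn(SAMPLE["host"], SAMPLE["domain"], SAMPLE["ha"]))
    for problem in check_initial_config(SAMPLE):
        print("-", problem)
```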

3 KS Systems

KS 1U and 2U Systems
  Hardware
    Ethernet Port Ordering
    Setup
  Firmware for KS 2U with Lancewood Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
  Firmware for KS 2U with Tupelo Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
  Firmware for KS1000 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
  Firmware for KS1500 Systems
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
  KS Initial Configuration
KS 5U Systems
  Hardware
    PCI Slot Ordering
    Setup
  Firmware for KS 5U with Lancewood Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting the SCSI BIOS
  Firmware for KS 5U with Tupelo Motherboard
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices

    Saving Changes
    Setting the SCSI BIOS
  Firmware for KS 5U with Tupelo Motherboard and RAID
    Setting the BIOS
    Setting Up the COM Port
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
  Firmware for KS1500R with Hodges Motherboard
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
  Firmware for KS1500R with Bryson Motherboard
    Setting the BIOS
    Setting Up Advanced Features
    Setting Up Security
    Setting Up the Server
    Setting Up Boot Devices
    Saving Changes
    Setting up the RAID Array
  KS [5U] Initial Configuration

Chapter 3 KS Systems

This chapter provides information specific to KS systems. These include KS 2U systems with Lancewood motherboards, KS 2U systems with Tupelo motherboards, KS 1U systems with Westville motherboards (hereinafter referred to as model KS1000 systems), KS 2U systems with Westville motherboards (hereinafter referred to as model KS1500 systems), KS 5U systems with Lancewood motherboards, KS 5U systems with Tupelo motherboards, and KS1500R systems with Hodges or Bryson motherboards.

This chapter explains hardware and firmware setup procedures and provides reference information needed to complete the KS Initial Configuration window.

KS 1U and 2U Systems

This section provides information specific to KS 1U and 2U systems. It includes hardware and firmware setup procedures and reference information needed to complete the KS Initial Configuration window.

Hardware

This section describes port ordering for Ethernet network interface cards and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

Ethernet Port Ordering

Port ordering for Ethernet network interface cards varies according to the type of system. Port ordering for the following types of KS 1U and 2U systems is shown in the illustrations that follow.

    First-generation systems shipped from Patriot Technologies, Inc.
    Second-generation KS 2U systems (Intel ISP2150) with Lancewood motherboard
    KS 2U systems with Tupelo motherboard
    KS1000 systems
    KS1500 systems

Figure 3-1 shows port ordering for first-generation systems that were shipped from Patriot Technologies, Inc. during the period from December 1999 to May It shows port ordering on systems in which the top slot is empty.

Figure 3-1. Port Ordering for First-Generation Systems Top Slot Empty (labels: Top Slot, Bottom Slot)

Figure 3-2 shows port ordering on first-generation systems in which the top slot is not empty.

Figure 3-2. Port Ordering for Other First-Generation Systems (labels: Top Slot, Bottom Slot)

Figure 3-3 shows port ordering for second-generation KS 2U systems (Intel ISP2150) with Lancewood motherboard.

[Figure 3-3. Port Ordering for Second-Generation Systems. Labels: Top Slot, Bottom Slot]

Figure 3-4 shows port ordering for KS 2U systems with Tupelo motherboard.

[Figure 3-4. Port Ordering for KS 2U with Tupelo Motherboard. Labels: Top Slot, Bottom Slot]

Figure 3-5 shows port ordering for KS1000 systems.

[Figure 3-5. Port Ordering for KS1000 Systems. Labels: Card]

Figure 3-6 shows port ordering for KS1500 systems.

[Figure 3-6. Port Ordering for KS1500 Systems. Labels: Card]

Setup

To set up a KS 1U or 2U firewall system, complete the following steps.

Remove the computer from the box.
Using the diagram in Figure 3-7, KS 2U with Lancewood Motherboard Back Panel, Figure 3-8, KS 2U with Tupelo Motherboard Back Panel, Figure 3-9, KS1000 Back Panel, or Figure 3-10, KS1500 Back Panel, plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables.

NOTE: The current default video setting for these appliance firewall systems is 1024 x 768 x Hz refresh.

Turn on the computer.

[Figure 3-7. KS 2U with Lancewood Motherboard Back Panel. Labels: PS/2 Mouse, Keyboard, Serial Terminal (COM2), Serial Mouse (COM1), On-Board Ethernet Port (eee0), Video]

[Figure 3-8. KS 2U with Tupelo Motherboard Back Panel. Labels: Serial Mouse (COM1), Serial Terminal (COM2), Keyboard, PS/2 Mouse, Video, On-Board Ethernet Port (eee0)]

[Figure 3-9. KS1000 Back Panel. Labels: RJ45 10/100/1000 (e1000_1), RJ45 (COM2), USB (not used), Video, SCSI, RJ45 10/100/1000 (e1000_0), PS/2 Mouse, USB (not used)]

[Figure 3-10. KS1500 Back Panel. Labels: Serial (COM1), RJ45 10/100/1000 (e1000_1), RJ45 (COM2), USB (not used), Video, SCSI, RJ45 10/100/1000 (e1000_0), PS/2 Mouse, USB (not used)]

Firmware for KS 2U with Lancewood Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-7 and Setting the SCSI BIOS on page 3-9.

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select Server from the Menu Bar.
On the Server page, select System Management, and press <Enter>.
Under Server Management Info, verify the following setting:
    EMP Access Mode
Press <Esc>.
Use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
    Com Port Address:
Press <Esc>.
Use the down arrow key to select PEP Management, and press <Enter>.

Verify the following setting:
    PEP Enable
Press <Esc> twice.

Setting Up Boot Devices

Use the left arrow key to select Boot from the Menu Bar.
Verify the following settings:
    Boot-time Diagnostic Screen: Extended Ram Step BIOS Boot Spec Support: [No memory test]
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
    1. [ATAPI CD-ROM Drive]
    2. [Hard Drive]
    3. [Diskette Drive]
    4. [Removable Devices]
    5. [LANDesk (R) Service Agent II]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The Setup Confirmation window and the following message are displayed:
    Save configuration changes and exit now?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSI Select Utility screen is displayed.
Under Bus:Device:Channel, select 00:0C:A, and press <Enter>. The AIC-7896 at Bus:00h Device:0Ch Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
    Extended BIOS Translation for DOS Drives > 1 GByte ... Disabled
Press <Esc> three times.
On the SCSI Select Utility screen, under Bus:Device:Channel, select 00:0C:B, and press <Enter>. The AIC-7896 at Bus:00h Device:0Ch Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
    Extended BIOS Translation for DOS Drives > 1 GByte ... Disabled
Press <Esc> four times.
When prompted to exit utility, select Yes, and press <Enter>.

Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS 2U with Tupelo Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-10 and Setting the SCSI BIOS on page

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select System from the Menu Bar.
On the System page, use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
    Com Port Address:
Press <Esc>.
On the System page, verify the following setting:
    Assert NMI on PERR:

Setting Up Boot Devices

Use the left arrow key to select Boot from the Menu Bar.
Verify the following settings:
    Boot-time Diagnostic Screen: Extended Ram Step BIOS Boot Spec Support: [No memory test]
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
    1. [ATAPI CD-ROM Drive]
    2. [Hard Drive]
    3. [Diskette Drive]
    4. [Removable Devices]
    5. [Intel (R) Boot Agent Version 4.0]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The Setup Confirmation window and the following message are displayed:
    Confirm saving changes?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSI Select Utility screen is displayed.
Under Bus:Device:Channel, select 02:04:A, and press <Enter>. The Bus:02h Device:04 Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.

On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
    Extended BIOS Translation for DOS Drives > 1 GByte ... Disabled
Press <Esc> twice.
When prompted to Save Changes Made, select Yes and press <Enter>.
Press <Esc>.
On the SCSI Select Utility screen, under Bus:Device:Channel, select 02:04:B, and press <Enter>. The Bus:02h Device:04 Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
    Extended BIOS Translation for DOS Drives > 1 GByte ... Disabled
Press <Esc> twice.
When prompted to Save Changes Made, select Yes and press <Enter>.
Press <Esc> twice.
When prompted to exit utility, select Yes, and press <Enter>.
Press any key to reboot.

Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS1000 Systems

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-13 and Setting the SCSI BIOS on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).
Verify the following settings:
    Floppy A Hard Disk Pre-Delay Primary IDE Master Primary IDE Slave Secondary IDE Master [1.44/1.25/1.2 MB 3½''] [Not Installed] [Not Installed] [SAMSUNG CD-ROM SN-12]
Select Processor Settings, and press <Enter>.
Verify the following settings:
    Processor POST Speed Processor Retest Hyper-threading(TM) Processor 1 CPUID Processor 1 L2 Cache Processor 2 CPUID Processor 2 L2 Cache 1.80 GHz F24 512KB ECC Not Installed
Press <Esc> to exit.
Verify the following setting:
    Language: [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced from the Menu Bar. The following message is displayed:
    Setup Warning
    Setting items on this screen to incorrect values may cause your system to malfunction!
Select PCI Configuration, and then press <Enter>.
Select USB Function, and then press <Enter>.
On the USB Function panel, verify the following setting:
    USB Function
Press <Esc> to exit.
Select Onboard NIC, and then press <Enter>.
On the Onboard NIC panel, verify the following settings:
    Onboard NIC Onboard NIC1 ROM Onboard NIC2 ROM
Press <Esc> to exit.
Select Onboard SCSI, and then press <Enter>.
On the Onboard SCSI panel, verify the following settings:
    Onboard SCSI Onboard SCSI ROM
Press <Esc> to exit.
Select Onboard Video, and then press <Enter>.
On the Onboard Video panel, verify the following setting:
    Onboard Video
Press <Esc> to exit.
On the PCI Configuration panel, verify the following settings:
    PCI SLOT 1B ROM PCI SLOT 1C ROM
Press <Esc> to exit.
Select Peripheral Configuration, and then press <Enter>.

On the Peripheral Configuration panel, verify the following settings:
    Serial 1 (DB-9) Address Serial 2 (RJ45) Address [3F8] Serial 2 (RJ45) IRQ [4] Diskette Controller Legacy USB Support Front Panel USB
Press <Esc> to exit.
Select Memory Configuration, and then press <Enter>.
On the Memory Configuration panel, verify the following settings:
    Extended Memory Test Bank #1 Bank #2 Bank #3 Memory Retest [Installed] [Not Installed] [Not Installed]
Press <Esc> to exit.
Select Advanced Chipset Control, and then press <Enter>.
On the Advanced Chipset Control panel, verify the following settings:
    Wake on Ring Wake on LAN/PME PCI-X B Wake on PME PCI-X C Wake on RTC Alarm
Press <Esc> to exit.
Verify the following settings:
    Boot-time Diag Screen Reset Config Data Numlock [No] [Off]

Setting Up Security

Use the right arrow key to select Security from the Menu Bar.
Verify the following settings:
    User Password Is Administrator Password Is [Not Installed] [Not Installed] Set Admin Password Fixed Disk Boot Sector Power Switch Inhibit NMI Control [None]

Setting Up the Server

Use the right arrow key to select Server from the Menu Bar.
Select Console Redirection, and then press <Enter>.
On the Console Redirection panel, verify the following settings:
    BIOS Redirection Port ACPI Redirection BAUD Rate [9600] Flow Control [XON/XOFF] Terminal Type [VT100+] Serial Port Connector [Serial B/EMP]
Press <Esc> to exit.
Select Event Log Configuration, and then press <Enter>.
On the Event Log Configuration panel, verify the following settings:
    Clear All Event Logs Event Logging Critical Event Logging [No]
Press <Esc> to exit.
Verify the following settings:
    Assert NMI on PERR Assert NMI on SERR FRB-2 Policy [Disable BSP] POST Error Pause Platform Event Filtering Boot Monitoring [Disable] Boot Monitoring Policy [Retry 3 Times]

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Select Boot Device Priority, and press <Enter>.
Ensure that the boot devices are ordered as follows:
    1st Boot Device 2nd Boot Device 3rd Boot Device 4th Boot Device [ATAPI CD-ROM] [Hard Drive] [Removable Devices]
Press <Esc> to exit.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The following message is displayed:
    Save configuration changes and exit now?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSISelect(TM) Utility screen is displayed.
Under Bus:Device:Channel, select 05:07:A, and press <Enter>. The Bus:05h Device:07h Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, under Additional Options, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, select Extended BIOS Translation for DOS Drives > 1 GByte, and press <Enter>.
Select Disabled, and press <Enter>.
Press <Esc> three times.

On the SCSI Select Utility screen, under Bus:Device:Channel, select 05:07:B, and press <Enter>. The Bus:05h Device:07h Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, under Additional Options, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, select Extended BIOS Translation for DOS Drives > 1 GByte, and press <Enter>.
Select Disabled, and press <Enter>.
Press <Esc> four times.
When prompted to exit utility, select Yes, and press <Enter>.
Press any key to reboot.

Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS1500 Systems

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-18 and Setting the SCSI BIOS on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Verify the following settings:
    Floppy A Hard Disk Pre-Delay Primary IDE Master Primary IDE Slave Secondary IDE Master [1.44/1.25/1.2 MB 3½''] [Not Installed] [Not Installed] [SAMSUNG CD-ROM SN-12]
Select Processor Settings, and press <Enter>.
Verify the following settings:
    Processor POST Speed Processor Retest Hyper-threading(TM) Processor 1 CPUID Processor 1 L2 Cache Processor 2 CPUID Processor 2 L2 Cache 2.0 GHz F24 512KB ECC Not Installed
Press <Esc> to exit.
Verify the following setting:
    Language: [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced from the Menu Bar. The following message is displayed:
    Setup Warning
    Setting items on this screen to incorrect values may cause your system to malfunction!
Select PCI Configuration, and then press <Enter>.
Select USB Function, and then press <Enter>.
On the USB Function panel, verify the following setting:
    USB Function
Press <Esc> to exit.
Select Onboard NIC, and then press <Enter>.
On the Onboard NIC panel, verify the following settings:
    Onboard NIC Onboard NIC1 ROM Onboard NIC2 ROM

Press <Esc> to exit.
Select Onboard SCSI, and then press <Enter>.
On the Onboard SCSI panel, verify the following settings:
    Onboard SCSI Onboard SCSI ROM
Press <Esc> to exit.
Select Onboard Video, and then press <Enter>.
On the Onboard Video panel, verify the following setting:
    Onboard Video
Press <Esc> to exit.
On the PCI Configuration panel, verify the following settings:
    PCI SLOT 1B ROM PCI SLOT 2B ROM PCI SLOT 3B ROM PCI SLOT 1C ROM PCI SLOT 2C ROM PCI SLOT 3C ROM
Press <Esc> to exit.
Select Peripheral Configuration, and then press <Enter>.
On the Peripheral Configuration panel, verify the following settings:
    Serial 1 (DB-9) Address [3F8] Serial 1 (DB-9) IRQ [4] Serial 2 (RJ45) Address [2F8] Serial 2 (RJ45) IRQ [3] Diskette Controller Legacy USB Support Front Panel USB
Press <Esc> to exit.
Select Memory Configuration, and then press <Enter>.

On the Memory Configuration panel, verify the following settings:
    Extended Memory Test Bank #1 Bank #2 Bank #3 Memory Retest [Installed] [Not Installed] [Not Installed]
Press <Esc> to exit.
Select Advanced Chipset Control, and then press <Enter>.
On the Advanced Chipset Control panel, verify the following settings:
    Wake on Ring Wake on LAN/PME PCI-X B Wake on PME PCI-X C Wake on RTC Alarm
Press <Esc> to exit.
Verify the following settings:
    Boot-time Diag Screen Reset Config Data Numlock [No] [Off]

Setting Up Security

Use the right arrow key to select Security from the Menu Bar.
Verify the following settings:
    User Password Is Administrator Password Is [Not Installed] [Not Installed] Set Admin Password Fixed Disk Boot Sector Power Switch Inhibit NMI Control [None]

Setting Up the Server

Use the right arrow key to select Server from the Menu Bar.
Select Console Redirection, and then press <Enter>.

On the Console Redirection panel, verify the following settings:
    BIOS Redirection Port ACPI Redirection BAUD Rate [9600] Flow Control [XON/XOFF] Terminal Type [VT100+]
Press <Esc> to exit.
Select Event Log Configuration, and then press <Enter>.
On the Event Log Configuration panel, verify the following settings:
    Clear All Event Logs Event Logging Critical Event Logging [No]
Press <Esc> to exit.
Verify the following settings:
    Assert NMI on PERR Assert NMI on SERR FRB-2 Policy [Disable BSP] POST Error Pause Platform Event Filtering Boot Monitoring [Disable] Boot Monitoring Policy [Retry 3 Times]

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Select Boot Device Priority, and press <Enter>.
Ensure that the boot devices are ordered as follows:
    1st Boot Device 2nd Boot Device 3rd Boot Device 4th Boot Device [ATAPI CD-ROM] [Hard Drive] [Removable Devices]
Press <Esc> to exit.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>.

The following message is displayed:
    Save configuration changes and exit now?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSISelect(TM) Utility screen is displayed.
Under Bus:Device:Channel, select 04:07:A, and press <Enter>. The Bus:04h Device:07h Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, under Additional Options, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, select Extended BIOS Translation for DOS Drives > 1 GByte, and press <Enter>.
Select Disabled, and press <Enter>.
Press <Esc> three times.
On the SCSI Select Utility screen, under Bus:Device:Channel, select 04:07:B, and press <Enter>. The Bus:04h Device:07h Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, under Additional Options, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, select Extended BIOS Translation for DOS Drives > 1 GByte, and press <Enter>.
Select Disabled, and press <Enter>.
Press <Esc> four times.
When prompted to exit utility, select Yes, and press <Enter>.
Press any key to reboot.

Follow the remainder of the procedures outlined in Setting Up the Hardware on page

KS Initial Configuration

Figure 3-11 shows the Initial Configuration window for KS systems. Procedures for using this window are explained in Using the Initial Configuration Utility on page

[Figure 3-11. Initial Configuration Window for KS Platform]

The Initial Configuration window for KS systems contains the following fields and controls:

High Availability Setting (Required)
    Has the following selections:
    Disabled: Indicates that High Availability (HA) is not installed. This radio button is selected by default.
    Primary: Indicates that the specified host is the primary firewall in an HA pair.
    Secondary: Indicates that the specified host is the secondary firewall in an HA pair.

Firewall Appliance
    Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections: FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

KnightSTAR Models (Required)
    Has the following selections:
    KS: Denotes a unit with one on-board network interface.
    KS1000: Denotes a 1U Westville motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.
    KS1500: Denotes a 2U Westville motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.

Customize
    Displays the KnightSTAR Network Device Configuration window. Use this window to specify the types of network interface cards that are installed on the computer.

    NOTE: In the drop-down list boxes on this window, the crypto selection denotes a cryptographic hardware accelerator.

On KS models, the KnightSTAR Network Device Configuration window contains the following fields and controls:

    Card 1: Indicates the type of network interface card installed in Slot 1. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1]
    Card 2: Indicates the type of network interface card installed in Slot 2. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty

On KS1000 models, the KnightSTAR Network Device Configuration window contains the following fields and controls.

    NOTE: You may specify up to two network interface cards. Only one may be a full-height card. -h denotes a half-height (low profile) card. A half-height card can be used in a full-height slot with a mounting bracket.

    Card 1: Indicates the type of network interface card. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.
    Card 2: Indicates the type of network interface card. The drop-down list box includes the following selections: e1000[2]-h, dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, empty.

On KS1500 models, the KnightSTAR Network Device Configuration window contains the following fields and controls.

    NOTE: You may specify up to six network interface cards. Only three may be a full-height card. -h denotes a half-height (low profile) card. A half-height card can be used in a full-height slot with a mounting bracket.

    Card 1: Indicates the type of network interface card. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.

    Card 2: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.
    Card 3: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.
    Card 4: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.
    Card 5: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.
    Card 6: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eee[1]-h, eee[2]-h, e1000[2]-h, empty.

Firewall Host Name (Required)
    Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name (Required)
    Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Aggregates
    Displays the KnightSTAR LAG Configuration window. LAG (link aggregation) is an optional feature that allows you to combine multiple physical network interface cards into one logical network interface. You must have obtained a license key that includes this feature prior to configuring LAG. Use this window to configure LAG groups. You may configure up to 16 groups and assign up to 8 members per group.

The KnightSTAR LAG Configuration window contains the following fields and controls:

    Aggregates: Drop-down list box that contains the names of the LAG groups that can be configured (lag0 - lag15).
    Members: Displays the network interface cards that have been selected from the Choices list to be members of the specified LAG group. Click on the right (>>) button to return a selected item to the Choices list.

    Choices: Displays the network interface cards that are set to Disabled in the Type field and that may be added to a LAG group. Only PCI Ethernet cards based on the DEC(TM) 2114x (e.g., dec0 - dec3) and Adaptec cards based on the AIC-6915 (e.g., adptsf0 - adptsf3) are supported and may be displayed in this list. The number and type of cards displayed varies according to whether you have used the Customize button to specify a particular configuration of network interface cards. Click on the left (<<) arrow button to move a selected card to the Members list.
    Aggregate: (Read-only) Displays the interface name of the currently selected LAG group.
    Mode: Specifies the operation mode for the selected LAG group. Selections available from the drop-down list box include the following:
        Standby (Default): Denotes hot-standby mode. Typically in this mode, two physical ports are configured beneath one LAG group. Output traffic flows through the operational port with the highest priority.
        Aggregate: Denotes basic aggregation mode. Typically in this mode, two to four physical ports are configured beneath one LAG group. Output traffic flows through all operational ports. If you select this mode, you may select a Distribution Algorithm for the specified LAG group.

    Distribution Algorithm: Specifies the frame fields on which to base the port distribution algorithm. The drop-down list box includes the following selections:
        Service (Default): Selects a physical port based on the frame's service number (e.g., TCP or UDP source and destination ports).
        Dest. MAC: Selects a port based on the frame's destination MAC address.
        Source IP: Selects a port based on the frame's source IP address.
        Dest. IP: Selects a port based on the frame's destination IP address.
        Source/Dest. IP: Selects a port based on the frame's source and destination IP addresses.

Type (Required)
    Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.
    Disable: Denotes an interface that is not being used. All interfaces are set to Disable by default.
    Internal: Denotes an interface that is used to connect to your private internal network.
    External: Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet).
    Internal Exempt: Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby.
    External Exempt: Denotes an external interface that is not to be marked down when the served firewall fails over to the standby.
    Heartbeat: Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are required for each firewall.

Name
    Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens. Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

    NOTE: Remote Web Administration Interface (e.g., eee0) Requirements

    A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eee0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine. If you do not specify a name, a fully-qualified domain name of the following form is used by default: node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it possible to use name resolution to manage the machines in an HA pair separately.

    A fully-qualified domain name is also required for the Remote Web Administration interface on a stand-alone machine. If you do not specify a name, the default is node_name.domain, where node_name is the value specified in the Firewall Host Name field and domain is the value entered in the Domain Name field.

    An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

    The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server). You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.

IP Address (Required)
    Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask
    Specifies a subnet mask as a dotted quad mask (e.g., ) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., for Class A, for Class B, for Class C).

FSO User (Required)
Specifies the login ID for a privileged Firewall Security Officer (FSO). An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password (Required)
Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation (Required)
Respecifies the string entered in the FSO Password field.

Remote Management Service (Required)
Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin. The default is None.

Management Interface (Required if a Remote Management Service is specified or a configuration is to be restored)
Indicates the network interface that is to be used to access the firewall from the remote system. On KS models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, eee0. On KS1000 models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, e10000, e10001, e10002, e On KS1500 models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, dec4, dec5, dec6, dec7, e10000, e The selections vary according to whether you have used the Customize button to specify a particular configuration of network interface cards or the Aggregates button to configure a LAG group. The default is None.

Manager IP (Required if a Remote Management Service is specified)
Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall.

Manager Route IP
Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.

System Mouse Type (Required)
Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, PS/2. The default is None.

Time Zone (Required)
Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP
Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization.

Onboard MAC Address
Specifies the address of the onboard Ethernet port as it appears on a label on the computer. On KS and KS1000 models, this label is on the front panel; on KS1500 models, it is on the top of the front right-hand corner. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID (Read-only)
Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate
Allows you to obtain the hardware ID for the computer. This ID is needed to obtain a license key. NOTE: If you are using a thirty-day trial license, you are not required to obtain a hardware ID.

Serial Number
Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key
Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration
Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key.

RADIUS Server IP
Specifies the IP address of the RADIUS server.

Backup Server IP
Specifies the IP address of the backup RADIUS server.

RADIUS Port
Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138).

RADIUS Secret Key
Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation
Respecifies the string entered in the RADIUS Secret Key field.

Organizational Unit
Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.

Remote Host IP
Specifies the IP address of the remote host from which you wish to restore a firewall configuration.

Remote Route IP
Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network. NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File
Specifies the full or relative path name of the configuration file that you wish to restore. NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User
Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password
Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key (Required if Configuration File is encrypted)
Specifies the key to be used to decrypt the restored configuration file. NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP
Specifies the IP address to which packets are forwarded if an explicit route does not already exist.

KS 5U Systems

This section provides information specific to KS 5U systems. It includes hardware and firmware setup procedures and reference information needed to complete the KS Initial Configuration window.

Hardware

This section describes PCI slot and port ordering for KS 5U systems and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

PCI Slot Ordering

Figure 3-12 shows the ordering of PCI slots on KS 5U systems with a Lancewood motherboard. The view is from the back of the chassis.

Figure 3-12. Lancewood Motherboard PCI Slot Ordering

Figure 3-13 shows the ordering of PCI slots on KS 5U systems with a Tupelo motherboard. The view is from the back of the chassis.

Figure 3-13. Tupelo Motherboard PCI Slot Ordering

Figure 3-14 shows the ordering of PCI slots on KS1500R systems with Hodges or Bryson motherboards. The view is from the back of the chassis.

Figure 3-14. KS1500R PCI Slot Ordering (slot labels in the figure: Not Used, Expansion, Expansion, RAID, Expansion)

Setup

To set up a KS 5U or KS1500R firewall system, complete the following steps.

Remove the computer from the box.
Using the diagram in Figure 3-15, Back Panel of KS 5U with Lancewood Motherboard, Figure 3-16, Back Panel of KS 5U with Tupelo Motherboard, or Figure 3-17, Back Panel of KS1500R, plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables.
NOTE: The current default video setting for these appliance firewall systems is 1024 x 768 x Hz refresh.
Turn on the computer.

Figure 3-15. Back Panel of KS 5U with Lancewood Motherboard (connector labels in the figure: PS/2 Mouse, Keyboard, Serial Terminal (COM2), Serial Mouse (COM1), On-Board Ethernet Port (eee0), Video)

Figure 3-16. Back Panel of KS 5U with Tupelo Motherboard (connector labels in the figure: Serial Port (COM1), Serial Terminal (COM2), Keyboard, PS/2 Mouse, Video, On-Board Ethernet Port (eee0))

Figure 3-17. Back Panel of KS1500R (connector labels in the figure: PS/2 Mouse, Keyboard, USBs (not used), Serial Port (COM1), Video, NIC 2 Gbit (e1000_0), NIC 1 10/100 (eee_0))

Firmware for KS 5U with Lancewood Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-38 and Setting the SCSI BIOS on page

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select Server from the Menu Bar.
On the Server page, select System Management, and press <Enter>.
Under Server Management Info, verify the following setting:
EMP Access Mode
Press <Esc>.
Use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
Com Port Address:
Press <Esc>.
Use the down arrow key to select PEP Management, and press <Enter>.

Verify the following setting:
PEP Enable
Press <Esc> twice.

Setting Up Boot Devices

Use the left arrow key to select Boot from the Menu Bar.
Verify the following settings:
Boot-time Diagnostic Screen: Extended Ram Step BIOS Boot Spec Support: [No memory test]
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
1. [ATAPI CD-ROM Drive]
2. [Hard Drive]
3. [Diskette Drive]
4. [Removable Devices]
5. [LANDesk (R) Service Agent II]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The Setup Confirmation window and the following message are displayed:
Save configuration changes and exit now?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSI Select Utility screen is displayed.
Under Bus:Device:Channel, select 00:0C:A, and press <Enter>. The AIC-7896 at Bus:00h Device:0Ch Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
Extended BIOS Translation for DOS Drives > 1 GByte...Disabled
Press <Esc> three times.
On the SCSI Select Utility screen, under Bus:Device:Channel, select 00:0C:B, and press <Enter>. The AIC-7896 at Bus:00h Device:0Ch Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
Extended BIOS Translation for DOS Drives > 1 GByte...Disabled
Press <Esc> four times.
When prompted to exit utility, select Yes, and press <Enter>.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS 5U with Tupelo Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 3-41 and Setting the SCSI BIOS on page

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select System from the Menu Bar.
On the System page, use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
Com Port Address:
Press <Esc>.
On the System page, verify the following setting:
Assert NMI on PERR: [Disabled]

Setting Up Boot Devices

Use the left arrow key to select Boot from the Menu Bar.
Verify the following settings:
Boot-time Diagnostic Screen: Extended Ram Step BIOS Boot Spec Support: [No memory test]
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
1. [ATAPI CD-ROM Drive]
2. [Hard Drive]
3. [Diskette Drive]
4. [Removable Devices]
5. [Intel (R) Boot Agent Version 4.0]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The Setup Confirmation window and the following message are displayed:
Confirm saving changes?
Select Yes and press <Enter>. The system will reboot.

Setting the SCSI BIOS

When prompted, press <Ctrl> <A> to enter the SCSI Select Utility. The SCSI Select Utility screen is displayed.
Under Bus:Device:Channel, select 02:04:A, and press <Enter>. The Bus:02h Device:04 Channel:A window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.

On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
Extended BIOS Translation for DOS Drives > 1 GByte...Disabled
Press <Esc> twice.
When prompted to Save Changes Made, select Yes and press <Enter>.
Press <Esc>.
On the SCSI Select Utility screen, under Bus:Device:Channel, select 02:04:B, and press <Enter>. The Bus:02h Device:04 Channel:B window is displayed.
Under Options, select Configure/View Host Adapter Settings, and press <Enter>.
On the Configuration panel, select Advanced Configuration Options, and press <Enter>.
On the Advanced Configuration Options panel, verify the following setting:
Extended BIOS Translation for DOS Drives > 1 GByte...Disabled
Press <Esc> twice.
When prompted to Save Changes Made, select Yes and press <Enter>.
Press <Esc> twice.
When prompted to exit utility, select Yes, and press <Enter>.
Press any key to reboot.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS 5U with Tupelo Motherboard and RAID

NOTE: The BIOS is set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. The SCSI BIOS does not have to be set on the KS 5U with RAID. Follow the steps presented in Setting the BIOS on page 3-41 and Setting up the RAID Array on page

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select System from the Menu Bar.
On the System page, use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
Com Port Address:
Press <Esc>.
On the System page, verify the following setting:
Assert NMI on PERR:

Setting Up Boot Devices

Use the left arrow key to select Boot from the Menu Bar.
Verify the following settings:
Boot-time Diagnostic Screen: Extended Ram Step BIOS Boot Spec Support: [No memory test]
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
1. [ATAPI CD-ROM Drive]
2. [Hard Drive]
3. [Diskette Drive]
4. [Removable Devices]
5. [Intel (R) Boot Agent Version 4.0]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>. The Setup Confirmation window and the following message are displayed:
Confirm saving changes?
Select Yes and press <Enter>. The system will reboot.

Setting up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array.

Press <Ctrl> <M> as soon as you see the following message displayed:
To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.

When the Configure window is displayed, select New Configuration, and press <Enter>.
When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array. Drive ID 2 is highlighted in the ONLINE state following the above actions.
While positioned at drive ID 2: Press <Enter> to end the array, and press <Enter> again to continue. The Logical Drives Configured window is displayed.
In the Logical Drive 1 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Size to 5400, and press <Enter>.
Ensure that the setting for Span is NO.
Select Advanced Menu, and press <Enter>. The Advanced window is displayed. Ensure that settings are as follows:
Stripe Size: 64KB
Write Policy: WRTHRU
Read Policy: NORMAL
Cache Policy: DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box. Accept is highlighted. Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE to

The following message is displayed:
Accept This Logical Drive Configuration And Go To Next Logical Drive
Press <Enter>.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.
When the following message is displayed, press any key:
Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives. Select Initialize, and press <Enter>. The logical drives are displayed.
Press <F2> to select all drives.
Press <F10> to initialize drives.
When the Initialize Drives? window is displayed, select Yes, and press <Enter>. The Initial Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>. The following message is displayed:
Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Delete> to reboot the system.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS1500R with Hodges Motherboard

NOTE: The BIOS is set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. The SCSI BIOS does not have to be set on the KS1500R. Follow the steps presented in Setting the BIOS on page 3-55 and Setting up the RAID Array on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
Select Main, and press <Enter>.
On the Main page, verify that the System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).
Verify the following settings:
Legacy Floppy A: [1.44/1.25 MB 3.5 ]
Legacy Floppy B:
Hard Disk Pre-Delay:
Primary IDE Master [Auto]
Primary IDE Slave [None]
Secondary IDE Master [None]
Secondary IDE Slave [None]
Select Processor Settings, and press <Enter>.
Verify the following settings:
Processor Retest [No]
Processor 1 CPUID: 0F24
Processor 1 L2 Cache: 512KB ECC
Processor 2 CPUID: Not Installed
Hyper-Threading Technology: [Disabled]
Thermal Management:
Press <Esc> to exit.

Verify the following setting:
Language: [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced from the menu.
Select Memory Configuration, and then press <Enter>.
Verify the following memory settings:
DIMM Group #1 Status DIMM Group #2 Status DIMM Group #3 Status Memory Retest Extended RAM Step Normal Not Installed Not Installed [No]
Press <Esc> to exit.
Select PCI Configuration, and then press <Enter>.
Select Embedded SCSI, and then press <Enter>.
Verify the following settings:
SCSI Controller:
Option ROM Scan:
Press <Esc> to exit.
Select Embedded NIC 1 (10/100), and then press <Enter>.
Verify the following settings:
LAN Controller 1:
Option ROM Scan:
Press <Esc> to exit.
Select Embedded NIC 2 (Gbit), and then press <Enter>.
Verify the following settings:
LAN Controller 2:
Option ROM Scan:
Press <Esc> to exit.
Select Embedded Video Controller, and then press <Enter>.
Verify the following setting:
VGA Controller:

Press <Esc> to exit.
Verify that the following PCI Expansion slots are set to :
PCI Slot 1
PCI Slot 2
PCI Slot 3
PCI Slot 4
PCI Slot 5
PCI Slot 6
Press <Esc> to exit.
Select I/O Device Configuration, and then press <Enter>.
Verify the following settings:
Serial Port A:
Base I/O Address: [3F8]
Interrupt: [IRQ 4]
Serial Port B:
Base I/O Address: [2F8]
Interrupt: [IRQ 3]
Parallel Port:
Mode: [Bi-directional]
Base I/O Address: [378]
Interrupt: [IRQ 7]
Legacy USB Support
PS/2 Mouse
Press <Esc> to exit.
Select Advanced Chipset Control, and then press <Enter>.
Verify the following settings:
Wake on LAN:
Wake on Ring:
Wake on PME:
Wake on RTC:
Sleep Button: [Present]
Press <Esc> to exit.
Verify the remaining Advanced BIOS settings:
Boot-time Diagnostic Screen: Reset Configuration Data: Numlock: [No] [Off]
Use the right arrow key to select Security.

Verify the following settings:
User Password Is: Supervisor Password Is: Set User Password Set Supervisor Password Password on boot: Fixed disk boot sector: Secure Mode Timer: Hot Key (CTRL+ALT+): Secure Mode Boot: Video Blanking Floppy Write Protect: Power Switch Inhibit: Clear Clear [Enter] [Enter] [Normal] [2 hr] [L]

Setting Up the Server

Use the right arrow key to select Server.
Select Console Redirection, and then press <Enter>.
Verify the following settings:
BIOS Redirection Port
ACPI Redirection
Baud Rate: [9600]
Flow Control [XON/XOFF]
Console Type [VT100+]
Remote Console Reset:
Press <Esc> to exit.
Verify the following setting:
Service Partition Type 12
Select Event Log Configuration, and then press <Enter>.
Verify the following settings:
Clear All Event Logs Event Logging Critical Event Logging [Press Enter]
Press <Esc> to exit.

Verify the remaining Server settings:
Assert NMI on PERR:
Assert NMI on SERR:
FRB-2 Policy [Disable BSP]
Boot Monitoring: [Disable]
Boot Monitoring Policy: [Retry 3 times]
Thermal Sensor:
BMC IRQ: [11]
Post Error Pause
AC-LINK: [Last State]
Platform Event Filtering

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Select Boot Device Priority, and press <Enter>.
Order the boot devices as follows:
1. [CD-ROM Drive]
2. [Hard Drive]
3. [Removable Devices]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit.
Select Exit Saving Changes. The following message is displayed:
Confirm saving changes?
Select Yes and press <Enter>. The system will reboot.

Setting up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array.

Press <Ctrl> <M> as soon as you see the following message displayed:
To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.
When the Configure window is displayed, select New Configuration, and press <Enter>.

When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array.
Press <Enter> to end the array, and press <Enter> again to continue. The Logical Drives Configured window is displayed.
In the Logical Drive 1 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Size to 5400, and press <Enter>.
Ensure that the setting for Span is NO.
Select Advanced Menu, and press <Enter>. The Advanced window is displayed. Ensure that settings are as follows:
Stripe Size: 64KB
Write Policy: WRTHRU
Read Policy: NORMAL
Cache Policy: DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box. Accept is highlighted. Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE is (or all of the remaining blocks [6520 for 9 GB hard drives]).

The following message is displayed:
Accept This Logical Drive Configuration And Go To Next Logical Drive.
Press <Enter>.
Assign Logical Drive 4 all of the remaining space.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.
When the following message is displayed, press any key:
Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives. Select Initialize, and press <Enter>. The logical drives are displayed.
Press <F2> to select all drives.
Press <F10> to initialize drives.
When the Initialize Drives? window is displayed, select Yes, and press <Enter>. The Initialize Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>. The following message is displayed:
Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Del> to reboot the system.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for KS1500R with Bryson Motherboard

NOTE: The BIOS is set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. The SCSI BIOS does not have to be set on the KS1500R. Follow the steps presented in Setting the BIOS on page 3-55 and Setting up the RAID Array on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that the System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).
Verify the following settings:
Floppy A [1.44/1.25/1.2MB 3 1/2"]
Hard Disk Pre-Delay Primary IDE Master Primary IDE Slave Secondary IDE Master Secondary IDE Slave [CDU5211] [Not Installed] [Not Installed] [Not Installed]
Select Processor Settings, and press <Enter>.
On the Processor Settings panel, verify the following settings:
Processor Retest Hyper-Threading Technology: Processor 1 CPUID Processor 1 L2 Cache Processor 2 CPUID F27 512KB ECC Not Installed
Press <Esc>.
Verify the following setting:
Language [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced.
Select PCI Configuration, and press <Enter>.
Select USB Function, and press <Enter>.
On the USB Function panel, verify the following setting:
USB Function
Press <Esc> to exit.
Select Onboard NIC 1 (10/100Mb), and press <Enter>.
On the Onboard NIC 1 (10/100Mb) panel, verify the following settings:
Onboard NIC 1
Onboard NIC 1 ROM
Press <Esc> to exit.
Select Embedded NIC 2 (1.0Gb), and press <Enter>.
On the Onboard NIC 2 (1.0Gb) panel, verify the following settings:
Onboard NIC 2
Onboard NIC 2 ROM
Press <Esc> to exit.
Select Onboard SCSI, and press <Enter>.
On the Onboard SCSI panel, verify the following settings:
Onboard SCSI
Onboard SCSI ROM
Press <Esc> to exit.
Select Onboard Video, and then press <Enter>.
On the Onboard Video panel, verify the following setting:
Onboard Video
Press <Esc> to exit.
Verify the following settings:
PCI SLOT 1 ROM
PCI SLOT 2 ROM
PCI SLOT 3 ROM
PCI SLOT 4 ROM

PCI SLOT 5 ROM
PCI SLOT 6 ROM
Press <Esc> to exit.
Select Peripheral Configuration, and press <Enter>.
On the Peripheral Configuration panel, verify the following settings:
Serial Port A Address [3F8]
Serial Port A IRQ [4]
Serial Port B Address [2F8]
Serial Port B IRQ [3]
Parallel Port Address [378]
Parallel Port IRQ [7]
Parallel Port Mode [Bi-directional]
Diskette Controller Legacy USB Support Front Panel USB [Auto] (Or Disabled)
Press <Esc> to exit.
Select Memory Configuration, and press <Enter>.
On the Memory Configuration panel, verify the following settings:
Extended Memory Test Bank #1(DIMM1A, DIMM1B Bank #2(DIMM2A, DIMM2B Memory Retest [Installed] [Not Installed]
Press <Esc> to exit.
Select Advanced Chipset Control, and press <Enter>.
On the Advanced Chipset Control panel, verify the following settings:
Wake On Ring
Wake On LAN
Wake On PME
Wake On RTC Alarm
Press <Esc> to exit.

Verify the remaining settings on the Advanced panel:
Boot-time Diag Screen Reset Config Data Numlock Sleep Button [No] [Off]

Setting Up Security

Use the right arrow key to select Security.
Verify the following settings:
User Password Is [Not Installed]
Administrator Password Is [Not Installed]
Set Admin Password Fixed Disk Boot Sector Power Switch Inhibit NMI Control [None]

Setting Up the Server

Use the right arrow key to select Server.
Select Console Redirection, and press <Enter>.
Verify the following settings:
BIOS Redirection Port
ACPI Redirection
BAUD Rate [9600]
Flow Control [XON/XOFF]
Terminal Type [VT100+]
Press <Esc> to exit.
Select Event Log Configuration, and then press <Enter>.
Verify the following settings:
Clear All Event Logs Event Logging Critical Event Logging [No]
Press <Esc> to exit.
Select Fault Resilient Booting, and press <Enter>.
Verify the following settings:
Late POST Timeout

    Fault Resilient Booting Hard Disk OS Boot Timeout PXE OS Boot Timeout [Stay On]
Press <Esc> to exit.
Verify the remaining server settings:
    Assert NMI on PERR Assert NMI on SERR FRB-2 Policy Post Error Pause Boot Monitoring Boot Monitoring Policy [Disable BSP] [Disable] [Retry 3 times]

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Select Boot Device Priority, and press <Enter>.
Order the boot devices as follows:
    1st Boot Device 2nd Boot Device 3rd Boot Device 4th Boot Device [ATAPI CD-ROM] [Hard Drive] [Removable Devices]
Press <Esc> to exit.

Saving Changes

Use the right arrow key to select Exit.
Select Exit Saving Changes.
The following message is displayed:
    Confirm saving changes?
Select Yes, and press <Enter>. The system will reboot.

Setting Up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array.
Press <Ctrl> <M> as soon as you see the following message displayed:
    To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.

When the Configure window is displayed, select New Configuration, and press <Enter>.
When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array.
Press <Enter> to end the array, and press <Enter> again to continue. The Logical Drives Configured window is displayed.
In the Logical Drive 1 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Size to 5400, and press <Enter>.
Ensure that the setting for Span is NO.
Select Advanced Menu, and press <Enter>. The Advanced window is displayed.
Ensure that settings are as follows:
    Stripe Size     64KB
    Write Policy    WRTHRU
    Read Policy     NORMAL
    Cache Policy    DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box. Accept is highlighted.
Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE is (or all of the remaining blocks [6520 for 9 GB hard drives]).

The following message is displayed:
    Accept This Logical Drive Configuration And Go To Next Logical Drive.
Press <Enter>. Assign Logical Drive 4 all of the remaining space.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.
When the following message is displayed, press any key:
    Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives.
Select Initialize, and press <Enter>. The logical drives are displayed.
Press <F2> to select all drives.
Press <F10> to initialize drives.
When the Initialize Drives? window is displayed, select Yes, and press <Enter>. The Initialize Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>.
The following message is displayed:
    Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Delete> to reboot the system.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

KS [5U] Initial Configuration

Figure 3-18 shows the Initial Configuration window for KS 5U systems. Procedures for using this window are explained in Using the Initial Configuration Utility on page

[Figure: Initial Configuration Window for KS 5U Platform]

For KS 5U systems, the Initial Configuration window contains the following fields and controls:

High Availability Setting (Required)
    Has the following selections:
    Disabled     Indicates that High Availability (HA) is not installed. This radio button is selected by default.
    Primary      Indicates that the specified host is the primary firewall in an HA pair.
    Secondary    Indicates that the specified host is the secondary firewall in an HA pair.

Firewall Appliance
    Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections: FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

KnightSTAR 5U Models (Required)
    Has the following selections:
    KS[5U]       Denotes a Tupelo motherboard with one onboard network interface.
    KS1500R      Denotes a Hodges or a Bryson motherboard with two onboard network interfaces. This model number appears on a label on the front bezel.

Customize
    Displays the KnightSTAR[5U] Network Device Configuration window. Use this window to specify the type of network interface card that is installed in each slot on the computer.

    NOTE: In the drop-down list boxes on this window, the crypto selection denotes a cryptographic hardware accelerator.

    On KS[5U] models, the KnightSTAR[5U] Network Device Configuration window contains the following fields and controls:
    Card 1    Indicates the type of network interface card installed in Slot 1. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], crypto, rav[1]
    Card 2    Indicates the type of network interface card installed in Slot 2. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], empty
    Card 3    Indicates the type of network interface card installed in Slot 3. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], empty
    Card 4    Indicates the type of network interface card installed in Slot 4. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], empty
    Card 5    Indicates the type of network interface card installed in Slot 5. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], empty
    Card 6    Indicates the type of network interface card installed in Slot 6. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], empty

    On KS1500R models, the KnightSTAR[5U] Network Device Configuration window contains the following fields and controls:
    Card 1    Indicates the type of network interface card installed. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 2    Indicates the type of network interface card installed. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 3    Indicates the type of network interface card installed. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 4    Indicates the type of network interface card installed. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 5    Indicates the type of network interface card installed. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty

Firewall Host Name (Required)
    Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name (Required)
    Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Aggregates
    Displays the KnightSTAR [5U] LAG Configuration window. LAG (link aggregation) is an optional feature that allows you to combine multiple physical network interface cards into one logical network interface. You must have obtained a license key that includes this feature prior to configuring LAG. Use this window to configure LAG groups. You may configure up to 16 groups and assign up to 8 members per group.

    The KnightSTAR [5U] LAG Configuration window contains the following fields and controls:
    Aggregates    Drop-down list box that contains the names of the LAG groups that can be configured (lag0 - lag15).
    Members       Displays the network interface cards that have been selected from the Choices list to be members of the specified LAG group. Click on the right (>>) button to return a selected item to the Choices list.

    Choices       Displays the network interface cards that are set to Disabled in the Type field and that may be added to a LAG group. Only PCI Ethernet cards based on the DEC™ 2114x (e.g., dec0 - dec3) and Adaptec cards based on the AIC-6915 (e.g., adptsf0 - adptsf3) are supported and may be displayed in this list. The number and type of cards displayed varies according to whether you have used the Customize button to specify a particular configuration of network interface cards. Click on the left (<<) arrow button to move a selected card to the Members list.
    Aggregate     (Read-only) Displays the interface name of the currently selected LAG group.
    Mode          Specifies the operation mode for the selected LAG group. Selections available from the drop-down list box include the following:
                  Standby (Default)    Denotes hot-standby mode. Typically in this mode, two physical ports are configured beneath one LAG group. Output traffic flows through the operational port with the highest priority.
                  Aggregate            Denotes basic aggregation mode. Typically in this mode, two to four physical ports are configured beneath one LAG group. Output traffic flows through all operational ports. If you select this mode, you may select a Distribution Algorithm for the specified LAG group.

    Distribution Algorithm
                  Specifies the frame fields on which to base the port distribution algorithm. The drop-down list box includes the following selections:
                  Service (Default)    Selects a physical port based on the frame's service number (e.g., TCP or UDP source and destination ports).
                  Dest. MAC            Selects a port based on the frame's destination MAC address.
                  Source IP            Selects a port based on the frame's source IP address.
                  Dest. IP             Selects a port based on the frame's destination IP address.
                  Source/Dest. IP      Selects a port based on the frame's source and destination IP addresses.

Type (Required)
    Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.
    Disable            Denotes an interface that is not being used. All interfaces are set to Disable by default.
    Internal           Denotes an interface that is used to connect to your private internal network.
    External           Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet).
    Internal Exempt    Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby.
    External Exempt    Denotes an external interface that is not to be marked down when the served firewall fails over to the standby.
    Heartbeat          Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are required for each firewall.

Name
    Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens. Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

    NOTE: Remote Web Administration Interface (e.g., eee0) Requirements

    A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eee0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine. If you do not specify a name, a fully-qualified domain name of the following form is used by default: node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it possible to use name resolution to manage the machines in an HA pair separately.

    A fully-qualified domain name is also required for the Remote Web Administration interface on a stand-alone machine. If you do not specify a name, the default is node_name.domain, where node_name is the value specified in the Firewall Host Name field and domain is the value entered in the Domain Name field. An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

    The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server). You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.

IP Address (Required)
    Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask
    Specifies a subnet mask as a dotted quad mask (e.g., ) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., for Class A, for Class B, for Class C).

FSO User (Required)
    Specifies the login ID for a privileged Firewall Security Officer (FSO). An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password (Required)
    Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation (Required)
    Respecifies the string entered in the FSO Password field.

Remote Management Service (Required)
    Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin. The default is None.

Management Interface (Required if a Remote Management Service is specified or a configuration is to be restored)
    Indicates the network interface that is to be used to access the firewall from the remote system. On KS[5U] models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, dec4, dec5, dec6, dec7, eee0. On KS1500R models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, dec4, dec5, dec6, dec7, e1000, eee0. The selections vary according to whether you have used the Customize button to specify a particular configuration of network interface cards or the Aggregates button to configure a LAG group. The default is None.

Manager IP (Required if a Remote Management Service is specified)
    Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall.

Manager Route IP
    Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.

System Mouse Type (Required)
    Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, PS/2. The default is None.

Time Zone (Required)
    Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP
    Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization.

Onboard MAC Address
    Specifies the address of the onboard Ethernet port as it appears on a label on the front panel of the computer. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID
    (Read-only) Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate
    Allows you to obtain the hardware ID for the computer. This ID is needed to obtain a license key. NOTE: If you are using a thirty-day trial license, you are not required to obtain a hardware ID.

Serial Number
    Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key
    Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration
    Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key.

RADIUS Server IP
    Specifies the IP address of the RADIUS server.

Backup Server IP
    Specifies the IP address of the backup RADIUS server.

RADIUS Port
    Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138).

RADIUS Secret Key
    Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation
    Respecifies the string entered in the RADIUS Secret Key field.

Organizational Unit
    Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.

Remote Host IP
    Specifies the IP address of the remote host from which you wish to restore a firewall configuration.

Remote Route IP
    Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network. NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File
    Specifies the full or relative path name of the configuration file that you wish to restore. NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User
    Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password
    Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key (Required if Configuration File is encrypted)
    Specifies the key to be used to decrypt the restored configuration file. NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP
    Specifies the IP address to which packets are forwarded if an explicit route does not already exist.
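The rules stated in the field reference above for Name, IP Address, Subnetwork Mask, Type, Aggregates and the remote-management fields can be checked before the values are typed into the Initial Configuration window. The following Python is an added example, not CyberGuard code: the dictionary layout, the function names and the sample values are assumptions made for illustration, and the default masks are the standard classful bit counts (8, 16 and 24).

```python
"""Pre-flight check of values destined for the Initial Configuration window."""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*$")
LAG_CAPABLE = ("dec", "adptsf")          # card families the guide allows in a LAG group
MAX_LAG_GROUPS, MAX_LAG_MEMBERS = 16, 8  # lag0 - lag15, up to 8 members per group


def check_name(name):
    """Name: begins with a letter, then only alphanumerics, periods, hyphens."""
    return bool(NAME_RE.match(name))


def check_ip(addr):
    """IP Address: Class A, B or C only, i.e. first byte less than 224."""
    try:
        return ipaddress.IPv4Address(addr).packed[0] < 224
    except ValueError:
        return False


def prefix_length(addr, mask=""):
    """Subnetwork Mask: dotted quad or bit count; classful default when empty."""
    if not mask:
        first = ipaddress.IPv4Address(addr).packed[0]
        return 8 if first < 128 else 16 if first < 192 else 24
    if mask.isdigit():
        if int(mask) > 32:
            raise ValueError(f"bit count out of range: {mask}")
        return int(mask)
    value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return bits


def web_admin_name(node_name, domain, ha="Disabled"):
    """Default Remote Web Administration name used when Name is left empty."""
    suffix = {"Primary": "-1", "Secondary": "-2"}.get(ha, "")
    return f"{node_name}{suffix}.{domain}"


def preflight(cfg):
    """Return the list of rule violations found in a proposed configuration."""
    problems = []
    ifaces = cfg["interfaces"]
    for ifname, iface in ifaces.items():
        if iface["type"] == "Disable":
            continue
        name = iface.get("name", "")
        if name and not check_name(name):
            problems.append(f"{ifname}: Name {name!r} breaks the host name rule")
        if not check_ip(iface["ip"]):
            problems.append(f"{ifname}: IP Address {iface['ip']} is not Class A, B or C")
            continue
        try:
            prefix_length(iface["ip"], iface.get("mask", ""))
        except ValueError as exc:
            problems.append(f"{ifname}: Subnetwork Mask rejected ({exc})")
    if cfg.get("ha", "Disabled") != "Disabled":
        beats = [n for n, i in ifaces.items() if i["type"] == "Heartbeat"]
        if len(beats) < 2:
            problems.append(f"HA needs two heartbeat interfaces, found {len(beats)}")
    lags = cfg.get("lags", {})
    if len(lags) > MAX_LAG_GROUPS:
        problems.append(f"{len(lags)} LAG groups configured, limit is {MAX_LAG_GROUPS}")
    for lag, members in lags.items():
        if len(members) > MAX_LAG_MEMBERS:
            problems.append(f"{lag}: more than {MAX_LAG_MEMBERS} members")
        for member in members:
            if not member.startswith(LAG_CAPABLE):
                problems.append(f"{lag}: {member} is not a dec or adptsf card")
            elif ifaces.get(member, {"type": "Disable"})["type"] != "Disable":
                problems.append(f"{lag}: {member} must have Type set to Disable")
    mgmt = cfg.get("mgmt", {})
    if mgmt.get("service", "None") != "None":
        if mgmt.get("interface", "None") == "None":
            problems.append("Management Interface is required for remote management")
        if not check_ip(mgmt.get("manager_ip", "")):
            problems.append("Manager IP is missing or invalid")
    return problems


# Constructed sample; every value here is invented for the example.
SAMPLE = {
    "host": "fw1", "domain": "example.com", "ha": "Primary",
    "mgmt": {"service": "Secure Shell - SSH", "interface": "None", "manager_ip": ""},
    "interfaces": {
        "dec0": {"type": "Internal", "name": "fw1-int", "ip": "10.1.2.3", "mask": ""},
        "dec1": {"type": "External", "name": "1fw-ext", "ip": "224.0.0.5", "mask": "24"},
        "dec2": {"type": "Heartbeat", "name": "hb0", "ip": "172.16.0.1",
                 "mask": "255.255.0.255"},
        "dec3": {"type": "Disable"},
        "eee0": {"type": "Internal Exempt", "name": "", "ip": "192.168.5.1", "mask": ""},
    },
    "lags": {"lag0": ["dec3", "eee0"]},
}

if __name__ == "__main__":
    for line in preflight(SAMPLE):
        print(line)
    print("default web admin name:", web_admin_name("fw1", "example.com", "Primary"))
```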


4 SL Systems

Hardware
    PCI Slot and Port Ordering
    Setup
Firmware for SL 4U with KOA Motherboard
    Setting the BIOS
        Setting Up the COM Port
        Setting Up Boot Devices
        Saving Changes
    Setting Up the RAID Array
Firmware for SL2000 Systems
    Setting the BIOS
        Setting Up Advanced Features
        Setting Up Security
        Setting Up the Server
        Setting Up Boot Devices
        Saving Changes
    Setting Up the RAID Array
Firmware for SL3200 Systems
    Setting the BIOS
        Setting Up Advanced Features
        Setting Up Security
        Setting Up the Server
        Setting Up Boot Devices
        Saving Changes
    Setting Up the RAID Array
SL Initial Configuration


Chapter 4
SL Systems

This chapter provides information specific to SL 4U and 5U systems (SL 5U systems are hereinafter referred to as model SL2000 and SL3200 systems). It includes hardware and firmware setup procedures and reference information needed to complete the SL Initial Configuration window.

Hardware

This section describes PCI slot and port ordering for SL 4U, SL2000, and SL3200 systems and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

PCI Slot and Port Ordering

The SL 4U firewall system with KOA motherboard contains eight vertical external PCI slots, which are located on the back of the unit. Figure 4-1 shows the ordering of PCI slots on SL 4U systems when looking down on the motherboard with the front of the machine located at the top of the drawing.

[Figure 4-1. PCI Slot Ordering on SL 4U Systems. Slot labels: Not Used, Not Used, 32/64-Bit 66 MHz, 32/64-Bit 66 MHz, 32/64-Bit 33 MHz, 32/64-Bit 33 MHz, 32/64-Bit 33 MHz, RAID]

The SL2000, a 5U firewall system with Hodges motherboard, contains six vertical external PCI slots, which are located on the back of the unit. Figure 4-2 shows the ordering of PCI slots on SL2000 systems when looking down on the motherboard with the front of the machine located at the top of the drawing.

[Figure 4-2. PCI Slot Ordering on SL2000 Systems. Labels: e1000_0, eee_0, Expansion, RAID, VPN Accelerator]

The SL3200, a 5U firewall system with Bryson motherboard, contains six vertical external PCI slots, which are located on the back of the unit. Figure 4-3 shows the ordering of PCI slots on SL3200 systems when looking down on the motherboard with the front of the machine located at the top of the drawing.

[Figure 4-3. PCI Slot Ordering on SL3200 Systems. Labels: e1000_0, eee_0, Not Used, VPN Accelerator, RAID, Expansion]

Setup

To set up the SL firewall system, complete the following steps.
Remove the computer from the box.
Using the diagram in Figure 4-4, SL 4U with KOA Motherboard Back Panel, Figure 4-5, SL2000 Back Panel, or Figure 4-6, SL3200 Back Panel, plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables.

NOTE: The current default video setting for this appliance firewall system is 1024 x 768 x Hz refresh.

Turn on the computer.

[Figure 4-4. SL 4U with KOA Motherboard Back Panel. Labels: PS/2 Mouse, Keyboard, COM1, COM2, On-Board Ethernet Port (eee0), USB (not used), Video]

[Figure 4-5. SL2000 Back Panel. Labels: PS/2 Mouse, USBs (not used), PS/2 Keyboard, Serial Port (COM1), Video, RJ (e1000_0), RJ45 10/100 (eee_0)]

[Figure 4-6. SL3200 Back Panel. Labels: PS/2 Mouse, USBs (not used), Video, Keyboard, Serial Port (COM1), NIC 2 Gbit (e1000_0), NIC 1 10/100 (eee_0)]

Firmware for SL 4U with KOA Motherboard

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 4-5 and Setting Up the RAID Array on page 4-7.

Setting the BIOS

This section explains the procedures for setting up the COM port, reordering boot devices, and saving changes.
Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port

Use the right arrow key to select Server from the Menu Bar.
On the Server page, use the down arrow key to select Console Redirection, and press <Enter>.
On the Console Redirection panel, verify the following setting:
    Com Port Address:
Press <Esc>.
On the Server page, verify the following setting:
    Service Book: Service Boot Partition Type: [12h]
    System Event Logging:
    Clear Event Log: [No]
    Assert NMI on PERR:
    Assert NMI on SERR:
    RDB-2 BSP Policy Disable Immediately

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Verify the following setting:
    Boot-time Diagnostic Screen:
Use the down arrow key to select Boot Device Priority, and press <Enter>.
On the Boot Device Priority panel, the boot devices are displayed. Order them as follows:
    1. [Removable Devices]
    2. [ATAPI CD-ROM Drive]
    3. [Hard Drive]
    4. [Intel (R) Boot Agent Version 4.0]
Press <Esc>.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>.

The Setup Confirmation window and the following message are displayed:
    Confirm saving changes?
Select Yes and press <Enter>. The system will reboot.

Setting Up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array:
Press <Ctrl> <M> as soon as you see the following message displayed:
    To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.
When the Configure window is displayed, select New Configuration, and press <Enter>.
When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array.
Drive ID 3 is highlighted in the RDY state following the above actions. While positioned at drive ID 3:
Press <F4> to create a hot-swap spare.
When the Make HotSpare? window is displayed, select Yes, and press <Enter>.
Press <Enter> to end the array, and press <Enter> again to continue. The Logical Drives Configured window is displayed.
In the Logical Drive 1 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Size to 5400, and press <Enter>.
Ensure that the setting for Span is NO.

Select Advanced Menu, and press <Enter>. The Advanced window is displayed.
Ensure that settings are as follows:
    Stripe Size     64KB
    Write Policy    WRTHRU
    Read Policy     NORMAL
    Cache Policy    DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box. Accept is highlighted.
Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE is
The following message is displayed:
    Accept This Logical Drive Configuration And Go To Next Logical Drive
Press <Enter>.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.
When the following message is displayed, press any key:
    Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives.
Select Initialize, and press <Enter>. The logical drives are displayed.
Press <F2> to select all drives.
Press <F10> to initialize drives.

When the Initialize Drives? window is displayed, select Yes, and press <Enter>. The Initial Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>.
The following message is displayed:
    Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Delete> to reboot the system.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for SL2000 Systems

NOTE: The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in Setting the BIOS on page 4-9 and Setting Up the RAID Array on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.
Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Verify the following settings:
    Legacy Floppy A: [1.44/1.25 MB 3.5"]
    Legacy Floppy B: Hard Disk Pre-Delay Primary IDE Master Primary IDE Slave Secondary IDE Master Secondary IDE Slave [Auto] [None] [None] [None]
Select Processor Settings, and press <Enter>.
Verify the following settings:
    Processor Retest Processor Speed Setting: Processor 1 CPUID: Processor 1 L2 Cache: Processor 2 CPUID: Processor 2 L2 Cache: [No] 2.4 GHz 0F KB 0F KB
    Hyper-Threading Technology:
    Thermal Management:
Press <Esc> to exit.
Verify the following setting:
    Language: [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced from the Menu Bar.
Select Memory Configuration, and then press <Enter>.
On the Memory Configuration panel, verify the following settings:
    DIMM Group #1 Status DIMM Group #2 Status DIMM Group #3 Status Memory Retest Extended RAM Step Normal Not Installed Not Installed [No]
Press <Esc> to exit.
Select PCI Configuration, and then press <Enter>.
Select Embedded SCSI, and then press <Enter>.

On the Embedded SCSI panel, verify the following setting:
    SCSI Controller:
    Option ROM Scan:
Press <Esc> to exit.
Select Embedded NIC 1 (10/100), and then press <Enter>.
On the Embedded NIC 1 (10/100) panel, verify the following settings:
    LAN Controller 1:
    Option ROM Scan:
Press <Esc> to exit.
Select Embedded NIC 2 (Gbit), and then press <Enter>.
On the Embedded NIC 2 (Gbit) panel, verify the following settings:
    LAN Controller 2:
    Option ROM Scan:
Press <Esc> to exit.
Select Embedded Video Controller, and then press <Enter>.
On the Embedded Video Controller panel, verify the following setting:
    VGA Controller:
Press <Esc> twice to exit.
Select I/O Device Configuration, and then press <Enter>.
On the I/O Device Configuration panel, verify the following settings:
    Serial Port A:
        Base I/O Address: [3F8]
        Interrupt: [IRQ 4]
    Serial Port B:
        Base I/O Address: [2F8]
        Interrupt: [IRQ 3]
    Parallel Port:
        Mode: [ECP]
        Base I/O Address: [378]
        Interrupt: [IRQ 7]
        DMA Channel: [DMA 1]
    Legacy USB Support
    PS/2 Mouse
Press <Esc> to exit.
Select Advanced Chipset Control, and then press <Enter>.

On the Advanced Chipset Control panel, verify the following settings:
    Wake on LAN:
    Wake on Ring:
    Wake on PME:
    Wake on RTC:
    Sleep Button: [Present]
Press <Esc> to exit.
Verify the following settings:
    Boot-time Diagnostic Screen: Reset Configuration Data: Numlock: [No] [Off]

Setting Up Security

Use the right arrow key to select Security from the Menu Bar.
Verify the following settings:
    User Password Is Supervisor Password Is Set User Password Set Supervisor Password Password on boot: Fixed Disk Boot Sector: Secure Mode Timer: Hot Key (CTRL+ALT+) Secure Mode Boot: Video Blanking Floppy Write Protect: Power Switch Inhibit Clear Clear [Enter] [Enter] [Normal] [2 hr] [L]

Setting Up the Server

Use the right arrow key to select Server from the Menu Bar.
Select Console Redirection, and then press <Enter>.

On the Console Redirection panel, verify the following settings:
    BIOS Redirection Port ACPI Redirection Port BAUD Rate Flow Control Terminal Type Remote Control Reset: [19.2K] [CTS/RTS] [VT100+]
Press <Esc> to exit.
Verify the following setting:
    Service Partition Type 12
Select Event Log Configuration, and then press <Enter>.
On the Event Log Configuration panel, verify the following settings:
    Clear All Event Logs Event Logging Critical Event Logging [Press Enter]
Press <Esc> to exit.
Verify the following settings:
    Assert NMI on PERR
    Assert NMI on SERR
    FRB-2 Policy [Disable BSP]
    Boot Monitoring: [Disable]
    Boot Monitoring Policy: [Retry 3 Times]
    Thermal Sensor:
    BMC IRQ: [11]
    Post Error Pause
    AC-Link: [Last State]
    Platform Event Filtering

Setting Up Boot Devices

Use the right arrow key to select Boot from the Menu Bar.
Select Boot Device Priority, and press <Enter>.
Order the boot devices as follows:
    CD-ROM Drive
    Removable Devices
    Hard Drive
    IBA Slot 0304
    IBA Slot

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes, and press <Enter>.
The Setup Confirmation window and the following message are displayed:
    Save configuration changes and exit now?
Select Yes and press <Enter>. The system will reboot.

Setting Up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array:

Press <Ctrl> <M> as soon as you see the following message displayed:
    To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.
When the Configure window is displayed, select New Configuration, and press <Enter>.
When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array.
Drive ID 3 is highlighted in the READY state following the above actions. While positioned at drive ID 3:
Press <F4> to create a hot-swap spare.
When the Make HotSpare? window is displayed, select Yes, and press <Enter>.
Press <Enter> to end the array, and press <Enter> again to continue.
The Logical Drives Configured window is displayed. In the Logical Drive 01 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Drive Size to 5400, and press <Enter>.

Ensure that the setting for Span is NO.
Select Advanced Menu, and press <Enter>. The Advanced window is displayed. Ensure that settings are as follows:
    Stripe Size = 4KB
    Write Policy = WRTHRU
    Read Policy = NORMAL
    Cache Policy = DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box.
Accept is highlighted. Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE is MB (or all of the remaining blocks [6520 for 9 GB hard drives]).
The following message is displayed:
    Accept This Logical Drive Configuration And Go To Next Logical Drive
Press <Enter>.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.
When the following message is displayed, press any key:
    Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives:
Select Initialize, and press <Enter>. The logical drives are displayed.

Press <F2> to select all drives.
Press <F10> to initialize drives.
When the Initialize? window is displayed, select Yes, and press <Enter>. The Initialize Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>. The following message is displayed:
    Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Delete> to reboot the system.
Follow the remainder of the procedures outlined in Setting Up the Hardware on page

Firmware for SL3200 Systems

NOTE
    The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however.

Follow the steps presented in Setting the BIOS on page 4-16 and Setting Up the RAID Array on page

Setting the BIOS

This section explains the procedures for verifying settings and saving changes.

Ensure that you have turned on the computer.
When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.
Select Main, and press <Enter>.
On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Verify the following settings:
    Floppy A [1.44/1.25/1.2 MB 3 1/2 ] Hard Disk Pre-Delay Primary IDE Master Primary IDE Slave Secondary IDE Master Secondary IDE Slave [CDU5211] [Not Installed] [Not Installed] [Not Installed]
Select Processor Settings, and press <Enter>.
On the Processor Settings panel, verify the following settings:
    Processor Retest Hyper-Threading Technology: Processor 1 CPUID Processor 1 L2 Cache Processor 2 CPUID Processor 2 L2 Cache F27 512KB ECC F27 512KB ECC
Press <Esc>.
Verify the following setting:
    Language [English (US)]

Setting Up Advanced Features

Use the right arrow key to select Advanced.
Select PCI Configuration, and press <Enter>.
Select USB Function, and press <Enter>.
On the USB Function panel, verify the following setting:
    USB Function
Press <Esc> to exit.
Select Onboard NIC 1 (10/100Mb), and press <Enter>.
On the Onboard NIC 1 (10/100Mb) panel, verify the following settings:
    Onboard NIC 1
    Onboard NIC 1 ROM
Press <Esc> to exit.
Select Embedded NIC 2 (1.0Gb), and press <Enter>.

On the Onboard NIC 2 (1.0Gb) panel, verify the following settings:
    Onboard NIC 2
    Onboard NIC 2 ROM
Press <Esc> to exit.
Select Onboard SCSI, and press <Enter>.
On the Onboard SCSI panel, verify the following settings:
    Onboard SCSI
    Onboard SCSI ROM
Press <Esc> to exit.
Select Onboard Video, and press <Enter>.
On the Onboard Video panel, verify the following setting:
    Onboard Video
Press <Esc> to exit.
Verify the following settings:
    PCI SLOT 1 ROM
    PCI SLOT 2 ROM
    PCI SLOT 3 ROM
    PCI SLOT 4 ROM
    PCI SLOT 5 ROM
    PCI SLOT 6 ROM
Press <Esc> to exit.
Select Peripheral Configuration, and press <Enter>.
On the Peripheral Configuration panel, verify the following settings:
    Serial Port A Address [3F8]
    Serial Port A IRQ [4]
    Serial Port B Address [2F8]
    Serial Port B IRQ [3]
    Parallel Port Address [378]
    Parallel Port IRQ [7]
    Parallel Port Mode [Bi-directional]
    Diskette Controller Legacy USB Support Front Panel USB [Auto] (Or Disabled)
Press <Esc> to exit.
Select Memory Configuration, and press <Enter>.

On the Memory Configuration panel, verify the following settings:
    Extended Memory Test Bank #1(DIMM1A, DIMM1B Bank #2(DIMM2A, DIMM2B Memory Retest [Installed] [Not Installed]
Press <Esc> to exit.
Select Advanced Chipset Control, and press <Enter>.
On the Advanced Chipset Control panel, verify the following settings:
    Wake On Ring
    Wake On LAN
    Wake On PME
    Wake On RTC Alarm
Press <Esc> to exit.
Verify the remaining settings on the Advanced panel:
    Boot-time Diag Screen Reset Config Data Numlock Sleep Button [No] [Off]

Setting Up Security

Use the right arrow key to select Security.
Verify the following settings:
    User Password Is Administrator Password Is [Not Installed] [Not Installed] Set Admin Password Fixed Disk Boot Sector Power Switch Inhibit NMI Control [None]

Setting Up the Server

Use the right arrow key to select Server.
Select Console Redirection, and then press <Enter>.

On the Console Redirection panel, verify the following settings:
    BIOS Redirection Port
    ACPI Redirection
    BAUD Rate [9600]
    Flow Control [XON/XOFF]
    Terminal Type [VT100+]
Press <Esc> to exit.
Select Event Log Configuration, and press <Enter>.
On the Event Log Configuration panel, verify the following settings:
    Clear All Event Logs Event Logging Critical Event Logging [No]
Press <Esc> to exit.
Select Fault Resilient Booting, and press <Enter>.
Verify the following settings:
    Late POST Timeout Fault Resilient Booting Hard Disk OS Boot Timeout PXE OS Boot Timeout [Stay On]
Press <Esc> to exit.
Verify the remaining server settings:
    Assert NMI on PERR Assert NMI on SERR FRB-2 Policy Post Error Pause Boot Monitoring Boot Monitoring Policy [Disable BSP] [Disable] [Retry 3 times]

Setting Up Boot Devices

Use the right arrow key to select Boot.
Select Boot Device Priority, and press <Enter>.

Order the boot devices as follows:
    1st Boot Device 2nd Boot Device 3rd Boot Device 4th Boot Device [ATAPI CD-ROM] [Hard Drive] [Removable Devices]
Press <Esc> to exit.

Saving Changes

Use the right arrow key to select Exit from the Menu Bar.
Select Exit Saving Changes. The following message is displayed:
    Confirm saving changes?
Select Yes, and press <Enter>. The system will reboot.

Setting Up the RAID Array

When you complete the steps in Saving Changes and the system reboots, complete the following steps to configure the RAID array.

Press <Ctrl> <M> as soon as you see the following message displayed:
    To run MegaRAID Configuration Utility, press Ctrl-M.
When the Management Menu window is displayed, select Configure, and press <Enter>.
When the Configure window is displayed, select New Configuration, and press <Enter>.
When the Proceed? window is displayed, select Yes, and press <Enter>.
When the New Configuration ARRAY SELECTION MENU window is displayed, press the space bar three times to select drive IDs 0, 1, and 2 for the array.
Drive ID 3 is highlighted in the RDY state. While positioned at drive ID 3:
Press <F4> to create a hot-swap spare.
When the Make HotSpare? window is displayed, select Yes, and press <Enter>.
Press <Enter> to end the array, and press <Enter> again to continue.

The Logical Drives Configured window is displayed. In the Logical Drive 1 box:
Ensure that the setting for RAID is 5.
Select Size, and press <Enter>; change the setting for Size to 5400, and press <Enter>.
Ensure that the setting for Span is NO.
Select Advanced Menu, and press <Enter>. The Advanced window is displayed. Ensure that settings are as follows:
    Stripe Size     64KB
    Write Policy    WRTHRU
    Read Policy     NORMAL
    Cache Policy    DirectIO
Press <Esc> to exit the Advanced window and return to the Logical Drive 1 box.
Accept is highlighted. Press <Enter>.
When the Logical Drive 2 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 3 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Change the setting for SIZE to
When the Logical Drive 4 box is displayed, repeat the procedure outlined to configure Logical Drive 1 except for the following: Ensure that the setting for SIZE is (or all of the remaining blocks [6520 for 9 GB hard drives]).
The following message is displayed:
    Accept This Logical Drive Configuration And Go To Next Logical Drive.
Press <Enter>.
Assign Logical Drive 4 all of the remaining space.
When the Save Configuration? window is displayed, select Yes, and press <Enter>.

When the following message is displayed, press any key:
    Configuration is Saved. Press Any Key to Continue.
Press <Esc> to exit the Configure window.
When you return to the Management Menu window, initialize the drives.
Select Initialize, and press <Enter>. The logical drives are displayed.
Press <F2> to select all drives.
Press <F10> to initialize drives.
When the Initialize Drives? window is displayed, select Yes, and press <Enter>. The Initialize Logical Drives in Progress window is displayed.
When all drives are initialized, press any key to continue.
Press <Esc> to exit the Initialize Menu.
Press <Esc> to exit the Management Menu.
At the Exit? window, select Yes, and press <Enter>. The following message is displayed:
    Configuration has changed. Press Ctrl-Alt-Del to REBOOT.
Press <Ctrl> <Alt> <Delete> to reboot the system.
Follow the remainder of the procedures in Setting Up the Hardware on page

SL Initial Configuration

Figure 4-7 shows the Initial Configuration window for SL systems. Procedures for using this window are explained in Using the Initial Configuration Utility on page

Figure 4-7. Initial Configuration Window for SL Platform

For SL systems, the Initial Configuration window contains the following fields and controls:

High Availability Setting (Required)
    Has the following selections:
        Disabled: Indicates that High Availability (HA) is not installed. This radio button is selected by default.
        Primary: Indicates that the specified host is the primary firewall in an HA pair.
        Secondary: Indicates that the specified host is the secondary firewall in an HA pair.

Firewall Appliance
    Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections: FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

STARLord Models (Required)
    Has the following selections:
        SL: Denotes a unit with one on-board network interface.
        SL2000: Denotes a Hodges motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.
        SL3200: Denotes a Bryson motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.

Customize
    Displays the STARLord Network Device Configuration window. Use this window to specify the types of network interface cards that are installed on the computer.

NOTE
    In the drop-down list boxes on this window, the crypto selection denotes a cryptographic hardware accelerator.

On SL models, the STARLord Network Device Configuration window contains the following fields and controls:

    Card 1: Indicates the type of network interface card installed in Slot 1. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1]
    Card 2: Indicates the type of network interface card installed in Slot 2. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 3: Indicates the type of network interface card installed in Slot 3. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 4: Indicates the type of network interface card installed in Slot 4. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 5: Indicates the type of network interface card installed in Slot 5. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty

On SL2000 and SL3200 models, the STARLord Network Device Configuration window contains the following fields and controls:

    Card 1: Indicates the type of network interface card. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 2: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 3: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty
    Card 4: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty

    Card 5: Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eee[1], eee[2], rav[1], empty

Firewall Host Name (Required)
    Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name (Required)
    Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Aggregates
    Displays the STARLord LAG Configuration window. LAG (link aggregation) is an optional feature that allows you to combine multiple physical network interface cards into one logical network interface. You must have obtained a license key that includes this feature prior to configuring LAG. Use this window to configure LAG groups. You may configure up to 16 groups and assign up to 8 members per group.

The STARLord LAG Configuration window contains the following fields and controls:

    Aggregates: Drop-down list box that contains the names of the LAG groups that can be configured (lag0 - lag15).
    Members: Displays the network interface cards that have been selected from the Choices list to be members of the specified LAG group. Click on the right (>>) button to return a selected item to the Choices list.
    Choices: Displays the network interface cards that are set to Disabled in the Type field and that may be added to a LAG group. Only PCI Ethernet cards based on the DEC™ 2114x (e.g., dec0 - dec3) and Adaptec cards based on the AIC-6915 (e.g., adptsf0 - adptsf3) are supported and may be displayed in this list. The number and type of cards displayed varies according to whether you have used the Customize button to specify a particular configuration of network interface cards. Click on the left (<<) arrow button to move a selected card to the Members list.
    Aggregate: (Read-only) Displays the interface name of the currently selected LAG group.

Mode
    Specifies the operation mode for the selected LAG group. Selections available from the drop-down list box include the following:
        Standby (Default): Denotes hot-standby mode. Typically in this mode, two physical ports are configured beneath one LAG group. Output traffic flows through the operational port with the highest priority.
        Aggregate: Denotes basic aggregation mode. Typically in this mode, two to four physical ports are configured beneath one LAG group. Output traffic flows through all operational ports. If you select this mode, you may select a Distribution Algorithm for the specified LAG group.

Distribution Algorithm
    Specifies the frame fields on which to base the port distribution algorithm. The drop-down list box includes the following selections:
        Service (Default): Selects a physical port based on the frame's service number (e.g., TCP or UDP source and destination ports).
        Dest. MAC: Selects a port based on the frame's destination MAC address.
        Source IP: Selects a port based on the frame's source IP address.
        Dest. IP: Selects a port based on the frame's destination IP address.
        Source/Dest. IP: Selects a port based on the frame's source and destination IP addresses.

Type (Required)
    Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.
        Disable: Denotes an interface that is not being used. All interfaces are set to Disable by default.
        Internal: Denotes an interface that is used to connect to your private internal network.
        External: Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet).
        Internal Exempt: Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby.
        External Exempt: Denotes an external interface that is not to be marked down when the served firewall fails over to the standby.
        Heartbeat: Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are required for each firewall.

Name
    Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens. Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

NOTE
    Remote Web Administration Interface (e.g., eee0) Requirements

    A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eee0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine. If you do not specify a name, a fully-qualified domain name of the following form is used by default: node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it possible to use name resolution to manage the machines in an HA pair separately.

    A fully-qualified domain name is also required for the Remote Web Administration interface on a stand-alone machine. If you do not specify a name, the default is node_name.domain, where node_name is the value specified in the Firewall Host Name field and domain is the value entered in the Domain Name field.

    An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

    The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server). You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.

IP Address (Required)
    Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask
    Specifies a subnet mask as a dotted quad mask (e.g., ) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., for Class A, for Class B, for Class C).

FSO User (Required)
    Specifies the login ID for a privileged Firewall Security Officer (FSO). An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password (Required)
    Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation (Required)
    Respecifies the string entered in the FSO Password field.

Remote Management Service (Required)
    Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin. The default is None.

Management Interface (Required if a Remote Management Service is specified or a configuration is to be restored)
    Indicates the network interface that is to be used to access the firewall from the remote system. On SL models, the drop-down list box includes the following selections by default: None, adptsf0, adptsf1, adptsf2, adptsf3, adptsf4, adptsf5, adptsf6, adptsf7, e10000, e10001, eee0. On SL2000 and SL3200 models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, dec4, dec5, dec6, dec7, e10000, e10001, e10002, eee0. The selections vary according to whether you have used the Customize button to specify a particular configuration of network interface cards or the Aggregates button to configure a LAG group. The default is None.

Manager IP (Required if a Remote Management Service is specified)
    Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall.

Manager Route IP
    Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.

System Mouse Type (Required)
    Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, PS/2. The default is None.

Time Zone (Required)
    Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP
    Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization.

Onboard MAC Address
    Specifies the address of the onboard Ethernet port as it appears on a label on the front panel of the computer. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID
    (Read-only) Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate
    Allows you to obtain the hardware ID for the computer. This ID is needed to obtain a license key. NOTE: If you are using a thirty-day trial license, you are not required to obtain a hardware ID.

Serial Number
    Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key
    Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration
    Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key.

RADIUS Server IP
    Specifies the IP address of the RADIUS server.

Backup Server IP
    Specifies the IP address of the backup RADIUS server.

RADIUS Port
    Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138).

RADIUS Secret Key
    Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation
    Respecifies the string entered in the RADIUS Secret Key field.

Organizational Unit
    Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.

Remote Host IP
    Specifies the IP address of the remote host from which you wish to restore a firewall configuration.

Remote Route IP
    Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network. NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File
    Specifies the full or relative path name of the configuration file that you wish to restore. NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User
    Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password
    Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key (Required if Configuration File is encrypted)
    Specifies the key to be used to decrypt the restored configuration file. NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP
    Specifies the IP address to which packets are forwarded if an explicit route does not already exist.
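The field rules above (Name syntax, the IP Address class limit, the Subnetwork Mask forms and class default, the default Remote Web Administration name, and the fields that become required once a Remote Management Service is chosen) can be checked before the values are typed into the window. The following Python sketch is an added example, not CyberGuard code; the dictionary layout, function names and sample values are assumptions made for illustration, and the class default masks are the standard classful ones (8, 16 and 24 bits).

```python
import ipaddress
import re

# Name field: first character alphabetic, then alphanumerics, periods, hyphens.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9.-]*\Z")


def valid_interface_name(name):
    return bool(_NAME_RE.match(name))


def parse_interface_ip(text):
    """Apply the IP Address rule: Class A, B or C, i.e. first byte below 224."""
    addr = ipaddress.IPv4Address(text)  # malformed input raises a ValueError subclass
    if addr.packed[0] >= 224:
        raise ValueError(f"{text}: first byte must be less than 224")
    return addr


def classful_prefix(addr):
    """Prefix length of the default mask for the address class."""
    first = addr.packed[0]
    if first < 128:
        return 8    # Class A
    if first < 192:
        return 16   # Class B
    return 24       # Class C


def resolve_prefix(addr, mask=None):
    """Subnetwork Mask field: dotted quad, bit count, or blank for the class default."""
    text = "" if mask is None else str(mask).strip()
    if not text:
        return classful_prefix(addr)
    if text.isdigit():
        bits = int(text)
        if bits > 32:
            raise ValueError(f"{text}: bit count must be 0 to 32")
        return bits
    inverted = int(ipaddress.IPv4Address(text)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one contiguous low-order run
        raise ValueError(f"{text}: mask bits are not contiguous")
    return 32 - inverted.bit_length()


def default_admin_fqdn(node_name, domain, ha_setting="Disabled"):
    """Default Remote Web Administration name when the Name field is left blank."""
    suffix = {"Disabled": "", "Primary": "-1", "Secondary": "-2"}[ha_setting]
    return f"{node_name}{suffix}.{domain}"


def check_initial_config(cfg):
    """Return a list of rule violations for one configuration (a plain dict)."""
    problems = []
    for ifc in cfg["interfaces"]:
        if ifc["type"] == "Disable":
            continue  # unused interfaces carry no address to check
        name = ifc.get("name", "")
        if name and not valid_interface_name(name):
            problems.append(f"{ifc['dev']}: invalid Name {name!r}")
        try:
            resolve_prefix(parse_interface_ip(ifc["ip"]), ifc.get("mask"))
        except ValueError as exc:
            problems.append(f"{ifc['dev']}: {exc}")
    if cfg.get("remote_mgmt", "None") != "None":
        if cfg.get("mgmt_interface", "None") == "None":
            problems.append("Management Interface is required with a Remote Management Service")
        if not cfg.get("manager_ip"):
            problems.append("Manager IP is required with a Remote Management Service")
    return problems


# Constructed sample: documentation addresses and hypothetical names.
SAMPLE = {
    "remote_mgmt": "Secure Shell - SSH",
    "mgmt_interface": "None",
    "manager_ip": "192.0.2.10",
    "interfaces": [
        {"dev": "dec0", "type": "Internal", "name": "fw-int", "ip": "10.1.2.3", "mask": ""},
        {"dev": "dec1", "type": "External", "name": "9ext", "ip": "198.51.100.7",
         "mask": "255.255.255.0"},
        {"dev": "dec2", "type": "Internal", "name": "lab", "ip": "230.1.1.1", "mask": "24"},
        {"dev": "dec3", "type": "Disable"},
    ],
}

if __name__ == "__main__":
    for problem in check_initial_config(SAMPLE):
        print(problem)
    print(default_admin_fqdn("fw", "example.com", "Primary"))
```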


Appendix A Identifying Ports and Unit Numbers

This appendix provides information needed to use two utilities that help you to identify ports and interface unit number assignments: getmib and resmgr(1m).

The getmib utility provides link layer information about the network interface drivers installed on the firewall. The -l option allows you to display link status information. To determine the ports to which to connect network cables, complete the following steps:

1. Select Tools from the firewall Control Panel, and then select Shell Window.
2. When the Shell Window is displayed, enter the following to become root:
    /sbin/tfadmin newlvl SYS_PRIVATE
    su
   Enter the corresponding password, and press <Enter>.
3. Enter the following command:
    /usr/sbin/getmib -l
   Information similar to the following is displayed:
    dec0 UP 10 HD
    dec1 UP 10 HD
    dec2 UP 10 HD
    dec3 UP 10 HD
    e10000 UP 1000 FD
    e10001 UP 1000 FD
    e10002 DOWN 1000 FD
    e10003 DOWN 1000 FD
   In this example, only the e10002 and e10003 ports are not connected.
4. Enter exit to exit the root shell.
5. Enter exit to return to the previous level.
6. Enter exit to close the Shell Window.

The resmgr utility allows you to display and update the Resource Manager database. The dec driver (and other network drivers) assign unit numbers to interfaces according to Resource Manager database KEY order (see the resmgr(1m) online man page). The dec interface with the lowest KEY becomes dec0, the next dec1, and so on. KEY order among dec interfaces is determined by UnixWare, sorted by PCI bus number (BUSNUM) and PCI device number (DEVNUM).

The -m modname option allows you to specify the name of the kernel module for the device for which you want information. The -p option allows you to obtain values for one or more specified parameters (e.g., bus number, slot number). To display the PCI bus number, device number, and slot number for a device, complete the following steps:

1. Select Tools from the firewall Control Panel, and then select Shell Window.

2. When the Shell Window is displayed, enter the following to become root:

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

   Enter the corresponding password, and press <Enter>.

3. Enter the following command:

       resmgr -m modname -p BUSNUM DEVNUM SLOT

   where modname specifies the kernel module for a device (e.g., e1000).

   Information similar to the following is displayed:

       MODNAME BUSNUM DEVNUM SLOT
       e [Unit 0]
       e [Unit 1]
       e [Unit 2]
       e [Unit 3]

4. Enter exit to exit the root shell.

5. Enter exit to return to the previous level.

6. Enter exit to close the Shell Window.
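The unit-numbering rule described in this appendix (units assigned in ascending BUSNUM, then DEVNUM order) can be checked against resmgr values with the following added shell example, which is not part of the CyberGuard manual. The rows are constructed sample values in the column order of the resmgr header, the module name dec is an assumption, and the function names predict_units and unit_for are hypothetical.

```shell
#!/bin/sh
# Added example: predict interface unit numbers from PCI location.
# Input rows use the column order of the resmgr header shown above:
#   MODNAME BUSNUM DEVNUM SLOT
# All values below are constructed for illustration, not taken from a firewall.
SAMPLE_ROWS='MODNAME BUSNUM DEVNUM SLOT
dec 2 5 3
dec 0 12 1
e1000 1 4 2
dec 2 4 3
dec 0 9 1'

# predict_units MODNAME
# Reads rows on stdin, keeps the rows for MODNAME that carry numeric
# BUSNUM/DEVNUM values, sorts them numerically by BUSNUM and then DEVNUM,
# and prints one line per device: "<modname><unit> bus=N dev=N slot=N".
# The sort must be numeric: a text sort would place DEVNUM 12 before 9.
predict_units() {
    awk -v m="$1" '$1 == m && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/' |
        sort -k2,2n -k3,3n |
        awk '{
            slot = ($4 == "" ? "?" : $4)
            printf "%s%d bus=%s dev=%s slot=%s\n", $1, NR - 1, $2, $3, slot
        }'
}

# unit_for MODNAME BUSNUM DEVNUM
# Prints the interface name predicted for the device at that PCI location.
# Returns non-zero if no row for MODNAME matches the location.
unit_for() {
    predict_units "$1" |
        awk -v b="bus=$2" -v d="dev=$3" '
            $2 == b && $3 == d { print $1; found = 1 }
            END { exit !found }'
}

# Demonstration on the constructed rows.
printf '%s\n' "$SAMPLE_ROWS" | predict_units dec
```

Comparing this prediction with the names reported by getmib -l is a quick check before cabling, particularly after a configuration has been restored onto hardware with different network interface cards.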

Appendix B: Backup and Restore Procedures

NOTE: The procedures described in this appendix apply only to FS, KS, and SL appliances.

This appendix provides information needed to back up and restore a CyberGuard FS, KS, or SL appliance firewall by using the cgbackup(1m) command. This command allows you to save and recover your firewall configuration, user home directories, and selected system configuration files. Command options allow you to back up to any of the following types of media: tape, diskette, or hard disk. On an FS, KS, or SL appliance firewall, you must back up to one or more diskettes (see Backing Up an Appliance Firewall Configuration, page B-1). Backing up to hard disk is not recommended because you have no way to recover in the event of system failure or a hardware failure.

The CyberGuard Firewall 5.2 GUI provides additional support for backing up and restoring a firewall configuration. The Save and Restore window, which is accessible from the System menu of the firewall Control Panel, allows you to save a configuration to tape, a remote system, or a directory on the firewall. It allows you to restore that configuration as the active configuration. For additional information, display the online help associated with this window, or refer to the Save and Restore chapter of Volume 1 of the CyberGuard Firewall Manual.

Backing Up an Appliance Firewall Configuration

After you have completed installation and configuration of your FS, KS, or SL appliance firewall, complete the following steps to make a set of recovery diskettes of the firewall system. Be sure that you have a box of blank diskettes available for backing up the system. Label each diskette as appropriate so that you will be able to restore your configuration successfully. Note that you must have a monitor, keyboard, and mouse connected to the appliance to back up your configuration.

1. Select Tools from the Control Panel, and then select Shell Window.

2. When the Shell Window is displayed, enter the following to become root (note that su cannot be executed from any level other than SYS_PRIVATE):

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

   Enter the corresponding password, and press <Enter>.

3. If you wish to view a list of the files that will be backed up, execute the following command:

       /usr/sbin/cgbackup list | pg

4. Insert a blank diskette into the floppy drive. Enter the following command to make a recovery diskette of your firewall configuration, user home directories, and selected system configuration files:

       /usr/sbin/cgbackup backup disk

5. Remove the diskette from the drive, and label it Firewall Recovery Diskette n, where n represents the sequence number of the recovery diskette.

6. Repeat Steps 4 and 5 until you have completed backing up your system.

7. Enter exit to exit the root shell.

8. Enter exit to return to the previous level.

9. Enter exit to close the Shell Window.

Restoring an Appliance Firewall Configuration

The cgbackup command can be used to restore an FS, KS, or SL appliance firewall configuration, user home directories, and selected system configuration files. Note that you must have a monitor, keyboard, and mouse connected to the appliance to restore your configuration.

CAUTION: If you use the cgbackup command to restore the configuration to a system other than the one for which you created a set of backup diskettes, the licensing information is removed. The CyberGuard Firewall will be licensed for a thirty-day trial period.

If you use the cgbackup command to transfer a firewall configuration to another firewall system, you must ensure that the two systems have the same CyberGuard Firewall release and product software updates installed.

To restore an appliance firewall configuration, complete the procedures presented in the section that follows. To restore a configuration after experiencing a system failure, follow the procedures in Restoring a Configuration After a System Failure (page B-4).

Restoring a Configuration

To restore your FS, KS, or SL appliance firewall configuration, complete the following steps.

1. Connect a monitor, keyboard, and mouse to the appliance firewall whose configuration you wish to restore.

2. Press <Enter>.

3. At the login prompt, log in as an FSO. Enter the corresponding password, and press <Enter>.

4. Enter the following to become root (note that su cannot be executed from any level other than SYS_PRIVATE):

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

   Enter the corresponding password, and press <Enter>.

5. Enter the following to change to single-user state:

       init 1

6. When the following message is displayed, press <Enter>:

       UX:init: INFO: New run level: 1

7. At the login prompt, log in again as an FSO. Enter the corresponding password, and press <Enter>.

8. Enter the following to become root (note that su cannot be executed from any level other than SYS_PRIVATE):

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

   Enter the corresponding password, and press <Enter>.

9. Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

10. Enter the following command to recover your firewall configuration from the diskettes:

       /usr/sbin/cgbackup restore disk

11. When a message similar to the following is displayed, insert the next Firewall Recovery Diskette into the drive, and press <Enter>:

       UX:tar: INFO: Needs new volume:
       UX:tar: TO FIX: Please insert new volume, then press RETURN.

12. Repeat Steps 10 and 11 until you have completed recovery of your firewall configuration.

13. Enter the following to complete system boot and initialize networking:

       init 2

14. When the following message is displayed, press <Enter>:

       UX:init: INFO: New run level: 2

15. Enter exit to return to the previous shell.

16. Enter exit to return to the previous shell.

17. Enter exit to exit the login shell.

After the system has been booted, you must reconnect to the firewall via a Remote Management Service to display the CyberGuard Firewall Control Panel and administer the firewall.

Restoring a Configuration After a System Failure

To recover your FS, KS, or SL appliance firewall configuration after a system failure, complete the following steps.

1. Connect a monitor, keyboard, and mouse to the appliance firewall whose configuration you wish to restore.

2. Insert the KS, SL, or FS firewall bootable CD in the CD-ROM drive.

3. Press <Reset> to reboot the system.

4. Following installation of several drivers, the following message is displayed:

       IMPORTANT: This program is about to overwrite your hard drive!
       All existing data will be lost!
       Do you want to continue (you have 20 seconds to respond) [Y,N]?

   If you do not wish to proceed, press <N>. Otherwise, press <Y> or wait 20 seconds for the program to continue.

5. The system runs Norton Ghost™. As the image is loaded, the Progress Indicator window is displayed. Loading the image requires approximately 20 minutes.

6. When the image has been loaded, the computer beeps, and the following messages and prompt are displayed:

       Image loaded successfully...
       Batch File Finished
       D:\

7. Remove the KS, SL, or FS firewall CD from the CD-ROM drive.

8. Insert the KS, SL, or FS appliance firewall Initial Configuration diskette in the floppy drive on the firewall.

9. Press <Reset> to reboot the machine.

10. During the initial boot to run level 2, the firewall will attempt to read the configuration file created through use of the appliance firewall Initial Configuration window.

    NOTE: If the file is not found, the system will retry the read every five seconds for three minutes. After three minutes, the system will shut down.

11. If the file is read successfully, the initial configuration is loaded, and the system automatically reboots.

    NOTE: The firewall will not attempt to read the diskette on the second and subsequent boots. A log file (log) that contains the status of the autoconfiguration is written to the diskette (if it is writable).

12. When the CyberGuard Firewall login window is displayed, press <Alt> <SysRq> and then <P> to get to the console.

13. Press <Enter>.

14. At the login prompt, log in as an FSO. Enter the corresponding password, and press <Enter>.

15. Enter the following to become root (note that su cannot be executed from any level other than SYS_PRIVATE):

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

    Enter the corresponding password, and press <Enter>.

16. Enter the following to change to single-user state:

       init 1

17. When the following message is displayed, press <Enter>:

       UX:init: INFO: New run level: 1

18. At the login prompt, log in again as an FSO. Enter the corresponding password, and press <Enter>.

19. Enter the following to become root (note that su cannot be executed from any level other than SYS_PRIVATE):

       /sbin/tfadmin newlvl SYS_PRIVATE
       su

    Enter the corresponding password, and press <Enter>.

20. Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

21. Enter the following command to recover your firewall configuration from the diskettes:

       /usr/sbin/cgbackup restore disk

22. When a message similar to the following is displayed, insert the next Firewall Recovery Diskette into the drive, and press <Enter>:

       UX:tar: INFO: Needs new volume:
       UX:tar: TO FIX: Please insert new volume, then press RETURN.

23. Repeat Steps 20 and 21 until you have completed recovery of your firewall configuration.

24. Enter the following to complete system boot and initialize networking:

       init 2

25. When the following message is displayed, press <Enter>:

       UX:init: INFO: New run level: 2

After the system has been booted, you must reconnect to the firewall via a Remote Management Service to display the CyberGuard Firewall Control Panel and administer the firewall.

NOTE: The following steps are particularly important if you use the cgbackup command to restore the configuration to a system on which the network interface cards are different from those on the system for which you created a set of backup diskettes.

1. Select System from the Control Panel, and then select Network Interfaces. When the Network Interfaces window is displayed, ensure that the Host Name, IP Address, and Sub-Network Mask fields contain the correct information.

2. Select Configuration from the Control Panel, and then select Network Address Translation.

3. Click on the Static tab, and then click on Show Editor. When the expanded Static page appears, ensure that the network interface names are correct.

4. Click on the Dynamic tab. When the Dynamic page appears, ensure that the settings for the network interfaces are correct.


Appendix C: privadm Command

The privadm(1m) command allows some hosts on an administrative network to connect at SYS_PRIVATE level to administer the firewall remotely.

Figure C-1 shows three network interfaces: one external network and two internal networks, the Internal Network and the Private Administrative Network. Host A, Host B, and Host C are part of a private network used by administrators to administer the firewall. Host A is not allowed to connect to the firewall. All other hosts are connected to the firewall at SYS_PRIVATE level. The interface for the Private Administrative Network is /dev/dec

[Figure C-1. Firewall Administered by a Private Administrative Network. Diagram labels: INTERNET; CyberGuard Internet Firewall; Private Administrative Network; Internal Network; Host A, Host B, Host C, Host X, Host Y, Host Z.]

After you have completed installation of UnixWare and CyberGuard Firewall 5.2, complete the following steps if you wish to use the privadm command:

1. Log into the CyberGuard Firewall as the Firewall Security Officer (FSO).

2. Select System from the Control Panel, and then select System Shutdown.

3. When the System Shutdown window is displayed, select Shutdown System and Reboot. When prompted to confirm your selection, click on OK.

4. Press any key as soon as you see the following message displayed (note that you have five seconds to do so):

       Booting CyberGuard Firewall [Hit any key in 5 sec. to cancel]

   The following message and prompt are displayed as you enter interactive mode:

       Entering BOOT interactive session...[? for help]
       [boot]#

5. Right away, press <Enter> at the [boot]# prompt, and then enter the following to boot to single-user mode:

       [boot]# INITSTATE=1

6. Enter the following to continue the boot process:

       [boot]# go

7. At the console login prompt, log in as the FSO.

8. Enter the following to become root:

       su

   Enter the corresponding password, and press <Enter>.

9. Enter the following to execute the privadm command:

       /usr/sbin/firewall/privadm -d network_interface

   The network_interface argument specifies the name of a network interface (e.g., dec0 or /dev/dec0).

   When the command is executed, the admin_list file is created, and the net_clearances(4) file is modified to change the range on the administrative network from:

       NETWORK;NETWORK

   to:

       SYS_PRIVATE;SYS_PRIVATE

   The following entries show the net_clearances file before modification:

       /dev/dec0;h;network;network/etc/security/mls/host_list;
       /dev/dec1;h;network;network/etc/security/mls/host_list;
       /dev/dec2;h;network;network/etc/security/mls/host_list;

   The following entries show the net_clearances file after modification:

       /dev/dec0;h;sys_private;sys_private;/etc/security/mls/admin_list;
       /dev/dec1;h;network;network/etc/security/mls/host_list;
       /dev/dec2;h;network;network/etc/security/mls/host_list;

10. Edit the /etc/security/mls/admin_list file if there are hosts on the administrative network that are not allowed to connect to the firewall.

    a. Uncomment the following line:

           #badguy;; badguy is not allowed to connect to firewall

    b. Replace badguy with the host name that is part of the private administrative network but cannot connect to the firewall at all.

    Repeat this step for each host on the administrative network that is not allowed to connect to the firewall.

11. Enter the following to complete system boot and initialize networking:

       init 2
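One way to confirm the net_clearances change after running privadm, as an added shell example that is not CyberGuard code. It assumes, from the entries printed above, that fields are separated by semicolons with the device first and the level range in the third and fourth fields; the sample data repeats the "after modification" entries as printed, and the function names private_ifaces and check_privadm are hypothetical.

```shell
#!/bin/sh
# Added example: verify that exactly one interface was raised to SYS_PRIVATE.
# Sample input: the "after modification" entries exactly as printed above.
SAMPLE_AFTER='/dev/dec0;h;sys_private;sys_private;/etc/security/mls/admin_list;
/dev/dec1;h;network;network/etc/security/mls/host_list;
/dev/dec2;h;network;network/etc/security/mls/host_list;'

# private_ifaces FILE
# Prints the device of every entry whose range starts at sys_private.
# (Assumption: field 3 is the lower bound of the range.)
private_ifaces() {
    awk -F';' '$0 !~ /^[ \t]*#/ && tolower($3) == "sys_private" { print $1 }' "$1"
}

# check_privadm FILE IFACE
# IFACE may be given as dec0 or /dev/dec0, like the privadm argument.
# Return codes:
#   0  IFACE is the only entry at SYS_PRIVATE;SYS_PRIVATE and it uses admin_list
#   1  IFACE is missing, not at SYS_PRIVATE, or does not reference admin_list
#   2  IFACE is correct, but another interface is also at SYS_PRIVATE
check_privadm() {
    case $2 in
        /dev/*) dev=$2 ;;
        *)      dev=/dev/$2 ;;
    esac
    awk -F';' -v d="$dev" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        { lo = tolower($3); hi = tolower($4) }
        $1 == d {
            seen = 1
            # Prefix match on the upper bound: some entries are printed with
            # no separator between the range and the host list path.
            if (lo != "sys_private" || hi !~ /^sys_private/ ||
                $0 !~ /\/admin_list;/)
                bad = 1
            next
        }
        lo == "sys_private" || hi ~ /^sys_private/ { extra = extra " " $1 }
        END {
            if (!seen || bad) {
                print "FAIL: " d " is not SYS_PRIVATE;SYS_PRIVATE with admin_list"
                exit 1
            }
            if (extra != "") {
                print "WARN: also at SYS_PRIVATE:" extra
                exit 2
            }
            print "OK: only " d " admits SYS_PRIVATE connections"
        }' "$1"
}

# Demonstration on the sample entries.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AFTER" > "$tmp"
check_privadm "$tmp" dec0
rm -f "$tmp"
```

A return code of 2 is the case worth reviewing first, since it means an interface other than the intended administrative one accepts connections at SYS_PRIVATE level.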


Configuring and Using AMT on TS140 and TS440 Configuring and Using AMT on TS140 and TS440 Lenovo ThinkServer TS Series Servers Lenovo Enterprise Product Group Version 1.0 September 17, 2013 2013 Lenovo. All rights reserved. LENOVO PROVIDES THIS PUBLICATION

More information

VERITAS NetBackup 6.0

VERITAS NetBackup 6.0 VERITAS NetBackup 6.0 Backup, Archive, and Restore Getting Started Guide for UNIX, Windows, and Linux N15278C September 2005 Disclaimer The information contained in this publication is subject to change

More information

SSD Guru. Installation and User Guide. Software Version 1.4

SSD Guru. Installation and User Guide. Software Version 1.4 SSD Guru Installation and User Guide Software Version 1.4 Contents Welcome!............................................................................. 1 Key features.........................................................................

More information

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012.

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Copyright 1995-2012 Lenel Systems International, Inc. Information

More information

DocuPrint C3290 FS Features Setup Guide

DocuPrint C3290 FS Features Setup Guide DocuPrint C3290 FS Features Setup Guide Adobe and PostScript are trademarks of Adobe Systems Incorporated in the United States and/or other countries. Apple, Bonjour, ColorSync, EtherTalk, Macintosh, and

More information

XTreme Files OS & Data Backup/Restore User Manual Please read the Instruction manual before using the XTreme Files (F Series) 1.

XTreme Files OS & Data Backup/Restore User Manual Please read the Instruction manual before using the XTreme Files (F Series) 1. XTreme Files OS & Data Backup/Restore User Manual Please read the Instruction manual before using the XTreme Files (F Series) 1. The suggested interface for your computer is USB2.0 to have better speed

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

SmartFiler Backup Appliance User Guide 2.0

SmartFiler Backup Appliance User Guide 2.0 SmartFiler Backup Appliance User Guide 2.0 SmartFiler Backup Appliance User Guide 1 Table of Contents Overview... 5 Solution Overview... 5 SmartFiler Backup Appliance Overview... 5 Getting Started... 7

More information

RAID installation guide for ITE8212F

RAID installation guide for ITE8212F RAID installation guide for ITE8212F Contents Contents 2 1 Introduction 3 1.1 About this Guide 3 1.2 The Basics 3 1.2.1 What is RAID? 3 1.2.2 Advantages of RAID 3 1.2.3 Disadvantages of RAID 3 1.3 Different

More information

Quick Scan Features Setup Guide. Scan to E-mail Setup. See also: System Administration Guide: Contains details about E-mail setup.

Quick Scan Features Setup Guide. Scan to E-mail Setup. See also: System Administration Guide: Contains details about E-mail setup. Quick Scan Features Setup Guide XE3024EN0-2 This guide includes instructions for: Scan to E-mail Setup on page 1 Scan to Mailbox Setup on page 6 Network Scanning Setup on page 9 Scan to PC Setup on page

More information

Sample of Hardware Equipment Acceptance Form

Sample of Hardware Equipment Acceptance Form Sample of Hardware Equipment Acceptance Form Acceptance Plan: (File Server) (Form P1) Server System Unit Item & Serial No. : Result : Pass / Fail Power-On Self (POST) to be conducted Power on the server

More information

Intel Rapid Storage Technology

Intel Rapid Storage Technology Intel Rapid Storage Technology User Guide August 2011 Revision 1.0 1 Document Number: XXXXXX INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED,

More information

Installing Microsoft Windows Server 2008R2 with EasyStartup

Installing Microsoft Windows Server 2008R2 with EasyStartup Installing Microsoft Windows Server 2008R2 with EasyStartup Version 1.5 1/11/2013 LENOVO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED

More information

Operating System Installation Guide

Operating System Installation Guide Operating System Installation Guide This guide provides instructions on the following: Installing the Windows Server 2008 operating systems on page 1 Installing the Windows Small Business Server 2011 operating

More information

SmartFiler Backup Appliance User Guide 2.1

SmartFiler Backup Appliance User Guide 2.1 SmartFiler Backup Appliance User Guide 2.1 SmartFiler Backup Appliance User Guide 1 Table of Contents Overview... 4 Solution Overview... 4 Solution 1: Two Virtual Backup Appliances... 5 Solution 2: Two

More information

AMD RAID Installation Guide

AMD RAID Installation Guide AMD RAID Installation Guide 1. AMD BIOS RAID Installation Guide.. 2 1.1 Introduction to RAID.. 2 1.2 RAID Configurations Precautions 3 1.3 Installing Windows XP / XP 64-bit / Vista / Vista 64-bit With

More information

HP-1000 Powerline USB Adapter

HP-1000 Powerline USB Adapter HP-1000 Powerline USB Adapter User s manual BEFORE INSTALLATION Plan ahead the installation of your powerline network. Note: You will need at least two powerline adapters to create a powerline network.

More information

HP-1000 Powerline Ethernet Adapter

HP-1000 Powerline Ethernet Adapter HP-1000 Powerline Ethernet Adapter User s manual BEFORE INSTALLATION Plan ahead the installation of your powerline network. Note: You will need at least two powerline adapters to create a powerline network.

More information

Secure Perfect RAID Recovery Instructions

Secure Perfect RAID Recovery Instructions Secure Perfect RAID Recovery Instructions Contents Overview Dell PowerEdge 2500 RAID Level 1 Recovery Instructions Overview NOTE If you possess a previous version of this document, you may notice changes

More information

Onboard-RAID. Onboard-RAID supports striping (RAID 0), mirroring (RAID 1), striping/mirroring (RAID 0+1), or spanning (JBOD) operation, respectively.

Onboard-RAID. Onboard-RAID supports striping (RAID 0), mirroring (RAID 1), striping/mirroring (RAID 0+1), or spanning (JBOD) operation, respectively. 1. Introduction Onboard-RAID IEI s Onboard-RAID is designed with Promise IDE RAID controller to provide a cost-effective, high performance RAID that adds performance and/or reliability to systems using

More information

Shellshock Security Patch for X86

Shellshock Security Patch for X86 Shellshock Security Patch for X86 Guide for Using the FFPS Update Manager October 2014 Version 1.0. Page 1 Page 2 This page is intentionally blank Table of Contents 1.0 OVERVIEW - SHELLSHOCK/BASH SHELL

More information

RAID User Guide. Edition. Trademarks V1.0 P/N: 91-187C51GME0-00

RAID User Guide. Edition. Trademarks V1.0 P/N: 91-187C51GME0-00 RAID User Guide Edition V1.0 P/N: 91-187C51GME0-00 Trademarks All brand or product names mentioned are trademarks or registered trademarks of their respective holders. Contents NVIDIA RAID...1 RAID Arrays...1

More information

Building Microsoft Windows Server 2012 Clusters on the Dell PowerEdge VRTX

Building Microsoft Windows Server 2012 Clusters on the Dell PowerEdge VRTX Building Microsoft Windows Server 2012 Clusters on the Dell PowerEdge VRTX Startup Guide Paul Marquardt Contents Introduction... 4 Requirements... 4 Chassis setup... 6 Chassis placement and CMC cabling...

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Server MT2200. Network Operating System Configuration Guide

Server MT2200. Network Operating System Configuration Guide ( Server MT2200 Network Operating System Configuration Guide Copyright 1997,1998 Packard Bell NEC, Inc. Trademarks Adaptec is a registered trademark of Adaptec, Inc. DigiBoard is a registered trademark

More information

Lotus Foundations Start Getting Started

Lotus Foundations Start Getting Started Lotus Foundations Start Getting Started Guide Contents 1 Introduction... page 2 2 Product overview... page 2 3 System Requirements... page 2 4 Summary of Installation... page 3 5 Lotus Foundations operating

More information

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2010 Installation Guide, product version 6.4. This guide is item number DOC-110, revision 1.045, May 2010 Copyright 1995-2010 Lenel Systems International, Inc. Information

More information

c. Securely insert the Ethernet cable from your cable or DSL modem into the Internet port (B) on the WGT634U. Broadband modem

c. Securely insert the Ethernet cable from your cable or DSL modem into the Internet port (B) on the WGT634U. Broadband modem Start Here Follow these instructions to set up your router. Verify That Basic Requirements Are Met Assure that the following requirements are met: You have your broadband Internet service settings handy.

More information

NDA-30141 ISSUE 1 STOCK # 200893. CallCenterWorX-Enterprise IMX MAT Quick Reference Guide MAY, 2000. NEC America, Inc.

NDA-30141 ISSUE 1 STOCK # 200893. CallCenterWorX-Enterprise IMX MAT Quick Reference Guide MAY, 2000. NEC America, Inc. NDA-30141 ISSUE 1 STOCK # 200893 CallCenterWorX-Enterprise IMX MAT Quick Reference Guide MAY, 2000 NEC America, Inc. LIABILITY DISCLAIMER NEC America, Inc. reserves the right to change the specifications,

More information

How To Use 1Bay 1Bay From Awn.Net On A Pc Or Mac Or Ipad (For Pc Or Ipa) With A Network Box (For Mac) With An Ipad Or Ipod (For Ipad) With The

How To Use 1Bay 1Bay From Awn.Net On A Pc Or Mac Or Ipad (For Pc Or Ipa) With A Network Box (For Mac) With An Ipad Or Ipod (For Ipad) With The 1-bay NAS User Guide INDEX Index... 1 Log in... 2 Basic - Quick Setup... 3 Wizard... 3 Add User... 6 Add Group... 7 Add Share... 9 Control Panel... 11 Control Panel - User and groups... 12 Group Management...

More information

VT8237 SATA RAID User Manual

VT8237 SATA RAID User Manual VT8237 SATA RAID User Manual Enter BIOS Configuration Utility When the system powers on, the following information will appear on screen. Press the Tab key to enter BIOS configuration utility. 39 VIA Technologies,Inc.VIA

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Shutting down / Rebooting Small Business Server 2003 Version 1.00

Shutting down / Rebooting Small Business Server 2003 Version 1.00 Shutting down / Rebooting Small Business Server 2003 Version 1.00 Need to Know TM It may be necessary at some stage of the life of Small Business Server 2003 that it be shutdown or rebooted. In many cases

More information

Maintaining the Content Server

Maintaining the Content Server CHAPTER 7 This chapter includes the following Content Server maintenance procedures: Backing Up the Content Server, page 7-1 Restoring Files, page 7-3 Upgrading the Content Server, page 7-5 Shutting Down

More information

H ARDWARE C ONSIDERATIONS

H ARDWARE C ONSIDERATIONS H ARDWARE C ONSIDERATIONS for Sidewinder 5 firewall software Compaq ProLiant ML370 G2 This document provides information on specific system hardware required for running Sidewinder firewall software on

More information

SiS964 RAID. User s Manual. Edition. Trademarks V1.0 P/N: 91-187-U49-M2-0E

SiS964 RAID. User s Manual. Edition. Trademarks V1.0 P/N: 91-187-U49-M2-0E SiS964 RAID User s Manual Edition V1.0 P/N: 91-187-U49-M2-0E Trademarks All brand or product names mentioned are trademarks or registered trademarks of their respective holders. CONTENTS Introduction...

More information

Network Storage Link

Network Storage Link A Division of Cisco Systems, Inc. WIRED Network Storage Link for USB 2.0 Disk Drives User Guide Model No. NSLU2 Copyright and Trademarks Specifications are subject to change without notice. Linksys is

More information

Full Disk Encryption Agent Reference

Full Disk Encryption Agent Reference www.novell.com/documentation Full Disk Encryption Agent Reference ZENworks 11 Support Pack 3 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or

More information

HP Server tc2120 Network Operating System Installation Guide

HP Server tc2120 Network Operating System Installation Guide HP Server tc2120 Network Operating System Installation Guide For: Microsoft Windows 2000 Server and SP3 Microsoft Windows 2000 Server and Microsoft Small Business Server 2000 Microsoft Windows 2003 Server

More information

Dell DR4000 Disk Backup System. Introduction to the Dell DR4000 Restore Manager A primer for creating and using a Restore Manager USB flash drive

Dell DR4000 Disk Backup System. Introduction to the Dell DR4000 Restore Manager A primer for creating and using a Restore Manager USB flash drive Dell DR4000 Disk Backup System Introduction to the Dell DR4000 Restore Manager A primer for creating and using a Restore Manager USB flash drive Storage Engineering Dell Product Group February 2012 THIS

More information

PROMISE ARRAY MANAGEMENT (PAM) for

PROMISE ARRAY MANAGEMENT (PAM) for PROMISE ARRAY MANAGEMENT (PAM) for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Version 1.1 PAM for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Copyright 2004 Promise Technology, Inc. All

More information

Diamond II v2.3 Service Pack 4 Installation Manual

Diamond II v2.3 Service Pack 4 Installation Manual Diamond II v2.3 Service Pack 4 Installation Manual P/N 460987001B ISS 26APR11 Copyright Disclaimer Trademarks and patents Intended use Software license agreement FCC compliance Certification and compliance

More information

Cisco FlexFlash: Use and Manage Cisco Flexible Flash Internal SD Card for Cisco UCS C-Series Standalone Rack Servers

Cisco FlexFlash: Use and Manage Cisco Flexible Flash Internal SD Card for Cisco UCS C-Series Standalone Rack Servers Cisco FlexFlash: Use and Manage Cisco Flexible Flash Internal SD Card for Cisco UCS C-Series Standalone Rack Servers White Paper February 2014 What You Will Learn The Cisco UCS C220 M3, C240 M3, C420 M3,

More information

Dominion KX II-101-V2

Dominion KX II-101-V2 Dominion KX II-101-V2 Quick Setup Guide Thank you for your purchase of the Dominion KX II-101-V2, the economical, full-featured, single-port digital KVM-over-IP device. For details on using the KX II-101-V2,

More information

Windows 2003 Server Installation Guide

Windows 2003 Server Installation Guide Windows 2003 Server Installation Guide Revision 2.0 April 14, 2011 Licenses This manual is the exclusive property of Prometric, Inc. This manual is licensed for use with restrictions to authorized centers

More information

EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014. Version 1

EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014. Version 1 EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014 Version 1 NEC EXPRESSCLUSTER X 3.x for Windows SQL Server 2014 Quick Start Guide Document Number ECX-MSSQL2014-QSG, Version

More information