



INSTALLATION GUIDE

PRESENTATION AND INSTALLATION OF NETASQ PRODUCTS

Date            Version  Author  Details
April 2010      V1.0     NETASQ  Creation
September 2010  V1.1     NETASQ  Update

Reference: naengde_product-installation

Copyright NETASQ 2010 Page 1/65

You are strongly advised to read this document in full before installing any NETASQ UTM product.

This guide aims to facilitate the quick integration of a NETASQ firewall into your network, but does not provide information on how to configure it. Please consult the relevant help file on the CD-ROM provided for configuration matters.

Copyright NETASQ 2010. All rights reserved. Any reproduction, adaptation or translation of this current document without prior written permission is prohibited, except where expressly allowed by copyright laws.

NETASQ applies a method of constant development and as such reserves the right to modify and improve any product described in the document without prior notice.

Under no circumstances shall NETASQ be held liable for any loss of data or revenue, or any special damage or incident, resulting from or indirectly caused by the use of the product and its associated documentation.

The contents of this document relate to the developments in NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document. NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice.

To ensure the availability of products, which may vary according to your geographical locations, contact your nearest NETASQ distributor.

Products concerned: U30, U70, U120, U250, U450, U1100, U1500 and U6000, NG1000-A, NG5000-A.

CONTENTS

1 INTRODUCTION
2 USAGE PRECAUTIONS
3 UPON RECEIVING YOUR FIREWALL
  3.1 INTEGRITY OF THE PRODUCT
    3.1.1 LABELS
    3.1.2 QUALITY SEAL
    3.1.3 FIREWALL SEAL
  3.2 CONTENTS OF THE PACKAGING
    3.2.1 THE CHASSIS
  3.3 WARRANTY AND DISMANTLING THE APPLIANCE
4 PRESENTATION OF THE APPLIANCES
  4.1 FRONT PANELS OF PRODUCTS IN THE U RANGE
  4.2 THE U30 APPLIANCE
  4.3 THE U70 APPLIANCE
  4.4 THE U120 APPLIANCE
  4.5 THE U250 APPLIANCE
  4.6 THE U450 APPLIANCE
  4.7 THE U1100 APPLIANCE
    4.7.1 FRONT PANEL
    4.7.2 REAR PANEL
  4.8 THE U1500 APPLIANCE
    4.8.1 FRONT PANEL
    4.8.2 REAR PANEL
  4.9 THE U6000 APPLIANCE
    4.9.1 FRONT PANEL
    4.9.2 REAR PANEL
  4.10 THE NG1000-A APPLIANCE
    4.10.1 FRONT PANEL
    4.10.2 REAR PANEL
  4.11 THE NG5000-A APPLIANCE
    4.11.1 FRONT PANEL
    4.11.2 REAR PANEL
5 CONNECTIONS
  5.1 INSTALLATION PRECAUTIONS
    5.1.1 LOCATION
  5.2 POWER PLUG
  5.3 CONNECTION FOR ADMINISTERING THE APPLIANCE
  5.4 CONNECTING TO THE NETWORK
    5.4.1 U30
    5.4.2 U70
    5.4.3 U120
    5.4.4 U250
    5.4.5 U450
    5.4.6 U1100
    5.4.7 U1500
    5.4.8 U6000
    5.4.9 NG1000-A
    5.4.10 NG5000-A
    5.4.11 USING A STRAIGHT CABLE
    5.4.12 USING A CROSSOVER CABLE (CABLE PROVIDED WITH THE PRODUCT)
    5.4.13 ANTISPOOFING MECHANISM
6 PHYSICAL INSTALLATION OF THE APPLIANCE
  6.1 PREPARATION BEFORE INSTALLATION
    6.1.1 PREPARATION OF THE NETWORK CABLES
    6.1.2 PREPARATION OF THE RACKING CABINET OR BAY
    6.1.3 PREPARATION OF INTERNET ACCESS
  6.2 PLACING THE APPLIANCE IN A BAY
    6.2.1 INSTALLING A U30 OR U70
    6.2.2 INSTALLING A U120, U250 OR U450
    6.2.3 INSTALLING A U1100, U1500 OR U6000
    6.2.4 PRECONFIGURING A FIREWALL
7 INITIAL CONNECTION TO THE PRODUCT
  7.1 PREREQUISITES
    7.1.1 MINIMUM CONFIGURATION FOR CONFIGURING A NETASQ FIREWALL
    7.1.2 PREPARATION OF INTERNET ACCESS
  7.2 CONFIGURATION
  7.3 REGISTERING AND INSTALLING THE PRODUCT
APPENDIX A: UPDATING THE LICENSE
  INSTALLING THE LICENSE
APPENDIX B: RESETTING THE FIREWALL
APPENDIX C: ADDING AN ADDITIONAL U6000 NETWORK CARD
  GENERAL POINTS
  AUTHORIZATION
  APPLIANCES CONCERNED
  DESCRIPTION OF THE CARDS
  STEPS TO FOLLOW
  INTRODUCTION
  PROCEDURE FOR ADDING A CARD
  7.3.1 ADDING A PCI-E NETWORK CARD
  7.3.2 ADDING A 2ND PCI-E NETWORK CARD
  7.3.3 ADDING A PCI-X NETWORK CARD
  7.4 SCENARIOS FOR ADDING PCI-X CARDS
  7.4.1 SCENARIO IN WHICH A 6-PORT PCI-X CARD IS ADDED TO A DEFAULT CONFIGURATION
  7.4.2 SCENARIO IN WHICH A 2-PORT PCI-X CARD IS ADDED TO A DEFAULT CONFIGURATION
  7.4.3 SCENARIO IN WHICH A 6-PORT PCI-X CARD IS ADDED AFTER A PCI-E CARD
APPENDIX D: ADDING AN NG1000-A AND NG5000-A EXTENSION MODULE
  GENERAL POINTS
  APPLIANCES CONCERNED
  DESCRIPTION OF THE CARDS
  PROCEDURE FOR ADDING A CARD
APPENDIX E: INSTALLING VIA THE CD-ROM
GLOSSARY

1 INTRODUCTION

Thank you for choosing NETASQ.

Designed to protect structures of all sizes, NETASQ's UTM appliances are pre-configured: no hardware or software installation is needed and no UNIX knowledge is necessary, just a user-friendly configuration via a graphical interface. There are currently 10 products in the range: U30, U70, U120, U250, U450, U1100, U1500, U6000, NG1000-A and NG5000-A.

The NETASQ UTM appliance allows the definition of incoming or outgoing access control rules. Its concept is simple: any incoming or outgoing transmission passing through the NETASQ Firewall is monitored, authorized or denied according to the rules, packet by packet. The NETASQ Firewall is based on an upgraded packet filtering mechanism which brings a high level of security.

All NETASQ Firewalls integrate the ASQ (Active Security Qualification) technology developed by NETASQ. This technology allows detection and blocking of hacking attempts in real time: illegal packets, denial of service attempts, anomalies in a connection, port scans, buffer overflows, etc. In the case of an intrusion attempt, depending on the instructions given in the security policy, the NETASQ Firewall blocks the transmission, generates an alarm and stores the information linked to the packet that set off the alarm. You can then analyze the attack and trace its source.

The Firewall not only prevents incoming connections on your network, or restricts them to certain services, but also allows you to monitor the use of the internet by your internal users (HTTP, FTP, SMTP...). You may also monitor your users by authenticating them via an internal or external authentication database.

The NETASQ Firewall also manages port and address translation mechanisms. These mechanisms provide security (by masking your internal address range) and flexibility (by enabling the use of any private internal addressing range) and reduce costs (by enabling the provision of several servers on the internet with a single public IP address).

With ASQ, NETASQ's IPS (Intrusion Prevention System) engine, a NETASQ firewall offers all the more security. Its plugin architecture allows monitoring most of the traffic circulating through the Firewall even at the application layer. Its performance in terms of throughput, number of rules and number of tunnels, has been increased tenfold.

Thanks to its Windows-based user interface, it allows the rapid and simple definition of your network's security rules, from a local workstation running under Windows. You may also monitor your Firewall's activity in real time.

The NETASQ Firewall is also equipped with advanced log functions. In the event of an intrusion attempt, the network administrator may access all data sent before the attack and see how it was prepared. NETASQ EVENT REPORTER provides you with a graphical view and fine analysis of logs generated on the Firewall.

Lastly, the NETASQ Firewall includes VPN gateway functions allowing you to establish encrypted tunnels with other VPN equipment. In this way, your communications between sites or with your mobile users ("Road Warriors") may be secured even while using an insecure communication infrastructure like the internet.

This installation guide presents the products (front and rear panels), explains the physical installation process and lastly allows you to configure your product in order to integrate it into the desired network architecture. It also explains how to insert additional network cards into the U6000 product or extension modules into the NG1000-A and NG5000-A products.

2 USAGE PRECAUTIONS

Using the wrong type of lithium batteries may cause the components to explode. Please follow the indications given by the manufacturer of the lithium batteries (these are used in your firewall) on how to recycle used batteries.

Ensure that you place heavier equipment in the lower racks of the cabinet, and the lighter appliances in the higher racks.

Most NETASQ appliances require an earthed (grounded) connection. Ensure that your power grid has good ground conductivity, which meets NETASQ's specifications concerning the power supply of firewalls. It would be even better to protect the power supply with UPS devices.

NETASQ appliances do not have power supply switches. In all cases, unplugging the power cable from the mains socket will disconnect the appliance from the main power supply.

NETASQ firewalls should not be installed in locations where the temperature may exceed 35 °C. The table below indicates the operating temperature, storage temperature and humidity level for each appliance.

Appliance  Operating temperature       Storage temperature            Humidity
U30        5 to 40 °C (51 to 104 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U70        5 to 40 °C (51 to 104 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U120       5 to 40 °C (51 to 104 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U250       5 to 40 °C (55 to 104 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U450       5 to 40 °C (55 to 104 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U1100      10 to 35 °C (50 to 95 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U1500      10 to 35 °C (50 to 95 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
U6000      10 to 35 °C (50 to 95 °F)   -30 to 65 °C (-22 to 149 °F)   20% to 90% (without condensation)
NG1000-A   10 to 35 °C (50 to 95 °F)   -20 to 65 °C (-4 to 149 °F)    20% to 80% (without condensation)
NG5000-A   10 to 35 °C (50 to 95 °F)   -20 to 70 °C (-4 to 158 °F)    20% to 80% (without condensation)

Ensure that nothing obstructs the air vents on the product in order to guarantee maximum air circulation.

U30, U70, U6000, NG1000-A and NG5000-A appliances comply with the requirements in the EN55022 standard, Class A. In residential environments, these products may cause radioelectric disturbances, in which case the user may be obliged to take the appropriate measures.

Ensure that you unplug ALL power cables connected to the firewall before beginning any interventions on it.

The metal brackets on the front panel of the U6000, NG1000-A and NG5000-A products are not to be used for lifting the product but only for racking the firewall or for removing it from its racks.

3 UPON RECEIVING YOUR FIREWALL

3.1 Integrity of the product

In order to guarantee the integrity of your product, NETASQ has set up several mechanisms. Check these mechanisms to confirm that your product has not been tampered with.

3.1.1 Labels

Every firewall is delivered in a cardboard box with three labels affixed, indicating information identifying the product it contains and its version. There is also a Serial number label affixed directly on the product. The 3rd label serves to identify the configuration of the product. Check that this information matches your order.

IMPORTANT
It is best that you have your serial number and web password (given on the label on the underside of the product) at hand before connecting or installing the firewall.

The 3 labels are as follows:

- Serial number label: this label, pasted on the product, indicates information such as the serial number, sales platform, web activation code (which enables the activation of the client account in the NETASQ website's client area) and the barcode that contains the product's serial number.

  Figure 1: Serial number label

- Packaging identification label: this label, pasted on the packaging of the product, provides information relating to the sales platform, serial number of the product and the barcode containing the product's serial number.

  Figure 2: Packaging identification label

- Version number label: this label, pasted on the packaging, indicates the software version installed on the firewall. The version is defined by a version number and model (which correspond to a certain export zone). This label helps to check later if the delivered version has been certified.

  Figure 3: Product version label

3.1.2 Quality seal

Every firewall is delivered in a cardboard box on which a NETASQ-specific quality seal or a NETASQ QUALITY SEAL is affixed. Check that there is such a seal on your product's packaging. Below is the type of label or quality seal that you should expect to find:

Figure 4: "Quality seal" label

Figure 5: Warranty band

If this band is missing, contact your distributor as soon as possible to find out why the packaging has been opened.

Confirm that these security mechanisms are in place in order to ensure the integrity of the product delivered and to avoid any subsequent dispute concerning the application of the guarantee in the event a breach is observed more than 48 hours after receipt of the product. Feel free to contact your distributor if any of the elements does not comply with its description.

3.1.3 Firewall seal

A seal label is pasted on all firewalls. This prevents the replacement or modification of the firewall's hardware elements. This label has the peculiarity of displaying a message (VOID) that cannot be erased once the label has been removed.

There are two types of seal: one pasted by NETASQ after production and one pasted by your partner if a maintenance operation has been performed on your appliance (your partner would have explained this maintenance operation to you through an activity certificate).

Figure 6: Firewall seal

Confirm that these security mechanisms are in place in order to ensure the integrity of the product delivered and to avoid any subsequent dispute concerning the application of the guarantee in the event a breach is observed more than 48 hours after receipt of the product. Feel free to contact your distributor if any of the elements does not comply with its description.

3.2 Contents of the packaging

Keep the cardboard packaging safely in case you need it later for transporting the firewall. It has been designed to give your NETASQ firewall optimum protection (shock and temperature resistance).

Upon delivery, check that the following have been included in the packaging:

- The NETASQ firewall in the model ordered
- A power cable (2 cables for U6000, NG1000-A and NG5000-A appliances) (ref. 1076036). For U30 and U70 products, the cable would be a power cable specific to the power supply unit (plug attached to the unit).
- A crossover DB9F serial cable (ref. 1076033) (optional)
- An RJ 45 crossover cable (blue cable, ref. 1076034)
- The NETASQ software suite CD-ROM (Administration Suite)
- A sheet indicating the license agreement
- Brackets and fastening system for racking your firewall (except for U30 and U70)
- The power pack for U30 and U70
- Rubber feet for 1U products (U120, U250 and U450)

If any of the elements is missing, contact your distributor immediately.

NOTE
For an after-sales exchange, the package will only contain the product and the external power supply unit (U30, U70).

3.2.1 The chassis

Flexible feet have been placed under the chassis of the firewall to ensure that the NETASQ firewall is on a stable plane (on a desk or on other IT equipment) and is protected from scratches.

These feet are delivered separately for 1U models (products that can be installed on a desk or in a rack), i.e., U120, U250, U450, U1100 and U1500. These feet can be delivered already installed on the appliance for non-rackable products (U30 and U70).

U6000, NG1000-A and NG5000-A appliances are delivered with racking rails (sliding rails) in addition to front attachment brackets. These rails have to be set up in order to prevent deterioration of the product.

3.3 Warranty and dismantling the appliance

Under no circumstances should you take apart a NETASQ appliance on your own. Only NETASQ and its approved maintenance agents are authorized to do so. Your warranty will be rendered null and void should you dismantle a NETASQ firewall on your own.

4 PRESENTATION OF THE APPLIANCES

4.1 Front panels of products in the U range

On the various models, the 3 LEDs (from bottom to top) described below will appear on the front panel:

3. Online LED (green)
2. Status LED (green)
1. Power LED (yellow)

NOTE
The U6000 appliance has other LEDs that will be covered later in this document.

For all models, upon startup, the LEDs light up in the following order:

Power -> Status -> Online

The Power LED will light up first, then Status, then Online. The Online LED, which indicates that the product is running, will light up after about 2 minutes.

For all models, upon shutdown, the LEDs shut off in the following order:

Power <- Status <- Online

The Online LED goes off first, then Status followed by Power.

The connectors on U30, U70, U120, U250 and U450 appliances are located on the front panel.

4.2 The U30 appliance

The U30 appliance has the following characteristics:

- Throughput of 200 Mbits/s.
- 50,000 concurrent connections.
- 4,000 new sessions per second.

[Figure: U30 front panel, callouts 1 to 9]

1. Software shutdown button.
2. LEDs from bottom to top: Power/Status/Online.
3. Serial port: for connecting the firewall directly to a PC or modem.
4. PS/2 mini-DIN port: for connecting a keyboard.
5. VGA port: for connecting a monitor.
6. Button to reset to the default configuration (defaultconfig).
7. 1 USB port: for secure configuration or updates.
8. OUT Interface.
9. IN Interface.

Point 1: to shut down the software, hold down the software shutdown button for 4 seconds (until the Online (green) LED goes off).

NOTE: There is no internal fan on this appliance.

Point 2: the Power LED (yellow) indicates that the product has been plugged in. If this is the only LED that lights up, this means that the appliance is off. The product is running when the Power LED and the Status and Online LEDs (green) are visible. The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces.

When the appliance is starting, shutting down or being updated, only the Status and Power LEDs will light up. You are strongly advised against unplugging the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

Points 3, 4 and 5: these different ports enable access to the appliance in console mode.

The LEDs above the interfaces provide indications as to the throughput. For the U30, an interface with a LED that does not light up indicates a throughput of 10 Mbits/s, and an interface with 2 LEDs that light up indicates a throughput of 100 Mbits/s. Blinking LEDs indicate the presence of network activity.

NOTE: power is supplied to this appliance from outside the rear panel. An upgrade to version 8.0 is recommended.

4.3 The U70 appliance

The U70 appliance has the following characteristics:

- Throughput of 600 Mbits/s.
- 100,000 concurrent connections.
- 6 Gigabit interfaces.
- 6,000 new sessions per second.

[Figure: U70 front panel, callouts 1 to 9]

1. Software shutdown button.
2. LEDs from bottom to top: Power/Status/Online.
3. Serial port: for connecting the firewall directly to a PC or modem.
4. PS/2 mini-DIN port: for connecting a keyboard.
5. VGA port: for connecting a monitor.
6. Button to reset to the default configuration (defaultconfig).
7. 1 USB port: for secure configuration or updates.
8. OUT Interface.
9. IN Interface.

Point 1: to shut down the software, hold down the software shutdown button for 4 seconds (until the Online (green) LED goes off).

NOTE: The fan is directly linked to the power supply.

Point 2: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. If this is the only LED that lights up, this means that the appliance is off. The product is running when the Power LED and the Status and Online LEDs (green) are visible. The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces.

When the appliance is starting, shutting down or being updated, only the Status and Power LEDs will light up. You are strongly advised against unplugging the product while the Status LED indicates that it is restarting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

Points 3, 4 and 5: these different ports enable access to the appliance in console mode.

The LEDs above the interfaces provide indications as to the throughput. For the U70, if the left LED lights up on an IN interface, this indicates a throughput of 10 Mbits/s, 2 LEDs that light up indicate a throughput of 100 Mbits/s and if the right LED lights up, this indicates a throughput of 1000 Mbits/s. One or two blinking LEDs on an IN interface indicate the presence of network activity.

NOTE: power is supplied to this appliance from outside the rear panel. An upgrade to version 8.0 is recommended.

4.4 The U120 appliance

The U120 appliance has the following characteristics:

- Throughput of 700 Mbits/s.
- 200,000 concurrent connections.
- 6 Gigabit interfaces.
- 6,500 new sessions per second.

[Figure: U120 front panel, callouts 1 to 9]

1. Software shutdown button.
2. LEDs from bottom to top: Power/Status/Online.
3. Serial port: for connecting the firewall directly to a PC or modem.
4. PS/2 mini-DIN port: for connecting a keyboard.
5. VGA port: for connecting a monitor.
6. Button to reset to the default configuration (defaultconfig).
7. 1 USB port: for secure configuration or updates.
8. OUT Interface.
9. IN Interface.

Point 1: to shut down the software, hold down the software shutdown button for 4 seconds (until the Online (green) LED goes off).

NOTE: The fan is directly linked to the power supply.

Point 2: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. If this is the only LED that lights up, this means that the appliance is off. The product is running when the Power LED and the Status and Online LEDs (green) are visible. The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces.

When the appliance is starting, shutting down or being updated, only the Status and Power LEDs will light up. You are strongly advised against unplugging the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

Points 3, 4 and 5: these different ports enable access to the appliance in console mode.

The LEDs above the interfaces provide indications as to the throughput. For the U120, if the left LED lights up on an IN interface, this indicates a throughput of 10 Mbits/s, 2 LEDs that light up indicate a throughput of 100 Mbits/s and if the right LED lights up on an IN interface, this indicates a throughput of 1000 Mbits/s. One or two blinking LEDs on an IN interface indicate the presence of network activity.

NOTE: power is supplied to this appliance from inside the rear panel. An upgrade to version 8.0 is recommended.
4.5 The U250 appliance The U250 appliance has the following characteristics: Throughput of 850 Mbits/s. 400,000 concurrent connections. 6 Gigabit interfaces. 8,500 new sessions per second. Copyright NETASQ 2010 Page 18/66

1. Software shutdown button.
2. LEDs from bottom to top: Power/Status/Online.
3. Serial port: for connecting the firewall directly to a PC or modem.
4. PS2 mini-din port: for connecting a keyboard.
5. VGA port: for connecting a monitor.
6. Button to reset to the default configuration (defaultconfig).
7. 1 USB port: for secure configuration or updates.
8. OUT Interface.
9. IN Interface.

Point 1: to shut down the software, hold down the software shutdown button for 4 seconds (until the Online (green) LED goes off).

NOTE: The fan is directly linked to the power supply.

Point 2: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. If this is the only LED that lights up, this means that the appliance is off. The product is running when the Power LED and the Status and Online LEDs (green) are visible. The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces.

When the appliance is starting, shutting down or being updated, only the Status and Power LEDs will light up. You are strongly advised against unplugging the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

Points 3, 4 and 5: these different ports enable access to the appliance in console mode.

The LEDs above the interfaces provide indications as to the throughput. For the U250, if the left LED lights up on an IN interface, this indicates a throughput of 10 Mbits/s, 2 LEDs that light up indicate a throughput of 100 Mbits/s and if the right LED lights up, this indicates a throughput of 1000 Mbits/s. One or two blinking LEDs on an IN interface indicate the presence of network activity.

NOTE: power is supplied to this appliance from inside the rear panel. An upgrade to version 8.0 is recommended.

4.6 The U450 appliance

The U450 appliance has the following characteristics:
- Throughput of 1000 Mbits/s.
- 600,000 concurrent connections.
- 15 Gigabit interfaces.
- 10,500 new sessions per second.

1. Software shutdown button.
2. LEDs from bottom to top: Power/Status/Online.
3. Serial port: for connecting the firewall directly to a PC or modem.
4. PS2 mini-din port: for connecting a keyboard.
5. VGA port: for connecting a monitor.
6. Button to reset to the default configuration (defaultconfig).
7. 1 USB port: for secure configuration or updates.
8. OUT Interface.
9. IN Interface.

Point 1: to shut down the software, hold down the software shutdown button for 4 seconds (until the Online (green) LED goes off).

NOTE: The fan is directly linked to the power supply.

Point 2: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. If this is the only LED that lights up, this means that the appliance is off. The product is running when the Power LED and the Status and Online LEDs (green) are visible. The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces.

When the appliance is starting, shutting down or being updated, only the Status and Power LEDs will light up. You are strongly advised against unplugging the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

Points 3, 4 and 5: these different ports enable access to the appliance in console mode.

The LEDs above the interfaces provide indications as to the throughput. For the U450, if the left LED lights up on an IN interface, this indicates a throughput of 10 Mbits/s, 2 LEDs that light up indicate a throughput of 100 Mbits/s and if the right LED lights up, this indicates a throughput of 1000 Mbits/s. One or two blinking LEDs on an IN interface indicate the presence of network activity.

NOTE: power is supplied to this appliance from outside the rear panel. An upgrade to version 8.0 is recommended.

4.7 The U1100 appliance

The U1100 appliance has the following characteristics:
- Throughput of 2,800 Mbits/s.
- 800,000 concurrent connections.
- 8 Gigabit interfaces.
- 20,000 new sessions per second.

4.7.1 Front panel

1. Power LED (yellow): when this LED lights up, this means that the firewall is running.
2. Status LED (green).
3. Online LED (green).

Point 1: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. The product is running when the Power LED and the Status and Online LEDs (green) are visible.

Point 2: When the appliance is starting, shutting down or being updated, the Status LED will light up. You are strongly advised against switching off the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

Point 3: The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces. For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

4.7.2 Rear panel

1. Fan grating.
2. Power socket: for plugging in the main power cable.
3. PS2 mini-din port: for plugging in a keyboard.
4. 2 USB ports: for secure configurations and updates.
5. Serial port: for connecting the firewall directly to a PC or a modem.
6. VGA port: for connecting a monitor.
7. 4 RJ45 Ethernet ports for connecting network cables. The port on the top left corresponds to the external interface (OUT).
8. Power button: button for switching the appliance on and off.
9. 4 additional RJ45 Ethernet ports for connecting network cables.

Point 8: The Power button serves to switch the appliance on and off. To shut down the firewall, hold down the button for a few seconds (when the orange indicator is on) until the Online indicator goes off. To turn on the firewall, simply press lightly on this button.

4.8 The U1500 appliance

The U1500 appliance has the following characteristics:
- Throughput of 3,800 Mbits/s.
- 1,200,000 concurrent connections.
- 10 Gigabit interfaces.
- 25,000 new sessions per second.

4.8.1 Front panel

1. Power LED (yellow): when this LED lights up, this means that the firewall is running.
2. Status LED (green).
3. Online LED (green).

Point 1: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. The product is running when the Power LED and the Status and Online LEDs (green) are visible.

Point 2: When the appliance is starting, shutting down or being updated, the Status LED will light up. You are strongly advised against switching off the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

Point 3: The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces. For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

4.8.2 Rear panel

1. Fan grating.
2. Power socket: for plugging in the main power cable.
3. PS2 mini-din port: for connecting a keyboard.
4. 2 USB ports: for secure configuration or updates.
5. Serial port: for connecting the firewall directly to a PC or modem.
6. VGA port: for connecting a monitor.
7. 4 RJ45 Gigabit Ethernet ports for connecting network cables. The port on the top left corresponds to the external interface (OUT). (Ports are numbered).
8. Power button: button for switching the appliance on and off.
9. 6 RJ45 Ethernet gigabit ports for connecting network cables.
10. 6 additional RJ45 Ethernet gigabit ports for connecting network cables.

Point 8: The Power button serves to switch the appliance on and off. To shut down the firewall, hold down the button for a few seconds (when the orange indicator is on) until the Online indicator goes off. To turn on the firewall, simply press lightly on this button.

4.9 The U6000 appliance

The U6000 appliance has the following characteristics:
- Throughput of 5,000 Mbits/s.
- 2,500,000 concurrent connections.
- 6 to 24 Gigabit interfaces.
- 40,000 new sessions per second.

4.9.1 Front panel

1. Online LED.
2. Standby button: button for switching the appliance on and off.
3. Power LED (yellow): when this LED lights up, this means that the firewall is running.
4. Status LED.

Point 1: The Online LED will be the last to light up when the product is running. Traffic will pass through the interfaces. For an appliance configured in high availability, the Online LED will light up intermittently (for every second it lights up, it will go off for 2 seconds). This means that the appliance is in passive mode.

Point 2: The button for switching the appliance on and off is called the Standby button here and is found on the appliance's front panel. To shut down the firewall, just hold down the button for a few seconds (the orange indicator will be visible) until the Online indicator lights up.

Point 3: the Power LED (yellow) indicates that the product has been plugged in but has been shut down. The product is running when the Power LED and the Status and Online LEDs (green) are visible.

Point 4: When the appliance is starting, shutting down or being updated, the Status LED will light up.

You are strongly advised against switching off the product while the Status LED indicates that it is starting, shutting down or being updated.

The Status LED will blink (quick blinking every 250 milliseconds) in the event of a major failure of the product (hardware modification, faulty network interface, etc). In this case, contact your distributor.

The U6000 firewall has 2 additional indicators: a temperature indicator and a power supply indicator. If a unit is not receiving any power supply, the power supply indicator will light up. If a fan is faulty, the temperature indicator will light up.

4.9.2 Rear panel

1. 2 power sockets for plugging in the main power cables. The U6000 firewall is equipped with a redundant power supply. You are advised to connect each power unit to a different mains power supply.
2. Fan grating.
3. Not in use.
4. PS2 mini-din port: for plugging in a keyboard (purple).
5. 2 USB ports: for secure configurations and updates.
6. Serial port: for connecting the firewall directly to a PC or a modem.
7. Not in use.
8. VGA port: for connecting a monitor.
9. RJ45 Ethernet ports for connecting network cables. Ethernet port extension cards can be purchased separately. The port on the bottom left corresponds to the external interface (OUT).
10. 2 hot-swappable fans.
11. RJ45 Ethernet ports for connecting network cables (DMZ).
12. 4 slots for additional network cards.
13. Slot for one 0-channel RAID card.

When one of the power supply units is no longer working, an alarm will go off. Likewise, the alarm will go off if only one power cable is plugged in.

4.10 The NG1000-A appliance

The NG1000-A appliance has the following characteristics:
- Throughput of 4,500 Mbits/s.
- 1,000,000 concurrent connections.
- 8 Gigabit interfaces on the front panel and 2 Gigabit ports behind = 10 Gigabit interfaces.
- 50,000 new sessions per second.

Any of the following extension modules can be added:
- 4 Gigabit interfaces
- 6 Gigabit interfaces
- 2 fiber Gigabit interfaces
- 4 fiber Gigabit interfaces
- 2 x 10 GB fiber Gigabit interfaces (Q4 2010)

The NG1000-A can hold up to 16 interfaces.

4.10.1 Front panel

1. Brackets on both ends of the firewall (handles).
2. LEDs in the hard disk racks indicate disk access (blue, lower LED) and disk installation (yellow, upper LED).
3. 1 hard disk as the standard configuration and another as an option (for RAID).
4. 8 gigabit interfaces in the front panel as the standard configuration. As an option, 1*4 or 1*6 copper or optic fiber modules.
5. LEDs (from left to right): the 1st indicates that the appliance is overheating. When the 2nd or 3rd LED blinks, this indicates network activity on the management ports located at the back of the firewall. The 4th LED indicates disk activity (similar to the blue LED on the disk but without indicating the active disk). Lastly, the 5th LED, the power indicator, shows whether the firewall is on.
6. Reset button: resets the firewall electrically.
7. Power button: button for shutting down or turning on the firewall.

4.10.2 Rear panel

1. 2 power sockets for plugging in 2 mains power cables. The NG1000-A firewall is equipped with a redundant power supply. You are advised to connect each power unit to a different mains power supply and to use a power supply backed up by an inverter.
2. Not in use.
3. PS2 mini-din port: for plugging in a keyboard (purple).
4. 2 USB ports: for secure configurations and updates.
5. Serial port: for connecting the firewall directly to a PC or a modem.
6. VGA port: for connecting a monitor.
7. RJ45 Ethernet ports for connecting network cables. From left to right, MGMT1 and MGMT2 ports; these are used for administering the product and also for HA.

4.11 The NG5000-A appliance

The NG5000-A appliance has the following characteristics:
- Throughput of 8,500 Mbits/s.
- 2,500,000 concurrent connections.
- 16 Gigabit interfaces on the front panel and 2 Gigabit ports behind = 18 Gigabit interfaces.
- 50,000 new sessions per second.

Any of the following extension modules can be added:
- 4 Gigabit interfaces
- 6 Gigabit interfaces
- 2 fiber Gigabit interfaces
- 4 fiber Gigabit interfaces
- 2 x 10 GB fiber Gigabit interfaces (Q4 2010)

The NG1000-A can hold up to 24 interfaces.

4.11.1 Front panel

1. Brackets on both ends of the firewall (handles).
2. LEDs in the hard disk racks indicate disk access (blue, lower LED) and disk installation (yellow, upper LED).
3. 2 hard disks as the standard configuration (for RAID).
4. 2*6 + 1*4 copper gigabit interfaces in the front panel as the standard configuration. As an option, 1*4 or 1*6 copper or optic fiber gigabit interface modules.
5. LEDs (from left to right): the 1st indicates that the appliance is overheating. When the 2nd or 3rd LED blinks, this indicates network activity on the management ports located at the back of the firewall. The 4th LED indicates disk activity (similar to the blue LED on the disk but without indicating the active disk). Lastly, the 5th LED, the power indicator, shows whether the firewall is on.
6. Reset button: resets the firewall electrically.
7. Power button: button for shutting down or turning on the firewall.

4.11.2 Rear panel

1. 2 power sockets for plugging in 2 mains power cables. The NG5000-A firewall is equipped with a redundant power supply. You are advised to connect each power unit to a different mains power supply and to use a power supply backed up by an inverter.
2. Not in use.
3. PS2 mini-din port: for plugging in a keyboard (purple).
4. 2 USB ports: for secure configurations and updates.
5. Serial port: for connecting the firewall directly to a PC or a modem.
6. VGA port: for connecting a monitor.
7. RJ45 Gigabit Ethernet ports for connecting network cables. From left to right, MGMT1 and MGMT2 ports; these are used for administering the product and also for HA.

5 CONNECTIONS

5.1 Installation precautions

A firewall is the central device in your network, so do not neglect it: install it in the best way possible, under the best conditions.

NOTE: Instructions on how to connect products are also given in the Quickstart CD-ROM provided with the firewall.

5.1.1 Location

The NETASQ firewall has been designed to run continually, in an office or other premises. If you do not have a telecom closet, choose a flat and uncluttered surface and avoid places exposed to heat (sun rays, for example), humidity or dust.

The firewall has to be installed in compliance with the state of the art for installation, that is to say in a protected office or other premises with limited access. In order to guarantee the integrity of the product and to avoid compromising the security of your installation, all unauthorized access to the firewall has to be limited.

5.2 Power plug

NETASQ firewalls can operate on 230V or 110V. Insert the connector of the power cable (provided with the product) into the power socket on the rear panel of the NETASQ appliance. Next, plug the other end of the power cable into an appropriate power supply. The firewall will start up the moment it is plugged into the electrical network.

A redundant power supply is provided on NG1000-A, NG5000-A and U6000 firewalls. We advise you to connect each of the two power cables to distinct electrical networks so that you can protect your appliance from power failures. You are furthermore advised to connect these power supplies to inverters (preferably online).

5.3 Connection for administering the appliance

The appliance is administered by default via the INTERNAL interface. This interface, depending on the model, is identified by the number 2 (U30, U70, U120, U250, U450).

5.4 Connecting to the network

Connect the firewall's different interfaces to the network interconnection elements with an RJ45 cable.

The numbers of the interfaces apply to the U30, U70, U120, U250 and U450 models:
- The interface identified as 1 on the firewall corresponds to the EXTERNAL interface (called OUT by default).
- The interface identified as 2 on the firewall corresponds to the INTERNAL interface (called IN by default).
- The interfaces identified as 3, 4, 5, etc on the firewall correspond to the DMZ interfaces (like the INTERNAL interface, these interfaces host internal networks).

The interfaces are indicated below by appliance model:

5.4.1 U30

Figure 7: U30 interfaces

5.4.2 U70

Figure 8: U70 interfaces

5.4.3 U120

Figure 9: U120 interfaces

5.4.4 U250

Figure 10: U250 interfaces

5.4.5 U450

Figure 11: U450 interfaces

5.4.6 U1100

Figure 12: U1100 interfaces

5.4.7 U1500

Figure 13: U1500 interfaces

5.4.8 U6000

Figure 14: U6000 interfaces

5.4.9 NG1000-A

Figure 15: NG1000-A interfaces on the front panel

Figure 16: NG1000-A administration interfaces at the back

5.4.10 NG5000-A

Figure 17: NG5000-A interfaces on the front panel

Figure 18: NG5000-A administration interfaces at the back

5.4.11 Using a straight cable

A straight cable has to be used between a firewall and a hub, a switch or certain modems (depending on the type of modem, a straight or a crossover cable will be necessary).

5.4.12 Using a crossover cable (cable provided with the product)

A crossover cable has to be used for connecting the firewall to an active network element (router, firewall, PC, certain modems, etc). Certain routers have built-in hubs. In this case, you will need to use a straight cable.

In the event there has been an error in the connection of cables, you will need to restart your product in order to connect again (this is due to the anti-spoofing protection mechanism).

NOTE: After you hear 8 consecutive beeps, you will be able to insert a USB key containing a configuration if necessary. 2 consecutive beeps indicate the end of the product's startup sequence.

5.4.13 Antispoofing mechanism

If you connect to an interface then unplug the cable to connect to another interface, you will trip the firewall's anti-spoofing security feature (it will then be impossible to connect to this appliance). When this situation arises, there are two solutions: either you change the address that you have just assigned to the administration host (this is what NETASQ recommends), or you reboot the appliance after you have changed its interface.

6 PHYSICAL INSTALLATION OF THE APPLIANCE

Once the appliances have been installed, the information indicated on the labels and necessary for their installation will no longer be easily accessible.

6.1 Preparation before installation

6.1.1 Preparation of the network cables

You need to use a network cable for each firewall interface connected to your infrastructure.

6.1.1.1 Type of network cable according to network port

| Type of Ethernet port | Type of cable | Connector |
|---|---|---|
| 10/100BaseT Ethernet port | To run at 100Mbits/s: Category 5 twisted pair or higher. | RJ45 |
| 10/100/1000BaseT Ethernet port | To run at 100Mbits/s or 1000Mbits/s: Category 5 twisted pair or higher. | RJ45 |
| 1000FX Gigabit Ethernet port (fiber cable) | Optic fiber cable | LC |

6.1.1.2 Type of network cable according to the connected device

| Device connected to the firewall | Type of cable |
|---|---|
| Hub | Straight cable |
| Switch | Straight cable |
| Modem | Straight or crossover cable. Check the documentation on the modem to find out the type of cable to use. You can also connect the firewall to the modem (depending on the type of modem) with a serial link by using a straight serial cable. |
| Router | Straight or crossover cable, if the router embeds a hub. |
| Other firewall | Crossover cable |
| PC | Crossover cable |

NOTE: A crossover cable is delivered with the NETASQ firewall.

6.1.2 Preparation of the racking cabinet or bay

You will need to set aside a minimum space in your cabinet or racking bay in order to install the NETASQ appliance. Depending on the product, the minimum height requirements vary:
- U30, U70: 1U in height, half-19" in width
- U120, U250 and U450: 1U in height, 19" in width
- U1100 and U1500: 1U in height, 19" in width
- U6000: 4U in height, 19" in width
- NG1000-A: 1U in height, 19" in width
- NG5000-A: 2U in height, 19" in width

Set aside a minimum vertical space between each element in the cabinet or racking bay for proper air circulation.

6.1.3 Preparation of internet access

Before installing the NETASQ firewall, ensure that the devices that connect to the internet (if the firewall has to be connected to the internet) have been appropriately installed and configured.

6.2 Placing the appliance in a bay

All NETASQ appliances can be installed in 19-inch cabinets or bays. U1100 and U1500 products have built-in brackets that allow the direct installation of the product. The NG1000-A, NG5000-A and U6000 appliances are sold with a rail system that allows them to be integrated into a bay. U120, U250 and U450 products are sold with a fastening system that has to be added to the product in order to install it. The system is available only by special order for the U30 and U70.

6.2.1 Installing a U30 or U70

6.2.1.1 View from the top

Figure 19: U30, U70: Installation in a bay - View from the top

6.2.1.2 View from the front

Figure 20: U30, U70: Installation in a bay - View from the front

1. Lateral bars in the bay
2. Supporting deck
3. Screws and caged nuts
4. Appliance

A system for installing the appliance in a bay can be delivered for the U30 by special order:

Installation of the deck in the bay. Screw the supporting deck to the lateral sides of the rack using the caged nuts.

Once the deck has been installed, you will be able to place one or two products (no fastening is needed) on the supporting deck. Ensure there is a space of 1U above the product for proper air circulation.

6.2.2 Installing a U120, U250 or U450

Figure 21: U120, U250, U450: Installation in a bay

1. Lateral bars in the bay
2. Front panel
3. Rear panel

4. Screws and caged nuts

U120 appliances are delivered with a set of brackets for mounting the appliance in a bay. These brackets are not shown in the diagram above.

Installation of the firewall in the bay. Screw the lugs of the chassis to the lateral sides of the bay.

The metal handles on the front panel of the product should not be used for lifting it, but only for setting it in or removing it from the bay.

6.2.3 Installing a U1100, U1500 or U6000

Figure 22: U1100, U1500, U6000: Installation in a bay

1. Brackets
2. Front panel
3. Rear panel
4. Screws and caged nuts
5. Supporting rail
6. Lateral bars in the bay

U1100 appliances are delivered with a system of brackets to be attached to the front panel of the appliance and lateral supporting rails.

Setup of the supporting rails. Screw the brackets to the appliance. The lugs have to be placed at the front panel of the product.

Setup of the supporting rails. The positioning of the supporting rails depends on the size of the bay.

Installation of the appliance in the bay. Screw the brackets and supporting bars to the lateral sides of the bay.

6.2.4 Preconfiguring a firewall

You can now connect to the firewall through the NETASQ graphical configuration interface, NETASQ UNIFIED MANAGER. After you have installed this configuration software on your client workstation, you can modify the parameters of the network interfaces on the NETASQ firewall in order to adapt it to your IP addresses and to select the operating mode (transparent or normal).

If you changed the IP address of the Windows client workstation for this configuration, don't forget to reset it to its former configuration.

7 INITIAL CONNECTION TO THE PRODUCT

7.1 Prerequisites

7.1.1 Minimum configuration for configuring a NETASQ firewall

The NETASQ firewall is fully configured via a software program developed by NETASQ: NETASQ UNIFIED MANAGER. Using this program, you will be able to configure your firewall from a Windows workstation. You will need the following elements in order to install this software:
- CPU with a minimum of 2GHz
- A minimum of 512 MB of RAM (Windows XP) for client software, 2 GB for server software.
- About 300MB of hard disk space, as this is what the software will occupy after its installation. If possible, reserve several gigabytes of space for the database (depending on the activity of the connected firewall(s)).
- Ethernet 100 or 1000 Mbps network card

NETASQ supports the execution of the software in a defined environment.

Client software applications are supported on the following 32-bit operating systems:
- Microsoft Windows Server 2003 SP2
- Microsoft Windows XP Service Pack 2 and higher
- Microsoft Windows Vista
- Microsoft Windows Server 2008

Server software applications are supported on the following 32-bit operating systems:
- Microsoft Windows Server 2003 SP2
- Microsoft Windows XP Service Pack 2 and higher

7.1.2 Preparation of internet access

Before installing the NETASQ firewall, ensure that the devices that connect to the internet (if the firewall has to be connected to the internet) have been appropriately installed and configured.

7.2 Configuration

When you first receive your firewall, it will run in transparent mode and will have the IP address 10.0.0.254 with a subnetwork mask 255.0.0.0. These parameters do not match your network configuration, but they are necessary for the preconfiguration phase. If you do not know what these parameters mean, we strongly advise that you read up on TCP/IP in order to understand how to configure your NETASQ firewall.

These are the intervals defined by the different classes of IP address:

| Class | IP address range |
|---|---|
| A | 0.0.0.0 to 127.255.255.255 |
| B | 128.0.0.0 to 191.255.255.255 |
| C | 192.0.0.0 to 223.255.255.255 |
| D | 224.0.0.0 to 239.255.255.255 |
| E | 240.0.0.0 to 247.255.255.255 |

Some parts of these address ranges are reserved for private networks:

| Class | Reserved IP address ranges |
|---|---|
| A | 10.0.0.0 to 10.255.255.255 |
| B | 172.16.0.0 to 172.31.255.255 |
| C | 192.168.0.0 to 192.168.255.255 |

Preconfiguring from a Windows workstation is the method that we recommend, and it is the one used in our illustrations. The workstation can either be directly linked to the firewall's internal interface, or connected to the local network, itself linked to the firewall's internal interface. For a direct connection of the workstation to the firewall, use the crossover Ethernet cable, which has been delivered with the product. Please refer to section 5.4: Connecting to the network for more information.

To connect to the firewall, you need to use a workstation with an IP address in the same subnetwork as the firewall. We suggest that you use the address 10.0.0.1 and the subnetwork mask 255.0.0.0.
The procedure for configuring your Windows workstation is as follows:
- Go to the Control panel on your Windows workstation,
- Select the Network menu,
- Select TCP/IP from the list of network elements, then Properties,
- Indicate the address information required for the network configuration of the workstation:
  - IP address: 10.0.0.250 or the IP address you have selected for your workstation,
  - Subnetwork mask: 255.0.0.0,
  - Default gateway: indicate the current address of your firewall (10.0.0.254 by default).
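The addressing rule above (a workstation address in the same subnetwork as the firewall's factory address 10.0.0.254, mask 255.0.0.0) can be checked before the settings are applied. The Python sketch below is an added example, not part of the NETASQ guide or its software; the function names and the sample inputs are assumptions constructed for illustration.

```python
"""Pre-flight check of workstation settings for reaching a factory-default
firewall (10.0.0.254, mask 255.0.0.0, as stated in the guide)."""
import ipaddress

# Factory defaults taken from the guide.
FIREWALL_IP = ipaddress.IPv4Address("10.0.0.254")
FIREWALL_NET = ipaddress.IPv4Network("10.0.0.254/255.0.0.0", strict=False)

# Private ranges listed in the guide, keyed by address class.
PRIVATE_RANGES = {
    "A": ipaddress.IPv4Network("10.0.0.0/8"),
    "B": ipaddress.IPv4Network("172.16.0.0/12"),
    "C": ipaddress.IPv4Network("192.168.0.0/16"),
}


def private_class(ip):
    """Return 'A', 'B' or 'C' if ip is in one of the guide's private ranges."""
    addr = ipaddress.IPv4Address(ip)
    for name, net in PRIVATE_RANGES.items():
        if addr in net:
            return name
    return None


def check_workstation(ip, mask, gateway=None):
    """Return a list of problems; an empty list means the settings are usable."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway) if gateway else None
    except ValueError as exc:  # malformed address or non-contiguous mask
        return [f"invalid value: {exc}"]

    problems = []
    net = iface.network
    if iface.ip == FIREWALL_IP:
        problems.append("address conflict: same address as the firewall")
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append("address is the network or broadcast address")
    # Both directions must hold: the firewall has to see the workstation as
    # local, and the workstation has to see the firewall as local.
    if iface.ip not in FIREWALL_NET:
        problems.append("workstation is outside the firewall's subnetwork")
    if FIREWALL_IP not in net:
        problems.append("firewall is not on-link with this mask")
    if gw is not None and gw not in net:
        problems.append("default gateway is not reachable from this subnetwork")
    return problems


if __name__ == "__main__":
    # Constructed sample settings: (IP address, mask, default gateway).
    samples = [
        ("10.0.0.250", "255.0.0.0", "10.0.0.254"),  # values from the guide
        ("10.1.2.3", "255.255.255.0", None),        # right range, wrong mask
        ("192.168.1.10", "255.255.255.0", None),    # workstation's old address
        ("10.0.0.254", "255.0.0.0", None),          # collides with the firewall
    ]
    for ip, mask, gw in samples:
        result = check_workstation(ip, mask, gw)
        print(ip, mask, "->", "OK" if not result else "; ".join(result))
```

The second sample is the case the prose does not spell out: an address inside 10.0.0.0 to 10.255.255.255 still fails if the workstation mask is narrower than 255.0.0.0 and excludes 10.0.0.254.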

Alternatively, configure your workstation so that it accepts a dynamic IP address from the appliance (DHCP server):
- Open the Network connections window:
  - Windows 2000: Start > Control panel > Network and dial-up connections
  - Windows XP: Start > Control panel > Network and Internet connections
- Right-click on Connect to the local network and select Properties.
- Select Internet Protocol (TCP/IP) from the list, then Properties.
- Select the option Obtain an IP address automatically and click on OK.
- To confirm changes, click on OK again.

7.3 Registering and installing the product

Launch your preferred web browser and enter the address https://10.0.0.254/config/index.html. This installation help web server will guide you through the different steps in the configuration. You may also use the Quickstart CD-ROM (Appendix E: Installing via the CD-ROM).

Next, you will be able to:
- Configure the network to define the network architecture in which your product will be located.
- Register your product in order to obtain updates.
- Perform the first updates.
- Obtain the license. For more information on this subject, please refer to Appendix A: Updating the license.
- Install the administration tools in order to obtain the Manager, Monitor and Reporter software suite.

APPENDIX A: UPDATING THE LICENSE

Your appliance is delivered with a temporary license; you therefore need to update it.

NOTE
The license update step is shown in the installation wizard (CD-ROM).

Once you have acquired an additional network card, you will need to update your product with the license that will allow you to use this card.

The NETASQ appliance has to be rebooted when a new license is activated on it.

Please refer to the procedure below to find out how to update your product license:

Retrieving the license

Step 1 : Go to NETASQ's website at www.netasq.com

Step 2 : Go to the menu CLIENTS-PARTNERS\Secure-Access Areas. The following screen will appear:

Enter your login and password then confirm. The client secure-access area homepage will appear.

Step 3 : Click on License management. You will then see a list of all the NETASQ UTM products registered in this area.

Select the product for which you wish to retrieve the license by clicking on the product's serial number. Details of the license will be displayed.

Five tabs provide details on the license. The General tab will open by default. Go to the Details tab to check that the license to be downloaded from the website does include the option that activates the new network ports, which you will be able to activate subsequently.

Next, go to the General tab and look for the section License download.

- First, select the major version of your UTM product.
- Select the minor version.
- Click on the Download button.

Note
Before you download the license, you will need to know your product's version. If you do not know it, it is indicated on a label affixed to the product's cardboard packaging. If you no longer have the packaging, or if you have since updated your product, connect to your NETASQ UTM product via NETASQ UNIFIED MANAGER. The product's version will be indicated in the main window in the section General information > NSBSD Version.

Installing the license

To install the license that has been downloaded from the client secure-access area on NETASQ's website, connect to the UTM product via NETASQ UNIFIED MANAGER and go to the menu Firewall\Licenses...

When you click on the Licenses sub-menu, details of the installed license will appear (if you have never installed a license on the product, then this will be the product's temporary license).

Click on the License button in order to insert the license that you have downloaded from the NETASQ website. Select the downloaded license in order to insert it into the NETASQ UTM product.

The NETASQ appliance has to be rebooted when a new license is activated on it.

APPENDIX B: RESETTING THE FIREWALL

It is possible to restore the default factory settings of a NETASQ Firewall. This operation returns the product to its initial state.

Resetting a Firewall will completely remove the configuration made on the product. This operation is irreversible, so don't apply this procedure unless absolutely needed.

For a U30, U70, U120, U250 and U450

In order to reset a NETASQ U30, U70, U120, U250 or U450 Firewall, take a pointed object (a pen for example). A small switch is located on the appliance's front panel (between the USB port and the VGA port) and is accessible through a hole in the hood. Keep the button pressed for about 15 seconds, until you hear a sound.

The reset procedure will be launched automatically; after a few minutes the initial settings will be recovered and the Firewall will reboot. This reboot takes about 5 minutes, so wait until the end of the procedure (you will hear a sound) before reconnecting to the firewall.

Caution: this operation will also reset the password.

For other products

For other products, resetting a NETASQ Firewall has to be done in console mode. There are several ways to access the Firewall in console mode. The easiest is over the serial link: use the serial cable provided with the Firewall to connect the appliance and a PC through their serial ports.

Start an application like HyperTerminal (accessible through the menu Start\Programs\Accessories\Communication). Choose a communication on the COM port and specify the following parameters:

    Bits per second: 9600
    Data bits: 8
    Parity: None
    Stop bit: 1
    Traffic control: Hardware

The following invitation appears:

    FreeBSD (U70XXA0Z089020) (ttyd0)
    login:

Indicate the admin login and the related password that you use to connect to the Firewall.

Enter the following command: defaultconfig -f and press Enter

    FreeBSD (U70XXA0Z0899020) (ttyd0)
    login: admin
    SSH Passphrase:
    Copyright (c) 1980, 1983, 1986,1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved
    U70XXA0Z0899020>defaultconfig -f

A beep will sound and your Firewall will reboot. The Firewall is now restored to factory defaults.

APPENDIX C: ADDING AN ADDITIONAL U6000 NETWORK CARD

There are 5 main steps to follow when adding a network card to the U6000 firewall:

Step 1  Updating the product license.
Step 2  Downloading the license.
Step 3  Shutting down the firewall.
Step 4  Inserting the card.
Step 5  Rebooting the firewall in console mode.

General points

Authorization
You must ask technical support for authorization before opening the appliance.

Warning
After the appliance has been dismantled, the warranty remains valid if and only if the person who has performed this operation is NETASQ Expert-certified and has abided by the procedure. The warranty may be rendered null and void in the event any action other than what has been described in this procedure has been carried out.

Appliances concerned

U6000 appliances.

Description of the cards

The U6000 product supports the following cards:

PCI-E card
- 2 copper gigabit ports
- 4 copper gigabit ports
- 6 copper gigabit ports
- 2 SX fiber optic gigabit ports, LC connector
- 2 LX fiber optic gigabit ports, LC connector
- 4 SX fiber optic ports, LC connector
- 4 LX fiber optic ports, LC connector

PCI-X card
- 2 copper gigabit ports
- 4 copper gigabit ports
- 6 copper gigabit ports
- 2 fiber optic gigabit ports: SX adapter, LC connector
- 2 fiber optic gigabit ports: LX adapter, LC connector

Steps to follow

Introduction

The U6000 appliance has 6 gigabit network ports by default and 3 slots that allow for the insertion of additional network cards. The initial order of the ports is as follows:

[Diagram: rear panel with slot labels RAID, PCI-E QUAD, PCI-E, PCI-E, PCI-X, PCI-X and slot numbers 1 to 7. Interfaces shown: em0 (out), em1 (in), em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4).]

NOTE
- The QUAD Gigabits card (slot 3) specifies the first few ports on the product.
- The terms PCI-E and PCI-X refer to the bus technology on the slot. Cards must therefore match the bus technology of the slot they are inserted into (PCI-E: PCI Express).

The QUAD card has to be kept in its original location regardless of which additional network cards have been added.

Procedure for adding a card

The license has to be updated before an additional network card can be installed on a NETASQ firewall. For further information, please refer to Appendix A at the end of this document.

To ensure that the installation proceeds smoothly, follow the steps below:

1. Update the license using the activation information contained in Appendix A of this document.
2. Download the new license from NETASQ's website (this license activates the new network ports).
3. Install the license using NETASQ UNIFIED MANAGER (in the same manner as for the 1st activation).
4. NETASQ UNIFIED MANAGER will restart the firewall.
5. After the firewall has fully restarted, shut it down then dismantle it.
6. Remove the cover from the PCI slot in which you wish to install the card.
7. Insert the network card into the PCI slot.
8. Start up the firewall.
9. Connect to the firewall in console mode (keyboard + monitor).
10. Enter the command globalgen (this will show the number of interfaces physically present on the firewall).
11. Enter the command reboot. The firewall will restart.
12. While the firewall is rebooting, go to the BIOS configuration by pressing Del or F2 (Del is more widely used).
13. In the menu PnP/PCI Configuration, set the option Reset Configuration Data to ENABLE, save and exit.
14. During the reboot of the firewall, the message Update ESCD Success will appear.

REMARKS
- The name and location of the option Reset Configuration Data may differ according to the BIOS manufacturer.
- The product's Watchdog is enabled within the first few moments of startup. Do not linger in the BIOS, as this may cause the Watchdog to reboot the firewall unnecessarily.
- The order in which slots are used for adding network cards has a direct impact on the identification of ports on these cards. To add a network card, follow the steps described above and refer to the procedures described in the sections later in this document.
- The warranty may be rendered null and void for all actions not included in those described in the current procedure.

7.3.1 Adding a PCI-E network card

The first additional network card has to be installed in the first free slot on the rear panel (Slot 4). This is the PCI-E port slot directly to the right of the 4 gigabit port QUAD card inserted by default.

The diagram below illustrates how a 6-port network card should be inserted.

[Diagram: rear panel with slot labels RAID, PCI-E QUAD, PCI-E, PCI-E, PCI-X, PCI-X and slot numbers 1 to 4. Interfaces shown: em0 (out), em1 (in), em2 (dmz-1) to em5 (dmz-4), and em6 (dmz-5) to em11 (dmz-10).]

7.3.2 Adding a 2nd PCI-E network card

The 2nd additional network card has to be installed in the second free slot on the rear panel (Slot 5). This is the PCI-E port slot directly to the right of the 1st additional PCI-E card installed on the product.

The numbering of the interfaces depends on the number of ports on the existing cards and on those that have just been installed. The interface numbers for this card are added after the other interfaces that are already present.

The diagram below illustrates how a 6-port network card should be inserted.

[Diagram: rear panel with slot labels RAID, PCI-E QUAD, PCI-E, PCI-E, PCI-X, PCI-X and slot numbers 1 to 5. Interfaces shown: em0 (out), em1 (in), em2 (dmz-1) to em5 (dmz-4), em6 (dmz-5) to em11 (dmz-10), and em12 (dmz-11) to em17 (dmz-16).]

NOTE
This product holds 6 to 18 network ports. These are detected one after another from left to right (and from top to bottom on the cards).

7.3.3 Adding a PCI-X network card

The PCI-X network card has to be installed directly to the right of the 2nd additional PCI-E card installed on the product (PCI-X slot).

The interfaces for this card will be added after those that are already present, giving each PCI-X card 6 additional ports as a result.

The interfaces on the firewall will be renumbered when a PCI-X card is added. As such, the cables connected to these interfaces have to be rearranged accordingly.

The diagram below illustrates how a 6-port PCI-X network card should be inserted.

[Diagram: rear panel with slot labels RAID, PCI-E QUAD, PCI-E, PCI-E, PCI-X, PCI-X and slot numbers 1, 2, 4, 5, 6, 3. Interfaces shown: em0 (out), em1 (in), em2 (dmz-1) to em7 (dmz-6), em8 (dmz-7) to em11 (dmz-10), em12 (dmz-11) to em17 (dmz-16), and em18 (dmz-17) to em23 (dmz-22).]

NOTE
The above configuration represents the maximum configuration on the U6000 model: 6 default ports + 18 extension ports.

7.4 Scenarios for adding PCI-X cards

The interfaces on the firewall will be renumbered when a PCI-X card is added. As such, the cables connected to these interfaces have to be rearranged accordingly.

Since the interfaces get renumbered according to the location of cards that have been installed and their port numbers, the scenarios below indicate the procedures to follow for plugging the cables into the appropriate interfaces.

There are as many scenarios as there are combinations of numbers of cards and numbers of ports. However, they can be grouped into two main categories:

- Addition of the PCI-X card first: this means the first card inserted into the default configuration.
- Addition of the PCI-X card after a PCI-E card: we will retain the least favorable scenario (insertion of a PCI-X card in an 18-port configuration).

7.4.1 Scenario in which a 6-port PCI-X card is added to a default configuration

[Diagram, captioned "Initial configuration": em0 (out), em1 (in); PCI-E QUAD: em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4). Slot numbers 1, 2, 3; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]

[Diagram, also captioned "Initial configuration" and carrying the label "New interfaces": em0 (out), em1 (in); PCI-E QUAD: em8 (dmz-7), em9 (dmz-8), em10 (dmz-9), em11 (dmz-10); PCI-X: em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4), em6 (dmz-5), em7 (dmz-6). Slot numbers 1, 2, 4, 3; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]

7.4.2 Scenario in which a 2-port PCI-X card is added to a default configuration

[Diagram, captioned "Initial configuration": em0 (out), em1 (in); PCI-E QUAD: em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4). Slot numbers 1, 2, 3; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]

[Diagram, also captioned "Initial configuration" and carrying the label "New interfaces": em0 (out), em1 (in); PCI-E QUAD: em4 (dmz-3), em5 (dmz-4), em6 (dmz-6), em7 (dmz-7); PCI-X: em2 (dmz-1), em3 (dmz-2). Slot numbers 1, 2, 4, 3; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]

7.4.3 Scenario in which a 6-port PCI-X card is added after a PCI-E card

[Diagram, captioned "Initial configuration": em0 (out), em1 (in); PCI-E QUAD: em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4); additional PCI-E cards: em6 (dmz-5) to em11 (dmz-10) and em12 (dmz-11) to em17 (dmz-16). Slot numbers 1, 2, 3, 4, 5; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]

[Diagram, also captioned "Initial configuration": em0 (out), em1 (in); PCI-E QUAD: em8 (dmz-7), em9 (dmz-8), em10 (dmz-9), em11 (dmz-10); additional PCI-E cards: em12 (dmz-11) to em17 (dmz-16) and em18 (dmz-17) to em23 (dmz-22); PCI-X: em2 (dmz-1), em3 (dmz-2), em4 (dmz-3), em5 (dmz-4), em6 (dmz-5), em7 (dmz-6). Slot numbers 1, 2, 4, 5, 6, 3; slot labels PCI-E, PCI-E, PCI-X, PCI-X, RAID.]
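The renumbering shown in scenarios 7.4.1 to 7.4.3 can be computed ahead of the maintenance window so that every cable is moved to the port that now carries its interface name. The following is an added example, not NETASQ code: the detection order (em0/em1, then the PCI-X card, then the QUAD card, then the PCI-E cards) is an assumption inferred from the three scenarios above, and the card labels and function names are hypothetical.

```python
"""Added example: U6000 interface renumbering when a PCI-X card is inserted."""

ONBOARD_PORTS = 2  # em0 (out) and em1 (in)
QUAD_PORTS = 4     # PCI-E QUAD card delivered in slot 3


def zone_name(index):
    """Default name used in the guide's diagrams: out, in, then dmz-(N-1)."""
    if index == 0:
        return "out"
    if index == 1:
        return "in"
    return "dmz-%d" % (index - 1)


def enumerate_ports(pcie_cards, pcix_ports=0):
    """Return {(card, port_on_card): "emN"} in the assumed detection order.

    pcie_cards: port counts of the additional PCI-E cards (slot 4, then slot 5).
    pcix_ports: port count of the PCI-X card, 0 when none is installed.
    port_on_card is the detection rank on the card, not a printed label.
    """
    groups = [("onboard", ONBOARD_PORTS)]
    if pcix_ports:
        groups.append(("pci-x", pcix_ports))   # assumption: detected before QUAD
    groups.append(("quad", QUAD_PORTS))
    groups += [("pci-e slot %d" % (4 + i), n) for i, n in enumerate(pcie_cards)]

    mapping, index = {}, 0
    for card, count in groups:
        for port in range(count):
            mapping[(card, port)] = "em%d" % index
            index += 1
    return mapping


def recabling_plan(pcie_cards, pcix_ports):
    """List (interface, zone, old_location, new_location) for each interface
    name that sits on a different physical port once the PCI-X card is in."""
    old = {name: loc for loc, name in enumerate_ports(pcie_cards).items()}
    new = {name: loc
           for loc, name in enumerate_ports(pcie_cards, pcix_ports).items()}
    plan = []
    for name, old_loc in old.items():
        if new[name] != old_loc:
            plan.append((name, zone_name(int(name[2:])), old_loc, new[name]))
    return plan


if __name__ == "__main__":
    # Scenario 7.4.2: 2-port PCI-X card added to the default configuration.
    for name, zone, src, dst in recabling_plan([], 2):
        print("%s (%s): move cable from %s port %d to %s port %d"
              % (name, zone, src[0], src[1], dst[0], dst[1]))
```

A cable left in place after the renumbering ends up on a differently named interface, so the plan lists every interface whose physical port changes rather than only the new ports.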

APPENDIX D: ADDING AN NG1000-A and NG5000-A EXTENSION MODULE

The procedure for adding modules to the NG1000-A or NG5000-A firewall takes place in 5 main steps:

Step 1  Updating the product license.
Step 2  Downloading the license.
Step 3  Shutting down the firewall.
Step 4  Inserting the module.
Step 5  Restarting the firewall in console mode.

General points

Appliances concerned

NG1000-A and NG5000-A appliances.

Description of the cards

NG1000-A and NG5000-A appliances support the following extension modules:

- 1*4 copper gigabit ports
- 1*6 copper gigabit ports
- 2 SX fiber optic gigabit ports, LC connector
- 2 LX fiber optic gigabit ports, LC connector
- 4 SX fiber optic ports, LC connector
- 4 LX fiber optic ports, LC connector
- 2 x 10GB SR fiber optic ports: LC connector

Procedure for adding a card

The license has to be updated before an additional network card can be installed on a NETASQ firewall. For further information on the license update procedure, please refer to Appendix A: Updating the license.

To ensure that the installation proceeds smoothly, follow the steps below:

1. Update the license using the activation information contained in Appendix A of this document.
2. Download the new license from NETASQ's website (this license activates the new network ports).
3. Install the license using NETASQ UNIFIED MANAGER (in the same manner as for the 1st activation).
4. NETASQ UNIFIED MANAGER will restart the firewall.
5. After the firewall has fully restarted, shut it down then dismantle it.
6. Remove the cover from the PCI slot in which you wish to install the card.
7. Insert the network card into the PCI slot.
8. Start up the firewall.
9. Connect to the firewall in console mode (keyboard + monitor).
10. Enter the command globalgen (this will show the number of interfaces physically present on the firewall).

APPENDIX E: INSTALLING VIA THE CD-ROM

Insert the installation CD-ROM provided. Once the CD-ROM has been inserted, the administration wizard will launch automatically and guide you step by step.

Figure 23: installation wizard on the CD-ROM

From the CD-ROM, you will be able to:

- Configure the network to define the network architecture in which your product will be located. For more information on the subject of network connections, please refer to Appendix A.
- Register your product in order to obtain updates.
- Perform the first updates.
- Obtain the license. For more information on this subject, please refer to Appendix A: Updating the license.
- Install the administration tools in order to obtain the Manager, Monitor and Reporter software suite.

GLOSSARY

P

PCI-E
PCI Express (Peripheral Component Interconnect Express). This is an interconnection bus that allows adding network cards to the firewall. It operates on a serial interface, thus enabling a much higher bandwidth than on a bus that operates on a parallel interface.

PCI-X
(Peripheral Component Interconnect extended). This is an add-on interconnection bus that is secondary to a PCI-E.