
In document CyberGuard 5.2 Installation Guide (Page 84-98)

KS Initial Configuration

Figure 3-11 shows the Initial Configuration window for KS systems. Procedures for using this window are explained in “Using the Initial Configuration Utility” on page 1-11.

The Initial Configuration window for KS systems contains the following fields and controls:

High Availability Setting

(Required) Has the following selections:

Disabled Indicates that High Availability (HA) is not installed. This radio button is selected by default.

Primary Indicates that the specified host is the primary firewall in an HA pair

Secondary Indicates that the specified host is the secondary firewall in an HA pair

Firewall Appliance

Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections: FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

KnightSTAR Models

(Required) Has the following selections:

KS Denotes a unit with one on-board network interface.

KS1000 Denotes a 1U Westville motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.

KS1500 Denotes a 2U Westville motherboard with two on-board network interfaces. This model number appears on a label on the front panel of the computer.

Customize

Displays the KnightSTAR Network Device Configuration window. Use this window to specify the types of network interface cards that are installed on the computer.

NOTE

In the drop-down list boxes on this window, the crypto selection denotes a cryptographic hardware accelerator.

On KS models, the KnightSTAR Network Device Configuration window contains the following fields and controls:

Card 1 Indicates the type of network interface card installed in Slot 1. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eeE[1], eeE[2], rav[1]

Card 2 Indicates the type of network interface card installed in Slot 2. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], e1000[2], crypto, eeE[1], eeE[2], rav[1], empty

On KS1000 models, the KnightSTAR Network Device Configuration window contains the following fields and controls.

NOTE

You may specify up to two network interface cards. Only one may be a full-height card. -h denotes a half-height (low profile) card. A half-height card can be used in a full-height slot with a mounting bracket.

Card 1 Indicates the type of network interface card. The drop-down list box includes the types of network interface cards that are supported on this platform: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Card 2 Indicates the type of network interface card. The drop-down list box includes the following selections: e1000[2]-h, dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, empty.

On KS1500 models, the KnightSTAR Network Device Configuration window contains the following fields and controls.

NOTE

You may specify up to six network interface cards. Only three may be a full-height card. -h denotes a half-height (low profile) card. A half-height card can be used in a full-height slot with a mounting bracket.

Card 2 Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Card 3 Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Card 4 Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Card 5 Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Card 6 Indicates the type of network interface card. The drop-down list box includes the following selections: dec[4], adptsf[4], e1000[1], crypto, rav[1], eeE[1]-h, eeE[2]-h, e1000[2]-h, empty.

Firewall Host Name

(Required) Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name

(Required) Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Aggregates

Displays the KnightSTAR LAG Configuration window. LAG (link aggregation) is an optional feature that allows you to combine multiple physical network interface cards into one logical network interface. You must have obtained a license key that includes this feature prior to configuring LAG.

Use this window to configure LAG groups. You may configure up to 16 groups and assign up to 8 members per group. The KnightSTAR LAG Configuration window contains the following fields and controls:

Aggregates Drop-down list box that contains the names of the LAG groups that can be configured (lag0 - lag15)

Members Displays the network interface cards that have been selected from the Choices list to be members of the specified LAG group. Click on the right (>>) button to return a selected item to the Choices list.

Choices Displays the network interface cards that are set to Disable in the Type field and that may be added to a LAG group. Only PCI Ethernet cards based on the DEC™ 2114x (e.g., dec0 - dec3) and Adaptec® cards based on the AIC-6915 (e.g., adptsf0 - adptsf3) are supported and may be displayed in this list. The number and type of cards displayed varies according to whether you have used the Customize button to specify a particular configuration of network interface cards. Click on the left (<<) arrow button to move a selected card to the Members list.

Aggregate (Read-only) Displays the interface name of the currently selected LAG group

Mode Specifies the operation mode for the selected LAG group. Selections available from the drop-down list box include the following:

Standby

(Default) Denotes hot-standby mode. Typically in this mode, two physical ports are configured beneath one LAG group. Output traffic flows through the operational port with the highest priority.

Aggregate

Denotes basic aggregation mode. Typically in this mode, two to four physical ports are configured beneath one LAG group. Output traffic flows through all operational ports. If you select this mode, you may select a Distribution Algorithm for the specified LAG group.

Distribution Algorithm Specifies the frame fields on which to base the port distribution algorithm. The drop-down list box includes the following selections:

Service

(Default) Selects a physical port based on the frame’s service number (e.g., TCP or UDP source and destination ports).

Dest. MAC

Selects a port based on the frame’s destination MAC address

Source IP

Selects a port based on the frame’s source IP address

Dest. IP

Selects a port based on the frame’s destination IP address

Source/Dest. IP

Selects a port based on the frame’s source and destination IP addresses
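The Mode and Distribution Algorithm settings above decide which member port carries a given frame. The following is an added example written for this page, not CyberGuard code: the manual names the frame fields each algorithm uses but not the hash that maps them to a member, so the CRC-32-modulo-members hash below is an assumption made purely to illustrate the behaviour. Interface names follow the manual (dec0, dec1); the sample traffic is constructed. It shows the property a practitioner cares about when choosing an algorithm: Dest. MAC pins every frame bound for a single upstream router onto one member, while the per-flow algorithms keep each flow on one member yet spread flows across the group.

```python
"""Member selection for a KnightSTAR LAG group under both Mode settings.

Added example, not CyberGuard code. The hash (CRC-32 of the selected
fields, reduced modulo the member count) is an assumption; the manual
does not specify it. Sample frames are constructed.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Only the header fields the five algorithms can look at."""
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


# Drop-down names from the manual -> fields that are hashed.
ALGORITHMS = {
    "Service":         lambda f: (f.proto, f.src_port, f.dst_port),
    "Dest. MAC":       lambda f: (f.dst_mac,),
    "Source IP":       lambda f: (f.src_ip,),
    "Dest. IP":        lambda f: (f.dst_ip,),
    "Source/Dest. IP": lambda f: (f.src_ip, f.dst_ip),
}


def aggregate_member(frame: Frame, algorithm: str, members: list) -> str:
    """Aggregate mode: pick the operational member that carries this frame.

    Hashing only the selected fields keeps every frame of one flow on the
    same member, so a flow is never reordered across ports.
    """
    if not members:
        raise ValueError("LAG group has no operational members")
    key = "|".join(str(v) for v in ALGORITHMS[algorithm](frame)).encode()
    return members[zlib.crc32(key) % len(members)]


def standby_member(priority_order: list, operational: set) -> str:
    """Standby mode: all output uses the highest-priority port that is up."""
    for member in priority_order:
        if member in operational:
            return member
    raise RuntimeError("no operational member in LAG group")


def load_per_member(frames, algorithm: str, members: list) -> dict:
    """Frames carried by each member: how evenly an algorithm spreads load."""
    counts = {m: 0 for m in members}
    for f in frames:
        counts[aggregate_member(f, algorithm, members)] += 1
    return counts


# Constructed traffic: 40 internal hosts talking to 40 Internet hosts,
# all leaving through one upstream router (a single destination MAC).
ROUTER_MAC = "00:00:5e:00:53:01"
SAMPLE = [
    Frame(ROUTER_MAC, f"10.1.1.{10 + i}", f"203.0.113.{i}", "tcp", 40000 + i, 443)
    for i in range(40)
]
MEMBERS = ["dec0", "dec1"]

if __name__ == "__main__":
    for algo in ALGORITHMS:
        print(f"{algo:16s} {load_per_member(SAMPLE, algo, MEMBERS)}")
    print("standby with dec0 down:", standby_member(MEMBERS, {"dec1"}))
```

Running the block prints the per-member counts for each algorithm over the constructed traffic; the Dest. MAC row always shows one member carrying all 40 frames, which is why that algorithm is a poor fit for a firewall whose external traffic all goes to one router.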

Type

(Required) Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.

Disable Denotes an interface that is not being used. All interfaces are set to Disable by default.

Internal Denotes an interface that is used to connect to your private internal network

External Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet)

Internal Exempt Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby

External Exempt Denotes an external interface that is not to be marked down when the served firewall fails over to the standby

Heartbeat Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are

Name

Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens.

Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

NOTE

Remote Web Administration Interface (e.g., eeE0) Requirements A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eeE0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine. If you do not specify a name, a fully-qualified domain name of the following form is used by default:

node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it possible to use name resolution to manage the machines in an HA pair separately.

A fully-qualified domain name is also required for the Remote Web Administration interface on a stand-alone machine. If you do not specify a name, the default is node_name.domain, where node_name is the value specified in the Firewall Host Name field and domain is the value entered in the Domain Name field.

An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server).

You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.
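The Name field rule and the Remote Web Administration naming note above are mechanical enough to check before a unit is deployed. The following is an added example for this page, not CyberGuard code: it implements the host-name character rule, derives the default Remote Web Administration name for a stand-alone machine and for each member of an HA pair, enforces the must-differ rule for Exempt interfaces, builds the /etc/hosts alias line the manual describes, and performs the hosts-file lookup a Manager IP host would need to succeed. Function names and the sample hosts lines are this example's own.

```python
"""Name-field rules and default Remote Web Administration (RWA) names.

Added example, not CyberGuard code. Rules implemented are those stated
in the Initial Configuration reference: host names start with a letter
and otherwise contain only alphanumerics, periods and hyphens; the
default RWA name is node_name.domain stand-alone and node_name-1 /
node_name-2 .domain in an HA pair; /etc/hosts gets the unqualified
node_name as an alias; the Manager IP host must resolve the RWA name.
"""
import re
from typing import Optional

# Leading alphabetic, then alphanumerics, periods or hyphens only.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9.-]*")


def valid_interface_name(name: str) -> bool:
    """Check a Name field value against the manual's host-name rule."""
    return _NAME_RE.fullmatch(name) is not None


def default_rwa_name(node_name: str, domain: str, ha_role: Optional[str] = None) -> str:
    """Default FQDN for the RWA interface when its Name field is left empty.

    ha_role is None for a stand-alone machine, "Primary" or "Secondary"
    for a member of an HA pair (matching the High Availability Setting).
    """
    if not valid_interface_name(node_name):
        raise ValueError(f"invalid Firewall Host Name: {node_name!r}")
    if not domain:
        raise ValueError("Domain Name is required")
    if ha_role is None:
        return f"{node_name}.{domain}"
    n = {"Primary": 1, "Secondary": 2}[ha_role]
    return f"{node_name}-{n}.{domain}"


def check_exempt_pair(primary_name: str, secondary_name: str) -> None:
    """Exempt RWA interfaces in an HA pair must not share a name."""
    if primary_name.lower() == secondary_name.lower():
        raise ValueError("primary and secondary RWA names must differ when Exempt")


def hosts_entry(ip: str, rwa_fqdn: str, node_name: str) -> str:
    """The /etc/hosts line the manual describes: FQDN plus unqualified alias."""
    return f"{ip}\t{rwa_fqdn}\t{node_name}"


def resolve_in_hosts(hosts_text: str, name: str) -> Optional[str]:
    """Look `name` up the way a hosts-file lookup on the manager host would.

    Comments and blank lines are skipped; any name on a line matches,
    case-insensitively, and the first match wins.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


# Constructed sample: an HA pair, Firewall Host Name "fw", Domain Name
# "example.net", RWA interfaces left unnamed so the defaults apply.
PRIMARY = default_rwa_name("fw", "example.net", "Primary")      # fw-1.example.net
SECONDARY = default_rwa_name("fw", "example.net", "Secondary")  # fw-2.example.net

# What the firewall itself writes to /etc/hosts (primary shown).
FIREWALL_HOSTS_LINE = hosts_entry("192.0.2.1", PRIMARY, "fw")

# Constructed /etc/hosts on the management workstation (Manager IP host).
MANAGER_HOSTS = "\n".join([
    "127.0.0.1\tlocalhost",
    "# CyberGuard HA pair",
    f"192.0.2.1\t{PRIMARY}",
    f"192.0.2.2\t{SECONDARY}",
])

if __name__ == "__main__":
    check_exempt_pair(PRIMARY, SECONDARY)
    print(FIREWALL_HOSTS_LINE)
    print(PRIMARY, "->", resolve_in_hosts(MANAGER_HOSTS, PRIMARY))
    print(SECONDARY, "->", resolve_in_hosts(MANAGER_HOSTS, SECONDARY))
```

If `resolve_in_hosts` returns None for the name you intend to type into the browser, Remote Web Administration will not be reachable from that workstation until the hosts file or name server is fixed, which is the failure mode the note above is warning about.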

IP Address

(Required) Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask

Specifies a subnet mask as a dotted quad mask (e.g., 255.255.255.0) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., 255.0.0.0 for Class A, 255.255.0.0 for Class B,

FSO User

(Required) Specifies the login ID for a privileged Firewall Security Officer (FSO).

An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password

(Required) Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation

(Required) Respecifies the string entered in the FSO Password field

Remote Management Service

(Required) Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin. The default is None.

Management Interface

(Required if a Remote Management Service is specified or a configuration is to be restored) Indicates the network interface that is to be used to access the firewall from the remote system. On KS models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, eeE0. On KS1000 models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, e10000, e10001, e10002, e10003. On KS1500 models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, dec4, dec5, dec6, dec7, e10000, e10001. The selections vary according to whether you have used the Customize button to specify a particular configuration of network interface cards or the Aggregates button to configure a LAG group. The default is None.

Manager IP

(Required if a Remote Management Service is specified) Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall

Manager Route IP

Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.
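The IP Address, Subnetwork Mask, Manager IP and Manager Route IP fields interact: whether a Manager Route IP is needed at all depends on the interface address and mask. The following is an added example for this page, not CyberGuard code. It encodes the rules stated above (first byte of the address below 224; mask given as a dotted quad or a bit count, defaulting to the class mask when left empty) and decides whether the Manager IP is on the Management Interface's local network. Treating the Manager Route IP as a next hop that must itself lie on the local network is ordinary IP routing, not a rule quoted from the manual; function names and sample addresses are this example's own.

```python
"""IP Address / Subnetwork Mask checks and the Manager Route IP decision.

Added example, not CyberGuard code. Implements the classful rules the
Initial Configuration reference states and a plain on-link test for
the Manager IP. Sample addresses are constructed (documentation ranges).
"""
import ipaddress
from typing import Optional

# Default mask applied when the Subnetwork Mask field is left empty.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip: str) -> str:
    """Classful letter of a dotted-quad address; first byte must be below 224."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    first = int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    raise ValueError(f"{ip}: first byte {first} is not below 224 (not Class A, B or C)")


def interface_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Network of an interface; mask may be '24', '255.255.255.0' or empty."""
    mask = (mask or "").strip() or DEFAULT_MASK[address_class(ip)]
    # IPv4Network accepts either a prefix length or a dotted netmask after '/'.
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def manager_route_required(iface_ip: str, mask: Optional[str], manager_ip: str) -> bool:
    """True when the Manager IP is not on the Management Interface's network."""
    return ipaddress.IPv4Address(manager_ip) not in interface_network(iface_ip, mask)


def check_management_reachability(iface_ip: str, mask: Optional[str],
                                  manager_ip: str, route_ip: Optional[str] = None) -> str:
    """Return 'local' or 'routed', or raise if the four fields are inconsistent."""
    net = interface_network(iface_ip, mask)
    if not manager_route_required(iface_ip, mask, manager_ip):
        return "local"
    if not route_ip:
        raise ValueError(f"Manager IP {manager_ip} is not in {net}; Manager Route IP is required")
    # Assumption from ordinary IP routing, not the manual: the next hop must be on-link.
    if ipaddress.IPv4Address(route_ip) not in net:
        raise ValueError(f"Manager Route IP {route_ip} is not on the local network {net}")
    return "routed"


if __name__ == "__main__":
    # Constructed values: management interface 192.0.2.10/24, workstation
    # first on the same subnet, then on a remote one behind 192.0.2.1.
    print(interface_network("192.0.2.10", "24"))
    print(check_management_reachability("192.0.2.10", "24", "192.0.2.50"))
    print(check_management_reachability("192.0.2.10", "24", "198.51.100.7", "192.0.2.1"))
```

Note what the class rule does not catch: an empty mask on a 10.x.x.x interface silently yields 10.0.0.0/8, so a Manager IP anywhere in 10/8 is treated as local and no Manager Route IP is set, even when the real subnet is much smaller. Filling in the mask explicitly avoids that surprise.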

System Mouse Type

(Required) Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, PS/2. The default is None.

Time Zone

(Required) Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP

Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization

Onboard MAC Address

Specifies the address of the onboard Ethernet port as it appears on a label on the computer. On KS and KS1000 models, this label is on the front panel; on KS1500 models, it is on the top of the front right-hand corner. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID

(Read-only) Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate

Allows you to obtain the hardware ID for the computer. This ID is needed to obtain a license key. NOTE: If you are using a thirty-day trial license, you are not required to obtain a hardware ID.

Serial Number

Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key

Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration

Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key

RADIUS Server IP

Backup Server IP

Specifies the IP address of the backup RADIUS server

RADIUS Port

Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138)

RADIUS Secret Key

Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation

Respecifies the string entered in the RADIUS Secret Key field

Organizational Unit

Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.
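The RADIUS Secret Key field above is described as the password encryption key shared between the firewall (RADIUS client) and the server. The following added example, not CyberGuard code, shows what that key is actually used for: the User-Password hiding defined in RFC 2138 (carried unchanged into its successor, RFC 2865). The password is NUL-padded to a multiple of 16 bytes and XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, one block chained to the next. The secret, password and authenticator values are constructed; the function names are this example's own.

```python
"""RADIUS User-Password hiding (RFC 2138 section 5.2; same in RFC 2865).

Added example, not CyberGuard code. Demonstrates the role of the
shared secret entered in the RADIUS Secret Key field:
  b1 = MD5(S + RA)        c1 = p1 XOR b1
  bi = MD5(S + c(i-1))    ci = pi XOR bi
where S is the shared secret, RA the Request Authenticator and p1..pn
the 16-byte blocks of the NUL-padded password.
"""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: produce the User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not secret:
        raise ValueError("shared secret must not be empty")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()    # b_i = MD5(S + c_{i-1})
        block = _xor(padded[i:i + 16], keystream)           # c_i = p_i XOR b_i
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password. A mismatched secret yields garbage,
    not an error, so a wrong Key Confirmation shows up only as failed logins."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]                              # chain on the ciphertext block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values; a real client draws the authenticator at random per request.
    secret = b"correct-horse-battery-staple"
    authenticator = bytes(range(16))
    hidden = hide_password(b"s3cret!", secret, authenticator)
    print(hidden.hex())
    print(reveal_password(hidden, secret, authenticator))
    print(reveal_password(hidden, b"wrong-secret", authenticator))
```

Because the keystream is MD5(secret || authenticator), the secret is the only thing standing between a captured RADIUS packet and the administrator's password; the "any printable character" allowance is an opportunity to use a long random string, not a reason to pick a short word.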

Remote Host IP

Specifies the IP address of the remote host from which you wish to restore a firewall configuration

Remote Route IP

Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network. NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File

Specifies the full or relative path name of the configuration file that you wish to restore. NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User

Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password

Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key

(Required if Configuration File is encrypted) Specifies the key to be used to decrypt the restored configuration file. NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP

Specifies the IP address to which packets are forwarded if an explicit route does not already exist.

KS 5U Systems


This section provides information specific to KS 5U systems. It includes hardware and firmware setup procedures and reference information needed to complete the KS Initial Configuration window.

Hardware


This section describes PCI slot and port ordering for KS 5U systems and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

PCI Slot Ordering


Figure 3-12 shows the ordering of PCI slots on KS 5U systems with a Lancewood motherboard. The view is from the back of the chassis.

Figure 3-12. Lancewood Motherboard PCI Slot Ordering (slot numbers as they appear in the diagram, row by row: 1 2; 3 4; 5 6 0)

Figure 3-13 shows the ordering of PCI slots on KS 5U systems with a Tupelo motherboard. The view is from the back of the chassis.

Figure 3-13. Tupelo Motherboard PCI Slot Ordering

Figure 3-14 shows the ordering of PCI slots on KS1500R systems with Hodges or Bryson motherboards. The view is from the back of the chassis.

Figure 3-14. KS1500R PCI Slot Ordering

(Labels as they appear in the diagram, row by row: 6 5; 4 3; 1 2; RAID, Expansion; 2310 4567, Expansion; Not Used, Expansion)

Setup


To set up a KS 5U or KS1500R firewall system, complete the following steps.

1. Remove the computer from the box.

2. Using the diagram in Figure 3-15, “Back Panel of KS 5U with Lancewood Motherboard,” Figure 3-16, “Back Panel of KS 5U with Tupelo Motherboard,” or Figure 3-17, “Back Panel of KS1500R,” plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables.

NOTE

The current default video setting for these appliance firewall systems is 1024 x 768 x 256 colors @ 72 Hz refresh.

3. Turn on the computer.

Figure 3-15. Back Panel of KS 5U with Lancewood Motherboard (connector labels in the diagram: PS/2 Mouse; Keyboard; Serial Terminal (COM2); Serial Mouse (COM1); On-Board Ethernet Port (eeE0); Video)

Figure 3-16. Back Panel of KS 5U with Tupelo Motherboard (connector labels in the diagram: On-Board Ethernet Port (eeE0); Keyboard; PS/2 Mouse; Video; Serial Terminal (COM2); Serial Port (COM1))

Figure 3-17. Back Panel of KS1500R (connector labels in the diagram: NIC 1 10/100 (eeE_0); Serial Port (COM1); Keyboard; NIC 2 Gbit (e1000_0); USBs (not used); Video; PS/2 Mouse)
