
CyberGuard 5.2 Installation Guide


This publication or any part thereof is intended solely for use with CyberGuard Corporation products by CyberGuard Corporation personnel, customers, and end users.

The information contained in this document is believed to be correct at the time of publication. It is subject to change without notice. CyberGuard Corporation makes no warranties, express or implied, concerning the information contained in this document.

To report an error or comment on a specific portion of the manual, photocopy the page in question and mark the correction or comment on the copy. Mail the photocopied page (and any additional comments) to CyberGuard Corporation, 2000 West Commercial Boulevard, Suite 200, Fort Lauderdale, FL 33309. Mark the envelope “Attention: Publications Department.”

Adaptec, ANA, Quartet, and Quartet64 are trademarks of Adaptec, Inc., which may be registered in some jurisdictions.

CyberGuard is a registered trademark of CyberGuard Corporation. DEC is a trademark of Digital Equipment Corporation.

Ethernet is a registered trademark of Xerox Corporation. Ghost is a trademark of Symantec Corporation.

Microsoft and Windows are registered trademarks of Microsoft Corporation. UnixWare is a registered trademark of Caldera International, Inc.


Scope of Manual

This manual explains the procedures for setting up CyberGuard’s appliance firewalls.

Structure of Manual

This manual consists of four chapters and three appendixes. A brief description of the chapters and appendixes is presented as follows.

Chapter 1 explains the procedures for preparation and initial setup of CyberGuard’s appliance firewalls. It describes the software and procedures for installing, upgrading, and configuring an appliance firewall system.

Chapter 2 explains the procedures for setting up and configuring FS appliance firewalls.

Chapter 3 explains the procedures for setting up and configuring KS appliance firewalls.

Chapter 4 explains the procedures for setting up and configuring SL appliance firewalls.

Appendix A provides information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

Appendix B describes the system backup and restore procedures for the appliance firewalls.

Appendix C provides information needed to use the privadm command. This command allows you to set up an administrative network at the SYS_PRIVATE level.


Syntax Notation

The following notation is used throughout this manual:

italic        Books, reference cards, and items that the user must specify appear in italic type. Special terms may also appear in italics.

list bold     User input appears in list bold type and must be entered exactly as shown. Names of directories, files, commands, options and system manual page references also appear in list bold type.

list          Operating system and program output such as prompts and messages and listings of files and programs appear in list type.

[ ]           Brackets enclose command options and arguments that are optional. You do not type the brackets if you choose to specify such options or arguments


Chapter 1 Installing and Configuring Appliances

Before You Begin . . . 1-1
Appliance Firewall Software . . . 1-1
Licensing . . . 1-2
Upgrading an Existing Firewall System . . . 1-3
Upgrading an Appliance Firewall System . . . 1-3
Upgrading a Standard Firewall System to an Appliance . . . 1-7
Using the Initial Configuration Utility . . . 1-11
Setting Up the Hardware . . . 1-21
Appliance Firewall Autoconfiguration . . . 1-22
Logging Into the Appliance Firewall . . . 1-23

Chapter 2 FS Systems

Hardware . . . 2-1
Ethernet Port Ordering . . . 2-1
Setup . . . 2-1
Firmware for ISP1100 Systems . . . 2-4
Setting the BIOS . . . 2-4
Setting Up the COM Port . . . 2-4
Setting Up Boot Devices . . . 2-5
Saving Changes . . . 2-7
Firmware for FS Systems with Bonham Motherboard . . . 2-7
Setting the BIOS . . . 2-7
Setting Up Boot Devices . . . 2-7
Saving Changes . . . 2-10
Firmware for FS250 and FS500 Systems . . . 2-11
Setting the BIOS . . . 2-11
Setting Up Boot Devices . . . 2-12
Saving Changes . . . 2-15
FS Initial Configuration . . . 2-15

Chapter 3 KS Systems

KS 1U and 2U Systems . . . 3-1
Hardware . . . 3-1
Ethernet Port Ordering . . . 3-1
Setup . . . 3-4
Firmware for KS 2U with Lancewood Motherboard . . . 3-7
Setting the BIOS . . . 3-7
Setting Up the COM Port . . . 3-7
Setting Up Boot Devices . . . 3-8
Saving Changes . . . 3-8


Setting the BIOS . . . 3-10
Setting Up the COM Port . . . 3-10
Setting Up Boot Devices . . . 3-11
Saving Changes . . . 3-11
Setting the SCSI BIOS . . . 3-11
Firmware for KS1000 Systems . . . 3-13
Setting the BIOS . . . 3-13
Setting Up Advanced Features . . . 3-14
Setting Up Security . . . 3-16
Setting Up the Server . . . 3-16
Setting Up Boot Devices . . . 3-17
Saving Changes . . . 3-17
Setting the SCSI BIOS . . . 3-17
Firmware for KS1500 Systems . . . 3-18
Setting the BIOS . . . 3-18
Setting Up Advanced Features . . . 3-19
Setting Up Security . . . 3-21
Setting Up the Server . . . 3-21
Setting Up Boot Devices . . . 3-22
Saving Changes . . . 3-22
Setting the SCSI BIOS . . . 3-23
KS Initial Configuration . . . 3-24
KS 5U Systems . . . 3-34
Hardware . . . 3-34
PCI Slot Ordering . . . 3-34
Setup . . . 3-36
Firmware for KS 5U with Lancewood Motherboard . . . 3-38
Setting the BIOS . . . 3-38
Setting Up the COM Port . . . 3-38
Setting Up Boot Devices . . . 3-39
Saving Changes . . . 3-39
Setting the SCSI BIOS . . . 3-40
Firmware for KS 5U with Tupelo Motherboard . . . 3-41
Setting the BIOS . . . 3-41
Setting Up the COM Port . . . 3-41
Setting Up Boot Devices . . . 3-42
Saving Changes . . . 3-42
Setting the SCSI BIOS . . . 3-42
Firmware for KS 5U with Tupelo Motherboard and RAID . . . 3-44
Setting the BIOS . . . 3-44
Setting Up the COM Port . . . 3-44
Setting Up Boot Devices . . . 3-45
Saving Changes . . . 3-45
Setting up the RAID Array . . . 3-45
Firmware for KS1500R with Hodges Motherboard . . . 3-48
Setting the BIOS . . . 3-48
Setting Up Advanced Features . . . 3-49
Setting Up the Server . . . 3-51


Setting Up Security . . . 3-58
Setting Up the Server . . . 3-58
Setting Up Boot Devices . . . 3-59
Saving Changes . . . 3-59
Setting up the RAID Array . . . 3-59
KS [5U] Initial Configuration . . . 3-62

Chapter 4 SL Systems

Hardware . . . 4-1
PCI Slot and Port Ordering . . . 4-1
Setup . . . 4-3
Firmware for SL 4U with KOA Motherboard . . . 4-5
Setting the BIOS . . . 4-5
Setting Up the COM Port . . . 4-6
Setting Up Boot Devices . . . 4-6
Saving Changes . . . 4-6
Setting Up the RAID Array . . . 4-7
Firmware for SL2000 Systems . . . 4-9
Setting the BIOS . . . 4-9
Setting Up Advanced Features . . . 4-10
Setting Up Security . . . 4-12
Setting Up the Server . . . 4-12
Setting Up Boot Devices . . . 4-13
Saving Changes . . . 4-14
Setting Up the RAID Array . . . 4-14
Firmware for SL3200 Systems . . . 4-16
Setting the BIOS . . . 4-16
Setting Up Advanced Features . . . 4-17
Setting Up Security . . . 4-19
Setting Up the Server . . . 4-19
Setting Up Boot Devices . . . 4-20
Saving Changes . . . 4-21
Setting Up the RAID Array . . . 4-21
SL Initial Configuration . . . 4-23

Appendix A Identifying Ports and Unit Numbers

Appendix B Backup and Restore Procedures

Backing Up an Appliance Firewall Configuration . . . B-1
Restoring an Appliance Firewall Configuration . . . B-2
Restoring a Configuration . . . B-3
Restoring a Configuration After a System Failure . . . B-4


Illustrations

Figure 1-1. Initial Configuration Window for Appliance Firewalls . . . 1-13
Figure 1-2. Stand-Alone KS System . . . 1-15
Figure 1-3. Sample Initial Configuration Data for Stand-Alone System . . . 1-16
Figure 1-4. KS High Availability Pair . . . 1-17
Figure 1-5. Sample Configuration Data for HA Primary System . . . 1-18
Figure 1-6. Sample Configuration Data for HA Secondary System . . . 1-19
Figure 2-1. ISP1100 Back Panel . . . 2-2
Figure 2-2. ISP1100 Front Panel . . . 2-2
Figure 2-3. FS with Bonham Motherboard Back Panel . . . 2-3
Figure 2-4. FS250 Back Panel . . . 2-3
Figure 2-5. FS500 Back Panel . . . 2-3
Figure 2-6. Initial Configuration Window for FS Platform . . . 2-16
Figure 3-1. Port Ordering for First-Generation Systems—Top Slot Empty . . . 3-2
Figure 3-2. Port Ordering for Other First-Generation Systems . . . 3-2
Figure 3-3. Port Ordering for Second-Generation Systems . . . 3-3
Figure 3-4. Port Ordering for KS 2U with Tupelo Motherboard . . . 3-3
Figure 3-5. Port Ordering for KS1000 Systems . . . 3-3
Figure 3-6. Port Ordering for KS1500 Systems . . . 3-4
Figure 3-7. KS 2U with Lancewood Motherboard Back Panel . . . 3-5
Figure 3-8. KS 2U with Tupelo Motherboard Back Panel . . . 3-5
Figure 3-9. KS1000 Back Panel . . . 3-6
Figure 3-10. KS1500 Back Panel . . . 3-6
Figure 3-11. Initial Configuration Window for KS Platform . . . 3-24
Figure 3-12. Lancewood Motherboard PCI Slot Ordering . . . 3-34
Figure 3-13. Tupelo Motherboard PCI Slot Ordering . . . 3-35
Figure 3-14. KS1500R PCI Slot Ordering . . . 3-35
Figure 3-15. Back Panel of KS 5U with Lancewood Motherboard . . . 3-36
Figure 3-16. Back Panel of KS 5U with Tupelo Motherboard . . . 3-37
Figure 3-17. Back Panel of KS1500R . . . 3-37
Figure 3-18. Initial Configuration Window for KS 5U Platform . . . 3-62
Figure 4-1. PCI Slot Ordering on SL 4U Systems . . . 4-2
Figure 4-2. PCI Slot Ordering on SL2000 Systems . . . 4-2
Figure 4-3. PCI Slot Ordering on SL3200 Systems . . . 4-3
Figure 4-4. SL 4U with KOA Motherboard Back Panel . . . 4-4
Figure 4-5. SL2000 Back Panel . . . 4-4
Figure 4-6. SL3200 Back Panel . . . 4-5
Figure 4-7. Initial Configuration Window for SL Platform . . . 4-24
Figure C-1. Firewall Administered by a Private Administrative Network . . . C-1


Chapter 1

Installing and Configuring Appliances

This chapter describes CyberGuard appliance firewall software for FS, KS, and SL appliances and explains the procedures for setting up, installing, and configuring these types of systems. It also explains the procedures for upgrading FS, KS, and SL appliance firewall systems to Release 5.2.

Before You Begin


This section provides an overview of the appliance firewall software and licensing.

Appliance Firewall Software


The appliance firewall software consists of one CD-ROM for each type of FS, KS, and SL appliance.

The CD-ROM provides a complete image of an installed appliance firewall system. This image is created using Symantec Corporation’s Norton Ghost™. The CD-ROM is bootable; consequently, the appliance firewall has the CD-ROM device as the first boot device. The appliance firewall image is loaded onto the system’s hard drive prior to shipment from the factory. It is ready when you first power up the system.

In addition to the firewall image, the CD-ROM contains the following important directory: ksinit. This directory contains the browser-based CyberGuard Firewall Appliance Initial Configuration utility, ksinit.htm, and associated files: mssave.htm, shieldwm.jpg, fshelp.htm, kshelp.htm, ks5uhelp.htm, slhelp.htm, FSBack.jpg, FSBackS.jpg, FSBBack.jpg, FSBBackS.jpg, KSLBack.jpg, KSLBackS.jpg, KSTBack.jpg, KSTBackS.jpg. This utility allows you to create a configuration file that can be used for autoconfiguration of the basic components of the firewall during initial boot. These components include the following:

High Availability
Administrative user
Licensing
Firewall host name
Remote management
Central authentication
Domain name
System mouse type
Restore firewall configuration
Network interfaces
System time and time synchronization

The ksinit utility can be run on a remote workstation that runs Microsoft® Internet Explorer 4.x or higher or Netscape Navigator 4.x. The configuration file that you create is saved as a text file and stored on a diskette. The diskette can then be inserted in the floppy drive of the firewall for which the configuration is intended. During initial boot, the firewall will read the configuration file from the diskette, load the initial configuration, and reboot.

Procedures for using the CyberGuard Firewall Appliance Initial Configuration utility are explained in “Using the Initial Configuration Utility,” page 1-11.

The appliance firewall software also consists of one additional CD-ROM that contains CyberGuard Supplemental Products and CyberGuard Firewall Release 5.2 manuals in PDF format. These manuals are the Release Notes, Installation Guide, and the CyberGuard Firewall Manual, a 3-volume set that includes Administering the CyberGuard Firewall, Configuring the CyberGuard Firewall, and Configuring SmartProxies on the CyberGuard Firewall.

Licensing


To use the features of the appliance firewall, you must have one of the following types of licenses:

30-day trial license

System license obtained from the CyberGuard Corporation Web site

The type of license that you have affects the information that you must enter on the Initial Configuration window (see “Using the Initial Configuration Utility,” page 1-11, and Figure 1-1 for a picture of this window). Information required with each type of license is outlined as follows.

30-Day Trial License

Allows you to leave the following fields blank:

Onboard MAC Address

Hardware ID

Serial Number


System License

Requires that you enter information in the following fields:

Onboard MAC Address

Hardware ID (read-only field completed by clicking the Generate button)

Serial Number

License Key

NOTE

If you are upgrading an existing FS, KS, or SL appliance firewall system to Release 5.2, you may choose to use your current hardware ID to obtain a system license. In this case, you must enter only the Serial Number and License Key on the Initial Configuration window.

Upgrading an Existing Firewall System


If you wish to upgrade an existing firewall system to Release 5.2, you must complete the following procedures. Otherwise, proceed to “Using the Initial Configuration Utility” on page 1-11.

To upgrade an appliance firewall, follow the procedures presented on page 1-3. To upgrade a standard firewall system to an appliance, follow the procedures presented on page 1-7.

Upgrading an Appliance Firewall System


If you wish to upgrade an existing FS, KS, or SL appliance firewall system to Release 5.2, complete the following procedures.

NOTE

Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.

Be sure that you have a box of blank diskettes available for backing up the system. Label each diskette as appropriate so that you will be able to restore your configuration successfully.

NOTE

Some of the procedures can be performed by accessing the appliance from a remote workstation; some of the procedures must be performed on the appliance.

Follow the procedures described in “Using the Initial Configuration Utility” on page 1-11 to create a Release 5.2 configuration file that can be used for autoconfiguration of the basic components of the firewall during initial boot.

On the appliance firewall system, insert a blank, writable diskette into the floppy drive to prepare for backing up your system.

On the appliance or a remote workstation:

Select System from the firewall Control Panel, and then select Software Update.

When the Software Update window is displayed, enter the following in the RemoteHost field:

ftp.cybg.com

Enter the following in the RemoteDirectory field:

/Unix/5.2/Optional_pkgs

Enter the following in the RemoteFileName field:

backupconfig_orders

Enter the login name to be used on the RemoteHost in the Remote UserName field (anonymous login is allowed).

Enter the password associated with the Remote UserName in the RemotePassword field.

Check the UseEncryption check box.

Enter the string required to decrypt the file in the Encryption Password field.

Click on Invoke.

The following message will be displayed when the process has been completed:

NOTE

The system will not be restarted.

Click on OK.

On the appliance firewall system:

Remove the diskette from the drive, and label it Firewall Recovery Diskette n, where n represents the sequence number of the recovery diskette.

Continue to insert, remove, and label recovery diskettes until you have completed backing up your system.

Insert the FS, KS, or SL appliance firewall Release 5.2 bootable CD in the CD-ROM drive.

Press <Reset> to reboot the system.

When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.

On the Main page, set System Time and System Date to appropriate values for Greenwich Mean Time (GMT).

Use the right arrow key to select Exit.

Select Exit Saving Changes, and press <Enter>.

A window displays the following message:

Save configuration changes and exit now?

Select Yes, and press <Enter>.

A system reboot occurs.

Following installation of several drivers, the following message is displayed on the appliance firewall:

IMPORTANT: This program is about to overwrite your hard drive! All existing data will be lost!

Do you want to continue (you have 20 seconds to respond) [Y,N]?

If you do not wish to proceed, press <N>. Otherwise, press <Y> or wait 20 seconds for the program to continue.

The system runs Norton Ghost™. As the image is loaded, the Progress Indicator window is displayed. Loading the image requires approximately 20 minutes.

When the image has been loaded, the computer beeps, and the following messages and prompt are displayed on the appliance firewall:

Image loaded successfully
. . .
Batch File Finished
D:\

Remove the appliance firewall CD from the CD-ROM drive.

Proceed with autoconfiguration as explained in “Appliance Firewall Autoconfiguration” on page 1-22.

After the firewall system reboots (requires approximately four minutes), remove the Initial Configuration diskette from the floppy drive.

Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

NOTE

You must continue to remove and insert recovery diskettes into the drive until you have completed recovery of your firewall configuration.

On the appliance or a remote workstation:

As applicable, use an attached monitor or Remote Web Administration to log in to the appliance firewall system.

Select Tools from the firewall Control Panel, and then select Shell Window.

When the ShellWindow is displayed, enter the following to become root:

/sbin/tfadmin newlvl SYS_PRIVATE
su

Enter the corresponding password, and press <Enter>.


Enter 4 to select Restore Configuration Files. The following message is displayed:

Select source device: (t)ape, (f)loppy, (d)isk

Enter f.

When the configuration files have been restored, you are returned to the menu.

Enter q to quit.

Enter exit to exit the root shell.

Enter exit to return to the previous level.

Enter exit to close the Shell Window.

Select System from the firewall Control Panel, and then select System Shutdown.

When the System Shutdown window is displayed, select Reinitialize Network.

On the appliance firewall system, remove the last Firewall Recovery Diskette from the drive.

Upgrading a Standard Firewall System to an Appliance

If you wish to upgrade an existing standard firewall system to a Release 5.2 appliance firewall, you must complete the following procedures.

NOTE

Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.

Be sure that you have a box of blank diskettes available for backing up the system. Label each diskette as appropriate so that you will be able to restore your configuration successfully.

Follow the procedures described in “Using the Initial Configuration Utility” on page 1-11 to create a Release 5.2 configuration file that can be used for autoconfiguration of the basic components of the appliance firewall during initial boot.

Select System from the firewall Control Panel, and then select Software Update.

When the Software Update window is displayed, enter the following in the RemoteHost field:

ftp.cybg.com

Enter the following in the RemoteDirectory field:

/Unix/5.2/Optional_pkgs

Enter the following in the RemoteFileName field:

backupconfig_orders

Enter the login name to be used on the Remote Host in the Remote UserName field (anonymous login is allowed).

Enter the password associated with the Remote User Name in the RemotePassword field.

Check the UseEncryption check box.

Enter the string required to decrypt the file in the EncryptionPassword field.

Click on Invoke.

The following message will be displayed when the process has been completed:

Software Update has been invoked. The system will be restarted to perform upgrade maintenance in a few minutes. Please wait. See /var/adm/log/cg_getorders.log for details.

NOTE

The system will not be restarted.

Click on OK.

Remove the diskette from the drive, and label it Firewall Recovery Diskette n, where n represents the sequence number of the recovery diskette.

Continue to insert, remove, and label recovery diskettes until you have completed backing up your standard firewall system.

Proceed with autoconfiguration as explained in “Appliance Firewall Autoconfiguration” on page 1-22.

After the appliance firewall system reboots (requires approximately four minutes), remove the Initial Configuration diskette from the floppy drive.

Now that you have installed and configured the appliance firewall, you can access it via an attached monitor or via a remote management service (i.e., Remote Web Administration or SSH-Secure Shell).

On the appliance or a remote workstation, complete the following steps:

When the CyberGuard Firewall login window is displayed with your system name, log in as the FSO user that you specified on the appliance firewall Initial Configuration window.

When prompted, enter the FSO password, and press <Enter>.

The CyberGuard Firewall Control Panel is displayed.

Change the root password by completing the following steps.

Select the Configuration menu, and then select Users.

When the Users window appears, click on ShowEditor.

Select the root user, and click on the Authentication tab.

Click on the Password tab.

Click on Generate, or enter a new password in the Password field.

Click on Save.

Set up your security policy by restoring the configuration that you backed up to diskettes on the standard firewall system. Complete the following steps:

On the appliance firewall system:

Insert Firewall Recovery Diskette n, where n is a sequence number ranging from one to the total number of recovery diskettes, into the drive.

NOTE

You must continue to remove and insert recovery diskettes into the drive until you have completed recovery of your firewall configuration.

On the appliance or a remote workstation:

Select Tools from the firewall Control Panel, and then select Shell Window.


When the ShellWindow is displayed, enter the following to become root:

/sbin/tfadmin newlvl SYS_PRIVATE
su

Enter the corresponding password, and press <Enter>.

Enter the following to change level to network:

newlvl network

Enter the following to execute cginstall:

cginstall

Enter 4 to select Restore Configuration Files. The following message is displayed:

Select source device: (t)ape, (f)loppy, (d)isk

Enter f.

When the configuration files have been restored, you are returned to the menu.

Enter q to quit.

Enter exit to exit the root shell.

Enter exit to return to the previous level.

Enter exit to close the Shell Window.

Select System from the firewall Control Panel, and then select System Shutdown.

When the System Shutdown window is displayed, select Reinitialize Network.

On the appliance firewall system, remove the last Firewall Recovery Diskette from the drive.

Using the Initial Configuration Utility

This section explains the procedures for extracting the appliance firewall Initial Configuration utility, ksinit.htm, from the FS, KS, or SL Appliance Firewall Release 5.2 CD and for using it to create a configuration file that can be used to configure an appliance firewall automatically on first boot.

The onboard MAC address is used to generate the hardware ID that is required for obtaining a system license. It may be used in forming the name of the configuration file (otherwise, the name is generic.txt). If the configuration file names are based on the MAC address, they are unique, and multiple configuration files can be stored on a single diskette; the firewall will be able to select the appropriate one when the diskette is inserted in its floppy drive.

If you are upgrading an appliance firewall system to Release 5.2, you already have your MAC address and your hardware ID. It is recommended that you make a note of both before proceeding. The MAC address appears on a label on the front panel of the machine. The hardware ID is displayed in the Hardware Number field on the License Keys window of the CyberGuard Firewall GUI.

If you have a newly-shipped FS, SL, or KS appliance system other than the KS1000 model, the MAC address appears on a label on the front panel of the machine. If you have a KS1000 system, the MAC address appears on a label on the top of the front right-hand corner of the machine. It is recommended that you make a note of the MAC address before proceeding.

NOTE

If you are upgrading an existing FS, KS, or SL appliance and you wish to use the MAC address to form the name of your configuration file, you must enter the MAC address in the Onboard MAC Address field on the CyberGuard Firewall Appliance Initial Configuration window. You must also generate a new hardware ID to use in obtaining a system license.

If you are upgrading an existing FS, KS, or SL appliance firewall system to Release 5.2 and you do not wish to base the initial configuration file name on the MAC address, you may use your current hardware ID to obtain a system license.

Proceed as follows to use the appliance firewall Initial Configuration utility.

Insert the FS, KS, or SL Appliance Firewall 5.2 bootable CD in the CD-ROM drive on a remote workstation that runs Microsoft Internet Explorer 4.x or higher or Netscape Navigator 4.x.

Open the Windows® Explorer, and use the scroll bars to locate the CD-ROM drive in the left pane. Click on the drive to display the contents of the appliance firewall 5.2 CD in the right pane. Locate the ksinit folder, and


Be sure that you have one or more diskettes available for creating the initial configuration file(s) for your appliance firewall system(s).

Insert a blank diskette in the floppy drive on the remote workstation.

Open a browser, and in the Location or Address field, enter the following:

file://c:/ksinit/ksinit.htm

where c represents the hard drive to which you copied the ksinit folder. The screen shown in Figure 1-1 is displayed:


Figure 1-1. Initial Configuration Window for Appliance Firewalls

The CyberGuard Firewall Appliance Initial Configuration window provides an easy means for you to supply the information required for initial setup of an FS, KS, or SL appliance system. The fields and controls on this window vary according to the type of appliance that you select from the Firewall Appliance drop-down list box and the particular model that you select from the associated Models drop-down list box. The following sections show the Initial Configuration window for each type of appliance and

“FS Initial Configuration” on page 2-15

“KS Initial Configuration” on page 3-24

“KS [5U] Initial Configuration” on page 3-62

“SL Initial Configuration” on page 4-23

Prior to entering data in the Initial Configuration window, it is recommended that you use the blank configuration window provided in the section associated with your appliance to record information that is appropriate for your system. To assist you, diagrams and example configurations for a stand-alone KS system and a primary and secondary system in a KS High Availability pair are provided in the pages that follow. In the diagrams, note that dashed lines are used to denote optional features.

Figure 1-2. Stand-Alone KS System

The KS Initial Configuration window shown in Figure 1-3 contains data appropriate for the stand-alone KS system illustrated in Figure 1-2.

[Figure 1-2 diagram. Labels: INTERNET; Administrative Interface 172.18.41.1; RADIUS Server 192.168.7.7; External Interface 148.16.27.7; Internal Interface 192.168.7.1; Gateway; Remote Web Administration Hosts; Host A 227.16.3.1; Host B 227.16.3.2; 172.18.3.4; 227.16.3.3; Server A 192.168.7.5; Server B 192.168.7.6]

Figure 1-3. Sample Initial Configuration Data for Stand-Alone System

Figure 1-4 shows a KS High Availability pair.

Figure 1-4. KS High Availability Pair

[Figure 1-4 diagram. Labels: INTERNET; Remote Web Administration Hosts; Host A 227.16.3.1; Host B 227.16.3.2; Administrative (Exempt) Interface 172.18.41.1; Administrative (Exempt) Interface 172.18.41.2; External Interfaces; Internal Interface 192.168.7.1; Heartbeat Interfaces; Gateway; RADIUS Server 223.25.7.7; Server A 223.25.7.5; Server B 223.25.7.6. Other addresses shown: 148.16.27.7, 172.18.3.4, 227.16.3.3, 10.10.10.1, 10.10.10.2, 10.10.11.1, 10.10.11.2, 192.168.7.2, 223.25.7.1]

The KS Initial Configuration window shown in Figure 1-5 contains data appropriate for the primary KS system illustrated in Figure 1-4.


The KS Initial Configuration window shown in Figure 1-6 contains data appropriate for the secondary KS system illustrated in Figure 1-4.


Enter data in the fields on the appliance firewall Initial Configuration window as appropriate for your site. Click on the Help button to obtain a detailed description of the fields and controls on the window.

NOTE

A Class A, Class B, or Class C address must be entered in the IP Address field associated with each network interface; that is, the value of the first byte of the address must be less than 224.

If you are configuring an HA primary or secondary system, the Type setting for the Remote Web Administration interface (e.g., eeE0) must be Internal Exempt; otherwise, it must be Internal.

You must configure the Management Interface (e.g., eeE0) to permit further configuration of the firewall using Remote Web Administration.

Verify that the information that you have entered is correct, and press the Submit button.

A configuration page is displayed in the browser. Follow the instructions provided on that page to save it as a text file. When you select Save As from the browser’s File menu, you must select Text File (*.txt) from the Save as type drop-down list.

NOTE

If you have entered a value in the Onboard MAC Address field, the file name is based on the MAC address; otherwise, it is generic.txt.

If the file name is based on the MAC address, you may save multiple configuration files to the diskette. In this case, the firewall will select the correct file when the diskette is inserted in the floppy drive on a firewall. If the firewall does not find a file with a unique name, it looks for the generic.txt file.

Remove the diskette from the drive, and take it to the firewall on which you plan to use it.
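
One way to check a recorded worksheet against the IP Address and Type rules in the NOTE above before entering it in the Initial Configuration window. This is an added example, not part of the CyberGuard manual or the ksinit utility; the dictionary keys, the interface names other than eeE0, and the External type value are assumptions, and the addresses are taken from the Figure 1-2 sample.

```python
import ipaddress

# Type values named in the NOTE for the Remote Web Administration interface.
HA_TYPE = "Internal Exempt"
STANDALONE_TYPE = "Internal"


def check_worksheet(interfaces, ha_member):
    """Return a list of (interface, problem) tuples; an empty list means the rules hold.

    interfaces: list of dicts with hypothetical keys
        name        interface name as shown in the window, e.g. "eeE0"
        ip          value planned for the IP Address field
        type        value planned for the Type setting
        management  True for the Remote Web Administration interface
    ha_member: True when the system is an HA primary or secondary.
    """
    problems = []

    # The manual requires a Management Interface so that Remote Web
    # Administration can be used for further configuration.
    if not any(itf.get("management") for itf in interfaces):
        problems.append((None, "no Management Interface configured"))

    for itf in interfaces:
        name = itf["name"]
        try:
            addr = ipaddress.IPv4Address(itf["ip"])
        except ValueError:
            problems.append((name, f"not an IPv4 address: {itf['ip']!r}"))
        else:
            # Class A, B, or C only: the first byte must be less than 224.
            first_byte = int(addr) >> 24
            if first_byte >= 224:
                problems.append((name, f"first byte {first_byte} is not below 224"))

        if itf.get("management"):
            wanted = HA_TYPE if ha_member else STANDALONE_TYPE
            if itf["type"] != wanted:
                problems.append((name, f"Type is {itf['type']!r}, must be {wanted!r}"))
    return problems


# Constructed worksheet using the stand-alone addresses from Figure 1-2.
STANDALONE = [
    {"name": "eeE0", "ip": "172.18.41.1", "type": "Internal", "management": True},
    {"name": "eeE1", "ip": "148.16.27.7", "type": "External"},   # assumed type value
    {"name": "eeE2", "ip": "192.168.7.1", "type": "Internal"},
]

# Constructed draft for an HA member with two mistakes: the management
# interface is left at Internal, and one interface has a first byte of 227.
HA_DRAFT = [
    {"name": "eeE0", "ip": "172.18.41.1", "type": "Internal", "management": True},
    {"name": "eeE1", "ip": "148.16.27.7", "type": "External"},
    {"name": "eeE2", "ip": "192.168.7.1", "type": "Internal"},
    {"name": "eeE3", "ip": "227.16.3.3", "type": "Internal"},
]

if __name__ == "__main__":
    for label, sheet, ha in (("stand-alone", STANDALONE, False), ("HA draft", HA_DRAFT, True)):
        found = check_worksheet(sheet, ha_member=ha)
        print(label, "OK" if not found else found)
```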


Setting Up the Hardware


Hardware requirements for Release 5.2 for FS, KS, and SL appliances are as follows:

FS, KS, or SL system

Keyboard

Video monitor

PS/2 or Serial mouse

Hardware and firmware setup procedures vary according to type of appliance. The following chapters and sections explain the procedures for setting up each type of appliance:

Chapter 2, “FS Systems,” “Hardware” on page 2-1

Chapter 3, “KS Systems,” “KS 1U and 2U Systems” on page 3-1

Chapter 3, “KS Systems,” “KS 5U Systems” on page 3-34

Chapter 4, “SL Systems,” “Hardware” on page 4-1

NOTE

With the exception of FS250 and FS500 models, the keyboard, monitor, and mouse are not required after you have completed the hardware and firmware setup procedures.

Complete the hardware and firmware setup procedures applicable to your appliance.

Proceed with appliance firewall autoconfiguration as explained in the section that follows (page 1-22).

Appliance Firewall Autoconfiguration

Before you begin, be sure that you have the diskette containing the FS, KS, KS[5U], or SL initial configuration file that you have created for your system.

NOTE

On first boot of the SL, SL2000, or SL3200 software image, an error message regarding a partition not mounted will be displayed. Disregard this message.

Insert the Initial Configuration diskette in the floppy drive on the firewall.

Press <Reset> to reboot the machine.

During the initial boot to run level 2, the firewall will attempt to read the configuration file created through use of the appliance firewall Initial Configuration window.

NOTE

If the file is not found, the system will retry the read every five seconds for three minutes. After three minutes, the system will shut down.

If the file is read successfully, the initial configuration is loaded, and the system automatically reboots.

NOTE

The firewall will not attempt to read the diskette on the second and subsequent boots.

A log file (log) that contains the status of the autoconfiguration is written to the diskette (if it is writable).

Logging Into the Appliance Firewall

After you have installed and configured the appliance firewall, you can access it via an attached monitor or via a remote management service (i.e., Remote Web Administration or SSH-Secure Shell). Complete the following steps:

When the CyberGuard Firewall login window is displayed with your system name, log in as the FSO user that you specified on the appliance firewall Initial Configuration window.

When prompted, enter the FSO password, and press <Enter>.

The CyberGuard Firewall Control Panel is displayed.

Change the root password by completing the following steps.

Select the Configuration menu, and then select Users.

When the Users window appears, click on ShowEditor.

Select the root user, and click on the Authentication tab.

Click on the Password tab.

Click on Generate, or enter a new password in the Password field.

Click on Save.

If you have a new appliance firewall system, use the menus accessible from the firewall Control Panel to set up the security policy for your enterprise network. Refer to the CyberGuard Firewall Manual for assistance.

Back up your system. Procedures are explained in the “Backing Up an Appliance Firewall Configuration” section of Appendix B.


FS Systems

Hardware
Ethernet Port Ordering
Setup
Firmware for ISP1100 Systems
Setting the BIOS
Setting Up the COM Port
Setting Up Boot Devices
Saving Changes
Firmware for FS Systems with Bonham Motherboard
Setting the BIOS
Setting Up Boot Devices
Saving Changes
Firmware for FS250 and FS500 Systems
Setting the BIOS
Setting Up Boot Devices
Saving Changes
FS Initial Configuration


Chapter 2

FS Systems


This chapter provides information specific to FS systems. These include ISP1100 systems, FS systems with Bonham motherboards, and FS systems with Woodruff motherboards (hereinafter referred to as models FS250 and FS500). This chapter explains hardware and firmware setup procedures and provides reference information needed to complete the FS Initial Configuration window.

Hardware


This section shows port ordering for each type of FS system and explains how to set up the hardware. Refer to Appendix A for information needed to use the getmib and resmgr utilities to identify ports and interface unit number assignments.

Ethernet Port Ordering


Port ordering for an ISP1100 system is shown in Figure 2-1 (page 2-2). Port ordering for an FS with Bonham motherboard is shown in Figure 2-3 (page 2-3). Port ordering for an FS250 is shown in Figure 2-4 (page 2-3). Port ordering for an FS500 is shown in Figure 2-5 (page 2-3).

Setup


To set up an FS firewall system, complete the following steps.

Remove the computer from the box.

Plug in the serial or PS/2 mouse and the keyboard, video, network, and power cables by using the diagrams in Figure 2-1, “ISP1100 Back Panel,” and Figure 2-2, “ISP1100 Front Panel,” or Figure 2-3, “FS with Bonham Motherboard Back Panel,” Figure 2-4, “FS250 Back Panel,” or Figure 2-5, “FS500 Back Panel.”

NOTE

Currently, on FS250 and FS500 models only, the PS/2 mouse must be plugged in when the system is booted.


The current default video setting for this appliance firewall system is 1024 x 768 x 256 colors @ 72 Hz refresh.

Turn on the computer.

Figure 2-1. ISP1100 Back Panel

Figure 2-2 shows the ISP1100 front panel and indicates the position of the COM2 port. The FS appliances with Bonham and Woodruff motherboards do not have a COM2 port.

Figure 2-2. ISP1100 Front Panel

[Figure labels: On-Board Ethernet Port eeE0, On-Board Ethernet Port eeE1, Video, COM1, Keyboard, PS/2 Mouse, Four-Port Adapter (0, 3, 2, 1), USB, COM2]

Figure 2-3. FS with Bonham Motherboard Back Panel

Figure 2-4. FS250 Back Panel

Figure 2-5. FS500 Back Panel

[Figure labels: Keyboard, USB, Video, COM1, PS2 Mouse, On-Board Ethernet Port eeE0, RJ45 10/100 ports (eeE_0), (eeE_1), (eeE_2), Single-Port Adapter, Four-Port Adapter (0, 3, 2, 1)]

Firmware for ISP1100 Systems


NOTE

The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in “Setting the BIOS” on page 2-4.

Setting the BIOS


Ensure that you have turned on the computer.

When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.

On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up the COM Port


Use the right arrow key to select System Management, and press <Enter>.

Select Serial Features, and press <Enter>.

On the Serial Features page, select Serial Console Redirection, and press <Enter>.

Use the arrow key to select Disabled, and press <Enter>.

On the Serial Features page, select Serial Port, and press <Enter>.

Use the arrow key to select COM1 3F8 IRQ4, and press <Enter>.

On the Serial Features page, select BAUD Rate, and press <Enter>.

Use the arrow key to select 9600, and press <Enter>.

On the Serial Features page, select Flow Control, and press <Enter>.

Setting Up Boot Devices

Use the right arrow key to select Advanced from the Menu Bar.

On the Advanced page, select Boot Configuration, and press <Enter>.

Verify the following settings:

Plug & Play O/S [No]

Reset Config Data [No]

Numlock [No]

Press <Esc>.

On the Advanced page, select Peripheral Configuration, and press <Enter>.

Verify the following settings:

Serial Port A [Enabled]

Base I/O Address [3F8]

Interrupt [IRQ 4]

Serial Port B [Enabled]

Base I/O Address [2F8]

Interrupt [IRQ 3]

Legacy USB Support [Disabled]

Press <Esc>.

On the Advanced page, select IDE Configuration, and press <Enter>.

Set the value of IDE Controller to Primary.

Verify the following settings:

Hard Disk Pre-Delay [Disabled]

Primary IDE Master [QUANTUM FIREBALLlct1]

Primary Slave [CD-224E]

Secondary Master [Not Installed]

Secondary Slave [Not Installed]

Press <Esc>.

On the Advanced page, select Diskette Configuration, and press <Enter>.


Verify the following settings:

Diskette Controller [Enabled]

Floppy A [1.44/1.25 MB 3½"]

Diskette Write Protect [Disabled]

Press <Esc>.

On the Advanced page, select Event Log Configuration, and press <Enter>.

Verify the following settings:

Event Log [Space Available]

Event Log Validity [Valid]

Clear All Event Logs [No]

Event Logging [Enabled]

ECC Event Logging [Enabled]

Press <Esc>.

Use the right arrow key to select Boot from the Menu Bar.

Verify the following settings:

Quiet Boot [Disabled]

Quick Boot [Enabled]

After Power Failure [Last State]

On Modem Ring [Stay Off]

On LAN [Stay Off]

On PME [Stay Off]

Primary master IDE [1st IDE]

Primary slave IDE [2nd IDE]

Secondary master IDE [3rd IDE]

Secondary slave IDE [4th IDE]

On the Boot page, select 1st Boot Device, and press <Enter>.

Use the arrow key to select ATAPI CD-ROM, and press <Enter>.

On the Boot page, select 2nd Boot Device, and press <Enter>.

Use the arrow key to select IDE-HDD, and press <Enter>.

Saving Changes

Select Exit Saving Changes, and press <Enter>.

A window displays the following message:

Save configuration changes and exit now?

Select Yes, and press <Enter>.

A system reboot occurs.

Follow the remainder of the procedures outlined in “Setting Up the Hardware” on page 1-21.

Firmware for FS Systems with Bonham Motherboard


NOTE

The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in “Setting the BIOS” on page 2-7.

Setting the BIOS


Ensure that you have turned on the computer.

When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.

On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up Boot Devices


Use the right arrow key to select Advanced from the Menu Bar.

On the Advanced page, select Boot Configuration, and press <Enter>.


Verify the following settings:

Plug & Play O/S [No]

Reset Config Data [No]

Numlock [No]

Press <Esc>.

On the Advanced page, select Peripheral Configuration, and press <Enter>.

Verify the following settings:

Serial Port A [Enabled]

Base I/O Address [3F8]

Interrupt [IRQ 4]

Parallel Port [Enabled]

Mode [Bi-directional]

Base I/O Address [378]

Interrupt [IRQ 7]

LAN Device [Enabled]

Legacy USB Support [Disabled]

Press <Esc>.

On the Advanced page, select IDE Configuration, and press <Enter>.

Verify the following settings:

IDE Controller [Primary]

Hard Disk Pre-Delay [Disabled]

Primary IDE Master [ST340016A]

Primary Slave [CDU5211]

Secondary Master [Not Installed]

Secondary Slave [Not Installed]

Press <Esc>.

On the Advanced page, select Diskette Configuration, and press <Enter>.

Verify the following settings:

Diskette Controller [Enabled]

Floppy A [1.44/1.25 MB 3½'']


Verify the following settings:

Event Log [Space Available]

Event Log Validity [Valid]

View Event Log

Clear All Event Logs [No]

Event Logging [Enabled]

Mark Events as Read

Press <Esc>.

On the Advanced page, select Video Configuration, and press <Enter>.

On the Video Configuration panel, verify the following settings:

Primary Video Adapter [AGP]

AGP Hardware Detected Integrated

NOTE

If the optional video card is installed, you must set the Primary Video Adapter to [PCI].

Actual performance of the video hardware is dependent upon the operating system and video drivers.

Press <Esc>.

Use the right arrow key to select Power from the Menu Bar.

Select APM, and press <Enter>.

Verify the following setting:

Power Management [Disabled]

Press <Esc>.

Select ACPI, and press <Enter>.

On the Advanced Configuration and Power Interface panel, verify the following setting:

Wake on LAN from S5 [Stay Off]

Press <Esc>.


Verify the following setting:

After Power Failure [Last State]

The following message is displayed:

The options below are not related to ACPI and may be ignored when shutting down using an ACPI OS.

Wake On LAN [Stay Off]

Wake On PME [Stay Off]

Wake On Modem Ring [Stay Off]

Use the right arrow key to select Boot from the Menu Bar.

Verify the following settings:

Quiet Boot [Disabled]

Intel (R) Rapid BIOS Boot [Enabled]

Scan User Flash Area [Disabled]

Select Boot Device Priority, and press <Enter>.

Ensure that the boot devices are ordered as follows:

1st Boot Device [ATAPI CD-ROM]

2nd Boot Device [Hard Drive]

3rd Boot Device [Removable Dev.]

4th Boot Device [Disabled]

Press <Esc>.

Saving Changes


Use the right arrow key to select Exit.

Select Exit Saving Changes, and press <Enter>.

A window displays the following message:

Save configuration changes and exit now?

Select Yes, and press <Enter>.

A system reboot occurs.

Follow the remainder of the procedures outlined in “Setting Up the Hardware” on page 1-21.

Firmware for FS250 and FS500 Systems

NOTE

The BIOS and SCSI BIOS are set as required for operation of the firewall prior to shipment of the appliance firewall system from the factory. It is recommended that you check the settings to ensure that they are correct, however. Follow the steps presented in “Setting the BIOS” on page 2-11.

In some cases, settings for FS250 systems are different from those for FS500 systems. In such cases, the applicable model is shown in brackets—e.g., [FS250].

Setting the BIOS


Ensure that you have turned on the computer.

When prompted, press <F2> to enter Setup. The BIOS Setup Utility screen is displayed.

Select Main, and press <Enter>.

Verify the following settings:

Processor Type Intel® Pentium® 4

Processor Speed 1.80 GHz

System Bus Speed 400 MHz

Processor1 L2 Cache Size 256 KB

Total Memory 256 MB

Memory Bank 1 128 MB [FS250]

256 MB (DDR266) [FS500]

Memory Bank 2 Not Installed

Internal Cache [WriteBack]

External Cache [WriteThru]

IOAPIC [Enabled]

Language [English]

On the Main page, verify that System Time and System Date are set to appropriate values for Greenwich Mean Time (GMT).

Setting Up Boot Devices

Use the right arrow key to select Advanced from the Menu Bar. The following message is displayed:

Setup Warning

Setting items on this screen to incorrect values may cause your system to malfunction.

On the Advanced page, select Boot Configuration, and press <Enter>.

Verify the following settings:

Plug & Play O/S [No]

Reset Config Data [No]

Numlock [On]

Press <Esc>.

On the Advanced page, select Peripheral Configuration, and press <Enter>.

Verify the following settings:

Serial Port A [Enabled]

Base I/O Address [3F8]

Interrupt [IRQ 4]

Serial Port B [Enabled]

Base I/O Address [2F8]

Interrupt [IRQ 3]

Parallel Port [Auto]

Mode [Bi-directional]

Keyboard error message [Enabled]

LAN#1 Controller [Enabled]

LAN#2 Controller [Enabled]

ATA RAID Controller [Disabled]

ATI Rage Video [Enabled]

Legacy USB Support [Disabled]

Press <Esc>.


Verify the following settings:

IDE Controller [Both]

PCI IDE Bus Master [Enabled]

Hard Disk Pre-Delay [Disabled]

Primary IDE Master [ST340016A]

Primary Slave [Not Installed] [FS250]

[CDU5211] [FS500]

Secondary Master [SR243T] [FS250]

[Not Installed] [FS500]

Secondary Slave [Not Installed]

Press <Esc>.

On the Advanced page, select Diskette Configuration, and press <Enter>.

Verify the following settings:

Diskette Controller [Enabled]

Floppy A [1.44/1.25 MB 3½'']

Floppy B [Not Installed]

Diskette Write Protect [Disabled]

Press <Esc>.

On the Advanced page, select Event Log Configuration, and press <Enter>.

Verify the following settings:

Event Log [Space Available]

Event Log Validity [Valid]

View Event Log

Clear All Event Logs [No]

Event Logging [Enabled]

ECC Event Logging [Enabled]

Mark Events as Read

Press <Esc>.

On the Advanced page, select Video Configuration, and press <Enter>.

On the Video Configuration panel, verify the following settings:

AGP Aperture Size [64MB]

Primary Video Adapter [AGP]


Press <Esc>.

Use the right arrow key to select Power, and press <Enter>.

Select ACPI, and press <Enter>.

On the Advanced Configuration and Power Interface panel, verify the following setting:

ACPI Suspend State [S3 State]

Wake on LAN from S5 [Stay Off]

Press <Esc>.

Verify the following setting:

After Power Failure [Last State]

The following message is displayed:

The options below are not related to ACPI and may be ignored when shutting down using an ACPI OS.

Wake On LAN [Stay Off]

Wake On PME [Stay Off]

Wake On Modem Ring [Stay Off]

Use the right arrow key to select Boot from the Menu Bar.

Verify the following settings:

Quiet Boot [Disabled]

Intel (R) Rapid BIOS Boot [Enabled]

Scan User Flash Area [Disabled]

USB Boot [Disabled]

PXE Remote Boot [Disabled]

Use the down arrow key to select Boot Device Priority, and press <Enter>.

Verify the order of the boot devices is as follows:

1st Boot Device [ATAPI CD-ROM]

2nd Boot Device [Hard Drive]

3rd Boot Device [Removable Dev.]

4th Boot Device [Disabled]

Saving Changes

Use the right arrow key to select Exit.

Select Exit Saving Changes, and press <Enter>.

A window displays the following message:

Save configuration changes and exit now?

Select Yes, and press <Enter>.

A system reboot occurs.

Follow the remainder of the procedures outlined in “Setting Up the Hardware” on page 1-21.

FS Initial Configuration


Figure 2-6 shows the Initial Configuration window for FS systems. Procedures for using this window are explained in “Using the Initial Configuration Utility” on page 1-11.


For FS systems, the Initial Configuration window contains the following fields and controls:

High Availability Setting

(Required) Has the following selections:

Disabled: Indicates that High Availability (HA) is not installed. This radio button is selected by default.

Primary: Indicates that the specified host is the primary firewall in an HA pair.

Secondary: Indicates that the specified host is the secondary firewall in an HA pair.

Firewall Appliance

Specifies the type of firewall appliance for which you are entering initial configuration information. The drop-down list box includes the following selections:

FireSTAR, KnightSTAR, KnightSTAR[5U], STARLord.

FireSTAR Models

(Required) Has the following selections:

FS250: Denotes a Woodruff motherboard with two on-board network interfaces. Its only slot is populated with a single-port network interface.

FS500: Denotes a Woodruff motherboard with two on-board network interfaces. Its only slot is populated with a four-port network interface.

OEM-F1210RCG: Denotes a Bonham motherboard with one on-board network interface.

Other: Denotes an ISP1100 unit with two on-board network interfaces.

Firewall Host Name

(Required) Specifies the host name by which the system identifies itself during network and login connections. Should be unique within a local area network.

Domain Name

(Required) Specifies the externally visible partial or fully-qualified name that is registered with the Network Information Center (NIC). The domain name provides a point of contact for external connections to a local area network; this field identifies the domain that provides information about connecting to this host.

Type

(Required) Indicates the side of the firewall where the interface is connected and, if High Availability is installed, may also indicate whether the interface is a heartbeat interface or an exempt interface. If High Availability is installed, the drop-down list box includes the following selections. Otherwise, it includes only Disable, Internal, and External.

Disable: Denotes an interface that is not being used. All interfaces are set to Disable by default.

Internal: Denotes an interface that is used to connect to your private internal network.

External: Denotes an interface that is used to connect to a publicly accessible network (e.g., the Internet).

Internal Exempt: Denotes an internal interface that is not to be marked down when the served firewall fails over to the standby.

External Exempt: Denotes an external interface that is not to be marked down when the served firewall fails over to the standby.

Heartbeat: Denotes an interface that is used to monitor the state of the served firewall and provide communication between the served and standby firewalls. Two heartbeat interfaces are required for each firewall.

Name

Specifies the unique primary name (host name) of the network interface or its fully-qualified domain name. Host names must begin with an alphabetic character; otherwise, they may contain only alphanumeric characters, periods, and hyphens. Domain names entered in this field for the various network interfaces may all be different and need not match the name entered in the Domain Name field.

NOTE

Remote Web Administration Interface (e.g., eeE0) Requirements

A fully-qualified domain name is required for the Remote Web Administration interface (e.g., eeE0) on each machine in an HA pair. If the Remote Web Administration interfaces are Exempt, the name specified for the primary machine must be different from the name specified for the secondary machine. If you do not specify a name, a fully-qualified domain name of the following form is used by default: node_name-n.domain, where node_name is the value specified in the Firewall Host Name field, n is 1 for the primary and 2 for the secondary machine in the pair, and domain is the value entered in the Domain Name field. This makes it

An entry is made in the /etc/hosts file to make the unqualified node_name an alias for the interface specified by Management Interface.

The computer or network specified by Manager IP must be able to resolve the name for the Remote Web Administration interface (i.e., via the hosts file or name server).

You must use the name for the Remote Web Administration interface to connect to the firewall via Remote Web Administration.

IP Address

(Required) Specifies the unique Internet Protocol address of the network interface. It must be a Class A, Class B, or Class C address; that is, the value of the first byte of the address must be less than 224.

Subnetwork Mask

Specifies a subnet mask as a dotted quad mask (e.g., 255.255.255.0) or a bit count (e.g., 24). If you do not specify a subnet mask, the default mask associated with the address class is used (i.e., 255.0.0.0 for Class A, 255.255.0.0 for Class B, 255.255.255.0 for Class C).

FSO User

(Required) Specifies the login ID for a privileged Firewall Security Officer (FSO). An FSO is authorized to use the firewall GUI, execute commands associated with administrative roles (e.g., auditor, site security officer, network administrator), and execute firewall-related commands installed on the system. This user is cleared to the SYS_PRIVATE and NETWORK levels. The default is cgadmin. It is recommended that you specify a different FSO user. If you do so, the cgadmin user will be disabled.

FSO Password

(Required) Specifies the password associated with the user entered in the FSO User field. Note that the password entered in this window is weakly encrypted; you will be prompted to change it when you log in to the firewall for the first time.

Password Confirmation

(Required) Respecifies the string entered in the FSO Password field

Remote Management Service

(Required) Indicates the application to be used to manage the firewall from a remote system. The drop-down list box includes the following selections: None, Secure Shell - SSH, Remote Web Admin. The default is None.


Management Interface

(Required if a Remote Management Service is specified or a configuration is to be restored) Indicates the network interface that is to be used to access the firewall from the remote system. On FS250 models, the drop-down list box includes the following selections by default: None, eeE0, eeE1, eeE2. On FS500, OEM-F1210RCG, and Other models, the drop-down list box includes the following selections by default: None, dec0, dec1, dec2, dec3, eeE0, and eeE1. The default is None.

Manager IP

(Required if a Remote Management Service is specified) Specifies the IP address of the computer or network on which the specified Remote Management Service is used to manage the firewall.

Manager Route IP

Specifies the IP address to which packets are forwarded if the specified Manager IP address is not on the local network.

System Mouse Type

(Required) Indicates the type of mouse that is being used. The drop-down list box includes the following selections: None, Serial, PS/2. The default is None. NOTE: You must select Serial or PS/2.

Time Zone

(Required) Specifies the time zone in which the firewall is located. The US/Central time zone is selected by default. The drop-down list box includes all time zones.

Time Server IP

Specifies the IP address of the server to which time requests are to be sent to maintain system time synchronization.

Onboard MAC Address

Specifies the address of the onboard Ethernet port as it appears on a label on the front panel of the computer. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

Hardware ID

(Read-only) Contains an eight-digit hexadecimal number that uniquely identifies the computer. This number is obtained by clicking on the Generate button.

Generate


Serial Number

Specifies the 10-character serial number that you previously received from CyberGuard Customer Support Center. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

License Key

Specifies the 20-character license key that you obtained from the CyberGuard Corporation Web site. NOTE: If you are using a 30-day trial license, you are not required to enter a value in this field.

CyberGuard Firewall Online Registration

Allows you to jump directly to the CyberGuard Firewall Online Registration Web page to obtain a license key

RADIUS Server IP

Specifies the IP address of the RADIUS server

Backup Server IP

Specifies the IP address of the backup RADIUS server

RADIUS Port

Specifies the port on which the RADIUS server listens for connections. The default is 1812 (the officially assigned port number as noted in RFC 2138).

RADIUS Secret Key

Specifies a string that represents the password encryption key that is shared between the RADIUS client and the RADIUS server. The string may include any printable character.

Key Confirmation

Respecifies the string entered in the RADIUS Secret Key field

Organizational Unit

Specifies the group to which a centrally-authenticated administrator must belong to be authorized to log in to the firewall. The default value is NONE.

Remote Host IP

Specifies the IP address of the remote host from which you wish to restore a firewall configuration

Remote Route IP

Specifies the IP address to which packets are forwarded if the specified Remote Host IP address is not on the local network. NOTE: You must specify a network interface in the Management Interface field to be able to restore a firewall configuration from a remote host.

Configuration File

Specifies the full or relative path name of the configuration file that you wish to restore. NOTE: Do not include the .tar or .tar.encr extension in the file name.

Remote User

Specifies the login name to be used on the remote host. The default is anonymous.

Remote Password

Specifies the password associated with the login name entered in the Remote User field. If you use the default anonymous, you are not required to enter a value in this field; if you leave the field blank, the password that will be used is [email protected].

Encryption Key

(Required if Configuration File is encrypted) Specifies the key to be used to decrypt the restored configuration file. NOTE: The value that you enter in this field must be the same as the encryption key used to save the configuration.

Default Route IP

Specifies the IP address to which packets are forwarded if an explicit route does not already exist.
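
The rules that the field descriptions above give for IP Address, Subnetwork Mask, Name, Type, and the management fields can be checked before the values are entered in the Initial Configuration window. The following is an added example, not CyberGuard code: the dictionary layout, key names, and function names are hypothetical, the sample values are constructed, and the rejection of non-contiguous masks is an assumption that the manual does not state.

```python
import re

# (class, exclusive upper bound of the first byte, default prefix length), per the field text.
CLASSES = (("A", 128, 8), ("B", 192, 16), ("C", 224, 24))
NON_HA_TYPES = {"Disable", "Internal", "External"}
HA_TYPES = NON_HA_TYPES | {"Internal Exempt", "External Exempt", "Heartbeat"}
# Name field: begins with a letter, then letters, digits, periods, hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9.-]*")


def parse_ipv4(text):
    """Return the four octets of a dotted quad, or raise ValueError."""
    parts = text.strip().split(".")
    ok = all(p.isascii() and p.isdigit() and int(p) < 256 for p in parts)
    if len(parts) != 4 or not ok:
        raise ValueError(f"not a dotted quad: {text!r}")
    return [int(p) for p in parts]


def address_class(ip):
    """Return (class letter, default prefix length); reject first byte >= 224."""
    first = parse_ipv4(ip)[0]
    for letter, upper, bits in CLASSES:
        if first < upper:
            return letter, bits
    raise ValueError(f"{ip}: first byte must be less than 224")


def prefix_length(mask, ip):
    """Resolve a Subnetwork Mask value: blank, bit count, or dotted quad."""
    default_bits = address_class(ip)[1]
    mask = (mask or "").strip()
    if not mask:
        return default_bits          # class default applies when no mask is given
    if mask.isascii() and mask.isdigit():
        bits = int(mask)
        if bits > 32:
            raise ValueError(f"bit count out of range: {mask}")
        return bits
    value = int.from_bytes(bytes(parse_ipv4(mask)), "big")
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):    # assumption: non-contiguous masks are flagged
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return bin(value).count("1")


def default_rwa_name(host_name, ha_setting, domain):
    """Default Remote Web Administration interface name: node_name-n.domain."""
    n = {"Primary": 1, "Secondary": 2}[ha_setting]
    return f"{host_name}-{n}.{domain}"


def check_config(cfg):
    """Return a list of problems found in a dict of Initial Configuration values."""
    problems = []
    ha = cfg["ha_setting"]
    allowed = NON_HA_TYPES if ha == "Disabled" else HA_TYPES
    for name, iface in sorted(cfg["interfaces"].items()):
        if iface["type"] not in allowed:
            problems.append(f"{name}: type {iface['type']!r} not offered when HA is {ha}")
        if iface["type"] == "Disable":
            continue
        try:
            prefix_length(iface.get("mask"), iface["ip"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
        if iface.get("name") and not HOSTNAME_RE.fullmatch(iface["name"]):
            problems.append(f"{name}: invalid name {iface['name']!r}")
    if ha != "Disabled":
        beats = sum(i["type"] == "Heartbeat" for i in cfg["interfaces"].values())
        if beats < 2:
            problems.append(f"HA needs two Heartbeat interfaces, found {beats}")
    service = cfg.get("remote_service", "None")
    mgmt = cfg.get("management_interface", "None")
    if service != "None":
        if mgmt not in cfg["interfaces"]:
            problems.append("Management Interface is required for remote management")
        elif service == "Remote Web Admin":
            want = "Internal" if ha == "Disabled" else "Internal Exempt"
            if cfg["interfaces"][mgmt]["type"] != want:
                problems.append(f"{mgmt}: type must be {want!r} for Remote Web Admin")
        if not cfg.get("manager_ip"):
            problems.append("Manager IP is required for remote management")
    return problems


# Constructed sample: an HA primary with three mistakes.
SAMPLE = {
    "ha_setting": "Primary", "remote_service": "Remote Web Admin",
    "management_interface": "eeE0", "manager_ip": "192.168.1.50",
    "interfaces": {
        "eeE0": {"type": "Internal", "ip": "192.168.1.1", "mask": "24", "name": ""},
        "dec0": {"type": "External", "ip": "224.0.0.5", "mask": "", "name": "fw-ext"},
        "dec1": {"type": "Heartbeat", "ip": "10.0.0.1", "mask": "255.255.255.252", "name": "hb1"},
    },
}
```

Calling check_config(SAMPLE) reports the multicast address on dec0, the missing second heartbeat interface, and the Internal type on the Remote Web Administration interface of an HA system.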


KS Systems

KS 1U and 2U Systems
Hardware
Ethernet Port Ordering
Setup
Firmware for KS 2U with Lancewood Motherboard
Setting the BIOS
Setting Up the COM Port
Setting Up Boot Devices
Saving Changes
Setting the SCSI BIOS
Firmware for KS 2U with Tupelo Motherboard
Setting the BIOS
Setting Up the COM Port
Setting Up Boot Devices
Saving Changes
Setting the SCSI BIOS
Firmware for KS1000 Systems
Setting the BIOS
Setting Up Advanced Features
Setting Up Security
Setting Up the Server
Setting Up Boot Devices
Saving Changes
Setting the SCSI BIOS
Firmware for KS1500 Systems
Setting the BIOS
Setting Up Advanced Features
Setting Up Security
Setting Up the Server
Setting Up Boot Devices
Saving Changes
Setting the SCSI BIOS
KS Initial Configuration
KS 5U Systems
Hardware
PCI Slot Ordering
Setup
Firmware for KS 5U with Lancewood Motherboard
Setting the BIOS
Setting Up the COM Port
Setting Up Boot Devices
Saving Changes
Setting the SCSI BIOS
Firmware for KS 5U with Tupelo Motherboard
Setting the BIOS
