User’s Guide
GBUG200506-01
ii GB-OS 3.7 User’s Guide
Copyright
© 1996-2005, Global Technology Associates, Incorporated (GTA). All rights reserved.
Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.
Technical Support
GTA includes 30 days “up and running” installation support from the date of purchase. See GTA’s web site for more information. GTA’s direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local GTA authorized channel partner.
Tel: +1.407.380.0220 Email: [email protected]
Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.
Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.
Trademarks & Copyrights
GNAT Box, GB Commander and Surf Sentinel 2.0 are registered trademarks of Global Technology Associates, Incorporated. GB-OS, RoBoX, GB-Ware and Firewall Control Center are trademarks of Global Technology Associates, Incorporated. Global Technology Associates and GTA are registered service marks of Global Technology Associates, Incorporated.
Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group.
Linux is a registered trademark of Linus Torvalds.
BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ.
Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Java software may include software licensed from RSA Security, Inc.
Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/.
SurfControl is a registered trademark of SurfControl plc. Some products contain technology licensed from SurfControl plc. Some products include software developed by the OpenSSL Project (http://www.openssl.org/).
Kaspersky Lab and Kaspersky Anti-Virus are licensed from Kaspersky Lab Int. Some products contain technology licensed from Kaspersky Lab Int. Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109 • Orlando, FL 32817 USA
Documentation Conventions ……… 3
Additional Documentation ……… 3
Mailing List ……… 4
2 INSTALLATION AND SETUP ……… 5
Registration ……… 5
Getting Your Activation Code ……… 5
Connecting Your Computer to the Firewall ……… 5
Requirements ……… 5
Installing Utilities & Documentation ……… 6
Setup by Temporary Peer Network ……… 6
Alternate Method: Setup by LAN Using the Firewall’s Default Network ……… 7
Powering On the Firewall ……… 8
Network Configuration ……… 8
Configuration Using a Web Browser ……… 8
Browser Compatibility ……… 8
Connecting to the Web Interface ……… 8
Setting Your Time ……… 9
Entering Your Network Information ……… 9
Re-configuring Your Computer ……… 11
Accessing the Firewall ……… 11
Configuration Using GBAdmin ……… 11
Entering Your Network Information ……… 12
Re-configuring Your Computer ……… 12
Accessing the Firewall ……… 12
3 BASIC CONFIGURATION ……… 13
DNS (DNS Proxy) ……… 13
Features ……… 13
Serial Number ……… 14
Activation Codes ……… 14
Network Information ……… 14
Logical Interfaces ……… 15
Interface Object Names ……… 16
Host Name ……… 16
Default Gateway ……… 16
Bridged Interfaces ……… 16
Bridging Mode ……… 17
Network Interface Cards (NICs) or Physical Interfaces ……… 17
PPP ……… 18
PPPoE ……… 18
Enabling PPP/PPPoE in Network Information ……… 18
PPTP ……… 18
Preferences (Basic Configuration) ……… 23
4 SERVICES ……… 25
DHCP Server ……… 25
DNS Server ……… 26
DNS Domains ……… 27
Dynamic DNS ……… 28
GB-Commander Server ……… 29
High Availability ……… 30
Mail Sentinel (Email Proxy) ……… 31
Defining an Email White List or Black List ……… 35
Defining a Mail Abuse Prevention System (MAPS) ……… 41
Network Time Service ……… 42
Finding NTP Servers ……… 42
Designating the Firewall as an NTP Server ……… 42
Remote Logging ……… 43
WELF (WebTrends Enhanced Log Format) ……… 43
GTAsyslog ……… 44
Unix Facilities ……… 44
Filter ……… 44
NAT (Network Address Translation) ……… 45
WWW ……… 45
SNMP ……… 45
5 AUTHORIZATION ……… 47
Admin Accounts ……… 47
Authentication ……… 48
RADIUS ……… 49
LDAP ……… 49
Defining a User Authentication Remote Access Filter ……… 49
GTA Authentication ……… 49
LDAP ……… 50
Using LDAP on a GTA Firewall ……… 50
RADIUS ……… 50
Using RADIUS on a GTA Firewall ……… 50
Remote Admin ……… 50
Changing the Remote Administration Port ……… 51
WWW ……… 51
RMC (GBAdmin) ……… 51
SSL Encryption ……… 52
Browser Compatibility ……… 52
Generating and Installing SSL Certificate ……… 52
Users ……… 53
VPNs ……… 54
Security Associations ……… 54
Multiple Networks ……… 55
Mobile Protocol ……… 55
Encryption Key Length ……… 55
Hash Key Length ……… 55
Security Parameter Index (SPI) ……… 55
Creating a VPN ……… 55
6 CONTENT FILTERING ……… 59
Access Control Lists ……… 59
Local Allow and Deny Lists ……… 60
Content Blocking ……… 60
Local Content Lists ……… 60
Adding Domain Names to LCLs ……… 61
Preferences (Content Filtering) ……… 61
Traditional Proxy ……… 62
Creating an RAF for a Traditional Proxy ……… 62
Transparent Proxy ……… 62
Block Action ……… 62
7 ROUTING ……… 63
Gateway Policies ……… 63
Selecting Useful Beacons ……… 67
Gateway Policies and Bridging Mode ……… 67
RIP ……… 68
Static Routes ……… 69
8 OBJECTS ……… 71
Addresses ……… 71
Using Regular Expressions ……… 73
Default Address Objects ……… 74
Traffic Shaping (Bandwidth Limiting) ……… 74
Weight vs. Priority ……… 74
Using Traffic Shaping ……… 74
VPN Objects ……… 76
Default VPN Objects ……… 76
Which VPN Object Is Used? ……… 76
Coalesce ……… 86
Email Server ……… 87
SNMP Traps ……… 87
Pager ……… 87
Remote Access Filters ……… 88
Muffling Benign Protocols ……… 89
Access a Protected Network from a PSN ……… 89
Time Groups ……… 90
10 PASS THROUGH ……… 91
Pass Through (No NAT) ……… 91
Filters ……… 91
Creating Passthrough Filter Pairs ……… 92
Hosts/Networks ……… 92
Creating a New Host or Network ……… 93
Bridged Protocols ……… 93
Protocol Definitions ……… 93
11 NAT ……… 95
Aliases ……… 95
Inbound Tunnels ……… 95
Creating Inbound Tunnels ……… 97
Static Address Mapping ……… 97
Allowing Static Address Mapping ……… 98
Timeouts ……… 98
12 ADMINISTRATION ……… 101
Download Configuration ……… 101
Resetting the Firewall or Defaulting Sections ……… 101
Retaining Filters After Defaulting ……… 101
Flush ARP Table ……… 101
Halt ……… 102
Interfaces ……… 102
Ping ……… 102
Using Ping ……… 102
Reboot ……… 103
Set Date/Time ……… 103
UTC and Logging ……… 103
Set Timezone ……… 103
Trace Route ……… 104
Upload Configuration ……… 104
Upload Runtime ……… 104
13 REPORTS ……… 107
Configuration ……… 107
Hardware ……… 107
Email Configuration ……… 108
Verify Configuration ……… 108
14 SYSTEM ACTIVITY ……… 111
Active ARP Table ……… 111
Active Connections ……… 111
Active Filters ……… 112
Active Routes ……… 112
Active Hosts ……… 113
Active VPNs ……… 113
Current Statistics ……… 114
DHCP Leases ……… 115
Locked Out ……… 115
Mail Sentinel (Email Proxy) ……… 115
View Log Messages ……… 119
15 UTILITY SOFTWARE ……… 121
DBmanager ……… 121
Database Maintenance ……… 121
Utilities ……… 121
GTAsyslog Settings ……… 121
Help ……… 122
Verify Installation ……… 122
LogView ……… 122
GBAuth User Authentication ……… 122
Using GBAuth for GTA Authentication ……… 123
Using GBAuth for LDAP Authentication ……… 124
Using GBAuth for RADIUS Authentication ……… 124
16 TROUBLESHOOTING ……… 127
Troubleshooting Basics ……… 127
Frequently Asked Questions (FAQ) ……… 127
APPENDIX A PORTS AND SERVICES ……… 133
GTA Ports & Services ……… 133
Well-known Ports and Services ……… 133
Registered Port Numbers ……… 134
APPENDIX B LOG MESSAGES ……… 137
Default Logging ……… 137
Interface Errors ……… 137
Bridged Interfaces and Protocols ……… 137
Gateway Policies ……… 137
Filtered Packet Types ……… 138
Log Messages ……… 138
Permitted Inbound Connection ……… 138
Permitted Outbound Connection ……… 139
Remote Access Filters ……… 139
Outbound Filters ……… 139
Network Address Translation (NAT) ……… 139
HTML Sessions ……… 139
Outbound ICMP ……… 140
Outbound UDP ……… 140
Outbound TCP ……… 140
Pass Through (No NAT) ……… 140
Inbound Pass Through Filter Block ……… 140
Outbound Pass Through Filter Block ……… 140
Inbound/Outbound Security Policy Violation ……… 141
Unauthorized Firewall Access Attempts ……… 141
GBAdmin (RMC) ……… 141
Web Interface ……… 141
Console ……… 142
Attempts to Compromise Remote Admin Ports ……… 142
Ping Flood/DoS Attack ……… 142
Content Filtering (HTTP Proxy) ……… 143
Transparent Proxy ……… 143
Traditional Proxy ……… 143
Surf Sentinel 2.0 ……… 143
Mail Sentinel (Email Proxy) ……… 144
Email Headers ……… 145
Virtual Private Network (VPN) ……… 145
Authentication ……… 146
Automatic Filters ……… 147
Saving GB-Commander on Firewall ……… 147
Exceeding the Count of Licensed Users ……… 147
APPENDIX C USER INTERFACES ……… 149
Web Interface ……… 149
Features ……… 149
Web Interface Access ……… 149
Characteristics ……… 149
External Network ……… 157
Protected Network ……… 157
Private Service Network ……… 157
Network Interface Cards (NICs) ……… 157
External Network Interface ……… 158
Protected Network Interface ……… 158
Private Service Network Interface ……… 158
Network Address Translation (NAT) ……… 158
Default NAT (Dynamic NAT) ……… 158
Static Address Mapping (Static NAT) ……… 158
IP Pass Through (No NAT) ……… 159
Objects ……… 159
Address Objects ……… 159
Interface Objects ……… 159
VPN Objects ……… 159
Filters ……… 160
Filter Defaults ……… 160
Filter Types ……… 160
Automatic Filters ……… 160
Stealth Mode ……… 160
VPN ……… 160
DNS ……… 160
DNS Server ……… 161
APPENDIX E DEFAULT SETTINGS ……… 163
Outbound Security Policies ……… 163
Outbound Filters ……… 163
Remote Access Security Policies ……… 163
Remote Access Filters ……… 163
About GB-OS
Standard Features
GTA’s NAT (Network Address Translation) and Stateful Packet Inspection engine are at the heart of all GB-OS firewalls. These
facilities, tightly integrated with the network layer, guarantee maximum data throughput, reliable NAT and unparalleled security.
Passthrough filters allow the use of the firewall without NAT. GB-OS features also include:
• Email proxy and spam and email virus prevention tools
• Gateway-to-gateway IPSec VPN (Virtual Private Networking)
• Encryption methods including DES, 3DES, AES and Blowfish
• User authentication for any platform via the Java GBAuth utility
• DHCP and DNS services via built-in DHCP and DNS servers*
• Transparent network access for standard TCP and UDP applications
• Protocols including FTP, PASV FTP, CU-SeeMe, RealAudio/Video, ICQ, AIM, online gaming, Net2Phone, PPP, PPPoE and PPTP
• Bridging for user-identified Ethernet protocols
• Safer external access to internal networks using the PSN, GTA’s improved DMZ network
• Secure remote logging using the GTAsyslog or a third-party syslog
• Default stealth mode
GB-OS administrators have a choice of three user interfaces.
• Web interface: a secure cross-platform remote management interface providing comprehensive access to configuration options via a frames-enabled, SSL-compatible web browser
• GBAdmin: secure Windows-compatible remote management interface
• Console interface: on-site serial or video fail-safe and firewall recovery access
Options
• Secure access of internal networks with mobile VPN client
• Email filtering with Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus
• Web content filtering with Surf Sentinel 2.0
• Firewall failover ability with H2A High Availability*
• VPN hardware acceleration*
• Variable support contracts
*Available on select GTA firewalls.
What’s New
GB-OS version 3.7.0 offers new features for VPN users, users with multiple Internet gateways, and users desiring
policy-based gateway assignment. New features include:
• NAT-T (NAT traversal) for IPSec VPNs
• Dead peer detection for IPSec VPNs
• Additional Diffie-Hellman groups for greater IPSec VPN key size
• Multiple gateway (multi-WAN) support
• Policy-based gateways
• Bandwidth sharing (load balancing) over multiple gateways
GB-OS Roles
As firewalls, GB-OS systems are dedicated to network security. Unlike servers and computers whose many running software
applications may inadvertently open your network to vulnerability, GTA firewalls only run necessary security software: no
unrelated applications run on them; you can’t telnet to them, and you can’t use them as a web server. An authorized user can log on
only to configure and administer a GTA firewall’s security functions.
By definition, the effectiveness of a firewall is determined by the traffic it denies. GB-OS systems are based on this principle:
that which is not explicitly allowed is denied. If all filters were deleted and nothing was explicitly allowed, a GB-OS firewall
would deny all traffic, and there would be no inbound or outbound packet flow.
GB-OS software is:
• A firewall that prevents unauthorized access to internal networks, while allowing authorized connections to operate normally
• A virtual private network (VPN) gateway between two networks or a network and a VPN client using the IPSec VPN standards and supporting many third-party VPN products
• A network address translation (NAT) engine that allows unregistered IP addresses to be used on the protected and PSN networks so that IP addresses are hidden from external networks and translated to the primary external network interface IP address
• A network gateway that links network topographies (e.g. 10 Mbps to gigabit) and replaces a router in a PPP configuration
• A bridging firewall that links Ethernet networks together transparently like a bridge, while filtering IP packets as a firewall
• An email proxy that restricts access to your email server
• A DNS proxy or server that makes DNS requests or maintains a database of domain names (host names) and their corresponding IP addresses
• A DHCP server that automates the assignment of IP addresses to host systems on locally attached networks
Support
Installation ("up and running") support is available to registered users. If you have registered your product and need installation
assistance during the first 30 days, contact the GTA Support team by email to [email protected]. Include your product name,
serial number, activation code, feature activation code numbers for your optional/subscription features, and a Configuration
Report (available in Reports under Configuration in the web user interface), if possible.
Installation support only covers installation and default configuration of the firewall. For further assistance, contact an authorized
GTA Channel Partner or GTA Sales staff for information about support offerings.
Support Options
If you need support after installation and default configuration, a variety of support contracts are available. Contact an
authorized GTA Channel Partner or GTA Sales staff for more information. Support ranges from per-incident support to annual
contract coverage.
Other avenues for assistance are available through authorized GTA Channel Partners, the GNAT Box Mailing List, or the GTA
web site (http://www.gta.com).
Updates
Once registered, you can view available updates in the GTA online support center section of the GTA web site
(www.gta.com/support/center/login/). Click on the serial number of your registered product to see if an update is available for
that specific model.
Special chapters may provide information on features not directly present in the GB-OS web interface. For example, a chapter
about utility software contains information on GBAuth, DBmanager, LogView and GTAsyslog. These utilities are used by
GB-OS, GB-Commander and GTA Reporting Suite. The troubleshooting chapter presents answers to some of the common questions
users have when configuring and using a GTA firewall. The appendices contain lists of ports and services, log messages, user
interfaces, GB-OS terms and default settings.
Documentation Conventions
A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this in PDF format,
color variations may also be used to emphasize notes, warnings and new sections.
Bold Italics: emphasis
Italics: publications
SMALL CAPS: field names
Monospace Font: screen text
Condensed Bold: menus, menu items
BOLD SMALL CAPS: buttons, links
Additional Documentation
For additional instructions on installation, registration and setup of a GTA product, see the applicable Quick Guides, FAQs or
technical papers. For optional features, see the appropriate option guide. Documentation is included with new GTA products, and is
available for download from the GTA web site.
Note
Check the GTA web site for the latest PDFs and other documentation.
These manuals and other documentation can also be found on the GTA web site (www.gta.com). Documents on the web site are
either in plain text (*.txt) or portable document format (*.pdf) which requires Adobe Acrobat Reader version 5.0, Apple Preview
or ghostview. A free copy of Adobe Acrobat Reader can be obtained at www.adobe.com.
Document: Topics
GB-OS Firewall Software User’s Guide: GB-OS firewall software features; web user interface, GBAdmin
Console Interface User’s Guide: console interface
GB-Commander Product Guide: GB-Commander for GTA firewalls
GTA Reporting Suite Product Guide: stand-alone reporting software
Mail Sentinel Feature Guide: email anti-spam and anti-virus filtering optional feature
Surf Sentinel Content Filtering Feature Guide: content filtering optional feature
H2A High Availability Feature Guide: high availability optional feature
VPN Option Guide: VPN (virtual private networks) optional feature
FAQs on www.gta.com: frequently asked questions (FAQs)
Mailing List
These instructions are for GTA firewall appliances only, and do not apply to software firewalls such as GB-Ware. See the
GB-Ware Product Guide for installation and setup of GB-Ware firewalls.
Any firewall use or administration described in later chapters assumes that you have completed this chapter’s instructions
or the equivalent instructions in the GB-Ware Product Guide, as appropriate to your firewall model.
Registration
To get technical support and software updates, you must register your GTA firewall.
1. To register, go to www.gta.com. Click on SUPPORT and then the SUPPORT CENTER link.
2. If you do not have a GTA online support center account, click on the CREATE AN ACCOUNT NOW link and enter your information. Once you have completed the form, click the SUBMIT button to save the profile.
3. Enter your user ID and password on the login page. Click on the REGISTER A PRODUCT link. Enter your serial number and activation code, then click the SUBMIT button. To view your registered products, click the VIEW YOUR REGISTERED PRODUCTS link.
In addition to qualifying you for installation support, your product registration will allow GTA to inform you about updates and
special offers.
Note
If you cannot retrieve your activation code, or a code does not appear under VIEW YOUR REGISTERED PRODUCTS, please email support with a brief description of your problem in the body of the email. Include the product serial number and your online support account’s user ID in the message subject.
Getting Your Activation Code
All commercial GTA firewalls use an activation code to protect system software. This code is pre-installed in all firewall
appliance models. Optional features require separate feature activation codes. Serial numbers and activation codes are included with
the packaging and are also available under VIEW REGISTERED PRODUCTS on the GTA Support site,
http://www.gta.com/support/center/login/.
Note
GB-OS firewall software may be copied for backup purposes.
Connecting Your Computer to the Firewall
First install any necessary console software or documentation. Then physically connect the firewall to your computer or network
using the provided cables. If your LAN’s network configuration is different from the default firewall network, temporarily
connect a computer to the firewall’s default network or use the console interface to configure the firewall for integration with your
LAN.
Requirements
To connect the firewall, you will need the following hardware:
• 1 crossover Ethernet cable to connect to a host or router, or a straight-through cable to connect to a hub or switch (1 yellow crossover cable may be included; consult your package contents list)
• 1 external power supply or cable (may be included; consult your package contents list)
• 1 computer
In addition, you will need:
• an understanding of TCP/IP networking
• network IP addresses for all firewall network ports used
• subnet masks for each attached network
• default route to the external network (gateway)
• a list of services / ports to allow inbound (if any)
• a list of services / ports to restrict outbound (if any)
Installing Utilities & Documentation
Prior to setup of the firewall, install any desired utility software (such as GBAdmin) and documentation on your computer. If
the computer is running a non-Windows® operating system (e.g. Apple Macintosh® or Unix®) or an older version of Microsoft
Windows incapable of using the automated installer, locate the directory on the CD appropriate for your operating system
(OS) and use the Read Me document to install documentation and utility programs. Note that some software may only run on a
Windows operating system.
Setup by Temporary Peer Network
The factory network settings on the firewall are unlikely to match your existing network. In this case, you must first temporarily
join a computer to the firewall’s default network. This allows you to connect to configure the firewall’s network settings to match
your network IP address scheme.
1. Use a crossover Ethernet cable to connect a computer to the firewall’s network port (NIC) 0. Alternately, use straight-through cables to connect your computer and the firewall’s NIC 0 to a hub or switch.
Note
NIC 0 is the Ethernet network port/connector labelled with a zero (0).
2. Back up your computer’s network configuration. Temporarily change your computer’s network configuration to join the firewall’s default network:
IP ADDRESS: 192.168.71.253 (or any address on the default network)
GATEWAY: 192.168.71.254
NETMASK: 255.255.255.0
Temporary Network Configuration for Connection with Firewall Defaults - Windows
Temporary Network Configuration for Connection with Firewall Defaults - Mac OS X
3. Reboot your computer if necessary to put the new network configuration into effect.
Alternate Method: Setup by LAN Using the Firewall’s Default Network
1. If your LAN currently matches the firewall’s default 192.168.71.xxx network (which is unlikely), you can configure the firewall over the LAN without making a temporary network. Just make sure that the firewall’s IP address (192.168.71.254) is not currently assigned to any other device on your network, then connect your firewall.
2. If another device does have this IP address assigned, do not connect the firewall to the LAN. Instead, use a crossover Ethernet cable and connect your computer directly to the firewall’s NIC 0, as in the first method. You can use the yellow crossover cable included with the firewall appliance.
The next step is to enter your network information over the firewall's default configuration.
Powering On the Firewall
Connect the power supply or cable to a power outlet, then insert the power connector tip into the firewall. If there is a power
switch, turn the firewall on; if there is no power switch, applying the power cable should cause the boot process to begin.
The system should be operational in about one minute. Check to see that the power indicator LED on the front panel is lit.
Verify your ability to connect to the firewall by pinging its default IP address of 192.168.71.254.
Preparation is now complete. Next, replace the firewall’s default configuration with your own network’s configuration.
Network Configuration
The following sections will describe how to replace the firewall’s default configuration with your own network settings. Use
either the web user interface or the GBAdmin user interface.
Configuration Using a Web Browser
Browser Compatibility
GTA recommends using Apple Safari (www.apple.com), Mozilla (www.mozilla.org), Netscape Navigator (www.netscape.com),
Opera (www.opera.com), Microsoft Internet Explorer® for Windows, or another SSL-compatible and frames-enabled browser to
administer your firewall.
On Macintosh computers, GTA does not recommend using Microsoft Internet Explorer for Macintosh (Mac IE 5). OpenSSL
encryption, used by the firewall, is known to be incompatible with Mac IE 5, and your browser will not allow you to continue past
the security alert screen. If you must use Mac IE 5, install the firewall using a compatible browser, GBAdmin or the console and
disable SSL before using Mac IE 5. Mac IE 5 can only be used with SSL encryption disabled.
Caution
Administration of the firewall without SSL is insecure and may send sensitive information such as passwords in clear text, and is not recommended if you have a hub or any other network device between your computer and the firewall appliance.
Connecting to the Web Interface
1. Start a web browser on your computer and enter the firewall’s default IP address into the browser’s location/address field: https://192.168.71.254.
2. If your network and cables are set up correctly, you will be prompted with a security alert dialog indicating that the certificate authority is not one you have chosen to trust; that the security (SSL) certificate date is valid; and that the name on the security certificate does not match the name of the site.
Accepting the Firewall’s SSL Certificate
Select YES, or, if your alert differs, choose the selection that allows you to proceed. (You may establish your firewall SSL certificate once you have logged on to the firewall.)
3. Next, in the login screen, enter the default user ID, "gnatbox" (all lower case). Then enter the default password, also "gnatbox" (all lower case). Select OK or press the RETURN key when finished.
Caution
GTA recommends changing the default user ID and password to prevent unauthorized access.
Setting Your Time
Firewall logs record events and schedule time-based filters by current time. To ensure that the correct time is used, your GTA
firewall should poll a network time (NTP) server. To enter which network time servers you would like to use, click Services to
expand the menu, then Network Time Service. Check the ENABLE box, enter the domain name of a network time server (e.g.
time.apple.com), then click the SAVE and OK buttons.
Entering Your Network Information
The firewall has default settings which need to be changed to match your network settings. Click on Basic Configuration to expand
the menu, then select Network Information.
Only one external and one protected network interface is required to initially configure and test the firewall. The other interface
can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTA's enhanced DMZ).
1. On the Network Information section:
• Enter IP addresses and subnet masks (in either dotted decimal or CIDR notation) for your external and protected net-works on each network interface.
• Disable the DHCP option on the external network interface if necessary.
• Enter the default route to your Internet router’s IP address.
• Enter the firewall’s domain name according to your DNS server. This will automatically generate a new SSL certificate for the firewall using its domain name.
Caution
Closing the browser without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.
2. Once you have completed the network configuration, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close your browser.
Caution
Failure to close the browser may allow unauthorized access to the firewall. To prevent this, always log out and close your browser after a firewall administration session.
Note
If you changed the IP of NIC 0’s protected network, the firewall will now be on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computer’s original network settings to access the firewall again.
Entering a Network Configuration Using a Browser
Using CIDR-based or Slash (/) Notation
CIDR (Classless Inter-Domain Routing) notation for a subnet mask aggregates routes so that one IP address can represent
thousands served by a backbone provider. GB-OS uses CIDR notation as the default for subnet masks, instead of dotted decimal
notation (e.g. 255.255.255.0).
Instead of the fixed 8, 16 and 24 bits used in dotted decimal Class A, B, or C subnet masks, CIDR notation can further divide the
network into subnets by using a bit mask of any length from 1 to 32 to determine the network portion of the address (/32
representing one IP address). For example, the CIDR address 204.12.01.42/24 indicates that the first 24 bits are used for the
network ID. The /24 mask includes 254 hosts on the network, and is equivalent to 255.255.255.0 in dotted decimal notation.
Calculate a CIDR notation subnet mask by converting the dotted decimal subnet mask to binary and counting the ones. For a
Class C network, the dotted decimal subnet mask is 255.255.255.0. The binary notation of that subnet mask is
11111111.11111111.11111111.00000000. There are 24 ones, so the CIDR notation would be /24. Using a 255.255.255.240 subnet mask,
the binary representation would be 11111111.11111111.11111111.11110000. The notation would be /28.
You may also enter a host address that is defined by not including a subnet mask (e.g. 192.168.123.1). This is equivalent to
a /32 bit mask. To enter a range of addresses, use a hyphen (-) between the two extremes of the range (e.g.
192.168.123.0-192.168.123.255).
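The mask-to-prefix conversion and the three address forms described above (a host with no mask, an address with a /prefix or dotted mask, and a hyphenated range), as an added worked example in Python. This is not GB-OS code and the function names are my own; it goes slightly beyond the text by rejecting a dotted mask that is not a contiguous run of ones, which the counting method silently assumes.

```python
"""Subnet mask conversions and address-field parsing as the guide describes.

Added example, not part of GB-OS. Function names are hypothetical.
"""
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted-decimal mask.

    The guide's method: write the mask in binary and count the ones.
    A valid mask is a run of ones followed only by zeros; anything else
    (e.g. 255.0.255.0) is rejected rather than miscounted.
    """
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    bits = "".join(f"{int(o):08b}" for o in octets)   # e.g. 11111111...11110000
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Inverse conversion: /28 -> 255.255.255.240."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def usable_hosts(prefix: int) -> int:
    """Host addresses in a subnet, excluding network and broadcast.

    /24 -> 254, as the guide states. /31 and /32 have no separate
    network/broadcast addresses, so their full size is returned.
    """
    size = 1 << (32 - prefix)
    return size - 2 if prefix <= 30 else size


def parse_address_spec(spec: str):
    """Parse an address field in the forms the guide accepts.

    Returns (first_address, last_address, prefix); prefix is None for an
    explicit range. Accepted forms:
      192.168.123.1                    host, implied /32
      192.168.71.254/24                CIDR (slash) notation
      192.168.71.254/255.255.255.240   dotted-decimal mask
      192.168.123.0-192.168.123.255    explicit range
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range reversed: {spec}")
        return str(lo), str(hi), None
    addr, _, mask = spec.partition("/")
    if not mask:
        prefix = 32                     # no mask given: a single host
    elif "." in mask:
        prefix = mask_to_prefix(mask)   # dotted-decimal mask
    else:
        prefix = int(mask)              # slash notation
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: {spec}")
    # strict=False lets a host address stand in for its network
    net = ipaddress.IPv4Network((addr, prefix), strict=False)
    return str(net.network_address), str(net.broadcast_address), prefix


if __name__ == "__main__":
    for s in ("192.168.123.1", "192.168.71.254/24",
              "192.168.71.254/255.255.255.240", "192.168.123.0-192.168.123.255"):
        print(s, "->", parse_address_spec(s))
```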
Caution
Failure to change the default password is a serious security vulnerability. GTA recommends changing the default user ID and password to prevent unauthorized access.
Configuration Using GBAdmin
If your computer’s operating system is Microsoft Windows, you can choose to configure your firewall by using the GBAdmin
software you installed earlier instead of using the web interface.
Note
GBAdmin can only be installed on a local computer that uses Windows 98, NT 4.0, XP, Me, 2000 or 2003.
1. Select GBAdmin from the Windows Start menu to start GBAdmin.
2. Select File from the tool bar, then select Open. In the dialog box’s SOURCE area, select NETWORK. In the SERVER field, enter the default IP address for the firewall (192.168.71.254). Make sure that there is a check in the box next to CONFIGURATION in the INFORMATION TO LOAD section. Once this is complete, press the RETURN key or click OK.
Opening a GBAdmin Firewall Connection
3. GBAdmin will prompt you for a user ID and password to the firewall. Enter the default USER ID, which is "gnatbox" (all lower case) and enter the default PASSWORD, which is also "gnatbox" (all lower case), then press the RETURN key or select OK when finished.
Entering the Default User ID and Password
Caution
12 GB-OS 3.7 User’s Guide
GBAdmin Network Information Window
Entering Your Network Information
The firewall has default settings which need to be changed to match your network settings. Click on Basic Configuration and expand the menu to select Network Information.
Only one external and one protected network are required to initially configure and test the firewall. The other network interface
can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTA's DMZ).
1. On the Network Information section:
• Enter IP addresses and subnet masks (in either dotted decimal or CIDR notation, as described in the web setup method) for your external and protected networks on each port.
• Disable the DHCP option on the external network if necessary.
• Enter the default route to your Internet router’s IP address.
• Enter the firewall’s domain name according to your DNS server. This will automatically generate a new SSL certificate for the firewall using its domain name.
Caution
Closing GBAdmin without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.
2. Once you have completed the Network Information form, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close GBAdmin.
Note
If you changed the IP address of network interface 0’s protected network, the firewall will now be on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computer’s original network settings to access the firewall again.
Re-configuring Your Computer
If you temporarily changed your computer’s network configuration to connect to the firewall, restore the original configuration now. If you formed a temporary peer network during network configuration, disassemble it now; reconnect your computer and the firewall to your network. Now your computer and firewall should both be members of your network. Reboot your computer if necessary to put the network configuration change into effect.
Accessing the Firewall
Access the firewall using the IP address you assigned to the protected network interface.
The firewall should now be active and functioning in default security mode (all internal users are allowed outbound and no unsolicited inbound connections are allowed). You can now perform any additional configuration tasks.
DNS proxy requires a remote access filter to allow DNS proxy replies and to specify which hosts may use the DNS proxy. The
hosts will be represented either by an IP address or an address object. The DNS proxy sends a request to all available DNS
resolvers (those listed and those acquired dynamically) to resolve a host name. The first reply will be sent to the requestor.
A DNS proxy is unnecessary with a local DNS server configured, so enabling the DNS Server will disable the DNS Proxy feature.
Note
DNS services are optional on certain GTA firewalls.
Use an internal network DNS server if one is available; see the services chapter to configure the firewall as a DNS server. Use a
DNS server from outside your network (e.g. a name server accessed through your ISP) as your external network DNS server.
Field: Description
Primary Domain Name: Primary domain name used for the network (e.g. gta.com).
Enable External Name Server: Use the name servers listed in this section. Disabled by default.
External Name Server IP Address: IP address of an external DNS server that will provide records for your internal DNS server/proxy.
Enable Internal Name Server: Use the name servers listed in this section. Disabled by default.
Internal Name Server IP Address: IP address of an internal DNS server.
Enable (DNS Proxy): Enable DNS proxy. Disabled by default.
Note
Enabling Services’s DNS Server overrides the DNS Proxy.
DNS (DNS Proxy)
Features
Enter the system serial number and firewall activation codes in Features. The RESET button reverts to previously saved
Features
Serial Number
The firewall serial number can be found on the card shipped with the firewall (along with the activation code), and on GTA
firewall appliances. After registration, the serial number can also be retrieved from the GTA online support center.
Activation Codes
Activation code entry is necessary to use GB-Ware, feature updates or subscription services.
Enter activation codes (hexadecimal characters only: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F) in the ACTIVATION CODE fields and select SAVE. The firewall will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version. Activation codes are available on the card shipped with your product or on the GTA Support web site after registration.
Additional entry spaces will be added as codes are entered and saved. Up to twenty (20) activation codes may be entered in the Features section.
Note
It is not necessary to delete old activation codes. However, if you would like to delete an entry, remove all of the code characters and select SAVE.
To add entries in GBAdmin, click the ADD (+) button and then select SAVE. To delete a saved code, click DELETE (×), then click SAVE. The RELOAD button reverts to previously saved information if you have not yet saved the section.
Note
Activation codes will not function without the firewall serial number. Hardware appliances have this number pre-installed.
Network Information
Much of the Network Information data will have been entered during installation, including the required protected and external networks.
Gateway: (Web only.) When checked, make the interface an Internet gateway (default route).
Host Name: Identifying host name for the firewall. GTA recommends using a fully qualified domain name.
Default Gateway: Selected default route. Additional gateways can be defined in Gateway Policies. GBAdmin: When the gateway is dynamic, select the gateway’s logical interface or interface object.
Network Information – Logical Interfaces, Host Name and Default Gateway
Logical Interfaces
A GTA firewall requires two logical networks, a protected and an external network, except when in bridging mode. Additional
external and protected logical networks can be added, as well as one or more Private Service Networks (PSN).
A logical interface:
• assigns a network (represented by an IP address and subnet mask) to a physical NIC
• designates a network type
• identifies a gateway (default route)
The logical interface name serves as an interface object, allowing the administrator to reference the interface quickly when configuring the firewall.
Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask
is not entered, the system will attempt to create one based on the network class: in CIDR notation, Class C = /24, Class B = /16,
Class A = /8. This helps to prevent misconfiguration.
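The two mask rules above (a bare host address or a hyphenated range in an address object, and the classful /8, /16 or /24 fallback when a logical interface is entered without a mask) are easy to get wrong when worked out by hand. The following Python is an added example, not GB-OS code, that performs the conversions described in the CIDR discussion earlier in this chapter: dotted decimal mask to prefix length by counting the ones (rejecting a mask whose ones are not contiguous), prefix length to mask, the usable host count, the classful default for an interface entered without a mask, and parsing of the three address-object forms (a.b.c.d/n, a bare host treated as /32, and an a-b range). The function names and the decision to reject non-contiguous masks are assumptions.

```python
"""Subnet mask and CIDR helpers (added example, not GB-OS code).

Assumes IPv4 addresses given as plain strings; function names are hypothetical.
"""
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    """'204.12.01.42' -> 32-bit integer (a leading zero in an octet is tolerated)."""
    octets = ip.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask_int(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Count the one bits: 255.255.255.0 -> 24, 255.255.255.240 -> 28.

    A mask whose ones are not contiguous (e.g. 255.0.255.0) is rejected, since
    counting its ones would silently give a wrong prefix length.
    """
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != prefix_to_mask_int(ones):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """28 -> '255.255.255.240'."""
    return int_to_ip(prefix_to_mask_int(prefix))


def usable_hosts(prefix: int) -> int:
    """/24 -> 254: network and broadcast addresses are not assignable; /32 is one host."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2  # point-to-point link, no network/broadcast address reserved
    return 2 ** (32 - prefix) - 2


def default_prefix_for_class(ip: str) -> int:
    """Classful fallback applied when a logical interface is entered without a mask:
    Class A (first octet 0-127) = /8, Class B (128-191) = /16, Class C (192-223) = /24."""
    first = ip_to_int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a Class A, B or C address; enter a mask explicitly")


def parse_address_object(text: str) -> Tuple[int, int]:
    """Return (first, last) of the addresses an address object covers.

    Accepts 'a.b.c.d/n', a bare host 'a.b.c.d' (treated as /32) and a hyphenated
    range 'a.b.c.d-w.x.y.z', the three forms described for address entry.
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = ip_to_int(lo_s), ip_to_int(hi_s)
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo, hi
    if "/" in text:
        ip, prefix_s = text.split("/", 1)
        prefix = int(prefix_s)
        if not 1 <= prefix <= 32:
            raise ValueError("prefix length must be between 1 and 32")
    else:
        ip, prefix = text, 32
    mask = prefix_to_mask_int(prefix)
    first = ip_to_int(ip) & mask
    return first, first | (~mask & ALL_ONES)
```

The contiguity check in mask_to_prefix is the part worth keeping when adapting this: a typo such as 255.255.0.255 has the same number of ones as 255.255.255.0, so a plain bit count would accept it and produce a /24 that does not describe the intended network.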
Interface Object Names
Interface object names may not use a number as the first character.
Caution
If a logical name is changed, but a filter that references it is not updated to refer to the new name, you will lose all connections maintained by the filter.
To change any object name without losing connectivity, copy the object, change the name in the copy, enable it, then update the configuration references with the new name. After saving the new object, you may delete the original. Alternatively, to change interface logical names, first set filters to accept an IP address and/or interface of Any, then change the interface name and restore filters to accept the new logical name.
Host Name
The host name is the system name assigned to the GTA firewall and used to tag log messages. GTA recommends using a fully
qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for
a specific computer (host) on the network, consisting of a host, domain, and top-level domain (e.g. gtafirewall.example.com, or
www.gta.com). Host names must be unique. If your network DHCP servers make IP address assignments based on the system
name, enter the host name, often assigned by your ISP.
Note
Changing the host (domain) name of your firewall will cause it to automatically generate a new SSL certificate using the new host name.
Default Gateway
On a static interface, enter the IP address of the selected default route in the DEFAULT GATEWAY field. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface except when using PPP.
The gateway value will be set automatically on a dynamically negotiated interface (DHCP or PPP). On the web interface, select the GATEWAY check box for the DHCP or PPP network in the LOGICAL INTERFACES section to make the network the default gateway (default route) to the Internet.
In GBAdmin, select the interface object of the DHCP or PPP connection from the Default Gateway drop down menu.
Note
Gateway Policies will initially take the first gateway from the default route listed in Network Information. Further modifications to Gateway Policies cause it to override the default route listed in Network Information: GATEWAY 1 in Gateway Policies will become the default route, regardless of the default route listed in Network Information.
Bridged Interfaces
In BRIDGED INTERFACES, additional interfaces can be configured to share the IP address of one of the primary logical interfaces. TCP/IP packets pass between these bridged interfaces according to normal firewall rules on specified ports if allowed by a passthrough filter.
Caution
Packets with non-TCP/IP Ethernet protocols that have been allowed in Bridged Protocols can bypass all filtering between the bridged interfaces. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security vulnerability to your network, and is not recommended by GTA.
Field: Description
Logical Name: Interface object name for this bridged logical network interface.
Type: Interface type: protected, external or PSN.
Interface: Logical interface to which to bridge the network interface card/physical interface in the NIC field.
NIC: Network interface card (“port”; see NICs or physical interfaces) to associate with the bridged network. The drop down menu lists all physical devices on the firewall.
Caution
There is no firewall filtering of the protocol types that have been allowed in Bridged Protocols. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security threat to your network, and is not recommended by GTA.
A GTA firewall in bridging mode can be inserted behind a router to the Internet between the router and the internal networks
without changing IP addresses, gateways or any other network addresses for the rest of your network hosts.
A GTA firewall in bridging mode can also be inserted in an internal network to separate networks that are at a peer level, or to
further segregate Private Service Networks (a.k.a. DMZ). This configuration allows two internal networks to communicate as one,
while filtering non-bridged IP traffic between them and preventing the passage of non-IP protocols (except ARP, which operates at
both data link layer 2, and network layer 3).
In bridging mode, a GTA firewall can be connected directly to a host, a switch, a router or a non-bridged firewall.
Note
Bridging can only be configured in GBAdmin or the web interface.
Gateway Policies
In order for gateway selection (see Routing’s Gateway Policies) to function correctly in bridging mode, the host must use the IP address of a logical interface on the firewall as its gateway.
Services
The H2A High Availability service is not supported in bridging mode.
PPP, PPPoE and PPTP are not supported on a bridged interface.
If a host points to a router or gateway on a bridged interface as its default route to the Internet, the firewall will override that preference, routing the packet through its logical external network interface.
Also, in bridging mode (as in unbridged firewall operation) any packet that goes through the firewall will use the firewall’s routing tables. This means that even though a host may have indicated a particular route, the firewall will instead use the routes set up in Static Routing and RIP to route the traffic.
Network Interface Cards (NICs) or Physical Interfaces
Physical interfaces are supported and configured network interface devices detected by the system, including configured Ethernet
NIC and PPP connections.
Field: Description
NIC (& PPP): Network interface (Ethernet) cards detected, including configured PPP (modem) connections.
MAC Address: If the physical interface device is an Ethernet card, the card’s MAC address will be displayed. Record MAC addresses before installing system software.
Connection: AUTO is generally recommended. Selections are:
AUTO: Auto-select the active network connection.
UTP_10: Unshielded twisted pair interface at 10 Mbps.
TX_100: Unshielded twisted pair interface at 100 Mbps.
Option: Default (full- or half-duplex) or full duplex.
MTU: Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance, but it may be beneficial to increase the MTU for a gigabit Ethernet interface when jumbo packets are to be used.
Network Information - Network Information Cards (NICs)
PPP
PPP connections are frequently used in conjunction with dial-up modems or DSL ISPs. PPP configures a PPP (Point-to-Point Protocol), PPPoE (PPP over Ethernet) or PPTP (Point-to-Point Tunneling Protocol) connection for the firewall. After creating the configuration in the PPP section, enable the connection in the Network Information section by associating the configuration with the chosen logical interface.
PPP
Insert PPP - Select Transport Protocol
In GBAdmin, create a new PPP configuration by selecting the ADD (+) button from the tool bar, creating a blank PPP tab with three sub-tabs. Create a PPPoE configuration by selecting the PPPOE or PPTP check box, which changes the selections on each sub-tab.
PPPoE
PPPoE is commonly used to assign IP addresses for DSL service providers.
Note
GB-OS automatically detects connection preferences so that the user is no longer required to enter chat or dial scripts, select CHAP or PAP, or set parity and flow control.
Enabling PPP/PPPoE in Network Information
1. After completing the PPP or PPPoE configuration in the PPP section, go to the Network Interface section and select the NIC number (e.g. PPP0) on the logical interface for the external network interface you have selected for the PPP connection.
2. Select the logical interface as the gateway. Once these have been selected, the system will dynamically negotiate the IP address of the gateway. The DHCP selection will be unavailable.
Caution
PPP connections are automatically named PPP0, 1, 2, 3 or 4, in order of creation. When an entry in the PPP section is deleted, the remaining entries will be renamed according to the new order. Interfaces which use PPP connections must be changed to the revised designations.
PPTP
PPTP (point-to-point tunneling protocol) is typically used on GTA firewalls as an alternative to DHCP when allocating subnet IP addresses. It encapsulates and uses weak encryption on packets so that data or internal network IPs cannot be seen during transit.
4. Create a remote access filter (RAF) that allows generic routing encapsulation (GRE) like PPTP to be accepted and routed to your internal network. Click Filters then Remote Access. Click the ✓ (check) button next to the ALLOW GRE FROM PPTP SERVER field. You may edit the default filter, or you may click the COPY button at the bottom of the page to make a separate filter templated by that default filter. Click the OK button, then the SAVE button. Once the settings have been saved, the PPTP connection will dynamically negotiate the gateway IP address.
Caution
Default RAF are broad in scope. Modification may be required to meet the standards of your security policy.
Field: Setting
Description: Allow GRE from PPTP server.
Type: Accept
Interface: ANY
Authentication Required: Select
Protocol: GRE (IP Protocol 47)
Source: <Use IP address> e.g. 192.168.71.220
Destination: <Use IP address> e.g. 10.0.0.81
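To make the caution about broad default filters concrete, here is an added Python model, not GB-OS code, of how a remote access filter such as the one in the table is matched against an inbound packet. The Packet and RemoteAccessFilter structures, first-match evaluation and the default-deny result for traffic no filter accepts are assumptions modelled on the default security mode described earlier in this chapter; the Authentication Required field is left out. It compares the table’s filter, narrowed to the PPTP server’s address, with a version that accepts GRE from any source, using the example addresses from the table and a constructed outside address.

```python
"""Minimal model of remote access filter (RAF) matching (added example, not GB-OS code).

Field names follow the table above; the packet/filter structures, first-match
evaluation and default deny are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional

GRE = 47  # IP protocol number carried by PPTP data packets


@dataclass(frozen=True)
class Packet:
    interface: str      # interface the packet arrived on, e.g. "eth0"
    protocol: int       # IP protocol number
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class RemoteAccessFilter:
    description: str
    type: str                                   # "Accept" or "Deny"
    interface: str = "ANY"                      # "ANY" or one interface name
    protocol: Optional[int] = None              # None = any IP protocol
    source: IPv4Network = ip_network("0.0.0.0/0")
    destination: IPv4Network = ip_network("0.0.0.0/0")

    def matches(self, pkt: Packet) -> bool:
        return (
            self.interface in ("ANY", pkt.interface)
            and (self.protocol is None or self.protocol == pkt.protocol)
            and pkt.src in self.source
            and pkt.dst in self.destination
        )


def evaluate(filters: List[RemoteAccessFilter], pkt: Packet) -> str:
    """First matching filter decides; unmatched inbound traffic is denied (assumed)."""
    for f in filters:
        if f.matches(pkt):
            return f.type
    return "Deny"


# Example addresses from the table; the filter set itself is constructed.
PPTP_SERVER = ip_address("192.168.71.220")
FIREWALL_EXT = ip_address("10.0.0.81")

ALLOW_GRE_FROM_SERVER = RemoteAccessFilter(
    description="Allow GRE from PPTP server.",
    type="Accept",
    interface="ANY",
    protocol=GRE,
    source=ip_network(f"{PPTP_SERVER}/32"),
    destination=ip_network(f"{FIREWALL_EXT}/32"),
)

# The same filter with source left at "any": the broad form the caution warns about.
ALLOW_GRE_FROM_ANYWHERE = RemoteAccessFilter(
    description="Allow GRE from any source", type="Accept", protocol=GRE
)


def demo() -> dict:
    from_server = Packet("eth0", GRE, PPTP_SERVER, FIREWALL_EXT)
    from_elsewhere = Packet("eth0", GRE, ip_address("203.0.113.9"), FIREWALL_EXT)  # constructed
    return {
        "narrow/server": evaluate([ALLOW_GRE_FROM_SERVER], from_server),
        "narrow/other": evaluate([ALLOW_GRE_FROM_SERVER], from_elsewhere),
        "broad/other": evaluate([ALLOW_GRE_FROM_ANYWHERE], from_elsewhere),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Pinning the Source field to the PPTP server address, as the table suggests, is what turns the default filter from “accept GRE from anyone” into “accept GRE from the one peer that should be sending it”; the demo shows the same packet being denied once the source is narrowed.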
Field: Description
Name: PPP0, 1, 2, 3 or 4. The name is automatically assigned, and will be the same for a PPPoE connection. The name will appear as a tab in GBAdmin.
Description: A user-defined description of the connection.
Connection Type: One of the following.
Dedicated: Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted. Select for PPTP. The logical choice for PPPoE, as DSL is an “always on” connection. Select to test a configuration.
On-demand: Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface, destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired.
On-enabled: Requires manually enabling the external interface to initiate a session and establish a link with the remote site. The link will stay established until disabled. Interfaces may easily be enabled/disabled in Interfaces under Administration.
Transport: Select in the INSERT PPP dialog box. GBAdmin: enable by selecting the check box.
NIC**: Network interface on which PPPoE will run.
Interface***: Select the interface defined in Network Information.
PPTP Server***: Enter IP address of the internal PPTP server.
Primary COM Port*: COM Port used for the PPP interface. COM 1-4 are allowed, except for GB-1000: COM 2, and RoBoX: COM 1.
Phone Number*: Number used to dial the remote site. This field should contain any required access codes, e.g. 9 to dial out. Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes.
User Name: User ID for remote access; password and user ID are generally issued by the remote site.
Password: Password for remote access, obscured in the data field.
Local IP Address, Remote IP Address: A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.
Connection Time-out: Number of seconds during which a connection will stay connected when inactive. To prevent timing out, enter 0. Default is 600 (10 minutes).
communicates with the modem. Options: 1200, 2400, 4800, 9600, 19200, 38400, 57600, 76800, 115200, 230400.
Number of Retries*: Number of attempts the system will make to establish a connection. After failure, any new packets arriving for the external network will restart a new dialing attempt. Dedicated connections do not use retries; they continue to try to connect. Default is 3.
Time before retry*: This is the amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.
Address/Field Compression: Options: Enable (local) or Accept (Remote). §
Line Quality Report: Options: Enable (local) or Accept (Remote). §
Protocol Field Compression: Options: Enable (local) or Accept (Remote). §
Van Jacobsen Compression: Options: Enable (local) or Accept (Remote). §
Don’t Bond Channels*: Use to configure ISDN connections. Check with your provider for required settings. Off by default. Options: Yes/No.
Switch Type*: Use to configure ISDN connections. Check with your provider for required settings. Options: Default; NI-1; DMS-100; 5ESS P2P; 5ESS MP.
Debug: These options provide helpful information when creating a PPP configuration. Chat records dialing and login chat script conversations. LCP records LCP conversations. Use to set non-default Link Control Protocol options. Phase records network phase conversations. Use to determine the LOCAL and REMOTE IP address specifications. Options: CHAT, LCP, and/or PHASE.
* PPP screens only. ** PPPoE screens only. *** PPTP screens only.
§ Each Link Control Protocol (LCP) option has a pair of settings, one for each side of the link: Enable for local and Accept for remote. If Local is enabled, the firewall will request that the remote side use that LCP option. If Local is disabled, the firewall will not send a request for that option. If Remote is set to Accept (enabled), and the remote side of the connection offers to use the option, the firewall will accept it. If it is set to Deny (disabled), then the firewall will not accept the option if the remote side offers it.
Default LCP settings are correct for most cases. If you are unsure which options to select, use the default setting and enable the LCP debug option. Then, when a session is attempted, use the debug data in the logs to determine which options have been requested and rejected. Match your LCP settings to the desired requests.
Insert PPP - Serial PPP
Insert PPP - PPTP
Preferences (Basic Configuration)
Preferences stores an administrator’s contact information used by email, report and list functions.
Field: Description
Name: Primary contact name of the administrator.
Company: Company or organization name of the owner.
Email Address: Email address of the administrator.
Phone Number: Phone number of the administrator.
Support Email: Email support address, supplied by GTA or your GTA Channel Partner; used if you send a configuration report to GTA Support.
Character Set: (Web only.) Select the appropriate character set for your language.
DHCP Server
DHCP Server automates assignment of IP addresses and configures the DNS server and gateway for computers on local networks using DHCP (Dynamic Host Configuration Protocol).
The DHCP Server manages a range of IP addresses (a “pool”, e.g. 10.10.10.4 – 10.10.10.254) which can be assigned to hosts. Non-contiguous sets of IP addresses can be defined using exclusion ranges. Exclusion ranges indicate which IP addresses within the previously defined address range must not be assigned to hosts.
When the DHCP Server receives an initial request from a client host, it assigns an available IP address from its pool. Upon subsequent requests by the same client, the DHCP Server will attempt to reassign the same IP address. The only case in which it will not reassign the same IP address is when the number of DHCP clients exceeds the number of IP addresses available in the pool, and the IP address has been assigned to a different host.
Changes to DHCP Server are applied when you click SAVE.
Note
The default gateway is usually either the firewall’s protected/PSN network card or the Internet router’s IP address, as specified in Network Information or Gateway Policies.
Field: Description
Disable: Disable this DHCP IP address pool.
Description: User-defined description of the IP address pool.
Beginning Address: First IP address of the pool’s range.
Ending Address: Last IP address of the pool’s range.
Net Mask: Subnet mask used to divide hosts into network groups.
Lease Duration: Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address.
Exclusion Ranges: Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.
Domain Name: DNS domain name, typically that of the local network.
Name Server IP Address: IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined.
Default Gateway: Gateway (default route) given to DHCP clients. For hosts located behind a firewall (on protected or PSNs) this will be the IP address of the firewall’s internal network card.
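The pool, exclusion-range and sticky-reassignment behaviour described above can be modelled in a few dozen lines. The Python below is an added example, not GB-OS code: a DhcpPool class built from the Beginning Address, Ending Address, up to five Exclusion Ranges and the Lease Duration fields of the table, whose request() method hands a returning client its previous address unless that address has since been given to a different host because the pool was exhausted. The class and method names, the use of a plain integer clock for lease expiry, and the small address range and client names in the demonstration are assumptions and constructed values.

```python
"""Toy DHCP address pool with exclusion ranges and sticky reassignment
(added example, not GB-OS code; class/method names are hypothetical)."""
from ipaddress import ip_address, IPv4Address
from typing import Dict, Iterable, List, Optional, Tuple


class DhcpPool:
    """One DHCP Server pool: Beginning/Ending Address, Exclusion Ranges, Lease Duration."""

    def __init__(self, begin: str, end: str,
                 exclusions: Iterable[Tuple[str, str]] = (), lease_seconds: int = 600):
        self.begin, self.end = ip_address(begin), ip_address(end)
        if self.begin > self.end:
            raise ValueError("beginning address is above ending address")
        exclusions = list(exclusions)
        if len(exclusions) > 5:
            raise ValueError("at most five exclusion ranges per pool")
        # A single excluded address is given as both ends of the range, as in the table.
        self.exclusions = [(ip_address(lo), ip_address(hi)) for lo, hi in exclusions]
        self.lease_seconds = lease_seconds
        self.leases: Dict[IPv4Address, Tuple[str, int]] = {}  # address -> (client, expiry)
        self.last: Dict[str, IPv4Address] = {}                # client -> address it held last

    def candidates(self) -> List[IPv4Address]:
        """Every address in the range that is not inside an exclusion range."""
        out, addr = [], self.begin
        while addr <= self.end:
            if not any(lo <= addr <= hi for lo, hi in self.exclusions):
                out.append(addr)
            addr += 1
        return out

    def _expire(self, now: int) -> None:
        # A client that did not renew before expiry loses the lease (see Lease Duration).
        self.leases = {a: (c, e) for a, (c, e) in self.leases.items() if e > now}

    def available(self, now: int) -> int:
        self._expire(now)
        return sum(1 for a in self.candidates() if a not in self.leases)

    def request(self, client_id: str, now: int) -> Optional[IPv4Address]:
        """Assign or renew an address for client_id; None when the pool is exhausted.

        A returning client gets its previous address back unless that address is
        currently leased to a different client, which can only happen after the
        pool ran out and the address was handed to someone else.
        """
        self._expire(now)
        prev = self.last.get(client_id)
        if prev is not None and self.leases.get(prev, (client_id, 0))[0] == client_id:
            addr = prev
        else:
            free = [a for a in self.candidates() if a not in self.leases]
            if not free:
                return None
            addr = free[0]
        self.leases[addr] = (client_id, now + self.lease_seconds)
        self.last[client_id] = addr
        return addr


if __name__ == "__main__":
    # Constructed pool of six addresses with .6-.7 excluded, leaving four usable.
    pool = DhcpPool("10.10.10.4", "10.10.10.9", [("10.10.10.6", "10.10.10.7")])
    for client in ("A", "B", "C", "D", "E"):
        print(client, pool.request(client, now=0))
```

The point the model makes visible is the one the text describes as the only exception to sticky reassignment: once the four usable addresses are leased and those leases lapse, a new client can take a lapsed address, and the original holder then receives a different one on its next request.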
DHCP Server
Insert DHCP Address Range
Note
The DHCP IP address range must consist of subnetwork IP addresses for one of the firewall’s attached networks. The DHCP Server cannot allot IP addresses that are not part of its attached networks.
In GBAdmin, first click the ENABLE check box to allow DHCP to be edited, then click ADD (+) to add a DHCP service. Select the inserted line. Once the fields have been saved, the basic information will appear in the DHCP service line below. To add an exclusion range, click ADD (+) next to the EXCLUSION fields. This will create a blank IP address for both the beginning and ending of the range. Double-click within the field to edit the BEGINNING IP address. Delete any extra characters, then edit the ENDING field.
DNS Server
DNS (Domain Name System) Server allows the firewall to be configured to function as a primary domain name server, maintaining a database of domain names and the IP addresses of hosts where those domains reside. Enabling the DNS Server section overrides the DNS Proxy in the DNS section of Basic Configuration. On some firewall products, DNS Server is optional and requires an activation code. See your product specifications for more information.
Note
GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and Bind, 3rd Edition, by Paul Albitz & Cricket Liu, published by O’Reilly and Associates.
The built-in DNS Server is functional and flexible enough for most firewall users, but cannot be configured to support all possible
DNS options. If your network requires a more complex configuration, or hosts secondary name services, GTA suggests using a
non-firewall DNS server.
(255.255.255.0) and Class B: /16 (255.255.0.0) are commonly used networks.
Reverse Zone Name: Optional name used by reverse DNS, which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are typically assigned by your ISP.
Subnets make a large network more manageable by splitting it into a series of contiguous address ranges.
DNS Server