Basic Firewall Configuration
An Introduction to GTA Firewalls
GB-OS Course #1101
8/26/2013
Global Technology Associates, Inc.
Introduction to GTA Firewalls
- Firewall Administration
  - Serial
  - SSL
- Initial Configuration
- Networking Configuration Options
- Advanced Options
- Objects
- Security Policies & Preferences
- Features Overview; UTM Features
- Dynamic Gateway Architecture
- Remote Access Options
- Interface Basics
- Monitor & Reporting
- Troubleshooting Basics & Miscellaneous
Firewall Administration
Console - Serial interface
- Used for basic setup of the IP address.
- Local access when remote access is lost.
- Advanced configuration must be performed via the web interface.
- Not supported via the console:
  - Bridge configuration
  - Link Aggregation
  - IPv6 Configuration
Web - SSL
- Primary method of configuration for the firewall.
- The web interface is consistent across all products: the GB-250 interface is the same as the GB-2500.
- Features not supported on a product (such as HA on a GB-250) will not display.
- Features requiring a code that is not present will display a message that an activation code is required.
Accessing the Firewall Using the Console User Interface
Video Console (GB-Ware only)
- Monitor and keyboard.
- GB-Ware Login Screen: Alt+F2
- Logging screen: Alt+F1
- Stats Screen: Alt+F3
Serial Interface (all firewalls)
- DB9 file transfer cable: DB9 to RJ45 serial cable (top right) or DB9 to DB9 file transfer cable (middle right).
- Terminal or terminal emulation software: HyperTerminal, TeraTerm, PuTTY with serial support (v5.0) (recommended).
Serial Console Terminal Settings
- Emulation: VT100
- Port: the port connected to the DB9 cable on the host
- Baud Rate: 38400
- Data bits: 8
- Stop bits: 1
- Flow Control: Hardware
Console Interface Login
- Default login is ID: fwadmin, Password: fwadmin
- The login prompt will display the firewall host name (if configured; otherwise it displays Unknown). This host name is configured in the Network Settings section.
- Garbled characters usually indicate the wrong speed is set.
Note: In versions 3.7 and below the default login is gnatbox/gnatbox.
Access Firewall Using Web Interface
1. Connect port 0 (eth0) on your GTA Firewall to a switch, hub, or your workstation's Ethernet port. If you are directly connected to the firewall, be sure to use a crossover cable.
2. If this is the first time you have accessed the firewall, enter the default IP address of https://192.168.71.254
3. Security Alert - You may see an alert notification for the server's certificate. The notification depends on the browser.
Access Firewall Using Web User Interface
- Embedded login is used by GB-OS versions 5.3 and above (bottom).
- The login page is customizable with a corporate logo: 100 KB size, 32x32 pixels (recommended); supports jpg, png or gif.
- After login you may see an initial splash screen. This screen displays after runtime updates and logins from new systems. Just click Continue to move past it.
System Overview - Dashboard
Provides a snapshot of the system status with quick links to other configuration sections. (Overview shows the last 24 hours.)
Firewall Administration Options
[Configure -> Accounts -> Remote Administration]
- Remote Administration Lock Out: denies all login access to the firewall from IP addresses which fail to provide the correct login credentials.
- Remote Admin Customization: allows for a customized Administration login.
Administrators
- Firewall Administration privileges are based on User Groups.
- Administrators may be defined on the firewall or use LDAP or RADIUS authentication.
- Creating a firewall administrator:
  - Create an Administration Group or use an existing group.
  - Define a user and select the administrative group he uses. The group may be the user's primary group or a group they are a member of.
- Default Administrator: there MUST always be one Administrator defined on the firewall. If no default administrator is defined on the firewall, a login of fwadmin for user and a password of fwadmin will allow administrative access.
Set Up Wizard
The Set Up Wizard allows entering all of the firewall's basic information for both IPv6 and IPv4 addressing, including enabling DNS and DHCP servers on an interface.
Network Configuration
Set Up Networking
- Network IP Addresses: [Configure -> Network -> Interfaces -> Settings]
- Configure Default Routes/Gateway: [Configure -> Network -> Routing -> Static Routes]
Security Policies & Objects
- [Configure -> Security Policies -> Policy Editor]
- [Configure -> Objects -> Address Objects]
Internet Connection Methods
- DHCP (IPv4 / IPv6)
- PPP
- PPPoE
- PPTP
- Serial GSM
- Statically Assigned
- SLAAC (IPv6 Stateless Address Autoconfiguration)
Advanced Network Options: Dual Stack IPv4 & IPv6 Mode
- IPv6: the default is IPv4 only.
- Upgraded firewalls run in IPv4 mode only.
- Switching the firewall to Dual Stack mode from IPv4-only mode: [Configure -> Network -> Preferences]. Requires a reboot.
Network Types or Zones
- EXTERNAL: least trusted.
- Protected: most trusted; other Protected networks are peers.
- PSN: not trusted by Protected; is NOT a peer to other PSNs.
Advanced Network Options: Timeouts
Advanced Network Options: Connection Limits
Advanced Network Options: Licenses & SIP
- Disable remote licenses: for intranet firewalls; no license checking. Not compatible with Online License GB-Ware or any subscription options.
- Disable SIP support.
Objects
- Address: holds IP addresses and domain names to be referenced in other parts of the firewall. Domain names/host names can only be used in Email Proxy and Web Content Filtering.
- Bookmarks: tools to create quick links for SSL Browsers. Covered further in Remote Access SSL.
- Encryption: building blocks for IPSec VPN. Covered further in the VPN course.
- IPSec Objects: used in IPSec Client and Site to Site VPN to define encryption and authentication methods. Covered further in the VPN course.
- Service Groups: tools to ease creation of policies and tunnels.
- Time Groups: used to create time-based policies.
Address Objects
- Type: controls where an object can be used. No Type selected is an internal object that can only be referenced in another object.
- Object: can be another object or a user-defined regular expression.
Service Objects
- Allow for creation of custom services and objects.
- Group services together to easily create security policies and tunnels.
Service Objects - Direction
- If used in a Tunnel, 8080 -> 80 means redirect from port 8080 to port 80.
- If used in a Policy, it means from Source Port 8080 to Destination Port 80.
Security Policies
- Country
- Inbound: connections to the firewall.
- Outbound: connections out through the firewall using NAT.
- Pass Through: connections inbound and outbound using no NAT.
- VPN
  - IPSec: IPSec Site to Site, IPSec Client
  - L2TP: L2TP client connections
  - PPTP: PPTP client connections
  - SSL: SSL client connections
[Configure -> Security Policies -> Country Blocking]
- The database is derived from WebNet77 - http://software77.net/geo-ip/
- Built-in set of country IPs and a downloadable update set.
- Firewalls with current support or maintenance contracts will be able to dynamically update the country IP database.
- Includes both IPv4 and IPv6 addresses.
[Configure -> Security Policies -> Country Blocking]
- Global: applies to all inbound and outbound connections. Cannot be set up on an individual policy basis.
- Two types: Accept, Deny.
- Country IP White List
Block by Country
Oct 3 14:42:28 pri=4 pol_type=cbp pol_action=block count=60 msg="block CBP" duration=59.143997 proto=icmpv4 country=jp src=192.168.181.1 srcport=8 dst=160.239.1.12 dstport=8 interface="protected"
Reports and Monitoring - Country Blocking
[Monitor -> Activity -> Security Policies]
- Displays connections currently denied by country.
- Reports include a report on countries hitting the firewall.
Security Policy - Accept / Deny
Depending on the type (Accept or Deny), security policies give different options.
Security Policy Preferences
[Configure -> Security Policies -> Preferences]
Feb 5 12:00:49 pri=4 pol_type=cbp pol_action=block count=3 msg="block CBP" duration=9.008992 proto=80/tcp country=nl src=10.10.1.75 srcport=15047 dst=85.90.89.15 dstport=80 interface="psn" flags=0x2
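The two country-blocking log lines shown on these slides share the same key=value layout. As an added example (not GTA's code and not part of the course), here is a small Python parser and per-source summary for such entries; it assumes only that layout, and treats the count= field as the number of hits the firewall folded into one line.

```python
"""Parse GB-OS country-blocking (pol_type=cbp) log lines and summarise them.

Added example, not GTA's code. The only assumed format is the
'<Mon> <day> <hh:mm:ss> key=value key="quoted value" ...' layout of the slides.
"""
import re
from collections import Counter

# Sample input: the two log lines shown on the course slides, copied verbatim.
SAMPLE_LOG = """\
Oct 3 14:42:28 pri=4 pol_type=cbp pol_action=block count=60 msg="block CBP" duration=59.143997 proto=icmpv4 country=jp src=192.168.181.1 srcport=8 dst=160.239.1.12 dstport=8 interface="protected"
Feb 5 12:00:49 pri=4 pol_type=cbp pol_action=block count=3 msg="block CBP" duration=9.008992 proto=80/tcp country=nl src=10.10.1.75 srcport=15047 dst=85.90.89.15 dstport=80 interface="psn" flags=0x2
"""

# Syslog-style timestamp, then the rest of the line.
_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(.*)$")
# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a GB-OS log line."""
    m = _TS.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    for kv in _KV.finditer(m.group(2)):
        # group(2) is the quoted form (may legitimately be ""), group(3) the bare form
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return fields


def country_block_summary(log_text):
    """Sum blocked hits per (country, src, interface) over all cbp block lines.

    Assumption: count= is the number of hits coalesced into one line (the slide
    shows count=60 over a 59 s duration), so summing it rather than counting
    lines gives the real volume behind each entry.
    """
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("pol_type") != "cbp" or rec.get("pol_action") != "block":
            continue
        key = (rec.get("country", "?"), rec.get("src", "?"), rec.get("interface", "?"))
        totals[key] += int(rec.get("count", "1"))
    return totals
```

Summarising by src and interface separates internal hosts whose outbound traffic is being blocked (interface "protected" or "psn") from outside sources, which is usually the first question when reviewing a country-blocking report.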
Using Names in Policies
- Host names can be used in Security Policies.
- Address Objects used in Security Policies: an address object must be of Type Security Policy to have the name resolved.
- Names are verified/resolved on save of the section and every five minutes. Responses are cached.
DNS Object Example
IPS
- Automatic updates available with Support and Annual Maintenance contracts.
- All new GB-OS releases include updated IPS signatures.
- Policy based and can be configured for inbound and outbound connections.
Email Proxy Anti-Spam
- Subscription based per firewall type.
- 30-day evaluations are available.
- Available on all firewalls.
- Firewalls on the current version can request an evaluation via the firewall interface.
Anti-Virus
- Included with Annual Maintenance and Support Contracts.
- Available on all firewalls except for GB-250 Rev A.
Content Filtering
- 30-day evaluations are available.
- Subscription based per firewall type and level (Basic, Corporate, Enterprise).
- Available on all firewalls.
- Firewalls on the current version can request an evaluation via the firewall interface.
- Filtering based on User Group or IP Address.
Request Service Evaluations
- Evaluations for Anti-Spam, Anti-Virus, and Content Filtering are available via the firewall interface.
- Requires the firewall to be registered in the GTA Support Center and no prior contracts.
Traffic Shaping
Routing
- OSPF
- BGP (GB-2000 class and above)
- RIP
- Static Routes
- Policy Based Routes
- Source Based Routes
Sharing
- Gateway Failover
- Link Aggregation: Failover, LACP, Load Balance, Round Robin
VPN & Remote Access Solutions

Option                        GB-250 10 User         All Other Firewalls
IPSEC Tunnels                 Optional               Included
Mobile IPSec                  Optional               Included - 2 users
SSL Browser                   Optional               Included - 2 users
SSL Client                    Optional               Included - 2 users
PPTP/L2TP                     Optional               Included - 2 users
Download IPSec from firewall  Optional, Yes v5.3.1   Yes v5.3.1
XAuth Support                 Optional, Yes v5.3.1   Yes v5.3.1

1. The number of IPSec Tunnels and Mobile Users connected is based on each product.
2. The SSL Browser Portal is customizable with corporate logo, greeting and disclaimer.
3. v5.3.1 includes support to download the client configuration and installer from the firewall.
4. XAuth support is included in v5.3.1.
5. IPSec/L2TP/PPTP are all counted together for licenses.
6. SSL is counted separately.
7. iPhone IPSec is supported.
Additional Services
Authentication
- LDAP
- RADIUS
- Firewall User List
- Single Sign On
Monitoring & Reporting
Monitoring
- System Report
- Audit Events
- Log Files
- Activity
- Reports
Monitoring & Reporting
Reporting
- Configuration Reports
- Graphs
Report Menu
- All reports can be scheduled.
- Display/download as HTML, MHTML, ZIP, 7-ZIP.
Reporting
1. GB-250 Rev B. GB-250 Rev A is not supported on v6.1.0 or later.
2. GB-Ware Enterprise & GB-2500 v6.0.4 and above support Top 50 reporting. For v6.0.0-6.0.3 only Top 25 reporting is available.
Tools
- Interfaces
- Network Diagnostics: Ping, traceroute (tracert)
- Packet Capture (Sniffer)
- Shutdown
Certificates
- V5.3 & above supports:
  - The ability to create Certificate Signing Requests (CSRs) used to get a signed certificate from a Certificate Authority.
  - Certificate signing CAs. The Firewall CA can be used to create Firewall Administration Certificates, Remote User certificates for IPSec and SSL, and VPN Certificates for Site to Site IPSec Tunnels.
- V6.0.3 & above supports using Intermediate & Chained Certificates. Using these will prevent SSL users from having to accept an untrusted certificate.
- V6.1.0 supports Certificate Revocation Lists (CRL).
See the Certificate Management Guide for more information on certificates: http://www.gta.com/downloads/external/60/general/gb-os_certificate_management.pdf
Configuration Modes: Test and Live Mode
Live Mode
- All changes saved are applied to the running firewall.
- You can only upload firewall runtimes in live mode.
Test Mode
- Changes saved in test mode are not applied until one goes to Apply and commits the changes to live mode.
- Used to verify a configuration and make changes to be applied later.
- Only upload a configuration in Test Mode.
Different methods for updating the configuration:
- Back up the configuration to test. Make changes in live mode. Restore test mode if needed.
- Back up to test mode. Change the configuration in test mode and copy back to live when all changes are complete.
Configuration Views: Standard and Advanced
- Standard View: only shows the most commonly used features.
- Advanced View: shows features/options a more advanced user would need.
Interface Behavior
- Hidden configuration until enabled.
- Double clicking a highlighted object will bring you to its edit screen.
- Where am I?
Time Stamps and Audits
- Summaries show the time of the last change of the configuration.
- Audit shows who made the change and when.
Verification
- Verification is run each time a section is updated.
- Warnings and errors are designed to bubble up through the menu.
- Mouse over displays each verification message.
Verification - Continued
- System -> Overview: shows the number of errors or warnings.
- Yellow Flag - Warning: generally a warning means there is a configuration problem, and this issue may or may not affect firewall performance.
- Red Flag - Error: this is a serious condition that may affect firewall performance.
- Each verification flag hyperlinks to the verification section.
System Summary
- There is one complete summary and a small summary for each configuration section.
- Verification flags bubble up through the summaries and the verification link.
Web Interface Detailed View
- Standard View: https://192.168.71.80/?
- Detailed View: add ?details behind the URL: https://192.168.71.80/?details
Troubleshooting
Provide:
- The firewall configuration
- Model
- Serial number
- If VPN: both firewall configurations. If non-GTA, please specify. If a mobile client, indicate type and user.
- Relevant tables: ARP table, routes, hardware report, etc.
- Log files (we almost always ask for log files). Key words: Error, Kernel, arp.
Firewall Crashes - Web Interface
Core dump files: if the system crashes you can download the core dump from the firewall by entering the following URL in your browser.
v5.4.2-3 & 6.0.0:
https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore.0.gz
or by running the following command on a Linux system (the -k option skips verification of the firewall's certificate):
curl -k -o vmcore.0.gz https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore.0.gz
v6.0.1 and above:
https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore
Firewall Crashes - Console
- Core dump files: the core file menu section on the console only displays if the firewall has crashed. Requires a USB device formatted in FAT32 or NTFS to save the file to.
- Console log: provides the last messages before the firewall stops or reboots. Can be helpful in determining if it is a hardware or software issue. Terminal software usually has an option to increase the buffer or log all output.
Basic Auth Login Not Supported with Internet Explorer.
Troubleshooting: Not Supported Error
- Problem: firewall login fails and the browser displays "Not Implemented". The browser sends inefficient 1-byte commands. Affects Chrome, Internet Explorer and Firefox 10.
- Resolution: upgrade to v6.0.3 or v5.4.3; use Firefox v9.0; try removing KB2585542.
References
- GTA Documents: http://www.gta.com/support/documents/
- Certificate Management: http://www.gta.com/downloads/external/61/general/gb-OS_Certificate_Management.pdf
- WebNet77: http://software77.net/geo-ip/
If you require additional assistance or have additional questions, please contact GTA Technical Support.
- Customer Email: support@gta.com
- Support Line Phone: 1.407.482.6925
- Normal Hours: 0830-1900 EST U.S.
- Free User Support: http://forum.gta.com