Basic Firewall Configuration


Basic Firewall Configuration: An Introduction to GTA Firewalls
GB-OS Course #1101, 8/26/2013
Global Technology Associates, Inc.

Introduction to GTA Firewalls (course outline)
- Firewall Administration: Serial, SSL
- Initial Configuration
- Networking Configuration Options
- Advanced Options
- Objects
- Security Policies & Preferences
- Features Overview; UTM Features
- Dynamic Gateway Architecture
- Remote Access Options
- Interface Basics
- Monitor & Reporting
- Troubleshooting Basics & Miscellaneous

Firewall Administration
Console (serial interface)
- Used for basic set-up of the IP address, and for local access when remote access is lost.
- Advanced configuration must be performed via the web interface.
- Not supported via the console: Bridge configuration, Link Aggregation, IPv6 configuration.
Web (SSL)
- Primary method of configuration for the firewall.
- The web interface is consistent across all products: the GB-250 interface is the same as the GB-2500.
- Features not supported on a product (such as HA on a GB-250) will not display.
- Features requiring an activation code that is not present display a message that an activation code is required.

Accessing the firewall using the Console User Interface
Video Console (GB-Ware only)
- Monitor and keyboard.
- Login screen Alt+F2, logging screen Alt+F1, stats screen Alt+F3.
Serial Interface (all firewalls)
- DB9 file transfer cable: DB9 to RJ45 serial cable (top right) or DB9 to DB9 file transfer cable (middle right).
- Terminal or terminal emulation software: HyperTerminal, TeraTerm, PuTTY with serial support (v5.0) (recommended).
Serial Console Terminal Settings
- Emulation: VT100
- Port: the port connected to the DB9 cable on the host
- Baud rate: 38400
- Data bits: 8
- Stop bits: 1
- Flow control: Hardware

Console Interface Login
- Default login is ID: fwadmin, Password: fwadmin.
- The login prompt displays the firewall host name (if configured; otherwise it displays Unknown). The host name is configured in the Network Settings section.
- Garbled characters usually indicate that the wrong speed is set.
Note: In versions 3.7 and below the default login is gnatbox/gnatbox.

Access Firewall Using Web Interface
1. Connect port 0 (eth0) on your GTA Firewall to a switch, hub, or your workstation's Ethernet port. If you are directly connected to the firewall, be sure to use a crossover cable.
2. If this is the first time you have accessed the firewall, enter the default IP address: https://192.168.71.254
3. Security Alert: you may see an alert notification for the server's certificate. The notification depends on the browser.

Access Firewall Using Web User Interface
- Embedded login is used by GB-OS versions 5.3 and above (bottom).
- The login page is customizable with a corporate logo: 100 KB size, 32x32 pixels (recommended); jpg, png or gif are supported.
- After login you may see an initial splash screen. This screen displays after runtime updates and on logins from new systems. Just click Continue to move past it.

System Overview - Dashboard
Provides a snapshot of the system status with quick links to other configuration sections. (The overview shows the last 24 hours.)

Firewall Administration Options [Configure -> Accounts -> Remote Administration]
- Remote Administration Lock Out: denies all login access to the firewall from IP addresses that fail to provide the correct login credentials.
- Remote Admin Customization: allows for a customized administration login.
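The lock-out behaviour above, as an added example of how such a control can be modelled; this is not GTA's code, and GB-OS does not document its thresholds on these slides, so the failure limit, sliding window and lock-out duration are this example's assumptions. The credential store is a constructed placeholder.

```python
"""Per-source-IP lockout after repeated failed administrative logins.

Added example, not GTA's code. GB-OS's Remote Administration Lock Out denies
logins from addresses that fail authentication; max_failures, window_s and
lockout_s below are assumptions for this example, not documented values.
"""
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional


class RemoteAdminLockout:
    def __init__(self, max_failures: int = 3, window_s: float = 300.0, lockout_s: float = 900.0):
        self.max_failures = max_failures   # failures inside window_s that trigger a lockout
        self.window_s = window_s           # sliding window for counting failures
        self.lockout_s = lockout_s         # how long an address stays locked out
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # lockout expired: forget it
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed login; return True if this failure locks the address out."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


# Constructed credential store: one admin with a placeholder password (example only).
_CREDENTIALS = {"admin": "example-only-placeholder"}


def verify_credentials(user: str, password: str) -> bool:
    # Compare against a dummy for unknown users so the work done does not depend on
    # whether the user name exists.
    expected = _CREDENTIALS.get(user, "")
    match = hmac.compare_digest(expected.encode(), password.encode())
    return match and user in _CREDENTIALS


def attempt_login(guard: RemoteAdminLockout, ip: str, user: str, password: str,
                  now: Optional[float] = None,
                  verify: Callable[[str, str], bool] = verify_credentials) -> str:
    """Return "locked_out", "ok" or "denied" for one login attempt from ip."""
    now = time.monotonic() if now is None else now
    if guard.is_locked(ip, now):
        return "locked_out"                # reject before any credential check
    if verify(user, password):
        guard.record_success(ip)
        return "ok"
    guard.record_failure(ip, now)
    return "denied"


if __name__ == "__main__":
    guard = RemoteAdminLockout()
    for t in (1000, 1001, 1002, 1500, 1902):
        print(t, attempt_login(guard, "198.51.100.7", "admin", "wrong" if t < 1500 else "example-only-placeholder", now=t))
```

A locked address is rejected before the password is checked, so a correct password submitted during the lock-out does not unlock it; only the expiry does.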

Administrators
- Firewall administration privileges are based on the user's group.
- Administrators may be defined on the firewall, or use LDAP or RADIUS authentication.
Creating a firewall administrator
- Create an Administration group or use an existing group.
- Define a user and select the administrative group the user belongs to. The group may be the user's primary group or a group they are a member of.
Default Administrator
- There MUST always be one administrator defined on the firewall. If no default administrator is defined on the firewall, a login of fwadmin for user and fwadmin for password will allow administrative access.

Set Up Wizard
The Set Up Wizard allows entering all of the firewall's basic information for both IPv6 and IPv4 addressing, including enabling DNS and DHCP servers on an interface.

Network Configuration
Set Up Networking
- Network IP addresses: [Configure -> Network -> Interfaces -> Settings]
- Configure default routes/gateway: [Configure -> Network -> Routing -> Static Routes]
Security Policies & Objects
- [Configure -> Security Policies -> Policy Editor]
- [Configure -> Objects -> Address Objects]

Internet Connection Methods
- DHCP (IPv4, IPv6)
- PPP: PPPoE, PPTP, Serial, GSM
- Statically assigned
- SLAAC (IPv6 Stateless Address Autoconfiguration)

Advanced Network Options: Dual Stack (IPv4 & IPv6) Mode
- IPv6 default is IPv4 only; upgraded firewalls run in IPv4 mode only.
- Switching the firewall to Dual Stack mode from IPv4-only mode: [Configure -> Network -> Preferences]. Requires a reboot.

Network Types or Zones
- EXTERNAL: least trusted.
- Protected: most trusted; other Protected networks are peers.
- PSN: not trusted by Protected, and is NOT a peer to other PSNs.

Advanced Network Options TimeOuts

Advanced Network Options Connection Limits

Advanced Network Options: Licenses & SIP
- Disable remote licenses: for intranet firewalls; no license checking. Not compatible with Online License, GB-Ware, or any subscription options.
- Disable SIP support.

Objects
- Address: holds IP addresses and domain names to be referenced in other parts of the firewall. Domain names/host names can only be used in the Email Proxy and Web Content Filtering.
- Bookmarks: tools to create quick links for SSL Browsers. Covered further in Remote Access SSL.
- Encryption: building blocks for IPSec VPN. Covered further in the VPN course.
- IPSec Objects: used in IPSec Client and Site to Site VPN to define encryption and authentication methods. Covered further in the VPN course.
- Service Groups: tools to ease creation of policies and tunnels.
- Time Groups: used to create time-based policies.

Address Objects
- Type: controls where an object can be used. No Type selected is an internal object that can only be referenced in another object.
- Object: can be another object, or a user-defined regular expression.

Service Objects
Allow for creation of custom services and objects. Group services together to easily create security policies and tunnels.

Service Objects: Direction
- If used in a Tunnel, 8080 -> 80 means redirect from port 8080 to port 80.
- If used in a Policy, it means from source port 8080 to destination port 80.

Security Policies
- Country
- Inbound: connections to the firewall.
- Outbound: connections out through the firewall using NAT.
- Pass Through: connections inbound and outbound using no NAT.
- VPN: IPSec (IPSec Site to Site, IPSec Client), L2TP (L2TP client connections), PPTP (PPTP client connections), SSL (SSL client connections).

Country Blocking [Configure -> Security Policies -> Country Blocking]
- The database is derived from WebNet77 - http://software77.net/geo-ip/
- Built-in set of country IPs and a downloadable update set.
- Firewalls with current support or maintenance contracts are able to dynamically update the country IP database.
- Includes both IPv4 and IPv6 addresses.

Country Blocking [Configure -> Security Policies -> Country Blocking]
- Global: applies to all inbound and outbound connections; cannot be set up on an individual policy basis.
- Two types: Accept, Deny.
- Country IP White List.
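How a country-blocking decision of this kind is evaluated, as an added example that is not GTA's code. The sample database is constructed to follow the layout of the WebNet77 IpToCountry.csv file the slides cite (IP_FROM and IP_TO as integers, registry, assignment date, two- and three-letter codes, name), but the ranges are invented for the example. The reading of Accept (allow only the listed countries), Deny (block the listed countries) and White List (addresses exempt from the check) is the example's assumption; IPv4 only, for brevity.

```python
"""Country lookup and country-blocking decision over WebNet77-style ranges.

Added example, not GTA's code. SAMPLE_DB_TEXT mimics the software77
IpToCountry.csv layout but its ranges are invented; IPv4 only.
"""
import bisect
import csv
import ipaddress
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample database (invented ranges, IpToCountry.csv layout).
SAMPLE_DB_TEXT = """\
# IP_FROM,IP_TO,REGISTRY,ASSIGNED,CTRY,CNTRY,COUNTRY
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"16777472","16778239","apnic","1302739200","CN","CHN","China"
"3355443200","3355447295","ripencc","1234567890","NL","NLD","Netherlands"
"""


class CountryDB(NamedTuple):
    starts: List[int]   # range start addresses, ascending
    ends: List[int]     # matching range end addresses (inclusive)
    codes: List[str]    # matching two-letter country codes


def load_country_db(text: str) -> CountryDB:
    """Parse IpToCountry-style CSV text; lines starting with '#' are comments."""
    rows = []
    data_lines = (line for line in text.splitlines() if line and not line.startswith("#"))
    for row in csv.reader(data_lines):
        rows.append((int(row[0]), int(row[1]), row[4].upper()))
    rows.sort()
    return CountryDB([r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows])


def lookup_country(db: CountryDB, ip: str) -> Optional[str]:
    """Binary-search the sorted, non-overlapping ranges for the address."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(db.starts, n) - 1
    if i >= 0 and n <= db.ends[i]:
        return db.codes[i]
    return None                      # address not covered by the database


def country_decision(db: CountryDB, ip: str, mode: str, countries: Iterable[str],
                     whitelist: Iterable[str] = ()) -> str:
    """Global decision ("accept" or "block") for one source address.

    mode "deny":   block the listed countries, accept everything else.
    mode "accept": accept only the listed countries, block everything else,
                   including addresses with no country match.
    whitelist:     CIDR strings exempt from country blocking entirely.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in whitelist):
        return "accept"
    code = lookup_country(db, ip)
    listed = code is not None and code in {c.upper() for c in countries}
    if mode == "deny":
        return "block" if listed else "accept"
    if mode == "accept":
        return "accept" if listed else "block"
    raise ValueError(f"unknown mode: {mode}")


DB = load_country_db(SAMPLE_DB_TEXT)

if __name__ == "__main__":
    for ip in ("1.0.0.5", "1.0.1.7", "200.0.3.9", "8.8.8.8"):
        print(ip, lookup_country(DB, ip), country_decision(DB, ip, "deny", ["CN", "NL"]))
```

Note the asymmetry for addresses the database does not cover: in deny mode they pass, in accept mode they are blocked, which is why an accept-type (allow-list) configuration needs the white list for any peers whose addresses are missing from the database.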

Block by Country
Example log entry:
Oct 3 14:42:28 pri=4 pol_type=cbp pol_action=block count=60 msg="block CBP" duration=59.143997 proto=icmpv4 country=jp src=192.168.181.1 srcport=8 dst=160.239.1.12 dstport=8 interface="protected"

Reports and Monitoring: Country Blocking [Monitor -> Activity -> Security Policies]
- Displays current denials by country.
- Reports include a report on countries hitting the firewall.

Security Policy: Accept / Deny
Depending on the type (Accept or Deny), security policies offer different options.

Security Policy Preferences

[Configure -> Security Policies -> Preferences]
Example log entry:
Feb 5 12:00:49 pri=4 pol_type=cbp pol_action=block count=3 msg="block CBP" duration=9.008992 proto=80/tcp country=nl src=10.10.1.75 srcport=15047 dst=85.90.89.15 dstport=80 interface="psn" flags=0x2
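A parser for the key=value log format shown in the two country-blocking entries above, followed by the kind of denied-by-country tally the Monitor -> Activity -> Security Policies view presents. This is an added example, not GTA's code: the first two sample lines are the entries from the slides, the third is constructed to exercise aggregation, and treating count= as the number of packets an entry represents is the example's assumption.

```python
"""Parse GB-OS country-blocking (pol_type=cbp) log lines and tally denials by country.

Added example, not GTA's code. Lines 1 and 2 of SAMPLE_LOG are from the
slides; line 3 is constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

SAMPLE_LOG = [
    'Oct 3 14:42:28 pri=4 pol_type=cbp pol_action=block count=60 msg="block CBP" duration=59.143997 '
    'proto=icmpv4 country=jp src=192.168.181.1 srcport=8 dst=160.239.1.12 dstport=8 interface="protected"',
    'Feb 5 12:00:49 pri=4 pol_type=cbp pol_action=block count=3 msg="block CBP" duration=9.008992 '
    'proto=80/tcp country=nl src=10.10.1.75 srcport=15047 dst=85.90.89.15 dstport=80 interface="psn" flags=0x2',
    # constructed line in the same layout, to show aggregation across entries
    'Feb 5 12:03:11 pri=4 pol_type=cbp pol_action=block count=5 msg="block CBP" duration=12.5 '
    'proto=443/tcp country=nl src=10.10.1.75 srcport=15102 dst=85.90.89.15 dstport=443 interface="psn" flags=0x2',
]

# "Mon  d HH:MM:SS" prefix, then the key=value body.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# key=value where value is either "quoted text" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
INT_FIELDS = ("pri", "count", "srcport", "dstport")


def parse_gbos_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for one log line, or None if it is not in this format."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"timestamp": m.group("ts")}
    for kv in KV_RE.finditer(m.group("rest")):
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        rec[kv.group("key")] = value
    for field in INT_FIELDS:
        if field in rec:
            rec[field] = int(rec[field])           # type: ignore[arg-type]
    if "duration" in rec:
        rec["duration"] = float(rec["duration"])   # type: ignore[arg-type]
    return rec


def parse_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    return [r for r in (parse_gbos_line(l) for l in lines) if r is not None]


def denied_by_country(records: Iterable[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Tally country-blocking denials: 'events' counts log entries, 'count' sums count=."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"events": 0, "count": 0})
    for r in records:
        if r.get("pol_type") == "cbp" and r.get("pol_action") == "block":
            bucket = totals[str(r.get("country", "unknown"))]
            bucket["events"] += 1
            bucket["count"] += int(r.get("count", 0))    # type: ignore[arg-type]
    return dict(totals)


if __name__ == "__main__":
    report = denied_by_country(parse_log(SAMPLE_LOG))
    for country, t in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{country}: {t['events']} entries, {t['count']} blocked")
```

The quoted-value branch of the regex matters for the msg= and interface= fields, which carry spaces or quotes; a naive split on whitespace would break the message text.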

Using Names in Policies
- Host names can be used in Security Policies.
- Address Objects used in Security Policies: an address object must be of Type Security Policy to have its name resolved.
- Names are verified/resolved on save of the section and every five minutes. Responses are cached.

DNS Object Example

IPS
- Automatic updates available with Support and Annual Maintenance contracts.
- All new GB-OS releases include updated IPS signatures.
- Policy based; can be configured for inbound and outbound connections.
Email Proxy Anti-Spam
- Subscription based per firewall type; 30-day evaluations are available.
- Available on all firewalls. Firewalls on the current version can request an evaluation via the firewall interface.
Anti-Virus
- Included with Annual Maintenance and Support contracts.
- Available on all firewalls except the GB-250 Rev A.
Content Filtering
- 30-day evaluations are available.
- Subscription based per firewall type and level (Basic, Corporate, Enterprise).
- Available on all firewalls. Firewalls on the current version can request an evaluation via the firewall interface.
- Filtering based on User Group or IP address.

Request Service Evaluations
Evaluations for Anti-Spam, Anti-Virus, and Content Filtering are available via the firewall interface. Requires the firewall to be registered in the GTA Support Center and no prior contracts.

Traffic Shaping
Routing
- OSPF
- BGP (GB-2000 class and above)
- RIP
- Static Routes
- Policy Based Routes
- Source Based Routes
Sharing Gateway
- Failover
Link Aggregation
- Failover
- LACP
- Load Balance
- Round Robin

VPN & Remote Access Solutions
Option                        | GB-250 10 User        | All Other Firewalls
IPSEC Tunnels                 | Optional              | Included
Mobile IPSec                  | Optional              | Included - 2 users
SSL Browser                   | Optional              | Included - 2 users
SSL Client                    | Optional              | Included - 2 users
PPTP/L2TP                     | Optional              | Included - 2 users
Download IPSec from firewall  | Optional, Yes v5.3.1  | Yes v5.3.1
XAuth Support                 | Optional, Yes v5.3.1  | Yes v5.3.1
Notes:
1. The number of IPSec tunnels and mobile users connected is based on each product.
2. The SSL Browser Portal is customizable with corporate logo, greeting and disclaimer.
3. v5.3.1 includes support to download the client configuration and installer from the firewall.
4. XAuth support is included in v5.3.1.
5. IPSec/L2TP/PPTP are all counted together for licenses.
6. SSL is counted separately.
7. iPhone IPSec is supported.

Additional Services

Authentication
- LDAP
- RADIUS
- Firewall User List
- Single Sign On

Monitoring & Reporting: Monitoring
- System Report
- Audit Events
- Log Files
- Activity Reports

Monitoring & Reporting: Reporting
- Configuration Reports
- Graphs

Report Menu
All reports can be scheduled. Display/download as HTML, MHTML, ZIP, 7-ZIP.

Reporting
1. GB-250 Rev B. GB-250 Rev A is not supported on v6.1.0 or later.
2. GB-Ware Enterprise & GB-2500 v6.0.4 and above support Top 50 reporting. For v6.0.0-6.0.3 only Top 25 reporting is available.

Tools
- Interfaces
- Network Diagnostics: Ping, traceroute (tracert)
- Packet Capture (Sniffer)
- Shutdown

Certificates
- V5.3 & above supports the ability to create Certificate Signing Requests (CSRs), used to get a signed certificate from a Certificate Authority.
- Certificate Signing CAs: the Firewall CA can be used to create Firewall Administration certificates, Remote User certificates for IPSec and SSL, and VPN certificates for Site to Site IPSec tunnels.
- V6.0.3 & above supports using Intermediate & Chained certificates. Using these will prevent SSL users from having to accept an untrusted certificate.
- V6.1.0 supports Certificate Revocation Lists (CRL).
See the Certificate Management Guide for more information on certificates: http://www.gta.com/downloads/external/60/general/gb-os_certificate_management.pdf

Configuration Modes: Test and Live Mode
Live Mode
- All changes saved are applied to the running firewall.
- You can only upload firewall runtimes in live mode.
Test Mode
- Changes saved in test mode are not applied until one goes to Apply and commits the changes to live mode.
- Used to verify a configuration and make changes to be applied later.
- Only upload a configuration in Test Mode.
Different methods for updating the configuration
- Back up the configuration to test. Make changes in live mode. Restore from test mode if needed.
- Back up to test mode. Change the configuration in test mode and copy it back to live when all changes are complete.

Configuration Views: Standard and Advanced
- Standard View: only shows the most commonly used features.
- Advanced View: shows features/options a more advanced user would need.

Interface Behavior
- Hidden configuration until enabled.
- Double clicking a highlighted object will bring you to its edit screen.
- Where am I?

Time Stamps and Audits
- Summaries show the time of the last change to the configuration.
- Audit shows who made the change and when.

Verification
- Verification is run each time a section is updated.
- Warnings and errors are designed to bubble up through the menu.
- Mouse over displays each verification message.

Verification - Continued
- System -> Overview: shows the number of errors or warnings.
- Yellow Flag: Warning. Generally a warning means there is a configuration problem; the issue may or may not affect firewall performance.
- Red Flag: Error. This is a serious condition that may affect firewall performance.
- Each verification flag hyperlinks to the verification section.

System Summary
- There is one complete summary and a small summary for each configuration section.
- Verification flags bubble up through the summaries and the verification link.

Web Interface Detailed View
- Standard View: https://192.168.71.80/?
- Detailed View: add ?details behind the URL: https://192.168.71.80/?details

Troubleshooting
Provide the firewall configuration:
- Model, serial number.
- If VPN, both firewall configurations. If non-GTA, please specify. If mobile client, indicate type and user.
- Relevant tables: ARP table, routes, hardware report, etc.
- Log files (we almost always ask for log files). Key words: Error, Kernel, arp.

Firewall Crashes: Web Interface
Core dump files: if the system crashes you can download the core dump from the firewall by entering the following URL in your browser.
v5.4.2-3 & 6.0.0: https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore.0.gz
Or by running the following command on a Linux system (-k disables curl's certificate verification, as with the browser certificate alert noted under web access):
curl -k -o vmcore.0.gz https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore.0.gz
v6.0.1 and above: https://<fw_ip_address>/cat?/var/scratch/savecore/vmcore

Firewall Crashes: Console
- Core dump files: the Core File menu section on the console only displays if the firewall has crashed. Requires a USB device formatted as FAT32 or NTFS to save the file to.
- Console log: provides the last messages before the firewall stops or reboots. Can be helpful in determining if it is a hardware or software issue. Terminal software usually has an option to increase the buffer or log all output.

Basic Auth Login Not Supported with Internet Explorer.

Troubleshooting: Not Supported Error
- Problem: firewall login fails and the browser displays "Not Implemented". The browser sends inefficient 1-byte commands. Affects Chrome, Internet Explorer and Firefox 10.
- Resolution: upgrade to v6.0.3 or v5.4.3; use Firefox v9.0; try removing KB2585542.

References
- GTA Documents: http://www.gta.com/support/documents/
- Certificate Management: http://www.gta.com/downloads/external/61/general/gb-OS_Certificate_Management.pdf
- WebNet77: http://software77.net/geo-ip/

If you require additional assistance or have additional questions, please contact GTA Technical Support.
Customer Email: support@gta.com
Support Line Phone: 1.407.482.6925, normal hours 0830-1900 EST U.S.
Free User Support: http://forum.gta.com