Deployment Guide: Routing Mode with No DMZ


March 15, 2007

Deployment and Task Overview

Description

Follow the tasks in this guide to deploy the appliance as a router-firewall device on your network with one internal network only and no DMZ. This guide assumes you want to perform the initial appliance configuration first in a predeployment environment, and then move the appliance to the live production network.

Important: For information on transparent mode deployments, SiteProtector deployments, VPN deployments, or high availability deployments, see the other deployment guides located at http://www.iss.net/support/documentation/docs.php?product=38&family=12.

Tasks

This deployment requires the following tasks:

Table 1: Tasks for deploying in routing mode with no DMZ

- Verify Requirements
- Connect to Proventia Setup Assistant
- Initialize the System with Proventia Setup Assistant
- Connect to Proventia Manager
- Install Licenses
- Install Updates
- Configure Automatic Updates
- Create Full System Backup

© 2007 Internet Security Systems, Inc. All rights reserved worldwide.

- Configure Appliance Access
- Configure Internal Interface (eth0)
- Configure External Interface (eth1)
- Configure Internal DHCP Server
- Configure Firewall Access Policies
- Deploy Antispam, Antivirus, and Web Filter Protection
- Save Policies and Move to Live Production Network

Verify Requirements

PC requirements

You will need a PC to download your product licenses from ISS and to access the first-time setup utility on your new appliance. The PC must have Internet Explorer 6 or later and be configured to obtain its IP configuration automatically. Detailed instructions on how to check your PC's IP configuration are included in this topic.

License requirements

If you have not already done so, obtain your product licenses as described in the Welcome Kit and Order Confirmation Email you received from ISS, or go directly to the License Registration Web site for instructions: https://www1.iss.net/cgi-bin/lrc

Important: Once you have your product licenses, save them to an easily accessible location such as your PC or a removable USB drive. Keep in mind that the PC will not have access to network shares once connected to the appliance.

If you need further assistance with licenses, contact our license support center:

- Email: licenses@iss.net
- Online: www.iss.net/support

Network connection requirements

You will need to connect the appliance to a network connection that provides Internet access and supports automatic IP configuration. The appliance uses the connection to get important initial updates from ISS. You can use the same network connection you used to obtain your licenses.

Important: If your network connection does not support automatic IP configuration or if you are deploying the appliance in transparent mode, then you must provide the appliance with the following settings to use the network connection:

- IP address
- subnet mask
- default gateway
- nameserver
- DNS suffix

Note: You can use the same settings assigned to your PC or contact your network administrator for the settings.

DNS suffix requirements

You will need the DNS suffixes used on your network connection.

Cable requirements

You will need the following cables for initial configuration:

- Red Ethernet crossover cable (included)
- Power cable (included)
- Standard Ethernet crossover cable (not included)

Detailed instructions

Follow the steps below to verify that your PC and network connection support automatic IP configuration and to gather the required DNS suffixes you will need during initial setup:

Note: If your PC and network connection do not support automatic IP configuration, record your static IP settings as described in this task.

Note: Exact steps vary depending on your Windows version and display settings. The steps listed are for Windows Classic interface.

1. On the PC, select Start > Settings > Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. Double-click Internet Protocol (TCP/IP).
4. If your screen looks like Figure 1, then go to Step 5. If your screen looks like Figure 2, then write down your specific IP address, subnet mask, default gateway, and preferred DNS nameserver. Next, select Obtain an IP address automatically and Obtain DNS server address automatically. Go to Step 5.

Figure 1: Automatic IP configuration

Figure 2: Static IP configuration

5. Click the Advanced button.
6. Select the DNS tab, and then write down the DNS suffixes listed under Append these suffixes (in order).

Figure 3: DNS search path settings

7. Click OK to close Advanced TCP/IP Settings.
8. Click OK to close Internet Protocol (TCP/IP) Properties.
9. Close network connections.

Connect to Proventia Setup Assistant

Introduction

The Proventia Setup Assistant is a Web-based utility that gives you access to the system for the first time and helps you configure the new appliance. It is typically used one time only for initial configuration. You will perform all other appliance configuration and administration in Proventia Manager or in SiteProtector once the device is deployed.

Procedure

To connect to Proventia Setup Assistant:

1. Connect the red Ethernet cable from the Internal port to your PC.
2. Connect the standard Ethernet cable from the External port to your Internet connection.
3. Connect the power cable from the power port to a power outlet.
4. Switch on the appliance.
5. Wait for the appliance to fully boot.
6. Start Internet Explorer.
7. Type the default IP address of the appliance, and press ENTER: https://192.168.123.123
8. When the security alert appears, click Yes.
   Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.
9. At the Proventia Local Management Interface login prompt, type admin for the username and admin for the password, and then click OK.
10. Wait while the setup utility is loaded.

When you see the Welcome screen, you are connected to Proventia Setup Assistant and ready to start the initial configuration.

Initialize the System with Proventia Setup Assistant

Procedure

To initialize the system with Proventia Setup Assistant:

Note: Keep the default settings where indicated. If you are unsure about how to configure a specific setting, click Cancel to stop the process. For more information on the policies described in this topic and instructions on how to customize the policies once the appliance is deployed, see the Policy Configuration Guide.

1. On the Welcome screen, click Next.
2. On the End User License Agreement screen, select I Accept, and then click Next.
3. On the Linux End User License Agreement screen, select I Accept, and then click Next.
4. On the Mode screen, select Routing, and then click Next.
5. On the Routing Mode Configuration screen, review the settings, and then click Next.
6. On the Hostname screen, enter a fully qualified domain name, and then click Next.
7. On the Internal Interface screen, keep the default settings, and then click Next.
8. On the External IP Type screen, keep the default DHCP setting, and then click Next.
   Important: If your network connection does not support automatic IP configuration, select Static IP, click Next, and then enter a static IP address, subnet mask, default gateway, and DNS server. You can use the same static settings assigned to your PC.
   Note: PPPoE is typically not used during initial configuration.
9. On the External Interface (eth1) screen, keep the default setting, and then click Next.
   Important: If you are using static IP settings, then you must enter the static IP for at least one nameserver.
10. On the DNS Search Path screen, enter the DNS suffixes used on your network, and then click Next.
11. On the DHCP Server screen, keep the default settings, and then click Next.
12. On the Appliance Management Access screen, accept the default setting, and then click Next.
13. On the Time Zone screen, select your time zone, and then click Next.
14. On the Date and Time screen, enter the date and time, and then click Next.
15. On the Root Password screen, set the password, and then click Next.
16. On the Administrator Password screen, set the password, and then click Next.
    Tip: Select Same As Root.
17. On the Proventia Manager Password screen, set the password, and then click Next.
    Tip: Select Same As Root.
18. On the Bootloader screen, select Disable, and then click Next.
    Tip: Enable the bootloader password if you want to require users to enter the root password before they can change boot settings.
19. On the Settings Review screen, scroll through and review the settings, and then click Finish.

20. When you see the Setup Complete window, click End Assistant Session, and then click Yes.
21. Close Internet Explorer.
22. Wait while the appliance applies the settings and fully reboots.

When the appliance reboots, you are ready to connect to Proventia Manager where you can finish the initial configuration process.

Connect to Proventia Manager

Repairing or resetting the connection

Before you can connect to Proventia Manager, you must repair or reset the connection between the PC and the appliance as described:

Table 2: How to repair or reset your connection

If your PC normally has automatic IP configuration, then:
1. Select Start > Settings > Network Connections.
2. Right-click the Local Area Connection, and then select Repair.

If your PC normally has static IP configuration, then:
1. Select Start > Settings > Network Connections.
2. Right-click the Local Area Connection, and then select Properties.
3. Double-click Internet Protocol (TCP/IP).
4. Select Use the following IP address, and then enter your static settings.
5. Select Use the following DNS server addresses, and then enter your static nameserver addresses.
6. Click OK to close Internet Protocol (TCP/IP) Properties.
7. Close network connections.

Connecting to Proventia Manager

To connect to Proventia Manager:

Note: After some configuration tasks in this guide, the appliance will automatically reboot and end your session. Use this procedure to reconnect to Proventia Manager.

1. On the PC connected to the appliance, start Internet Explorer.
2. Type the default IP address of the appliance, and then press ENTER: https://192.168.123.123
3. When the security alert appears, click Yes.
   Tip: Click Run, Yes, or Accept on any other alerts or messages that appear.
4. At the login, type admin for the username, type your Proventia Manager password, and then click OK.
5. On the Welcome screen, select No, continue without the Getting Started Help., and then click Next.

When you see the Home page in Proventia Manager, you are connected.

Install Licenses

Procedure

To install your product license keys:

1. In the upper-right corner of Proventia Manager, find the Important System Message, and then click Install License.
2. Click Browse, select the license file, click Open, and then click Upload.
   Tip: Licenses are issued as xml files.
3. Repeat Step 2 to upload each license.
   Tip: The licenses might not appear on the Licensing page until after you have uploaded all of your license keys.

Install Updates

Procedure

To install important security updates that were released since your appliance was shipped:

Important: Install the updates in the order listed in this procedure.

Note: This procedure assumes the appliance has Internet access.

1. In Proventia Manager, select Maintenance > Updates > Status.
2. Click the Find Updates button.
3. Wait while the system contacts ISS for updates.
4. When the Update Status page displays, click Download Updates.
5. Wait while the system downloads the updates to the appliance.

6. Click Install Now for Intrusion Prevention.
7. Wait while the system installs the update.
8. When the Update Status page reappears, click Install Now for Antivirus.
9. Wait while the system installs the update.
10. When the Update Status page reappears, click Install Now for Firmware.
11. At the confirmation prompt, click OK.
12. When you see the following alert, close Internet Explorer. If you have multiple instances of Internet Explorer running, close them all. This action ends your session with Proventia Manager. You will need to reconnect to Proventia Manager after the firmware update is finished.

Configure Automatic Updates

Procedure

To configure automatic product updates:

1. In Proventia Manager, select Maintenance > Updates > Automatic Settings.
2. Select the Update Settings tab.
3. In the Security Updates section, select Automatically Download and Automatically Install.
   Tip: These settings force the system to automatically install antivirus and intrusion prevention updates, which are released often to address the latest security threats. These updates run in the background and do not take the system offline.
4. In the Web Filter & Antispam Database Updates section, select Automatically Update Web Filter and Antispam Database.
   Tip: Enable automatic database updates only if you are going to deploy Antispam and Web filter protection. Database updates run in the background and do not take the system offline.
5. In the Firmware Updates section, select Automatically Download.
   Tip: These settings do not force the system to automatically install firmware updates, but the system will download firmware updates as they become available. After downloading a firmware update, the system will alert you and give you the option to install or disregard the firmware update.
6. Click Save Changes.

Create Full System Backup

Procedure

To create a full system backup:

Note: The full system backup is a complete image of the system, including all the updates you have installed and settings you have configured. The full system backup is similar to a system restore point and provides an easy way to restore the system without having to reinstall all the initial updates. Keep in mind that you can store only one full system backup on the appliance at a time.

1. In Proventia Manager, select Maintenance > Backup and Recovery.
2. Select the Full Backup tab, and then click Create System Backup.
3. Follow the onscreen instructions to end your session and close Internet Explorer.

Configure Appliance Access

Important

By default, you can access the appliance from any computer with an IP address on the same subnetwork as the appliance's internal interface (eth0). If this setting meets your requirements, then you can skip this task. Otherwise, follow the steps in this procedure to configure appliance access settings based on your requirements.

Procedure

To configure appliance access:

Recommendation: Do not delete the default SysEth0Range setting.

1. In Proventia Manager, select Configuration > System > Appliance Access.
2. On the Appliance Access Configuration page, click the Add icon.
3. Type a description, and then define the address or networks that can access the appliance:

If you want to allow access from a static IP address, then:
1. Select Single IP Address, and then select Static Address.
2. Type the IP address, and then click OK.

If you want to allow access from an address name, then:
1. Select Single IP Address, and then select Address Name.
2. Select an entry, and then click OK.

If you want to allow access from a dynamic address name, then:
1. Select Dynamic Address Name.
2. Select an entry, and then click OK.

If you want to allow access from a range of static IP addresses, then:
1. Select Address Range, and then select Static Address Range.
2. Type the IP address range, and then click OK.

If you want to allow access from an address range name, then:
1. Select Address Range, and then select Address Name Range.
2. Select an entry, and then click OK.

If you want to allow access from a dynamic address range name, then:
1. Select Address Range, and then select Dynamic Address Range Name.
2. Select an entry, and then click OK.

4. Do not save changes yet, but go to the next task.

Configure Internal Interface (eth0)

Procedure

To configure the internal interface (eth0) for deployment:

Note: This interface will be connected to your internal network.

1. In Proventia Manager, select Configuration > System > Network Interfaces.
2. Select the Internal Interfaces tab.
3. Highlight the eth0 interface line, and then click the Edit icon.
4. Do the following:
   - Verify the Enabled checkbox is selected.
   - Verify eth0 is selected.
   - Enter the IP address and Subnet Mask. Use the following tips to help you configure the interface:
     - If you are replacing an existing router-firewall device, then use the same internal interface IP address and subnet mask currently assigned to the device you are replacing.
     - If you are installing the appliance as a new device, then designate an appropriate IP address and subnet mask from your internal network.
   - Verify the Primary Management Interface option is unchecked.
5. Click OK.
6. Do not save changes yet, but go to the next task.

Configure External Interface (eth1)

Introduction

This topic explains how to configure the external interface for deployment. This interface will be connected to the Internet or other external network. This topic covers the following types of external interface configuration:

- DHCP (automatic through a DHCP server)
- Static
- PPPoE (automatic through an Internet Service Provider)

How to configure the interface

How you configure the external interface depends on your requirements:

- If you are replacing an existing router-firewall device, then use the same settings currently assigned to the existing device's external interface.
- If you are installing the appliance as a new device, then identify the network connection that you are going to connect to the external interface, and determine how the connection assigns IP addresses. This information determines what information you will need when you configure the external interface.
  - If the connection assigns IP addresses automatically, no information is required.
  - If the connection requires a static IP address, obtain the static IP address, subnet mask, default gateway, and nameserver.
  - If the connection assigns IP addresses using PPPoE, obtain the username and password required from your Internet Service Provider.

Using DHCP

To configure the external interface to obtain an IP address using DHCP:

1. In Proventia Manager, select Configuration > System > Network Interfaces.
2. Select the External Interfaces tab.
3. Do the following:
   - Verify the Enabled checkbox is selected.
   - Verify the Host Name.
   - Verify the Primary Management Interface option is unchecked.
4. In the IP Address section, verify the DHCP option is selected.

5. If you want to replicate the MAC address of another device on the eth0 port, then select Enable MAC cloning and enter the MAC address.
6. In the DNS section, verify the Use Dynamic Settings option is selected.
7. In the DNS Search Path section, verify that the DNS suffixes listed are correct. To add a DNS suffix, click the Add icon, and enter the domain name.
8. Do not save changes yet, but go to the next task.

Using PPPoE

To configure the external interface to obtain an IP address using PPPoE:

Note: Most of the settings required in this procedure are provided by your ISP.

1. In Proventia Manager, select Configuration > System > Network Interfaces.
2. Select the External Interfaces tab.
3. Do the following:
   - Verify the Enabled checkbox is selected.
   - Verify the Host Name.
   - Verify the Primary Management Interface option is unchecked.

4. In the IP Address section, select PPPoE from the drop-down list.
5. Type the User Name and Password required to obtain IP addresses from your PPPoE server.
6. Do the following optional tasks as needed:
   - Select On Demand link activation type if your PPPoE-based network connection is not continuous, meaning it is active only when requested.
   - Verify the Clamp MSS option is selected.
   - Enter the Service Name only if your ISP requires this information.
7. In the DNS section, verify the Use Dynamic Settings option is selected.
8. In the DNS Search Path section, verify the DNS suffixes are correct. To add a DNS suffix, click the Add icon, and enter the domain name.
9. Do not save changes yet, but go to the next task.

Static

To configure the external interface with a static IP configuration:

1. In Proventia Manager, select Configuration > System > Network Interfaces.
2. Select the External Interfaces tab.
3. Do the following:
   - Verify the Enabled checkbox is selected.
   - Verify the Host Name.
   - Verify the Primary Management Interface option is unchecked.
4. In the IP Address section, select Static, and then type the IP Address, Subnet Mask, and Default Gateway.
5. In the DNS section, verify the Use Dynamic Settings option is selected.
6. In the DNS Search Path section, verify the DNS suffixes are correct. To add a DNS suffix, click the Add icon, and enter the domain name.
7. Do not save changes yet, but go to the next task.

Configure Internal DHCP Server

Introduction

This topic explains how to configure or disable the internal DHCP server. This server functions like any other DHCP server in that it automatically configures IP settings for devices on your internal network.

How to configure the server

Whether you deploy the internal DHCP server and how you configure the server depends on your network requirements. Use the following tips to help you configure the DHCP server:

Note: The server is enabled by default on a new appliance so that your PC can connect to the appliance for initial configuration.

- If you already have DHCP servers on your network to assign IP settings to devices on the internal network, then you can disable the server.
- If you want to use the internal DHCP server, then you need to configure the server so that it assigns appropriate IP settings to the devices on your internal network.
- If there are devices on your internal network that need a static IP address, then you can reserve static IP addresses for the devices.

Configuring the server

To configure the internal DHCP server to assign IP addresses to devices on your internal network:

1. In Proventia Manager, select Configuration > System > DHCP.
2. Select the DHCP Server tab.
3. In the first section, do the following:
   - Verify the DHCP Server Enabled option is selected.
   - Verify the Lease Time is appropriate for your network. Lease time is how long a host can keep an IP address once assigned.
4. If you want the server to assign domain name suffixes to your network devices, then enter the correct suffixes in the Domain Name Suffix box.
5. In the Address Ranges section, do the following:
   - Click the Add icon.
   - Enter the IP Address Range, Subnet Mask, and Gateway IP Addresses.

   - Click OK.
   Tip: Use the following tips to help you configure the server:
   - If you are replacing an existing DHCP server, then replicate the settings from your existing DHCP server.
   - If you are deploying the DHCP server in addition to the ones already deployed on your network, then enter an IP address range different from the one currently being managed by the existing server.
   - If you are deploying the server as a new DHCP server, then keep the default settings unless they conflict with your IP subnetting requirements; in that case, change the settings as needed.
6. In the DNS section, keep the default Use Default setting unless you want to manually assign nameservers to the hosts on your internal network. In that case, select Specify Settings, and then enter the IP addresses of the nameservers.
7. In the Static Address Assignments section, do the following to permanently lease IP addresses to hosts on your internal network:
   Note: This task is optional.
   - Click the Add icon.
   - Enter the Host Name, MAC Address, and IP Address.

   - Click OK.
8. In the WINS Configuration section, enter the IP addresses of your WINS servers. These servers allow the network to convert NetBIOS names to IP addresses.
   Note: This task is optional.
9. Do not save changes yet, but go to the next task.

Disabling the DHCP server

To disable the internal DHCP server:

1. In Proventia Manager, select Configuration > System > DHCP.
2. Select the DHCP Server tab.
3. Uncheck the DHCP Server Enabled checkbox.
4. Do not save changes yet, but go to the next task.
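The address-range and static-assignment guidance under Configuring the server can be checked on paper before the values are typed into Proventia Manager. The following Python sketch is an added example, not ISS code: the DhcpPlan fields, the finding wording and the sample plans are constructed for illustration (IPv4 only), and only 192.168.123.123 is taken from this guide.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class DhcpPlan:
    """Values an administrator intends to enter (hypothetical structure)."""
    eth0_ip: str            # internal interface (eth0) IP address
    subnet_mask: str        # internal interface subnet mask
    range_start: str        # first address of the IP Address Range
    range_end: str          # last address of the IP Address Range
    gateway: str            # Gateway IP Address handed to clients
    other_server_ranges: list = field(default_factory=list)  # (start, end) of existing DHCP servers
    static_assignments: list = field(default_factory=list)   # (host name, MAC, IP)


def normalize_mac(mac):
    """Return the MAC as lower-case colon-separated octets, or None if malformed."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means no conflict found."""
    findings = []
    net = ipaddress.ip_network(f"{plan.eth0_ip}/{plan.subnet_mask}", strict=False)
    eth0 = ipaddress.ip_address(plan.eth0_ip)
    gateway = ipaddress.ip_address(plan.gateway)
    start = ipaddress.ip_address(plan.range_start)
    end = ipaddress.ip_address(plan.range_end)

    if start > end:
        findings.append(f"address range {start}-{end} is reversed")
        start, end = end, start
    for label, addr in (("range start", start), ("range end", end), ("gateway", gateway)):
        if addr not in net:
            findings.append(f"{label} {addr} is outside {net}")

    # Addresses that must never be handed out as leases.
    fixed = {eth0: "eth0 interface"}
    fixed.setdefault(gateway, "gateway")
    fixed.setdefault(net.network_address, "network address")
    fixed.setdefault(net.broadcast_address, "broadcast address")
    for addr, label in fixed.items():
        if start <= addr <= end:
            findings.append(f"address range leases the {label} {addr}")

    # A second DHCP server must manage a different range than the existing one.
    for o_start, o_end in plan.other_server_ranges:
        lo, hi = ipaddress.ip_address(o_start), ipaddress.ip_address(o_end)
        if start <= hi and lo <= end:
            findings.append(f"address range overlaps existing DHCP range {lo}-{hi}")

    # Static Address Assignments: one MAC and one IP per host, inside the subnet.
    seen_macs, seen_ips = {}, {}
    for host, mac, ip in plan.static_assignments:
        addr = ipaddress.ip_address(ip)
        norm = normalize_mac(mac)
        if norm is None:
            findings.append(f"{host}: MAC address {mac!r} is not six hex octets")
        elif norm in seen_macs:
            findings.append(f"{host}: MAC {norm} already assigned to {seen_macs[norm]}")
        else:
            seen_macs[norm] = host
        if addr not in net:
            findings.append(f"{host}: {addr} is outside {net}")
        elif addr in fixed:
            findings.append(f"{host}: {addr} is the {fixed[addr]}")
        elif addr in seen_ips:
            findings.append(f"{host}: {addr} already assigned to {seen_ips[addr]}")
        else:
            seen_ips[addr] = host
    return findings


# Constructed sample: the range swallows the appliance address and overlaps another server.
SAMPLE_PLAN = DhcpPlan(
    eth0_ip="192.168.123.123", subnet_mask="255.255.255.0",
    range_start="192.168.123.100", range_end="192.168.123.200",
    gateway="192.168.123.123",
    other_server_ranges=[("192.168.123.180", "192.168.123.250")],
    static_assignments=[
        ("printer", "00-11-22-33-44-55", "192.168.123.10"),
        ("fileserver", "00:11:22:33:44:55", "192.168.123.11"),
        ("camera", "00:11:22:33:44:66", "192.168.124.5"),
    ],
)

# Constructed corrected plan: disjoint range, unique MACs, all hosts inside the subnet.
FIXED_PLAN = DhcpPlan(
    eth0_ip="192.168.123.123", subnet_mask="255.255.255.0",
    range_start="192.168.123.20", range_end="192.168.123.99",
    gateway="192.168.123.123",
    other_server_ranges=[("192.168.123.180", "192.168.123.250")],
    static_assignments=[
        ("printer", "00-11-22-33-44-55", "192.168.123.10"),
        ("fileserver", "00:11:22:33:44:77", "192.168.123.11"),
    ],
)

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```
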

Configure Firewall Access Policies

Introduction

This topic explains how to configure firewall access policies.

Default firewall access policies

The appliance comes with the following default firewall access policies enabled. These policies are appropriate for most deployments:

- Allow outbound traffic from the internal network (eth0) to any destination
- Allow all outbound traffic from self to any destination
- Allow DHCP requests to self
- Allow ICMP ping to self from internal network (eth0)

Note: You can edit the policies or add custom policies at any time in Proventia Manager or in SiteProtector.

DMZ firewall access policies

If you are deploying the appliance with a DMZ, then you must create two additional firewall access policies with the following settings prior to deployment:

Table 3: DMZ firewall access policies

Policy: Allow DMZ to access the Internet and other internal networks
This policy will allow hosts on the DMZ to connect to other hosts in your secure internal network (eth0) and to other hosts on the Internet.
Settings:
- Action = Allow
- Log Enabled = Yes
- Protocol = Any
- Source Address = DMZ subnet
- Source Port = Any
- Destination Address = Any
- Destination Port = Any

Policy: Allow access to the DMZ from the Internet
This policy will allow users on the Internet to connect to a host inside your secure DMZ.
Settings:
- Action = Allow
- Log Enabled = Yes
- Protocol = Any
- Source Address = Any
- Source Port = Any
- Destination Address = SysEth1IP (network object or IP address of the external interface)
- Destination Port = Any

Configuring firewall access policies

To configure firewall access policies:

1. In Proventia Manager, select Configuration > Firewall.
2. Select the Access Policy tab.
3. Click the Add icon.
4. Set the Rule Order.
5. Verify the Rule Guid.
6. Verify the Enabled option is selected.
7. Select the Action (Allow or Reject).
8. Select Log Enabled to log events associated with this rule.
9. Type a Comment (description) for the rule.
10. Select the following tabs, and then complete them as needed:

Tab: Protocol
Select one of the following:
- Any
- Protocol Name
- Protocol Number

Tab: Source Address
Select one of the following:
- Any
- Self
- Single IP Address
- Address Range
- Network Address / Network Bits (CIDR)
- Specify Network Objects
  Tip: Click the Add icon to create a network object.

Tab: Source Port
Select one of the following:
- Any
- Single Port
- Port Range

Tab: Protocol
Description: Select one of the following:
  - Any
  - Protocol Name
  - Protocol Number

Tab: Destination Address
Description: Select one of the following:
  - Any
  - Self
  - Single IP Address
  - Address Range
  - Network Address / Network Bits (CIDR)
  - Specify Network Objects
    Tip: Click the Add icon to create a network object.

Tab: Destination Port
Description: Select one of the following:
  - Any
  - Single Port
  - Port Range
  - Specify Network Objects
    Tip: Click the Add icon to create a network object.

11. Do not save changes yet, but go to the next task.
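To check what the two DMZ policies in Table 3 permit before they are saved, the following added sketch (not part of this guide or of Proventia Manager) models them with the guide's setting names and evaluates sample flows against them. It assumes that rules are matched in Rule Order with the first match winning and that unmatched traffic is rejected, neither of which this guide states; all addresses, including the value standing in for SysEth1IP, are constructed.

```python
import ipaddress

ANY = "Any"
# Constructed addressing for illustration; none of it comes from the guide.
INTERNAL_HOST = "192.168.1.15"   # host on the internal network (eth0)
DMZ_SUBNET = "192.168.50.0/24"   # stands in for "DMZ subnet"
SYS_ETH1_IP = "203.0.113.10"     # stands in for the SysEth1IP network object
INTERNET_HOST = "198.51.100.7"

# The two Table 3 policies, using the guide's setting names as keys.
RULES = [
    {"order": 1, "comment": "DMZ to Internet and internal networks",
     "action": "Allow", "log": True, "protocol": ANY, "src": DMZ_SUBNET,
     "src_port": ANY, "dst": ANY, "dst_port": ANY},
    {"order": 2, "comment": "Internet to DMZ",
     "action": "Allow", "log": True, "protocol": ANY, "src": ANY,
     "src_port": ANY, "dst": SYS_ETH1_IP, "dst_port": ANY},
]

def addr_match(spec, ip):
    """True if ip falls inside spec (single IP or CIDR) or spec is Any."""
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, protocol, src, dst, dst_port, src_port=ANY):
    """Return (action, comment) of the first matching rule in Rule Order.
    Assumption: first match wins and unmatched traffic is rejected."""
    for r in sorted(rules, key=lambda r: r["order"]):
        if (r["protocol"] in (ANY, protocol) and addr_match(r["src"], src)
                and r["src_port"] in (ANY, src_port)
                and addr_match(r["dst"], dst)
                and r["dst_port"] in (ANY, dst_port)):
            return r["action"], r["comment"]
    return "Reject", "no matching rule"

def any_fields(rule):
    """List the match fields a rule leaves at Any, i.e. how broad it is."""
    keys = ("protocol", "src", "src_port", "dst", "dst_port")
    return [k for k in keys if rule[k] == ANY]

if __name__ == "__main__":
    flows = [("tcp", "192.168.50.20", INTERNET_HOST, 443),
             ("tcp", "192.168.50.20", INTERNAL_HOST, 445),
             ("tcp", INTERNET_HOST, SYS_ETH1_IP, 22),
             ("tcp", INTERNET_HOST, INTERNAL_HOST, 445)]
    for f in flows:
        print(f, "->", evaluate(RULES, *f))
    for r in RULES:
        print(r["comment"], "leaves at Any:", any_fields(r))
```

Under these assumptions the second flow confirms that the first policy lets DMZ hosts reach the internal network on any port, as its description says, and `any_fields` shows which settings to narrow if the deployment needs less than that.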

Deploy Antispam, Antivirus, and Web Filter Protection

Introduction

This topic explains how to deploy basic antispam, antivirus, and Web filter protection. It does not explain how to customize or tune policies for these modules. For that information, see the Multi-Function Security Policy Configuration Guide.

Note: Antispam, antivirus, and Web filter are optional.

Deploying antispam, antivirus, and Web filter

To deploy antispam, antivirus, and Web filter protection:

1. In Proventia Manager, select Configuration > Antispam.
2. Select the Protection Settings tab, and then select Spam Detection Enabled.
3. Select Configuration > Antivirus.
4. On the Basic Configuration tab, select the Antivirus Module Enabled checkbox.
5. Select Configuration > Web Filter > Web Filter Settings.
6. On the Protection Settings tab, select the Web Filter Module Enabled checkbox.
7. Do not save changes yet, but go to the next task.

Save Policies and Move to Live Production Network

Saving policies

It is important to understand that once you save your policies you will not be able to access the appliance again until you physically move it to the live production network, connect the cables, and boot the system.

To save your policies, click Save Changes in Proventia Manager. This action will end your session with Proventia Manager and lock you out of the appliance temporarily until the appliance is operational on the production network.

Moving the appliance into production

The physical move to the live production network will require some network downtime, so schedule the move to occur during a low usage time and factor in time to rack mount the appliance if needed.

To move the appliance to production:

1. Switch off the appliance.
2. Disconnect the appliance and cables from your setup or configuration environment as described:
   - Disconnect the red Ethernet cable from the Internal port to your PC.
   - Disconnect the standard Ethernet cable from the External port to your Internet connection.
   - Disconnect the power cable from the power port to a power outlet.
3. Move the device to its location on the production network and rack mount the device if needed.
4. Reconnect the cables as described:
   - Connect a standard Ethernet cable from the Internal port to your internal network.
   - Connect a standard Ethernet cable from the External port to your Internet connection.
   - Connect additional standard Ethernet cables from the internal ports to your internal networks including your DMZ if needed.
   - Connect the power cable from the power port to a power outlet.
5. Switch on the appliance.

Tuning policies and routine maintenance

See the following publications for additional assistance:

- For information on how to customize policies, see the Policy Configuration Guide.
- For information on how to perform routine maintenance such as backups, see the Administrator Guide.
