Nortel 5109 User's Manual And Command Reference

Switched firewall release 2.3.3

Nortel Switched Firewall™ 5100 Series Release 2.3.3
User's Guide and Command Reference
part number: 213455-L, October 2005
4655 Great America Parkway
Santa Clara, CA 95054
Phone 1-800-4Nortel
http://www.nortel.com


Summary of Contents for Nortel 5109

  • Page 2 FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc.
  • Page 3: Table Of Contents

    How to get help 16 Getting help from the Nortel web site 16 Getting help over the telephone from a Nortel Solutions Center 17 Using an Express Routing Code to get help from a specialist 17 Getting help through a Nortel distributor or reseller 17...
  • Page 4 Chapter 2: Initial setup 29 Basic requirements 30 Example network 31 Firewall management network 31 SmartCenter Server 32 Smart Portal 32 Trusted network 36 Untrusted network (Internet) 36 Setting up the basic configuration 37...
  • Page 5 Chapter 3: Dynamic Host Configuration Protocol 91 DHCP relay agent 92 Configuring for DHCP relay agent 93 Chapter 4: Open Shortest Path First 95 OSPF overview 96 Types of OSPF areas 96...
  • Page 6 VRRP election 119 VRRP failover 120 VRRP failover-based on links 121 MAC address mapping 121 Stateful failover 122 VRRP router parameters 122 Active-standby and active-active 122 Advertisement interval 122 Gratuitous ARP (GARP) 123...
  • Page 7 Chapter 6: Layer 2 and Layer 3 Firewalls 189 Overview 190 Configuring Layer 2 bridge mode Firewall 191 Configuring the Firewall software 192 Configuring the Check Point software to support Layer 2 bridge mode 195...
  • Page 8 Chapter 10: The Command Line Interface 251 Accessing the Command Line Interface 252 Using the local serial port 252 Defining the remote access list 252 Displaying the access list 252 Adding items to the access list 253...
  • Page 9 DNS Servers Menu 285 Cluster Menu 286 Cluster Host Menu 287 Access List Menu 289 Administrative Applications Menu 290 Telnet Administration Menu 292 SSH Administration Menu 293 SSH Host Keys Menu 294...
  • Page 10 VRRP Bridge 1 Menu 334 VRRP Settings Menu 335 Routes Menu 338 GRE Tunnel 1 Menu 339 OSPF Menu 340 OSPF Area Index Menu 342 OSPF Interface Menu 343 OSPF GRE Tunnel 1 Menu 346...
  • Page 11 Appendix B: Backing Up and Cloning Configurations 385 Overview 386 Remote Backup 386 Clone Command 386 Local Backup 386 Backing Up and Cloning 387 Backing Up a Configuration 387 Troubleshooting for Backup 388...
  • Page 12 Check Point sends connection failed messages to Firewall 412 Action 413 Check Point synchronization 413 Message appears after checking synchronization status 413 Actions 413 Synchronization status check reveals an interface is down 414...
  • Page 13: Preface

    Preface The Nortel Switched Firewall 5100 Series User’s Guide and Command Reference (213455-L) describes the components and features of the Nortel Switched Firewall 5100 Series system and explains how to perform initial setup, configuration and maintenance when using Release 2.3.3 software.
  • Page 14: Part 2: Command Reference

    Chapter 4, Open Shortest Path First, provides an overview of the Open Shortest Path First (OSPF) protocol, describes the implementation of OSPF on the Switched Firewall, and includes several OSPF configuration examples.
  • Page 15: Related Documentation

    Browser-Based Users Guide (216383-D) Nortel Switched Firewall 5100 Series 2.3.3 Release Notes (213456-S) The documents are available on the Nortel Technical Support web site at www.nortel.com/support. Typographic conventions The following table describes the typographic styles used in this book. Table 1 Typographic Conventions...
  • Page 16: How To Get Help

    How to get help This section explains how to get help for Nortel products and services. Getting help from the Nortel web site The best way to get technical support for Nortel products is from the Nortel Technical Support web site at www.nortel.com/support.
  • Page 17: Getting Help Over The Telephone From A Nortel Solutions Center

    Getting help over the telephone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support web site, you can get help over the telephone from a Nortel Solutions Center. You must have a Nortel support contract to use the Nortel Solutions Center.
  • Page 19 Part 1: Getting started This section discusses basic firewall functions, Nortel Switched Firewall components, and features. The following topics are included in this section: New features and basic functions Initial setup DHCP Relay and OSPF Layer 2 and Layer 3 firewall...
  • Page 21: Chapter 1: Introduction

    Chapter 1: Introduction. The Nortel Switched Firewall is a combination of dedicated hardware and software — hardened OS, security applications, and networking technology. It addresses the needs for security, performance and ease of use. The software is a combination of NSF Single System Image (SSI) software and the ®...
  • Page 22: Feature Summary

    The system uses a versatile, multi-component approach to deliver unparalleled firewall processing power, reliability, and scalability. What’s new in NSF 2.3.3? The following features have been added to the Nortel Switched Firewall Release 2.3.3 since the last major release: Software support Supports Check Point™...
  • Page 23: Usability Enhancements

    Usability enhancements Nortel Switched Firewall Series 5100 release 2.3.3 provides the following usability enhancements: Monitor history and current information from CLI Current statistics and history are available for the following parameters:...
  • Page 24: Supported Hardware

    Supported hardware Table 2 shows the model numbers of the hardware platforms supported for NSF 2.3.3. The platforms differ in hardware features and performance, but in all other operational aspects (software, certification, system management, logging and monitoring) they are the same.
  • Page 25: Performance

    (performance table, truncated: 300 Mbps 250,000 3200–3600) Nortel Switched Firewall basics Network Elements The following diagram shows a basic network using the Nortel Switched Firewall. Figure 1 Nortel Switched Firewall network elements (labels: Nortel Switched Firewall with NSF, Remote Check Point SmartCenter Server, Console/...)
  • Page 26: The Networks

    The Firewall: The Nortel Switched Firewall is placed in the path between your various trusted, semi-trusted, and untrusted networks. It examines all traffic moving between the connected networks and either allows or blocks that traffic, depending on the security policies defined by the administrator.
  • Page 27 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Check Point SMART Client software, such as the SmartDashboard, can be installed on one or more administrator workstations on your network. This software usually provides a graphical user interface for creating, modifying, and monitoring firewall policies.
  • Page 28 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Introduction 213455-L, October 2005...
  • Page 29: Chapter 2: Initial Setup

    SMART Client. Then the Check Point management tools are installed on a workstation. The information in this chapter is based on the assumption that you installed the Nortel Switched Firewall Series 5100 hardware as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D), including mounting the components, attaching network cables, turning on power, and connecting a console terminal.
  • Page 30: Basic Requirements

    A Check Point license must exist for the Firewall. One subnet must be assigned for internal Nortel Switched Firewall use. This subnet must consist of the following IP addresses: one Management IP (MIP) address an IP address for the Firewall host –...
  • Page 31: Example Network

    – Before upgrading the software on the Firewall, you must perform the initial setup procedures as explained in this chapter. Once initial setup is complete, see Chapter 8, Upgrading and reinstalling the software, on page 229 for more information.
  • Page 32: Smartcenter Server

    The management network port in Figure 2 is configured on port 1. – The MIP address supports firewall clustering with a redundant firewall in a high-availability (active-standby) or active-active failover configuration. For more information, see...
    The following figure illustrates the Check Point window with the Smart Portal option and user authentication. Figure 3 Check Point Gateway with Smart Portal option
    To register the Smart Portal user name and password, do the following: From the Manage menu, select Users and Administrators as illustrated in Figure 4 (Check Point/Users and Administrators/Administrator Properties/General) –...
    Select the Admin Auth tab as illustrated in Figure 5 (Administrator Properties - smart_portal). Click New. Type the login name in the Login entry field. Type the password in the Password field and confirm it.
  • Page 36: Trusted Network

    Figure 6 Check Point SmartPortal login page Trusted network The IP address range of the Trusted Network is 10.3.0.0/16. The trusted network connects to port 3, Interface 1 (NSF 5109 port 3, Interface 1). The Interface address is 10.3.0.1. Untrusted network (Internet) The IP address of the Firewall default gateway is 172.25.3.23.
  • Page 37: Setting Up The Basic Configuration

    Press <Enter> on the console terminal to establish the connection. The Nortel Switched Firewall login prompt will appear. Enter the default login name (admin) and the default password (admin); the Setup utility prompts you to replace this default password later in the same session (page 41), and the default must not be left in place. If the Nortel Switched Firewall is set to factory defaults, a special Setup utility menu appears.
  • Page 38 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Enter the port number to be used for the management network. Enter port number for the management network [1-4]*: 1 Enter the host IP address for this Firewall: Enter IP address for this machine: 192.168.1.2 –...
  • Page 39 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Set your time zone by selecting continent or ocean, then country, then region. For example: Timezone setting 1 - Africa 2 - Americas 3 - Antarctica 4 - Arctic Ocean 5 - Asia...
  • Page 40 Generate new SSH host keys (yes/no) [yes]: y This may take a few seconds...ok Nortel recommends that you generate a new SSH key in order to maintain a high level of security when connecting to the Nortel Switched Firewall using an SSH client.
  • Page 41 Re-enter to confirm: <password> Choose whether to enable the Check Point SmartCenter Server on the firewall. Setup gives you the option of configuring your Nortel Switched Firewall with or without a collocated SmartCenter Server. Enabling the SmartCenter Server on the Switched Firewall lets you use the interface without requiring Secure Internal Communications.
  • Page 42 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference If you chose 1 or 3 in Step 12, you will be prompted to set the Check Point Secure Internal Communication (SIC) one-time password. The SIC password is required later when you establish Secure Internal Communications between an external Check Point SmartCenter server on NSF.
  • Page 43: Installing The Firewall License

    Installing the Firewall license Once the Setup utility has been used for basic system configuration, the Setup menu is no longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:...
  • Page 44: Example

    Example: Expiry date: 01jan2005 Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT License string: aBXAVeTWHR-FyxKKcdej-QiiS89a6N-isMP6Ywnn – Be sure to enter the information exactly as shown on your specific Check Point license. >> # /cfg/lic/pastelic List of current hosts: 1: 192.168.1.2...
    The port/interface assignments in the following commands refer to the Example Network in Figure 2 on page …. Nortel recommends that you assign a descriptive name to each port so that it is easier to remember which port is assigned to a particular interface.
    When configuring interfaces, make sure that each interface IP address is within the same subnet as the network to which it is connected. (Select the Port 3 Menu) >> Main# /cfg/net/port 3 (Name this port for Interface 1) >>...
  • Page 47: Allowing Smart Client Access To The Firewall

    Verify the interfaces are correctly configured: >> Access List# /info/net/if Interface Information Port VLAN Address Status ==== ==== ======= ====== 10.3.0.1/16 Enabled 172.25.3.10/24 Enabled Allowing SMART Client access to the Firewall The following procedure gives firewall access to a Check Point SMART Client when the SmartCenter Server is enabled on the firewall.
  • Page 48: Installing Check Point Management Tools

    The Windows hosts file should be edited to include the firewall information. This step allows the Check Point management station to recognize the firewall IP address and name. Nortel recommends that you edit the hosts file before you install the Check Point management station software.
  • Page 49: Installing Check Point Smartcenter Server And Smartconsole

    Installing Check Point SmartCenter Server and SmartConsole This procedure outlines how to install the Check Point management tools (SmartCenter Server and SmartConsole) for VPN-1 Pro NGX with Application Intelligence (R60). Before you begin installation, make sure your management station meets or exceeds the...
    Click Next (see Figure 8, Check Point installation accept terms page). Click I accept the terms of the license agreement. You may choose either Check Point Enterprise/Pro or Check Point Express, but be sure you...
    When prompted, select New Installation, then click Next (see Figure 10). Figure 10 Check Point Installation type page When prompted, select SmartCenter (optional) and SmartConsole, then click Next (see Figure 11).
    – You can have multiple SMART Clients by installing the SmartConsole components on additional workstations separate from the primary management workstation. For these instances, do not select SmartCenter. When prompted, select Primary SmartCenter, then click Next (see Figure 12).
    At this point, the program installs the SVN Foundation software (standard), SmartCenter (if selected) and SmartConsole components. The installation status is displayed in the Installation Status box (see Figure 14). Figure 14 Installation Status window...
    When prompted, click Next to continue (see Figure 16). Figure 16 Check Point SmartConsole NGX R60 installation page When prompted, specify the SmartConsole components to be installed (see Figure 17). Figure 17 Check Point SmartConsole component installation page Check Point Enterprise/Pro preselects all of the SmartConsole components.
    When prompted, click the Add… button (see Figure 18). Figure 18 Administrator’s Permissions page Enter the login information for SmartCenter administrators (see Figure 19). Figure 19 Add Administrator page
    Click OK. Click Next. When prompted, add any remote GUI Clients—also known as SMART Clients (see Figure 20). Figure 20 GUI Clients page Enter localhost, or the host IP address if the GUI client is on the same host as the SmartCenter Server.
    When the Internal CA Status changes to Initialized, click Next (see Figure 21). Figure 21 Certificate Authority page Record the SmartCenter Server fingerprint by clicking Export to file… (see Figure 22).
  • Page 58: Defining A Firewall Object In The Smartdashboard

    As a security measure, this fingerprint is required in a subsequent step so that the SMART Client can confirm it is connecting to the genuine SmartCenter Server rather than to an impostor. Click Finish to continue. When prompted, reboot the management station (see Figure 23).
    Log in using an administrator account (see Figure 24). Figure 24 Check Point log in page Enter one of the user name/password combinations configured during the installation of the Management Server tools during...
    Click Approve only if the fingerprint displayed is the same as the one obtained during installation of the Management Server tools (Step 24, page …). Create a new Gateway object to represent the newly installed Firewall.
  • Page 61 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Define the Firewall object parameters (see Figure 27). Figure 27 Check Point gateway general properties page Enter the following information: Name: If this is a Windows machine, use the name you specified in...
  • Page 62 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Click the Communication button in the General Properties dialog (see Step 5 page 58). The Communications dialog box appears (see Figure 28). Figure 28 Communications page—uninitialized Enter the Activation Key (the SIC password) and click Initialize.The SmartCenter Server will contact the Firewall and exchange security information.
  • Page 63 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Get the interfaces for the Firewall object. Select the the Check Point Topology dialog box (see Figure 30). Click Get all members’ topology to retrieve the interfaces you configured on the firewall and the topology information (under the IP Addresses behind interfaces header).
  • Page 64: Creating A Firewall Policy Test Rule

    Creating a Firewall policy test rule At this point in the initial setup, Nortel recommends a test to ensure that the system components are properly configured. For this test, create a policy rule that will allow any and all traffic to pass through the firewall. This rule exists only for the connectivity test; replace it with the real security rules (page 66) before the firewall carries production traffic.
    Also change the Track setting to “log” by right-clicking on the “none” setting and selecting “log” as the new track setting from the pop-up list. Push the policies to the Firewall.
  • Page 66: Creating And Installing Firewall Security Rules

    The SmartView Tracker lists all traffic being processed, accepted, dropped, and so on. To confirm that the Nortel Switched Firewall is properly configured, select the SmartView Tracker Active Mode. Use a client station to ping the firewall. If the SmartView Tracker displays an entry for the ping traffic, the configuration is good.
  • Page 67: Securid Authentication

    Command Line Interface (CLI) or the Browser-Based Interface (BBI). For more information about SecurID, see Nortel Switched Firewall Series 5100 Release 2.3.3 Browser-Based Interface User’s Guide, Part number 216383-D. SecurID requires the following:...
  • Page 68: Topology Of Securid Authentication

    Topology of SecurID authentication Figure 35 illustrates a SecurID authentication on a stand-alone system. Figure 35 SecurID authentication on a stand-alone system Following are the configuration details: iSD1 host IP address = 10.10.1.1 interface 2 (port 2) address1 = 172.25.3.1 for Check Point management station...
    Figure 36 illustrates a SecurID authentication on a High Availability (HA, active-standby) system. Figure 36 SecurID authentication on an HA system Following are the configuration details: iSD1 host IP address = 10.10.1.1 iSD2 host IP address = 10.10.1.2...
  • Page 70: Configuring Rsa Authentication Manager

    Interface 3 (port 3) vrip1 = 10.9.90.200 for external network Interface 4 (port 4) address1 = 200.200.200.3 Interface 4 (port 4) address2 = 200.200.200.4 Interface 4 (port 4) vrip1 = 200.200.200.2 for internal network Check Point management station IP address = 172.25.3.38...
    Figure 37 illustrates the Add Agent Host window. Figure 37 Add Agent Host window Resolve the host name and IP address by editing the hosts file in C:\WINNT\system32\drivers\etc. Following is an example of host name and IP address resolution:...
    The Assign Acting Servers dialog box is depicted in Figure 38 (Assign Acting Servers page). – All names must be resolved with their IP addresses. From the User menu, select Add User.
    The Add User window is depicted in Figure 39 (Add User page). Click Agent Host Activations. The Agent Hosts Activations window appears. The Agent Hosts Activations window is depicted in...
    Perform the following steps to create a user group. From the Group menu, click Add Group. The Add Group window appears (see Figure 41, Add Group window). Type the group name.
    The Group Activations window appears (see Figure 43). Figure 43 Group Activations window To import a token, go to the Token menu and import a token range number from the floppy disk.
    To synchronize the Token, perform the following steps: Click Resynchronize Token. The Resynchronize Token window appears (see Figure 45). Figure 45 Resynchronize Token window In the entry field, type the code displayed on the token.
    The Select Token dialog box appears (see Figure 47). Figure 47 Select Token dialog box Click Select Token from List. Click OK. To generate a configuration file, perform the following steps: Open the Agent Host menu.
    Select the agent host to generate the configuration file as depicted in Figure 49 (Select Agent Host window). Start the RSA ACE server by performing the following steps: Go to Start.
  • Page 79: Configuring Securid On Nortel Switched Firewalls

    Configuring SecurID on Nortel Switched Firewalls To configure SecurID on NSF, perform the following steps: Import the agent configuration file to NSF. Create the sdopts.rec file. Importing the agent configuration file to NSF The generated configuration file is copied to the ace/data folder on the ACE server.
  • Page 80: Configuring Partner Rsa Authentication Agent

    Type the IP address of the SecurID interface in the entry field. TIP: The IP address of the SecurID interface is the address of the interface that the ACE server connects to. In an HA environment, the IP address of the SecurID interface is the virtual IP address of that interface.
  • Page 81: Enabling Securid Authentication For Check Point Firewall-1 Users

    Enabling SecurID authentication for Check Point FireWall-1 users To enable SecurID authentication for Check Point FireWall-1 users, perform the following steps: Create a new user group. Create a new user. Add the new user to the new group.
  • Page 82: Rule Base For Session Authentication With Securid

    When Standard Sign-on is specified, depending on the rule, subsequent connections can be established without re-authentication. Following is a simple rule set that challenges users by client authentication. Rule Source Destination VPN...
    Users must run the Session Authentication Agent on each PC or workstation that requires access through this rule. With session authentication, passwords can be cached, so authentication is not required for every connection. TIP: Caching of passwords is not supported for one-time passwords like SecurID, so each connection is challenged.
  • Page 84: Vlan Tags

    VLAN tags Virtual LAN (VLAN) tags configured on a Switched Firewall interface allow the VLAN-configured hosts on that interface to participate as VLAN members. This example describes a Switched Firewall configuration that includes VLANs on a DMZ network.
  • Page 85: Layer 2 Switch Configuration

    Layer 2 switch configuration To ensure that each of the DMZ areas is privately and securely connected to the Switched Firewall, the following configuration steps must be taken on the layer 2 switches: Configure DMZ access ports on the layer 2 switch as members of the corresponding VLAN.
  • Page 86 Nortel Switched Firewall 2.3.3 User’s Guide and Command Reference Type DMZ1-WWW in the name box. Type 192.168.0.1 in the IP address box. To create a network object for the public web server in DMZ-2, perform the following steps: Right-click the Network Topology window.
  • Page 87: Switched Firewall Configuration

    Switched Firewall configuration Below is a dump of the Switched Firewall configuration for the example in Figure 51 on page …: /cfg /cfg/sys /cfg/sys/time tzone "America/Montreal" /cfg/sys/time/ntp /cfg/sys/dns /cfg/sys/cluster mip 10.10.1.10 /cfg/sys/cluster/host 1 ip 10.10.1.6...
  • Page 88: Initial Setup

    /cfg/net/port 1 name "Host Port" autoneg on speed 0 mode full /cfg/net/port 2 name none autoneg on speed 0 mode full /cfg/net/port 3 name none autoneg on speed 0 mode full...
    /cfg/net/adv /cfg/net/adv/route gateway 0.0.0.0 /cfg/net/adv/route/ospf rtrid 0.0.0.0 spf “5, 10” ena n Identical /cfg/../../../ospf configurations for if 1, 2, 3, 33 /cfg/net/adv/route/ospf/if 1 aindex 0 prio none cost none hello 10...
  • Page 91: Chapter 3: Dynamic Host Configuration Protocol

    “generic” file name to be booted, the address of the default gateway, and so forth). Nortel DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them.
  • Page 92: Dhcp Relay Agent

    DHCP relay agent DHCP is described in RFC 2131, and the DHCP relay agent supported on the Nortel Switched Firewall is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
  • Page 93: Configuring For Dhcp Relay Agent

    Configuring for DHCP relay agent To enable the Nortel Switched Firewall to be the DHCP forwarder, you need to configure the DHCP server IP addresses on the firewall. You must enable DHCP relay on the interface connected to the client subnet.
    Configure DHCP server information. >> # /cfg/net/dhcprl/server 1 (Set IP address of 1st DHCP server) >> DHCP Server 1# addr 10.1.1.1 (Enable the DHCP server) >> DHCP Server 1# ena (Set IP address of 2nd DHCP server) >>...
  • Page 95: Chapter 4: Open Shortest Path First

    Chapter 4: Open Shortest Path First. The Nortel Switched Firewall 2.3.3 supports the Open Shortest Path First (OSPF) routing protocol. This implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss current OSPF support: OSPF overview on page 96.
  • Page 96: Ospf Overview

    OSPF overview OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas.
  • Page 97: Types Of Ospf Routing Devices

    Transit Area—an area that allows area summary information to be exchanged between routing devices. The backbone (area 0) and any area that is not a stub area or an NSSA are...
  • Page 98: Neighbors And Adjacencies

    Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes (see Figure 54). Figure 54 OSPF domain and an autonomous system...
  • Page 99: The Link-State Database

    Because of the overhead required for establishing a new DR in case of failure, the hello process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other neighbors (including the DR).
  • Page 100: Authentication

    Authentication OSPF also allows packet authentication and uses IP multicast when sending and receiving packets. This ensures less processing on routing devices that are not listening to OSPF packets. Internal versus external routing...
  • Page 101: Nsf 2.3.3 Ospf Implementation

    NSF 2.3.3 OSPF implementation The following sections describe details on the OSPF implementation in the Nortel Switched Firewall: Configurable parameters on page 101 Defining areas on page 102 Interface cost on page 104...
  • Page 102: Defining Areas

    AS are reachable. Up to 17 OSPF areas (0-16) can be connected to a Nortel Switched Firewall cluster. To configure an area, the OSPF number must be defined and then attached to a network interface on the Nortel Switched Firewall.
  • Page 103: Using The Area Id To Assign The Ospf Area Number

    For example, the following commands could be used to configure IP interface 14 for a presence on the 10.10.10.1/24 network, to define OSPF area 1 using index 2 on the Nortel Switched Firewall, and to attach the area to the network: (Select menu for IP interface 14) >>...
  • Page 104: Interface Cost

    Dynamically—OSPF protocol configures the lowest IP interface IP address as the router ID. This is the default. To use a dynamic router ID after having set it statically, set the router ID to 0.0.0.0 and reboot the Nortel Switched Firewall...
  • Page 105: Authentication

    Authentication OSPF protocol exchanges are authenticated so that only trusted devices can participate. The Nortel Switched Firewall 2.3.3 supports simple authentication (type 1 plain text passwords) and MD5 authentication (encrypted data and passwords) among neighboring routing devices in an area.
  • Page 106: Gre Tunnel Support

    GRE Tunnel support NSF 2.3.3 supports Generic Routing Encapsulation (GRE) on all Firewalls. GRE is a point-to-point tunneling protocol that takes packets from one network system and places them inside frames from another network system in a peer-to-peer configuration.
  • Page 107: Ospf Configuration Examples

    OSPF configuration examples A summary of the basic steps for configuring OSPF on the Nortel Switched Firewall is listed here. Detailed instructions for each of the steps are covered in the following sections: Configure IP interfaces.
  • Page 108 Use the following procedure to configure OSPF support as shown in the figure. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed: one for the backbone network on 10.10.7.0/24 and one for the transit area network on 10.10.12.0/24.
  • Page 109: Example 2: Configuring Gre Tunnel

    Example 2: configuring GRE Tunnel Figure 56 shows two Nortel Switched Firewalls, NSF-California and NSF-New York, configured for GRE tunneling support. The two firewalls are configured to tunnel OSPF packets in a GRE tunnel, so other routers on the internet do not need to learn about OSPF.
  • Page 110 Configure GRE tunnel 1 on NSF-California. (Select GRE tunnel 1) >> Main# /cfg/net/gre 1 (Assign a name for GRE 1) >> GRETunnel 1# name tunnel_one (Assign Physical Interface for GRE 1) >>...
  • Page 111: Avoiding Loops In The Gre Tunnel

    Configure Check Point GUI for GRE support. To support GRE on the firewall, you need special configurations and rules from Check Point. For more information, refer to the document, 5100_OSPFWithGre.doc available on the Nortel web site. Avoiding loops in the GRE Tunnel Design the network carefully to ensure that packets do not get into a loop in the GRE tunnel.
  • Page 112 The results in the table reveal a loop because data packets—on the GRE tunnel end point, 50.1.1.2 subnet, and the OSPF subnet, 20.0.0.0 subnet— have the same destination. /i/n/gre >> #...
  • Page 113: Example 3: Configuring Failover

    Example 3: configuring failover Figure 57 shows two Nortel Switched Firewalls, NSF#1 and NSF#2, configured for failover. The two firewalls on the OSPF network are configured for failover on the management, client, and server interface.
  • Page 114 Refer to Setting up the basic configuration on page 37 and specify the firewall IP address as 10.10.1.1 and MIP IP address as 10.10.1.10. Log in to firewall NSF#2 and use the setup utility to join the cluster.
  • Page 115 Configure VRRP on the server interface. >> Main# /cfg/net/if 4/addr1 200.200.200.1 >> Main# /cfg/net/if 4/addr2 200.200.200.2 >> Main# /cfg/net/if 4/mask 255.255.255.0 >> Main# /cfg/net/if 4/port 4 >> Main# /cfg/net/if 4/ ena y >>...
  • Page 116 Start the Check Point SmartDashboard tool and configure the following: 15a) Create a new Gateway cluster (Cluster name: Cluster_Gateway; Cluster IP address:10.8.90.200; Enable Firewall-1). 15b) Add the two firewalls as cluster members to Cluster_Gateway.
  • Page 117: Chapter 5: Redundant Firewalls

    Configuring VRRP active-standby failover on page 125 Configuring VRRP active-active failover on page 145 Configuring Check Point ClusterXL failover on page 160 Establishing trust on redundant Firewalls on page 185 Synchronizing Nortel Switched Firewalls on page 186 213455-L, October 2005...
  • Page 118: Vrrp On The Switched Firewall

    – VRRP on the Nortel Switched Firewall is a custom implementation that deviates from RFC 2338 in some details. The VRRP router controlling the IP addresses associated with the virtual router is called the active master, and it forwards packets intended for these IP addresses.
  • Page 119: Active Master Determination

    (see Setting up the basic configuration on page 37). The general order for configuring redundant Switched Firewalls is presented in Installing the redundant Switched Firewall on page 128. Clustered firewalls act as virtual routers in a redundant relationship using VRRP. In an active-standby (high-availability) configuration, only one firewall passes traffic, while the redundant firewall is a dedicated backup.
  • Page 120: Vrrp Failover

    Active link is down. Port is down. High traffic spreads advertisement packets beyond the specified adint interval. A device on the virtual router LAN blocks the advertisement packets or ARP traffic.
  • Page 121: Vrrp Failover-Based On Links

    VRRP failover-based on links Link failures decrement the internal priority value that VRRP maintains for both Switched Firewalls. A link failure is defined as a loss of link at the VRRP interface.
  • Page 122: Stateful Failover

    VRRP router parameters are defined globally using the CLI (VRRP Settings Menu on page 335) or the BBI (see the Network / VRRP form in the Nortel Switched Firewall 5100 Series BBI User’s Guide). The following parameters are used to configure VRRP:...
  • Page 123: Gratuitous Arp (Garp)

    Virtual router interface parameters are defined per virtual router at the VRRP Interface Menu (see page 330) or the Network/Interfaces/Update (Add or Modify) form in the Nortel Switched Firewall 5100 Series BBI User’s Guide. Before you configure them, you must first configure the interface IP parameters at the Interface Menu...
  • Page 124: Advanced Failover Check

    Real Router IP addresses. The IP addresses you enter for addr1 and addr2 (cfg/net/if) at the Interface Menu become the real router IP addresses. Other real interface parameters including the port must be filled in as well.
  • Page 125: Configuring Vrrp Active-Standby Failover

    Configuring VRRP active-standby failover VRRP and the addition of a redundant Switched Firewall to the cluster make it possible to configure an effective, high-availability network that reduces the chance that a single point of failure can bring down the system.
  • Page 126: Configuration Overview

    Configuration overview The network topology for a typical active-standby (high-availability) network with Switched Firewalls is shown in Figure 58. Figure 58 Active-Standby failover configuration This example uses layer 2 switches to supply redundant feeds to the firewalls (hubs may also be used for the same purpose).
  • Page 127: Requirements

    The redundant Switched Firewall must be identical to the existing Switched Firewall. You cannot mix different models or software versions in the same cluster. For example, you cannot mix a 5109 and 5114; but you can mix a 5109 and a 5111-NE1. Similarly, you can mix a 5114 and a 5114-NE1.
  • Page 128: Installing The Redundant Switched Firewall

    See the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C). Connect the power cable for the redundant Switched Firewall, but do not turn it on yet. Attach power as described in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-C).
  • Page 129: Configuring The Redundant Switched Firewall

    Firewalls. – The Nortel Single System Image (SSI) maps the Switched Firewall configuration across both firewalls in the cluster. That is, whatever you had configured for firewall NSF#1 previously is mapped to firewall NSF#2 and any changes you add when logged into firewall NSF#1 are mapped to firewall NSF#2.
  • Page 130 Configure the VRRP interfaces on both Switched Firewalls. Log on to firewall NSF#1 as the administrator and configure the interfaces. >> Main# /cfg/net/if 2/addr1 100.1.1.1 >> Main# /cfg/net/if 2/addr2 100.1.1.2 >> Main# /cfg/net/if 2/mask 255.255.255.0 >>...
  • Page 131 Enable the failover type for the cluster. (Enable active-standby failover) >> Main# /cfg/net/vrrp/ha y (Enable active-active failover) >> Main# /cfg/net/vrrp/aa y – If you are configuring active-active failover, then modify the second virtual IP address in Step 5 from 0.0.0.0 to a specific value.
  • Page 132 Enter the Check Point License. >> # /cfg/lic/pastelic List of current hosts: 1: 172.25.3.1 2: 172.25.3.2 Choice: 1 Enter the entire license string :cplic put 10.10.1.4 10Mar2005 puZgqs4cF-wUJedwq5z-8ZinqozZ3-oM4yzMhib cpmp-eval-1-3des-ng CK- C40A2ED769CE –...
  • Page 133: Configuring Check Point Software For Active-Standby

    Configuring Check Point software for active-standby Use the following procedure to configure Check Point software for active-standby mode. Enter the IP address of the external interface as shown in the figure. The Check Point Gateway Cluster IP address should be the IP addresses of the external interface (/cfg/net/if<#>/addr1 or /cfg/net/if<#>/addr2).
  • Page 134 Perform the following steps to select Cluster Members and to verify the firewalls in the cluster (see Figure 60). Figure 60 Gateway Cluster Properties—Cluster Members
  • Page 135 2a) Check for third party configuration (see Figure 61). Figure 61 Gateway Cluster Properties—Third party configuration – For more information about third party configuration, refer to the NGX ClusterXL User Guide, Working with OPSEC Certified Clustering Products.
  • Page 136 2b) To enable synchronization, select 1st Synch from the Network Objective list on the Edit Topology page (see Figure 62). Figure 62 Edit Topology 2c) Click Get all members’ topology (see Figure 62).
  • Page 137 Ensure that the Automatic ARP configuration check box on the NAT page is not checked. Do not let Check Point handle ARP in Active-Standby mode (see Figure 63). Figure 63 Global Properties—Network Address Translation Add your defined rule and push the policy.
  • Page 138 If you are using Check Point SmartDefense TTL fingerprint scrambling, set TTL to 255 as shown in Figure 64. Figure 64 Check Point SmartDashboard—SmartDefense—TTL page The remaining configuration in the cluster object can be set up according to your requirements.
  • Page 139: Configuration Dump For Vrrp Active-Standby Failover

    Configuration dump for VRRP active-standby failover /* Configuration dump taken Tue Oct 18 18:10:54 IST 2005 /* Version 2.3.3.0_R60 /cfg/. /cfg/sys/. /cfg/sys/time/. tzone "Asia/Calcutta" /cfg/sys/time/ntp/. /cfg/sys/dns/. /cfg/sys/cluster/. /cfg/sys/cluster/host 1/. /cfg/sys/cluster/host 2/.
  • Page 140 alarms n rcomm public /cfg/sys/adm/snmp/users/. /cfg/sys/adm/snmp/hosts/. /cfg/sys/adm/snmp/system/. /cfg/sys/adm/snmp/adv/. trapsrcip auto /cfg/sys/adm/audit/. vendorid "1872 (alteon)" vendortype 2 ena false /cfg/sys/adm/audit/servers/. /cfg/sys/adm/auth/. timeout 10s fallback on ena false /cfg/sys/adm/auth/servers/. /cfg/sys/log/. debug n srcip auto /cfg/sys/log/syslog/.
  • Page 141 /cfg/net/port 2/. name none autoneg on speed 0 mode full /cfg/net/port 3/. name none autoneg on speed 0 mode full /cfg/net/port 4/. name none autoneg on speed 0 mode full /cfg/net/port 5/.
  • Page 142 /cfg/net/if 2/vrrp/. vrid 11 ip1 100.1.1.100 ip2 0.0.0.0 /cfg/net/if 3/. addr1 200.1.1.1 addr2 200.1.1.2 mask 255.255.255.0 vlanid 0 port 4 mgmt n ena y /cfg/net/if 3/vrrp/. vrid 192 ip1 200.1.1.100 ip2 0.0.0.0 /cfg/net/vrrp/.
  • Page 143 /cfg/net/ospf/if 3/. aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n /cfg/net/ospf/if 4/. aindex 0 prio none cost1 none cost2 200...
  • Page 144 /cfg/net/ospf/redist/defaultgw/. metric 10 t1 ena n /cfg/net/parp/. enable n /cfg/net/parp/list/. /cfg/net/dhcprl/. ena n /cfg/net/dhcprl/if 2/. ena n /cfg/net/dhcprl/if 3/. ena n /cfg/net/dhcprl/if 4/. ena n /cfg/net/dhcprl/if 5/. ena n /cfg/fw/. ena y /cfg/fw/sync/.
  • Page 145: Configuring Vrrp Active-Active Failover

    Configuring VRRP active-active failover The network topology for a typical active-active network with Switched Firewalls is shown in Figure 65. The following topics are addressed in this section: Configuration overview on page 126...
  • Page 146 Figure 65 is a diagram of an active-active failover configuration. Figure 65 Active-active failover configuration In Figure 65, the network configuration uses separate routers and separate layer 7 switches to supply separate data feeds for the firewall hosts. The synchronization connection on port 2...
  • Page 147: Requirements

    (addr1) on port 4. When link 2 fails, NSF#2 takes over all of NSF#1’s interfaces and sends out GARP messages to remote caches. Now NSF#2 is the active master on all interfaces and handles all of NSF#1’s traffic.
  • Page 148: Configuring The Redundant Switched Firewall

    Configuring the redundant Switched Firewall Configuring the redundant Switched Firewall on page 129. Configuring Check Point software Use the following procedure to configure Check Point software. On the Gateway Cluster Properties General Properties page, type the IP address for the...
  • Page 149 1a) To view the members of the gateway cluster, select Cluster Members from the Gateway Cluster Properties list. Figure 67 Cluster Members—Gateway Cluster members list
  • Page 150 Select 3rd Party Configuration from the Gateway Cluster Properties list and check for proper third party configuration (see Figure 68). Figure 68 Gateway Cluster Properties—3rd Party Configuration – For more information about third party configuration, refer to the NGX ClusterXL User Guide, Working with OPSEC Certified Clustering Products.
  • Page 151 From the Gateway Cluster Properties list, select the Edit Topology page and enable Synchronization (see Figure 69). Figure 69 Edit Topology
  • Page 152 Select Global Properties/FireWall/NAT and ensure that the Automatic ARP configuration check box is not checked (see Figure 70). Do not let Check Point handle ARP in Active-Active mode. Figure 70 Global Properties—NAT Add your defined rule and push the policy.
  • Page 153 If you are using Check Point SmartDefense TTL fingerprint scrambling, then set TTL to 255 as shown in Figure 71. Figure 71 Check Point SmartDashboard—SmartDefense—TTL The remaining configuration in the cluster object can be set up according to the customer’s requirements.
  • Page 154: Configuration Dump For Vrrp Active-Active Failover

    Configuration dump for VRRP active-active failover /* Configuration dump taken Tue Oct 18 18:19:31 IST 2005 /* Version 2.3.3.0_R60 /cfg/. /cfg/sys/. /cfg/sys/time/. tzone "Asia/Calcutta" /cfg/sys/time/ntp/. /cfg/sys/dns/. /cfg/sys/cluster/. /cfg/sys/cluster/host 1/. /cfg/sys/cluster/host 2/.
  • Page 155 level none access d events n alarms n rcomm public /cfg/sys/adm/snmp/users/. /cfg/sys/adm/snmp/hosts/. /cfg/sys/adm/snmp/system/. /cfg/sys/adm/snmp/adv/. trapsrcip auto /cfg/sys/adm/audit/. vendorid "1872 (alteon)" vendortype 2 ena false /cfg/sys/adm/audit/servers/. /cfg/sys/adm/auth/. timeout 10s fallback on ena false /cfg/sys/adm/auth/servers/.
  • Page 156 /cfg/net/port 1/. name "Host Port" autoneg on speed 0 mode full /cfg/net/port 2/. name none autoneg on speed 0 mode full /cfg/net/port 3/. name none autoneg on speed 0 mode full /cfg/net/port 4/.
  • Page 157 /cfg/net/if 2/. addr1 100.1.1.1 addr2 100.1.1.2 mask 255.255.255.0 vlanid 0 port 3 mgmt y ena y /cfg/net/if 2/vrrp/. vrid 11 ip1 100.1.1.100 ip2 100.1.1.200 /cfg/net/if 3/. addr1 200.1.1.1 addr2 200.1.1.2 mask 255.255.255.0...
  • Page 158 /cfg/net/ospf/if 2/. aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n /cfg/net/ospf/if 3/. aindex 0 prio none cost1 none cost2 200...
  • Page 159 /cfg/net/ospf/redist/. /cfg/net/ospf/redist/connected/. metric 10 t1 rmap 0 ena n /cfg/net/ospf/redist/static/. metric 10 t1 rmap 0 ena n /cfg/net/ospf/redist/defaultgw/. metric 10 t1 ena n /cfg/net/parp/. enable n /cfg/net/parp/list/. /cfg/net/dhcprl/. ena n /cfg/net/dhcprl/if 2/.
  • Page 160: Configuring Check Point Clusterxl Failover

    Configuring Check Point ClusterXL failover Check Point ClusterXL is used for clustering and load sharing functionality. ClusterXL is Check Point's implementation of failover. For more information about ClusterXL, refer to the Check Point documentation.
  • Page 161 Figure 72 is a diagram of a ClusterXL configuration. Figure 72 Configuring ClusterXL (diagram labels: ClusterXL Server 100.1.1.150, gw 200.1.1.100; 200.1.1.100 (Cluster IP); 100.1.1.100; NSF#1: Eth0 172.25.3.1/24 (Management), Eth1 10.10.1.1/24 (Sync); NSF#2: Eth0 172.25.3.2/24 (Management), Eth1 10.10.1.2/24 (Sync))
  • Page 162: Configuration Check List On The Management Station

    Configuration check list on the management station Using the SmartDashboard tool on the management station, do the following: Decide on the cluster-IP address for the interfaces that you want to publish to other devices as gateway or routes.
  • Page 163: Step-By-Step Configuration Procedure

    Step-by-step configuration procedure Use the following procedure to configure the management station: Select the Host Node General Properties page and perform the following steps: 1a) Create a host node for SSI-MIP (see Figure 73).
  • Page 164 1b) Establish the security policy on the Check Point SmartDashboard (see Figure 74). Figure 74 Check Point SmartDashboard—Security
  • Page 165 1c) Specify the Cluster IP address of the external interface and select the ClusterXL check box (see Figure 75). Figure 75 Gateway Cluster Properties—General Properties
  • Page 166 Click Communication (see Figure 76). Figure 76 Cluster Member Properties General—key 1 Provide the activation key (see Figure 77). Click Initialize (see Figure 77). Figure 77 Communication—Activation Key
  • Page 167 The Communication window appears showing the Trust state (Figure 78). Figure 78 Communication In Figure 78, the Trust state shows “Trust established”. TIP: If trust is not established, there is no communication between the management station and the Firewall.
  • Page 168 From the Gateway Cluster Properties menu, select Topology. The Edit Topology page appears (see Figure 79). Figure 79 Edit Topology Select eth0. Click OK.
  • Page 169 The Interface Properties window appears (see Figure 80). See Figure 81, Figure 82, and Figure 83 for examples of the Interface Properties for eth1, eth2, and eth3. Figure 80 Interface Properties—General eth0
  • Page 170 Figure 81 Interface Properties—General eth1 Figure 82 Interface Properties—General eth2
  • Page 171 Figure 83 Interface Properties—General eth3 Click Communication (see Figure 84). Figure 84 Cluster Member Properties—General
  • Page 172 Provide the activation key (see Figure 85). Click Initialize (see Figure 85). Figure 85 Communication—Activation Key The Communication window, indicating the Trust state, appears (see Figure 86). Figure 86 Communication window—Trust state In Figure 86, the Trust state is “Trust established”.
  • Page 173 The DN details appear in the Cluster Members property window. Select the Topology tab (see Figure 87). Figure 87 Edit Topology
  • Page 174 Figure 88 Interface Properties—General eth0 Figure 89 Interface Properties—General eth1
  • Page 175 Figure 90 Interface Properties—General eth2 Figure 91 Interface Properties—General eth3
  • Page 176 On the Gateway Cluster Properties—ClusterXL page, select Load Sharing for ClusterXL properties (see Figure 91). Figure 92 Gateway Cluster Properties—Cluster XL
  • Page 177 The Advanced Load Sharing Configuration window appears (see Figure 93). Figure 93 Advanced Load Sharing Configuration Figure 94 Edit Topology
  • Page 178 Enable proxy ARP (Figure 95). Figure 95 Global Properties—NAT Complete the remaining configuration to add the necessary rules and push the policy to the firewalls. Make sure the sync is up by running cphaprob stat.
  • Page 179: Configuration Dump For Check Point Clusterxl Failover

    Configuration dump for Check Point ClusterXL failover This section shows the configuration dump for Figure 72 on page 161. Note the following items in the dump: Sync is enabled. VRRP (ha/aa) is not enabled.
  • Page 180 /cfg/sys/adm/ssh/. ena n /cfg/sys/adm/ssh/sshkeys/. /cfg/sys/adm/ssh/sshkeys/knownhosts/. /cfg/sys/adm/web/. /cfg/sys/adm/web/http/. port 80 ena y /cfg/sys/adm/web/ssl/. port 443 ena n tls y sslv2 y sslv3 y /cfg/sys/adm/web/ssl/certs/. /cfg/sys/adm/web/ssl/certs/serv/. /cfg/sys/adm/web/ssl/certs/ca/. /cfg/sys/adm/snmp/. ena y model v2c level auth...
  • Page 181 /cfg/sys/log/syslog/. /cfg/sys/log/ela/. ena n addr 0.0.0.0 sev err /cfg/sys/log/arch/. email none smtp 0.0.0.0 int 1 0 size 0 /cfg/sys/user/. expire 0 /cfg/sys/user/adv/. /cfg/sys/ups/. type usb snmphost 0.0.0.0 snmpport 161 snmpcomm none level 5 master 0.0.0.0...
  • Page 182 /cfg/net/if 2/. addr1 10.10.1.1 addr2 10.10.1.2 mask 255.255.255.0 vlanid 0 port 2 mgmt n ena y /cfg/net/if 2/vrrp/. vrid 1 ip1 0.0.0.0 ip2 0.0.0.0 /cfg/net/if 3/. addr1 100.1.1.1 addr2 100.1.1.2 mask 255.255.255.0...
  • Page 183 /cfg/net/routes/. /cfg/net/ospf/. rtid1 0.0.0.0 rtid2 0.0.0.0 spf 5 10 ena n /cfg/net/ospf/if 2/. aindex 0 prio none cost1 none cost2 200 hello 10 dead 40 trans 1 retra 5 auth none ena n /cfg/net/ospf/if 3/.
  • Page 184 /cfg/net/ospf/redist/static/. metric 10 t1 rmap 0 ena n /cfg/net/ospf/redist/defaultgw/. metric 10 t1 ena n /cfg/net/parp/. enable n /cfg/net/parp/list/. /cfg/net/dhcprl/. ena n /cfg/net/dhcprl/if 2/. ena n /cfg/net/dhcprl/if 3/. ena n /cfg/net/dhcprl/if 4/.
  • Page 185: Establishing Trust On Redundant Firewalls

    Establishing trust on redundant Firewalls The ability to establish trust—Secure Internal Communication (SIC)—on redundant firewalls is required so that you can push policies to them from the Check Point SmartCenter Server.
  • Page 186: Managing Through The Vrrp Interface

    Managing through the VRRP interface If the Nortel Switched Firewalls are connected to the management server through a VRRP interface, then you may not be able to establish SIC and push the policy.
  • Page 187 Use OPSEC’s monitoring tool to get the cluster status >> Firewall Maintenance# From the Check Point SmartDashboard, update the firewall interface information (see page 136). From the Check Point SmartDashboard, re-install the security policies on both Nortel Switched Firewalls.
  • Page 189: Chapter 6: Layer 2 And Layer 3 Firewalls

    Layer 2 and Layer 3 Firewalls When you use NSF 2.3.3 you can configure your firewall in bridge mode. This chapter describes how to configure the Nortel Switched Firewall for Layer 2 and Layer 3 firewalls. Overview on page 190...
  • Page 190: Overview

    – Layer 2 and Layer 3 firewalls are not supported on the NSF 5109 model. NSF 2.3.3 supports two modes: Layer 2 and Layer 3 firewall. The procedures to configure Layer 2 or Layer 3 firewall differ only in the configuration of the bridge interface IP addresses.
  • Page 191: Configuring Layer 2 Bridge Mode Firewall

    Configuring Layer 2 bridge mode Firewall To configure a Layer 2 bridge mode Firewall, you must create a Layer 2 bridge and then add physical ports to the bridge. You can create up to 25 bridges and add any physical port other than SSI management port to these bridges.
  • Page 192: Configuring The Firewall Software

    Configuring the Firewall software Figure 96 shows the network topology for configuring a Layer 2 bridge mode firewall. NSF#1 and NSF#2 are configured for a layer 2 bridge mode firewall. The Layer 2 bridge is configured on interfaces eth2 and eth3 on ports 3 and 4.
  • Page 193 Layer 3 mode. – Nortel recommends defining multiple interfaces with VRRP. If a single interface is configured as in Layer 2-Layer 3 mode, then failure of the interface breaks the cluster and stops the functioning of Layer 2 firewall.
  • Page 194 Verify Layer 2 bridge configuration. – Make sure the bridge address is 0.0.0.0. An IP address is not required for a pure Layer 2 bridge interface. >> Network Configuration# /info/net/bridge Bridge Information...
  • Page 195: Configuring The Check Point Software To Support Layer 2 Bridge Mode

    Configuring the Check Point software to support Layer 2 bridge mode Use the following procedure to configure the Check Point software to support Layer 2 bridge mode. To configure the cluster to include Switched Firewalls NSF#1 and NSF#2, perform the following steps: 1a) Select General Properties from the Gateway Cluster Properties menu.
  • Page 196 1g) In the Check Point Products area, select the following: Firewall, SmartView Monitor. 1h) Click OK. From the Gateway Cluster Properties menu, select Cluster Members. The Gateway Cluster Properties—Cluster Members page appears (see Figure 98).
  • Page 197 The Cluster Member Properties page appears (see Figure 99). Figure 99 Cluster Member Properties. Repeat steps 2 through 4 for Switched Firewall NSF#2.
  • Page 198 From the Gateway Cluster Properties menu, select Topology. The Edit Topology page appears (see Figure 100). TIP: Check Point cannot identify a pure Layer 2 bridge device because the bridge interface does not hold a valid IP address.
  • Page 199 To configure the synchronization network, perform the following steps: 6a) From the Gateway Cluster Properties menu, select 3rd Party Configuration. The 3rd Party Configuration page appears (see Figure 101). 6b) In the Specify Cluster operating mode area, select High Availability.
  • Page 200 Check Point does not apply anti-spoofing protection to bridge ports unless they are manually added to the topology (eth2 and eth3 are bridge ports). Figure 102 Gateway Cluster Properties NSF cluster—Topology. Click Edit Topology.
  • Page 201 8a) Edit the topology for the cluster. Figure 103 Edit Topology. 8b) Click OK.
  • Page 202: Configuring A Layer 3 Firewall

    Configuring a Layer 3 Firewall With Nortel Switched Firewall 2.3.3 you can configure a Layer 3 mode firewall using the CLI or the BBI. To configure a Layer 3 firewall, use the following procedures:...
  • Page 203 Figure 104 shows the network topology for configuring a Layer 3 firewall. Figure 104 Configuring Layer 3 Firewall (topology diagram: Host 5, Host 6, firewall console, management station 172.16.2.147, router, L2 switch, external side 192.168.1.6...)
  • Page 204 To configure a Layer 3 bridging firewall, use the following procedure on NSF#1 and then on NSF#2. Configure the basic firewall configuration on Switched Firewall NSF#1. In the initial setup of the firewall (see...
  • Page 205 Verify the Layer 3 firewall configuration.
    >> Network Configuration# /info/net/bridge
    Bridge Information
    Id  Ports  Vlan  Bridge Address    VRRP Address   VRID  Status
    ==  =====  ====  ==============    ============   ====  ======
                     1: 172.16.5.5/24  1: 172.16.5.1        Enabled
                     2: 172.16.5.6/24 ...
  • Page 206: Configuring The Check Point Software To Support A Layer 3 Firewall

    Configuring the Check Point software to support a Layer 3 Firewall Use the following procedure to configure the Check Point software to support a Layer 3 firewall. To configure the cluster to include Switched Firewalls NSF#1 and NSF#2, perform the following steps.
  • Page 207 1g) In the Check Point Products area, select the following: Firewall, SmartView Monitor. 1h) Click OK. From the Gateway Cluster Properties menu, select Cluster Members. The Gateway Cluster Properties—Cluster Members page appears (see Figure 106).
  • Page 208 The Cluster Member Properties page appears (see Figure 107). Figure 107 Cluster Member Properties. Type the IP address for NSF#1 in the IP Address field. TIP: Select Get Address to browse for and select the IP address.
  • Page 209 TIP: Check Point identifies a Layer 3 device because the bridge interface holds a valid IP address. Figure 108 Edit Topology. Manually add the cluster IP address for the bridge interface, using the VRRP IP address (172.16.5.1/255.255.255.0), for the NSF cluster.
  • Page 210 To configure the synchronization network, perform the following steps. 7a) From the Gateway Cluster Properties menu, select 3rd Party Configuration. The 3rd Party Configuration page appears (see Figure 109). 7b) In the Specify Cluster operating mode section, select High Availability.
  • Page 211 To configure the topology for the cluster, perform the following steps: 8a) From the Gateway Cluster Properties menu, select Topology. The Gateway Cluster Properties—Topology page appears (see Figure 110). 8b) Select Enable Extended Cluster Anti-Spoofing.
  • Page 212 9a) Edit the topology for the cluster. Figure 111 Edit Topology. 9b) Click OK.
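The anti-spoofing setting in the steps above (pages 200 and 211) rests on one rule: Check Point accepts a packet on an interface only if its source address belongs to the networks defined as lying behind that interface, or, for an External interface, to no internal network at all. Bridge ports on a pure Layer 2 bridge carry no IP address, so nothing can be derived for them automatically, which is why eth2 and eth3 have to be added to the topology by hand. The Python below is an added example written for this page, not code from the manual or from Check Point. The interface names, the topology entries and the test addresses are constructed, loosely following the chapter's figures, and the three-way verdict (allowed, spoofed, unchecked) is the example's own simplification of the product's behaviour; Extended Cluster Anti-Spoofing is not modelled.

```python
import ipaddress

# Constructed interface topology, modelled on the chapter's example network
# (assumed names and addresses; not the manual's exact figure). Each entry is
# External, or Internal with the networks expected "behind" the interface.
# Bridge ports with no IP address (eth2/eth3 on a pure Layer 2 bridge) get no
# automatic entry, which is what the manual means by anti-spoofing not being
# applied to bridge ports unless they are added manually.
TOPOLOGY = {
    "eth1": {"external": True, "networks": []},
    "br1":  {"external": False, "networks": ["172.16.5.0/24"]},   # Layer 3 bridge
    "eth4": {"external": False, "networks": ["10.10.1.0/24"]},    # sync / management
}


def _internal_networks(topology):
    return [ipaddress.ip_network(n)
            for entry in topology.values() if not entry["external"]
            for n in entry["networks"]]


def check_ingress(topology, iface, src_ip):
    """Classify a packet arriving on `iface` with source `src_ip`.

    Returns "allowed", "spoofed", or "unchecked" (the interface has no
    topology entry, so no anti-spoofing decision can be made for it).
    """
    entry = topology.get(iface)
    if entry is None:
        return "unchecked"
    src = ipaddress.ip_address(src_ip)
    if entry["external"]:
        # External: a packet claiming any internal source is spoofed.
        inside = any(src in net for net in _internal_networks(topology))
        return "spoofed" if inside else "allowed"
    # Internal: only sources from the networks behind this interface are valid.
    ok = any(src in ipaddress.ip_network(n) for n in entry["networks"])
    return "allowed" if ok else "spoofed"


def add_bridge_port(topology, port, external=False, networks=()):
    """Return a copy of the topology with a bridge port added by hand, which
    mirrors the manual's step of adding eth2/eth3 so anti-spoofing covers them."""
    new = dict(topology)
    new[port] = {"external": external, "networks": list(networks)}
    return new
```

Run check_ingress against the topology before and after add_bridge_port: until the bridge ports are added, a packet claiming an internal source on eth2 comes back as unchecked rather than spoofed, which is exactly the gap the manual's topology step closes.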
  • Page 213: Configuration Issues

    Configuration issues Nortel Switched Firewall does not support Spanning Tree Protocol. A pure Layer 2 bridge does not appear in traceroute output. All ports participating in a bridge should be in the same VLAN. Nested bridges are not supported, and a bridge cannot carry different VLAN tags.
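The constraints on this page and in the verification steps on pages 194 and 205 (bridge address 0.0.0.0 for a pure Layer 2 bridge, an IP address plus a VRRP address for a Layer 3 bridge in a cluster, no SSI management port in a bridge, at most 25 bridges, all ports of a bridge in one VLAN) can be checked mechanically from the /info/net/bridge output. The Python below is an added example, not part of the manual. The sample output and the per-port VLAN table are constructed; the column spacing and the comma-separated port list are assumptions about the display format; the management port number (MGMT_PORT = 1) is assumed because the page does not state it; and the rule that a port may not belong to two bridges is the example's own. Nested bridges are not modelled.

```python
import re

# Constructed sample of /info/net/bridge output. The column names follow the
# manual; the spacing and the "3,4" port notation are assumptions.
SAMPLE_BRIDGE_INFO = """\
Id  Ports  Vlan  Bridge Address  VRRP Address  VRID  Status
1   3,4    1     0.0.0.0         -             -     Enabled
2   5,6    2     172.16.5.5/24   172.16.5.1    1     Enabled
"""

# Constructed per-port VLAN assignment (assumed to come from the port config).
SAMPLE_PORT_VLANS = {3: 1, 4: 1, 5: 2, 6: 2}

MAX_BRIDGES = 25   # stated on page 191
MGMT_PORT = 1      # assumed: the page does not give the SSI management port number


def parse_bridge_info(text):
    """Parse the tabular output into one dict per bridge."""
    rows = []
    lines = [l for l in text.splitlines() if l.strip()]
    for line in lines[1:]:                      # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        bid, ports, vlan, addr, vrrp, vrid, status = cols
        rows.append({
            "id": int(bid),
            "ports": [int(p) for p in ports.split(",")],
            "vlan": int(vlan),
            "address": None if addr == "0.0.0.0" else addr,
            "vrrp": None if vrrp == "-" else vrrp,
            "status": status,
        })
    return rows


def bridge_mode(row):
    # A pure Layer 2 bridge holds no IP address (0.0.0.0); a Layer 3 bridge does.
    return "L2" if row["address"] is None else "L3"


def lint_bridges(rows, port_vlans, clustered=True, mgmt_port=MGMT_PORT):
    """Return a list of rule violations (empty when the configuration is clean)."""
    problems = []
    if len(rows) > MAX_BRIDGES:
        problems.append(f"{len(rows)} bridges configured; maximum is {MAX_BRIDGES}")
    owner = {}                                   # port -> bridge id already using it
    for r in rows:
        tag = f"bridge {r['id']}"
        for p in r["ports"]:
            if p == mgmt_port:
                problems.append(f"{tag}: SSI management port {p} cannot be bridged")
            if p in owner:
                problems.append(f"{tag}: port {p} already belongs to bridge {owner[p]}")
            owner[p] = r["id"]
        vlans = {port_vlans.get(p) for p in r["ports"]}
        if vlans != {r["vlan"]}:
            problems.append(f"{tag}: member ports are not all in VLAN {r['vlan']}")
        if bridge_mode(r) == "L3" and clustered and r["vrrp"] is None:
            problems.append(f"{tag}: Layer 3 bridge in a cluster needs a VRRP address")
    return problems
```

Feed the command output captured over the console or SSH into parse_bridge_info and run lint_bridges after every bridge change; a clean configuration returns an empty list.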
  • Page 215: Chapter 7: Applications

    Applications This chapter describes several applications, including Check Point applications, that Nortel Switched Firewall 2.3.3 supports: Uninterruptible Power Supply on page 216 RADIUS authentication on page 221 VPN support on page 223 ISP redundancy on page 225 User Authority on page 226...
  • Page 216: Uninterruptible Power Supply

    Uninterruptible Power Supply Nortel Switched Firewall (NSF) 2.3.3 supports the American Power Conversion (APC) Uninterruptible Power Supply (UPS) daemon. With NSF 2.3.3 you can monitor power with a battery meter.
  • Page 217 Figure 112, Figure 113 on page 218, and Figure 114 on page 219 show three different UPS configurations. Figure 112 shows the Switched Firewall configured for UPS support in basic stand-alone mode using the USB port.
  • Page 218 Figure 113 shows the Switched Firewall configured for UPS support in master-slave mode using the USB port. Figure 113 Configuring UPS in master-slave mode using the USB port: UPS device...
  • Page 219 Enable UPS Monitor (enables the APC UPS monitor): >> # /cfg/sys/ups/ena Figure 114 shows the Switched Firewall configured for UPS support in master-slave mode using the Ethernet port through SNMP: Figure 114 Configuring UPS in master-slave mode using SNMP...
  • Page 220: Displaying Ups Configuration

    Specify the SNMP host for the UPS device: >> # /cfg/sys/ups/snmphost Current value: 0.0.0.0 (Set IP address of SNMP UPS) Enter IP address of the UPS: Specify the SNMP port for the UPS device.
  • Page 221: Radius Authentication

    RADIUS authentication With Nortel Switched Firewall 2.3.3 you can log in to the firewall using RADIUS authentication. The RADIUS client on the Switched Firewall forwards the RADIUS message to one or more RADIUS servers configured for authentication. RADIUS authentication applies to both stand-alone and cluster configurations.
  • Page 222 Configure the RADIUS server: >> # /cfg/sys/adm/auth/servers >> RADIUS Authentication Servers# add (Specify RADIUS server IP address) IP address to add: 30.30.30.30 Port (default is 1812): (Specify shared secret value of...
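The exchange behind the server entry above: the firewall's RADIUS client sends an Access-Request carrying the user name and the password hidden with the shared secret, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply and the secret, so only a server that knows the secret can produce a reply the client will accept. The Python below is an added example, not code from the manual or from any RADIUS library. It builds both sides of a PAP exchange in the RFC 2865 packet format with no network involved; the user database (plaintext passwords, for the demonstration only), the secret and the user name are constructed. The point it demonstrates is that the client must discard a reply whose ID or Response Authenticator does not check out.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, counts the 2-byte header) Value
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("malformed attribute")
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def build_access_request(ident, username, password, secret):
    """Client side: returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)  # must be unpredictable and unique per request
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_handle(packet, secret, user_db):
    """Server side: recover the PAP password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    resp_code = ACCESS_ACCEPT if user_db.get(user) == pw else ACCESS_REJECT
    attr_bytes = b""
    return (struct.pack("!BBH", resp_code, ident, 20 + len(attr_bytes))
            + response_authenticator(resp_code, ident, req_auth, attr_bytes, secret)
            + attr_bytes)


def client_verify(response, req_auth, expected_ident, secret):
    """Client side: accept the reply only if the ID matches the outstanding
    request and the Response Authenticator proves the sender knows the secret.
    Returns the reply code, or None when the reply must be discarded."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expected_ident or length != len(response):
        return None
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

The two checks in client_verify are what the shared secret buys: a reply from a host that does not hold the secret is dropped whether it says Accept or Reject, and a reply for a different request ID is dropped even with a valid authenticator. The shared secret is also the only thing hiding the password, so it must be long and random.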
  • Page 223: Vpn Support

    VPN support Nortel Switched Firewall 2.3.3 includes support for Virtual Private Networks (VPN) with IPsec. With it you can use the Check Point VPN feature to process traffic through the Switched Firewall from external clients or sites running third-party VPN software.
  • Page 224 On the VPN Advanced page, select the appropriate options for your system (Figure 116). Figure 115 Gateway Cluster Properties General. Figure 116 Gateway Cluster Properties—VPN Advanced.
  • Page 225: Isp Redundancy

    For more information about VPN support, refer to the Check Point documentation. ISP redundancy Nortel Switched Firewall 2.3.3 provides resilient Internet connectivity by allowing a single or clustered Switched Firewall to connect to the Internet through redundant Internet Service Provider (ISP) links.
  • Page 226: User Authority

    User Authority The User Authority feature in the Nortel Switched Firewall provides centralized management of user authentication and authorization. User Authority provides a unified, secure communication layer for authenticating users to eBusiness applications.
  • Page 227 Configure the User Authority server on the firewall module. Configure User Authority web access (FP3), installed on top of Microsoft IIS 4.0 or 5.0 on Windows 2000 or Windows NT Server.
  • Page 229: Chapter 8: Upgrading And Reinstalling The Software

    Upgrading and reinstalling the software The Nortel Switched Firewall relies on the software running on the Firewall, as well as on the Check Point management devices. From time to time, it may become necessary to upgrade one or more of the software components. This chapter describes the different types of software upgrades and provides detailed procedures as necessary.
  • Page 230: Compatibility

    The following versions of software are required for this release: Nortel Switched Firewall 5100 series Single System Image (SSI), Release 2.2.X or higher The SSI resides on the firewall and includes the Firewall OS and built-in Check Point firewall software.
  • Page 231: Types Of Upgrade

    There are three major classes of software upgrades that may be required for maintaining the Nortel Switched Firewall: ones that affect the Nortel Switched Firewall SSI; ones that target only the Nortel Switched Firewall’s built-in Check Point firewall software; and ones that are installed on Check Point management stations.
  • Page 232: Check Point Management Station Upgrades

    Management Station Hotfix. Upgrade and reinstall images: Nortel Switched Firewall provides three software image formats, .iso, .img, and .pkg. The .pkg image is downloaded from an FTP, TFTP, SCP, or SFTP server with the /boot/software/download command and is installed in parallel with the existing version. Prefer SCP or SFTP for the transfer; FTP and TFTP move the image over an unauthenticated, cleartext channel.
  • Page 233: Loading The New Software

    Activating the software on page 235 Loading the new software To install a minor or major release upgrade on your Nortel Switched Firewall, you need the following: CLI access using the local console terminal or to the Firewall host IP address through a remote Telnet or SSH connection.
  • Page 234 Access can be accomplished through the local serial port or a remote Telnet or SSH (Secure Shell) connection. Note, however, that Telnet and SSH connections are disabled by default and, if desired, must be manually configured after you have set up the firewall. For more...
  • Page 235: Activating The Software

    Activating the software The Nortel Switched Firewall can hold up to two versions of the same major software release simultaneously (for example, version 2.2.7 and version 2.3.3). To view the current software status, use the /boot/software/cur command. When a new version of the software is...
  • Page 236: Stand-Alone Upgrade

    After you activate the unpacked software version (which causes the Nortel Switched Firewall to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.
  • Page 237: Cluster Upgrade

    In this example, version 2.3.3.0 is now operational and survives a restart of the system, while the software version previously indicated as permanent is now marked as old. Perform a Get Topology operation.
  • Page 238 Activate the new (unpacked) software version and do not disturb the system until it reboots: >> Main# /boot/software >> Software Management# activate 2.3.3.0_R60 Confirm action 'activate'? [y/n]: y Activate ok, relogin Restarting system.
  • Page 239 Active-Active
    >> Main# /info/net/vrrp/status
    Host 10.10.1.193
      Group1 VRRP Master
        20.20.20.1
        30.30.30.1
      Group2 VRRP Backup
        20.20.20.2
        30.30.30.2
    Host 10.10.1.194
      Group2 VRRP Master
      ...
  • Page 240: Reinstalling Software

    There are two methods of reinstalling software on the firewall. Using the .iso image of the software: Nortel recommends this method. Copy the .iso image to a CD-ROM and boot from it. This reinstall removes the current configuration and reimages the firewall.
  • Page 241: Using The Img Image

    – Step 4 sets the policy on the Nortel Firewall to deny all by default. For this step to work, you must provide access to your TFTP/FTP server. To do this, use the /maint/diag/fw/unldplcy command, but exercise caution: the command unloads the firewall policy, so the firewall passes all traffic until a policy is loaded again.
  • Page 242 The host name or IP address of the FTP/SCP/SFTP server. If you choose to specify the host name, the DNS parameters must have been configured. For more information, see the DNS Servers Menu on page 285.
  • Page 243 If the Firewall has not been previously configured for network access, you must provide information about network settings such as IP address, network mask, and gateway IP address. After the new boot image has been installed, the Firewall reboots and you can log in again when the login prompt appears.
  • Page 245: Chapter 9: Basic System Management

    Basic system management This chapter explains how to access system management features on the Nortel Switched Firewall. Management access is required for collecting system information, configuring system parameters beyond initial setup, establishing security policies, and monitoring policy effectiveness. Management tools...
  • Page 246: Users And Passwords

    To enable better system management and user accountability, four levels of user access have been implemented on the Nortel Switched Firewall. The default user name and password for each access level are listed in Table 5.
  • Page 247 Table 5 User access levels (Continued)
    User Name: root | Password: ForgetMe | Description and tasks performed: The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software.
    Because these default passwords are published, change every default password during initial setup, before the firewall is reachable from any network you do not control.
  • Page 249 Part 2: Command reference This section provides detailed information about all Command Line Interface (CLI) commands and menu items, organized in the same way as the CLI. The section starts with listing the global commands, which can be used at any menu prompt, and then explains the remaining commands hierarchically: Accessing the Command Line Interface The Main Menu...
  • Page 251: Chapter 10: The Command Line Interface

    The Command Line Interface The Command Line Interface (CLI) is the most direct method for viewing information about the Nortel Switched Firewall. In addition, you can use the CLI for performing all levels of system configuration. The CLI is text-based, and can be viewed using a basic terminal. The various commands are logically grouped into a series of menus and sub-menus.
  • Page 252: Accessing The Command Line Interface

    259). Defining the remote access list The Nortel Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the remote access list. The remote access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system.
  • Page 253: Adding Items To The Access List

    Apply the changes: >> Access List# apply Using Telnet A Telnet connection allows convenient management of the Nortel Switched Firewall from any workstation connected to the network. Telnet access provides the same management options as those available through the local serial port.
  • Page 254: Enabling Telnet Access

    – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Nortel Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, consider using Secure Shell (SSH) (see Using Secure Shell on page 255).
  • Page 255: Starting The Telnet Session

    259. Using Secure Shell A Secure Shell (SSH) connection allows convenient and secure management of the Nortel Switched Firewall from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port.
  • Page 256 >> SSH Administration# apply If necessary, generate new SSH keys. During the initial setup of the Switched Firewall, Nortel recommends that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the Nortel Switched Firewall using a SSH client.
  • Page 257: Starting The Ssh Session

    Starting the SSH session Remote SSH access requires a workstation with SSH client software. To establish an SSH connection with the Nortel Switched Firewall, run the SSH program on your workstation by issuing the following SSH command: ssh -l <user name> <host IP address>...
  • Page 258: Using The Command Line Interface

    Using the Command Line Interface Basic operation Using the CLI, Nortel Switched Firewall administration is performed in the following manner: the administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.
  • Page 259: The Main Menu

    The Main Menu After initial system setup is complete and the user connects and logs in successfully, the Main Menu of the CLI is displayed. Table 6 shows the Main Menu with administrator...
  • Page 260: Multiple Administration Sessions

    Multiple administration sessions It is possible to have more than one CLI or BBI administrator session open at the same time. Although each concurrent administrator session is independent, when configuration changes are saved to the Single System Image (SSI) shared by the firewall, the saved changes affect all users.
  • Page 261 Table 7 Global CLI commands. Command: nslookup. Action: Find the IP address or host name of a network device. The format is as follows: nslookup <host name|IP address> To use this command, you must have configured the firewall to use a DNS server.
  • Page 262: Command Line History And Editing

    Command Line history and editing Using the CLI, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:...
  • Page 263: Command Line Shortcuts

    Command Line shortcuts Command stacking As a shortcut, you can type multiple commands on a single line separated by forward slashes ( / ). You can connect as many commands as required to reach the menu option that you want.
  • Page 265: Chapter 11 Command Reference

    Command reference Main Menu After initial system setup is complete and the user connects and logs in successfully, the Main Menu of the CLI is displayed.
    [Main Menu]
    info - Information Menu
    cfg - Configuration Menu
    boot - Boot Menu
    maint - Maintenance menu
    diff ...
  • Page 266 279 for menu items. boot: The Boot Menu is used for upgrading Nortel Switched Firewall software and for rebooting, if necessary. The Boot Menu is accessible using an administrator login. See page 365 for menu items.
  • Page 267 Table 9 Main Menu (Continued). Command: validate. Syntax and Usage: This global command validates pending configuration changes made during your current administration session. It does not include pending changes being made by other CLI or BBI administrator sessions running at the same time.
  • Page 268 You can then open the configuration dump file in your text editor, copy the information, and paste it into the CLI window. When pasted, the configuration content is batch processed by the Nortel Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. Because a dump carries the system's private keys, store and transfer dump files as secrets.
  • Page 269: Information Menu

    - Dump all the current configuration under the info menu
    capacity - Display the capacity of the system
    The Information Menu is used for displaying information about the current status of the Nortel Switched Firewall. Table 10 Information Menu (/info) Command Syntax and Usage...
  • Page 270 Table 10 Information Menu (/info) (Continued). Command: host. This command displays runtime information for the specified Firewall host. Information includes CPU usage, hard disk usage of the log partition, and the status of important applications such as the web server, Check Point Firewall, SNMP, and Inet server.
  • Page 271 Table 10 Information Menu (/info) (Continued). Command: fwmon. This command replicates the Check Point fw monitor command, which is used to monitor FW-1/VPN-1 traffic. You can specify the timeout value when you take the capture, and the log can be displayed on the console or uploaded to a USB memory stick or a remote device through an ftp/sftp/scp/tftp connection.
  • Page 272 Table 10 Information Menu (/info) (Continued). Command: about. This command displays system information such as the hardware type, OS version, Check Point version, firewall version, firewall policies configured on the system, SIC state, licenses configured on the system, and the Check Point sync status.
  • Page 273: Info_Host Menu

    /info/host Info_host Menu
    [info_host Menu]
    status - Show runtime information
    link - Show physical ports link status
    ether - Show ethernet stats
    syslog - Show syslog entries
    This menu provides configuration, status, and statistics information about the host's runtime, link, ethernet, and syslog parameters.
  • Page 274: Info/Monitor

    /info/monitor info_monitor Menu
    [info_monitor Menu]
    curdata - Show current data
    histdata - Show history data
    The monitor menu provides two commands for viewing current and historical data. Table 12 Info_Monitor Menu (/info/monitor)
  • Page 275 The Information Menu shows the interface, route, and VRRP details. Table 13 Info_net Menu (/info/net) Command and Usage. This command displays the Management IP information and interface details including ID, IP address and netmask, port assignment, operational status, and VLAN number.
  • Page 276: Bridge 1 Information Menu

    /info/net/bridge Bridge 1 Information Menu The Bridge Information Menu displays the bridge ID, ports, VLAN, IP address (for a Layer 3 firewall), status, and ageing information about the configured bridge interfaces. /info/net/route...
  • Page 277 This command displays status and configuration information about the configured OSPF interfaces. This command displays all OSPF routes contained in the Forwarding Information Base (FIB) advertised by the Nortel Switched Firewall. This includes routes that have been redistributed from other protocols. ospf: Displays the current configuration for all of the OSPF setup parameters.
  • Page 278: Vrrp Information Menu

    /info/net/vrrp VRRP Information Menu
    [info_net_vrrp Menu]
    status - Show VRRP status
    - Show VRRP configuration
    The VRRP Information Menu displays information about the status and configuration of VRRP. Table 16 VRRP Information Menu (/info/net/vrrp)
  • Page 279: Configuration Menu

    - Miscellaneous Settings Menu
    dump - Dump configuration on screen for copy-and-paste
    The Configuration Menu is used for configuring the Nortel Switched Firewall. Some commands are available only from the administrator login. Table 17 Configuration Menu (/cfg) Command Syntax and Usage. The System Menu is used for configuring system-wide parameters.
  • Page 280 CLI. When pasted, the content is batch processed by the Nortel Switched Firewall. To view the pending configuration changes resulting from the batch processing, use the diff command.
  • Page 281: System Menu

    The Access List Menu is used to restrict remote access to Nortel Switched Firewall man- agement features. You can add, delete, or list trusted IP addresses that are allowed Tel- net, Secure Shell (SSH), or Browser-Based Interface (BBI) access to the system. If the access list is not configured, users will not be able to access remote management features even when those features are otherwise enabled.
  • Page 282 313 for menu items. user The User Menu is used to add, modify, delete, or list Nortel Switched Firewall user accounts, and change passwords. page 318 for menu items. This menu is used for configuring the UPS support for the cluster.
  • Page 283: Date And Time Menu

    /cfg/sys/time Date and Time Menu
    [Date and Time Menu]
    date - Set system date
    time - Set system time
    tzone - Set Timezone
    - Configure NTP servers
    The Date and Time Menu is used to set the system date, time, and time zone options.
  • Page 284: Ntp Servers Menu

    This command lets you add an NTP server. The NTP server with the specified IP address will be added to the list of NTP servers used to synchronize the Nortel Switched Firewall system clock. A number of NTP servers (at least three) should be available in order to compensate for any discrepancies among the servers.
  • Page 285: Dns Servers Menu

    /cfg/sys/dns DNS Servers Menu
    [DNS Servers Menu]
    list - List all values
    - Delete a value by number
    - Add a new value
    insert - Insert a new value
    move - Move a value by number
    The DNS Servers Menu lets you change Domain Name System (DNS) parameters.
  • Page 286: Cluster Menu

    /cfg/sys/cluster Cluster Menu
    [Cluster Menu]
    host - Cluster Host Menu
    The Host Information Menu allows you to configure the Firewall's host IP address. Table 22 Cluster Menu (/cfg/sys/cluster) Command Syntax and Usage host <cluster host number>...
  • Page 287: Cluster Host Menu

    /cfg/sys/cluster/host <cluster host number> Cluster Host Menu
    [Cluster Host 1 Menu]
    name - Set system name
    hwplatform - Display hardware platform
    halt - Halt the host
    reboot - Reboot the host...
  • Page 288 /boot/delete command on page 365. – Nortel recommends that, after deleting a host, you get the topology using the SmartDashboard and push the policies to the operational host. Then use the Setup utility to join the cluster. Command reference...
  • Page 289: Access List Menu

    - Delete a value by number
    - Add a new value
    The Nortel Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For security purposes, access to these features is restricted through the access list. The access list allows the administrator to specify IP addresses or address ranges that are permitted remote access to the system.
  • Page 290: Administrative Applications Menu

    292 for menu items. The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote access to the Nortel Switched Firewall management CLI. This menu is also used for generating SSH host keys. page 293 for menu items.
  • Page 291 The SNMP Administration Menu is used to control Simple Network Management Proto- col (SNMP) read access and to enable or disable SNMP event and alarm messages for the Nortel Switched Firewall. This menu is also used for defining SNMP information, permission levels, and traps.
  • Page 292: Telnet Administration Menu

    The Telnet Administration Menu is used to enable or disable remote Telnet access to the Nortel Switched Firewall CLI. By default, Telnet access is disabled. Depending on your security policy, you may enable Telnet access and restrict it to one or more trusted clients; because Telnet carries the login password in cleartext, prefer SSH wherever the clients support it.
  • Page 293: Ssh Administration Menu

    - SSH host keys menu
    The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote access to the Nortel Switched Firewall management CLI. This menu is also used for generating SSH host keys. An SSH connection allows secure management of the Nortel Switched Firewall from any workstation connected to the network.
  • Page 294: Ssh Host Keys Menu

    /cfg/sys/adm/ssh/sshkeys SSH Host Keys Menu [SSH Host Keys Menu] generate - Generate new SSH host keys for the cluster show - Show current SSH host keys for the cluster knownhosts - SSH known host keys menu The SSH Host Keys Menu is used to generate and manage SSH host keys.
  • Page 295: Ssh Known Host Keys Menu

    /cfg/sys/adm/ssh/sshkeys/knownhosts SSH Known Host Keys Menu [SSH Known Host Keys Menu] list - List known SSH keys of remote hosts - Delete known SSH host key by index - Add a new SSH host key...
  • Page 296: Web Administration Menu

    The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The BBI allows for refined, intuitive remote management of the Nortel Switched Firewall using a web browser. The BBI can be configured to use HTTP (non-secure), HTTPS with Secure Socket Layer (SSL), or both.
  • Page 297: Http Configuration Menu

    HTTP access and refine the list of trusted clients. – HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Nortel Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, see the SSL Configuration Menu on page 298.
  • Page 298: Ssl Configuration Menu

    /cfg/sys/adm/web/ssl SSL Configuration Menu [SSL Configuration Menu] port - Set SSL port number - Enable SSL - Disable SSL - Set TLS sslv2 - Set SSL version 2 sslv3 - Set SSL version 3...
  • Page 299: Certificate Management Menu

    Table 32 SSL Configuration Menu (/cfg/sys/adm/web/ssl) (Continued) Command Syntax and Usage sslv2 y|n This command enables or disables SSL Version 2. sslv3 y|n This command enables or disables SSL Version 3.
  • Page 300: Server Certificate Management Menu

    /cfg/sys/adm/web/ssl/certs/serv Server Certificate Management Menu [Server Certificate Management Menu] - Generate certificate request - this erases old key - Export certificate request list - List server certificates - Delete a server certificate - Add a server certificate The Server Certificate Management Menu is used to administer SSL server certificates.
  • Page 301: Ca Certificate Management Menu

    /cfg/sys/adm/web/ssl/certs/ca CA Certificate Management Menu [CA Certificate Management Menu] list - List CA certificates - Delete a CA certificate - Add a CA certificate The CA Certificate Management Menu is used to administer SSL external Certificate Authority (CA) certificates.
  • Page 302: Snmp Administration Menu

    - SNMP System Information Menu - Advanced SNMP Options Menu The Nortel Switched Firewall software supports elements of the Simple Network Management Protocol (SNMP). If you are running an SNMP network management station on your network, you can read NSF configuration information and statistics using the following SNMP...
  • Page 303 Table 36 SNMP Administration Menu Options (/cfg/sys/adm/snmp) (Continued) Command Syntax and Usage level auth|priv This command is used only when usm is selected. It is used to specify the desired degree of SNMP USM security: auth: Verify the SNMP user password before granting SNMP access.
  • Page 304: Snmp Users Menu

    Table 36 SNMP Administration Menu Options (/cfg/sys/adm/snmp) (Continued) Command Syntax and Usage system The SNMP System Information Menu is used to configure basic identification information such as support contact name, system name, and system location.
  • Page 305: Trap Hosts Menu

    (and confirmation): password the user must enter for access. encryption string (and confirmation): if the level encrypt option is used on the SNMP Administration Menu (/cfg/sys/adm/snmp), the encryption string is used to encode SNMP traffic between the user and the Nortel Switched Firewall. /cfg/sys/adm/snmp/hosts Trap Hosts Menu...
  • Page 306: Snmp System Information Menu

    Table 38 Trap Hosts Menu Options (/cfg/sys/adm/snmp/hosts) (Continued) Command Syntax and Usage add <trap host IP address> <port number> <community string> <trap user> This command lets you add an SNMP trap host. The trap host with the specified IP address will receive any enabled SNMP messages from the Firewall.
  • Page 307: Advanced Snmp Settings Menu

    The IP address of the outgoing interface is used. This is the default. unique: The IP address of the individual Nortel Firewall is used. mip: The IP address of the cluster MIP is used. This setting is useful with applications (such as some versions of HP OpenView) that expect devices to be limited to only one IP address.
  • Page 308: Audit Menu

    /cfg/sys/adm/audit Audit Menu [Audit Menu] servers - RADIUS Servers Menu vendorid - Set vendor id for audit attribute vendortype - Set vendor type for audit attribute - Enable server - Disable server The Audit menu is used for configuring a RADIUS server to receive log messages about commands executed in the CLI or the Web User Interface.
  • Page 309 The default vendor type value is set to 2. Tip! Finding audit entries in the RADIUS server log can be made easier by defining a suitable string in the RADIUS server dictionary (for example, Nortel-NSF-Audit-Trail) and mapping this string to the vendor type value.
  • Page 310: Radius Audit Servers Menu

    /cfg/sys/adm/audit/servers Radius Audit Servers Menu [Radius Audit Servers Menu] list - List all values - Delete a value by number - Add a new value insert - Insert a new value...
  • Page 311: Authentication Menu

    /cfg/sys/adm/auth Authentication Menu [Authentication Menu] servers - RADIUS Authentication Servers menu timeout - Set RADIUS server timeout fallback - Use local password as fallback - Enable RADIUS Authentication - Disable RADIUS Authentication The Authentication menu is used to configure RADIUS authentication.
  • Page 312: Radius Authentication Servers Menu

    /cfg/sys/adm/auth/servers Radius Authentication Servers Menu [Radius Authentication Servers Menu] list - List all values - Delete a value by number - Add a new value insert - Insert a new value...
  • Page 313: Platform Logging Menu

    Table 45 Platform Logging Menu (/cfg/sys/log) Command Syntax and Usage syslog The System Logging Menu is used to configure syslog servers. The Nortel Switched Firewall software can send log messages to specified syslog hosts. page 314 for menu items.
  • Page 314: System Logging Menu

    This command is used to enable or disable specialized debugging log messages. This is disabled by default and should be enabled only as directed by Nortel Technical Support. srcip auto|unique|mip This command is used to configure which source IP address will be used with logs generated from the Switched Firewall.
  • Page 315: Ela Logging Menu

    Check Point SmartCenter Server for display through the Check Point SmartView Tracker. ELA configuration requires steps at both the Nortel Switched Firewall and at Check Point SmartCenter Server. For configuration details, see...
  • Page 316 The ELA Logging Menu has the following options: Table 47 ELA Logging Menu (/cfg/sys/log/ela) Command Syntax and Usage This command is used to enable the ELA feature. When enabled, system log messages will be sent to the Check Point SmartCenter Server.
  • Page 317: Log Archiving Menu

    /cfg/sys/log/arch Log Archiving Menu [Log Archiving Menu] email - Set e-mail address to send log smtp - Set SMTP server address - Set log archive interval size - Set maximum size of archived log The Log Archiving Menu is used to archive log files when the file reaches a specific size or age.
  • Page 318: User Menu

    - Edit a user - Advanced User Configuration Menu The User Menu is used to add, modify, delete, or list Nortel Switched Firewall user accounts, and change passwords. There are three default user accounts which cannot be deleted: admin, oper, and root. See Users and passwords on page 246 for information about default passwords and privileges.
  • Page 319 Table 49 User Menu (/cfg/sys/user) (Continued) Command Syntax and Usage del <user name> This command lets you delete user accounts. Only the admin user can perform this action. Of the three default users (admin, oper, and root), only the oper user can be deleted.
  • Page 320: User User_Name Menu

    /cfg/sys/user/edit <user name> User user_name Menu [User user_name Menu] password - Login password groups - Groups The User (user name) Menu is used to change passwords and assign group privileges for the user account specified by the user name.
  • Page 321: Ssh User Admin Menu

    /cfg/sys/user/adv/user <user name> SSH User Admin Menu [SSH User Admin Menu] name - Set Full name of User pubkey - Set RSA/DSA Public Key for User - Enable User Account - Disable User Account - Remove SSH User The SSH User Admin Menu allows you to create an SSH account on the Switched Firewall.
  • Page 322: Groups Menu

    /cfg/sys/user/edit <user name>/groups Groups Menu [Groups Menu] list - List all values - Delete a value by number - Add a new value Table 52 Groups Menu (/cfg/sys/user/edit/groups) Command Syntax and Usage...
  • Page 323: Apc Ups Menu

    /cfg/sys/ups APC UPS Menu [APC UPS Menu] type - Set UPS type snmphost - Set IP address of SNMP UPS snmpport - Set port used by SNMP UPS snmpcomm - Set SNMP community string of the UPS...
  • Page 324 Table 53 APC UPS Menu (/cfg/sys/ups) (Continued) Command Syntax and Usage master <IP address> This command lets you specify which Switched Firewall in the cluster should be the master to communicate with the UPS system. When the UPS type is selected as “USB,”...
  • Page 325: Network Configuration Menu

    To view menu items, see page 327. – The 5106 and 5114 have four ports. The 5109 has six ports. if <interface number [1-255]> This command displays the Interface menu for the selected Interface. To view menu items, see page 328.
  • Page 326 Table 54 Network Configuration Menu (/cfg/net) (Continued) Command Syntax and Usage routes The Routes Menu is used to add, delete, or list static routes. The Firewall uses these routes to route packets within the attached networks.
  • Page 327: Port Menu

    The SC fiber optic connectors are for attaching Gigabit Ethernet (1000Base-SX) segments to the port. The RJ-45 copper connectors are for attaching 10/100 Mbps Ethernet (10Base-T or 100Base-TX) segments. For physical port specifications and LED behavior, see the Nortel Switched Firewall 5100 Series Hardware Installation Guide. Table 55 Port Menu (/cfg/net/port) Command Syntax and Usage name <port name>...
  • Page 328: Interface Menu

    Table 55 Port Menu (/cfg/net/port) (Continued) Command Syntax and Usage speed <port speed> This command is used to set the link speed of the port. Enter the port speed as an integer representing Mb/second.
  • Page 329 – A network device attached to a Firewall port must be configured to use an IP interface as its default gateway to direct traffic through the Firewall. Do not use the host IP address or any IP address in the Firewall subnet as the default gateway for a network.
  • Page 330: Vrrp Interface Menu

    Table 56 Interface Menu (/cfg/net/if) (Continued) Command Syntax and Usage port <interface port number> This command is used to assign a port to this IP interface. Only one port may be assigned to an interface.
  • Page 331 With VRRP, the redundant interfaces form a virtual router. The interface IP address (/cfg/net/if <interface number>/addr1) becomes the real IP address for both hosts, though it is only active on the active master. Two additional virtual sub-addresses (ip1 and ip2) must be assigned to the interface: ip1 represents host 1 and ip2 represents host 2.
  • Page 332: Bridge 1 Menu

    /cfg/net/bridge <bridge number> Bridge 1 Menu [Bridge 1 Menu] addr1 - Set IP address-1 addr2 - Set IP address-2 mask - Set Subnet mask vlanid - Set VLAN tag id ageing...
  • Page 333: Bridge 1 Ports Menu

    Table 58 Bridge Menu (/cfg/net/bridge) (Continued) Command Syntax and Usage ports This command is used to assign a port to this bridge interface. page 333 for menu items. vrrp The VRRP Bridge Menu is used for configuring an interface for high-availability when redundant hosts are in a cluster.
  • Page 334: Vrrp Bridge 1 Menu

    Table 59 Bridge Ports Menu options (/cfg/net/bridge/ports) (Continued) Command Syntax and Usage add <port #> This command lets you add a new port to the bridge interface. insert <index number> <IP address>...
  • Page 335: Vrrp Settings Menu

    Table 60 VRRP Bridge Menu options (/cfg/net/bridge/vrrp) Command Syntax and Usage vrid <virtual router ID (1-255)> This command assigns an ID for the virtual router interface. The vrid on this interface must be configured the same for both the active master and the backup.
  • Page 336 – Both Firewall hosts in the cluster must have the same configuration. Table 61 VRRP Settings Menu (/cfg/net/vrrp) Command Syntax and Usage ha y|n This command is used to enable (y) or disable (n) high-availability VRRP. Two iSD hosts must be installed and configured for you to enable HA and apply the setting.
  • Page 337 Table 61 VRRP Settings Menu (/cfg/net/vrrp) (Continued) Command Syntax and Usage gbcast <2-100> This command displays the present Gratuitous Broadcast (gbcast) value and allows you to change it. The gbcast value sets the interval between GARP messages that are sent by the active master to ensure that all end-hosts have the correct MAC address/IP address mapping.
  • Page 338: Routes Menu

    /cfg/net/routes Routes Menu [Routes Menu] list - List all values - Delete a value by number - Add a new value insert - Insert a new value move - Move a value by number The Routes Menu is used to add, delete, or list static routes.
  • Page 339: Gre Tunnel 1 Menu

    /cfg/net/gre <gre_tunnel number> GRE Tunnel 1 Menu [GRE Tunnel 1 Menu] name - Set GRE Tunnel name phyif - Set Physical Interface number remoteaddr - Set Remote IP address host1 - Host 1 tunnel settings...
  • Page 340: Ospf Menu

    Table 63 GRE Settings Menu (/cfg/net/gre) (Continued) Command Syntax and Usage This command disables this GRE tunnel. This command removes this GRE tunnel from the configuration. /cfg/net/ospf OSPF Menu [OSPF Menu]...
  • Page 341 For more information about OSPF, see Chapter 4, “Open Shortest Path First.” Table 64 OSPF Menu (/cfg/net/ospf) Command Syntax and Usage aindex <area index (1-16)> The OSPF Area Index Menu is used for defining OSPF area numbers and parameters.
  • Page 342: Ospf Area Index Menu

    Table 64 OSPF Menu (/cfg/net/ospf) (Continued) Command Syntax and Usage This command globally turns on OSPF. This command globally turns off OSPF. /cfg/net/ospf/aindex <area index> OSPF Area Index Menu [OSPF Area Index 1 Menu]...
  • Page 343: Ospf Interface Menu

    Table 65 OSPF Area Index Menu (/cfg/net/ospf/aindex) (Continued) Command Syntax and Usage This command disables this area. This command deletes this area index from the configuration. /cfg/net/ospf/if <interface number> OSPF Interface Menu...
  • Page 344 – The hello interval (hello), dead interval (dead), transmit interval (trans) and retransmit interval (retra) must be the same on all OSPF routing devices within an area. Using incompatible values could keep adjacencies from forming and could stop or loop routing updates. Table 66 OSPF Interface Menu (/cfg/net/ospf/if)
  • Page 345 Table 66 OSPF Interface Menu (/cfg/net/ospf/if) (Continued) Command Syntax and Usage retra <time interval (1-65535)> This command sets the time interval, in seconds, between each transmission of LSAs to adjacencies on this interface. The default value is five seconds. This value must be the same on all routing devices within the area.
  • Page 346: Ospf Gre Tunnel 1 Menu

    /cfg/net/ospf/gre <tunnel number> OSPF GRE Tunnel 1 Menu [OSPF GRE Tunnel 1 Menu] aindex - Set area index prio - Set interface router priority cost1 - Set Cost for first 5100...
  • Page 347 Table 67 OSPF GRE Tunnel Interface Menu Options (/cfg/net/ospf/gre) Command Syntax and Usage cost1 <output cost (1-65535)> This command sets the cost of output routes on this interface. Cost is used in calculating the shortest path tree throughout the AS.
  • Page 348 Table 67 OSPF GRE Tunnel Interface Menu Options (/cfg/net/ospf/gre) Command Syntax and Usage auth none password This command sets the authentication type for this interface: none turns off OSPF authentication. password turns on plain text password authentication. The password is set using the key option.
  • Page 349: Route Redistribution Menu

    /cfg/net/ospf/redist Route Redistribution Menu [Route Redistribution Menu] connected - Connected Route Redistribution Menu static - Static Route Redistribution Menu defaultgw - Default Gateway Redistribution Menu The Route Redistribution Menu is used to redistribute static and default gateway routes via OSPF.
  • Page 350: Ospf Connected Route Redistribution Menu

    /cfg/net/ospf/redist/connected OSPF Connected Route Redistribution Menu [OSPF Connected Route Redistribution Menu] metric - Set Metric assigned to connected routes rmap - Set OSPF Connected Redistribute RMAP Number - Enable redistribution of connected routes...
  • Page 351: Ospf Static Route Redistribution Menu

    /cfg/net/ospf/redist/static OSPF Static Route Redistribution Menu [OSPF Static Route Redistribution Menu] metric - Set Metric assigned to connected routes rmap - Set OSPF Static Redistribute RMAP Number - Enable redistribution of connected routes - Disable redistribution of connected routes The OSPF Static Route Redistribution Menu is used to redistribute static routes into OSPF.
  • Page 352: Ospf Default Gateway Route Redistribution Menu

    /cfg/net/ospf/redist/defaultgw OSPF Default Gateway Route Redistribution Menu [OSPF Default Gateway Route Redistribution Menu] metric - Set Metric assigned to connected routes - Enable redistribution of connected routes - Disable redistribution of connected routes The OSPF Default Gateway Route Redistribution Menu is used to redistribute default gateway routes into OSPF.
  • Page 353: Proxy Arp Menu

    /cfg/net/parp Proxy Arp Menu [Proxy Arp Menu] list - Proxy ARP List Menu enable - Set Proxy ARP enable/disable The Proxy Arp Menu is used to configure IP addresses that the cluster will ARP for. The feature allows the Switched Firewall to respond to ARP requests intended for devices behind the firewall, including VLAN and VRRP interfaces.
  • Page 354: Proxy Arp List Menu

    /cfg/net/parp/list Proxy Arp List Menu [Proxy ARP List Menu] list - List all values - Delete a value by number - Add a new value The Proxy ARP List Menu is used to add, delete, or list IP addresses which the cluster Proxy ARPs for.
  • Page 355: Dhcp Relay Menu

    /cfg/net/dhcprl DHCP Relay Menu [DHCP Relay Menu] - DHCP Relay Interface Menu server - DHCP Server Menu - Enable DHCP Relay - Disable DHCP Relay clrlocsts - Clear local DHCP Relay stats The DHCP Relay Menu is used to configure DHCP relay commands for .
  • Page 356 /cfg/net/dhcprl/if <number> DHCP Relay Interface <number> Menu [DHCP Relay Interface 1 Menu] - Allow DHCP Relay on Interface - Disable DHCP Relay on Interface The DHCP Relay Interface Menu is used to configure DHCP Relay requests into the network.
  • Page 357 /cfg/net/dhcprl/server <number> DHCP Server <number> Menu [DHCP Server 1 Menu] addr - Set DHCP Server IP address vrrpg - Set Affinity to vrrp group for AA configuration - Enable DHCP Server...
  • Page 358: Firewall License Menu

    /cfg/lic Firewall License Menu [Firewall License Menu] list - List detailed status of current IPs and Licenses - Delete firewall license - Add firewall license pastelic - Paste firewall license The Firewall License Menu is used for pre-configuring Check Point licenses for the Firewall.
  • Page 359: Firewall Configuration Menu

    /cfg/fw Firewall Configuration Menu [Firewall Configuration Menu] - Enable Firewall - Disable Firewall - Reset Check Point SIC. sync - Sync Configuration Menu portal - Portal Configuration Menu client - SMART Clients...
  • Page 360 Table 78 Firewall Configuration Menu (/cfg/fw) (Continued) Command Syntax and Usage portal Smart Portal sets, changes, or adds Smart Portal numbers. Smart Portal communicates with Smart Client through HTTPS on default port 4433.
  • Page 361: Sync Configuration Menu

    /cfg/fw/sync Sync Configuration Menu [Sync Configuration Menu] - Enable Sync - Disable Sync The Sync Configuration Menu is used to enable/disable session state synchronization for clustered Firewalls in a redundant configuration. This allows for a stateful failover to the backup Nortel Firewall when the active Nortel Firewall fails.
  • Page 362: Portal Configuration Menu

    /cfg/fw/portal/ Portal Configuration Menu [Portal Configuration Menu] portno - Set Smart Portal port number Smart portal communicates with the SMART Client through https on default port number 4433. This CLI command is used to change the default port number to any user-defined port number in the range 1024 to 65534.
  • Page 363: Smart Clients Menu

    Table 81 SMART Clients Menu (/cfg/fw/client) Command Syntax and Usage list Displays the list of SMART Clients with access to the Nortel Switched Firewall management server. del <index value> Allows you to delete a specified member from the SMART Clients list.
  • Page 364: Smartupdate Configuration Menu

    SmartUpdate utility. SmartUpdate is an optional module for VPN-1/Firewall-1 that automatically distributes software applications and updates for Check Point and OPSEC Certified products (such as the Nortel Firewall). You can also use SmartUpdate to manage product licenses.
  • Page 365: Boot Menu

    - Reboot the iSD delete - Delete the iSD The Boot Menu is used for upgrading Nortel Switched Firewall software and for rebooting, if necessary. The Boot Menu is only accessible using an administrator login. Table 84 Boot Menu (/boot)
  • Page 366 - Get a new software package via CD-ROM - Remove downloaded (unpacked) releases patch - Software Patches Menu The Software Management Menu is used to load, activate, or remove Nortel Switched Firewall software upgrade packages. Table 85 Software Management Menu (/boot/software) Command Syntax and Usage This command displays the software status of the particular Firewall to which your current Telnet, SSH, or a console terminal is connected.
  • Page 367: Software Patches Menu

    - Download software patch from FTP server uninstall - Remove software upgrade package The Software Patches Menu is used to install or remove small Nortel Switched Firewall software patches (rpm files). Table 86 Software Patches Menu (/boot/software/patch) Command Syntax and Usage This command lists the names of the NSF software patches currently installed.
  • Page 368: The Maintenance Menu

    The Maintenance Menu is used for administering OSPF logs and technical support dumps, loading Firewall policies, and testing the synchronization network between hosts in a cluster. Diagnostics logs or stats can only be done at the request of Nortel Technical Support. Table 87 Maintenance Menu (/maint) Command Syntax and Usage The Firewall Maintenance Menu allows you to load and unload Check Point policy.
  • Page 369: Firewall Maintenance Menu

    Table 87 Maintenance Menu (/maint) (Continued) Command Syntax and Usage cplog This command provides a .tgz file of the Check Point logs. This command allows you to modify the password for the SmartCenter Server. This command works if you have enabled CP SmartCenter Server on the firewall during the initial configuration.
  • Page 370 This command is used to unload the current firewall policies. – Unloading the firewall policies allows all traffic to pass through the Nortel Firewall. Remember to push your firewall policies from the Check Point SmartDashboard after you have re-established trust.
  • Page 371 /maint/tsdump Tech Support Dump Menu [Tech Support Menu] dump - Create a tech support dump - FTP tech support dump to an FTP server - SCP tech support dump to SCP server...
  • Page 372: Backup Menu

    /maint/backup Backup Menu [Backup Menu] local - Backup the system configuration to local folder remote - Backup the system configuration to ftp/tftp/scp/sftp server usbstick - Backup the system configuration to a USB...
  • Page 373: Ospf Debug Menu

    /maint/ospf OSPF Debug Menu [OSPF Debug Menu] events - Set log OSPF generic events - Set log OSPF ISM events - Set log OSPF LSA events - Set log OSPF NSM events...
  • Page 375 Part 3: Appendices Appendix A, Event Logging API Appendix B, Backing Up and Cloning Configurations Appendix C, Common tasks Appendix D, Troubleshooting Appendix E, Software licenses
  • Page 377 For information about configuring and administering OPSEC applications in Check Point, refer to your complete Check Point Firewall-1 NGX documentation. ELA configuration requires steps at both the Check Point SmartCenter Server and at the Nortel Switched Firewall. For each Firewall, you must create a new OPSEC application at the Check Point SmartCenter Server, and initialize Secure Internal Communication (SIC).
  • Page 378: Configure The Check Point Smartcenter Server

    Configure the Check Point SmartCenter Server Open the Check Point SmartDashboard to create an ELA OPSEC application for the Firewall. To create a new OPSEC application, use the following procedure. From the Check Point SmartDashboard main page, do the following (see...
  • Page 379 118): Provide an identifier in the Name field to use when pulling the certificate to the Firewall. Refer to the Nortel Switched Firewall in the Host field. Select User Defined from the Vendor list. Check ELA in the Client Entries list.
  • Page 380 To initialize Secure Internal Communication (SIC), do the following (see Figure 119): Click Communication. Type an Activation Key in the entry field. TIP: Use the Activation Key when you pull the certificate to the Firewall.
  • Page 381 The Install Policy page appears (see Figure 121). Select the object. Click OK. Figure 120 Check Point SmartDashboard—Install Figure 121 Install Policy page – If the Check Point antispoofing feature is not enabled, a warning message appears.
  • Page 382: Configure The Firewall

    315. Log on to the BBI using the host IP address. For more information about the BBI, see Nortel Switched Firewall 5100 Series Release 2.3.3 Browser-Based Interface User’s Guide, Part number 216383-D. Select the Cluster/ELA form and define the general settings (see Figure 122).
  • Page 383 To get the Distinguished Name (DN) of the server, go to the Check Point SmartDashboard and do the following: Double click the SmartCenter Server icon. The Check Point Gateway—General Properties page appears.
  • Page 384: The Check Point Smartview Tracker

    Set the Client SIC Name to match the name specified when creating an OPSEC application in the Check Point SmartDashboard. TIP: Map each host to a unique OPSEC application. In the example, host 10.10.1.1 is set to the OPSEC application “ela1.”...
  • Page 385: Backing Up And Cloning

    Appendix B: Backing Up and Cloning Configurations This appendix describes how to perform cluster backup and cloning on the Nortel Switched Firewall 5100 Series for Release 2.3.3. Overview on page 386 Backing Up and Cloning on page 387 Backing Up a Configuration on page 387...
  • Page 386: Remote Backup

    Overview Remote Backup You can back up the configuration to or from a remote FTP/TFTP/SCP/SFTP server using the CLI interface (/maint/backup/remote). You can restore the configuration from a remote FTP/TFTP/SCP/SFTP server using the clone command from the root login.
  • Page 387: Backing Up And Cloning

    Backing Up and Cloning In this scenario, two NSF 5100 Series Firewalls are configured in a high-availability setup. The Check Point rules are framed, the gateway cluster is formed, and the policies are installed on both Firewalls.
  • Page 388: Troubleshooting For Backup

    Troubleshooting for Backup If the output is Upload failed, check the following scenarios: When using TFTP, a file with the same name as the configuration file should exist on the TFTP server.
  • Page 389 If both Firewalls are not active, disable sync (/cfg/fw/sync/dis/apply), wait two minutes and again enable sync (/cfg/fw/sync/ena/apply). This automatically reboots both Firewalls. After the system is up again, check the sync status with the cphaprob stat command.
  • Page 391 APPENDIX Common tasks This appendix describes procedures for the most common management tasks. Installing a new image from CD-ROM on page 392 Enabling USB support on page 393 Mounting a floppy disk on the Firewall on page 397 Mounting a CD-ROM on the Firewall on page 398 Mounting the USB port on page 399 Tuning Check Point NGX performance on page 400 Reading system memory information on page 402...
  • Page 392: Installing A New Image From Cd-Rom

    Installing a new image from CD-ROM Obtain a Nortel Switched Firewall bootable CD and put it in the Firewall CD-ROM drive. Reboot the Firewall. When prompted, log in as root (no password is necessary).
  • Page 393: Enabling Usb Support

    The USB-based UPS feature requires USB support. This section describes how to enable the USB port in the BIOS for the Nortel Switched Firewall 5109 and 5114 hardware platforms only.
  • Page 394: Enabling The Usb Support In The Bios

    Connect a monitor and a keyboard to your NSF 5100 Series firewall. Refer to the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D) for more information about how to connect a monitor and keyboard to your NSF 5100 Series firewall.
  • Page 395 The Configuration/Setup Utility screen is displayed in Figure 126. Figure 126 Configuration/Setup Utility screen. Select the Devices and I/O Ports option. The Devices and I/O Ports screen is displayed in Figure 127.
  • Page 396 Use the right arrow to toggle the settings and enable the USB port as shown in Figure 128. Figure 128 Devices and I/O Ports—USB Setup. Press <Esc> twice. Pressing the escape key twice exits both the USB Setup Menu and the Configuration/Setup Utility.
  • Page 397 Verify that USB support is enabled in the BIOS; see Verify USB support on the Firewall on page 393. Mounting a floppy disk on the Firewall The following procedure can be used for mounting a floppy disk to read or write files on the Firewall.
  • Page 398: Mounting A Cd-Rom On The Firewall

    Mounting a CD-ROM on the Firewall The following procedure can be used for mounting a CD-ROM to read files on the Firewall. Insert a CD-ROM into the Firewall. Log in as root.
  • Page 399: Mounting The Usb Port

    Mounting the USB port Typically, all uploads and downloads automatically occur on USB ports. When you request an upload or download, the USB port is mounted and dismounted automatically after the file is copied.
  • Page 400: Tuning Check Point Ngx Performance

    Tuning Check Point NGX performance Connection parameters To tune connection parameters, perform the following steps: Right-click the firewall object on the Check Point SmartDashboard. Select Edit. Open the Logs and Masters Capacity Optimization tab.
  • Page 401: Nat Parameters

    The Switched Firewall automatically restarts Firewall-1 services unless you use the /cfg/fw/dis command to disable the unit (re-enable it with /cfg/fw/ena). For that reason, Nortel recommends that you do not use the cpstop/cpstart commands at the management station to disable/enable the firewall.
  • Page 402: Reading System Memory Information

    Re-enable the firewall: >> /cfg/fw/ena Start the SMART Client. Reinstall the policies and download them to the Firewall using the SMART Client. Reading system memory information General Linux memory information: free or vmstat <seconds> or cat /proc/meminfo or top...
  • Page 403 On the Linux host enter the DSA key generate commands: [test@Phantom test]$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/test/.ssh/id_dsa): tkey tkey already exists.
  • Page 404 Create an SSH account on the firewall. Log onto the firewall and enter the user (account) name information: >> Main# /cfg/sys/user/adv/user Enter user name: test Creating SSH User test ------------------------------------------------------------ [SSH User test Menu]...
  • Page 405 Enter the Linux host network and network mask into the firewall access list: >> Main# /cfg/sys/accesslist/add Enter network address: 33.1.1.0 Enter netmask: 255.255.255.0 >> Access List# apply **NOTE** Telnet and Web (HTTP) are enabled.
  • Page 407 APPENDIX Troubleshooting This appendix provides solutions for problems that you may encounter using the Nortel Switched Firewall. Failed to establish trust between SmartCenter Server and Firewall on page 408 Managing licenses on page 409 Re-establishing SIC on page 410 Cannot download policy on Firewall on page 411...
  • Page 408: Failed To Establish Trust Between Smartcenter Server And Firewall

    Failed to establish trust between SmartCenter Server and Firewall In this scenario, the user is unable to establish trust between the SmartCenter Server and the Firewall. – This scenario assumes you are logged into a SmartCenter Server that is installed on a separate workstation.
  • Page 409: Managing Licenses

    Enter the following command to see if the firewall is enabled in the configuration: /cfg/fw/cur (or) /info/host/status The following steps require you to be logged into the firewall as the root user.
  • Page 410: Installing A License On An Nt Workstation

    Where ip_address is the IP address of the license; for example, 172.21.9.200_module.lic Installing a license on an NT workstation Ordinarily, you should use SmartUpdate to maintain licensing on the SmartCenter Server.
  • Page 411: Cannot Download Policy On Firewall

    Establish SIC at the firewall by entering these commands: >> Main # /cfg/fw/sic <Example host IP> Enter the Host IP Address :192.168.1.2 Enter new Check Point SIC Password : Confirm password: This operation may take a while to complete and traffic can be interrupted for 5 minutes.
  • Page 412: Poor Performance With Other Devices

    Poor performance with other devices In this scenario, you see poor performance when using the Nortel Switched Firewall with another network device such as a router. Actions From the Nortel Switched Firewall console, manually configure the link parameters for the port(s) suspected of poor performance.
  • Page 413: Action

    Action Increase the session limit on the management station. Refer to Tuning Check Point NGX performance on page 400. Check Point synchronization Use the Check Point Sync function to enable or disable session state synchronization between clustered firewalls in a redundant configuration.
  • Page 414: Synchronization Status Check Reveals An Interface Is Down

    Synchronization status check reveals an interface is down Scenario: After you complete the previous actions, the synchronization status check reveals the following: Cluster Mode Sync only (OPSEC) Number Unique Address Firewall...
  • Page 415: Vrrp Configuration Tips

    Ping iSD host 1’s virtual router IP address from iSD host 2 (or vice versa). If unsuccessful, troubleshoot cabling and make sure port LEDs for your model are properly lighted. See “Port LED Indicators” in the Nortel Switched Firewall 5100 Series Hardware Installation Guide (216382-D).
  • Page 416: Vrrp: Active Master Backup Fails

    VRRP: active master backup fails In this scenario, the active master fails, but failover doesn’t take place. A likely cause is loss of trust between the firewall and the SmartCenter Server.
  • Page 417: Vrrp: Both Masters Are Active

    VRRP: both masters are active In this scenario, both the master and the backup have assumed the active role. This may be because the firewall policy on the cluster does not permit VRRP multicast packets, which are...
  • Page 418: Configure Mandatory Ip Addresses

    Configure mandatory IP addresses If the following message appears in an active-active high availability scenario: “Interface 1 has 0.0.0.0 address. Configure mandatory IP addresses”, then configure the real IP addresses (addr1 and addr2) in the Interface menu.
  • Page 419 APPENDIX Software licenses The Nortel Switched Firewall includes software which is covered by the following licenses.
  • Page 420: Apache Software Licence

    Apache software licence The Apache Software License, Version 1.1 Copyright (c) 2000 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the...
  • Page 421: Mod_Ssl License

    mod_ssl license LICENSE The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
  • Page 422: Openssl And Ssleay Licenses

    OpenSSL and SSLeay licenses LICENSE ISSUES The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses.
  • Page 423 Original SSLeay license Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape’s SSL.
  • Page 424: Php License

    PHP license The PHP License, version 2.02 Copyright (c) 1999, 2000 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the...
  • Page 425: Smtpclient License

    SMTPclient license LICENSE SMTPclient—simple SMTP client Copyright (C) 1997 Ralf S. Engelschall, All Rights Reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;...
  • Page 426 GNU General Public License GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 427 Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
  • Page 428 The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
  • Page 429 Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
  • Page 430 Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’. This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

This manual is also suitable for: 5111, 5100 Series, 5111-NE1, 5114-NE1, 5106, 5114