Netgate XG-7100-1U Manual

Security gateway
Security Gateway Manual
XG-7100-1U
© Copyright 2020 Rubicon Communications LLC
Aug 21, 2020


Summary of Contents for Netgate XG-7100-1U

  • Page 1 Security Gateway Manual XG-7100-1U © Copyright 2020 Rubicon Communications LLC Aug 21, 2020...
  • Page 2 CONTENTS 1 Out of the Box 2 How-To Guides 3 References...
  • Page 3 This Quick Start Guide covers the first-time connection procedures for the Netgate® XG-7100 1U Firewall Appliance and will provide the information needed to keep the appliance up and running. Tip: Before getting started, we recommend downloading the...
  • Page 4 Netgate appliance. Connect the other end to the network connection on the computer. In order to access the webConfigurator, the PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet with a subnet mask of 255.255.255.0.
  • Page 5 1.1.2 Logging Into the Web Interface Browse to https://192.168.1.1 to access the web interface. In some instances, the browser may respond with a message indicating a problem with website security. Below is a typical example in Google Chrome. If this or a similar message is encountered, it is safe to proceed.
  • Page 6 1.1.3 Wizard Upon successful login, the following is displayed. 1.1.4 Configuring Hostname, Domain Name and DNS Servers 1.1.5 Hostname For Hostname, any desired name can be entered as it does not affect the functionality of the firewall. Assigning a hostname to the firewall will allow the GUI to be accessed by hostname as well as IP address.
  • Page 7 1.1.7 DNS Servers The DNS server fields can be left blank if the DNS Resolver is used in non-forwarding mode, which is the default behavior. The settings may also be left blank if the WAN connection is using DHCP, PPTP or PPPoE types of Internet connections and the ISP automatically assigns DNS server IP addresses.
  • Page 8 This depicts the four possible WAN interface types: Static, DHCP, PPPoE and PPTP. One must be selected from the drop-down list. Selecting Static, PPPoE or PPTP requires further information from the ISP, such as a login name and password or, for static addresses, an IP address, subnet mask and gateway address.
  • Page 9 1.1.14 Configuring DHCP Hostname Some ISPs specifically require a DHCP Hostname entry. Unless the ISP requires the setting, leave it blank. 1.1.15 Configuring PPPoE and PPTP Interfaces Information added in these sections is assigned by the ISP. Configure these settings as directed by the ISP...
  • Page 10 1.1.16 Block Private Networks and Bogons When enabled, all private network traffic originating on the internet is blocked. Private addresses are reserved for use on internal LANs and blocked from outside traffic so these address ranges may be reused by all private networks.
  • Page 11 A static IP address of 192.168.1.1 and a subnet mask (CIDR) of 24 were chosen for this installation. If there are no plans to connect this network to any other network via VPN, the 192.168.1.x default is sufficient.
  • Page 12 1.1.20 Basic Firewall Configured To proceed to the webConfigurator, make the selection as highlighted. The Dashboard display will follow. 1.1.21 Backing Up and Restoring At this point, basic LAN and WAN interface configuration is complete. Before proceeding, back up the firewall configuration.
  • Page 13 Click Download Configuration and save a copy of the firewall configuration. This configuration can be restored from the same screen by choosing the backup file under Restore configuration.
  • Page 14 Warning: If your DSL or Cable Modem has a default IP Address of 192.168.1.1, please disconnect the Ethernet cable from the ETH1 port on your XG-7100 1U Netgate Security Gateway before proceeding. You will need to change the default IP Address of the device during a later step in the configuration.
  • Page 15 1. Click Next to start the Setup Wizard. 2. Click Next after you have read the information on Netgate Global Support. 3. On the General Information page, use the following as a guide to configure the firewall.
  • Page 16 Fig. 3: Click Next Fig. 4: Type in the DNS Server information and Click Next
  • Page 17 Fig. 5: Change the Timezone and Click Next Fig. 6: Default Settings Should be Acceptable. Click Next
  • Page 18 Tip: If your DSL or Cable Modem has a default IP Address of 192.168.1.1, change the IP Address of your XG-7100 1U Netgate Security Gateway to a different subnet, such as 192.168.2.1 with a subnet mask of 24 to avoid an IP Address conflict.
  • Page 19 firewall. Fig. 8: The pfSense Dashboard Section 1 shows important system information such as the model, Serial Number, and Netgate Device ID for this Netgate firewall. Section 2 identifies what version of pfSense software is installed, and if an update is available.
  • Page 20 Click Download configuration as XML and save a copy of the firewall configuration to the computer connected to the Netgate firewall. This backup (or any backup) can be restored from the same screen by choosing the backed up file under Restore Configuration.
  • Page 21 See also: Connecting to the Console Port Connect to the console. Cable is required. Tip: To learn more about getting the most out of your Netgate appliance, sign up for a pfSense Training course or browse our extensive Resource Library.
  • Page 22 1.4 Input and Output Ports 1.4.1 Front Side Networking Ports Interface Name Port Name Port Type Port Speed ETH1 RJ-45 1 Gbps ETH2-ETH8 RJ-45 1 Gbps OPT1 SFP+ 10 Gbps OPT2 SFP+ 10 Gbps RJ-45 Ethernet Ports ETH1-8 are switched ports sharing 5 Gbps (2x 2.5 Gbps) to the Intel SoC.
  • Page 23 Warning: There is an Intel-supplied driver issue for the C3000, preventing 1 Gbps and 10 Gbps copper modules from being recognized on the SFP+ ports. Copper modules are not supported. Compatible SFP/SFP+ Modules Below are some general guidelines for compatible SFP/SFP+ modules: •...
  • Page 24 Optional 4-Port Intel 1 Gbps Expansion Card (Interface Name, Port Name, Port Type, Port Speed): OPT3, igb0, RJ-45, 1 Gbps; OPT4, igb1, RJ-45, 1 Gbps; OPT5, igb2, RJ-45, 1 Gbps; OPT6, igb3, RJ-45, 1 Gbps. Optional 2-Port Intel 1 Gbps Expansion Card...
  • Page 25 Warning: A hard reset of the system could cause data corruption and should be avoided. Halt or reboot the system through the console menu or the webConfigurator to avoid data corruption. 1.4.2 Rear Side Other Ports, Buttons, and Indicators •...
  • Page 26 e) Protective bonding must be installed in accordance with local national wiring rules and regulations. 1.5.3 FCC Compliance Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1.
  • Page 27 Deutsch Die Europäische Richtlinie 2002/96/EC verlangt, dass technische Ausrüstung, die direkt am Gerät und/oder an der Verpackung mit diesem Symbol versehen ist, nicht zusammen mit unsortiertem Gemeindeabfall entsorgt werden darf. Das Symbol weist darauf hin, dass das Produkt von regulärem Haushaltmüll getrennt entsorgt werden sollte. Es liegt in Ihrer Verantwortung, dieses Gerät und andere elektrische und elektronische Geräte über die dafür zuständigen und von...
  • Page 28 1.5.8 Declaration of Conformity Česky [Czech] NETGATE tímto prohlašuje, že tento NETGATE device, je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/ES. Dansk [Danish] Undertegnede NETGATE erklærer herved, at følgende udstyr NETGATE device, overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.
  • Page 29 Alulírott, NETGATE nyilatkozom, hogy a NETGATE device, megfelel a vonatkozó alapvető követelményeknek és az 1999/5/EC irányelv egyéb előírásainak. Íslenska [Icelandic] Hér með lýsir NETGATE yfir því að NETGATE device, er í samræmi við grunnkröfur og aðrar kröfur, sem gerðar eru í tilskipun 1999/5/EC. Italiano [Italian] Con la presente NETGATE dichiara che questo NETGATE device, è...
  • Page 30 Slovensky [Slovak] NETGATE týmto vyhlasuje, že NETGATE device, spĺňa základné požiadavky a všetky príslušné ustanovenia Smernice 1999/5/ES. Svenska [Swedish] Härmed intygar NETGATE att denna NETGATE device, står i överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG.
  • Page 31 Austin, Texas 78728 legal@netgate.com The arbitration will be conducted by the American Arbitration Association (AAA) under its rules. The AAA’s rules are available at www.adr.org. Payment of all filing, administration and arbitrator fees will be governed by the AAA’s rules.
  • Page 32 1.5.13 Limited Warranty DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THE PRODUCTS/SERVICES AND ALL INFORMATION, CONTENT, MATERIALS, PRODUCTS (INCLUDING SOFTWARE) AND OTHER SERVICES INCLUDED ON OR OTHERWISE MADE AVAILABLE TO YOU THROUGH THE PRODUCTS/SERVICES ARE PROVIDED BY US ON AN “AS IS” AND “AS AVAILABLE” BASIS, UNLESS OTHERWISE SPECIFIED IN WRITING.
  • Page 33 CHAPTER TWO HOW-TO GUIDES 2.1 Configuring the Switch Ports See also: For an overview of how the switch ports are set up, see Switch Ports Overview. 2.1.1 Switch Section From the pfSense® webGUI, there is a menu option called Switches under the Interfaces drop-down. This section contains switch-specific configuration options.
  • Page 34 System Fig. 1: Information on the Marvell 6000 switch LAGGs Fig. 2: Information on members of the switch LAG Ports Information on switchport status and port names. If 802.1q is enabled, this section can also be used to specify the native VLAN ID for each port.
  • Page 35 Fig. 3: 802.1q enabled (default) Fig. 4: Port VLAN Mode
  • Page 36 Fig. 5: 802.1q enabled (default) Fig. 6: Port VLAN Mode
  • Page 37 Interface Assignments Under Interface Assignments, notice LAGG0 (UPLINK) is displayed as an available port but is not enabled in the list of interfaces. This is because the default configuration expects only VLAN tagged traffic, so the VLAN child interfaces 4090 and 4091 are enabled instead.
  • Page 38 2.1.3 Switch Configuration Examples Dedicated LAN switch In this scenario, SFP+ port ix0 will be configured as the WAN interface. ETH1-8 will be configured as a LAN switch. For this specific example, I’ll perform the WAN interface reassignment over the console. Re-assigning the WAN can be done from the webGUI as well.
  • Page 39 Input the same default LAN interface of lagg0.4091 for the LAN interface name and press Enter to complete the interface reassignment: The interface assignments should now look like this:
  • Page 40 At this point SFP+ port ix0 is now configured as the WAN interface. The LAN interface is still configured the same as the default. Next, the switch will need to be updated so that ETH1 (previously WAN) acts the same as ETH2-8. This will be done from the webGUI.
  • Page 41 For this example, I simply removed VLAN 4090 from the switch with . Now edit the VLAN 4091 entry to include Member 1 as shown below: Next, update the PVID for ETH1 so that it uses VLAN 4091 rather than the old VLAN 4090. To do this, click on the Ports tab and click on the 4090 Port VID to modify it:
  • Page 42 Then click on Save: At this point, everything should be configured properly. ETH1-8 will act as a single LAN switch. One final step that should be performed is to remove the old VLAN 4090 from pfSense. So far VLAN 4090 was only removed from the switch.
  • Page 43 Two LAN switches In this scenario, the LAN switch from the previous example will be split into two LAN switches. A new LAN network should be created in pfSense first. Similar to the existing LAN interface, another VLAN interface should be used so the switch can segment traffic appropriately.
  • Page 44 Also create any necessary firewall rules under Firewall -> Rules. Now that pfSense knows of this new VLAN network, configure the switch so that ETH1-4 use the new network. To do this, go to Interfaces -> Switches -> VLANs and click the Add Tag button. Input the VLAN tag for the new network (same as the VLAN ID configured in the previous steps) and add ETH1-4 and PORT9-10 (uplinks) as members.
  • Page 45 Once this is done, delete the untagged members 1,2,3,4 from VLAN group 2 and click the Save button. The final result should look like this: Lastly, update the Port VIDs to use the new 4081 VLAN rather than 4091 on ETH1-4 and click Save:...
  • Page 46 Now ETH1-4 act as a switch for the VLAN 4081 LAN and ETH5-8 act as a switch for the VLAN 4091 LAN. Trunking VLAN tagged traffic To expand on the previous example, let’s assume there is a management VLAN of 4000 where devices are already tagged on this VLAN prior to hitting pfSense.
  • Page 47 Untagged traffic on ETH8 will be assigned a VLAN ID of 4091. ETH8 and the uplinks will also accept traffic that has already been tagged with a VLAN ID of 4000. 2.2 Connecting to the Console Port There are times when directly accessing the console is required.
  • Page 48 2.2.2 Connect a USB Cable Next, locate an appropriate USB cable that has a USB Mini-b (5-pin) connector on one end and a regular USB Type A plug on the other end. These cables are commonly used with smaller USB peripherals such as GPS units, cameras, and so on.
  • Page 49 Mac OSX The device associated with the system console is likely to show up as /dev/cu.SLAB_USBtoUART. Linux The device associated with the system console is likely to show up as /dev/ttyUSB0. Look for messages about the device attaching in the system log files or by running dmesg.
  • Page 50 2.2.4 Launch a Terminal Program Use a terminal program to connect to the system console port. Some choices of terminal programs: Windows For Windows it is recommended to run PuTTY or SecureCRT. An example of how to configure PuTTY is below.
  • Page 51 Fig. 7: An example of using PuTTY in Windows.
  • Page 52 Terminal Settings The settings to use within the terminal program are: Speed: 115200 baud, the speed of the BIOS; Data bits: 8; Parity: none; Stop bits: 1; Flow Control: Off or XON/XOFF. Hardware flow control (RTS/CTS) must be disabled.
  • Page 53 firmware by selecting Firmware Access as the General Problem and then select Netgate XG-7100 1U for the platform. Make sure to include the serial number in the ticket to expedite access.
  • Page 54 Note: Options such as the type of disk partition can be modified through this installation if required. 8. The installer will then prompt to choose the type of system being installed, which pre-configures device-specific defaults. Choose the option that exactly matches the unit being reinstalled. If the model is unknown, check the sticker on the bottom of the unit.
  • Page 55 4. Any hardware damage incurred during this procedure is not covered by the hardware warranty. Note: By default, the M.2 SATA drive will be the first drive recognized by the Netgate® device. pfSense® must be reinstalled on the M.2 SATA drive.
  • Page 56 2. Unplug the Power Supply Connector from the system board, being careful not to flex the board. Fig. 9: Power Supply Connector Location Warning: Be sure to pull from the connector, not the wires. 3. Unplug the fans from the system board, being careful not to flex the board.
  • Page 57 Fig. 10: Fan Connector Locations
  • Page 58 Fig. 11: Board Screw Locations
  • Page 59 Fig. 12: M.2 SATA Slot Location
  • Page 60 Fig. 13: M.2 SATA Drive Properly Inserted into the Slot
  • Page 61 7. Push the M.2 SATA drive down until it is parallel with the system board and use the screw to secure the M.2 SATA drive in place. Fig. 14: Secure the M.2 SATA Drive 8. Turn the board over and place it into the chassis. Secure the system board with four (4) board screws.
  • Page 62 Fig. 15: M.2 SATA Drive Installed
  • Page 63 Fig. 16: Proper Placement of the Lid and L-Bracket
  • Page 64 3. Anti-static protection must be used throughout this procedure. 4. Any hardware damage incurred during this procedure is not covered by the hardware warranty. The XG-7100 PCIe Installation Kit from Netgate includes the components pictured below. Fig. 17: Bracket, Screws, Riser, and Extender When installing an optional expansion card, first install the riser and extender using the riser mounting bracket.
  • Page 65 Fig. 18: Lid Screws Fig. 19: Remove the Faceplate
  • Page 66 Fig. 20: The L-Bracket and Screw
  • Page 67 Fig. 21: Remove the L-Bracket and Screw
  • Page 68 2.6 BIOS Flash Procedure 2.6.1 Update via the GUI Warning: This only works with Netgate systems running pfSense® version 2.3 or greater. 1. To install the package, navigate to System > Package Manager > Available Packages. 2. Click the Install button for the package named Netgate_Coreboot_Upgrade.
  • Page 69 Fig. 23: Attach Riser to Bracket
  • Page 70 Fig. 24: Align the Riser to the Connector and Insert
  • Page 71 Fig. 25: Attach the Bracket to the Chassis
  • Page 72 Fig. 26: Line up the Extender with the Riser as shown
  • Page 73 Fig. 27: Extender seated into the Riser
  • Page 74 Fig. 28: Align Expansion Card with Extender
  • Page 75 Fig. 29: Insert Expansion Card
  • Page 76 Fig. 30: Secure the Expansion Card with the L-Bracket
  • Page 77 4. When the installation is complete a message will appear saying: pfSense-pkg-Netgate_Coreboot_Upgrade installation successfully completed 5. Now that the package is installed, navigate to System > Netgate Coreboot Upgrade. 6. This page will show you the latest version of Coreboot available and the current version that is running on the system.
  • Page 78 CHAPTER THREE REFERENCES 3.1 Switch Ports Overview 3.1.1 Interface Links In addition to two SFP+ interfaces, there is also an ethernet switch on the XG-7100. There are eight ethernet ports on this switch that are physically accessible - these interfaces are referred to as ETH1-ETH8. In addition to those 8 ports, there are also three additional ports that operate behind the scenes - PORT 0, PORT 9 (ix2), and PORT 10 (ix3).
  • Page 79 From the operating system's perspective, there are four physical interfaces present: ix0 - 10 Gbps SFP+; ix1 - 10 Gbps SFP+; ix2 - 2.5 Gbps (2500-Base-KX, switch link to SoC/CPU); ix3 - 2.5 Gbps (2500-Base-KX, switch link to SoC/CPU). 3.1.2 High Availability...
  • Page 80 3.1.3 Switch LAGG ix2 and ix3 (switch uplink ports 9 and 10) are configured as a load-balanced LAGG. This provides an aggregate uplink capable of 5 Gbps for ethernet switchports ETH1-8. This is further demonstrated in the diagram below: When data is received on ETH1-8, the switch is capable of utilizing LAGG to determine whether that data should be sent out of PORT 9 or PORT 10.
  • Page 81 VLAN 4090 VLAN 4091 ETH1-8 are configured to act as Access ports. • When data comes into the ETH1 interface, a VLAN tag of 4090 is added to the ethernet frame. • When data comes into interfaces ETH2-8, a VLAN tag of 4091 is added to the ethernet frame.
  • Page 82 3.2 Additional Resources 3.2.1 Netgate Training Netgate training offers training courses for increasing your knowledge of pfSense® products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction;...
  • Page 83 3.2.2 Resource Library To learn more about how to use your Netgate appliance and for other helpful resources, make sure to browse our Resource Library. https://www.netgate.com/resources 3.2.3 Professional Services Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits, network design, and conversion from other firewalls to pfSense software.