Freedom9 freeGuard Blaze 2100 User Manual

Freedom9 freeGuard Blaze 2100 firewall module: user guide
freeGuard Blaze 2100
User Guide
Version 3R2

Summary of Contents for Freedom9 freeGuard Blaze 2100

  • Page 1 Blaze 2100 User Guide Version 3R2...
  • Page 2 COPYRIGHT NOTICE © Copyright 2007 Freedom9 Inc. ALL RIGHTS RESERVED. Under the copyright law, this manual and the software described within cannot be copied in whole or part, without written permission of the manufacturer, except in the normal use of the software to make a backup copy.
  • Page 3: Table Of Contents

    What you must know for Installation 2-1 Installing the freeGuard Blaze 2100 2-2 Connecting the Power 2-2 Connecting the freeGuard Blaze 2100 to Other Network Devices 2-2 Configuring the freeGuard Blaze 2100 2-3 Configuring the Software 2-5 3 Security Zones and Interfaces 3-1...
  • Page 4 RADIUS Backup Server 3-29 Alternate Connection Methods 3-33 PPPoE: Point-to-Point Protocol over Ethernet 3-33 4 System Management 4-1 Using the Console to Manage the freeGuard Blaze 2100 4-1 About Console Cable Requirements 4-2 Accessing the Console 4-2 Re-enabling the Console Interface 4-3...
  • Page 5 Setting the Software as Primary or Secondary 4-9 Saving the Configuration File for Export 4-9 View the Running Configuration 4-10 View the Saved Configuration 4-10 Resetting and Restarting the freeGuard Blaze 2100 4-11 Resetting the Appliance 4-11 Resetting the Software 4-11 Restarting the freeGuard Blaze 2100 4-11...
  • Page 6 Preventing Network Port Attacks 5-5 Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Attacks 5-6 Configuring ICMP Flood Prevention 5-7 Configuring UDP Flood Prevention 5-7 Configuring SYN Flood Prevention 5-7 Configuring FIN Flood Prevention 5-8 Configuring IP Fragment Prevention 5-9...
  • Page 7 TCP Connection 6-16 UDP Group Scalars 6-17 UDP Listener 6-17 SNMP Group 6-17 Transmission Group (DOT3STATs) 6-18 Transmission Group (DOT3COLLISION) 6-19 Configuring SNMP on the Security Appliance 6-19 Enabling SNMP on a Specified Interface 6-20 Configuring the SNMP Community String 6-21 Configuring the SNMP Listener Port 6-21 Configuring the SNMP System Name 6-21 Deleting the SNMP System Name 6-21...
  • Page 8 Replay Protection 7-33 View a VPN Tunnel 7-33 8 Routing 8-1 Static Routes 8-1 Adding Static Routes 8-2 Deleting Static Routes 8-3 Modifying Static Routes 8-3 Setting the Default Route 8-4 Displaying Route Information 8-4 Routing Information Protocol (RIP) 8-6 Configuring RIP 8-7 Enabling and Disabling RIP on Interfaces 8-8 Disable Route Summarization 8-8...
  • Page 9 Configuring Service Objects 9-18 Viewing Predefined Service Objects 9-18 Configuring Custom Service Objects 9-18 Deleting Service Objects 9-19 Modifying Service Objects 9-19 Configuring Service Timeouts 9-20 Configuring Service Groups 9-20 Creating Service Groups 9-21 Deleting Service Groups 9-22 Removing Service Objects from Groups 9-22 Modifying Service Groups 9-22 Adding Comments to Service Groups 9-23 About Schedules 9-23...
  • Page 10 12 PKI and X.509/Digital Certificates 12-1 About Public Key Infrastructure and X.509/Digital Certificates 12-1 PKI Basics 12-2 A typical Digital Certificate 12-3 Self-signed certificate 12-4 CLI Commands 12-4 Generating a Self-Signed Certificate 12-4 Creating a Certificate Request 12-5 Importing a certificate 12-6 Using a Certificate for a VPN tunnel 12-6 A Pre-defined Services A-1 B Glossary B-1...
  • Page 11: Introduction

    Security Appliance has the capability to protect network hosts from wide ranging and high volume attacks meant to take network resources offline. Features available on the freeGuard Blaze 2100 include: • Stateful packet inspection • IPsec VPN •...
  • Page 12: Browser-Based Graphical User Interface (WebGUI) Conventions

    (except for variables, which are always in italic). For example: “Use the get system command to display general information about the freeGuard Blaze 2100.” Variable CLI values are described in Table 1-1: Variable CLI Values Used in This Guide...
  • Page 13: Illustration Conventions

    INTRODUCTION About Document Conventions ILLUSTRATION CONVENTIONS Figure 1-1 shows the graphics used in illustrations in this guide. Figure 1-1: Illustration Conventions Version 3R2 Security Appliance User Guide...
  • Page 15: Getting Started

    Blaze 2100 is connected to the power outlet. <CAUTION> use of the freeGuard Blaze 2100; for optimum environmental requirements for the freeGuard Blaze 2100, refer to the Security Appliance Specifications Guide. <CAUTION> cords, wet or moist floors, and missing safety grounds.
  • Page 16: Connecting The Power

    To connect the power: On the freeGuard Blaze 2100, plug the DC connector end of the power cable into the DC power receptacle on the back of the appliance. Plug the AC adapter end into a surge protected AC power source.
  • Page 17: Configuring The Freeguard Blaze 2100

    Figure 2-1: Connecting the freeGuard Blaze 2100 to other Network Devices CONFIGURING THE FREEGUARD BLAZE 2100 After you supply power to the freeGuard Blaze 2100, use the console interface to initially configure the card. Table 2-1 the freeGuard Blaze 2100.
  • Page 18 Blaze 2100. Connect the other female DB9 connector to a serial interface on a laptop or desktop machine. To access the freeGuard Blaze 2100 console interface, launch a terminal emulation program. [NOTE] emulation program, and is included with most Windows operating systems.
  • Page 19: Configuring The Software

    Configure the freeGuard Blaze 2100 to protect a network like that displayed in connected to the eth0 interface to use the freeGuard Blaze 2100 as their default gateway to the Internet. In this configuration, the eth0 interface is connected to the inside LAN Switch and the eth1 interface is connected to your Internet router.
  • Page 20 GETTING STARTED Installing the freeGuard Blaze 2100 zone trust allows you to manage access control between the zones. Figure 2-2: Network Protection Use the set interface command to assign the zone, IP address and...
  • Page 21 CONFIGURING NETWORK ADDRESS TRANSLATION (NAT) To configure the freeGuard Blaze 2100 to support a large number of...
  • Page 22 GETTING STARTED Installing the freeGuard Blaze 2100 Optional: to verify the default route settings execute the get route summary command: CONFIGURING A POLICY FROM TRUST TO UNTRUST The default policy behavior is to not allow traffic to or from any zone that does not match a policy.
  • Page 23 GETTING STARTED Installing the freeGuard Blaze 2100 (Policy) set policy from trust to untrust any any any permit Version 3R2 Security Appliance User Guide...
  • Page 25: Security Zones And Interfaces

    SECURITY ZONES AND INTERFACES This chapter describes how to configure zones, interfaces, modes of operation and advanced interface settings for the security appliance. This chapter includes the following topics: • Security Zones • Creating and Modifying Custom Security Zones • Configuring Interfaces and Subinterfaces •...
  • Page 26 SECURITY ZONES AND INTERFACES Security Zones added in the DMZ zone: VLAN 200 and 210. The eth1 interface is configured in the untrust zone.
  • Page 27 • DMZ—The DMZ zone is commonly used to segment publicly accessible servers from the local area network (LAN) and WAN. • Global—The global zone is used to apply policies independent of zones. Figure 3-3 and untrust. The trust zone is configured for the LAN and the untrust zone is configured for the WAN.
  • Page 28: Creating And Modifying Custom Security Zones

    SECURITY ZONES AND INTERFACES Creating and Modifying Custom Security Zones CREATING AND MODIFYING CUSTOM.
  • Page 29: Blocking Within A Zone

    Zone Name: Sales [NOTE] zone until you unbind it from the interface. For information about interface commands, refer to BLOCKING WITHIN A ZONE By default, all hosts within a security zone are allowed to communicate with each other. Intrazone blocking disables host-to-host communication within a security zone.
  • Page 30: Viewing Zone Configurations

    SECURITY ZONES AND INTERFACES Creating and Modifying Custom Security Zones Block Intra-Zone Communication VIEWING ZONE CONFIGURATIONS Use the get zone command to display information on all security zones. The following information appears for each zone: •...
  • Page 31: Configuring Interfaces And Subinterfaces

    For every VLAN, a subinterface is configured on the corresponding physical interface of the appliance. Ethernet interfaces on the freeGuard Blaze 2100. Figure 3-6: Ethernet interface locations This section describes the commands used to configure interfaces, bind them to a security zone, and move them between zones.
  • Page 32: Binding Interfaces To A Security Zone

    SECURITY ZONES AND INTERFACES Configuring Interfaces and Subinterfaces EXAMPLE: CONFIGURING THE ETH0 INTERFACE WITH THE IP ADDRESS 10.
  • Page 33: Moving Interfaces Between Security Zones

    Zone Name: Sales MOVING INTERFACES BETWEEN SECURITY ZONES Unbinding an interface removes the interface from the assigned zone and places it into the zone specified in the set interface command. To move an interface from one assigned zone to another, use the set interface command and assign the interface to the new zone.
  • Page 34: Deleting Subinterfaces

    SECURITY ZONES AND INTERFACES Configuring Interfaces and Subinterfaces [NOTE] Once the subinterface is created, use the set interface command to add the subinterface to a zone: EXAMPLE: CONFIGURING A SUBINTERFACE WITH IP ADDRESS AND ZONE...
  • Page 35: Configuring Interface Modes

    GUI EXAMPLE: DELETING THE SUBINTERFACE ETH0.120 Network >...
  • Page 36: Configuring Route Mode

    SECURITY ZONES AND INTERFACES Configuring Interface Modes the egress interface. In this case, the new translated source IP address is 128.196.10.2.
  • Page 37: Viewing Interface Information

    [NOTE] use the set interface (interface name) route. EXAMPLE: CONFIGURE ROUTE MODE Configure route mode on the eth0 and eth1 interfaces of the appliance displayed in GUI EXAMPLE: CONFIGURING ROUTE MODE Network >...
  • Page 38 SECURITY ZONES AND INTERFACES Configuring Interface Modes • IP address/subnet—The IP address and subnet assigned to the interface. •...
  • Page 39: Configuring Transparent Mode

    When the freeGuard Blaze 2100 is configured to run in Transparent mode the device is configured with the same network on both interfaces. In this mode the freeGuard Blaze 2100 functions like a layer 2 switch or bridge. As packets traverse through the firewall they will do so without...
  • Page 40 Internet address. The host then performs an ARP lookup for its default gateway and sends the packet to the router 10.0.0.1. The freeGuard Blaze 2100 inspects the outgoing request and runs the packet through its Policy engine. Due to the permit policy created earlier, this packet will be left intact and allowed out through the eth1 interface of the freeGuard Blaze 2100.
  • Page 41 In addition to configuring the br0 management interface, a default route is required to be configured in order for the freeGuard Blaze 2100 to communicate with hosts that are outside its immediate network subnet. For example, if SNMP or SSH is required from a host that is somewhere on the Internet, the freeGuard Blaze 2100 will need a route configured to the default gateway.
  • Page 42 2100 can be deployed in such environments and be utilized as a VLAN policy enforcer. The freeGuard Blaze 2100 can be placed directly between the VLAN switch/trunk and the external VLAN router, it can then intercept/recognize various VLAN tagged packets and apply zone based policies to these types of traffic.
  • Page 43 VLAN/Zone Table Zone: ManageNet Zone: Engineering Zone: Lab Zone: Sales the freeGuard Blaze 2100 will be in Transparent mode set interface eth0 ip 0.0.0.0/0 set interface eth0 transparent set interface eth0 zone trust set interface eth1 ip 0.0.0.0/0 Configuring Interface Modes...
  • Page 44 SECURITY ZONES AND INTERFACES Configuring Interface Modes Security Appliance User Guide 3-20 set interface eth0 transparent set interface eth1 zone untrust set interface br0.5 ip 10.2.1.1/24 set interface br0.5 zone ManageNet set interface br0.5 manage ssh/ping...
  • Page 45 Ability to bypass/pass MPLS packets This command will allow MPLS packets to traverse the freeGuard Blaze 2100. The default function of the freeGuard Blaze 2100 is to bypass (i.e., drop) such packets. GUI EXAMPLE: PASS MPLS PACKETS IN TRANSPARENT MODE Policy >...
  • Page 46: Advanced Interface Settings

    Ability to bypass/pass non-IP Broadcast/Multicast traffic This command will bypass (i.e., drop) non-IP broadcast and multicast packets. The default behavior of the freeGuard Blaze 2100 is to pass (i.e., allow) such packets. GUI EXAMPLE: PASS NON-IP BROADCAST PACKETS IN TRANSPARENT MODE Check the Non-IP Broadcast option and click Apply.
  • Page 47: Configuring Maximum Transmission Unit (Mtu) Settings

    • Disabling Interface Management • Setting the Interface Speed CONFIGURING MAXIMUM TRANSMISSION UNIT (MTU) SETTINGS The Maximum Transmission Unit (MTU) is the largest IP datagram that can be transferred using a specific link. If a packet exceeds the MTU size set on a specific interface, the network device can fragment the packet or, if permitted, send a Path MTU request to the host in question.
  • Page 48: Configuring Address Resolution Protocol (Arp)

    EXAMPLE: CHANGING THE ETH0 INTERFACE STATE TO “UP” CONFIGURING ADDRESS RESOLUTION PROTOCOL (ARP) The freeGuard Blaze 2100 keeps an active list of all hosts directly connected to any physical or logical interface in its ARP table. This table includes the hosts' IP addresses and Media Access Control (MAC) addresses.
  • Page 49: Enabling Interface Management

    DELETING STATIC ARP ENTRIES Use the unset arp command to remove a static ARP entry: SETTING THE ARP TIMEOUT The default timeout for all ARP entries is 5000 seconds.
  • Page 50: Setting The Interface Speed

    Authentication Using RADIUS SETTING THE INTERFACE SPEED When you configure the freeGuard Blaze 2100, the interface auto-negotiates to 1000Mbps. To set the interface to support 100Mbps or 10Mbps, use the set interface command with the speed option.
  • Page 51: Authentication Using Radius

    completion of user authentication. The following example illustrates the Challenge-Response authentication mode with RADIUS Figure 3-11: RADIUS Challenge Response Message Exchange User tries to establish a VPN Tunnel with the security appliance The security appliance prompts the remote user for a username and password. User provides his username and password to the security appliance.
  • Page 52: Radius Client Attributes

    SECURITY ZONES AND INTERFACES Authentication Using RADIUS User VPN Client acknowledges. RADIUS CLIENT ATTRIBUTES To allow the RADIUS client to interact with the RADIUS server, the proper attributes must be configured on both the RADIUS client and server.
  • Page 53: Radius Backup Server

    CONFIGURING THE RADIUS SHARED SECRET To configure the RADIUS shared secret, use the set auth-server radius command with the secret option.
  • Page 54 SECURITY ZONES AND INTERFACES Authentication Using RADIUS server option if the primary RADIUS server were to fail and become unresponsive.
  • Page 55 Figure 3-12 following attributes: Figure 3-12: Configuring a Primary and Secondary RADIUS Server Auth_name: security Primary RADIUS server IP—10.0.0.250 Secondary RADIUS server IP—10.0.0.251 RADIUS Shared Secret—password RADIUS Timeout—5 RADIUS Port—1850 RADIUS Retry—3 RADIUS SRC-Interface—eth0 To configure the following RADIUS attributes follow these steps: set auth-server security server-name 10.0.0.250 Version 3R2 SECURITY ZONES AND INTERFACES...
  • Page 56 SECURITY ZONES AND INTERFACES Authentication Using RADIUS GUI EXAMPLE: CONFIGURING A PRIMARY AND SECONDARY RADIUS SERVER System >...
  • Page 57: Alternate Connection Methods

    ALTERNATE CONNECTION METHODS PPPoE: POINT-TO-POINT PROTOCOL OVER ETHERNET PPPoE lets Internet Service Providers (ISPs) use their existing RADIUS...
  • Page 58 SECURITY ZONES AND INTERFACES Alternate Connection Methods Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.
  • Page 59 SECURITY ZONES AND INTERFACES Alternate Connection Methods Select Interface: PPPoE Version 3R2 Security Appliance User Guide 3-35...
  • Page 61: System Management

    FREEGUARD BLAZE 2100 You must perform initial configuration of the freeGuard Blaze 2100 using the console interface. After you configure the freeGuard Blaze 2100 for the first time, you can manage it through the console or using a secure shell (SSH).
  • Page 62: About Console Cable Requirements

    Blaze 2100. To access the console: Connect the female 2x5 header of the modem cable to the freeGuard Blaze 2100. Connect the other female DB9 connector to a serial interface on the laptop or desktop machine.
  • Page 63: Re-Enabling The Console Interface

    Version 3R2 Using the Console to Manage the freeGuard Blaze 2100 If you log into the freeGuard Blaze 2100 for the first time, use Information for long commands might display incorrectly if the unset console disable...
  • Page 64: Setting The Console Timeout

    SYSTEM MANAGEMENT Using SSH to Manage the freeGuard Blaze 2100 EXAMPLE: SETTING THE CONSOLE PAGE DISPLAY TO 50...
  • Page 65: Enabling Ssh On A Specific Interface

    To view users who log in using SSH or to view the host key currently used for SSH, use the get ssh command: Version 3R2 Using SSH to Manage the freeGuard Blaze 2100 set ssh enabled interface {interface name} set interface eth0 manage ssh save set ssh enabled interface eth0.100...
  • Page 66: Managing Users For The Freeguard Blaze 2100

    BLAZE 2100 The freeGuard Blaze 2100 has a single global administrator account with the user name “admin.” This account has the following administrative privileges: •...
  • Page 67: About Additional Types Of Users

    FREEGUARD BLAZE 2100 Before you upgrade the freeGuard Blaze 2100 software, make sure that you have the following: •...
  • Page 68: Storing Software Image Files In Flash Memory

    • You saved the newest software image to the TFTP server. STORING SOFTWARE IMAGE FILES IN FLASH MEMORY The freeGuard Blaze 2100 can store the following software image files in flash memory: • New software image •...
  • Page 69: Saving Mos Software To Flash Memory Using Tftp

    GUI EXAMPLE: SAVING THE CONFIGURATION FILE FOR EXPORT System > Configuration Type the TFTP Server Address Version 3R2 Managing Software for the freeGuard Blaze 2100 save software from tftp ip_addr filename mos {pri | sec} save software from tftp ip_addr filename...
  • Page 70: View The Running Configuration

    SYSTEM MANAGEMENT Managing Software for the freeGuard Blaze 2100 Type the File Name Select the save configuration button EXAMPLE: SAVING THE CONFIGURATION FILE FOR EXPORT The following example saves the configuration file to a server at IP address 192.168.0.3 from the eth0 interface with the filename...
  • Page 71: Resetting And Restarting The Freeguard Blaze 2100

    You can use one of the following methods to reset the appliance to its default configuration: • If you have management access to the freeGuard Blaze 2100, use the unset all command to reset the appliance back to factory defaults.
  • Page 72: Additional System Management Tasks

    ADDITIONAL SYSTEM MANAGEMENT TASKS This section describes the additional system management options available through the freeGuard Blaze 2100 management interface. This section includes the following topics: •...
  • Page 73 SYSTEM MANAGEMENT Additional System Management Tasks get system get system ++ system information --------------------- -- build version ... vf2112v2r1b17 -- build date ... Tue May 16 18:29:03 UTC 2006 -- system uptime ...
  • Page 74 SYSTEM MANAGEMENT Additional System Management Tasks -- test copper ext-loopback .. passed GUI EXAMPLE: VIEWING SYSTEM INFORMATION System >...
  • Page 75: Deleting Aliases

    To view a previously created alias, use the get alias command: CONFIGURING DOMAIN NAMES To configure the freeGuard Blaze 2100 to respond to a specifically configured domain, use the set domain command: EXAMPLE: CONFIGURING THE DOMAIN NAME MTAPPLIANCE GUI EXAMPLE: CONFIGURING THE DOMAIN NAME MTAPPLIANCE Network >...
  • Page 76: Configuring Host Names

    Using Network Time Protocol (NTP) CONFIGURING HOST NAMES To configure a host name on the freeGuard Blaze 2100, use the set host command: EXAMPLE: CONFIGURING THE HOST NAME MTTAPPLIANCE GUI EXAMPLE: CONFIGURING THE HOST NAME MTAPPLIANCE Network >...
  • Page 77: Configuring Ntp Settings

    CONFIGURING THE NTP UPDATE INTERVAL The freeGuard Blaze 2100 performs an NTP update at regular intervals to check the current date and time. The default NTP interval is 60 minutes. To configure the NTP update interval, use the set ntp server command.
  • Page 78: Deleting Ntp Server Ip Entries

    To initiate a manual NTP update, use the exec ntp command: MAINTAINING CLOCK SETTINGS WITH NTP Use the set clock command to ensure that the freeGuard Blaze 2100 is configured with the correct date and time: Use NTP for updates to the clock.
  • Page 79: Configuring The Clock To Use Ntp

    USING DOMAIN NAME SERVICE (DNS) The Domain Name Service (DNS) host IP address allows the freeGuard Blaze 2100 to resolve or match domain names to IP addresses. You must specify a DNS host in order to resolve domain names to IP addresses.
  • Page 80: Deleting Dns Host Ip Addresses

    SYSTEM MANAGEMENT Using Domain Name Service (DNS) EXAMPLE: SETTING THE PRIMARY DNS HOST IP ADDRESS AS 206.
  • Page 81: Displaying Current Dns Host Settings

    DISPLAYING CURRENT DNS HOST SETTINGS To display the current DNS host IP settings, use the get dns command: USING PING To test connectivity to other hosts connected to the freeGuard Blaze 2100 for Internet connectivity, use the ping command:...
  • Page 83: Attack Detection And Prevention

    This chapter describes different types of denial of service (DoS) and distributed denial of service (DDoS) attacks that can affect the freeGuard Blaze 2100. It also describes how you can prevent such attacks and how to configure attack prevention options. This chapter includes the following topics: •...
  • Page 84: Attack Stages

    ATTACK DETECTION AND PREVENTION Attack Stages • To gain control of the firewall access control list.
  • Page 85 Table 5-1 attacks that the security appliance can detect and defend against. Table 5-1: Network and operating system-specific attacks Attack Name Back Orifice Attack Inikiller Attack IP Spoof ICMP Router Discovery Protocol (IRDP) Netbus Attack NetSpy Attack Senna Spy Attack Striker Attack Sub Seven Attack: Port Scan...
  • Page 86: About Denial Of Service (Dos And Ddos) Attacks

    ATTACK DETECTION AND PREVENTION About Denial of Service (DoS and DDoS) Attacks ABOUT DENIAL OF SERVICE (DOS AND.
  • Page 87: Preventing Network Port Attacks

    PREVENTING NETWORK PORT ATTACKS Using the global zone, you can configure the security appliance with additional port attack prevention that will be enabled or disabled on the...
  • Page 88 ATTACK DETECTION AND PREVENTION Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Check All...
  • Page 89: Configuring The Freeguard Blaze 2100 To Defend Against Dos And Ddos Attacks

    Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Attacks CONFIGURING ICMP FLOOD PREVENTION To configure the rate limit for ICMP traffic for a specific zone, use the set zone command with the icmp-flood attack-threshold option. This enables you to set limits (per second) on the number of ICMP packets allowed through that zone to a specific host.
  • Page 90: Configuring Fin Flood Prevention

    ATTACK DETECTION AND PREVENTION Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Use the set zone command with the syn-flood attack threshold...
  • Page 91: Configuring Ip Fragment Prevention

    Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Attacks CONFIGURING IP FRAGMENT PREVENTION To limit the number of fragmented IP packets a specific interface can receive per second, use the set zone command with the ip-frag...
  • Page 92: Additional Attack Detection And Prevention

    ATTACK DETECTION AND PREVENTION Additional Attack Detection and Prevention ADDITIONAL ATTACK DETECTION AND.
  • Page 93: Viewing Attack Settings

    GUI EXAMPLE: VIEWING ATTACK SETTINGS ON UNTRUST ZONE Network >...
  • Page 95: Logging

    LOGGING This chapter describes the options available for event logging, storing and receiving logs, and Simple Network Management Protocol (SNMP). • Logging • Logging Levels • Log Modules • Traffic and Event Log Management • Log Module Settings • Admin Mail Server •...
  • Page 96 LOGGING Log Modules behavior and attacks. The security appliance uses the categories listed below to categorize the different events: • Information Messages—Information messages regarding the general operation of the security appliance. • Notification Messages—Messages related to normal events, including administration changes.
  • Page 97 • RIP • SNMP • DoS • IP • RIP • FUB • SRMMGR TRAFFIC AND EVENT LOG MANAGEMENT To get log information from the security appliance, at least one destination must be specified.
  • Page 98 LOGGING Log Module Settings GUI EXAMPLE: SET THE LOG MODULE FOR ARP USING THE LOG LEVEL ALL WITH A DESTINATION OF THE CONSOLE.
  • Page 99: Log Module Settings

    VIEWING THE TRAFFIC AND EVENT LOG The security appliance has maximum storage of 2Mb for event logging. In the event that the 2Mb limit is reached, the security appliance will overwrite the oldest event logs and replace them with newer events. All messages logged will include date and time.
  • Page 100: Admin Mail Server

    LOGGING Admin Mail Server [NOTE] erased if the appliance is powered down or rebooted. You should configure a syslog server to collect all logs. GUI EXAMPLE: VIEW THE TRAFFIC AND EVENT LOGS Reports >...
  • Page 101: Deleting The Admin Mail Server

    GUI EXAMPLE: SENDING E-MAIL MESSAGES TO THE ADMINISTRATOR OF THE SECURITY APPLIANCE USING THE SMTP SERVER IP 10.
  • Page 102: Deleting The Syslog Host Ip Address

    LOGGING Syslog Management EXAMPLE: CONFIGURE BOTH TRAFFIC AND EVENT MESSAGES TO BE SENT USING SYSLOG TO A SERVER AT IP ADDRESS 10.
  • Page 103: Syslog Message Format

    SYSLOG MESSAGE FORMAT When the security appliance generates and sends syslog messages for delivery to the syslog server, the format for the messages is standard. SYSLOG MESSAGE SAMPLE: Table 6-1 Table 6-1: Syslog Message Format Field Example Jun 02 12:13:54...
  • Page 104: Snmp Mib Groups

    LOGGING SNMP MIB Groups Table 6-1: Syslog Message Format Field Example src=64.62.250.2:0 dst=64.79.127.67:0 packet dropped due to policy deny SNMP MIB GROUPS Simple Network Management Protocol (SNMP) is a protocol used by network management systems for monitoring network attached devices...
  • Page 105 SYSTEM GROUP Table 6-2 Table 6-2: System Group Object Name sysDescr sysObjectID sysUpTime sysContact sysName sysLocation INTERFACE GROUP Table 6-3 Table 6-3: Interface Group ifNumber ifTableLastChange ADDRESS TRANSLATION GROUP Table 6-4 Table 6-4: Address Translation Group Object Name atIfIndex atPhysAddress atNetAddress...
  • Page 106: Ipaddress

    LOGGING SNMP MIB Groups IP GROUP Table 6-5 Table 6-5: IP Group Object Name ipForwarding ipDefaultTTL ipInReceives ipInHdrErrors ipInAddrErrors ipForwDatagrams ipInUnknownProtos ipInDiscards ipInDelivers ipOutRequests ipOutDiscards ipOutNoRoutes ipReasmTimeout ipReasmReqds ipReasmOKs ipReasmFails ipFragOKs ipFragFails ipFragCreates IP ADDRESS Table 6-6...
  • Page 107: Ip Route

    Table 6-6: IP Address Table ipAdEntIfIndex ipAdEntNetMask ipAdEntBcastAddr ipAdEntReasmMaxSize IP ROUTE Table 6-7 Table 6-7: IP Route Table ipRouteDest ipRouteIfIndex ipRouteMetric1 ipRouteMetric2 ipRouteMetric3 ipRouteMetric4 ipRouteNextHop ipRouteType ipRouteProto ipRouteAge ipRouteMask ipRouteMetric5 ipRouteInfo Version 3R2 Object Name Value Type INTEGER IpAddress INTEGER...
  • Page 108: Ip Net To Media

    LOGGING SNMP MIB Groups IP NET TO MEDIA Table 6-8 Table 6-8: IP Net to Media Table ipNetToMediaIfIndex ipNetToMediaPhysAddress ipNetToMediaNetAddress ipNetToMediaType Security Appliance User Guide 6-14 shows the IP Net to Media Table Object Name Value Type INTEGER...
  • Page 109: Icmp Group Scalars

    ICMP GROUP SCALARS Table 6-9 Table 6-9: ICMP Group Scalars icmpInMsgs icmpInErrors icmpInDestUnreachs icmpInTimeExcds icmpInParmProbs icmpInSrcQuenchs icmpInRedirects icmpInEchos icmpInEchoReps icmpInTimestamps icmpInTimestampReps icmpInAddrMasks icmpInAddrMaskReps icmpOutMsgs icmpOutErrors icmpOutDestUnreachs icmpOutTimeExcds icmpOutParmProbs icmpOutSrcQuenchs icmpOutRedirects icmpOutEchos icmpOutEchoReps icmpOutTimestamps icmpOutTimestampReps icmpOutAddrMasks icmpOutAddrMaskReps Version 3R2 shows the ICMP Group Scalars Table Object Name Value Type...
  • Page 110: Tcp Group Scalars

    TCP GROUP SCALARS Table 6-10 Table 6-10: TCP Group Scalars tcpRtoAlgorithm tcpRtoMin tcpRtoMax tcpMaxConn tcpActiveOpens tcpPassiveOpens tcpAttemptFails tcpEstabResets tcpCurrEstab tcpInSegs tcpOutSegs tcpRetransSegs tcpInErrs tcpOutRsts TCP CONNECTION Table 6-11 Table 6-11: TCP Connection Table tcpConnState tcpConnLocalAddress tcpConnLocalPort...
  • Page 111: Udp Group Scalars

    UDP GROUP SCALARS Table 6-12 Table 6-12: UDP Scalars Table udpInDatagrams udpNoPorts udpInErrors udpOutDatagrams UDP LISTENER Table 6-13 Table 6-13: UDP Listener Table udpLocalAddress udpLocalPort SNMP GROUP Table 6-14 Table 6-14: SNMP Group Table snmpInPkts snmpOutPkts snmpInBadVersions snmpInBadCommunityNames snmpInBadCommunityUses snmpInASNParseErrs snmpInTooBigs snmpInNoSuchNames...
  • Page 112: Transmission Group (Dot3Stats)

    Table 6-14: SNMP Group Table (Continued) snmpInBadValues snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars snmpInTotalSetVars snmpInGetRequests snmpInGetNexts snmpInSetRequests snmpInGetResponses snmpInTraps snmpOutTooBigs snmpOutNoSuchNames snmpOutBadValues snmpOutGenErrs snmpOutGetRequests snmpOutGetNexts snmpOutSetRequests snmpOutGetResponses snmpOutTraps snmpEnableAuthenTraps snmpSilentDrops snmpProxyDrops TRANSMISSION GROUP (DOT3STATS) Table 6-15 Table 6-15: Transmission Group (DOT3STATS Table) dot3StatsIndex...
  • Page 113: Transmission Group (Dot3Collision)

    Table 6-15: Transmission Group (DOT3STATS Table) dot3StatsFCSErrors dot3StatsSingleCollisionFrames dot3StatsMultipleCollisionFrames dot3StatsSQETestErrors dot3StatsDeferredTransmissions dot3StatsLateCollisions dot3StatsExcessiveCollisions dot3StatsInternalMacTransmitErrors dot3StatsCarrierSenseErrors dot3StatsIndex dot3StatsAlignmentErrors TRANSMISSION GROUP (DOT3COLLISION) Table 6-16 Table 6-16: Transmission Group (DOT3COLLISION Table) dot3CollCount dot3CollFrequencies CONFIGURING SNMP ON THE SECURITY
  • Page 114: Enabling Snmp On A Specified Interface

    LOGGING Configuring SNMP on the Security Appliance • System Name—Allows the administrator to set the SNMP system name. • System Location—Sets the security appliance system location. • System Contact—Sets the SNMP system contact. GUI EXAMPLE: CONFIGURE SNMP SETTINGS Logging >...
  • Page 115: Configuring The Snmp Community String

    Manage option: SNMP EXAMPLE: TO DISABLE SNMP ON THE ETH0 INTERFACE GUI EXAMPLE: TO DISABLE SNMP ON THE ETH0 INTERFACE Network >...
  • Page 116: Deleting The Snmp Location

    DELETING THE SNMP LOCATION To delete the SNMP location, use the unset snmp location command. CONFIGURING THE SNMP SYSTEM CONTACT To configure the SNMP system contact, use the set snmp contact command and specify the security appliance system contact.
  • Page 117: View The Snmp Statistics

    VIEW THE SNMP STATISTICS To view the SNMP statistics, use the get snmp command with the statistics option. This displays the current SNMP statistics. cli-> get snmp statistics In pkts Out pkts In bad versions...
  • Page 118: Viewing The Interface Statistics

    GUI EXAMPLE: VIEW THE SNMP STATISTICS Logging >...
  • Page 119 in reassembled pkts 0 | in fragment timeout 0 in short frames 0 | in crc errors 0 in dropped vlans 0 | in arp pkts 157 in icmp pkts 0 | in tcp pkts 1450 in udp pkts 0 | in vlan pkts 0 in gre pkts 0 | in esp pass-thru pkts 0...
  • Page 120 GUI EXAMPLE: VIEW THE INTERFACE STATISTICS FOR THE ETH0 INTERFACE Reports >...
  • Page 121: Virtual Private Networks

    VIRTUAL PRIVATE NETWORKS This chapter describes the different modes and configuration options available for a virtual private network (VPN). This chapter includes the following topics: • Virtual Private Networks • Configuring Manual Key VPN Implementations • Configuring Internet Key Exchange • Advanced VPN Configuration Options
  • Page 122: About Ip Security (Ipsec)

    VIRTUAL PRIVATE NETWORKS Virtual Private Networks Figure 7-1: VPN Connectivity ABOUT IP SECURITY (IPSEC) IPsec is a suite of protocols developed by the Internet Engineering Task Force (IETF) to enable secure exchange at the IP level.
  • Page 123 Figure 7-2: VPNs Using Transport Mode TUNNEL MODE In tunnel mode (refer to Figure 7-3), all data is encrypted including the...
  • Page 124 Figure 7-3: Using Tunnel Mode The AH protocol provides data integrity, authentication, and anti-replay protection. The AH protocol uses a secret key and a hash function—either Message Digest (MD5) or Secure Hash Algorithm-1 (SHA-1)—to authenticate the packet with a checksum calculation or hash-based message authentication code (HMAC).
  • Page 125: The Diffie-Hellman Group

    or MD5 provides authentication. Use the following encryption algorithms to encrypt: • Data Encryption Standard (DES)—Uses either a 40- or 56-bit encryption algorithm. • Triple DES (3DES)—Uses a more powerful version of DES encryption. Encrypts the data in three rounds with a 168-bit key. •...
  • Page 126: Site-To-Site Vpn Requirements

    VPN functionality. Figure 7-4: Site-to-Site VPN Creating a VPN tunnel between multiple freeGuard Blaze 2100 appliances requires the following configuration: • The static IP address is assigned to the eth1 interface on each of the appliances.
  • Page 127: Configuring Manual Key Vpn Implementations

    CONFIGURING MANUAL KEY VPN IMPLEMENTATIONS In a manual key implementation, the VPN tunnel is configured with a static set of encryption keys and authentication keys.
  • Page 128: Creating Security Policy With The Vpn Tunnels

    Parameter Authentication Key—Hexadecimal value (32 characters in length). The local network attached to the freeGuard Blaze 2100. Network to which the VPN tunnel will terminate. set policy top name {name_str} from {zone} to {zone} {remote network} {local network} {service} tunnel vpn {name_str} explains these parameters in this command.
  • Page 129 Table 7-3: Policy Requirements for Manual Key VPN (Continued) {service} tunnel vpn {name_str} [NOTE] policy that allows encryption and decryption on ingress traffic and another policy that allows encryption and decryption on egress traffic. Figure 7-5: Example of Manual Key VPN Table 7-4: Example of Encryption and Authentication Settings Manual Key Encryption...
  • Page 130 Configuring Manual Key VPN Implementations • Create address objects for the local and remote end points. • Define the remote gateway and SPI to be used, refer to •...
  • Page 131 GUI EXAMPLE: MANUAL KEY VPN IMPLEMENTATION, NEW YORK OFFICE Interfaces Network >...
  • Page 132 VPN > Manual Key Edit Enter the following, then click Apply: Tunnel Name: to_sanfrancisco Gateway IP: 4.4.4.1 Outgoing interface: eth1 Local SPI: 1230...
  • Page 133 Source Zone: Trust Destination Zone: Untrust Source Address: NYO Destination Address: San Francisco Service: Any Tunnel VPN From: SF Policy > Configuration Edit: Enter the following, then click Apply: Enable Policy Location: Top Action: Tunnel Source Zone: Untrust Destination Zone: Trust Source Address: San Francisco Destination Address: NYO Service: Any...
  • Page 134 Routing Policies: GUI EXAMPLE: MANUAL KEY VPN IMPLEMENTATION, SAN FRANCISCO OFFICE Interfaces Network >...
  • Page 135 IP Address/Netmask: 10.0.0.0/24 Zone: Trust Objects > Address Objects > Add Object Enter the following, then click Apply: Name: New York IP Address/Netmask: 192.168.100.0/24 Zone: Untrust VPN > Manual Key Edit Enter the following, then click Apply: Tunnel Name: to_newyork Gateway IP: 4.4.4.1 Outgoing interface: eth1 Local SPI: 1230...
  • Page 136: Deleting Manual Key Vpn Tunnels

    Policies Policy > Configuration Edit Enter the following, then click Apply: Enable Policy Location: Top Action: Tunnel Source Zone: Trust...
  • Page 137: Modifying Manual Key Vpn Tunnels

    MODIFYING MANUAL KEY VPN TUNNELS To modify a manual key VPN tunnel, first delete the tunnel using the unset vpn command and then add the tunnel again with the appropriate changes using the set vpn command. EXAMPLE: MODIFYING A MANUAL KEY VPN TUNNEL Use the unset vpn command to change the name of the VPN tunnel previously created on an appliance from to_newyork to sales_office:
  • Page 138 Configuring Internet Key Exchange Table 7-5 Table 7-5: Required Phase 1 and Phase 2 IKE Proposal Settings Tunnel Name IPSec Gateway Pre-Shared Secret...
  • Page 139: Configuring An Ike Tunnel Using A Pre-Shared Secret

    Figure 7-6 Figure 7-6: IKE VPN Using a Pre-Shared Secret Table 7-6 Table 7-6: IKE Encryption and Authentication Settings Parameter Encryption Authentication DH Group SA Lifetime Pre-shared Secret CONFIGURING AN IKE TUNNEL USING A PRE-SHARED SECRET Setting up a VPN tunnel using IKE requires the following steps: •...
  • Page 140 • Create policies to allow traffic to ingress and egress through the newly created VPN tunnel. EXAMPLE: NEW YORK OFFICE USING IKE Interfaces Addresses...
  • Page 141 Routing Policies GUI EXAMPLE: NEW YORK OFFICE USING IKE Interfaces Network > Interface > Edit (for ethernet0) Enter the following, then click Apply: Zone Name: Trust IP Address/Netmask: 192.168.100.1/24...
  • Page 142 Objects > Address Objects > Add Object: Enter the following, then click Apply: Name: sf_destination IP Address/Netmask: 10.0.0.0/24 Zone: Untrust VPN >...
  • Page 143 Enter the following, then click Apply: Network Address: 0.0.0.0 Netmask: 0 Interface: eth1 Gateway: 162.198.10.254 Policies Policy > Configuration Edit Enter the following, then click Apply: Enable Policy Location: Top Action: Tunnel Source Zone: Trust Destination Zone: Untrust Source Address: ny_local Destination Address: sf_destination Service: Any Tunnel VPN From: SF...
  • Page 144 Tunnel VPN From: SF EXAMPLE: SAN FRANCISCO OFFICE USING IKE Interfaces Addresses Routing...
  • Page 145 GUI EXAMPLE: SAN FRANCISCO OFFICE USING IKE Interfaces Network > Interface > Edit (for ethernet0) Enter the following, then click Apply: Zone Name: Trust IP Address/Netmask: 10.0.0.0/24...
  • Page 146 VPN > Phase 1 Proposal Edit Enter the following, then click Apply: Name: encryptaesp1 Authentication Method: PSK DH Group: Group-5 Encryption Algorithm: aes-128...
  • Page 147 Policies Policy > Configuration Edit Enter the following, then click Apply: Enable Policy Location: Top Action: Tunnel Source Zone: Trust Destination Zone: Untrust Source Address: sf_local Destination Address: ny_destination Service: Any Tunnel VPN From: SF Policy > Configuration Edit Enter the following, then click Apply: Enable Policy Location: Top Action: Tunnel...
  • Page 148 MODIFYING AN IKE VPN TUNNEL To modify an IKE VPN tunnel, you must first delete the tunnel information and then re-add the tunnel with the appropriate changes.
  • Page 149: Transparent Mode Vpn Deployment

    TRANSPARENT MODE VPN DEPLOYMENT [NOTE] Transparent Mode on page 3 - Figure 7-7 transparent mode. Figure 7-7: VPN in Transparent Mode (figure labels: 10.0.0.0/24, Eth0: 0.0.0.0, Eth1: 0.0.0.0/0, VF4000, Management IP, Workstation A IP 10.0.0.110, 10 0 0 250) Figure 7-7 also terminate VPN between two sites. Configuration Elements Trust Zone Untrust Zone...
  • Page 150 Configuration Elements External Router IP Default Route CONFIGURATION OF VF A VF4000 A...
  • Page 151 CONFIGURATION OF VF B set interface br0 ip 172.16.10.100/24 set interface br0 zone untrust...
  • Page 152 Advanced VPN Configuration Options ADVANCED VPN CONFIGURATION OPTIONS Some advanced options are available, but they are not always required to be configured for each tunnel.
  • Page 153: Advanced Vpn Configuration Options

    [NOTE] REPLAY PROTECTION Replay protection allows the freeGuard Blaze 2100 to check the sequence numbers of the VPN packets to determine whether a packet has already been received. If the packet does not fit into a specific number sequence, the packet will be dropped.
  • Page 154 VIEW IKE GATEWAY Using the get ike gateway command, you can view the current IKE information, including current id, gateway name, gateway id, mode, and proposal information.
  • Page 155: Routing

    ROUTING This chapter describes the routing options available for configuration on the security appliance. This chapter includes the following topics: • Static Routes • Setting the Default Route • Displaying Route Information • Routing Information Protocol (RIP) • Configuring RIP •...
  • Page 156 ROUTING Static Routes 10.0.100.0/24 network. The static route identifies 10.0.0.100 as the gateway address for all traffic going to the 10.0.100.0/24 network. Figure 8-1: Using a Static Route ADDING STATIC ROUTES Use the set route command with the gateway and interface options to add a static route: EXAMPLE: ADDING A STATIC ROUTE In the network described in...
  • Page 157 Interface: eth0 Gateway: 10.0.0.100 DELETING STATIC ROUTES Use the unset route command to delete a static route: MODIFYING STATIC ROUTES To modify an existing static route, first delete the route and then add a new route entry with the desired route changes. EXAMPLE: MODIFYING A STATIC ROUTE Modify the gateway on a previously created static route from 10.0.0.100 to 10.0.0.20:...
  • Page 158 SETTING THE DEFAULT ROUTE If a specific route for traffic is unknown to a server or a routing table, the default route forwards all traffic to the default interface you define.
  • Page 159 Figure 8-2 the get route command. Figure 8-2: Get Route Command Output get route Dest-Routes for <> ----------------------------------------------------------------------------- C - Connected S - Static A - Auto-Exported I - Imported R - RIP P - Permanent iB - IBGP eB - EBGP O - OSPF E1 - OSPF external type 1 E2 - OSPF external type 2 ----------------------------------------------------------------------------- -----------------------------------------------------------------------------...
  • Page 160 R O U T I N G Routing Information Protocol (RIP) Figure 8-3 the get route command with the ip_addr option. Figure 8-3: Get Route Command with ip_addr option Output get route 192.168.65.0/24 Dest-Routes for <> ----------------------------------------------------------------------------- C - Connected S - Static A - Auto-Exported I - Imported R - RIP P - Permanent iB - IBGP eB - EBGP O - OSPF E1 - OSPF external type 1 E2 - OSPF external type 2 -----------------------------------------------------------------------------...
  • Page 161 By default, RIP is disabled. Virtual Router (VR) is currently not supported; thus there is only one instance of RIP running at one time on a freeGuard Blaze 2100. This section describes the following basic steps to configure RIP on a freeGuard Blaze 2100: •...
  • Page 162 ENABLING AND DISABLING RIP ON INTERFACES By default, RIP is disabled on all interfaces, and you must explicitly enable it on an interface.
  • Page 163 RIP Version 2 packets, you can enable RIP authentication on an interface. The freeGuard Blaze 2100 VPN/Firewall supports two modes of authentication on an interface for which RIP authentication is enabled: plain text authentication and MD5 authentication. The default authentication in every RIP Version 2 packet is none.
  • Page 164 ROUTING Accepting Packets with Non-Zero Reserved Fields nonzero values in the fields that must be zero. This default behavior implements the RIP v1/v2 specifications.
  • Page 165: Policy Configuration

    The source zone, destination zone, and order of a policy within the database are important. The freeGuard Blaze 2100 software assigns each policy an ID number which numerically orders all policies in ascending order.
  • Page 166: About Security Policy Types

    POLICY CONFIGURATION About Security Policies If the source and destination zones are the same, then the CARD2-G software searches intrazone policies first. If there is no match, then the software searches global policies.
  • Page 167 If Server B initiates an HTTP connection, the appliance drops the packet, since no configured policy allows any HTTP requests from the untrust zone to the trust zone. Figure 9-2: Interzone Policy CONFIGURING INTRAZONE POLICIES Intrazone policies control traffic to and from all hosts within the same zone.
  • Page 168 Configuring Policies [NOTE] among hosts on a zone is allowed. Figure 9-3: Intrazone Policy CONFIGURING GLOBAL POLICIES Global policies are not assigned to a specific zone and either allow or deny packets to all zones.
  • Page 169: Configuring Policies

    • Reordering Policies • Disabling Policies • Re-enabling Policies • Deleting Policies • Viewing Policies CREATING POLICIES The service type, location of end points, and policy action are the primary elements of a policy. Use the set policy command to create a policy: Table 9-1 Table 9-1: Addresses and Zones {src_zone}, {dst_zone}...
  • Page 170: Naming Policies

    Configuring Policies • Enable Policy • About EXAMPLE: CREATE A POLICY Allow FTP traffic from the eth1 interface in the untrust zone to a server with IP address 4.4.4.4 on the eth0 interface in the trust zone: GUI EXAMPLE: CREATE A POLICY
  • Page 171: Reordering Policies

    Use the set policy command with the name option to add a name to an existing policy: EXAMPLE: ADDING A NAME TO THE POLICY FROM THE PREVIOUS EXAMPLE GUI EXAMPLE: ADDING A NAME TO THE POLICY FROM THE PREVIOUS EXAMPLE...
  • Page 172: Disabling Policies

    Destination Address: Any Service: FTP By default, the freeGuard Blaze 2100 software assigns a newly created policy a policy ID and adds it to the bottom of the policy list. To restrict FTP traffic from trust to untrust, Policy 2 is reordered in front of Policy 1.
  • Page 173: Re-Enabling Policies

    RE-ENABLING POLICIES Use the unset policy command with the disable option to enable a policy that has been set to disable: DELETING POLICIES Use the unset policy command with the id option to delete a policy by specifying a policy number: VIEWING POLICIES You can display policies using the get policy command: This displays all policies in the policy database (with the exception of...
  • Page 174 Configuring Policies • Src-address • Dst-address • Service • Action • State Use the get policy command with the id option to display a specific policy: This command returns the following information about the policy with the specified ID number:...
  • Page 175: Enable Policy Logging

    • State Use the get policy command with the global option to display all global policies in the policy database in table format: The table appears with these columns. • ID • From • To • Src-address • Dst-address • Service •...
  • Page 176: Creating Address Objects

    Configuring Address Objects • Creating Address Groups • Adding Objects to an Address Group • Deleting Address Groups • Adding Comments to Address Groups CREATING ADDRESS OBJECTS All address objects bind to a security zone specified during creation.
  • Page 177: Deleting Address Objects

    GUI EXAMPLE: CREATING AN ADDRESS OBJECT Objects > Add Address Object Enter the following, then click Apply: Name: John IP Address/Netmask: 10.0.0.100/32 Zone: Trust...
  • Page 178: Modifying Address Objects

    MODIFYING ADDRESS OBJECTS To modify the name, IP address, or subnet mask of an existing address object, first delete the object, then re-create the object with the new settings.
  • Page 179: Creating Address Groups

    CREATING ADDRESS GROUPS Address groups include multiple address objects. Use the set group command with the address option to create an address group: ADDING OBJECTS TO AN ADDRESS GROUP Use the set group command with the address and add options to add an address object to an address group: The following limitations apply to address groups: •...
  • Page 180 GUI EXAMPLE: CREATING AN ADDRESS GROUP Objects >...
  • Page 181: Deleting Address Groups

    DELETING ADDRESS GROUPS Use the unset group command with the address option to delete an address group: [NOTE] DELETING ADDRESS OBJECTS FROM AN ADDRESS GROUP Use the unset group command with the address and remove options to remove an address object from an address group: [NOTE] the address group name is not deleted.
  • Page 182: Configuring Service Objects

    CONFIGURING SERVICE OBJECTS Service objects used in policies consist of a transport protocol and an associated port number.
  • Page 183: Deleting Service Objects

    Name: telnet_custom Source Port Low: 1 Source Port High: 65535 Destination Port Low: 23005 Destination Port High: 23005 DELETING SERVICE OBJECTS Use the unset command to delete an existing service object: MODIFYING SERVICE OBJECTS To modify the values of an existing service object, first delete the object, and then re-create the object with the new settings.
  • Page 184: Configuring Service Timeouts

    Configuring Service Groups Destination Port Low: 24000 Destination Port High: 24000 CONFIGURING SERVICE TIMEOUTS Set the threshold timeout (in minutes) for a predefined service or custom service using the set service command with the timeout option: Use the default service timeout (5 minutes) or specify a new threshold...
  • Page 185: Configuring Service Groups

    This section describes how to create, modify and delete service groups. The following topics are included in this section: • Creating Service Groups • Deleting Service Groups • Deleting Service Objects • Modifying Service Groups • Adding Comments to Service Groups CREATING SERVICE GROUPS Use the set group command with the service option to create a service group:...
  • Page 186: Deleting Service Groups

    GUI EXAMPLE: CREATING A SERVICE GROUP Objects >...
  • Page 187: Adding Comments To Service Groups

    Remove: Web_Services Objects > Add Service Group Enter the following, then click Apply: Name: Web_Services Add: http and dns ADDING COMMENTS TO SERVICE GROUPS Use the set group command with the service and comment options to add a comment that describes the service group: [NOTE] group name is not deleted.
  • Page 188: Creating Recurring Schedules

    About Schedules Figure 9-2 Table 9-2: One-time Schedule {name} once start stop {date} {time} comment {text} CREATING RECURRING SCHEDULES Use the set scheduler command with the recurrent option to create a schedule object for a recurring event: Figure 9-3 Table 9-3: Recurring Schedule...
  • Page 189: Adding Schedules To Policies

    Table 9-3: Recurring Schedule (Continued) {day} start stop {day} {time} comment {text} A recurrent schedule can accept two sets of start/stop commands. You can use these commands for schedules that are enabled or disabled throughout the day with the exception of a specific period of time: Specify the same schedule name in multiple set scheduler commands to add additional days to the same schedule.
  • Page 190 EXAMPLE: CREATE A RECURRING SCHEDULE Create a recurring schedule to block Internet access on the weekend for all machines on the trust zone: GUI EXAMPLE: CREATE A RECURRING SCHEDULE
  • Page 191: Deleting Schedules

    DELETING SCHEDULES To delete a schedule, use the unset scheduler command: VIEWING SCHEDULES Use the get scheduler command with the once, recurrent or name options to view all configured schedules: unset scheduler {name_str} get scheduler once get scheduler recurrent get scheduler {name_str}...
  • Page 192 POLICY CONFIGURATION About Schedules
  • Page 193: Address Translation

    ADDRESS TRANSLATION This chapter describes the different methods of address translation that you can enable for traffic passing through the appliance. This chapter includes the following topics: • Network Address Translation • Configuring Source Network Address Translation • Source NAT Configurations •...
  • Page 194: Configuring Source Network Address Translation

    PAT translates the original source port to a random source port to maintain the uniqueness of all outbound connections. After an outbound connection is made, the freeGuard Blaze 2100 software enters the combination of the translated source IP address, translated source port, and destination IP address in the session table.
  • Page 195: Configuring Dynamic Ip (Dip) Pools

    CONFIGURING DYNAMIC IP (DIP) POOLS Use dynamic IP (DIP) pools to create a pool of IP addresses to use for source NAT policies. Use the set interface command with the dip option to create a DIP pool of addresses on the egress interface: Addresses in the DIP pool must be on the same subnet as the corresponding egress interface.
  • Page 196: Configuring Source Nat: Many-To-One With Port Address Translation

    ADDRESS TRANSLATION Source NAT Configurations CONFIGURING SOURCE NAT: MANY-TO-ONE WITH PORT ADDRESS TRANSLATION In a source NAT many-to-one configuration, all original source IP addresses on a network translate to a single IP address. Figure 10-2: Source IP Address Translation with Port Address Translation Use the set policy command with the nat src option to specify source...
  • Page 197: Configuring Destination Nat And Port Mapping

    CONFIGURING DESTINATION NAT AND PORT MAPPING Destination NAT can translate a single destination address to a single address (one-to-one), translate one range of destination addresses to a...
  • Page 198: Destination Nat Configurations

    Destination NAT Configurations • Configuring Destination NAT: Many-to-One • Configuring Destination NAT: Many-to-One with Port Mapping • Configuring Destination NAT: Many-to-Many CONFIGURING DESTINATION NAT: ONE-TO-ONE In a one-to-one destination NAT configuration, a single destination address translates to a different address that the security policy specifies (refer to...
  • Page 199: Configuring Destination Nat: Many-To-One With Port Mapping

    CONFIGURING DESTINATION NAT: MANY-TO-ONE WITH PORT MAPPING Use the set policy command with the nat dst ip and port options to specify destination NAT from an address group and port to a single address and port: CONFIGURING DESTINATION NAT: MANY-TO-MANY Use the set policy command with the nat dst ip option to specify destination NAT that translates a group of destination addresses to an address from a specified address range:...
  • Page 200 the first address from the destination NAT range. The translated addresses maintain consistency. Refer to Figure 10-5 for an example. Figure 10-5: Destination Network Address Translation with Address Shifting
  • Page 201: High Availability

    HIGH AVAILABILITY This chapter describes the High Availability feature. It includes the following topics: • About High Availability • Software Architecture overview • CLI Commands • HA Configuration ABOUT HIGH AVAILABILITY High Availability (HA) provides continuous service to end users when link and/or node failures occur.
  • Page 202: Cli Commands

    HIGH AVAILABILITY CLI Commands (figure labels: Primary Node A, HA port: EthX, Physical IP: IPA, Manage IP: IPM) Figure 11-1: High Availability Functionality Implemented through Custom Finite State Machines (FSM)
  • Page 203: Ha Configuration

    HA CONFIGURATION CONFIGURING THE PRIMARY AND SECONDARY IP ADDRESSES FOR THE INTERFACE...
  • Page 204 HA Configuration Enter the following address information, then click Apply: Type eth0 IP address: 192.168.1.1 Type eth0 Netmask: 24 Type eth0 manage-ip: 192.168.1.101 Network >...
  • Page 205 [NOTE] GUI EXAMPLE: SET HA INTERFACE AND WAN-PORT FOR NODE 1 HA >...
  • Page 206 GUI EXAMPLE: SET HA CONFIGURATION SYNCHRONIZATION HA >...
  • Page 207: Pki And X.509/Digital Certificates

    PKI AND X.509/DIGITAL CERTIFICATES This chapter describes the Public Key Infrastructure (PKI) and X.509/Digital Certificates feature. It includes the following topics: • About Public Key Infrastructure and X.509/Digital Certificates • PKI Basics • CLI Commands ABOUT PUBLIC KEY INFRASTRUCTURE AND X.509/DIGITAL CERTIFICATES
  • Page 208: Pki Basics

    PKI AND X.509/DIGITAL CERTIFICATES PKI Basics PKI BASICS PKI arrangements enable users to be authenticated to each other, and to use the information in identity certificates.
  • Page 209: A Typical Digital Certificate

    PKI Basics A TYPICAL DIGITAL CERTIFICATE The following figure shows a typical Digital Certificate. Figure 12-2: Typical Digital Certificate The certificate contains: •...
  • Page 210: Self-Signed Certificate

    PKI AND X.509/DIGITAL CERTIFICATES CLI Commands. SELF-SIGNED CERTIFICATE: A self-signed certificate is an identity certificate that is signed by its own creator.
  • Page 211: Cli Commands

    CREATING A CERTIFICATE REQUEST: To obtain a PKCS10 certificate request based on the key pair generated: The output of the command should provide the certificate request as follows: Version 3R2 PKI AND X.509/DIGITAL CERTIFICATES ======================================================= CN=fw@mistletoetech.com =======================================================...
  • Page 212: Importing A Certificate

    PKI AND X.509/DIGITAL CERTIFICATES CLI Commands. The complete output needs to be copied and pasted into a PKCS10-based certificate enrollment web page, or provided to the CA in the expected format.
  • Page 213: A Pre-Defined Services

    PRE-DEFINED SERVICES This appendix lists all of the pre-defined services defined on the security appliance, including the name, protocol, port group, inactivity timeout...
  • Page 214 PRE-DEFINED SERVICES and flag id. Pre-defined services use the protocol numbers listed in A-1. Protocols are listed in Table A-1: Pre-defined Services (columns: Name, Protocol): DHCP-Relay, FINGER...
  • Page 215 Table A-1: Pre-defined Services (Continued) (columns: Name, Protocol): POP3, PPTP, Real Media, RLOGIN, SNMP, SYSLOG, TALK, TCP-ANY, TELNET, TFTP, TRACEROUTE, UDP-ANY, UUCP, VDO Live, WINFRAME, X-WINDOWS. Table A-2: Protocols (columns: Protocol, Protocol Number): ICMP. Remaining Table A-1 columns: Port Group, Timeout (min): 110 email...
  • Page 217 GLOSSARY 1000Base-T: The specification that describes the use of Gigabit Ethernet over copper Cat-5 wire. It defines data rates of 1 Gigabit per second (Gb/s) over a distance not to exceed 100 meters. Advanced Encryption Standard (AES): An emerging encryption standard that can use a 128-, 192-, or 256-bit encryption key.
  • Page 218 GLOSSARY Default Route: A standard entry in a routing table that enables traffic to be forwarded for destination networks that are not explicitly defined on a specific network device. The normal representation of the default route is 0.0.0.0/0.
  • Page 219 GLOSSARY Extended Authentication (XAUTH): A method to perform user authentication in a separate phase after the IKE authentication or phase 1 exchange. The authentication name must match the XAUTH configuration name in order to allow the user to authenticate and permit access.
  • Page 220 GLOSSARY Internet is used as a way to share information including e-mail, files, and newsgroups. Internet Key Exchange (IKE): A method used to exchange keys to encrypt and authenticate data over an unsecured medium, such as the Internet.
  • Page 221 (LAN). The MAC address commonly refers to the Ethernet address or a node on a LAN. When connected to the Internet, the MAC address tracks the IP address of a node. The freeGuard Blaze 2100 software creates a table that references the MAC address to a known IP address.
  • Page 222 GLOSSARY PPPoE: Point-to-Point Protocol over Ethernet. Used to allow ISPs the use of their existing RADIUS authentication systems from their Dial-Up service on a Broadband/Ethernet-based service. Remote Authentication Dial-In User Service (RADIUS): provides an authentication, authorization and accounting protocol for applications such as network access or IP mobility.
  • Page 223 On the freeGuard Blaze 2100, the IEEE standard 802.1Q is used to tag and identify the subinterface. Subnet: A network that shares a common address component. Subnets are defined as all hosts whose IP addresses have the same prefix on a TCP/IP network.
  • Page 224 GLOSSARY Uniform Resource Locator (URL): The standard used to obtain the location of resources or global addresses found on the World Wide Web. Unshielded Twisted Pair (UTP): A standard cable used for telephone lines, UTP is also used for Ethernet connections and is often referred to as 10BaseT.