Freedom9 Slim 100 User Manual

freeGuard Slim Appliances
Network Traffic and Security Management

User Guide

Part No.: FSL100, FSL300M
Version: V4R2

Summary of Contents for Freedom9 Slim 100

  • Page 1: User Guide

    freeGuard Slim Appliances Network Traffic and Security Management User Guide Part No.: FSL100, FSL300M Version: V4R2...
  • Page 2 Copyright Notice © Copyright 2007 Freedom9 Inc. All Rights Reserved. Under the copyright law, this manual and the software described within cannot be copied in whole or part, without written permission of the manufacturer, except in the normal use of the software to make a backup copy.
  • Page 3: Table Of Contents

    Viewing the Policy Configuration... 1-12 Configuring a Policy ... 1-13 Ch. 2: Freedom9 Network Appliances System Management... 2-1 Using the Console to Manage the Freedom9 Network Appliance ... 2-2 Viewing Console Interface Settings ... 2-2 Setting the Console Display ... 2-2 Setting the Console Timeout...
  • Page 4 Viewing SSH Settings ... 2-3 Generating New SSH Host Keys ... 2-3 Managing Users for the Freedom9 Network Appliance ... 2-4 Changing Your Administrator Password ... 2-4 About Additional Types of Users... 2-4 Changing the Admin-r Password ... 2-4 Managing Software for the Freedom9 Network Appliance ... 2-6 Storing Software Image Files in Flash Memory ...
  • Page 5 Viewing the Log Module Settings... 5-3 Viewing the Traffic and Event Log ... 5-4 Admin Mail Server... 5-5 Configuring Freedom9 Network Appliances to Send E-mail Notifications ... 5-5 Deleting the Admin Mail Server... 5-5 Removing E-mail Addresses from the Admin Mail Server ... 5-6 Syslog Management ...
  • Page 6 DOS ... 5-13 POLICY ... 5-14 SESSION ... 5-14 Reviewing Event Logs... 5-15 Address ... 5-16 Notification ... 5-16 System ... 5-17 ARP... 5-17 Interface ... 5-18 Policies... 5-19 PPP ... 5-20 Route... 5-23 Schedule ... 5-24 Service ... 5-24 SNMP...
  • Page 7 Monitoring Traffic Using Threshold Alerts ... 7-1 Overview ... 7-1 Network Layout ... 7-1 Scenario Description ... 7-2 Initializing the Freedom9 Network Appliance ... 7-3 Setting Up Alerts ... 7-3 Setting Up the Logging Infrastructure ... 7-4 Setting Up Policies ... 7-4 Analyzing Traffic and Sending Alerts ...
  • Page 8 SNMP Group... 8-4 Transmission Group (DOT3STATs)... 8-5 Transmission Group (DOT3COLLISION)... 8-5 Configuring SNMP on the Freedom9 Network Appliance ... 8-5 Enabling SNMP on a Specified Interface ... 8-6 Configuring the SNMP Community String... 8-7 Configuring the SNMP Listener Port ... 8-7 Configuring the SNMP System Name...
  • Page 9 Configuring NAT-Enabled Mode ... 9-8 Configuring Route Mode ... 9-8 Viewing Interface Information... 9-9 Configuring Transparent Mode ... 9-10 Transparent Mode Overview... 9-10 Transparent Mode Simple Deployment... 9-11 Transparent Mode Management... 9-11 Transparent Mode VLAN Filtering... 9-12 Transparent Mode Simple ACL Functions ... 9-14 Advanced Interface Settings...
  • Page 11: Getting Started

    • Before You Install the FSL100 Appliance • Installing the FSL100 Appliance See also the Quick Start Guide which is provided with your FreeGuard Slim 100 appliance. on page 1-4 on page 1-6 on page 1-7...
  • Page 12: Document Conventions

    • When a CLI command appears within the context of a sentence in this document, it is in bold (except for variables, which are always in italic). For example: “Use the get system command to display general information about the Freedom9 Network appliance.” Variable CLI values are described in...
  • Page 13: Illustration Conventions

    When a WebGUI command appears within the context of a sentence in this document, it is in bold (except for variables, which are always in italic). For example: “Use click on the XXXX command to display general information about the Freedom9 Network appliance.” Figure 1-1 shows the graphics used in illustrations in this guide.
  • Page 14: Product Description

    Introduction to Freedom9 Network Appliances Product Description FreeGuard Slim 100 appliances are compact in-line appliances that manage network traffic flows to optimize and protect network and server infrastructures. Deployed in front of servers or network equipment, the Freedom9 Network appliance is a non-intrusive solution for managing bandwidth abuse or attacks against network infrastructure.
  • Page 15: Supported Features

    Syslog SNMPv2 (trap) SNMP Get Command Line Interface Accompanying Documentation on Software CD For information on configuring and deploying your Freedom9 Network appliance, refer to the following documentation: • Quick Start Guide • User Guide • CLI Reference Guide Table 1-2...
  • Page 16: Startup Configuration For Slim 300M

    • Default policy - Allow Default Behavior • Allow any traffic Before You Install the Freedom9 Appliance Familiarize yourself with the following topics before installing the Freedom9 appliance: • What You Must Know Before You Install the Freedom9 Appliance •...
  • Page 17: Installing The Appliance

    <CAUTION> Room temperature might not be adequate for long term use of the Freedom9 appliance; for optimum environmental requirements for the appliance, refer to the Appliance Specifications on page 1-8. <CAUTION> Be careful of additional hazards, including frayed power cords, wet or moist floors, and missing safety grounds.
  • Page 18 [NOTE] Hyper-Terminal by Hilgraeve Inc. is a suitable terminal emulation program, and is included with most Windows operating systems. The default login credentials are admin and admin. These credentials are case-sensitive. Enter the following settings in the terminal application: •...
  • Page 19: Led Activity For Slim 100

    Parameter: Power Supply, Operational Temperature, Storage Temperature, Humidity, Max Power Consumption, Safety Compliance, EMC Compliance. LED Activity for FSL100: Table 1-8 lists information about the physical interfaces on the SlimLine 100 appliance. Table 1-8 Physical Interfaces Table: Interface Name eth0 Interface...
  • Page 20: Slim 300 Appliance Specifications

    Slim 300M Appliance Specifications This section describes the physical attributes, electrical information and environmental requirements to properly install and run the Slim 300M appliance. It includes the following topics: •...
  • Page 21: Slim 300 Console Interface

    {password_str} save Default Configuration The Freedom9 appliance is configured to monitor a network such as the one displayed in Figure 1-5. In this configuration, the eth0 interface is connected to the inside LAN switch and the eth1 interface is connected to your Internet router. The eth0 interface is bound to the zone...
  • Page 22: Configuring The Default Route For Management Traffic

    Using the network in Figure 1-5, configure the Freedom9 appliance to use the address 192.168.2.254 for the default route of all traffic: set route 0.0.0.0/0 interface br0 gateway 192.168.2.254 save Optional: To verify the default route settings, execute the get route summary command:...
  • Page 23: Configuring A Policy

    (Route) set route 0.0.0.0/0 interface br0 gateway 192.168.1.254 Configuring a Policy The default policy behavior is set policy default permitted. See Advanced Policy Configuration on page 6-1 for more information about policy configuration.
  • Page 25 System Management This chapter describes the management options for Freedom9 appliances, including software management, system management, and user account management. The following topics are included in this chapter: • Using the Console to Manage the Freedom9 Appliance • Using SSH to Manage the Freedom9 Appliance •...
  • Page 26: Viewing Console Interface Settings

    IP address of 192.168.1.1. After you configure the Freedom9 appliance, you can manage it through the console or by using a secure shell (SSH). This section describes how to work with the console and includes the following topics: •...
  • Page 27: Enabling Ssh On A Specific Interface

    {host-key} Generating New SSH Host Keys The Freedom9 appliance already comes with an SSH host key. Use the exec ssh command to generate a new SSH host key:...
  • Page 28: Managing Users For The Freedom9 Network Appliance

    Managing Users for the Freedom9 Appliance The Freedom9 appliance has a single global administrator account with the user name admin. This account has the following administrative privileges: • Add, remove, and manage security zones • Assign interfaces to security zones •...
  • Page 29 Enter the following password information and click Apply. Select the admin-r user. Type old password. Type new password. Confirm new password.
  • Page 30: Storing Software Image Files In Flash Memory

    On the appliance, enter save software from tftp ip_addr filename mos {pri | sec}, where ip_addr is the IP address of your computer and filename is the file name of the Freedom9 appliance software. In addition, you must specify either the primary or secondary image location (pri | sec).
  • Page 31: Displaying Current Dns Host Settings

    Displaying Current DNS Host Settings To display the current DNS host IP settings, use the get dns command: get dns host settings Using Ping To test connectivity to other hosts connected to the appliance for network connectivity, use the ping command: ping {ip_addr|dom_name} Example: Ping www.yahoo.com ping www.yahoo.com...
  • Page 32: Saving The Configuration File For Export

    Saving the Configuration File for Export To download and save the configuration file from the tftp server, use the save config command: save config from tftp {ip_addr} filename to flash GUI Example: Saving the configuration file for export Select System > Configuration. Click on Download Configuration.
  • Page 33 GUI Example: View the saved configuration Select System > Configuration. Select the Display Configuration button.
  • Page 34: Resetting The Software To Use The Original Filename

    Resetting the Software To Use the Original Filename. Using the administration console, use the unset all command to reset the Freedom9 appliance to factory default settings. This command erases the current configuration and returns the configuration file to factory default.
  • Page 35: Additional System Management Tasks

    System > Status Configuring Domain Names To configure the appliance to respond to a specifically configured domain, use the set domain command: set domain freedom9.com Example: Configuring the Domain Name <appliance name> set domain freedom9.com save GUI Example: Configuring the Domain Name <appliance name>...
  • Page 36: Deleting Domain Names

    To delete a previously configured domain name, use the unset domain command: unset domain save Configuring Host Names To configure a host name on the Freedom9 appliance use the set host command: set host appliance Example: Configuring the Host Name <appliance name> set host <appliance name>...
  • Page 37: Using Network Time Protocol (Ntp)

    Using Network Time Protocol (NTP) The appliance uses Network Time Protocol (NTP) to update its internal date and time, and to include the date and time in its log messages. This protocol is required for any policies scheduled. For additional information on schedules, see This section describes how to use NTP with the appliance: •...
  • Page 38: Viewing Current Ntp Settings

    Maintaining Clock Settings with NTP Use the set clock command to ensure that the Freedom9 appliance is configured with the correct date and time: set clock {date [ time ] | dst-off | ntp | timezone number} Use NTP for updates to the clock.
  • Page 39: Configuring The Clock To Use Ntp

    Configuring the Clock to Use NTP To configure automatic updates to the clock through NTP, use the set clock command: set clock ntp Configuring the Time Zone To configure the time zone setting for the clock, use the set clock command. The timezone {number} parameter represents the difference between your local time and standard Greenwich Mean Time.
  • Page 40: Using Domain Name Service (Dns)

    Using Domain Name Service (DNS) The Domain Name Service (DNS) host IP address allows the appliance to resolve or match domain names to IP addresses. You must specify a DNS host in order to resolve domain names to IP addresses.
  • Page 43: Ch. 3: Managing Traffic Flow

    Shaping Traffic Flow Overview Freedom9 appliances have the ability to not only monitor, but also to shape (to control the volume of traffic being sent and the rate at which the traffic is being sent) different types of traffic based on bandwidth usage. You can specify a traffic limit based on connection rate, connection bandwidth, or total number of connections.
  • Page 44: Network Layout

    Table 3-1: Shaping Traffic Flow Network Layout Scenario Description Freedom9 appliances can be programmed to deny access to traffic that violates a specified policy. In this scenario, the appliance will be set up to deny traffic when: • normal traffic (http and https) exceeds 100 Mbps •...
  • Page 45 Initializing the Appliance Use the following commands to make the appliance transparent to the rest of the network, and prepare it to monitor traffic. For more information about CLI commands, see the CLI Command Reference Guide provided with your appliance. Table 3-2: Commands to Initialize the Appliance Command unset interface eth0 ip set address "trust"...
  • Page 46 Specifies the IP Address of the syslog server. This setting should be your log server address. The Freedom9 appliance supports two syslog servers. The second server can be configured using the same command. Sends log messages that match the level "notification"...
  • Page 47 "notification" for session module to the internal destination. Displays log contents. Example of a displayed log message: Oct 09 15:58:38 2007 Freedom9 id=slimline policy[185] [NOTICE] BW_AGGR_ALERT: alert id 5 for alert <abuser-alert1> generated for policy : 1 fromsrcIp/srcPort: 69.66.193.246/17411 to destIp/destPort: 192.168.65.149/80...
  • Page 48: Analyzing And Shaping Traffic

    The commands in Table 3-5 set up the policies for this scenario. For more information about CLI commands, see the CLI Command Reference Guide provided with your appliance. Table 3-5: Commands to Set Up Policies Command set policy id 1 from "untrust"...
  • Page 49 If the flow does not exist, check the alert information for the policy matching with this packet. • If the connection-rate alert is not specified, the connection rate limit processing is not needed on this packet. • If the connection-rate alert is specified, compute the number of connections which arrived during the last second.
  • Page 51: Ch. 4: Configuring Attack Prevention

    Configuring Attack Prevention Freedom9 network appliances provide security and traffic management solutions for all types of modern network topologies. The AntiDoS feature is specifically designed to protect network infrastructure against DoS and DDoS attacks. This chapter explains how to use the features of the AntiDoS.
  • Page 52: Valid But Potentially Dangerous Packets

    Attacks that fall in this category are syn-fin, tcp-no-flag, Land attack, IP Spoof, IRDP, Teardrop attack, Ping of Death, UDP Bomb, and other unknown IP Protocols.
  • Page 53: Enabling Ddos Logging

    Enabling DDoS Logging Logging messages are generated by logging modules inside the appliance. Logging modules that generate DDoS-related messages are in the policy module, the dos module and the reconn-deter module. All DDoS-related logging is generated at the 'informational' level (meaning that the levels are compatible with the syslog message levels).
  • Page 54 Table columns: Attack Name, Category, How to enable attack prevention. Senna-spy: port attack; set policy global port-attack senna-spy. Small-sever...
  • Page 55 Attack Name, Category, How to enable attack prevention: Icmp-large, Valid but potentially dangerous, set zone {zone_name} screen icmp-large; ip-bad-opt, Valid but potentially dangerous, set zone {zone_name} screen ip-bad-...; ip-filter-src, Valid but potentially dangerous, set zone {zone_name} screen ip-filter-...; ip-loose-src-route, Valid but..., set zone...
  • Page 56: Logging Command Index

    Attack Name, Category, How to enable attack prevention: syn-fin, Malformed or invalid packet, Always enabled; 'set zone {zone_name}...
  • Page 57 Logging Command Index: Set log module reconn-deter level information; Set log module ip level information. Although this feature is always enabled, in order to enable logging, it has to be enabled by the command: set zone {zone_name} screen syn-fin. Although this feature is always enabled, in order to enable logging, it has to be enabled by the command:...
  • Page 59: Ch. 5: Traffic Flow Reporting

    Logging is the process of recording and storing information about a specific event. On the Freedom9 Network appliances, a single activity that occurs, such as denying a packet from passing through a zone, is considered an individual event. Since the appliance is used to protect network infrastructures, it is extremely important to record all events showing a possible security problem.
  • Page 60: Log Modules

    • Warning Messages—Events that could affect the functionality of the security of the appliances. • Error Messages—Messages that include error conditions that may exist on the Freedom9 network appliance. • Critical Messages—Events that could affect functionality of the Freedom9 Network appliances.
  • Page 61: Traffic And Event Log Management

    Traffic and Event Log Management To get log information from the appliance, at least one destination must be specified. Log destinations include: • Console • Internal • E-mail • Syslog • SSH. Log Module Settings: Setting Log Modules To enable logging for a specific software module, use the set log module command with the software module option, the desired logging level, and the message destination.
  • Page 62: Viewing The Traffic And Event Log

    Viewing the Traffic and Event Log Freedom9 network appliances have a maximum storage of 2Mb for event logging. When the 2Mb limit is reached, the appliance overwrites the oldest event logs with newer events. All messages logged include the date and time. To view the event log, use the get log messages command to show all events logged.
  • Page 63: Admin Mail Server

    cli-> : [NOTE] The event logs stored locally on the appliance will be erased if the appliance is powered down or rebooted. You should configure a syslog server to collect all logs. GUI Example: View the Traffic and Event Logs Select Reports >...
  • Page 64: Removing E-Mail Addresses From The Admin Mail Server

    Syslog Management Freedom9 network appliances can generate syslog messages specified for delivery to multiple syslog servers. The syslog protocol uses a standard transport mechanism along with a standard format for all messages. This allows multiple network devices to send syslog information that can be formatted into custom reports.
  • Page 65: Deleting The Syslog Host Ip Address

    Deleting the Syslog Host IP Address To delete the syslog host IP address use the unset syslog config command with the IP option. unset syslog config ip Disabling the Syslog Host Log Options To disable the syslog host log option use the unset syslog config ip log and specify the current log option to disable.
  • Page 66: Reviewing Message Logs

    For an alphabetical list of log messages, see Conventions Freedom9 network publications use the following conventions to indicate optional and required elements, variables, and options: • A parameter inside [ ] (square brackets) is optional. This element might appear in the message.
  • Page 67: Acronyms

    Acronyms Freedom9 network publications use the following acronyms to represent various concepts, terms, and standards: 3DES Triple Data Encryption Standard Common Name (X.509 certificate) Certificate Revocation Certificate Revocation List Distinguished Encoding Rule Data Encryption Standard Diffie-Hellman DHCP Dynamic Host Configuration Protocol...
  • Page 68 Network Address Translation Network Security Officer Network Time Protocol OSPF Open Shortest Path First Perfect Forward Secrecy Public Key Authentication PKCS Public Key Cryptography Standards Public Key Infrastructure...
  • Page 69: Anatomy Of A Message

    • The message type displays a code number associated with the severity level. • The message text displays the content of the event message. The event message includes the administrator’s login name when the administrator performed an action. In the example, the administrator login name is Freedom9. Levels Explanation of Levels 0 Emergency Messages on SYN attacks, Tear Drop attacks, and Ping of Death attacks.
  • Page 70: Traffic Logging

    Proposed traffic log format for syslog to support EIQ: 192.168.65.230: <134>Jun 02 12:13:42 2007 Freedom9 policy[117] [INFO] proto=1 src=64.62.250.2:0 dst=64.79.127.67:0 packet dropped due to policy deny! See Table 5-2 for an explanation of this output log.
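    The two message formats the guide quotes (the syslog traffic log line above, and the BW_AGGR_ALERT bandwidth alert shown under Page 47) can be parsed into fields so that policy drops and threshold alerts can be counted per source. The following Python is an added example, not code from the guide or from Freedom9: the sample lines are constructed from the two formats shown on the page, and the Event class, its field names and the regular expressions are this example's own assumptions about how the fields are laid out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, modelled on the two message formats the guide
# shows (the proto/src/dst traffic log line and the BW_AGGR_ALERT line).
SAMPLE_LINES = [
    "192.168.65.230: <134>Jun 02 12:13:42 2007 Freedom9 policy[117] [INFO] "
    "proto=1 src=64.62.250.2:0 dst=64.79.127.67:0 packet dropped due to policy deny!",
    "Oct 09 15:58:38 2007 Freedom9 id=slimline policy[185] [NOTICE] BW_AGGR_ALERT: "
    "alert id 5 for alert <abuser-alert1> generated for policy : 1 "
    "fromsrcIp/srcPort: 69.66.193.246/17411 to destIp/destPort: 192.168.65.149/80",
    "this line matches neither format",
]

# Assumed common header: optional relaying host, optional syslog <PRI>,
# timestamp, appliance name, optional "id=" device tag, module[pid], [LEVEL], text.
HEADER_RE = re.compile(
    r"^(?:(?P<reporter>\d{1,3}(?:\.\d{1,3}){3}):\s*)?"
    r"(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?:id=(?P<devid>\S+) )?"
    r"(?P<module>[A-Za-z_-]+)\[(?P<pid>\d+)\] \[(?P<level>[A-Z]+)\] (?P<text>.*)$"
)
TRAFFIC_RE = re.compile(
    r"^proto=(?P<proto>\d+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) (?P<reason>.*)$"
)
ALERT_RE = re.compile(
    r"^BW_AGGR_ALERT: alert id (?P<alert_id>\d+) for alert <(?P<alert_name>[^>]+)> "
    r"generated for policy : (?P<policy_id>\d+) "
    r"fromsrcIp/srcPort: (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to destIp/destPort: (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass
class Event:
    kind: str                       # "traffic", "alert" or "other"
    timestamp: str
    host: str
    module: str
    pid: int
    level: str
    text: str
    reporter: Optional[str] = None
    device_id: Optional[str] = None
    facility: Optional[int] = None  # decoded from <PRI>: PRI = facility*8 + severity
    severity: Optional[int] = None
    proto: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    reason: Optional[str] = None
    alert_id: Optional[int] = None
    alert_name: Optional[str] = None
    policy_id: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one appliance log line; return None when the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = Event(kind="other", timestamp=m["ts"], host=m["host"], module=m["module"],
               pid=int(m["pid"]), level=m["level"], text=m["text"],
               reporter=m["reporter"], device_id=m["devid"])
    if m["pri"] is not None:
        # Standard syslog priority encoding: facility in the high bits, severity 0-7.
        ev.facility, ev.severity = divmod(int(m["pri"]), 8)
    t = TRAFFIC_RE.match(ev.text)
    if t:
        ev.kind = "traffic"
        ev.proto, ev.src, ev.sport = int(t["proto"]), t["src"], int(t["sport"])
        ev.dst, ev.dport, ev.reason = t["dst"], int(t["dport"]), t["reason"]
        return ev
    a = ALERT_RE.match(ev.text)
    if a:
        ev.kind = "alert"
        ev.alert_id, ev.alert_name = int(a["alert_id"]), a["alert_name"]
        ev.policy_id = int(a["policy_id"])
        ev.src, ev.sport = a["src"], int(a["sport"])
        ev.dst, ev.dport = a["dst"], int(a["dport"])
    return ev


def summarize(lines):
    """Count events per kind, policy-deny drops, and bandwidth alerts per source IP."""
    counts = {"traffic": 0, "alert": 0, "other": 0, "unparsed": 0, "policy_deny": 0}
    alert_sources = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        counts[ev.kind] += 1
        if ev.kind == "traffic" and "policy deny" in ev.reason:
            counts["policy_deny"] += 1
        if ev.kind == "alert":
            alert_sources[ev.src] = alert_sources.get(ev.src, 0) + 1
    return counts, alert_sources


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(summarize(SAMPLE_LINES))
```

    The <134> priority decodes to facility 16 (local0) and severity 6 (informational), which matches the guide's statement that traffic and DDoS messages are emitted at the informational level.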
  • Page 71: Traffic Logging Messages

    Traffic Logging Messages The following is a list of traffic logging messages. Message: ARP entry not found. Meaning: No ARP entry. Action: No recommended action. Message: ARP table full. Meaning: ARP table full. Action: No recommended action. Message: TCP SYN flood drop! Meaning: TCP SYN flood drop! Action:...
  • Page 72: Policy

    Meaning: IP rate limit exceeded. Action: No recommended action. POLICY Message: Packet dropped due to policy not found! Meaning: Policy was not found. Action: No recommended action. Message:...
  • Page 73: Reviewing Event Logs

    Meaning: Failure of insertion in second table. Action: No recommended action. Message: Packet dropped due to internal allocation failure! Meaning: Internal allocation failure. Action: No recommended action. Message: Port translation pool exhausted. Meaning: Port translation pool exhausted. Action: No recommended action. Message: Route not found: invalid next hop.
  • Page 74: Address

    11:05:19 Time stamp; 2007 Year stamp; Freedom9 Id=mtsales Device Id; pmgr Module name; [146] Module process id; policy_entry Message text caddr="0x637fe80"...
  • Page 75: System

    Action: No recommended action. System These messages relate to the administration of the device. Warning Message: {admin|admin-r} has logged { on | out } from <ip_addr> Meaning: The admin logged on or logged out of the device from an SSH or telnet session.
  • Page 76: Interface

    Notification Message: Static ARP entry { added to | deleted from } interface <interface> with IP <ip_address> and MAC <mac_addr> Meaning: A static Address Resolution Protocol entry was added to or removed from an interface with a specified IP address and MAC address.
  • Page 77: Policies

    Message: Interface <interface> was bound to zone <zone> Meaning: An admin bound the named interface to the specified zone. Action: No recommended action. Message:...
  • Page 78: Ppp

    Action: Confirm that the action was appropriate, and performed by an authorized admin. <id_num> – The ID number of the access policy. <zone1>...
  • Page 79 Error Message: <name> is not connected. Meaning: The system was unable to connect to another process, most likely the configuration agent. Message: Fail to connect to ifmgr. Meaning: The attempt to get the connection id for the IF manager while disabling PPP/PPPoE failed. A similar error message exists while enabling PPP/PPPoE; however, it is a WARNING instead of an ERROR. Message...
  • Page 80 Meaning: Unable to get IPC id to connect to the if manager. This can happen when inserting the PPP/PPPoE information into the interface structure and when validating the information associated with a modification request.
  • Page 81: Route

    Message: Discarded non-LCP packet when LCP not open. Meaning: The PPP/PPPoE module has not finished creating a link and is discarding packets not used in constructing the link. Message: Discarding proto <number> in phase <number>. Meaning: The PPP/PPPoE module has not finished creating a link and is discarding packets that aren't useful in the current phase.
  • Page 82: Schedule

    Action: No recommended action. Schedule The following messages relate to schedules created for use in access policies. Notification Message: Schedule <name_str> has been { added | modified | deleted }. Meaning: An admin has added, modified, or deleted the specified schedule.
  • Page 83: Snmp

    Action: No recommended action. SNMP The following messages relate to SNMP. Info Message: set snmp community. Meaning: Successfully set snmp community. Action: No recommended action. Message: Set snmp trap host and community. Meaning: Successfully set snmp trap host and community. Action: No recommended action. Zone...
  • Page 85: About Security Policies

    Advanced Policy Configuration This chapter describes how to create and apply security policies. This chapter includes the following topics: • About Security Policies • Configuring Policies • Configuring Address Objects • Configuring Service Objects • Configuring Service Groups • About Schedules About Security Policies A policy allows, denies, or rejects specific traffic based on the source, destination, and service type sent in a single direction between two end points.
  • Page 86: About Security Policy Types

    Figure 6-1 displays the use of security policies: Figure 6-1 Security Policies About Security Policy Types You can configure three types of policies for the appliance as described in the following sections: •...
  • Page 87: Configuring Global Policies

    Configuring Global Policies Global policies are not assigned to a specific zone and either allow or deny packets to all zones. Use the set policy command and specify global as the zone to create a global policy: set policy global {src_addr} {dst_addr} {srvc} {permit | deny | reject} You must configure the src_addr and dst_addr in the global zone.
  • Page 88 Parameter / Description: netflow: The netflow action collects, filters, and aggregates data packets.
  • Page 89: Naming Policies

    Service: FTP Naming Policies Use the set policy command with the name option to add a name when you create the policy: set policy name {name_str} from {src_zone} to {dst_zone} {src_addr} {dst_addr} {srvc} permit | deny | reject Use the set policy command with the name option to add a name to an existing policy: set policy id {number} name {name} from {src_zone} to {dst_zone} {src_addr} {dst_addr} {srvc} permit | deny | reject Example: Adding a Name to the Policy From the Previous Example...
  • Page 90: Disabling Policies

    Action: Permit Source Address: Any Destination Address: Any Service: Any Select Policy > Configuration > Edit (for ID2) Enter the following, then click Apply: Location Action: Deny...
  • Page 91 • ID • From • To • Src-address • Dst-address • Service • Action • State Use the get policy command with the all option to display all policies in the policy database including global policies in table format: get policy all The table appears with these columns: •...
  • Page 92: Enable Policy Logging

    The table appears with these columns. • ID • From • To • Src-address •...
  • Page 93: Configuring Address Objects

    set alert conn-bandwidth name cbr-webserver threshold 200 kbps minute action log once set policy id 3 untrust to trust any any smtp permit alert cbr-webserver save See the CLI Guide for more information about the set alert command. Configuring Address Objects Before you can configure any policies to deny or permit access to or from a host or network, you must create address objects and assign them to a zone.
  • Page 94: Deleting Address Objects

    To create the address objects shown in the figure: Create an address object for the IP address 10.0.0.100 using the name John. Create an address object for the IP address 10.0.0.101 using the name Matt.
  • Page 95: Modifying Address Objects

    Modifying Address Objects To modify the name, IP address, or subnet mask of an existing address object, first delete the object, then re-create the object with the new settings. Example: Modify an Address Object Change the name of the address object from MailServer to MailServerNY: unset address trust MailServer set address trust MailServerNY 10.200.0.0/24 save...
  • Page 96 set group address {zone} {grp_name} add {adr_obj} The following limitations apply to address groups: •...
  • Page 97: Deleting Address Groups

    Select Objects > Add Address Object. Enter the following, then click Apply: Name: Sales_Subnet IP Address/Netmask: 10.0.3.0/24 Zone: Trust Select Objects > Add Address Group. Enter the following, then click Apply: Name: New_York_Office Zone: Trust Add: Finance_Subnet, Mtkg_Subnet, and Sales_Subnet Deleting Address Groups Use the unset group command with the address option to delete an address group: unset group address {zone} {grp_name}...
  • Page 98: Configuring Service Objects

    Enter the following, then click Apply: Zone: Trust Edit: New_York_Office Comment: All_Departments Configuring Service Objects Service objects used in policies consist of a transport protocol and an associated port number.
  • Page 99: Deleting Service Objects

    Source Port Low: 1 Source Port High: 65535 Destination Port Low: 23005 Destination Port High: 23005 Deleting Service Objects Use the unset command to delete an existing service object: unset service {name_str} Modifying Service Objects To modify the values of an existing service object, first delete the object, and then re-create the object with the new settings.
  • Page 100: Configuring Service Groups

    set service {name_str} timeout {minutes} Use the default service timeout (5 minutes) or specify a new threshold. Example: Changing a service timeout Increase the timeout on the predefined service FTP from 5 minutes to 15 minutes: set service ftp timeout 15...
  • Page 101: Deleting Service Groups

    Example: Creating a Service Group Figure 6-6 Service Groups Use the following commands to create a service group called Web_Services as displayed in Figure 6-6: set group service Web_Services set group service Web_Services add http set group service Web_Services add https set group service Web_Services add dns save GUI Example: Creating a Service Group...
  • Page 102: Adding Comments To Service Groups

    Example: Modifying a Service Group Modify the service group Web_Services to add HTTP and DNS: unset group service Web_Services set group service Web_Services add http set group service Web_Services add dns...
  • Page 103: Creating Recurring Schedules

    set scheduler {name} once start {date} {time} stop {date} {time} comment {text} Table 6-2 explains the parameters in the above command. Table 6-2: set scheduler command (with once option) Parameter | Description: {name} | The {name} field assigns a name to the schedule.
  • Page 104: Adding Schedules To Policies

    Parameter | Description: Use the start option and specify the time at which to start allowing traffic matching the policy to pass...
  • Page 105: Deleting Schedules

    set scheduler “weekend” recurrent sunday start 00:00 stop 23:59 comment “Block weekend Internet access” set scheduler “weekend” recurrent saturday start 00:00 stop 23:59 comment “Block weekend Internet access” set policy from trust to untrust any any any deny schedule weekend save GUI Example: Create a Recurring Schedule Select Objects >...
  • Page 106: Viewing Schedules

    Viewing Schedules Use the get scheduler command with the once, recurrent or name options to view all configured schedules: get scheduler once get scheduler recurrent...
  • Page 107: Ch. 7: Monitoring Traffic

    Monitoring Traffic Using Threshold Alerts Overview Freedom9 network appliances have the ability to monitor (and shape) different types of traffic based on bandwidth usage. You can set an alert to trigger when anomalous traffic (such as an unusual surge in the number of connections, or a dramatic increase in bandwidth usage) is detected for a particular user.
  • Page 108: Scenario Description

    (aggregate bandwidth) or per individual user. You can also distinguish between critical and non-critical traffic, and provide alerts accordingly. Figure 7-1 Scenario for Traffic Monitoring using Threshold Alerts Scenario Description In this scenario, the appliance will be programmed to send alerts when:...
  • Page 109: Setting Up Alerts

    Setting Up Alerts Use the following commands in Table 7-2 to create logs that describe events for review. For more information about CLI commands, see the CLI Command Reference Guide provided with your Freedom9 appliance. Table 7-2: Commands to Set Up Alerts Command set alert conn-rate "cr-user-alert1"...
  • Page 110: Setting Up The Logging Infrastructure

    Use the following commands in Table 7-3 network manager to review. For details about CLI commands, see the CLI Command Reference Guide that comes with your Freedom9 appliance. Table 7-3: Commands to Set Up the Logging Infrastructure Command set syslog enable set syslog config 192.168.65.199...
  • Page 111 to zone A, you must configure another policy permitting traffic from zone B to zone A. For this scenario, the policy will specify not only which traffic is allowed, but also the action to be taken to alert when traffic or a connection rate reaches certain parameters. The components of a policy are: •...
  • Page 112: Analyzing Traffic And Sending Alerts

    Traffic Analysis Using NetFlow Overview Freedom9 network appliances allow administrators to monitor traffic without interfering with network performance. The appliance is placed in the network in transparent mode, and sends traffic information to a collector using the NetFlow format to be analyzed by specialized software, such as the open-source Ntop software.
  • Page 113: Network Layout

    Network Layout The most common existing alternative to monitoring traffic is to turn on NetFlow from the router; however, this can affect performance by significantly slowing the network. Table 7-5 shows the original network setup.
  • Page 114: Setting Up The Netflow Infrastructure

    Initializing the Appliance Use the following commands in Table 7-7 transparent to the rest of the network. For more information about CLI commands, see the CLI Command Reference Guide provided with your appliance.
  • Page 115: Setting Up Policies

    (inter-zone policy), between interfaces bound to the same zones (intra-zone policies), and between addresses in the Global zone (Global addresses). For example, all traffic will be allowed to pass (since the purpose of using the Freedom9 network appliance in this example is to monitor the flow).
  • Page 116: Managing Peer-To-Peer Traffic

    Managing Peer-to-Peer Traffic Freedom9 Network appliances can identify traffic that is specifically peer-to-peer, and either alert management or limit its flow upon reaching a certain threshold. This allows management to address abusive behaviors by certain users.
  • Page 117: Setting Up The Logging Infrastructure

    set interface eth0 transparent set interface eth0 zone trust set interface eth1 transparent set interface eth1 zone untrust set interface br0 ip 192.168.65.31/24 set interface br0 manage http Setting Up the Logging Infrastructure Use the following commands in network manager to review. For more information about CLI commands, see the CLI Command Reference Guide provided with your appliance.
  • Page 118 set alert conn-bandwidth "p2p-cb-alert" threshold 2000 action log always set dpi enable set dpi profile p2p-profile alert p2p-ab-alert set dpi profile p2p-profile add signature arestcp1 alert p2p-cb-alert set dpi profile p2p-profile add signature arestcp2 alert p2p-cb-alert...
  • Page 119: Setting Up Policies

    [NOTE] The process used to identify and handle peer-to-peer traffic is as follows: The packet arrives at the interface of the appliance and freedom9 validates whether a flow exists for the packet: • If the flow does not exist, then policy lookup is done on the packet. If the "dpi profile"...
  • Page 120: Alert Configuration

    Alert Configuration Policy Alerting To configure the Policy Alert with appropriate values for your network, you must first establish a baseline of typical traffic flows. In order to do this you can run a sniffer on eth0 (the interface bound to the Untrust zone) to monitor the number of new connection requests arriving every second for the server sitting on your eth1 (the interface bound to the Trust zone).
  • Page 121: Policy Configurator

    Lastly, the user can determine whether the alert should be generated once or always. When always is selected, the syslog message is sent one time, and a counter is incremented for every interval that goes over the threshold within the alert-record table. Policy Configurator After an alert is configured, the user can tie the alert to a specific policy.
  • Page 123: Snmp Mib Groups

    • Transmission group (Ethernet) (.1.3.6.1.2.1.10) (RFC 1643) • SNMP group (1.3.6.1.2.1.11) (RFC 1213) SNMP System Object ID (OID) The SNMP system OID is 1.3.6.1.4.1.29047. The Sub-OIDs for Slim 100 and FlowLine are: Table 8-1 SlimLine and FlowLine Sub IDs Appliance Family...
  • Page 124: Interface Group

    Object Name | Value Type: sysUpTime TimeTicks; sysContact DisplayString; sysName DisplayString; sysLocation DisplayString; sysServices DisplayString. Interface Group Table 8-3 shows the Interface Group.
  • Page 125: Ip Address

    IP Address Table 8-6 shows the IP Address table. Table 8-6 IP Address Object Name | Value Type: ipAdEntAddr IpAddress; ipAdEntIfIndex INTEGER; ipAdEntNetMask IpAddress; ipAdEntBcastAddr INTEGER; ipAdEntReasmMaxSize INTEGER. IP Route...
  • Page 126: Icmp Group Scalars

    ICMP Group Scalars Table 8-9 shows the ICMP Group Scalars table. Table 8-9 ICMP Group Scalars Object Name | Value Type: icmpInMsgs Counter32. SNMP Group...
  • Page 127: Transmission Group (Dot3Stats)

    Configuring SNMP on the Appliance The following SNMP attributes can be configured on the appliance. They include: • Community String—Allows the SNMP community string and host to be set on the Freedom9 Networks appliance. • UDP Listening Port—Sets the SNMP listening port on the Freedom9 Networks appliance.
  • Page 128: Enabling Snmp On A Specified Interface

    Type Host: 192.168.1.1 Enabling SNMP on a Specified Interface To allow the SNMP monitoring system to contact and pull the SNMP information from the Freedom9 Network appliance, SNMP must be enabled on that specified interface. set interface {interface name} manage snmp...
  • Page 129: Configuring The Snmp Community String

    Configuring the SNMP System Contact To configure the SNMP system contact use the set snmp contact command and specify the Freedom9 network appliance system contact. set snmp contact {contact_str} Deleting the SNMP System Contact To delete the SNMP system contact use the unset snmp contact command.
  • Page 130: Viewing The Snmp Settings

    Viewing the SNMP Settings To view the SNMP settings use the get snmp command with the settings option. This will display the current SNMP settings. cli-> get snmp settings Listening port: 161 System name: SlimLine Location: Lab Contact: Jon Smith...
  • Page 131: Viewing The Interface Statistics

    In get requests, In get nexts, In set requests, In get responses, In traps, Out too bigs, Out no such names, Out bad values, Out read onlys, Out gen errs, Out get requests, Out get nexts, Out set requests, Out get responses, Out traps, Silent drops, Proxy drops...
  • Page 132 dos icmp drops 0 | dos frag drops 0 dos udp drops 0 | dos other drops 0 in pkts 71367 | in bytes 6090575 in reassembled pkts 0 | in fragment timeout 0 in short frames 0 | in crc errors 0 in dropped vlans 0 | in arp pkts 157 in icmp pkts 0 | in tcp pkts 1450...
  • Page 133 GUI Example View the Interface Statistics for the eth0 interface Select Reports > Counters > Hardware. Select the Interface Eth0. Select the Go button.
  • Page 135: Security Zones

    100Mbps and 10Mbps half duplex are not supported. Security Zones Security zones are a logical grouping of physical and logical interfaces on a Freedom9 Networks appliance. A security zone can consist of one physical interface or a group of many physical and logical interfaces.
  • Page 136 zone, VLAN 200 and 210. The eth1 interface is configured in Untrust zone. Policies can be written to allow or deny traffic between zones.
  • Page 137: Creating And Modifying Custom Security Zones

    In addition to the four default zones, additional custom zones (refer to to further divide the internal network into more granular segments. Figure 9-4 Custom Security Zones Creating and Modifying Custom Security Zones This section describes how to create, modify, and delete a custom security zone. This section includes the following topics: •...
  • Page 138 Example: Deleting the “Sales” Security Zone unset zone sales save GUI Example: Deleting the “Sales” Security Zone Network >...
  • Page 139: Configuring Interfaces And Subinterfaces

    Configuring Interfaces and Subinterfaces To route VLAN traffic through the appliance, a subinterface is required. For every VLAN, a subinterface is configured on the corresponding physical interface of the Freedom9 Networks appliance. This section describes the commands used to configure interfaces, bind them to a security zone, and move them between zones.
  • Page 140: Moving Interfaces Between Security Zones

    set interface {interface name} zone {name_str} Example: Binding the eth0 Interface to the “Sales” Security Zone set interface eth0 zone sales save GUI Example: Binding the eth0 Interface to the “Sales”...
  • Page 141: Deleting Subinterfaces

    Once the subinterface is created, use the set interface command to add the subinterface to a zone: set interface {interface name} zone {name_str} Example: Configuring a Subinterface with IP Address and Zone Use the set interface command to create a subinterface for the VLAN with VLAN id 120 on the physical interface eth0.
  • Page 142: Configuring Nat-Enabled Mode

    Configuring NAT-Enabled Mode Interfaces configured with NAT-enabled mode translate the source IP address of all traffic to the IP address of the egress interface.
  • Page 143: Viewing Interface Information

    To change the interface mode from NAT Mode to Route Mode, use the set interface {interface name} route command. Example: Configure Route Mode Configure route mode on the eth0 and eth1 interfaces of the appliance displayed in Figure 9-7: set interface eth0 route set interface eth1 route save GUI Example: Configuring Route Mode...
  • Page 144: Configuring Transparent Mode

    • Management Options—Ping, ssh, http, https, snmp • Mode—NAT, route, transparent Use the get interface command to display information on a specific interface: get interface {interface name} Use the get interface all command to display information on all interfaces: get interface all...
  • Page 145: Transparent Mode Simple Deployment

    protocols can be passed seamlessly through the appliance. While in this mode the appliance can be further configured to bypass various network security functions that in some cases are not desired by the network/security administrator.
  • Page 146: Transparent Mode Vlan Filtering

    Freedom9 network appliance to inspect the VLAN traffic and be on the lookout for the 802.1q header. The Freedom9 network appliance then correlates the q tag to the configured Zone and applies the policy engine to this packet.
  • Page 147 VLAN 400: 172.27.16.0/24 VLAN 500: 10.0.200.0/24 In Figure 9-9 the Freedom9 network appliance will be in Transparent mode with multiple VLAN interfaces and Zones. This will give an administrator the ability to filter various source/destination addresses/zones based on the VLAN ID.
  • Page 148: Transparent Mode Simple Acl Functions

    Due to the nature of firewalls and packet filters, the option of enabling and disabling various security functions is somewhat limited. The Freedom9 network appliance provides the network administrator the option to bypass various security functions on the Freedom9 network appliance in order to accommodate their network needs.
  • Page 149 Ability to bypass/pass Unicast packets unset transparent bypass-unicast This command allows the bridging of non-IP unicast packets. The default behavior of the Freedom9 network appliance is to bypass (i.e., drop) such packets. GUI Example: Pass Unicast packets in Transparent Mode Policy >...
  • Page 150: Advanced Interface Settings

    Advanced Interface Settings If you choose to use advanced interface settings, you can modify the following elements of the appliance: •...
  • Page 151 Configuring Address Resolution Protocol (ARP) The Freedom9 network appliance keeps an active list of all hosts directly connected to any physical or logical interface in its ARP table. This table includes each host's IP address and Media Access Control (MAC) address.
  • Page 152: Enabling Interface Management

    Select the following, then click Apply: Management Option: Ping Setting the Interface Speed When you configure the Freedom9 network appliance, the interface auto-negotiates to 1000Mbps. To set the interface to support 100Mbps or 10Mbps, use the set interface command with the speed option.
  • Page 153: Static Routes

    The destination network, interface, and gateway define this route. Networks that are directly attached to an interface on the Freedom9 network appliance have an implicit route automatically created in the routing table. Networks without an implicit route require a static route that identifies the next hop gateway and interface to forward traffic going to the destination network.
  • Page 154: Deleting Static Routes

    set route 10.0.100.0/24 gateway 10.0.0.100 save GUI Example: Adding a Static Route Select Network > Routing Add Enter the following, then click Apply: Network address: 10.0.100.0 Netmask: 24 Interface: eth0 Gateway: 10.0.0.100 Deleting Static Routes Use the unset route command to delete a static route: unset route {ip_addr/mask} Modifying Static Routes...
  • Page 155: Displaying Route Information

    Use the set route command to define the default route for all traffic: set route 0.0.0.0/0 interface {interface name} gateway {ip_addr} Example: Setting the Default Route Configure the default route on the appliance in Figure 8.1 to use the eth1 interface and a gateway of 4.4.4.1, which is the IP address of the next hop gateway: set route 0.0.0.0/0 interface eth1 gateway 4.4.4.1 save...
  • Page 156 Use the get route command with the prefix option and ip_addr to display route information for a specific IP address: get route ip {ip_addr} GUI Example: Get Route All Select Network > Routing > Route Shows current routing information Figure 10-3 displays an example of the output that appears when you use the get route...
  • Page 157 Pre-defined Services This appendix lists all of the pre-defined services for the Freedom9 network appliance in Table A-1. These pre-defined services use the protocol numbers listed in Table A-2. Table A-1: Pre-defined Services Name Protocol DHCP-Relay FINGER FTP-Get FTP-Put GOPHER HTTP HTTPS ICMP-INFO...
  • Page 158 Name Protocol SNMP SYSLOG TALK TCP-ANY TELNET TFTP TRACEROUTE UDP-ANY UUCP VDO Live WINFRAME X-WINDOWS Use the protocol numbers listed in Table A-2. Table A-2: Protocol Numbers Protocol Protocol Number...
  • Page 159: Appendix B: Glossary

    Glossary 1000Base-T: The specification that describes the use of Gigabit Ethernet over copper Cat-5 wire. It defines data rates of 1 gigabit per second (Gb/s) over a distance not to exceed 100 meters. Advanced Encryption Standard (AES): An emerging encryption standard that can use a 128-, 192-, or 256-bit encryption key.
  • Page 160 thentication. ESP is defined as protocol 50. Ethernet: A local area network (LAN) technology developed by Xerox Corporation along with DEC and Intel in the 1970s. Ethernet is a best-effort technology that uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) technology.
  • Page 161 Ethernet address or a node on a LAN. When connected to the Internet, the MAC address tracks the IP address of a node. The Freedom9 network appliance software creates a table that references the MAC address to a known IP address.
  • Page 162 Subinterface: A logical segment for a physical connection. A subinterface allows administrators to split the bandwidth between multiple networks connected to the same physical port. On the Freedom9 network appliance, the IEEE standard 802.1Q is used to tag and identify the subinterface.
  • Page 163: Appendix C: Alphabetic Listing Of Log Messages

    Alphabetic Listing of Log Messages <name> is not connected ... 5-21 {admin|admin-r} has logged { on | out } from <ip_addr>...
  • Page 164 Failed to enable ppp in spu ... 5-22 Failed to get time of day ... 5-21 Failed to set rtc time...
  • Page 165 PPP session is <number>... 5-22 PPP: Interface is down ... 5-23 Received short packet ...
  • Page 167: Appendix D: Notification And Safety Statements

    Korea: Class A Digital Device Statement The following Class A warning applies to Freedom9 network appliance models that meet the Korean Class A requirement. Class A equipment (information and communication equipment for business use). This...
  • Page 168 This unit must be recycled or discarded according to applicable local and national regulations. Freedom9 Inc. encourages owners of information technology (IT) equipment that is no longer needed to properly recycle it in accordance with all applicable laws, ordinances and regulations.
  • Page 169 FCC Statement Modifications made to the product, unless expressly approved by Freedom9 Inc, could void the user's authority to operate the equipment. This device complies with Part 15 of the FCC Rules.
  • Page 170 Battery Statement

This manual is also suitable for: Slim 300, FSL100, FSL300M