3Com 3CR16110-95 User Manual

Firewall and firewall web site filter

SuperStack® 3 Firewall

User Guide

SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall Web Site Filter 3C16111
http://www.3com.com/
Part No. DUA1611-0AAA02
Published August 2001


Summary of Contents for 3Com 3CR16110-95

  • Page 1: User Guide

    SuperStack ® Firewall User Guide SuperStack 3 Firewall 3CR16110-95 SuperStack 3 Firewall Web Site Filter 3C16111 http://www.3com.com/ Part No. DUA1611-0AAA02 Published August 2001...
  • Page 2 Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
  • Page 3: Table Of Contents

    Automatic IP Address Sharing and Configuration Introduction to Virtual Private Networking (VPN) Virtual Private Networking INSTALLING THE HARDWARE Before You Start Positioning the Firewall Rack Mounting the Units Securing the Firewall with the Rubber Feet Firewall Front Panel Firewall Rear Panel...
  • Page 4 Using a Single Static IP Address Using Multiple Static IP Addresses Using an IP Address provided by a PPPoE Server Using a Static IP address provided by a DHCP Server Configuring LAN Settings Automatic LAN Settings Entering information about your LAN...
  • Page 5 Specifying When Filtering Applies Filtering Web Sites using a Custom List Setting up Trusted and Forbidden Domains Changing the Message to display when a site is blocked Updating the Web Filter Checking the Web Filter Status Downloading an Updated Filter List...
  • Page 6 Using the Firewall with the NBX 100 Business Telephone System ADVANCED SETTINGS Automatic Proxy/Web Cache Forwarding Deploying the SuperStack 3 Webcache as a Proxy of the Firewall Specifying Intranet Settings Installing the Firewall to Protect the Intranet Configuring the Firewall to Protect the Intranet...
  • Page 7 Using the Firewall with Check Point Firewall-1 Configuring the IRE VPN Client Configuring the Firewall Configuring the IRE VPN Client for use with the Firewall Setting up the GroupVPN Security Association Installing the IRE VPN Client Software Configuring the IRE VPN Client...
  • Page 8 LAN Users Cannot Access the Internet Firewall Does Not Save Changes Duplicate IP Address Errors Are Occurring Machines on the WAN Are Not Reachable Troubleshooting the Firewall VPN Client The IKE Negotiation on the VPN Client Restarting the Firewall with Active VPN Tunnel...
  • Page 9 CONCEPTS Introduction to TCP/IP IP and TCP IP Addressing Network Address Translation (NAT) Limitations of Using NAT Dynamic Host Configuration Protocol (DHCP) Port Numbers Well Known Port Numbers Registered Port Numbers Private Port Numbers Virtual Private Network Services Introduction to Virtual Private Networks...
  • Page 10 TECHNICAL SUPPORT Online Technical Services World Wide Web Site 3Com Knowledgebase Web Services 3Com FTP Site Support from Your Network Supplier Support from 3Com Returning Products for Repair INDEX REGULATORY NOTICES...
  • Page 11: About This Guide

    Firewall and how to install and use the SuperStack 3 Web Site Filter. The Firewall acts as a secure barrier to protect a private LAN from hacker attacks from the Internet. It can also be used to control the access that LAN users have to the Internet.
  • Page 12: How To Use This Guide

    Appendix B Cable Specifications. Appendix C Information about obtaining Technical Support. Appendix D Conventions Table 2 and Table 3 list conventions that are used throughout this guide. Table 2 Notice Icons Icon Notice Type Description Information note Information that describes important features or instructions.
  • Page 13: Terminology

    DoS Attacks — Denial of Service Attacks. An attempt to stop one of your services running, such as a Web or FTP server. There are several kinds of DoS attacks. IP address — The Internet Protocol address is the network layer address of a device assigned by the user or network administrator of an IP network.
  • Page 14 IP Spoof — A type of DoS attack. An IP spoof uses a fake IP address to bypass security settings which may bar access from the real IP address.
  • Page 15: Feedback About This User Guide

    Group Security Association but require an additional unique password for accounting and access. SYN Flood — A type of DoS attack. This is where a client opens a connection with a server but does not complete it. If the server queue fills up with partially-open connections, no other clients can make genuine connections to that server.
  • Page 16: Registration

    ABOUT THIS GUIDE Part Number DUA1611-0AAA02 Page 24 Do not use this e-mail address for technical support questions. For information about contacting Technical Support, see Appendix A. Registration To register your Firewall point your web browser to http://www.3com.com/ssfirewall click on Hardware Registration and follow the instructions.
  • Page 17: I Getting Started

    GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall...
  • Page 19: Introduction

    Firewall? network security system with all hardware and software pre-installed. This allows it to act as a secure gateway for all data passing between the Internet and the LAN. The purpose of the Firewall is to allow a private Local Area Network (LAN) to be securely connected to the Internet.
  • Page 20: Firewall And 3Com Network Supervisor

    INTRODUCTION The Demilitarized Zone (DMZ) port is used for public servers, such as Web or FTP servers. Machines attached to this port are visible from the WAN port, but are still protected from hacker attacks. Users on the secure LAN port can also access servers on the DMZ port.
  • Page 21: Firewall Features

    2 Click on the Policy button, after the Management screen appears. 3 Click on the User Privileges tab. 4 Add a user to the Current Privileges list. Enter the user name in the User field. 5 Click on Remote Access and click Update Privileges.
  • Page 22 LAN. This is known as stateful packet inspection. Users on the LAN have access to all resources on the Internet that are not blocked by any of the filters.
  • Page 23: Web Url Filtering

    See “Filter Settings” on page 162 for more information. You can create a list of all forbidden URLs to which you want to restrict access. Alternatively, you can restrict access to the Internet to certain trusted URLs.
  • Page 24: High Availability

    It can also track key events such as the top 25 most accessed Web sites, or the top 25 users of Internet bandwidth. You can also set up the Firewall to send an alert message through e-mail when a high-priority concern, such as a hacker attack, is detected.
  • Page 25: Introduction To Virtual Private Networking (Vpn)

    Introduction to Virtual Private Networking (VPN) NAT automatically translates multiple IP addresses on the private LAN to one public address that is sent out to the Internet. It enables the Firewall to be used with broadband modems such as the OfficeConnect Cable Modem, and with low cost Internet accounts where only one IP address is provided by the ISP.
  • Page 26 CHAPTER 1: INTRODUCTION terminating device at the other end of the tunnel must be using the same level and type of encryption. See “Configuring Virtual Private Network Services” on page 123 for more details.
  • Page 27: Installing The Hardware

    Appendix A of this User Guide. AVERTISSEMENT: Avant d’installer le Firewall, lisez les informations relatives à la sécurité qui se trouvent dans l’Appendice A de ce guide. VORSICHT: Bevor Sie den Firewall hinzufügen, lesen Sie die Sicherheitsanweisungen, die in Anhang A in diesem Handbuch aufgeführt sind.
  • Page 28: Positioning The Firewall

    Water or moisture cannot enter the case of the unit. Air flow around the unit and through the vents in the side of the case is not restricted. 3Com recommends that you provide a minimum of 25.4 mm (1 in.) clearance to each side of the unit.
  • Page 29: Securing The Firewall With The Rubber Feet

    Remove the self-adhesive pads from the underside of unit, if already fitted. 1 Place the unit the right way up on a hard, flat surface with the front facing towards you. 2 Locate a mounting bracket over the mounting holes on one side of the unit (refer to Figure 3).
  • Page 30 10BASE-T or 100BASE-TX port. 2 DMZ Port - Use a Category 5 cable with RJ-45 connectors. Use this port to connect the Firewall to any workstation, server, or network device that has a 10BASE-T or 100BASE-TX port.
  • Page 31: Firewall Rear Panel

    This LED flashes for about 90 seconds while self-test is running, and also when restarting. If you have installed a 3Com RPS unit with the Firewall and the RPS has a fault, the Power LED will flash to warn you. Once the fault on the RPS has been rectified, the Power LED will stop flashing.
  • Page 32: Attaching The Firewall To The Network

    Never connect two ports on the Firewall to the same physical network. For example, never connect the LAN and DMZ ports into the same device as this bypasses all firewall functions.
  • Page 33 CAUTION: Do not switch the Firewall off and on quickly. After switching it off, wait approximately five seconds before switching it on again. 7 Make sure that the Link LEDs are on for all ports that are connected. If not, see Chapter 12 for troubleshooting information.
  • Page 34 Chapter 11 for information about the Web Site Filter and Network Access Policy Rules. At frequent intervals, check the Firewall for the following: The Alert LED is not continuously lit — if it is, there are problems on your network. The case vents are not obstructed.
  • Page 35: Quick Setup For The Firewall

    Installation Wizard asks you questions about your network and configures the Firewall so that it works in your network. If you later move your Firewall to another network and want to use the Installation Wizard to configure the Firewall you can activate the Installation Wizard manually.
  • Page 36: Setting Up A Management Station

    1 Note the IP address and subnet mask of the Management Station. You will need to return your Management Station to these settings when you have finished using the Installation Wizard. 2 Change the IP address to a value within the Firewall’s default subnet. This will be a value between but not 192.168.1.1...
  • Page 37: Setting The Password

    Setting the Password Choose an administration password and enter it in the New Password and Confirm New Password fields. This will be used in conjunction with the User Name when logging on to the Firewall in the future. admin...
  • Page 38: Setting The Time Zone

    Figure 8 Set Password Screen Click the Next button to continue. Setting the Time Zone Select the Time Zone appropriate to your location and click the Next button to continue. The Time Zone you choose will affect the time recorded in the logs.
  • Page 39: Configuring Wan Settings

    Settings allocated an address for its WAN port. If the Firewall has been allocated an IP address then it will attempt to configure itself automatically. See “Automatic WAN Settings” below. If the Firewall has not been allocated an IP address then it will prompt you for the settings it requires.
  • Page 40: Manual Wan Settings

    If the Installation Wizard is unable to detect an automatic address server on the WAN Port or if the WAN port is not connected it will display a dialog box informing you of this and offer the choice of: Connecting your Firewall (if not already connected) and restarting the Installation Wizard.
  • Page 41: Using A Single Static Ip Address

    Configuring WAN Settings Using a Single Static IP Address — This address must be taken by the Firewall’s WAN port to allow devices connected to the LAN port to communicate with devices connected to the WAN port. Network Address Translation (NAT) will be enabled.
  • Page 42: Using Multiple Static Ip Addresses

    This may be a router, LAN modem or other device and must be in the same subnet as the WAN IP address of the Firewall. 3 Enter any DNS servers external to your network in the order that you want them to be accessed.
  • Page 43 This must be in the same address range as the WAN IP Address. 4 DNS Server Address — Enter the IP address of your ISP’s DNS server in this field. This will be used to resolve machine names to IP addresses. If you have access to additional DNS Servers, enter them in the Optional Second DNS Server Address and Optional Third DNS Server Address fields.
  • Page 44: Using An Ip Address Provided By A Pppoe Server

    Figure 15 below. Figure 15 Configuring the Firewall’s PPPoE settings Enter the User Name and Password as supplied by your ISP and click the Next button to proceed to the final part of the configuration. See “Configuring LAN Settings”...
  • Page 45: Entering Information About Your Lan

    If you are using NAT the Fill in information about your LAN screen will appear as shown in Figure 16 below. If you are not using NAT this screen will not appear as these settings will be the same as the WAN settings.
  • Page 46: Confirming Firewall Settings

    Figure 17 below. Figure 17 Configuring the Firewall’s DHCP Server If you want to use the Firewall as a DHCP server to automatically provide IP addresses for the computers on your LAN click the enable DHCP server box and set the range of addresses you want it to allocate.
  • Page 47 Confirming Firewall Settings Figure 18 Firewall Configuration Summary If you want to keep a hard copy of this page click the Print This Page button. To accept the settings click the Next button. To change the configuration of the Firewall click the Back button.
  • Page 48 Click the Restart button to complete the configuration of the Firewall using the Installation Wizard. The Firewall will take under a minute to restart during which time the Power/Self test LED will flash. When the Power/Self test LED stops flashing the Firewall is ready for use.
  • Page 49: Configuring The Firewall

    CONFIGURING THE FIREWALL Chapter 4 Basic Settings of the Firewall Chapter 5 Setting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapter 7 Setting a Policy Chapter 8 Advanced Settings Chapter 9 Configuring Virtual Private Network Services Chapter 10...
  • Page 51 Chapters 4 to 10 describe in detail, each of the management operations available from the Firewall’s web interface. You can access these operations using a Web browser. Refer to Figure 20 below for menu structure details of the Web interface of the Firewall. Figure 20 Tree Diagram of the menu structure...
  • Page 52: Examining The Unit Status

    Chapter 10 — “Configuring High Availability” describes the functions available in the High Availability menu of the Web interface. These functions allow you to set up a second SuperStack 3 Firewall as a live backup should your Firewall fail. Examining the Unit...
  • Page 53: Setting The Administrator Password

    Setting the Administrator Password From the General screen, select Set Password. A window similar to that in Figure 22 displays. If you are setting the password for the first time, the default password is “password”. Change the administrator password to keep the Firewall secure.
  • Page 54: Setting The Inactivity Timeout

    Select your time zone from the drop-down list box at the top of the screen. If you cannot find your time zone in the list, you should set this to the one with the same offset from GMT as is used at your location.
  • Page 55 Manual Time Set To set the time manually enter the date and time in the boxes at the bottom of the screen. Set the time in 24-hour clock, and use four digits...
  • Page 56: Changing The Basic Network Settings

    Choose NAT Enabled if you want to use a single IP address for accessing the Internet, or if you do not have an IP address allocated by your ISP for each machine that requires access to the Internet. NAT provides anonymity to machines on the LAN by connecting the entire network to the Internet using a single IP address.
  • Page 57: Specifying The Lan Settings

    For the LAN settings, specify: Firewall LAN IP Address. This is the IP address that is given to the Internet Firewall and used to access it for configuration and monitoring. Choose a unique IP address from the LAN address range.
  • Page 58: Specifying The Wan/Dmz Settings

    Connect/Disconnect Pressing the Connect button in the Network Addressing Mode Section will initiate a PPPoE session. If all fields have been entered correctly, the Firewall will connect to the Internet. You can terminate a PPPoE session by pressing the Disconnect button.
  • Page 59: Specifying The Dns Settings

    The DMZ is located between the local network and the Internet. Servers on the DMZ are publicly accessible, but they are protected from attacks such as SYN Flooding and Ping of Death. Use of the DMZ port is optional and you do not have to connect it.
  • Page 60: Setting Up The Dhcp Server

    From Address box and the ending address in the To Address box. You can specify up to 64 address ranges. Each of the servers on the DMZ needs a public IP address. Obtain these IP addresses from your ISP. Usually, the ISP can also supply information on setting up public Internet servers.
  • Page 61: Global Options

    LAN or if manual addressing is used on the LAN computers. Lease Time This is the amount of time that the IP address is leased, or given to the client machine before the DHCP server attempts to renew that address. If the client still requires the use of the IP address, the DHCP Server grants the client the use of that IP address for the same amount of time.
  • Page 62: Dynamic Ranges

    BASIC SETTINGS OF THE FIREWALL Subnet Mask Enter the Subnet mask for your network. This value will be given out by the DHCP server and will be used by client devices to determine the extent of your network. Domain Name...
  • Page 63: Static Entries

    IP address. For example, client machines running Web or FTP servers require static addresses. To create a static IP address to be assigned to a requesting client, type an IP address and the Ethernet (MAC) address of the client machine in the appropriate boxes and click Update.
  • Page 64: Using The Network Diagnostic Tools

    1 Select DNS Name Lookup from the Choose a diagnostic tool menu. 2 Type the host name to lookup in the Look up the name box and click Go. The Firewall then queries the DNS server and displays the result at the bottom of the screen.
  • Page 65 1 Select Find Network Path from the Choose a diagnostic tool menu. 2 Type the IP address of the device and click Go. The test takes a few seconds to complete. If the network path is incorrect, check the intranet, static route, and DMZ settings.
  • Page 66 Packet Trace requires an IP address. Use the Firewall’s DNS Name Lookup tool to find the IP address of a host. 1 Enter the IP address of the remote host in the Trace on IP address box, and click Start.
  • Page 67: Setting Up Web Filtering

    The menu is broken up into five sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab. The following sections are covered in this chapter:...
  • Page 68: Restricting The Web Features Available

    Restricting the Web Features Available The following is a list of the web features that you can control using the Web Filter. To allow your network to access a category leave the checkbox unchecked.
  • Page 69: Setting Blocking Options

    Web Proxy When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. This feature disables access to proxy servers located on the WAN. It has no effect on those located on the LAN.
  • Page 70: Specifying When Filtering Applies

    This function allows you to block specific web sites, or restrict access to a list of approved web sites. This is in addition to the Web Site Filter and overrides the more general Web Site Filter categories.
  • Page 71: Setting Up Trusted And Forbidden Domains

    Filtering Web Sites using a Custom List Figure 30 Custom List Window You can add or remove web sites from the Custom List. For example, if a local radio station runs a contest on its Web site that is disrupting normal classroom Internet use, a school’s Technology Coordinator can easily add...
  • Page 72: Changing The Message To Display When A Site Is Blocked

    Click this check box to make the Firewall allow Java, ActiveX and cookies from sites on the Trusted Domains list to the LAN. In certain cases, it may be desirable to allow Java, ActiveX or cookies from sites that are known and trusted.
  • Page 73: Updating The Web Filter

    Web Site Filter, you can specify that it is updated automatically every week for one year. It is important to note that host names, and not IP addresses, are used for all Internet filtering functions for two reasons:...
  • Page 74: Downloading An Updated Filter List

    Automatic Download Check this box to enable automatic, weekly updates to the Web Site Filter. Also, select the day of the week and the time of the day to download the new list. A valid Web Site Filter subscription is required.
  • Page 75: Blocking Websites By Using Keywords

    Blocking Websites by using Keywords Click Filter and then select the Keywords tab. A window similar to that in Figure 32 displays. Figure 32 Keywords Window You can block Web URLs that contain specified keywords. This functions as a second line of defense against objectionable material.
  • Page 76: Configuring User Consent Settings

    Acceptable Use Policy before you allow them to browse the Web any further. Click Filter, and then select the Consent tab. A window similar to that in Figure 33 displays. Figure 33 Consent Window...
  • Page 77: Mandatory Filtered Ip Addresses

    Internet with or without filtering. Create this page in HTML. It may contain the text from, or links to your company’s Acceptable Use Policy (AUP). You must include in this page links to two pages contained in the Firewall which, when selected, tell the Firewall if the user wishes to have filtering enabled or disabled.
  • Page 78 (Mandatory Filtering field. You must include a link in this page to: 192.168.1.254/iAcceptFilter.html If you have changed the IP address of the Firewall use the IP Address of the Firewall instead of 192.168.1.254. Click the Update button to save your changes.
  • Page 79: Using The Firewall Diagnostic Tools

    Tools menu. Each menu is broken up into sections shown in the user interface as tabs. To access a command click on either Log or Tools on the left hand side of the screen and then on the appropriate tab.
  • Page 80: Viewing The Log

    Administrator logins Successful/unsuccessful loading of the Web Site Filter Viewing the Log To view the log click Log and then select the View Log tab. A window similar to that in Figure 34 displays. Figure 34 View Log Window The log is usually displayed as a list in a table, but may appear differently depending on the browser used.
  • Page 81 If the packet was ICMP, the number in parentheses is the ICMP code. The address information is usually preceded by the name of the service described by either the TCP or UDP port, or the ICMP type in quotation marks.
  • Page 82: Changing Log And Alert Settings

    If the log message calls the attack ”probable”, contact the ISP to see if they can track down the source of the attack. In either case, the LAN and DMZ are protected and you do not need to take further steps.
  • Page 83: Sending The Log

    Internet. If you leave this box blank, log and alert messages are not sent via e-mail. Send Log To This is the e-mail address to which log files are sent and must be a fully qualified address, for example, username@3Com.com. Once sent, the log...
  • Page 84: Changing The Log Automation Settings

    If the weekly option is selected, then also specify which day of the week the e-mail is to be sent. If the weekly or daily option is selected and the log fills up, it is automatically e-mailed to the...
  • Page 85: Selecting The Categories To Log

    Changing Log and Alert Settings When log overflows In some cases, the log buffer may fill up, which can happen if there is a problem with the mail server and the log cannot be successfully e-mailed. By default the Firewall overwrites the log and discards its contents. As a security measure, you can choose to shut down the Firewall, which prevents any further traffic from traveling through without being logged.
  • Page 86: Alert Categories

    Alerts are events, such as an attack, which may warrant immediate attention. When an event generates an alert, a message is immediately sent to the e-mail account defined in the Send alerts to box on the Log Settings window (see page 82).
  • Page 87: Generating Reports

    Top 25 most accessed Web sites Top 25 users of bandwidth by IP address Top 25 services that consume the most bandwidth Click Log and then select the Reports tab. A window similar to that in Figure 36 displays. Figure 36 Reports Window...
  • Page 88: Viewing Report Data

    URL for the 25 most accessed Web sites and the number of hits to that site during the current sample period. Use the Web Site Hits report to ensure that the majority of Web access is to sites considered applicable to the primary business function. If leisure, sports, or other similar sites are on this list, it may signal the need to change or more strictly enforce the organization’s Acceptable Use Policy.
  • Page 89: Restarting The Firewall

    Acceptable Use Policy. Restarting the Firewall To restart the Firewall: 1 Click Tools and select the Restart tab. A window similar to that in Figure 37 displays. Figure 37 Restart Window 2 Click Restart SuperStack 3 Firewall. 3 Click Yes to confirm the restart and send the restart command to the Firewall.
  • Page 90: Managing The Firewall Configuration File

    When the Front Panel Power LED stops flashing you can refresh your browser. To reset the Firewall clearing it of all settings see “Resetting the Firewall” on page 162 for details. Managing the Firewall Configuration File The Configuration tool allows you to save and restore the configuration settings of the Firewall.
  • Page 91: Importing The Settings File

    Figure 39 Import Window 2 Click Browse to find a file which was previously saved using Export. You may need to set File type to *.* to be able to see the .exp file you exported. 3 Once you have selected the file, click Import.
  • Page 92: Exporting The Settings File

    FIREWALL DIAGNOSTIC TOOLS Exporting the Settings File You can save the Firewall configuration settings to a file on a local system and then reload those settings. 1 Click Export. A window similar to that in Figure 40 displays. Figure 40 Export Window 2 Choose the location to save the settings file.
  • Page 93 The Firewall checks to see if new firmware is available for download on a weekly basis. If there is a new firmware release, you can configure the Firewall to send an e-mail notification to the address in the Send log to box.
  • Page 94 Figure 43 Firmware Upload Window 3 Click Browse... and select the firmware file you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN. 4 Click Upload to begin the upload. Make sure that your Web browser supports HTTP uploads.
  • Page 95 Upgrading the Firewall Firmware interrupted this way, it may result in the Firewall not responding to attempts to log in. If your Firewall does not respond, see Chapter 12, “Troubleshooting Guide”. 5 Restart the Firewall for the changes to take effect.
  • Page 96 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS...
  • Page 97: Setting A Policy

    The menu is broken up into sections shown in the user interface as tabs. To access a command click on Policy on the left hand side of the screen and then on the appropriate tab. The following sections are covered in this chapter:...
  • Page 98: Amending Network Policy Rules

    LAN cannot access servers of that type on the Internet. The default value is enabled. When the Warning Icon is displayed to the right of the check box, there is a Custom Rule in the Rules tab section that modifies the behavior of the listed Network Access Rule.
  • Page 99: Changing Netbios Broadcast Settings

    Changing Policy Services DMZ In Checkbox If you are using the DMZ port on the Firewall access to the protocol is not permitted from the Internet to the DMZ when this check box is cleared. When the service is selected, users on the Internet can access all hosts on the DMZ via that protocol.
  • Page 100: Enabling Stealth Mode

    IPSec packets are being blocked check the Over IPSec box. Setting the Network Connection Inactivity Timeout If a connection to a server outside the LAN remains idle for more than 5 minutes (default value), the Firewall closes the connection. This is done for security purposes.
  • Page 101: Adding And Deleting Services

    Adding and Deleting Services If a protocol is not listed in the Services window, you can add the service. Click Policy, and then select the Add Service tab. A window similar to that in Figure 45 displays.
  • Page 102 CHAPTER 7: SETTING A POLICY The new service appears in the list box to the right, along with its numeric protocol description. Note that some well-known services add more than one entry to the list box. Adding a Custom Service To add a custom service: 1 From Add a known service drop-down list, select Custom Service.
  • Page 103: Editing Policy Rules

    The Current Network Policy Rules table is an extension of the Services display covered in “Changing Policy Services” on page 97. In this display you will see the default rules and any rules you have created. You can use this screen to fine-tune services and add exceptions.
  • Page 104 3 A single IP address is more specific than an IP address range. Action The Action for a rule can be set to either Allow or Deny traffic across the Firewall. For security reasons common protocols are often denied and more specific rules created to describe where these protocols are used legitimately.
  • Page 105 To deactivate a rule clear the checkbox. Edit (no column heading) To Edit the settings for a rule click on the icon of a pencil and paper for the rule you want to edit. Clicking on the icon will bring up the Edit Rule window where you can make the changes you need.
  • Page 106: Adding A New Rule

    Adding a New Rule To add a new rule click on the Add New Rule button and fill in the fields that you want to change. To keep the field general rather than use a specific value leave the field at its default value.
  • Page 107 Including non-alphanumeric ASCII characters in words, such as so#n&c Passwords are case sensitive. 4 Choose the privileges to be enabled for the user by selecting one or both check boxes. Two options are available: Remote Access Unrestricted access to the LAN from a remote location on the Internet.
  • Page 108: Establishing An Authenticated Session

    Establishing an Authenticated Session Authenticated Sessions allow a user on the Internet to access the LAN without restrictions, or allow a user on the LAN to access the Internet without restrictions, bypassing the Web Site Filters. Make sure that the Web browser software being used to establish an authenticated session supports Java, JavaScript or ActiveX scripting.
  • Page 109: Setting Management Method

    Click the button labeled Policy on the left side of the browser window and then click the tab labeled Management at the top of the window. A window similar to the following displays. Figure 48 Policy Management Window The first step in setting up the management of the Firewall is selecting the managing method to be used.
  • Page 110: Selecting Remote Management

    Internet. If you wish to use NBX System phones on the WAN or DMZ ports of the Firewall, then you must open a specific port on the Firewall. Do this by following these simple steps: 1 Access the Web interface from a Web browser.
  • Page 111: Advanced Settings

    Advanced menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab. The following sections are covered in this chapter:...
  • Page 112: Deploying The Superstack 3 Webcache As A Proxy Of The Firewall

    The Firewall can also be used to forward all Web (HTTP) traffic to a Web Cache on the network. The Web Cache can be placed either on the WAN or the DMZ side of the Firewall. The installation is the same as for a Proxy Server. See below.
  • Page 113 1 Install the Webcache as described in the Superstack 3 Webcache User Guide (DUA1611-5AAA0x) taking into account any safety information. a Install the Webcache on a Hub or Switch connected to the DMZ port of the Firewall. Use the LAN port of the Webcache for this connection.
  • Page 114: Specifying Intranet Settings

    HTTP requests for external URLs and will forward the traffic to the Webcache. Specifying Intranet Settings In some cases, it is desirable to prevent access to certain resources by unauthorized users on the LAN. For example, a school’s administration office may be placed behind the Firewall to restrict access to its computers by users in the Student Computer Lab.
  • Page 115: Installing The Firewall To Protect The Intranet

    1 Connect the Ethernet port labeled LAN on the front of the Firewall to the network segment that will be protected against unauthorized access. 2 Connect the Ethernet port labeled WAN on the front of the Firewall to the rest of the network.
  • Page 116 Firewall’s LAN port. Use this method in cases such as a small accounting office in a large LAN, where it may be easier to identify the small number of machines with restricted access rather than the larger number of machines on the corporate network.
  • Page 117: Setting Static Routes

    Click Update to save the configuration. Specified address ranges are attached to the LAN link — Select this when it is easier to specify which devices are on the LAN. If a machine’s IP address is not specified, all communications through the Firewall for that machine are blocked.
  • Page 118 Chapter 8: Advanced Settings Figure 53 Isolating a network using a second router To configure static routes click Advanced and then select the Static Routes tab. A window similar to that in Figure 54 displays. Figure 54 Static Routes Window...
  • Page 119: Setting Up One-To-One Nat

    Setting up One-to-One NAT The IP Address and Subnet on the Firewall’s LAN port are shown at the top of the window. See “Specifying the LAN Settings” on page 57 to change these settings. DMZ/WAN The IP addresses of the DMZ, if appropriate, and WAN ports are shown.
  • Page 120 LAN Server You cannot include the Firewall WAN IP Address in a range. To set up One-to-One NAT click Advanced, and then select the One-to-One NAT tab. A window similar to that in Figure 55 displays. Ensure that NAT is enabled before configuring One-to-One NAT. See “Setting the Network Addressing Mode”...
  • Page 121 Private Range Begin Type the beginning IP address of the private address range being mapped in the Private Range Begin box. This is the IP address of the first machine being made accessible from the Internet. Do not include the Firewall WAN IP Address in any range.
  • Page 122 Chapter 8: Advanced Settings...
  • Page 123: Configuring Virtual Private Network Services

    The menu is broken up into sections shown in the user interface as tabs. To access a command click on VPN on the left hand side of the screen and then on the appropriate tab. The following sections are covered in this chapter:...
  • Page 124: Changing The Global Ipsec Settings

    Unique Firewall Identifier The Unique Firewall Identifier is used to identify the Firewall within a network. To change the value enter a string of numbers and letters in the Unique Firewall Identifier field and click Update. The Unique Firewall Identifier defaults to the serial number of the Firewall.
  • Page 125: Viewing The Current Ipsec Security Associations

    Firewalls. Enable this check box if “Fragmented IPSec packet dropped” messages appear in the Event Log. Click the Update button to save your changes. The Current IPSec Security Associations section of the VPN Summary...
  • Page 126: Adding/Modifying Ipsec Security Associations

    Secret) is the default keying mode and offers more security than a Manual Key. Manual Key does not offer as high a level of security as IKE but is compatible with a wider range of VPN devices. This option is not available when using GroupVPN.
  • Page 127: Security Policy

    If the client does not have a fixed IP address leave this field blank. This field is not available when using GroupVPN and should be left blank if you are setting up a SA for VPN clients which do not have a fixed IP address. Security Policy The options in the Security policy area of the screen relate to the current Security Association being created/modified.
  • Page 128 VPN negotiation time. This setting is not available if the IPSec Keying Mode is set to Manual Key. SA Life time (secs) The SA Life time (secs) field allows you to specify the number of seconds you want a Security Association to last before new encryption and authentication keys must be exchanged.
  • Page 129 Configuring a VPN Security Association The Incoming SPI and Outgoing SPI are only used when Manual Keying is employed. These fields do not appear when using IKE as your IPSec Keying Mode. Encryption Method The Firewall supports seven encryption methods for establishing a VPN...
  • Page 130 Select your preferred method from the Encryption Method drop-down box. Shared Secret A shared secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of...
  • Page 131: Setting The Destination Network For The Vpn Tunnel

    VPN tunnel. Enter your chosen shared secret in the Shared Secret field. This setting is not available if the IPSec Keying Mode is set to Manual Key. Encryption Key The Encryption Key is a hexadecimal number that is used to encrypt the VPN tunnel when using Manual Keying.
  • Page 132: Configuring The Firewall To Use A Radius Server

    To enter a non-contiguous range enter each block of addresses separately. Deleting a Network Range To delete a network range click on the icon of the trash can next to the range you want to delete and confirm your decision when asked. Editing a Network Range To edit a network range click on the icon of the pencil and paper next to the range you want to edit.
  • Page 133: Changing Radius Server Details

    Secondary Server fields. Name or IP Address Enter the DNS name or IP address of your RADIUS server in the Name or IP Address field. Using the name of the server allows you to change its address without reconfiguring the Firewall.
  • Page 134: Using The Firewall With Check Point Firewall-1

    Since VPN standards are still evolving, different vendors' implementations are not always fully interoperable. Ideally, a firewall should be adaptable to support all of the VPN products it may encounter, but not all do. The VPN features of the Firewall provide interoperability with many different vendors.
  • Page 135 Select External for the Location Option h Press the OK button when finished. 3 For easier management, you should create a group and place all objects that are protected by the remote Firewall in that group. a Press the New button and select the Group option.
  • Page 136 The Encryption Key and SPI Key number must match the settings on the remote Firewall for the VPN to work. 6 Now you must create a rule to allow the Check Point Firewall to exchange IPSEC packets with the remote Firewall.
  • Page 137: Configuring The Firewall

    11 Press the OK button when finished with the IPSec properties and press the OK button when finished with the Encryption properties. 12 From the Policy menu, select Install to activate the security policy. The VPN tunnel will function once the remote Firewall has been configured with a corresponding security association.
  • Page 138: Setting Up The Groupvpn Security Association

    “Configuring the Firewall to use a RADIUS Server” on page 132. 4 If you do not have a RADIUS server or do not wish to use your RADIUS server to authenticate users ensure that the Require XAUTH/RADIUS checkbox is not ticked.
  • Page 139: Installing The Ire Vpn Client Software

    Configuring the IRE VPN Client for use with the Firewall Installing the IRE VPN Client Software 1 Insert the CD that came with the Firewall into your CD-ROM Drive. 2 Go to the VPN CLIENT directory on the CD. 3 Double-click setup.exe and follow the VPN client Setup program's...
  • Page 140 5 Close the Security Policy Editor saving changes when prompted. 6 Delete the export file from the hard drive if it was previously copied there. The client is now set up to access your network safely across the Internet.
  • Page 141: Configuring High Availability

    Availability menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on High Availability on the left hand side of the screen and then on the appropriate tab. The following sections are covered in this chapter:...
  • Page 142: Network Configuration For High Availability Pair

    Firewalls together as this will compromise the security of your network. All Firewall ports being used must be connected together with a hub or switch. Each Firewall must have a unique LAN IP Address on the same LAN subnet. If each Firewall has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.
  • Page 143: Configuring High Availability On The Primary Firewall

    Click the High Availability button on the left side of the Firewall browser window, and then click the Configure tab at the top of the window. A window similar to the following displays.
  • Page 144: Configuring High Availability On The Backup Firewall

    Firewalls in the High Availability pair. To do this: 1 Log into the primary Firewall. Click the Tools button on the left side of the browser window and then click the Configuration tab at the top of the window.
  • Page 145: Making Configuration Changes

    Making Configuration Changes 4 Log into the backup Firewall. Click the Tools button on the left side of the browser window, and then click the Configuration tab at the top of the window. Next, click the Import button. 5 Click the Browse button and select the file that was previously saved using the Export button.
  • Page 146: Checking High Availability Status

    Availability status page for the High Availability pair. To view the High Availability status window, it is necessary to log into the primary Firewall’s LAN IP Address. Click the High Availability button on the left side of the browser window and then click the Configuration tab at the top of the window.
  • Page 147: E-Mail Alerts Indicating Status Change

    Idle. If the backup has taken over for the primary, this window will indicate that the backup is currently Active. In the event of a failure in the primary Firewall, you may access the Web interface of the backup Firewall at the primary Firewall’s LAN IP Address or at the backup Firewall’s LAN IP Address.
  • Page 148: Forcing Transitions

    Firewall. This may be accomplished by disconnecting the active Firewall’s LAN port, by shutting off power on the currently active unit, or by restarting it from the Web interface. In all of these cases, heartbeats from the active Firewall will be interrupted, which will force the currently Idle unit to become Active.
  • Page 149 Forcing Transitions CAUTION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from the backup unit after the restart is complete.
  • Page 150 Chapter 10: Configuring High Availability...
  • Page 151: Administration And Troubleshooting

    Administration and Troubleshooting Chapter 11 Administration and Advanced Operations Chapter 12 Troubleshooting Guide...
  • Page 153: Administration And Advanced Operations

    Web Site Filter SuperStack 3 Firewall with enhanced Internet filtering capabilities. It can control access from the LAN to thousands of Web sites that might be deemed inappropriate for business use. Twelve selectable Web site categories are provided so Internet access can be tailored to the needs of the organization.
  • Page 154 Administration and Advanced Operations In evaluating a site for inclusion in the list, the team consider the effect of the site on a typical twelve year old searching the Internet unaccompanied by a parent or educator. Any easily accessible pages with graphics, text or audio which fall within the definition of the categories below will be considered sufficient to place the source in the category.
  • Page 155 Satanic/Cult: Satanic material is defined as: Pictures or text advocating devil worship, an affinity for evil, or wickedness. A cult is defined as: A closed society, often headed by a single individual, where loyalty is demanded, leaving may be punishable, and in some instances, harm to self or others is advocated.
  • Page 156: Activating The Web Site Filter

    The Firewall’s serial number is printed on the bottom of the Firewall and is also displayed at the top of the Status window in the Web interface. 4 In the Activation Key box, type the key supplied with the Web Site Filter. 5 Click Activate.
  • Page 157: Using Network Access Policy Rules

    Internet to an internal Notes server. Is the intent of the rule to allow or deny traffic? What is the flow of the traffic: from the LAN to the Internet, or from the Internet to the LAN? List which IP services will be affected.
  • Page 158: Understanding The Rule Hierarchy

    From the Service menu, select the IP protocol, as defined by item 4 in the “Using Network Access Policy Rules” on page 157. If the protocol is not listed, it is necessary to first define it in the Add Service window. c Source There are three parameters to configure for the Source item.
  • Page 159: Examples Of Network Access Policies

    1 For the Action, choose Deny. 2 From the Service list, choose NNTP. If the service is not listed in the menu, add it in the Add Service window. 3 Select LAN from the Source Ethernet list. 4 Since all computers on the LAN are to be affected, enter in the Source Addr.
  • Page 160 Range End box. 5 Select WAN from the Destination Ethernet list. 6 Since the intent is to allow a ping only to the Firewall, enter the Firewall’s LAN IP Address in the Destination Addr. Range Begin box. 7 Click Add Rule.
  • Page 161 IKE negotiations. Protocols/Services to Filter Although the Firewall is shipped in a safe mode by default, the user can alter the Policy Rules and potentially cause the Firewall to be vulnerable to attacks. Therefore, before any modifications are made, the user should be aware of which services are of most risk to the private LAN.
  • Page 162: Resetting The Firewall

    Firewall, but also erases the current copy of the firmware from the unit. For this reason, 3Com recommends that you save your firewall settings on a regular basis, and that you also have a copy of the latest firmware available locally. A copy is available on the companion...
  • Page 163: Resetting The Firewall

    Resetting the Firewall To reset the Firewall: 1 Disconnect the power from the Firewall. 2 Using a blunt pointed object, fully press in the reset button on the back panel. 3 Whilst holding this button in, reconnect the power to the unit.
  • Page 164: Direct Cable Connection

    Make sure that you are using a browser that supports HTML uploads, otherwise you cannot upload the firmware. 2 In the box labeled Please select a firmware file, type in the full file and path name of the firmware image that you want to upload to the unit.
  • Page 165: Direct Connection Instructions

    Administrator Password. Though this is more an academic than a practical issue, using the Direct Connection option to set the password for the first time may be advisable if this is a concern. Direct Connection Instructions To connect a management station directly to the firewall follow the steps below.
  • Page 166 Chapter 11: Administration and Advanced Operations...
  • Page 167: Troubleshooting Guide

    Make sure that all equipment is switched on. Switch off the Firewall, wait approximately 5 seconds, and then switch it back on. Wait for the Power LED to stop flashing (approximately 90 seconds). CAUTION: The contents of the log are lost when resetting the Firewall. If you are trying to diagnose a repeating problem examine the log before resetting the Firewall.
  • Page 168: Power Led Flashes Continuously

    Diagrams” on page 187 for more information. Try replacing the cable with a known good cable. Try using a standard CAT-5 cable. If the problem is on the LAN or DMZ port, try setting the Uplink/Normal switch to the alternative position.
  • Page 169: Lan Users Cannot Access The Internet

    Click Reload or Refresh in the Web browser and try again. For security reasons, the Firewall sends a slightly different Authentication page each time you log in to the Web interface. If the password you use does not allow access to the Firewall, it might be because the browser is displaying a cached copy of the page instead of the current page.
  • Page 170: Machines On The Wan Are Not Reachable

    VPN Client Viewer will display detailed error messages. To access the Log Client Viewer, select and right click on the icon in the Windows Task Bar and then select Log Viewer. To view Log messages, try to initiate a VPN session, either by attempting to log into the remote Firewall Web interface, or by pinging a machine on the remote network.
  • Page 171: Restarting The Firewall With Active Vpn Tunnel

    An easy way to restart the negotiation on the client side is to click on the floppy disk icon at the top of the Security Policy Editor screen.
  • Page 172: Frequently Asked Questions About Pppoe

    Why are ISPs using PPPoE in their broadband services? The theory is that PPPoE makes it easier for the end user of broadband services to connect to the Internet by simulating a Dial-up connection. The ISP realizes significant advantages because much of the existing Dial-up infrastructure (billing, authentication, security, etc.) can be used...
  • Page 173: Firewall And

    Firewall and Networking Concepts Chapter 13 Types of Attack and Firewall Defences Chapter 14 Networking Concepts...
  • Page 175: Types Of

    The consequences of an attack range from the loss of a few seconds of time on a web server or network to the crash of a server. In the worst case the attacker can learn enough about your company infrastructure and exploit its vulnerabilities to crash any server at will.
  • Page 176: Syn Flood Attack

    The results of a smurf attack range from slowing of the network to the crashing of the victim devices. Firewall Response as Amplifier: Spoofed IP address is detected and packet is dropped.
  • Page 177: Port Scanning

    Firewall Response: None - the Firewall will allow port scanning but will log all port scans to aid diagnosis. Ports not in use will be disabled by the Firewall. IP Spoofing IP Spoofing is a method of masking the identity of an intrusion by making it appear that the traffic came from a different computer.
  • Page 178 Chapter 13: Types of Attack and Firewall Defences...
  • Page 179: Networking Concepts

    Internet. IP Addressing To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication.
  • Page 180 There are three classes of IP addresses: A, B, and C. Like a main business phone number that one can call and then be transferred through interchange numbers to an individual’s extension number, the different classes of IP addresses provide for varying levels of interchanges or subnetworks and extensions or device numbers.
  • Page 181 The subnet mask used for the network typically corresponds to the class of IP address assigned. If the IP address is Class A, use a subnet mask of 255.0.0.0. Class B addresses use a subnet mask of , and...
  • Page 182: Network Address Translation (Nat)

    If you use some other arbitrary range, then there is the chance that the range is actually in use by someone else on the Internet. If this is the case, you will not be able to access their sites from your LAN.
  • Page 183: Dynamic Host Configuration Protocol (Dhcp)

    A DHCP server provides a dynamic, “leased” address to a DHCP client. This means that the client will be able to use the provided IP address for a certain period of time. The DHCP server will not give this address to a different client during the lease period, thus ensuring that there are no address conflicts.
  • Page 184: Port Numbers

    Numbers can be used by ordinary user processes or programs executed by ordinary users. While the IANA cannot control uses of these ports, it does list uses of these ports as a convenience. The Registered Ports are in the range 1024–49151.
  • Page 185: Introduction To Virtual Private Networks

    Data that is intended for delivery to a remotely connected site is automatically encrypted using the VPN’s accelerated cryptographic processor. The data is delivered via the Web and decrypted at the intended destination.
  • Page 186: Basic Vpn Terms And Concepts

    Accessing Machines Using Private Addressing behind NAT When NAT (Network Address Translation) is enabled, remote users are not able to access hosts on the LAN unless the host is designated a Public LAN Server for that specific protocol. Since the VPN Tunnel terminates inside the LAN, remote users will be able to access all computers that use private IP addresses on the LAN.
  • Page 187 Asymmetric cryptography is often referred to as public key cryptography. With public key, each user gets a pair of keys, one called the public key and the other called the private key. The private key, which is to be kept secret, is always linked mathematically to the public key. All communications involve only public keys;...
  • Page 188 3Com's ARCFour Key must be exactly 16 characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f. Security Parameter Index (SPI) The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote Firewall to the local Firewall.
  • Page 189 The SPI must be unique, is from one to eight characters long, and is comprised of hexadecimal characters. Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f. The range from “0” to “ff” inclusive is reserved by the Internet Engineering Task Force (IETF) and is not allowed for use as an SPI.
  • Page 190 Chapter 14: Networking Concepts...
  • Page 191: Appendices

    Appendices Appendix A Safety Information Appendix B Technical Specifications and Standards Appendix C Cable Specifications Appendix D Technical Support Index Regulatory Notices...
  • Page 193: A Safety Information

    WARNING: To ensure compliance with international safety standards, only use the power adapter that is supplied with the unit. WARNING: The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.
  • Page 194: Important Safety Information

    Safety Information WARNING: There are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical problem with the unit that cannot be solved with problem solving actions in this guide, contact your supplier. WARNING: Disconnect the power adapter before moving the unit.
  • Page 195: Important Safety Instructions

    Important Safety Instructions CAUTION: There are no user-replaceable or user-serviceable parts inside the unit. If you have a problem with the switch that cannot be resolved using the troubleshooting in this guide, contact your supplier.
  • Page 196 Safety Information WARNING: The unit operates at a safety extra-low voltage that complies with IEC 950. These conditions are maintained only if the equipment to which it is connected operates under the same conditions. WARNING: There are no user-replaceable or user-serviceable parts...
  • Page 197: Technical Specifications And Standards

    Depth: 230 mm (9.0 in.) Height: 44 mm (1.7 in.) or 1 U Weight: 2.55 kg (5.6 lb) Mounting: Free standing, or 19in. rack mounting using the mounting kit supplied Capacity Maximum Number of Simultaneous IP Connections: 30,000 Maximum Number of Security Associations: 1,000...
  • Page 198 ISO/IEC 8802-3, IEEE 802.3, ICSA Firewall Certification Safety UL1950, EN 60950, CSA 22.2 #950, IEC 950 EN55022 Class A, EN 50082-1, FCC Part 15 Part Class A, ICES-003 Class A, VCCI Class A, EN 55024, CNS 13438 Class A Environmental...
  • Page 199: Cable Specifications

    Figure 66 and Figure 67 below show the pin connections when using a straight through Category 5 cable. This is the standard cable used for Ethernet and Fast Ethernet. Figure 66 Connecting the Firewall to a hub or switch using a straight through cable Firewall...
  • Page 200 Category 5 cable. It is not necessary to use a crossover cable with your Firewall as the Normal/Uplink switch beside each port serves the same purpose. Figure 68 Connecting the firewall to a hub or switch using a crossover cable Firewall Network Device...
  • Page 201: Technical Support

    Knowledgebase is updated daily with technical information discovered by 3Com technical support engineers. This complimentary service, which is available 24 hours a day, 7 days a week to 3Com customers and partners, is located on the 3Com Corporation World Wide Web site at:...
  • Page 202: 3Com Ftp Site

    3Com FTP Site Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week. To connect to the 3Com FTP site, enter the following information into...
  • Page 203 Diagnostic error messages Details about recent configuration changes, if applicable Here is a list of worldwide technical telephone support numbers. These numbers are correct at the time of publication. Refer to the 3Com Web site for updated information. Country Telephone Number...
  • Page 204: Returning Products For Repair

    525 201 0004 Peru 511 241 1691 Uruguay 525 201 0004 Venezuela 525 201 0004 From the following countries, you may call the toll-free numbers; select option 2 and then option 2: Austria 0800 297468 Belgium 0800 71429 Denmark 800 17309...
  • Page 205 Returning Products for Repair Country Telephone Number Fax Number U.S.A. and Canada 1 800 NET 3Com 1 408 326 7120 (1 800 638 3266) (not toll-free) Enterprise Customers: 1 800 876 3266...
  • Page 206 Appendix D: Technical Support...
  • Page 207 DoS diagram authenticated management session deleting authentication services updating users users automatic IP address sharing and configuration Demilitarised Zone Port automatic LAN settings demilitarized zone port automatic WAN settings Denial of Service Attacks Denial of Service attacks IP Spoofing...
  • Page 208 LAN settings configuring WAN settings manual WAN settings setting password factory defaults, restoring 92, 162 Installation Wizard Welcome Screen features installing automatic IP address sharing and using the rubber feet configuration Internet firewall security filtering 23, 153 Internet filtering filtering, overview...
  • Page 209 23, 103 keyword creating field examples hierarchy Network Address Translation network configuration diagram port Network News Transfer Protocol static route settings network protocols. See protocols users Network Supervisor, 3Com LAN settings network supplier support configuring Network Time Protocol using Installation Wizard...
  • Page 210 PPPoE setting protocols admin password proxy Web server clock public servers, DMZ port password using Installation Wizard setting up a Management Station settings, reloading quick setup setup, quick siting the Internet Firewall software, upgrading specifications rack mounting technical RADIUS...
  • Page 211 The Learning Company configuring tools using Installation Wizard diagnostics Web features, restricting DNS Name Lookup web filtering Packet Trace web management interface, access lost Ping web proxy, disabling top Web site hits Web Site Filter troubleshooting activating Alert LED subscribing...
  • Page 212 Index...
  • Page 213 If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient the receiving antenna.
