List of Figures
Figure 1-1 HA4000 Gateway
Figure 3-1 Management Port and Network Management Station on Different Subnets
Figure 3-2...
List of Tables
Table 1-1 Front Panel LED Indicators
Table 3-1 SNMP Trap Types
Chapter 1 Product Overview
The SafeNet HighAssurance™ 4000 (HA4000) Gateway is a high-performance, integrated security appliance that offers IPSec encryption at multi-Gigabyte rates. Supporting wire speed Gigabit Ethernet, the HA4000 enables secure remote data backup and disaster recovery, data replication, and storage hosting.
Product Features
• Mounts in any standard 19-inch rack or on a tabletop
• Two Gigabit Ethernet data ports for encrypting and decrypting network traffic with single mode and multimode fiber GBIC interfaces
• FIPS 140-2 Level 2 compliant, validated by the National Institute of Standards and Technology (NIST)
• Tamper-evident chassis with no ability to insert probes
• Hardware-based IPSec encryption processing...
Sample Deployments LED Indicators Table 1-1 shows how to interpret the LEDs on the HA4000 gateway’s front panel. Table 1-1 Front Panel LED Indicators Indicator Light State Definition Power (green) Unit is powered off. Unit is powered on. Remote Yellow (link status) Loss of signal on the remote interface.
Management
In a branch-to-central office application, data is secured between each branch and the central office. Additionally, a secure tunnel is established between the two branch sites. This configuration can be used to transfer sensitive data between remote sites or to back up remote servers to central storage devices.
Tunnels
A security tunnel is the network path inside which data is encrypted.
FIPS 140-2 Level 2 Operation
• HMAC-SHA1-96 authentication
• Manual keys or IKE key management
Caution
MD5 is not a FIPS-approved authentication algorithm. Therefore, using MD5 authentication in a security policy removes the HA4000 from FIPS-compliant operation.
Note:...
Chapter 2 Installation
Perform the tasks in this chapter in the sequence they are presented.
Unpack the Shipping Carton
Remove all product components from the shipping carton and compare the contents to the packing list. Keep all packaging in case it is necessary to return the unit.
Required Hardware
Air flow
Make sure that there is sufficient flow of air around the HA4000 so that safe operation is not compromised. Maintain a clearance of at least three inches (7.62 cm) on each side of the HA4000 gateway to ensure adequate air intake and exhaust.
Mount the HA4000 in a Rack
Connect the Cables
Before beginning, make sure that the necessary cables are available. For more information on cabling requirements and specifications, see Appendix C, "Cable Specifications."
1. Connect the HA4000 RS-232 craft port directly to a PC or workstation using a DB-9 null modem cable.
Notes:
• If you experience a problem during system initialization, go to Chapter 5, "Troubleshooting."
• Until you configure your security policies, the HA4000 gateway’s default mode of operation passes all packets in the clear.
Chapter 3 Configuration
HA4000 management is performed out of band. Use the management interface to configure the device remotely through the command line interface (CLI) and monitor SNMP-based performance. This chapter describes the tasks required to configure the HA4000’s management interface and prepare the device for operation.
Configure the Management Port
Command Shortcuts
Some CLI commands have specific shortcuts. For a list, go to Table 6-1 on page 65. Shortcuts are also included in the detailed information available on each CLI command in Chapter 6, "CLI Command Reference." For other commands, type enough letters to uniquely identify an HA4000 CLI command, and then press Tab.
Note: Usernames and passwords are case-sensitive.
6. At the password prompt, enter the default password, safenet. The password you type does not display.
Note: Change the default password when you configure the HA4000 gateway.
7. When you are successfully logged on, the command line prompt displays:...
Prepare the Device for Operation
Figure 3-1 Management Port and Network Management Station on Different Subnets
Example
This example configures the default gateway for Router #1 in Figure 3-1. The example enters configuration mode for the management interface, assigns a default gateway IP address, and saves the configuration.
Assign the Remote Port IP Address
The remote port IP address identifies the HA4000 to the untrusted network, typically a WAN, campus LAN, or MAN. Changing the remote port IP address directly affects the HA4000 gateway’s IPSec policies, including the default policies that ship with the HA4000.
These are some possible configurations and the associated command:
Auto-negotiation   Flow Control       Command
enabled            value negotiated   auto enable
disabled           value negotiated   auto disable enable
disabled           disabled           auto disable disable
Examples
Enable auto-negotiation and flow control on the remote port:
config-ifRemote>...
Figure 3-2 Two Remote Ports on the Same Subnet
Routed Network
In a routed network, a router is placed between the initiating HA4000 #1 and the WAN. Use the ikeDefaultGateway command on HA4000 #1 (see Figure 3-3) to specify Router R2’s local router port IP address, 192.168.144.100.
Assign Default Gateway for IKE Negotiation on Remote Interface
1. At the config-ifRemote> prompt, enter this command:
ikeDefaultGateway {none | <ipAddress>}
For parameter descriptions, go to “ikeDefaultGateway” on page 72.
2. Return to configuration mode; enter the exit command.
Example
This example enters remote interface configuration mode on HA4000 #1 in Figure 3-3, identifies a default gateway, and then returns to configuration mode:...
Example
This example enters remote interface configuration mode on the HA4000, disables IKE ID validation, exits configuration mode, and saves the configuration.
admin> config t
config> interface remote
config-ifRemote> ikeIdValidation disable
config-ifRemote> exit
config> exit
admin>...
Example
This example enters remote interface configuration mode on the HA4000, sets the IKE ID type to Subject Distinguished Name, exits configuration mode, and saves the configuration.
admin> config t
config> interface remote
config-ifRemote> ikeIdTypeToSend sdn
config-ifRemote>...
Local Port Auto-negotiation and Flow Control
Auto-negotiation and flow control are configured on a per-port basis. If the device that the HA4000 is connected to on the local network side does not support auto-negotiation or flow control, disable one or both of these functions on the HA4000 gateway’s local port.
Layer 2 MAC Address Resolution
The method that the HA4000 uses to resolve Layer 2 MAC addresses depends on your network configuration. Here are three typical scenarios:
• Transparent – Two HA4000 gateways are connected back-to-back, with no router between them.
Figure 3-5 ARP Used to Resolve Layer 2 MAC Addresses
Gateway
In Figure 3-6, the HA4000 #2’s local port is connected to Router R4. The destination station S2 is on a different subnet than HA4000 #2’s local port. To send packets to Station S2, HA4000 #2 uses the macAddrResolutionMechanism command with the gateway attribute to identify the IP address of the default gateway (Router R4’s WAN...
Set Layer 2 MAC Address Resolution on the Local Interface
1. At the config-ifLocal> prompt, enter this command:
macAddrResolutionMechanism {none | arp | {gateway <ipAddress>}}
For parameter descriptions, go to “macAddrResolutionMechanism” on page 77.
2. Return to configuration mode: enter the exit command.
Example
In this example, a local interface configuration on SG2, the HA4000 enters local interface configuration mode, identifies the default gateway, and then exits local...
When the HA4000 detects an IP payload that exceeds 1460 bytes, the HA4000 notifies the local device of the required MTU size. Note that the PMTU is a Layer 3-based number, and, therefore, does not include Layer 2 Ethernet header overhead.
Set the DF Bit Handling
At the config> prompt, enter this command:
dfbit-handling {clear | copy | set}
For parameter descriptions, go to “dfbit-handling” on page 70.
This command requires a reboot to take effect. When you complete configuring the unit, save the configuration, and then reboot the HA4000.
Set Session Timer
A timer can be set to end a session after a specified interval of user inactivity with the session timer command.
At the config> prompt, enter this command:
session timer cli <number>
where number is the number of minutes of inactivity.
Table 3-1 SNMP Trap Types
Trap            Reports on this information
login           Successful and unsuccessful log on attempts and log offs.
fanStatus       Operational status changes of the HA4000 gateway’s two fans.
generic         Link up, link down, and cold start (reboot).
criticalError   Critical errors, such as failure of the control board to respond to watchdog errors, which indicates that a reboot has been initiated but is...
Display Trap Status
To display the status of the traps, use the trap list command. It displays all traps and lists their status as enabled or disabled.
At the config> prompt, enter this command:
snmp-server trap list
Example
config>...
Administrative Tasks
Table 3-2 HA4000 SNMP Agent Parameters
Parameter                  Definition
contact <quoted_string>    System contact person for the HA4000
location <quoted_string>   Device location in the network
name <quoted_string>       Name for the device
Example
This example uses the snmp-server command to provide identifying information about the HA4000.
Set the Administrator Password
1. Log in as Administrator (username super).
2. Go into configuration mode; enter this command:
configure terminal
3. At the config> prompt, enter this command:
password
4. Enter the current password.
5. Enter the new password, and then reenter it to confirm it.
Example
In this example, the Administrator sets the Administrator password and saves the new configuration (password text is not displayed on the monitor):...
Configure the Network Manager Logon
1. Log in as Administrator.
2. Enter configuration mode.
3. At the config> prompt, enter this command:
netman login {enable | disable <value>}
where <value> is the number of unsuccessful logon attempts permitted (0-99) before the Network Manager logon is disabled.
Reboot the HA4000
The reboot command stops all operations on the HA4000 and begins the boot process, the same process initiated when the power is cycled on the device.
Caution
Save any configuration changes prior to rebooting the unit; unsaved changes are lost when a reboot occurs.
Example
This example saves the running configuration and reboots the HA4000:
admin> copy system:running nvram:config
admin> reboot
View Configurations
The show command displays information about saved and running configurations, IP addresses, and version numbers. This is helpful when troubleshooting. For additional show commands, see Chapter 5, "Troubleshooting."...
Example
In this example, the show nvram:config command displays the configuration saved in the HA4000 file system.
admin> show nvram:config
interface management
ip address 192.168.10.10 255.255.255.0 192.168.10.1
ipSec disabled
ipSec phase1 3des sha1 86400
ipSec phase2 3des sha1 86400
dpd disabled
ipSec phase2 3des sha1 86400
http enabled...
Chapter 4 Maintenance Tasks
Perform these maintenance tasks on a regular or as-needed basis:
• Create a backup copy of the file system.
• Configure the FTP client for file downloads.
• Download software updates.
• Install a certificate on the HA4000.
• Physically inspect the HA4000.
Other tasks are necessary to perform only if you experience problems or want to monitor events on the network for baselining purposes.
Restore the Backup
If the HA4000’s file system is damaged or corrupted, you can restore it from the backup.
1. Log on as Network Manager.
2. At the admin> prompt, enter this command:
copy nvram:fs-backup nvram:fs
3. Reboot the device, enter the reboot command.
Install Software Updates
Software updates can be downloaded from an FTP server to the HA4000 through the 10/100 Ethernet management port.
Install Certificates
Load Software Updates
When a new software image is downloaded, the HA4000 data is not affected. Saved security policies and configurations are preserved. The HA4000 remains operational during software downloads.
Note: Before downloading any software update, read the associated release notes for update-specific installation instructions and caveats.
When replacing the certificate, make sure to set the HA4000 gateway’s internal clock, as described in “Configure DF Bit Handling” on page 30. The date and time settings are required to track certificate expiration dates.
Caution
Installing a new certificate on the HA4000 may prevent a browser connection for several hours, because the HA4000 is unaware of time zones.
HA4000 is located in. For example, a locked equipment closet is more secure than an open server room. SafeNet recommends checking the unit’s physical integrity monthly, at a minimum.
Audit Logs
Audit Log Resources
The audit log is a fixed-length list of entries. When a log file is full, another log file is started. This continues until the specified maximum number of log files is reached. At that point, the information in the first log file is overwritten. Using multiple log files tracks events over a longer period of time, with a RAM utilization tradeoff.
Attribute    Description
snmp-trap    Traps sent by the HA4000 (critical errors, fan status, logon failures).
             Secure Shell messages. For technical support diagnostic use.
systemLog    Significant management module messages, including system errors and policy configuration errors.
Where to send the data
When an event is enabled, the output can be sent to the terminal, recorded in the log file, or both.
For parameter and attribute descriptions, go to “log” on page 76. Attributes are case-sensitive. To specify multiple attributes on a single command, insert them in a quoted string (enclosed in quotation marks), as the first example below shows. Logging changes go into effect immediately.
Examples
This example enables snmp-traps and snmp-packets logging.
Upload Log Files
On occasion, you may need to send log files to a central office or SafeNet Customer Support for analysis or troubleshooting assistance. With a single command—ftp-client—the HA4000 gateway can export log files to an FTP server or display them on a terminal.
Restore Factory Settings
4. At the admin> prompt, enter this command:
copy nvram:logs [<number>] {ftp:|terminal}
This command sends log files to an FTP host or a terminal. To identify a specific log file (0, 1, 2, …n-1), use the optional number attribute, where number is the number of log files configured on your system.
When clearing configurations or policies, the factory settings become effective when the device is rebooted. When clearing all settings, the HA4000 automatically reboots.
Example
This example clears the HA4000’s saved configuration, replaces it with the factory default configuration, and then reboots the device:
admin>...
Failure LED is illuminated. • The device diagnostics detected a severe hardware error during the boot process. Contact SafeNet Customer Support. Alarm LED is illuminated. • The device has detected a policy configuration error.
Possible Problems and Solutions
Table 5-1 HA4000 Troubleshooting (Continued)
Symptom: Browser can’t make a connection to the HA4000 gateway’s management port.
Explanation and Possible Solutions:
• Verify that the correct management port IP address is being entered for the connection.
•...
Table 5-1 HA4000 Troubleshooting (Continued)
Category: Configuration continued
Symptom: The device on the WAN side (remote port connection) of the HA4000 is dropping
Explanation and Possible Solutions:
• Set the PMTU size to a number that doesn’t exceed the MTU of the device with the smallest MTU in the path.
Table 5-1 HA4000 Troubleshooting (Continued)
Category: IPSec Policies
Symptom: Traffic is not processing as expected.
Explanation and Possible Solutions:
• Verify the policy priorities. The policy with the highest priority number is processed first.
• Verify the filter information: local and remote IP addresses and subnets, protocol, and port number.
Diagnostic Commands
A set of commands is available to assist with diagnosing and troubleshooting unexpected behavior of your HA4000 and security policies. Some of these commands are self-explanatory; enter the others only upon request by SafeNet Customer Support.
IPSec Diagnostic Commands
Several CLI show commands provide IPSec diagnostic information that is useful when troubleshooting security policies.
Example
ops> show ipSec aesSupport
ops> AES is not supported
View Discarded Packets
The show ipSec discards command displays a summary of the number of discarded and aborted packets. To obtain the reason for the discards, use the all attribute.
View SAs
The show ipSec sa command displays the active SAs on the HA4000 gateway. In addition to verifying that a specific SA is active on the HA4000, this command also displays its SPI and lifetime.
Syntax
show ipSec sa
Response
Table 5-4 describes the fields displayed in the show ipSec sa command response.
Response
The command response displays precisely what the HA4000 is enforcing and in what order (see Table 5-5). Given a packet with specific selectors, you can determine how the packet will be handled by checking it against the SPD in descending order.
Example
admin> show ipSec spd
-----------------------------------------------------------
Security Policy Database Enforcement Order
--------------------------------------------------------------------------------------------------------------------
Source Dest Dest Direction Policy Encap? Mask Mask Protocol Address Address Port Port
INBOUND IPSEC 10.10.0.0 255.255.0.0 40.40.0.0 255.255.0.0
OUTBOUND IPSEC 40.40.0.0 255.255.0.0 10.10.0.0 255.255.0.0
INBOUND IPSEC 0.0.0.0 0.0.0.0...
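The enforcement-order check that the show ipSec spd response supports, as an added Python example that is not SafeNet code: it orders a constructed SPD by priority (highest number first), returns the first entry that matches a packet, and reports entries that an earlier, broader entry makes unreachable. The CLEAR and DROP policy labels, the priority values and every entry are assumptions; only the 10.10.0.0/40.40.0.0 IPSEC pair mirrors the sample output.

```python
"""Added example: first-match lookup over an SPD in enforcement order."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SpdEntry:
    priority: int      # assumption: numeric priority, highest number enforced first
    direction: str     # "INBOUND" or "OUTBOUND", as in the show ipSec spd output
    policy: str        # "IPSEC" is on the page; "CLEAR" and "DROP" are assumed labels
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: Optional[int] = None   # None means any protocol
    dst_port: Optional[int] = None   # None means any destination port


def entry(priority, direction, policy, src, src_mask, dst, dst_mask,
          protocol=None, dst_port=None):
    """Build an entry from address/mask pairs written the way the SPD table shows them."""
    return SpdEntry(priority, direction, policy,
                    ipaddress.IPv4Network(f"{src}/{src_mask}"),
                    ipaddress.IPv4Network(f"{dst}/{dst_mask}"),
                    protocol, dst_port)


def enforcement_order(spd):
    """Highest priority number first; ties keep their listed order."""
    return sorted(spd, key=lambda e: e.priority, reverse=True)


def lookup(spd, direction, src, dst, protocol, dst_port):
    """Return the first entry whose selectors all match the packet, or None."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in enforcement_order(spd):
        if (e.direction == direction and src_ip in e.src and dst_ip in e.dst
                and e.protocol in (None, protocol)
                and e.dst_port in (None, dst_port)):
            return e
    return None  # nothing matched; this sketch does not model what the device does then


def covers(earlier, later):
    """True when every packet `later` could match is already matched by `earlier`."""
    return (earlier.direction == later.direction
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.protocol in (None, later.protocol)
            and earlier.dst_port in (None, later.dst_port))


def shadowed(spd):
    """List (unreachable_entry, entry_that_hides_it) pairs."""
    ordered = enforcement_order(spd)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                pairs.append((later, earlier))
                break
    return pairs


# Constructed SPD, deliberately listed out of order. The priority-100 IPSEC entry
# sits below a broader priority-200 CLEAR entry, so its traffic is never encrypted.
SAMPLE_SPD = [
    entry(100, "OUTBOUND", "IPSEC", "40.40.5.0", "255.255.255.0", "20.20.0.0", "255.255.0.0"),
    entry(300, "INBOUND", "IPSEC", "10.10.0.0", "255.255.0.0", "40.40.0.0", "255.255.0.0"),
    entry(300, "OUTBOUND", "IPSEC", "40.40.0.0", "255.255.0.0", "10.10.0.0", "255.255.0.0"),
    entry(200, "OUTBOUND", "CLEAR", "40.40.0.0", "255.255.0.0", "0.0.0.0", "0.0.0.0"),
    entry(1, "INBOUND", "DROP", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    hit = lookup(SAMPLE_SPD, "OUTBOUND", "40.40.5.9", "20.20.1.1", 6, 443)
    print("40.40.5.9 -> 20.20.1.1:", hit.policy, "priority", hit.priority)
    for hidden, by in shadowed(SAMPLE_SPD):
        print(f"priority {hidden.priority} {hidden.policy} is never reached; "
              f"priority {by.priority} {by.policy} matches first")
```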
Example
admin> show ipSec statistics
Transmit LocalIF RemoteIF
Total bytes (including CRC) in good pkts
Total bytes (including CRC) in good+bad pkts
Unicast pkts w/o error
Multicast pkts w/o error
Broadcast pkts w/o error
Flow control pkts w/o error
Pkts with bad CRC
Pkts dropped due to FIFO underflow
Pkts transmitted (good or bad) 64 bytes...
The show all command also lists information about the internal tasks running on the HA4000 gateway. Note: Issue this command only when directed to by SafeNet Customer Support. The output provides a wealth of information that can assist SafeNet Customer Support in diagnosing a problem with your HA4000 or security policies.
Chapter 6 CLI Command Reference
CLI Overview
This chapter explains CLI command syntax conventions and usage, and provides detailed information on each command. Commands are listed in alphabetical order.
Command Hierarchy
The CLI has three command hierarchy levels:
Command mode is the logon hierarchy level. The copy, show, and most maintenance commands are accessed at this level.
Examples
show version
Enter this command exactly as shown.
show version|date
Enter one of these:
show version
show date
{log list} | {log <logEvent> terminal|noterminal logfile|noLogFile}
This syntax indicates that one of the following is required: log list or log <logEvent>...
User Types
The HA4000 has two levels of logon privileges, identified by user type:
• The Network Manager configures the HA4000. The Network Manager’s username is admin.
• The Administrator sets passwords and logon restrictions. The Administrator’s username is super.
Each command can be entered from one or both user levels;...
Commands
autoNegotiateFlowControl
Syntax: autoNegotiateFlowControl enable | {disable {enable | disable}}
Shortcut: auto
User Type: Network Manager
Hierarchy Level: interface configuration
Description: Sets auto-negotiation and flow control on the particular HA4000 port (local or remote port). Auto-negotiation is configured first, then flow control.
Reboot Required: Yes....
configure
Syntax: configure terminal
Shortcut: con t
User Type: Network Manager and Administrator
Hierarchy Level: Command
Description: Enters configuration mode.
Reboot Required:
Usage Guidelines: Use this command to enter different configuration modes.
copy ftp:fs
Syntax: copy ftp:fs nvram:fs
Shortcut: None
User Type: Network Manager...
copy nvram:fs
Syntax: copy nvram:fs nvram:fs-backup
Shortcut: None
User Type: Network Manager
Hierarchy Level: Command
Description: Creates a backup copy of the HA4000 file system.
Reboot Required:
Usage Guidelines: See “Back up the File System” on page 41.
copy nvram:fs-backup
Syntax: copy nvram:fs-backup nvram:fs
Shortcut:...
copy nvram:policy
Syntax: copy nvram:policy {ftp:policy [<filename>]}
Shortcut: None
User Type: Network Manager
Hierarchy Level: Command
Description: Copies the policy file from the HA4000 gateway’s file system to an FTP host.
Parameters: filename — specifies the name of the policy file to create on the FTP host.
Parameters:
year – 2003 through 2100
month – 01 through 12
day – 01 through 31
hour – 00 through 23
minutes – 00 through 59
seconds – 00 through 59
Reboot Required:
Usage Guidelines: See “Set Date and Time” on page 31.
dfbit-handling
Syntax: dfbit-handling {clear | copy | set}...
ftp-client
Syntax: ftp-client <ftp_ipAddress> <ftp_userid> <ftp_password> [<ftp_directory>]
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Configures FTP client access to an FTP server for file transfers.
Parameters:
ftp_ipAddress – specifies the IP address of the FTP host.
ftp_userid –...
http
Syntax: http {enable | disable}
Shortcut: None
User Type: Network Manager
Hierarchy Level: Management interface configuration
Description: Configures HTTP on the HA4000.
Attributes:
enable – allows HTTP on the HA4000 gateway management port.
disable – disallows HTTP on the management port. When HTTP is disabled, the HA4000 gateway uses HTTPS for the Policy Manager
Reboot Required:...
ikeIdTypeToSend
Syntax: ikeIdTypeToSend {ipAddress | sdn | default}
Shortcut:
User Type: Network Manager
Hierarchy Level: Remote interface configuration
Description: Defines the IKE ID that is sent to the peer gateway during phase 1 IKE negotiation by designating the IKE ID type to be used for the remote port.
Usage Guidelines: See “IKE ID Validation for Certificates” on page 23.
interface
Syntax: interface {local | remote | management}
Shortcut: int {l | r | m}
User Type: Network Manager
Hierarchy Level: Configuration
Description: Changes configuration mode to allow configuration of the specified interface.
Reboot Required: Local and remote port IP addresses require a reboot or policy reload to take effect. Management port IP addresses take effect immediately.
Usage Guidelines: See “Assign IP Addresses” on page 18 and “Configure the Local Interface” on page 25.
ipSec
Syntax: ipSec {enable | disable} |...
Usage Guidelines: None.
Syntax: {[no] log {snmp-packets|snmp-trap|snmp-event|cmbSsh|CCB|Ike|Ssh|systemLog} terminal|noTerminal logFile|noLogFile [quiet|normal|verbose]} | log list
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Configures the events to log, or displays the list of available events.
Attributes:
no – disables event logging. This is equivalent to specifying noTerminal and noLogFile.
Usage Guidelines: See “Configure Log File Events” on page 46.
log-file
Syntax: log-file <number> [<size_in_kbytes>]
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Configures log file resources.
Parameters:
number – specifies the number, from 2 through 99, of log files.
Parameters and Attributes:
none – specifies that the HA4000 gateways are connected back-to-back, with no routers between them. The HA4000 copies the MAC address from the incoming packet.
arp – specifies that the destination is on the same subnet as the HA4000 gateway’s local port (if the local port is connected to a Layer 2 switch).
password
Syntax: password <carriage return> <password>
Shortcut: None
User Type: Administrator
Hierarchy Level: Configuration
Description: Sets the Administrator password.
Parameters:
password – character string with at least one alphanumeric character. Passwords are case-sensitive; they are suppressed from displaying when typed. A password can include these special characters: ! @ # $ % ^ * ( ) _ + = - [ ] { } \ | ;...
pmtu
Syntax: pmtu <number>
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Specifies the maximum transmission unit of the path (end-to-end MTU).
Parameters and Attributes:
number – specifies the PMTU size, from 128 through 12,160 bytes. Normal mode range is 128 through 2944 bytes;...
Reboot Required:
Usage Guidelines: None.
session
Syntax: session timer cli <number>
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Specifies the interval of inactivity before a user is logged out.
Parameters and Attributes:
cli – sets the session timer for the CLI.
number –...
Attributes:
all – displays a concatenation of the information provided by the show attributes listed below (date through version). For technical support use only.
date – displays the internal clock’s date and time settings.
http – displays the HTTP state on the management port.
– specifies that all traps are sent to the specified host.
generic, login, fanStatus, criticalError, IPSecPeer – specify traps defined in the SafeNet Customer Support crypto-mib and in “Configure SNMP” on page 32.
Reboot Required:
Usage Guidelines: See “Configure SNMP”...
telnet-server
Syntax: telnet-server {enable | disable}
Shortcut: None
User Type: Network Manager
Hierarchy Level: Configuration
Description: Configures telnet access to the HA4000.
Parameters and Attributes:
enable – allows the management port to accept a telnet session to remotely configure the HA4000. Telnet access is enabled by default.
Appendix A MIB Support
The HA4000 gateway supports SNMP v2-c. Supported MIBs include these:
MIB II (www.ietf.org/rfc/rfc1213.txt, limited to these groups):
• System Group
• Interfaces Group
The HA4000 also uses these proprietary MIBs, which are included on the HA4000 Gateway CD:
• co-smi-mib: Management Information Structure
• co-tc.mib: Textual conventions used in HA4000 MIBs
• co-gigif.mib: Objects related to the gigabit interfaces on the HA4000 (local and...
Appendix B Product Specifications
Table B-1 System Specifications
Interfaces
• Two Gigabit fiber ports
• 10/100 Mbps auto-sensing LAN port
• RS-232C port
Electrical/Mechanical
• 19-inch rack mount design
• 4” H x 17” W x 15” D (10.16 cm H x 43.18 cm W x 38.1 cm D)
•...
Appendix D Electrostatic Discharge
Electrostatic discharge (ESD) can damage electronic components and equipment. ESD occurs when electronic components are improperly handled and can result in complete or intermittent failures. Always follow ESD-prevention procedures when removing and replacing components.
To prevent ESD damage, follow these guidelines:
• Always use an ESD wrist or ankle strap and ensure that it makes skin contact.
Appendix E Regulatory Information Safety/Emissions/Immunity Specifications IEC 60950, 3 Edition (1999) Underwriter Labs Safety CSA-C22.2 No 60950-00 Canadian Safety EN 60950 Safety for participating European nations EN55022: 1998, ANSI C63.4:1992, AS/NZS 3548: FCC Title 47, Part 15, Subpart B, EMC Directive 1997 with Amendments 1 and 2, CNS 13438:1997, 89/336/EEC and ICES-003 and CAN/CSA-CISPR 2296...
European Notice
Products with the CE Marking comply with both the EMC Directive (89/336/EEC) and the Low Voltage Directive (73/23/EEC) issued by the Commission of the European Community.
Glossary
block cipher
Type of symmetric (secret key) encryption algorithm that encrypts a fixed length block of plaintext at a time. With a block cipher, the same plaintext block always encrypts to the same ciphertext block, under the same key.
action
Component of an IPSec rule.
confidentiality
Ensures that the content of the message (user data) has not been revealed.
condition
Filtering component of an IPSec rule. The condition identifies the packets a specified action will be applied to.
encryption
Scrambles and unscrambles data between two communication endpoints. The encryption process turns an original plaintext message that anyone can read into an encrypted...
two parties. If the HMAC is correct, it proves that it must have been added by the source.
HMAC
See Hash Message Authentication
Lightweight Directory Access Protocol (LDAP)
Online directory service protocol defined by IETF. An LDAP directory entry is a group of attributes identified by a unique distinguished name (DN)....
See public key infrastructure.
plaintext
Original, unencrypted message that anyone can read.
policy
Set of rules that define levels of security for various types of traffic. The policy identifies classes of traffic and
public key infrastructure (PKI)
Use of key pairs, certificates, certificate authorities, and certificate repositories when using public key cryptography.
Quick Mode
Used during IKE Phase 2 negotiations...
network devices in a scalable manner. The HA4000 uses SCEP for online certificate enrollment.
security association (SA)
Processing performed on a specific packet. It associates security services and a key with the traffic to be protected and the remote peer with
See Secure Socket Layer....