Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is available to assist with the following types of issues:...
Connecting the power cord to models 5640 and 5660  23
Connecting an Uninterruptible Power Supply (UPS)  23
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM  24

Chapter 2  Setting up the appliance and configuring the system
Installing and setting up the appliance  27...
Backing up Symantec Gateway Security 5000 Series v3.0 configurations  45
Backing up Symantec Gateway Security 5000 Series v2.0.1 configurations  46
Backing up Symantec Clientless VPN Gateway 4400 Series v5.0 configurations and data files  46
Manual backups  47
Backing up cluster information
SYN flood protection settings  64
Network interfaces  64
SRL  64
Cron jobs  64
RemPass  64
Post-upgrade tasks for upgraded Symantec Clientless VPN Gateway 4400 Series v5.0 configurations  64
Access control  64
SecurID authentication  65
Windows NT Domain authentication  65
Logging  65
Service redirect IP address conflicts  65...
Taking a pro-active stance  81
Security policy worksheets  81
Defining your organization  81
Collecting hardware information  83
Collecting your TCP/IP address  84
Defining your allowed TCP/IP services  85
Collecting email information for security gateway notifications  86
Defining your Web services
Model 5640 back panel features
Model 5660 back panel features
Connecting an Uninterruptible Power Supply (UPS)
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM

About the Symantec Gateway Security 5000 Series

The Symantec™...
See the Getting Started Guide for more information on software features.

Hard drives

Symantec Gateway Security 5600 Series models with two hard drives installed run Redundant Array of Inexpensive Disks (RAID) software. Table 1-1 describes the Symantec Gateway Security 5000 Series hard disk configurations.
Installing the appliance Installing the Symantec Gateway Security 5600 Series appliance You can install the Symantec Gateway Security 5600 Series appliance as a free-standing unit, or as a rack-mounted unit using mounting brackets or slides. When preparing to install your appliance, refer...
Secure the mounting brackets to the equipment rack. Installing a slide rack-mounted appliance The Symantec Gateway Security 5600 Series has mounting holes on the chassis for use with rack mount slides. The Symantec Gateway Security 5600 Series model 5660 comes with a rack mount slide...
The front panel looks the same on all models, except the model 5620 which has a narrower profile. The initial setup of the Symantec Gateway Security 5600 Series takes place at the appliance front panel, where you enter and modify parameters, such as system and network IP addresses.
The front panel controls are the same on all models. The front panel controls perform dual functions. These functions depend upon whether the Symantec Gateway Security 5600 Series is in initial setup mode or if you are using the system menu to change setup information. The front panel controls...
Launch the System Menu when the appliance is in monitoring mode. Also use this button to cancel the current option without completing it. On upgraded Symantec Gateway Security 5400 Series or Symantec Clientless VPN Gateway 4400 Series appliances use the S (Select) button.
Displays the appliance’s Symantec System ID. The Symantec System ID is required to obtain the appliance’s product license. Press the Enter button to return to the system menu once the Symantec System ID is displayed on the LCD screen. Press either the down button or the right button to move to the next menu item.
LCD indicator (stopped).

RAID status messages

Symantec Gateway Security 5600 Series models with two hard drives installed run Redundant Array of Inexpensive Disks (RAID) software. The LCD displays messages about the RAID status of the appliance's hard drives. The RAID software keeps a mirrored image on both hard drives so that the appliance continues to operate if one drive fails. Treat a degraded-RAID message on the LCD as a fault to act on promptly: until the failed drive is replaced and resynchronized, the remaining drive holds the only copy of the appliance's configuration and logs.
The back panels of the model 5640 and 5660 are different from model 5620 due to the larger size of the appliance and additional Ethernet ports. All models of the Symantec Gateway Security 5600 Series appliances have Ethernet ports that can connect to 10/100/1000Base-T networks. Some of the Symantec Gateway Security 5600 Series Ethernet ports have higher transmission rates than the normal Ethernet ports.
Ethernet network connection.

Connecting model 5620 to the network

The Symantec Gateway Security 5600 Series model 5620 back panel provides a total of six 10/100/1000 Base-T network connections. Your network connection requirements are based on your site's network configuration.
Model 5640 back panel features

This section describes the back panel features of the Symantec Gateway Security 5600 Series appliance model 5640. The back panels of the model 5640 and 5660 are different from model 5620 due to the larger size of the appliance and the additional gigabit Ethernet ports.
Model 5660 back panel features

This section describes the back panel features of the Symantec Gateway Security 5600 Series appliance model 5660. The back panel of the model 5660 is different from model 5640 due to the additional slots for Small Form-factor Pluggables (SFPs).
Serial console port: Provides a connection for a terminal emulator to access the appliance's Linux operating system locally. Only make changes using the serial console port when instructed by Symantec Technical Support. Making changes to the operating system is not supported.

Attention indicator: Lights solid red if the appliance needs attention.
The Symantec Gateway Security 5600 Series model 5640 offers eight gigabit Ethernet connections and model 5660 offers six along with four slots for SFPs. See the Symantec Gateway Security 5600 Series Connecting and Configuring for information about configuring the management interface from the appliance front panel LCD.
Updating or restoring the appliance firmware with the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM

The Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM...
While pressing and holding down the Enter button on the front panel, do the following: Press the power switch on the appliance to turn on the power.
Installing and setting up the appliance

The following instructions describe how to install and set up the Symantec Gateway Security 5600 Series appliance for SGMI management from an internal or external network. You can only configure one interface for management from the front panel of the appliance.
Figure 2-1  5620 back panel layout

Table 2-1  Model 5620 back panel description

Feature: Power socket. Description: Connection for AC power cord.
Feature: Master power switch. Description: Turns the appliance on or off.
Feature: Network interface. Description: Accepts a 10/100/1000 Base-T network cable, which allows an Ethernet network...
Table 2-2  Models 5640 and 5660 back panel description

Feature: Power socket. Description: Connection for AC power cord.
Feature: Network interface. Description: Accepts a 10/100/1000 Base-T network cable, which allows an Ethernet network connection.
Press the Up or Down buttons to select a specific VLAN identification number between 1 and 4094. Press the Enter button.

If you do not want to configure a VLAN, do the following: Press the Enter button.
If you chose not to configure the SMTP, POP3, HTTP, and FTP traffic options, you must either use the Firewall Rule Wizard or configure them manually from the SGMI Policy > Rules tab. For detailed instructions about how to configure these policies, see the Symantec Gateway Security 5000 Administration Guide.
For detailed instructions about using the System Setup Wizard after the initial setup see the Symantec Gateway Security 5000 Administration Guide. Note: If you cancel out of this wizard without completing it, your security gateway will not be ready to operate and you will have to run the System Setup Wizard again.
In the License and Warranty Agreement window, read the agreement and then do one of the following: To accept the license and warranty agreement, and to proceed with the System Setup Wizard, click Accept.
For instructions on how to permanently unlock the LCD panel, see the Symantec Gateway Security 5000 Series Administration Guide.

21 To change the administrator password, do the following:...
DHCP Client: Check to enable DHCP on the outside interface. DHCP is only available when eth1 is configured as an outside interface.
Text box: Type the domain names of the email sources, separated by commas.
Apply antivirus scanning: Check to scan SMTP mail for viruses.
Apply Antispam: Check to filter SMTP mail for spam.
LiveUpdate. Once you have completed the Symantec Gateway Security 5600 Series System Setup Wizard the first time, you can access it again from the SGMI Tools menu option and edit any system information.
In the Temporary Files Settings dialog box, click View Applications. In the Java Application Cache Viewer, on the User tab, highlight the application that is identified by the URL that you used to connect to the appliance.
Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliances while on site, or to do so remotely. If you are on site, the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM lets you upgrade or update the security gateway using a computer connected directly to the appliance.
Symantec Gateway Security 5000 Series Software Update Version 3.0.1 CD-ROM

You can use this media to upgrade from Symantec Gateway Security 5000 Series v2.0.1, or to update from Symantec Gateway Security 5000 Series v3.0. You can upgrade from Symantec Clientless VPN Gateway 4400 Series v5.0 to Symantec Gateway Security 5000 Series v3.0.1 using the Symantec...
Requirements for the local upgrade and update

If you plan to upgrade or update on site using the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, the requirements for the computer running the OS restore program are as follows: An industry-standard computer with a BIOS that lets you boot from an IDE CD-ROM.
Refer to the Symantec Technical Support Web site to ensure that you have the latest downloads.

Upgrade and update preparation

How you plan for the upgrade or update to Symantec Gateway Security 5000 Series v3.0.1 depends on whether you plan to upgrade or update locally using the Symantec Gateway Security 5000 Series Software and Restore Image Version 3.0.1 CD-ROM, or whether you want to upgrade or update remotely using...
To remotely upgrade a security gateway currently running Symantec Gateway Security 5000 Series v2.0.1 to Symantec Gateway Security 5000 Series v3.0.1, you must be able to connect to the security gateway using SRL. To log on to the gateway using SRL, you must supply the shared secret configured...
Maintenance Agreement. For additional Symantec Gateway Security 5000 Series v3.0 licenses, or to replace any prior version licenses you own that are not covered by an active Maintenance Agreement, contact your local reseller.
To back up configuration files from the SGMI

In the Symantec Gateway Security 5000 Series v3.0 SGMI, on the File menu, click Backup. In the Backup dialog box, in the Password text box, type a backup/restore password. In the Verify password text box, retype the password, and then click OK. Record the backup/restore password somewhere other than on the appliance itself; the backup cannot be restored without it.
To back up Symantec Gateway Security 5000 Series v2.0.1 configurations, you use the Symantec Gateway Security 5000 Series v2.0.1 SGMI to save the configurations to a location off the security gateway, such as the hard drive of the computer you use to access the SGMI. After upgrading the security gateway, you can restore these configurations to the security gateway.
Select the file. Click OK. If you are using the Symantec Clientless VPN Gateway 4400 Series v5.0 internal database (LDAP data file), you must back up and restore the LDAP data file separately. It is not considered part of your clientless VPN gateway configuration.
/var/lib/sg/backup/zebra/zebra.conf
/var/lib/sg/zebra/ospfd.conf
/var/lib/sg/management/edit/zebra/ospfd.conf
/var/lib/sg/backup/zebra/ospfd.conf
/var/lib/sg/zebra/ripd.conf
/var/lib/sg/management/edit/zebra/ripd.conf
/var/lib/sg/backup/zebra/ripd.conf

File: cman.ora, in /usr/raptor/oracle_netprxy/network/admin. Description: Oracle connection manager configuration file, used to configure SQL traffic. How to back up: FTP from the security gateway.

Other Symantec Gateway Security 5000 Series v2.0.1 manually configured information is automatically backed up and restored.
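The manual backup of the files listed above is easy to get subtly wrong (a file silently missing from the archive is only noticed at restore time, after the old version is gone). The following script is an added example, not a Symantec tool: it archives the paths quoted on this page into a tar.gz, writes a SHA-256 manifest beside it, and can re-verify the archive before you start the upgrade. The `root` parameter is an assumption introduced only so the same code can be exercised against a scratch directory instead of a live appliance; the cman.ora path is composed from the directory and file name given in the table.

```python
"""Manual backup of the v2.0.1 files listed on this page, with a
SHA-256 manifest so the archive can be verified before an upgrade.

Added example (not Symantec's tooling). `root` is an assumption: it lets
the script run against a scratch tree instead of a live appliance.
"""
import hashlib
import os
import tarfile
from typing import Dict, List

# Paths quoted on the page; cman.ora is directory + file name from the table.
CONFIG_FILES: List[str] = [
    "/var/lib/sg/backup/zebra/zebra.conf",
    "/var/lib/sg/zebra/ospfd.conf",
    "/var/lib/sg/management/edit/zebra/ospfd.conf",
    "/var/lib/sg/backup/zebra/ospfd.conf",
    "/var/lib/sg/zebra/ripd.conf",
    "/var/lib/sg/management/edit/zebra/ripd.conf",
    "/var/lib/sg/backup/zebra/ripd.conf",
    "/usr/raptor/oracle_netprxy/network/admin/cman.ora",
]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 (files may be large log-style configs)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_configs(archive: str, root: str = "/",
                   files: List[str] = CONFIG_FILES) -> Dict[str, str]:
    """Write `archive` (tar.gz) with every listed file that exists under
    `root`, plus `<archive>.sha256`; return {relative_path: sha256}.
    Missing files are skipped rather than fatal, because an appliance
    without OSPF/RIP or the SQL proxy configured will not have them all."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for abs_path in files:
            rel = abs_path.lstrip("/")
            full = os.path.join(root, rel)
            if not os.path.isfile(full):
                continue
            tar.add(full, arcname=rel)
            manifest[rel] = sha256_of(full)
    with open(archive + ".sha256", "w") as m:
        for rel, digest in sorted(manifest.items()):
            m.write(f"{digest}  {rel}\n")
    return manifest


def verify_backup(archive: str) -> bool:
    """Re-read the archive and check every member against the manifest.
    Returns False if any member is missing, extra, or has a different hash."""
    expected: Dict[str, str] = {}
    with open(archive + ".sha256") as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != expected.get(member.name):
                return False
            expected.pop(member.name)
    return not expected  # every manifest entry was present and matched


if __name__ == "__main__":
    found = backup_configs("/tmp/sgs-v201-manual.tar.gz")
    print(f"archived {len(found)} file(s); verified: "
          f"{verify_backup('/tmp/sgs-v201-manual.tar.gz')}")
```

Run it on the appliance as root before removing it from a cluster or starting the upgrade, and copy both the archive and the .sha256 file off the appliance, since a factory reset or OS restore wipes them.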
Security gateways that are members of a cluster cannot be upgraded or updated to Symantec Gateway Security 5000 Series v3.0.1 while they are members of the cluster. You must remove the security gateway from the cluster before performing the upgrade or update. Before you remove the security gateway from the cluster, you must back up the cluster configuration information.
To download the entire kit to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance

Log on to the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance command-line interface as the root user.
Once the kit is completely downloaded to the Symantec Gateway Security 5000 Series v2.0.1, or Symantec Gateway Security 5000 Series v3.0 appliance, you can run the utility. In this procedure, you select one configured interface on the Symantec Gateway Security 5000 Series v2.0.1 or Symantec Gateway Security 5000 Series v3.0 appliance to access the appliance after completing the upgrade or...
14 When you are prompted to begin by the following message, type Y to begin the upgrade, or type N to stop.

Ready to begin Symantec Gateway Security 5000 Series V 3.0 to V 3.0.1 Upgrade? [Y]es or [N]o:

If you typed Y, the upgrade or update begins. The appliance starts the process, and then reboots when it is finished.
See “Running the System Setup Wizard” on page 31.

Factory reset

If you perform a factory reset of the appliance after the upgrade or update, it returns to Symantec Gateway Security 5000 Series v3.0.1. See “Using the LCD system menu” on page 14.
14 When the reboot has completed, log on to the SGMI again. Restoring license files After you upgrade or update to Symantec Gateway Security 5000 Series v3.0.1, you must restore the license files. The license files must be present on your management computer.
Support messages are only included in the detailed upgrade report. Both reports are available in the Symantec Gateway Security 5000 Series v3.0.1 SGMI, and as an HTML file which you can retrieve from the appliance using FTP or SSH. Prefer SSH for the retrieval: FTP sends the appliance login credentials in clear text. You have access to these reports until the next upgrade, or until you do a factory reset or OS restore.
Authentication sequences are also replaced by authentication schemes in Symantec Gateway Security 5000 Series v3.0.1. An authentication sequence is a specific type of authentication method in Symantec Gateway Security 5000 Series v2.0.1. An authentication sequence combines any number of other authentication methods.
5000 Series v3.0.1 Administration Guide. Bellcore S/Key authentication S/Key authentication methods in Symantec Gateway Security 5000 Series v2.0.1 are replaced by new internal authentication in Symantec Gateway Security 5000 Series v3.0.1. The upgrade report states that users are migrated from Bellcore S/Key to the new internal authentication.
If you use SecurID authentication with Symantec Gateway Security 5000 Series v2.0.1, you must replace the SecurID node secret in Symantec Gateway Security 5000 Series v3.0.1. The first time the security gateway contacts the SecurID server, the server responds with a hashed client authentication file named SecurID.
The second message is inserted into a file that replaces the one containing the virus. In Symantec Gateway Security 5000 Series v2.0.1, if you did not want to include either message, you could replace all text in the message field with space characters.
After upgrading, verify that the new response actions are appropriate. Antispam mail sender (bad senders list) In Symantec Gateway Security 5000 Series v2.0.1, the mail sender line pattern matching configured in the SMTP proxy uses a regular expression. Symantec Gateway Security 5000 Series v3.0.1 uses wildcard expressions.
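The regular-expression to wildcard change in the bad senders list is the kind of migration that looks equivalent in the SGMI and is not: a regex is normally searched anywhere in the address, a wildcard pattern normally has to match the whole address, and an unescaped regex dot matches any character. The following is an added example, not Symantec code, that shows the difference on a few constructed sender addresses and performs the simple translations that can be done mechanically, refusing anything that needs a human. The page does not document the exact wildcard dialect of the v3.0.1 SMTP proxy, so the example assumes shell-style `*` and `?`, whole-address matching, and case-insensitive comparison of addresses.

```python
"""Regex (v2.0.1) versus wildcard (v3.0.1) matching of a bad-senders entry.

Added example, not Symantec code. Assumptions: the v2.0.1 regex was an
unanchored search; the v3.0.1 wildcard uses shell-style '*' and '?',
must match the whole address, and compares case-insensitively.
"""
import fnmatch
import re
from typing import Dict, List

# Constructed sample senders chosen to expose the semantic differences.
SENDERS: List[str] = [
    "bulk@spam.example",
    "news@spam.example.org",   # an unanchored regex also hits this one
    "alice@corp.example",
    "bulk@spamXexample",       # an unescaped '.' in a regex matches this
]


def regex_matches(pattern: str, sender: str) -> bool:
    """Assumed v2.0.1 semantics: regex searched anywhere in the address."""
    return re.search(pattern, sender) is not None


def wildcard_matches(pattern: str, sender: str) -> bool:
    """Assumed v3.0.1 semantics: whole-address, case-insensitive wildcard."""
    return fnmatch.fnmatchcase(sender.lower(), pattern.lower())


def regex_to_wildcard(pattern: str) -> str:
    """Translate the simple regex idioms found in sender lists to a wildcard.
    '.*' -> '*', unescaped '.' -> '?', '\\x' -> literal x, anchors dropped
    (the wildcard is whole-address anyway). Alternation, classes, groups
    and repetition are refused so the administrator converts them by hand."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c in "^$":
            pass
        elif pattern.startswith(".*", i):
            out.append("*")
            i += 1
        elif c == ".":
            out.append("?")
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(pattern[i])
        elif c in "[]()|+{}":
            raise ValueError(f"needs manual conversion: {pattern!r}")
        else:
            out.append(c)
        i += 1
    return "".join(out)


def compare(regex: str) -> Dict[str, object]:
    """Show which constructed senders the old and new entries would block."""
    wc = regex_to_wildcard(regex)
    return {
        "wildcard": wc,
        "regex_hits": [s for s in SENDERS if regex_matches(regex, s)],
        "wildcard_hits": [s for s in SENDERS if wildcard_matches(wc, s)],
    }


if __name__ == "__main__":
    for entry in (r".*@spam\.example", r"bulk@spam.example"):
        print(entry, "->", compare(entry))
```

The first entry shows the practical lesson: `.*@spam\.example` used to block every address containing that suffix, including `news@spam.example.org`, while the migrated wildcard `*@spam.example` blocks only exact-domain matches, so the post-upgrade list must be reviewed entry by entry rather than trusted because it converted without error.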
Table 3-4  Content filtering categories (Continued)

v2.0.1 category: Drugs
v3.0.1 category: Drugs/Non-medical
Description: Sites that provide information on growth, distribution, and advocacy of drugs for nonmedical use (typically mood-altering).
URL whitelist/blacklist In Symantec Gateway Security 5000 Series v2.0.1, you can configure the URL whitelist to act as a blacklist through an advanced option, httpd.urlblacklist. If you use this advanced option, upgrading sets the Allow/Deny URL list setting based on the option’s value:...
MIME types whitelist/blacklist

In Symantec Gateway Security 5000 Series v2.0.1, you can configure the MIME types blacklist to act as a whitelist through an advanced option, httpd.mimeblacklist. If you use this advanced option, then upgrading sets the Allow/Deny MIME types list setting based on the option's value:...
For information about SSH, see the Symantec Gateway Security 5000 Series v3.0 Administration Guide. Cron jobs If you have set up cron jobs on Symantec Gateway Security 5000 Series v2.0.1 to automatically back up log files periodically, you must reconfigure these cron jobs manually after the upgrade is complete.
Active Directory. Logging To retain Symantec Clientless VPN Gateway 4400 Series v5.0 log files, you must back them up before you upgrade. The Symantec Gateway Security 5000 Series v3.0.1 log viewer does not show logs from previous product versions. To view Symantec Clientless VPN Gateway 4400 Series v5.0 log files, you must either maintain a Symantec Clientless VPN Gateway 4400 Series v5.0 appliance to use the log...
Symantec Gateway Security 5000 Series v3.0.1 reserves some object names. If a Symantec Clientless VPN Gateway 4400 Series v5.0 object is named with a Symantec Gateway Security 5000 Series v3.0.1 reserved name, then SCVG_ is prepended to the name. For example, RADIUS is converted to SCVG_RADIUS.
Table 3-5  Reserved object names (Continued)

Object: auth server. Reserved name: pamproxy (case-insensitive)
Object: auth server. Reserved name: sequence (case-insensitive)
Object: auth sequence / scheme. Reserved name: dynamic (case-insensitive)
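The rename rule above is simple, but it has a failure mode worth checking for before the upgrade: if the v5.0 configuration already contains an object whose name is the prefixed form (for example an auth server literally named SCVG_RADIUS next to one named RADIUS), the migrated names collide. The following is an added example, not the upgrade utility: it applies the case-insensitive reserved-name check and SCVG_ prefix described on this page to a constructed object list and reports any post-rename collisions. Only the reserved names visible on this page are included, and the page does not say which object type the RADIUS example belongs to, so placing it under auth server is an assumption.

```python
"""Apply the v3.0.1 reserved-name rule to migrated SCVG v5.0 objects and
detect names that collide after SCVG_ is prepended.

Added example, not Symantec's upgrade utility. RESERVED holds only the
names visible on this page; RADIUS under "auth server" is an assumption.
"""
from typing import Dict, List, Tuple

PREFIX = "SCVG_"
RESERVED: Dict[str, List[str]] = {            # object type -> reserved names
    "auth server": ["pamproxy", "sequence", "RADIUS"],
    "auth sequence / scheme": ["dynamic"],
}


def migrated_name(obj_type: str, name: str) -> str:
    """Return the name the upgrade gives this object: SCVG_ is prepended when
    the name matches a reserved name for that type, ignoring case."""
    reserved = {r.lower() for r in RESERVED.get(obj_type, [])}
    return PREFIX + name if name.lower() in reserved else name


def migrate_objects(objects: List[Tuple[str, str]]
                    ) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """objects: constructed (type, name) pairs from a v5.0 configuration.
    Returns (renames as (type, old, new), collision messages). A collision
    is two different source objects of one type ending up with the same
    post-migration name (compared case-insensitively, as the gateway does)."""
    renames: List[Tuple[str, str, str]] = []
    owner: Dict[Tuple[str, str], str] = {}
    collisions: List[str] = []
    for obj_type, name in objects:
        new = migrated_name(obj_type, name)
        key = (obj_type, new.lower())
        if key in owner and owner[key] != name:
            collisions.append(
                f"{obj_type}: {name!r} -> {new!r} collides with {owner[key]!r}")
        owner.setdefault(key, name)
        renames.append((obj_type, name, new))
    return renames, collisions


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = [
        ("auth server", "RADIUS"),
        ("auth server", "SCVG_RADIUS"),
        ("auth server", "corp-ldap"),
        ("auth sequence / scheme", "Dynamic"),
    ]
    for row in migrate_objects(sample)[0]:
        print(row)
    for msg in migrate_objects(sample)[1]:
        print("COLLISION:", msg)
```

Run the check against an export of the v5.0 object names before upgrading; renaming the colliding object in v5.0 first is far easier than untangling two objects with one name after the migration.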
When you migrate a Symantec Enterprise Firewall v8.0 configuration to Symantec Gateway Security 5000 Series v3.0.1, after the migration you should make adjustments to your rules if you changed interface names or IP addresses.
To assign network interfaces Set up the new Symantec Gateway Security 5000 Series v3.0.1 appliance, and then run the System Setup Wizard. Do not select the restore option in the System Setup Wizard.
Ensure the mapped interfaces are correct, so you can log on to your appliance with the SGMI after it reboots. To migrate Symantec Enterprise Firewall v8.0 configuration files In the Symantec Gateway Security 5000 Series v3.0.1 SGMI, on the File menu, click Restore. In the Restore Wizard panel, click Standalone gateway. Click Next.
Getting started with your 30-day grace period All features included with Symantec Gateway Security 5000 Series are enabled for a 30-day grace period to give you time to obtain and install the necessary license files. The 30-day grace period begins when you initially install and startup the appliance.
Complete the license file organization worksheet Gather your serial number certificates The first step in the process is to gather all your serial number certificates. Symantec provides evidence of your purchase using a serial number certificate. Check with your sales representative to understand how your certificates are sent.
The license file will only activate the product’s features on the machine with the same Symantec System ID provided during registration. Note: The Symantec System ID is case sensitive. All letters in the Symantec System ID must be capitalized.
Preparing to obtain license files Obtaining the Symantec System ID You can obtain the Symantec System ID from the system menu on the LCD screen of the appliance or from the SGMI. To obtain the Symantec System ID from the appliance’s LCD On the front panel of the appliance, press the Enter button to select the LCD system menu.
First contact name: ________  Email: ________  Phone: ________  FAX: ________
Second contact name: ________  Email: ________  Phone: ________  FAX: ________
Your company name: ________
Certificate number: ________
Appliance serial number: ________
Symantec System ID number: ________
Email licenses to: ________

Symantec Gateway Security 5000 Series products
Part code: ________  Product description: ________  License serial number: ________...
When your license files are emailed to you, the subject line of the email shows the serial number used to request the license file. The message in the email shows the Symantec System ID of the appliance to which the license belongs. You should create a separate folder for each appliance, in an accessible location on your network, with the folder name based on the Symantec System ID of the appliance.
If there were no errors found, click Next. If there were errors found, you must click Close. Please call Symantec Technical Support for assistance. On the Confirm License Installation panel, verify that all of the features and node limits you want are uploaded, and to install them on the appliance, click Next.
On the License Installation Complete panel, click Close.

10 Reboot the appliance for licenses to take effect.

Viewing licensed features

You can view the installed licensed features or the 30-day grace period status of your appliance using the SGMI System >...
Networking and applications software
Information in files and databases

The firewall component of Symantec Gateway Security 5000 Series is the main tool for enforcing access control at the security gateway: it lets you define a set of rules that allow or deny access to specific resources throughout your network.
Educating users

What external users will have access to your network? Where will they come from and where do you want to allow them to go? During what hours? For what period of time?
Do you intend to implement a service network?
Do you intend to implement a de-militarized zone (DMZ)?
What types of services do you want to allow for external users and hosts?
What type of authentication will you require for external users? (Strong authentication is...
For instance, if you plan to limit Web services to a single server during specific hours, let this be known to the affected groups and users. If you plan to pass all email through a dedicated server, or if external users will be disallowed from accessing certain systems by Telnet, consider passing these changes along before implementation.
Name of the primary administrator: ____________________________________

Use Table A-1 to list all persons involved in administering the system.

Table A-1  Administrator names
Name: ________  Email: ________  Phone: ________  Mobile phone: ________
Name: ________  Email: ________  Phone: ________  Mobile phone: ________
Name: ________  Email: ________  Phone: ________  Mobile phone: ________
15 Do you have other Symantec security gateways on your network now? _____ Yes _____ No
16 If Yes, what version? ________________________________
17 Do you plan to combine security gateways in clusters for high availability and load balancing?
Will you be using Symantec Client VPN? _____ Yes _____ No

Collecting your TCP/IP address

It is important to think about the TCP/IP requirements for your site. This includes information about running Domain Name Services (DNS), types and names of domains on your network, and making a list of protocols used that need to pass through your security gateway.
Do you use DHCP to dynamically obtain network addresses? _____ Yes _____ No
10 List the address ranges you currently use in your network. ____________________________________________________________
11 List the protocols you use in your network. ____________________________________________________________
12 Will you be using network news services (NNTP)?
If yes, list its name and IP address.
Mail relay host: ________________  IP address: ______________________
List any mail programs that you use internal to your network (for example, Microsoft Outlook): ___________________________________________________________________

Defining your Web services

Use the following section to define information about your Web services.
Table A-4  Special services names (Continued)
Service name: ________  Service port number: ________  Service type (UDP/TCP): ________  Server name: ________
Service name: ________  Service port number: ________  Service type (UDP/TCP): ________  Server name: ________

Access lists

Use Table A-5 to list those entities and users for which you plan to write rules to allow access through the security gateway.
Table A-6  User identification (Continued)
User name: ________  Group name: ________  Client VPN: ________  Clientless VPN: ________
User name: ________  Group name: ________  Client VPN: ________  Clientless VPN: ________
User name: ________  Group name: ________  Client VPN: ________  Clientless VPN: ________

Do you want the security gateway to keep a record of user passwords for protected resources (single sign-on)? _____ Yes _____ No...
If your network includes VLANs, use Table A-9 to list the IP addresses to which they are routed.

Table A-9  Security gateway host internal and external IP addresses
VLAN: ________  IP address: ________
VLAN: ________  IP address: ________
VLAN: ________  IP address: ________