GB-OS v6.2 Console Guide

User’s Guide

Global Technology Associates
3361 Rouse Road, Suite 240
Orlando, FL 32817
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Email: [email protected]
Web: www.gta.com

GB-OS 6.2
Document GBOSCG201606-01



GB-OS Console User’s Guide

Table of Contents

Introduction
    About This Guide
    Conventions
    Additional Documentation
Connecting to the Console Interface
Common Tasks
    Resetting the firewall to factory defaults
    Switching the firewall’s active slice
    How do I switch between slices?
Using the Console Interface
    Config
    Configuration Verification
    Email Configuration
    Configuration Backup to a USB Device
    Restoring a Configuration Backup From a USB Device
    System
    Activation Codes
    Contact Information
    Date/Time
    Objects
    Address Objects
    Accounts
    Remote Administration
    Encryption
    Generating SSL Certificates
    Network
    Settings
    Entering the Host Name
    Entering the Default Route
    Defining Network Interfaces
    Aliases
    Timeouts
    NAT
    Inbound Tunnels
    Static Address Mapping
    Pass Through
    Hosts/Networks
    Routing
    RIP
    Static Routes
    Security Policies
    Preferences
    Reset to Factory Defaults
Tools
    Shutdown
    Halt
    Reboot
    Network Diagnostics
    Flush ARP Table
    Ping
    Trace Route
    Interfaces
Reports
    Hardware
Reference A: User Interface
    Keystroke Commands
    Navigation
    Menus
    Buttons
    Entry, Choice, Check, and Item List Fields


Introduction

GTA Firewall UTM Appliances, powered by GB-OS, are predominantly administered using the platform-independent Web interface. A second user interface, the Console interface, allows the user to default policies in case of a configuration error, recover a GTA Firewall UTM Appliance, reset a misconfigured firewall to defaults and perform basic configuration tasks.

The Console interface is a GUI-based interface of hierarchical menus. It operates only on the GTA firewall console; it cannot be accessed in any other way. The Console interface should only be used for basic configuration or for recovery purposes. Comprehensive configuration settings are only available from the Web interface.

In this guide, the Console interface is illustrated and described in the order the functions appear in the Console interface menus. Navigation, common keystrokes, menu items and buttons are explained in Reference A: User Interface.

About This Guide

This guide only provides a brief overview when discussing configuration areas. For detailed explanations, examples and walkthroughs, refer to the GB-OS User’s Guide.

Conventions

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Bold Italics: Emphasis
Italics: Publications
Blue Underline: Clickable hyperlink (email address, Web site or in-PDF link)
Small Caps: On-screen field names
Monospace Font: On-screen text
Condensed Bold: On-screen menus, menu items
BOLD SMALL CAPS: On-screen buttons, links

Organization of the chapters in this guide is according to the Console interface’s menu structure. The exceptions to this rule include the Reference chapters. For the location of specific topics, please see the table of contents.

Additional Documentation

For additional instructions on installation, registration and setup of a GTA product, see applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate feature guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site.

Note: For the latest documentation, check the GTA Web site for current PDFs.

These manuals and other documentation can also be found on the GTA Web site (www.gta.com). Documents on the Web site are either in plain text (*.txt) or portable document format (*.pdf) which requires Adobe Reader version 7.0 or greater. A free copy of Adobe Reader can be obtained from www.adobe.com.


Available Documentation

Document: Topics
GB-OS User’s Guide: GB-OS features and Web user interface.
Mail Proxy Option Guide: Email anti-spam and anti-virus filtering optional feature.
Web Content Filtering Option Guide: Content filtering optional feature.
H2A High Availability Option Guide: High availability optional feature.
GTA VPN Option Guide: VPN (virtual private networks) feature.
www.gta.com: Hardware specifications, current documentation, examples

Connecting to the Console Interface

The Console interface is always available on the GTA firewall; access cannot be disabled. The Console interface is accessible using the serial port and a serial cable. To connect to the Console interface, a physical connection between the GTA firewall and either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable) is required.

1. Connect the GTA firewall to the workstation. To connect to the Console interface, connect your GTA firewall to a PC workstation using the serial port and boot up the firewall.
2. Configure the terminal emulation software. Enter the appropriate settings to emulate the console connections.
3. Enter the firewall administrator’s user name and password.

Connect to the Console interface using the serial cable included with your GTA firewall’s packaging.

Figure 1.1: Connecting to the Console Interface (GB-2500 GTA firewall, serial cable, PC workstation)


To connect to the GTA firewall using a computer running terminal emulation software, enter the following settings:

Table 1.1: Connecting to the Console Interface

Field: Description
Emulation: VT-100 or PuTTY
Port: COM port connected via DB-9 cable to the firewall
Baud Rate: 38400 (115200 for GB-300 & GB-850 models)
Data/Bit Rate: 8
Parity: None
Stop: 1
Flow Control: Hardware

Power on the GTA firewall. Once booted, you will be prompted for the firewall administrator’s user ID and password (defaults are fwadmin). The configuration menu screen (similar to the illustration below) should appear.

Figure 1.2: The Console Interface


Common Tasks

In most circumstances, the Console interface is used as an effort of last resort. Since configuration options are limited, firewall administrators generally use the Console interface when the Web interface is no longer accessible. Common tasks that are performed include resetting the firewall to factory defaults and switching the firewall’s active slice.

Note: This chapter only applies to issues that can be resolved using the Console interface. For more troubleshooting issues and solutions, refer to the GB-OS User’s Guide.

Resetting the firewall to factory defaults

Generally, resetting the firewall to factory defaults should only be performed when all other options have been exhausted, for example if login information has been irretrievably lost or if it is no longer possible to connect to the Web interface.

By resetting to factory defaults, all current configuration data will be erased and the firewall administrator’s user name and password will both become the case-sensitive user name and password fwadmin.

CAUTION: Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the desired settings.

How do I reset my firewall to factory defaults?

To reset your firewall to factory defaults, attach either a terminal (using a serial console cable), or a computer with terminal emulation software (using a DB-9 null-modem cable). Power on the GTA firewall. The following will be displayed:

GB-OS 6.2.x
loading ...

When the word “loading” appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:

Are you sure you want to reset your firewall configuration?: (“yes” or “no”)

To reset to factory defaults, type the word yes in lower case letters. Typing any other key will reboot the system without resetting to defaults. If there is no input after two minutes, the firewall will continue its boot process.

Switching the firewall’s active slice

The memory section (“slice”) feature can be used to test a new firewall configuration in production while preserving the current configuration in the other memory slice. Because each slice contains its own configuration, it is possible to roll back your firewall’s settings to a known good configuration.

How do I switch between slices?

In the following example, memory slice 1 contains the current configuration, and memory slice 2 is used for testing a configuration.

1. Reboot the firewall.


2. Select and boot memory slice 2.

CAUTION: Memory slice 2 will now be your active firewall.

3. Switch to the Web interface to make advanced configuration changes; the currently selected slice will load by default until another is selected.

4. To revert to the last configuration, reboot the firewall using the Console interface and select memory slice 1.

Note: The active slice can also be selected from within the Web interface. See the GB-OS User’s Guide for more information.

Using the Console Interface

This chapter provides a walkthrough of the Console interface, providing explanation and instruction on configuration areas. For information on the Console interface’s user interface, refer to Reference A: User Interface.

CAUTION: Any changes made to the configuration will be immediately applied to the firewall.

Note: If changes are saved in the Web interface, the Console interface will be automatically logged out.

Figure 2.1: The Console Interface


Config

The Config menu contains commands related to the setup and configuration of the GTA firewall. The Console interface is limited in its configuration options. To properly administer the firewall, use the Web interface.

Figure 2.2: The Config Menu

Configuration Verification

Configuration Verification will run a system configuration check on the GTA firewall. The check will verify all areas of the firewall’s configuration.

After you have configured your GTA firewall, run a configuration verification to ensure that you have a valid configuration. Verification happens every time a section or configuration is saved.

To verify your configuration, navigate to Config>Configuration Verification.

Figure 2.3: Verifying the Configuration

Email Configuration

The Email Configuration sub-section allows the user to email a copy of the firewall’s configuration and system information to a designated recipient. This function is useful for technical support purposes. Email Configuration sends an email with these reports:


• A Configuration Report
• HTML
• A Hardware Configuration Report
• A Verification Report
• A copy of the current routing table
• A copy of the current ARP table
• Active VPNs
• Active Policies
• Authenticated ARP Table
• Audit Events
• Current Statistics
• Hardware Summary
• Ipsec Tunnels
• Mail Proxy Polices, Routes, Statistics
• XML

Enter any additional information in the Comment(s) field. To email your firewall’s configuration, navigate to Config>Email Configuration.

Figure 2.4: Emailing the Configuration

Configuration Backup to a USB Device

Requirements:

• A valid support or maintenance contract is required to back up a configuration via the console to a USB device. Restoring a backup via the console from a USB device DOES NOT require a support contract.

• NTFS or FAT32 formatted USB device attached to the firewall.

To back up a configuration file to a USB device:

1. Attach a USB device.
2. Navigate to Config>Backup>Save.
3. The live configuration will be saved to the USB device.


Figure 2.5: Saving a Configuration File to a USB Device

Restoring a Configuration Backup From a USB Device

Note: The configuration can be restored to Live mode ONLY.

Console restore is always available and DOES NOT require a support contract.

To restore a backup from a USB device:

1. Attach the USB device containing the backup configuration file.
2. Navigate to Config>Backup>Restore.

Figure 2.6: Restoring a Configuration from a USB device

3. Select the configuration file to be restored.


Figure 2.7: Select a Configuration File

4. If the file is password protected, enter the password in the prompted field. Otherwise, select OK to continue.

Figure 2.8: Restoring a Configuration File

5. The console will verify whether activation codes on the live system match the configuration. A warning dialog will display if the activation codes do not match.

6. Once the configuration has been restored, press any key to reboot the firewall and apply the configuration.

Figure 2.9: Reboot the Firewall to Apply the Configuration


System

The System menu item contains menu options for configuring activation codes, contact information, the firewall’s date and time, and address objects.

Activation Codes

In Activation Codes, the administrator can enter the GTA firewall’s serial number and optional feature activation codes for options such as H2A High Availability, Content Filtering, Mail Proxy Anti-Spam & Anti-Virus or GTA Mobile VPN Client licenses. Activation codes entered during installation or pre-installed with hardware appliances will also appear.

Activation codes are provided with software or feature registration. Enter GTA firewall activation codes by highlighting the selected row and hitting <Return> to edit or <Insert> or the I key to add.

Select Save. The system will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version.

To enter activation codes, navigate to Config>System>Activation Codes.

Note: Activation codes will not function without the system serial number entered in the Serial field. GTA Firewall UTM Appliances have the serial number pre-installed. The firewall’s serial number can also be found on the card that shipped with the firewall or in the GTA Online Support Center.

Figure 2.10: Entering Activation Codes

Contact Information

Contact Information stores information about the firewall administrator. This information is used by email, reports and list functions.

To enter the firewall administrator’s contact information, navigate to Config>System>Contact Information.


Figure 2.11: Entering Contact Information

Table 2.1: Contact Information

Field Name: Description
Name: Enter the firewall administrator’s name.
Company: Enter the firewall administrator’s company.
Email Address: Enter the firewall administrator’s email address.
Phone Number: Enter the firewall administrator’s phone number.
Support Email Address: Enter the email address to be used for technical support. Default is [email protected]


Date/Time

Since the firewall’s date and local time are used to tag log messages, having the firewall configured to operate on accurate time settings is important. The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone.

To set your firewall’s date and time, navigate to Config>System>Date/Time.

Figure 2.12: Setting the Firewall’s Date and Time

Table 2.2: Date/Time

Field Name: Description
Date: Enter the current date as YYYY-MM-DD.
Time: Enter the current time (in 24 hour format) as HH:MM:SS.

Objects

Using objects increases speed and consistency when creating a configuration with GB-OS. A user need only define an address or group of addresses, an interface, or a configuration once, then select the object in each screen where that definition is required. Once the object is created, the user will only need to change the object to change the definition in all the locations where it is used.

In the Console interface, only address objects are available for configuration. To configure all other objects, it is necessary to log into the Web interface.

Address Objects

The address object list displays the name and description of all defined address objects. When using the Console interface, users can reset and save the address objects. Editing or inserting new address objects is not possible.

To view or reset the address object list, navigate to Config>System>Objects>Address Objects.


Figure 2.13: Address Objects

Accounts

The Accounts section contains configuration screens that display options for remote administration.

Note: Administration accounts are only configurable via the Web interface. For more information, refer to the GB-OS User’s Guide.

Remote Administration

Remote Administration controls remote administration via the Web interface, and whether a VPN connection requires User Authentication. The default settings enable remote administration and the ability to apply updates. The Web interface is served on standard TCP port 443 for SSL encryption.

To configure remote administration preferences, navigate to Config>Accounts>Remote Administration.

Figure 2.14: Remote Administration


Table 2.3: Remote Administration

Field: Description

WWW (Web Interface)
Enabled: Enables remote administration for the Web interface.
Server Port: The TCP port allowing Web administration. SSL encryption default is 443.
Encryption: A selection for SSL encryption. High SSL encryption is enabled by default. Setting encryption to <none> will turn off SSL encryption.
Zone: Specifies the Zone which will be allowed to connect.
Source Address: Specifies the source address allowed to connect.
Policy Compatibility: Enabling will preserve settings for those with certificate errors upon upgrade to GB-OS 6.0.3 and above which result in the loss of web administration. Disabling this option allows the web administration to send CAs imported on the firewall to a connecting client to assist in validating the authenticity of the remote administration certificate.

Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encrypted administration requires a remote access policy with a port that matches the remote administration port (443, by default).

SSL certificates include three validity checks:

1. An issuer, or self-issued certificate authority.
2. A date, which will be the date of certificate generation.
3. A name, which will be the firewall’s host name.

To create a certificate in which the name on the security certificate matches the name on the site, the host name found in Config>Network>Settings must match the name given to the firewall in the DNS Server. If you cannot match the host name, you may instead add the host name to the LMHOST file on Windows computers.

Table 2.4: Encryption Levels

Level: Key Strength: Description
None: n/a: Disables SSL encryption
SSL: 168-bit: A high level of SSL encryption. Difficult to break.

Generating SSL Certificates

A new certificate may be manually generated by selecting the New SSL Certificate button. This generates a new default firewall SSL certificate and will set the firewall’s remote administration certificate to this new default certificate.
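The three validity checks listed under Encryption are what an administrator’s browser applies to the firewall’s default self-signed certificate, and the host-name check is why the name in Config>Network>Settings has to match the DNS name used to reach the firewall. The following is an added example, not GB-OS code: check_admin_cert(), name_matches() and epoch() are hypothetical helpers, and SAMPLE_CERT is constructed in the dict shape Python’s ssl.getpeercert() returns for a connected peer.

```python
"""Apply the issuer, date and name checks a browser runs against a
remote-administration certificate.  Added example; the helpers and the
sample certificate are constructed, not taken from GB-OS."""
import ssl
import time

# Constructed: a default self-signed firewall certificate after parsing.
# Issuer equal to subject is what marks it as self-issued.
SAMPLE_CERT = {
    "subject": ((("commonName", "firewall.example.com"),),),
    "issuer": ((("commonName", "firewall.example.com"),),),
    "notBefore": "Jun 15 00:00:00 2016 GMT",
    "notAfter": "Jun 15 00:00:00 2026 GMT",
}


def epoch(cert_time):
    """Seconds since the epoch for a notBefore/notAfter string."""
    return ssl.cert_time_to_seconds(cert_time)


def _rdn_to_dict(rdns):
    """Flatten ssl-style ((('k', 'v'),), ...) tuples into a plain dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def subject_names(cert):
    """Host names the certificate claims: CN plus any DNS subjectAltName."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(cert, host):
    """True if host equals a certificate name (case-insensitive).  A name of
    the form *.example.com matches exactly one extra leftmost label."""
    host = host.lower().rstrip(".")
    for name in subject_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") >= 2:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_admin_cert(cert, host, now=None, trusted_issuers=()):
    """Return the list of reasons a browser would warn; [] means accepted.
    trusted_issuers stands in for the CAs (or the firewall's own self-signed
    certificate) that the administrator's browser has imported."""
    now = time.time() if now is None else now
    problems = []
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer_cn = issuer.get("commonName", "")
    # 1. issuer: self-issued certificates are only trusted once imported
    if issuer_cn not in trusted_issuers:
        kind = "self-signed" if issuer == subject else "unknown"
        problems.append(f"{kind} issuer {issuer_cn!r} is not trusted by this client")
    # 2. dates: the validity window starts at generation time
    if now < epoch(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > epoch(cert["notAfter"]):
        problems.append("certificate has expired")
    # 3. name: must equal the host name the browser connected to
    if not name_matches(cert, host):
        problems.append(f"name mismatch: certificate is for {subject_names(cert)}, "
                        f"connected to {host!r}")
    return problems


if __name__ == "__main__":
    when = epoch("Jan 01 00:00:00 2020 GMT")
    for host in ("firewall.example.com", "192.0.2.1"):
        print(host, check_admin_cert(SAMPLE_CERT, host, now=when,
                                     trusted_issuers=("firewall.example.com",)))
```

Connecting by IP address instead of the configured host name fails only the third check, which is the certificate error an administrator sees most often; importing the firewall’s certificate into the browser clears the first.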


Network

The Network section allows for the configuration of the firewall’s network settings, aliases, timeouts, NAT (Network Address Translation), pass through and routing.

Settings

Much of the data found in Network Settings will have been entered during installation, including the required protected and external network.

To define your network’s settings, navigate to Config>Network>Settings.

Figure 2.15: Network Settings

Entering the Host Name

The host name, defined in the Host name field, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Entering the Default Route

The default gateway, defined in the Default Route field, is a node on the network that serves as an access point to another network, usually the Internet. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface. If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the Default Route field is not needed.

Defining Network Interfaces

A network interface:

• Assigns a network (represented by an IP address and a subnet mask) to a physical NIC
• Designates a network type
• Identifies a gateway (default route)

A GTA firewall recommends two logical networks, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN).

Defined network interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall.


CAUTION: If a network interface’s name is changed, but a policy that references it is not updated to refer to the new name, all new connections maintained by the policy will fail to match.

Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will attempt to create one based on the network class in CIDR notation: Class C = /24, Class B = /16 or Class A = /8. Doing so helps prevent misconfiguration.

When editing a network interface, a table labeled Network Interface Cards will be displayed. The Network Interface Cards table shows information regarding the GTA firewall’s NICs, such as their MAC address and connection.

CAUTION: Use caution when changing the logical names of interfaces; if a logical name does not match a policy, you may lose access to the firewall.

To edit a network interface, highlight the desired interface and hit the Enter key.

Figure 2.16: Editing a Network Interface

Table 2.5: Defining a Network Interface

Field: Description
Name: Assign a logical name to identify the network interface. Network interface names may not use a number as the first character.
Gateway: Enable this checkbox if you wish to make the logical interface an Internet gateway.
NIC: The NIC to be used by the defined network interface.
Connection: AUTO is generally recommended. Selections are:
    AUTO: Auto-select the active network connection.
    UTP_10: Use the unshielded twisted pair interface at 10Mbps.
    TX_100: Use the unshielded twisted pair interface at 100Mbps.
    TX_1000: Use the unshielded twisted pair interface at 1000Mbps.
Option: Select Default (full- or half-duplex) or Full Duplex.


Table 2.5: Defining a Network Interface (continued)

Field: Description
MTU: Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance.

Interface Type
    External: Select to define the network interface as an external interface.
    Protected: Select to define the network interface as a protected interface.
    PSN (Private Service Network): Select to define the network interface as a PSN interface.

Network Address
    DHCP: Dynamic Host Configuration Protocol. DHCP is typically required for cable modem connections. When selected, the system uses DHCP to obtain an IP address for the specified interface. DHCP may be used on any and all network interfaces.
    IP Address: Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered.

Network Interface Cards
    NIC: The Network Interface Card (e.g., eth0).
    MAC Address: If the device is an Ethernet card, its MAC address will be displayed in this section. Use to assign a physical interface to a particular logical interface. Record MAC addresses before installation into GB-Ware hardware.
    Name: The name assigned to the NIC.
    Connection: The NIC’s connection speed.
        AUTO: Auto-selects the active network connection.
        UTP_10: Uses the unshielded twisted pair interface at 10Mbps.
        TX_100: Uses the unshielded twisted pair interface at 100Mbps.

Aliases

Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service group via a tunnel (e.g. multiple internal Web servers that all serve content to the external network). Aliases used on an external NIC attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached. If the IP alias is on the same logical network as the network interface’s primary IP address, use a subnet mask of 32 bits (255.255.255.255).

To configure aliases, navigate to Config>Network>Aliases. The Aliases screen will display all defined aliases. Press Enter to edit an existing alias, or press Insert or the I key to create a new alias.
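Three address rules from this section are easy to get wrong at a console prompt: the classful mask the firewall falls back to when the subnet mask is left empty (Defining Network Interfaces), the requirement that the default route sit on the external interface’s logical network (Entering the Default Route), and the /32 mask for an alias on the primary address’s own network (Aliases). The following is an added example, not GB-OS code, that checks a constructed definition against all three; classful_prefix(), complete_interface(), default_route_ok(), alias_problem() and audit() are hypothetical helper names, and the SAMPLE dicts are constructed. It also shows the caveat behind the classful fallback: on a CIDR-allocated block such as a /28, the inferred /24 is far wider than the real network, so the mask should be entered explicitly.

```python
"""Address sanity checks for interface, default-route and alias fields.
Added example; the helper names and sample definitions are constructed,
not taken from GB-OS."""
import ipaddress


def classful_prefix(ip):
    """Prefix length implied by the first octet's address class, which is
    what the firewall assumes when the mask field is empty:
    Class A /8, Class B /16, Class C /24."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip}: class D/E address has no classful mask")


def complete_interface(ip_field):
    """Accept 'a.b.c.d' or 'a.b.c.d/len' as typed into the IP Address field
    and return it with a mask, classful if none was given."""
    if "/" in ip_field:
        return ipaddress.IPv4Interface(ip_field)
    return ipaddress.IPv4Interface(f"{ip_field}/{classful_prefix(ip_field)}")


def default_route_ok(external, default_route):
    """The default route must be on the external interface's logical network."""
    return ipaddress.IPv4Address(default_route) in external.network


def alias_problem(primary, alias_field):
    """An alias on the primary address's own network should use a /32 mask."""
    alias = ipaddress.IPv4Interface(alias_field)
    if alias.ip in primary.network and alias.network.prefixlen != 32:
        return (f"alias {alias_field} is on {primary.network}; "
                f"enter it with /32 (255.255.255.255)")
    return None


def audit(defn):
    """Run every check over one definition dict; returns a list of findings
    (an empty list means nothing was flagged)."""
    findings = []
    external = complete_interface(defn["external"])
    if "/" not in defn["external"]:
        findings.append(f"external {defn['external']}: no mask entered, firewall "
                        f"will assume /{external.network.prefixlen} from the address class")
    if not default_route_ok(external, defn["default_route"]):
        findings.append(f"default route {defn['default_route']} is not on {external.network}")
    for alias_field in defn.get("aliases", []):
        problem = alias_problem(external, alias_field)
        if problem:
            findings.append(problem)
    return findings


# Constructed sample definitions using documentation-range addresses.
SAMPLE = {
    "external": "203.0.113.10",          # mask left empty
    "default_route": "203.0.113.1",
    "aliases": ["203.0.113.20/24", "198.51.100.5/24"],
}
SAMPLE_BAD_ROUTE = {
    "external": "203.0.113.10/28",       # real allocation is a /28
    "default_route": "203.0.113.200",    # outside 203.0.113.0/28
    "aliases": ["203.0.113.12/32"],
}

if __name__ == "__main__":
    for name, defn in (("SAMPLE", SAMPLE), ("SAMPLE_BAD_ROUTE", SAMPLE_BAD_ROUTE)):
        print(name)
        for finding in audit(defn) or ["ok"]:
            print("  ", finding)
```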


Figure 2.17: Editing an Alias

Table 2.6: Edit Alias

Field: Description
Name: A unique name to identify the alias elsewhere in the firewall’s configuration. Alias names may not use a number as the first character.
Interface: The interface that will have an alias applied.
IP Address/Netmask IPv4: The IP address of the alias.
IP Address/Netmask IPv6: The IP address of the alias.

Timeouts

Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching its timeout value differs for each IP protocol. For example, TCP has enough information embedded for GB-OS to determine when the connection is ready to close, but with ICMP and UDP, it is generally impossible to determine when a connection is ready to close.

To define timeouts, navigate to Config>Network>Preferences.

Figure 2.18: Defining Timeouts


Table 2.7: Timeouts

TCP Timeout: The time, in seconds, that the firewall will wait before timing out an idle TCP connection. Default is 600.
Send Keep Alives?: If a successfully created TCP connection remains idle for the timeout period and this field is disabled, the connection is marked ready to close. If this field is enabled, a keep-alive packet is sent instead. If the connection is still valid, the GTA firewall resets the connection's idle time to zero. If the connection is no longer valid, the GTA firewall sees the reset packet sent by the client to its server and marks the connection ready to close. If no response is received within five minutes, the GTA firewall marks the connection ready to close. Enabled by default.
Wait for ACK: As part of TCP connection creation, the client and server exchange several IP packets. All packets sent from the server have the ACK (acknowledgement) bit set in the TCP header. As part of Stateful Packet Inspection, the GTA firewall records whether this bit has been seen. If it is not seen, the remote server may be down. If this time is reached without an ACK from the server, the connection is marked ready to close. Default is 30 seconds.
UDP Timeout: The time, in seconds, that the firewall will wait before timing out an idle UDP connection. Default is 600.
ICMP Timeout: The time, in seconds, that the firewall will wait before timing out an idle ICMP connection. Default is 15.
Default Timeout: The timeout for any supported protocol other than TCP, UDP or ICMP. Default is 600 (10 minutes).
Wait for close: After a connection is marked ready to close, the GTA firewall waits this long before it actually removes the connection. This gives redundant IP packets a chance to clear the GTA firewall without causing false doorknob twist error messages. If your firewall is experiencing spurious "Inbound Policy" blocks from reply packets, typically from port 80 (the Internet), you may want to increase this value, giving packets from slow or distant connections more time to return before the connection is closed. Default is 20 seconds.
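The state machine that Table 2.7 describes can be made concrete. The Python model below is an added illustration for this guide, not GB-OS code: it takes the table's default values and applies them to a handful of tracked connections, showing when a keep-alive is sent, when an unanswered handshake is dropped (Wait for ACK), how UDP and ICMP entries expire on idle time alone, and how Wait for close keeps a closing entry around for late replies. The five-minute keep-alive grace period is the one the table states; the sweep times and connection keys are constructed.

```python
"""Idle-timeout handling modeled on GB-OS Table 2.7.

Added illustration, not GB-OS code: the defaults are the table's, the
state machine (keep-alive grace, ready-to-close, wait-for-close) is a
simplification of what a stateful filter does with those values.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULTS = {                 # seconds, from Table 2.7
    "tcp_timeout": 600,
    "send_keepalives": True,
    "wait_for_ack": 30,
    "udp_timeout": 600,
    "icmp_timeout": 15,
    "default_timeout": 600,
    "wait_for_close": 20,
}
KEEPALIVE_GRACE = 300        # "no response within five minutes" (Table 2.7)


@dataclass
class Conn:
    proto: str                                  # "tcp", "udp", "icmp" or other
    created: float
    last_seen: float
    acked: bool = False                         # TCP: server's ACK seen (Wait for ACK)
    keepalive_sent_at: Optional[float] = None
    ready_to_close_at: Optional[float] = None


class ConnTracker:
    def __init__(self, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.table = {}

    def open(self, key, proto, now):
        """First packet of a new connection (e.g. the client's SYN)."""
        self.table[key] = Conn(proto.lower(), now, now)

    def packet(self, key, now, from_server=False, ack=False, rst=False):
        """Account for a packet on an existing connection; returns the decision."""
        c = self.table.get(key)
        if c is None:
            return "no_state"            # falls through to policy ("Inbound Policy" block)
        if rst:
            c.ready_to_close_at = now    # reset seen: the connection is invalid
            return "ready_to_close"
        c.last_seen = now
        c.keepalive_sent_at = None       # any traffic answers an outstanding keep-alive
        if c.proto == "tcp" and from_server and ack:
            c.acked = True
        return "refreshed"

    def _idle_limit(self, proto):
        per_proto = {"tcp": "tcp_timeout", "udp": "udp_timeout", "icmp": "icmp_timeout"}
        return self.cfg[per_proto.get(proto, "default_timeout")]

    def sweep(self, now):
        """Periodic scan; returns {key: action} for every entry whose state changed."""
        actions = {}
        for key, c in list(self.table.items()):
            if c.ready_to_close_at is not None:
                if now - c.ready_to_close_at >= self.cfg["wait_for_close"]:
                    del self.table[key]         # late replies after this point are blocked
                    actions[key] = "closed"
                continue
            if c.proto == "tcp" and not c.acked and now - c.created >= self.cfg["wait_for_ack"]:
                c.ready_to_close_at = now       # server never answered the handshake
                actions[key] = "ready_to_close"
                continue
            if now - c.last_seen < self._idle_limit(c.proto):
                continue
            if c.proto == "tcp" and self.cfg["send_keepalives"]:
                if c.keepalive_sent_at is None:
                    c.keepalive_sent_at = now
                    actions[key] = "keepalive_sent"
                elif now - c.keepalive_sent_at >= KEEPALIVE_GRACE:
                    c.ready_to_close_at = now
                    actions[key] = "ready_to_close"
                continue
            c.ready_to_close_at = now           # UDP/ICMP/other: idle time is the only signal
            actions[key] = "ready_to_close"
        return actions
```

With the defaults, a TCP connection whose server never ACKs is marked ready to close at 30 s and removed 20 s later, an idle ICMP entry follows at 15 s, and an established TCP connection idle for 600 s gets a keep-alive first and is only marked ready to close if nothing comes back within 300 s. Raising Wait for close lengthens only the final window, which is why the table suggests it for spurious Inbound Policy blocks on slow return paths.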

NAT

Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, hiding the original IP address. In the Console interface, NAT is configured using inbound tunnels and static address mapping.

Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g. TCP, UDP, ICMP or HTTP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, Web (port 80) servers on a PSN to be reached from the Internet.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are used for inbound connections; they are not normally needed for traffic inbound from a protected network interface, which by default is allowed access to the other logical network types without a tunnel.

Tunnels can be created for these inbound connections:

• From an external network interface to a host on a PSN.
• From an external network interface to a host on a protected network.
• From a PSN interface to a host on a protected network.

A tunnel is defined by an interface (or alias) address and service on the outside, and an internal destination IP address.


Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network never sees the ultimate destination of the tunnel; the tunnel appears to be a service operating on the firewall itself.

If a tunnel terminates on an IP alias address, you may need to map the destination host to the IP alias using static address mapping, so that secondary connections opened by that host appear to originate from the same address as the tunnel rather than from the interface's primary address.

To configure inbound tunnels, navigate to Config>Network>NAT>Inbound Tunnels. The Inbound Tunnels screen displays all defined inbound tunnels, if any. Press Enter to edit an existing tunnel, or press Insert or the I key to create a new tunnel.

Figure 2.19: Creating an Inbound Tunnel

Table 2.8: Inbound Tunnels

Disable: A toggle for whether the inbound tunnel is disabled. Default is off (the tunnel is active).
Description: A short description identifying the function of the inbound tunnel.
Service: The service group (IP protocol and port) forwarded by the inbound tunnel.
From: The external destination IP address of the tunnel (an interface or alias address).
To: The internal destination IP address of the tunnel.
Automatic Accept All Policy: A toggle for whether the firewall automatically accepts all traffic for the tunnel regardless of configured policies. Default is enabled. Disable it if traffic through the tunnel should still be subject to the configured policy set.
Require Authentication: Requires users to authenticate to the firewall using GBAuth before initiating a connection through the tunnel. Default is off.
Hide Source: Hides the original source address of connections made through the tunnel. Useful when the GTA firewall is used on an intranet. Default is off.
SYN Cookies: A toggle for whether TCP SYN cookies are used for connections to the tunnel. Default is on.

Static Address Mapping

Static address mapping allows an internal IP address or subnet to be statically mapped to an interface or alias address during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically translated to the primary IP address of the outbound network interface. Static address mapping is used when the address used in NAT for a given host or subnet must be fixed.

To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface).


• The target of a map definition must be an IP alias or interface.
• Mapping is only associated with outbound packet flow.
• Map definitions may be for a single host or a subnet.

To configure static address mapping, navigate to Config>Network>NAT>Static Address Mapping. The Static Address Mapping screen displays all defined static address mappings, if any. Press Enter to edit an existing mapping, or press Insert or the I key to create a new mapping.

Figure 2.20: Creating a Static Address Mapping

Table 2.9: Static Address Mapping

From (source)
  Object: Select the address object that will be mapped.
  IP Address: If an address object cannot be used, select <USER DEFINED> and enter the IP address and subnet mask that will be mapped (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)).
To
  Interface: Select the interface or alias whose IP address the source will be mapped to.

Pass Through

The Pass Through section contains Hosts/Networks, which specifies IP addresses, subnets or networks whose traffic will not have NAT applied.

Hosts/Networks

Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See the product specifications for the number of pass-through hosts/networks available on a specific model.

To configure hosts or networks that bypass NAT, navigate to Config>Network>Pass Through>Hosts/Networks. The Hosts/Networks screen displays all defined hosts or networks, if any. Press Enter to edit an existing host or network, or press Insert or the I key to create a new host or network definition.


Figure 2.21: Defining a Host or Network

Table 2.10: Hosts/Networks

Object: Select the address object that will be used as the host member.
Address: If an address object cannot be used, select <USER DEFINED> as the Object and enter the IP address and subnet mask that will bypass NAT (e.g., to match a single IP address, use a subnet mask of /32 (255.255.255.255)).
Interface: Select the destination interface that should not apply NAT when outbound IP packets are received.
Destination Object/Address: The destination IP address (address object or user-defined address) for the Hosts/Networks definition.
Allow Inbound: Enable to accept unsolicited IP packets from the specified IP address. Disabled by default. Enabling it admits inbound packets from that address without a tunnel, so enable it only for hosts that need to reach the firewall's networks directly.
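The rules given in the Aliases, Inbound Tunnels, Static Address Mapping and Pass Through sections fit together as one translation model. The Python below is an added illustration, not GB-OS code; the SERVICES table, the address ranges and the class and method names are assumptions made for the example. It shows the 32-bit mask rule for an alias on the primary network, a tunnel lookup by destination address and service, the pass-through bypass, and the point made under Inbound Tunnels: without a static map, a host reached through an alias sends outbound traffic from the interface's primary address, and with one it sources from the alias.

```python
"""Address-translation model for aliases, inbound tunnels, static address
mapping and pass-through (added illustration, not GB-OS code).

Assumptions: service names map to (protocol, port) as in SERVICES; the
addresses are RFC 5737 / RFC 1918 documentation and private ranges; the
model implements only the rules stated in the text.
"""
import ipaddress as ip

SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}  # assumed names


class NatModel:
    def __init__(self, interfaces):
        """interfaces: {name: (address/prefix, kind)}, kind = external | psn | protected."""
        self.ifaces = {n: (ip.ip_interface(a), k) for n, (a, k) in interfaces.items()}
        self.aliases = {}        # name -> (interface name, ip_interface)
        self.tunnels = []        # inbound tunnels
        self.static_maps = []    # (source network, target address)
        self.pass_through = []   # networks that leave with their real source address

    def _addr(self, name):
        """Resolve an interface or alias name to its address."""
        if name in self.ifaces:
            return self.ifaces[name][0].ip
        if name in self.aliases:
            return self.aliases[name][1].ip
        raise KeyError(f"{name} is neither an interface nor an alias")

    def add_alias(self, name, iface, addr):
        if name[:1].isdigit():
            raise ValueError("alias names may not use a number as the first character")
        a = ip.ip_interface(addr)
        primary, _ = self.ifaces[iface]
        # Same logical network as the primary address: the text requires a 32-bit mask.
        if a.ip in primary.network and a.network.prefixlen != a.max_prefixlen:
            raise ValueError(f"{a} is on {primary.network}; use a 32-bit mask")
        self.aliases[name] = (iface, a)

    def add_tunnel(self, service, from_name, to_addr, disabled=False):
        proto, port = SERVICES[service]
        self.tunnels.append({"proto": proto, "port": port, "from": self._addr(from_name),
                             "to": ip.ip_address(to_addr), "disabled": disabled})

    def add_static_map(self, source, target_name):
        # "The target of a map definition must be an IP alias or interface."
        self.static_maps.append((ip.ip_network(source), self._addr(target_name)))

    def add_pass_through(self, network):
        self.pass_through.append(ip.ip_network(network))

    def inbound(self, dst, proto, port):
        """Translated internal destination for an inbound packet, or None if no tunnel matches."""
        d = ip.ip_address(dst)
        for t in self.tunnels:
            if not t["disabled"] and t["from"] == d and (t["proto"], t["port"]) == (proto, port):
                return str(t["to"])
        return None            # no tunnel: the implicit deny applies

    def outbound_source(self, src, egress_iface):
        """Source address a packet from src carries when it leaves egress_iface."""
        s = ip.ip_address(src)
        if any(s in n for n in self.pass_through):
            return str(s)                              # NAT not applied
        matches = [(n, tgt) for n, tgt in self.static_maps if s in n]
        if matches:
            return str(max(matches, key=lambda m: m[0].prefixlen)[1])  # most specific map wins
        return str(self.ifaces[egress_iface][0].ip)    # default: interface's primary address
```

Building the model with an external interface 203.0.113.2/24, an alias 203.0.113.10/32 and an HTTP tunnel from the alias to 192.168.1.20 reproduces the behaviour the text warns about: the Web server is reached via 203.0.113.10, but its own outbound connections leave as 203.0.113.2 until a static map for 192.168.1.20/32 targets the alias.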

Routing

The Routing section contains RIP, which is used to receive routing tables, and Static Routes, which define static paths between one internal subnet and another.

RIP

RIP (Routing Information Protocol) is typically used by routers to receive updated routing tables. RIP is an IP routing protocol that broadcasts and/or listens to routing information in order to choose the most efficient route for a packet. Routers using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops; beyond that, the route is flagged as unreachable.

CAUTION
Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks, and that accepting routing updates from RIP sources you do not control allows those sources to redirect the firewall's traffic, compromising network security.

RIP is disabled by default on GB-OS, so routing information that would redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for RIP version 1 or 2.

To configure RIP, navigate to Config>Network>Routing>RIP. The RIP screen displays all defined interfaces and their RIP configuration. Two checkboxes are available on the RIP screen, Enable and Advertise Default Route. Toggle the Enable checkbox to enable the service. Enable the Advertise Default Route checkbox if you wish to advertise the firewall as the default route on any protected network or PSN on which RIP is enabled. Highlight an interface and press Enter to edit its RIP settings.

Figure 2.22: RIP Setup

Table 2.11: Edit RIP Interface

Enabled: Enables RIP on the interface.
Interface: The interface for which RIP is being configured. Not configurable.
Input: Determines which version of RIP is accepted from other routers on this interface. The choices are:
• <1>: Only version 1 RIP is accepted.
• <2>: Only version 2 RIP is accepted.
• <Both>: Both version 1 and 2 are accepted.
Output: Determines which version of RIP is exported or broadcast on this interface. The choices are:
• <1>: Version 1 RIP is exported.
• <2>: Version 2 RIP is exported.
• <Both>: Both version 1 and 2 are exported.
Password Type: Type of authentication applied to RIPv2 updates. If a type other than None is selected, the Password field is enabled. Types are: None, Clear and MD5. Clear places the password in plaintext in every update, so anyone who can capture traffic on the segment can read it; MD5 sends a keyed digest of the update instead, so the key is never transmitted and a modified update fails verification. This only applies to RIPv2.
Password: Password (or MD5 key) that a router must use for its routing information to be accepted through RIPv2.
Key ID: Identifier of the pre-shared key. This only applies to RIPv2 when MD5 authentication is used.
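The difference between the Clear and MD5 Password Types is visible on the wire. The Python below builds RIPv2 Response packets in both formats, following the RFC 2453 simple-password layout and the RFC 2082 keyed-MD5 layout, and checks them as a receiving router would. It is an added illustration, not GB-OS code; the route set, password, Key ID and sequence number are constructed values, and only one key per Key ID is modeled.

```python
"""RIPv2 authentication as it appears on the wire: Clear (simple password,
RFC 2453) versus MD5 (keyed digest, RFC 2082).

Added illustration, not GB-OS code. The sequence number is supplied by
the caller rather than tracked, and one key per Key ID is assumed.
"""
import hashlib
import hmac
import ipaddress as ip
import struct

AFI_AUTH = 0xFFFF          # address family reserved for authentication entries
AUTH_SIMPLE = 2            # RFC 2453 simple password ("Clear")
AUTH_MD5 = 3               # RFC 2082 keyed MD5
AUTH_TRAILER = 1           # type field of the MD5 trailer entry
HDR_LEN, ENTRY_LEN = 4, 20


def _route_entry(network, metric, next_hop="0.0.0.0"):
    net = ip.ip_network(network)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ip.ip_address(next_hop).packed, metric)


def build_update(routes, auth="none", password=b"", key_id=1, seq=0):
    """RIPv2 Response carrying routes = [(network, metric), ...]."""
    header = struct.pack("!BBH", 2, 2, 0)                 # command=response, version=2
    entries = b"".join(_route_entry(n, m) for n, m in routes)
    if auth == "none":
        return header + entries
    if auth == "clear":
        # The 16-byte password travels as-is in the first entry of every update.
        return header + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password[:16]) + entries
    if auth == "md5":
        pkt_len = HDR_LEN + ENTRY_LEN + len(entries)      # offset of the trailer
        auth_entry = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq)
        trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
        key = password[:16].ljust(16, b"\0")
        body = header + auth_entry + entries + trailer
        digest = hashlib.md5(body + key).digest()         # key is hashed in, never sent
        return body + digest
    raise ValueError(f"unknown auth type {auth!r}")


def sniff_password(pkt):
    """What a passive listener on the segment learns from a Clear-authenticated update."""
    afi, atype = struct.unpack("!HH", pkt[4:8])
    if afi == AFI_AUTH and atype == AUTH_SIMPLE:
        return pkt[8:24].rstrip(b"\0")
    return None


def tamper_metric(pkt, new_metric):
    """Rewrite the metric of the first route entry (16 means unreachable in RIP)."""
    off = HDR_LEN + ENTRY_LEN if struct.unpack("!H", pkt[4:6])[0] == AFI_AUTH else HDR_LEN
    return pkt[:off + 16] + struct.pack("!I", new_metric) + pkt[off + 20:]


def verify(pkt, password=b"", keys=None):
    """Receiver's check. Returns (accepted, reason)."""
    afi, atype = struct.unpack("!HH", pkt[4:8])
    if afi != AFI_AUTH:
        return False, "unauthenticated update"
    if atype == AUTH_SIMPLE:
        ok = hmac.compare_digest(pkt[8:24], password[:16].ljust(16, b"\0"))
        return ok, "simple password" if ok else "wrong password"
    if atype == AUTH_MD5:
        pkt_len, key_id, data_len, _seq = struct.unpack("!HBBI", pkt[8:16])
        if data_len != 16 or len(pkt) != pkt_len + 4 + 16:
            return False, "malformed md5 trailer"
        if pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
            return False, "missing md5 trailer"
        key = (keys or {}).get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        expected = hashlib.md5(pkt[:pkt_len + 4] + key[:16].ljust(16, b"\0")).digest()
        ok = hmac.compare_digest(expected, pkt[pkt_len + 4:])
        return ok, "md5 ok" if ok else "md5 digest mismatch"
    return False, f"unknown auth type {atype}"
```

A passive listener recovers the Clear password directly from bytes 8 to 24 of every update, and an altered route entry still passes the Clear check because only the password bytes are compared. The MD5 digest covers the whole update and the key itself is never sent, so both a wrong key and a rewritten metric are rejected. MD5 is a dated primitive, but for RIPv2 it is the only keyed option offered and is far preferable to Clear on any segment you do not fully control.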


Static Routes

Static routes define routing paths between one subnet and another. A static route supersedes the default gateway defined in Config>Network>Settings for the destinations it covers.

Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall sends traffic for the other internal subnet to its default gateway, and packets from that subnet arrive on an interface the firewall does not associate with their addresses, which produces address spoof messages. Static routes solve this problem by directing internal traffic back to the appropriate internal router before it reaches the default gateway, so the firewall correctly routes internal multi-subnet traffic to other internal IPs.

To configure static routes, navigate to Config>Network>Routing>Static Routes. The Static Routes screen displays all defined static routes, if any. Press Enter to edit an existing static route, or press Insert or the I key to create a new static route.

Figure 2.23: Static Route Setup

Table 2.12: Configuring Static Routes

Network
  Object: The address object (or interface object) whose addresses are subject to the static route, or <USER DEFINED> to enter an address.
  IP Address: If <USER DEFINED> has been selected for the network's Object, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
Gateway
  Object: IP address or interface object of the gateway (next hop) for this static route.
  IP Address: If <USER DEFINED> has been selected for the gateway's Object, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
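The Python below shows why the static route removes the spoof messages the text mentions. It is an added illustration, not GB-OS code: it models longest-prefix routing over the connected networks, the static routes and the default gateway, plus a reverse-path check in the spirit of the Deny Address Spoof preference (Table 2.13), which requires a packet's source to route back out the interface it arrived on. The interface names, addresses and internal router address are constructed.

```python
"""Static routes and the spoof check they prevent (added illustration,
not GB-OS code).

Assumptions: longest-prefix match over directly connected networks,
static routes and the default gateway; the spoof check is a reverse-path
test against that table.
"""
import ipaddress as ip


class RoutingTable:
    def __init__(self, interfaces, default_gateway):
        """interfaces: {name: "address/prefix"}; connected networks become routes."""
        self.ifaces = {n: ip.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(i.network, None, n) for n, i in self.ifaces.items()]
        self.add_static_route("0.0.0.0/0", default_gateway)     # default route, least specific

    def _iface_toward(self, gateway):
        for name, i in self.ifaces.items():
            if gateway in i.network:
                return name
        raise ValueError(f"gateway {gateway} is not on a directly connected network")

    def add_static_route(self, network, gateway):
        gw = ip.ip_address(gateway)
        self.routes.append((ip.ip_network(network), gw, self._iface_toward(gw)))

    def lookup(self, dst):
        """(egress interface, next hop) for dst; a more specific route supersedes the default."""
        d = ip.ip_address(dst)
        net, gw, iface = max((r for r in self.routes if d in r[0]), key=lambda r: r[0].prefixlen)
        return iface, str(gw if gw is not None else d)

    def check_source(self, src, arrival_iface):
        """Deny Address Spoof: accept only if src would be reached via arrival_iface."""
        egress, _ = self.lookup(src)
        return "ok" if egress == arrival_iface else "address spoof"
```

With interfaces 203.0.113.2/24 (external) and 192.168.1.1/24 (protected) and default gateway 203.0.113.1, a packet from 192.168.2.5 arriving on the protected interface is flagged, because 192.168.2.0/24 routes to the default gateway on the external side. Adding a static route for 192.168.2.0/24 via the internal router 192.168.1.254 makes the lookup return the protected interface, so the check passes and replies to that subnet go to the internal router instead of the default gateway. The same check rejects a private source address arriving on the external interface.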

Security Policies

Policies control access to and through the GTA firewall. The implicit rule, "that which is not explicitly allowed is denied," applies to both outbound and inbound packets. Unless a policy is in place that accepts a packet, it is denied by default. Country blocking is available in GB-OS 6.1 and above.


The Console interface only allows policy sets to be reset to their defaults. To define security policies, log in to the Web interface.

Preferences

Policy preferences allow the firewall administrator to globally define most logging and policy settings for all defined policies in one location. Logging options for automatic policies, tunnel connections ("opens" and "closes") and policy blocks may be selected.

From the Alarms section the firewall administrator can set the default parameters for alarm notifications. When a policy is matched, an alarm event is generated and the alarm count is incremented by one. If either the time threshold or the alarm-count threshold is exceeded, a notification is sent documenting all the events. Multiple messages are sent if the number of events exceeds the maximum count.

From the General section the firewall administrator can enable or disable automatic policies and choose, per category, whether to generate alarms, send email, send an ICMP "service not available" message, or log an event.

To set policy preferences, navigate to Config>Security Policies>Preferences.

Figure 2.24: Policy Preferences

Table 2.13: Policy Preferences

General
Automatic Policies: Options: Enable/Disable, Log. GTA recommends leaving automatic policies enabled.
Connection Limiting: Always enabled. Options: Log, Report.
Country: Always enabled. Options: Alarm, ICMP, Log, Report.
Deny Address Spoof: Always enabled. Options: Alarm, Email, Log.
Deny Doorknob Twist: Always enabled. Options: Alarm, Email, ICMP, Log.
Deny Fragments: Options: Enable/Disable, Log. Can be used to block some fragment attacks. GTA recommends leaving this option disabled.
Deny Invalid Packets: Always enabled. Option: Log packets.
Deny Unexpected Packets: Always enabled. Options: Enable/Disable, Log.
Ident: Options: Enable/Disable.
Stealth Mode: Options: Enable/Disable, Log. Stealth mode has priority over all filters.
TCP Syn Cookies: Options: Enable/Disable, Log.
Policy Blocks: Options: Enable/Disable, Log.
Tunnel Opens: Always enabled. Option: Log, enabled by default.
Tunnel Closes: Always enabled. Option: Log, enabled by default.

Reset to Factory Defaults

Reset to Factory Defaults resets all GTA firewall configuration parameters back to their original factory settings. This function is available only from the Console interface, so it requires console (serial) access to the firewall. To reset your GTA firewall, navigate to Config>Reset to Factory Defaults.

CAUTION
Resetting your GTA firewall to factory defaults will wipe out all previously configured settings.

Once you have used Reset to Factory Defaults, you must configure your firewall again. For configuring your GTA firewall, please refer to the GB-OS User's Guide. When the menu item is selected, a pop-up window requests confirmation of the reset request. Select the OK button to confirm the command.


Tools

The Tools section contains a number of tools useful for administering and troubleshooting the firewall's configuration.

Figure 3.1: The Tools Menu

Shutdown

The Shutdown configuration screen, located at Tools>Shutdown, contains the halt and reboot functions.

Halt

Halt properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the firewall must be restarted from the console interface or be physically reset.

To halt the firewall, navigate to Tools>Shutdown>Halt. When the menu item is selected, a pop-up window requests confirmation of the halt request. Select the OK button to confirm the command.

Reboot

Reboot restarts the firewall. To reboot the firewall, navigate to Tools>Shutdown>Reboot. When the menu item is selected, a pop-up window requests confirmation of the reboot request. Select the OK button to confirm the command.

Network Diagnostics

The Network Diagnostics configuration screen, located at Tools>Network Diagnostics, contains the ping and trace route tests, which are useful for verifying connectivity, and the Flush ARP Table function.

Flush ARP Table

The ARP table lists the currently known ARP entries: the IP address to MAC address translations and the TTL (Time to Live) of each entry. ARP table entries are kept for 20 minutes and are scanned every five (5) minutes for expired entries. Once an entry has expired, the firewall will not try to re-map the address for 20 seconds. Flushing the ARP table clears the cache of IP addresses resolved by the Address Resolution Protocol and recorded in the ARP table.

To flush the ARP table, navigate to Tools>Network Diagnostics>Flush ARP Table. When the menu item is selected, a pop-up window requests confirmation of the flush request. Select the OK button to confirm the command.


Ping

The ping function executes the network ping connectivity test using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network. The firewall sends five ICMP echo requests to the target destination and displays the resulting statistics.

To ping an IP address or domain name, navigate to Tools>Network Diagnostics>Ping, enter the address into the Host field and select the OK button.

Figure 3.2: Pinging an IP Address

Trace Route

The trace route function performs a routing trace from the firewall to a designated IP address or domain name. Like Ping, Trace Route is useful for testing network connectivity. To determine whether a route to an Internet host is viable, the trace route function sends UDP probe packets with a short time to live (TTL) and listens for an ICMP "time exceeded" reply from each gateway along the path. Three probes are sent for each hop, and the output shows the TTL, the address of the gateway that replied, and the round trip time of each probe.

To trace the route to an IP address or domain name, navigate to Tools>Network Diagnostics>Trace Route, enter the address into the Host field and select the OK button.


Figure 3.3: Tracing an IP Address

Interfaces

The Interfaces configuration screen, located at Tools>Interfaces, allows a network interface on the firewall to be Enabled ("up" and capable of sending/receiving packets) or <Disabled> ("down" and incapable of sending/receiving packets).

CAUTIONDisabling the network interface on which your computer resides will result in loss of connectivity to the firewall.

To toggle an interface between enabled and disabled, navigate to Tools>Interfaces, highlight the interface and press the spacebar.

Figure 3.4: Enabling an Interface


Reports

The Reports section contains the hardware report, which is useful for troubleshooting purposes.

Figure 4.1: The Reports Menu

Hardware

The Hardware Report generates a report of the hardware components detected in your system and is useful in diagnosing hardware problems. If you suspect a hardware problem, generate this report and review the hardware listed. GTA's technical support staff may also request a current hardware report in order to resolve a GTA firewall issue.

To run the hardware report, navigate to Reports>Hardware.

Figure 4.2: Running the Hardware Report


Reference A: User Interface

The Console interface is a menu-driven, text-based interface of hierarchical menus. As the name implies, the Console interface operates only on the GTA firewall console; you access it from a workstation attached to the firewall's serial port, using a terminal emulator such as PuTTY. The Console interface can only be used to perform limited configuration tasks, as it is primarily a fail-safe. It is best suited for administrative tasks when the Web interface is not available.

Figure A.1: The Console Interface

Features:

• Physical access control (one access point) when used as the only access to the firewall.
• Reset capability.
• Fail-safe access to the firewall.

Keystroke Commands

All data entry and interface navigation is done using the keyboard attached to the terminal or workstation running terminal emulation software.

Table A.1: Keystroke Commands

<Esc>: Exit/Cancel
<F2>: Display all list choices
<F6>: Clear field
<F7>: Previous field
<F8> or <Tab>: Next field
<F10>: Ok/Save
<F12>: Toggle color display
<Del> or <Backspace>: Delete or backspace
<Spacebar>: Toggle choice list / Select highlighted button
<Insert> or <I>: Insert line item


Navigation

Although the Console interface's display may vary based upon your method of connection, all variations use the following menus, buttons, fields and lists for navigation.

Menus

There are five top-level menus in the Console interface: Config, Tools, Reports, Exit and Help. Most configuration items are found under the Config menu. Tools useful for troubleshooting your firewall's configuration are located under the Tools menu. Reports contains the Hardware Report, which generates a report on your firewall's hardware configuration. Exit contains the command to exit the Console interface, while Help displays the GB-OS version number.

Use the keyboard arrow keys to move through the menus and press the <Return> or <Spacebar> key to select the function currently highlighted.

Figure A.2: Menus

Buttons

Buttons are fields that appear similar to the Web interface's buttons; these Console button fields can be selected by pressing <Return> or <Spacebar> when the field is highlighted.

Table A.2: Buttons

Save: Saves the configuration screen.
Cancel: Cancels changes and exits the configuration screen or section.
OK: Exits the screen, or executes an administrative action.
Default: Creates configuration settings in the section that conform to the GTA firewall's current settings; not factory settings.
Send: Sends email.

Entry, Choice, Check, and Item List Fields

Fields in the Console interface can be data entry fields, choice/selection fields, check fields and item list fields.

Data fields are represented by either a blank line or a line with a default or placeholder entry (e.g., 0.0.0.0/24) as a data format example. Some fields are prefilled by the system and are unavailable for data entry.


Choice fields offer the user a number of items from which to select the desired entry; scroll through the available selections by pressing the <Spacebar>.

Check fields are either enabled [X] or disabled [ ]. Use the <Spacebar> key to toggle a check field.

Item list fields represent the items that have been entered in sections with more than one item. Open the edit screen for an item by highlighting it and pressing <Return>.


Copyright

Copyright © 1996-2016, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days "up and running" installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local Authorized GTA Channel Partner.

Tel: +1.407.380.0220 Email: [email protected]

Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.

Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.

Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights
GB-OS and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). All other products are trademarks of their respective companies.

Global Technology Associates, Inc.

3361 Rouse Rd, Suite 240 • Orlando, FL 32817 USA Tel: +1.407.380.0220 • Fax: +1.407.380.6080 • Web: http://www.gta.com • Email: [email protected]