8/3/2019 Console Guide 5.4
1/43
GB-OS 5.4 Console Users Guide
Global Technology Associates
3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Email: [email protected]
Web: www.gta.com
Document number: GBOSCG201009-01
GB-OS Console Users Guide
Table of Contents
Introduction  1
  About This Guide  1
  Conventions  1
  Additional Documentation  1
Connecting to the Console Interface  3
Common Tasks  5
  Resetting the firewall to factory defaults  5
  Switching the firewall's active slice  6
    How do I switch between slices?  6
Using the Console Interface  7
  Config  8
    Configuration Verification  8
    Email Configuration  9
  System  10
    Activation Codes  10
    Contact Information  11
    Date/Time  12
  Objects  13
    Address Objects  13
  Accounts  14
    Remote Administration  14
  Encryption  15
    Generating SSL Certificates  15
  Network  16
    Settings  16
      Entering the Host Name  16
      Entering the Default Route  16
      Defining Network Interfaces  16
    Aliases  19
    Timeouts  20
    NAT  21
      Inbound Tunnels  21
      Static Address Mapping  23
    Pass Through  24
      Hosts/Networks  24
    Routing  25
      RIP  25
      Static Routes  27
  Security Policies  28
    Preferences  28
    Reset to Factory Defaults  29
Tools  30
  Shutdown  30
    Halt  30
    Reboot  30
  Network Diagnostics  30
    Flush ARP Table  30
    Ping  31
    Trace Route  31
  Interfaces  32
Reports  33
  Hardware  33
Reference A: User Interface  34
  Keystroke Commands  35
  Navigation  35
    Menus  35
    Buttons  36
    Entry, Choice, Check, and Item List Fields  36
Introduction

GTA Firewall UTM Appliances, powered by GB-OS, are predominantly administered using the platform-independent Web interface. A second user interface, the Console interface, allows the user to default policies in case of a configuration error, recover a GTA Firewall UTM Appliance, reset a misconfigured firewall to defaults and perform basic configuration tasks.

The Console interface is a GUI-based interface of hierarchical menus. It operates only on the GTA firewall console; it cannot be accessed in any other way. The Console interface should only be used for basic configuration or for recovery purposes. Comprehensive configuration settings are only available from the Web interface.

In this guide, the Console interface is illustrated and described in the order the functions appear in the Console interface menus. Navigation, common keystrokes, menu items and buttons are explained in Reference A: User Interface.

About This Guide

This guide only provides a brief overview when discussing configuration areas. For detailed explanations, examples and walkthroughs, refer to the GB-OS Users Guide.

Conventions

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Bold Italics: Emphasis
Italics: Publications
Blue Underline: Clickable hyperlink (email address, Web site or in-PDF link)
Small Caps: On-screen field names
Monospace Font: On-screen text
Condensed Bold: On-screen menus, menu items
Bold Small Caps: On-screen buttons, links

Organization of the chapters in this guide is according to the Console interface's menu structure. The exceptions to this rule include the Reference chapters. For the location of specific topics, please see the table of contents.

Additional Documentation

For additional instructions on installation, registration and setup of a GTA product, see applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate feature guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site.

Note
For the latest documentation, check the GTA Web site for current PDFs.

These manuals and other documentation can also be found on the GTA Web site (www.gta.com). Documents on the Web site are either in plain text (*.txt) or portable document format (*.pdf), which requires Adobe Reader version 7.0 or greater. A free copy of Adobe Reader can be obtained from www.adobe.com.
Available Documentation

Document: Topics
GB-OS Users Guide: GB-OS features and Web user interface.
GB Commander Product Guide: GB Commander for GTA firewalls.
GTA Reporting Suite Product Guide: GTA Reporting Suite stand-alone reporting software.
Mail Sentinel Option Guide: Email anti-spam and anti-virus filtering optional feature.
Surf Sentinel Content Filtering Option Guide: Content filtering optional feature.
H2A High Availability Option Guide: High availability optional feature.
GTA VPN Option Guide: VPN (virtual private networks) feature.
www.gta.com: Hardware specifications, current documentation, examples
Connecting to the Console Interface

The Console interface is always available on the GTA firewall; access cannot be disabled. The Console interface is accessible using the serial port and a serial cable. To connect to the Console interface, a physical connection between the GTA firewall and either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable) is required.

1. Connect the GTA firewall to the workstation. To connect to the Console interface, connect your GTA firewall to a PC workstation using the serial port and boot up the firewall.
2. Configure the terminal emulation software. Enter the appropriate settings to emulate the console connection.
3. Enter the firewall administrator's user name and password.

Connect to the Console interface using the serial cable included with your GTA firewall's packaging.

Figure 2.1: Connecting to the Console Interface (GB-2000 GTA Firewall, serial cable, PC workstation)
To connect to the GTA firewall using a computer running terminal emulation software, enter the following settings:

Table 2.1: Connecting to the Console Interface
Field: Description
Emulation: VT-100 or PuTTY
Port: COM port connected via DB-9 cable to the firewall
Baud Rate: 38400
Data/Bit Rate: 8
Parity: None
Stop: 1
Flow Control: Hardware

Power on the GTA firewall. Once booted, you will be prompted for the firewall administrator's user ID and password (both default to fwadmin). The configuration menu screen (similar to the illustration below) should appear.

Figure 2.2: The Console Interface
Common Tasks

In most circumstances, the Console interface is used as a last resort. Since configuration options are limited, firewall administrators generally use the Console interface when the Web interface is no longer accessible. Common tasks include resetting the firewall to factory defaults and switching the firewall's active slice.

Note
This chapter only applies to issues that can be resolved using the Console interface. For more troubleshooting issues and solutions, refer to the GB-OS Users Guide.

Resetting the firewall to factory defaults

Generally, resetting the firewall to factory defaults should only be performed when all other options have been exhausted, for example if login information has been irretrievably lost or if it is no longer possible to connect to the Web interface.

By resetting to factory defaults, all current configuration data will be erased, and the firewall administrator's user name and password will both become the case-sensitive user name and password fwadmin.

CAUTION
Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the desired settings.

How do I reset my firewall to factory defaults?

To reset your firewall to factory defaults, attach either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable).

Power on the GTA firewall. The following will be displayed:

    GB-OS 5.3.x
    loading ...

When the word loading appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:

    Are you sure you want to reset your firewall configuration?: (yes or no)

To reset to factory defaults, type the word yes in lower-case letters. Typing anything else will reboot the system without resetting to defaults. If there is no input after two minutes, the firewall will continue its boot process.
Switching the firewall's active slice

The memory section (slice) feature can be used to test a new firewall configuration in production while preserving the current configuration in the other memory slice. Because each slice contains its own configuration, it is possible to roll back your firewall's settings to a known good configuration.

How do I switch between slices?

In the following example, memory slice 1 contains the current configuration, and memory slice 2 is used for testing a configuration.

1. Reboot the firewall.
2. Select and boot memory slice 2.

CAUTION
Memory slice 2 will now be your active firewall.

3. Switch to the Web interface to make advanced configuration changes; the currently selected slice will load by default until another is selected.
4. To revert to the last configuration, reboot the firewall using the Console interface and select memory slice 1.

Note
The active slice can also be selected from within the Web interface. See the GB-OS Users Guide for more information.
Using the Console Interface

This chapter provides a walkthrough of the Console interface, with explanation and instruction on configuration areas.

CAUTION
Any changes made to the configuration will be immediately applied to the firewall.

Note
For information on the Console interface's user interface, refer to Reference A: User Interface.

Figure 4.1: The Console Interface
Config

The Config menu contains commands related to the setup and configuration of the GTA firewall. The Console interface is limited in its configuration options. To properly administer the firewall, use the Web interface.

Figure 4.2: The Config Menu

Configuration Verification

Configuration Verification runs a system configuration check on the GTA firewall. The check verifies all areas of the firewall's configuration.

After you have configured your GTA firewall, run a configuration verification to ensure that you have a valid configuration. Verification also happens every time a section or configuration is saved.

To verify your configuration, navigate to Config>Configuration Verification.

Figure 4.3: Verifying the Configuration
Email Configuration

The Email Configuration sub-section allows the user to email the firewall's configuration to the entered recipient. This function is useful for technical support purposes.

Email Configuration allows the user to email a copy of the system information to a designated email address. It sends an email with these reports:

    A Configuration Report
    HTML
    A Hardware Configuration Report
    A Verification Report
    A copy of the current routing table
    A copy of the current ARP table
    Active VPNs
    Active Policies
    Authenticated ARP Table
    Audit Events
    Current Statistics
    Hardware Summary
    IPsec Tunnels
    Mail Sentinel Policies, Routes, Statistics
    XML

Enter any additional information in the Comment(s) field.

To email your firewall's configuration, navigate to Config>Email Configuration.

Figure 4.4: Emailing the Configuration
System

The System menu item contains menu options for configuring activation codes, contact information, the firewall's date and time, and address objects.

Activation Codes

In Activation Codes, the administrator can enter the GTA firewall's serial number and optional feature activation codes for options such as H2A High Availability, Surf Sentinel, Mail Sentinel Anti-Spam & Anti-Virus or GTA Mobile VPN Client licenses. Activation codes entered during installation or pre-installed with hardware appliances will also appear.

Activation codes are provided with software or feature registration. Enter GTA firewall activation codes by highlighting the selected row and pressing Enter to edit, or Insert or the I key to add. Select Save. The system will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version.

To enter activation codes, navigate to Config>System>Activation Codes.

Note
Activation codes will not function without the system serial number entered in the Serial field. GTA Firewall UTM Appliances have the serial number pre-installed. The firewall's serial number can also be found on the card that shipped with the firewall or in the GTA Online Support Center.

Figure 4.5: Entering Activation Codes
Contact Information

Contact Information stores information about the firewall administrator. This information is used by email, reports and list functions.

To enter the firewall administrator's contact information, navigate to Config>System>Contact Information.

Figure 4.6: Entering Contact Information

Table 4.1: Contact Information
Field Name: Description
Name: Enter the firewall administrator's name.
Company: Enter the firewall administrator's company.
Email Address: Enter the firewall administrator's email address.
Phone Number: Enter the firewall administrator's phone number.
Support Email Address: Enter the email address to be used for technical support. Default is
Date/Time

Since the firewall's date and local time are used to tag log messages, having the firewall configured to operate on accurate time settings is important. The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone.

To set your firewall's date and time, navigate to Config>System>Date/Time.

Figure 4.7: Setting the Firewall's Date and Time

Table 4.2: Date/Time
Field Name: Description
Date: Enter the current date as YYYY-MM-DD.
Time: Enter the current time (in 24-hour format) as HH:MM:SS.
Objects

Using objects increases speed and consistency when creating a configuration with GB-OS. A user need only define an address or group of addresses, an interface, or a configuration once, then select the object in each screen where that definition is required. Once the object is created, the user only needs to change the object to change the definition in all the locations where it is used.

In the Console interface, only address objects are available for configuration. To configure all other objects, it is necessary to log into the Web interface.

Address Objects

The address object list displays the name and description of all defined address objects. When using the Console interface, users can reset and save the address objects. Editing or inserting new address objects is not possible.

To view or reset the address object list, navigate to Config>System>Objects>Address Objects.

Figure 4.11: Address Objects
Accounts

The Accounts section contains configuration screens that display options for remote administration.

Note
Administration accounts are only configurable via the Web interface. For more information, refer to the GB-OS Users Guide.

Remote Administration

Remote Administration controls remote administration via the Web interface, and whether a VPN connection requires User Authentication. The default settings enable remote administration and the ability to apply updates. The Web interface is served on standard TCP port 443 for SSL encryption.

To configure remote administration preferences, navigate to Config>Accounts>Remote Administration.

Figure 4.12: Remote Administration

Table 4.6: Remote Administration
Field: Description
WWW (Web Interface)
Enabled: Enables remote administration for the Web interface.
Server Port: The TCP port allowing Web administration. SSL encryption default is 444.
Encryption: A selection for the level of SSL encryption. All levels of SSL encryption are enabled by default. Setting encryption to None will turn off SSL encryption.
Automatic All: A selection for whether automatic policies should be enabled for all interfaces.
Automatic Protected: A selection for whether automatic policies should be enabled for the protected interface.
Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encrypted administration requires a remote access policy with a port that matches the remote administration port (443, by default).

SSL certificates include three validity checks:
1. An issuer, or self-issued certificate authority.
2. A date, which will be the date of certificate generation.
3. A name, which will be the firewall's host name.

To create a certificate in which the name on the security certificate matches the name on the site, the host name found in Config>Network>Settings must match the name given to the firewall in the DNS server. If you cannot match the host name, you may instead add the host name to the LMHOSTS file on Windows computers.

Table 4.7: Encryption Levels
Level     Key Strength        Description
None      n/a                 Disables SSL encryption
All       n/a                 Accepts low/medium/high levels of encryption
Low       40-, 56-, 64-bit    A low level of SSL encryption. Easier to break.
Medium    128-bit             A medium level of SSL encryption. Harder to break.
High      168-bit             A high level of SSL encryption. Difficult to break.

Generating SSL Certificates

Each time GB-OS is updated, the SSL certificate is renewed for a period of one year from the release build date. You may also manually generate a new certificate by using the New SSL Certificate button. This creates a new SSL certificate for the firewall, which is valid for one year from its creation date.

Note
Changing the firewall's host name will automatically generate a new SSL certificate using the new host name.
Network

The Network section allows for the configuration of the firewall's network settings, aliases, timeouts, NAT (Network Address Translation), pass through and routing.

Settings

Much of the data found in Network Settings will have been entered during installation, including the required protected and external network. To define your network settings, navigate to Config>Network>Settings.

Figure 4.13: Network Settings

Entering the Host Name

The host name, defined in the Host Name field, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down into a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network's DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Entering the Default Route

The default gateway, defined in the Default Route field, is a node on the network that serves as an access point to another network, usually the Internet. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface. If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the Default Route field is not needed.

Defining Network Interfaces

A network interface:
    Assigns a network (represented by an IP address and a subnet mask) to a physical NIC
    Designates a network type
    Identifies a gateway (default route)

A GTA firewall requires two logical networks, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN).

Defined network interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall.

CAUTION
If a network interface's name is changed, but a policy that references it is not updated to refer to the new name, all new connections maintained by the policy will fail to match.
Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will attempt to create one based on the network class, in CIDR notation: Class C = /24, Class B = /16 or Class A = /8. Doing so helps prevent misconfiguration.

When editing a network interface, a table labeled Network Interface Cards will be displayed. The Network Interface Cards table shows information regarding the GTA firewall's NICs, such as their MAC address and connection.

CAUTION
Use caution when changing the logical names of interfaces; if a logical name does not match a policy, you may lose access to the firewall.

To edit a network interface, highlight the desired interface and hit the Enter key.

Figure 4.14: Editing a Network Interface

Table 4.8: Defining a Network Interface
Field: Description
Name: Assign a logical name to identify the network interface. Network interface names may not use a number as the first character.
Gateway: Enable this checkbox if you wish to make the logical interface an Internet gateway.
NIC: The NIC to be used by the defined network interface.
Connection: AUTO is generally recommended. Selections are:
    AUTO: Auto-select the active network connection.
    UTP_10: Use the unshielded twisted pair interface at 10 Mbps.
    TX_100: Use the unshielded twisted pair interface at 100 Mbps.
Option: Select Default (full- or half-duplex) or Full Duplex.
MTU: Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance.
Interface Type
External: Select to define the network interface as an external interface.
Protected: Select to define the network interface as a protected interface.
PSN (Private Service Network): Select to define the network interface as a PSN interface.
Table 4.8: Defining a Network Interface (continued)
Field: Description
Network Address
DHCP: Dynamic Host Configuration Protocol. DHCP is typically required for cable modem connections. When selected, the system uses DHCP to obtain an IP address for the specified interface. DHCP may be used on any and all network interfaces.
IP Address: Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered.
Network Interface Cards
NIC: The Network Interface Card (e.g., eth0).
MAC Address: If the device is an Ethernet card, its MAC address will be displayed in this section. Use it to assign a physical interface to a particular logical interface. Record MAC addresses before installation into GB-Ware hardware.
Name: The name assigned to the NIC.
Connection: The NIC's connection speed.
    AUTO: Auto-selects the active network connection.
    UTP_10: Uses the unshielded twisted pair interface at 10 Mbps.
    TX_100: Uses the unshielded twisted pair interface at 100 Mbps.
Aliases

Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service group via a tunnel (e.g. multiple internal Web servers that all serve content to the external network). Aliases used on an external NIC attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached.

If the IP alias is on the same logical network as the network interface's primary IP address, use a subnet mask of 32 bits (255.255.255.255).

To configure aliases, navigate to Config>Network>Aliases. The Aliases screen will display all defined aliases. Press Enter to edit an existing alias, or press Insert or the I key to create a new alias.

Figure 4.15: Editing an Alias

Table 4.9: Edit Alias
Field: Description
Name: A unique name to identify the alias elsewhere in the firewall's configuration. Alias names may not use a number as the first character.
Interface: The interface that will have an alias applied.
IP Address/Netmask: The IP address of the alias.
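The Settings, Default Route, Network Interfaces and Aliases sections each state a rule the firewall's own Configuration Verification would catch. As an added example (not code from this guide or from GB-OS), the following Python applies those rules to a constructed configuration: the classful fallback mask, names that may not start with a number, a default route on the external interface's logical network, and a /32 mask for an alias on its interface's own network. The data classes, the first-octet class boundaries and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def default_prefix_for_class(ip: str) -> int:
    """Classful prefix GB-OS falls back to when no subnet mask is entered:
    Class A (first octet 0-127) = /8, Class B (128-191) = /16, Class C (192-223) = /24.
    The octet boundaries are the classic ones, assumed here."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def parse_address(addr: str) -> ipaddress.IPv4Interface:
    """Parse 'a.b.c.d/nn' or 'a.b.c.d/255.255.255.0'; a bare 'a.b.c.d' gets the classful mask."""
    if "/" not in addr:
        addr = f"{addr}/{default_prefix_for_class(addr)}"
    return ipaddress.IPv4Interface(addr)


@dataclass
class Interface:
    name: str
    kind: str                      # "external", "protected" or "psn"
    address: Optional[str] = None  # None when the address comes from DHCP or PPP


@dataclass
class Alias:
    name: str
    interface: str
    address: str                   # IP address/netmask of the alias


def verify(interfaces: List[Interface], aliases: List[Alias],
           default_route: Optional[str]) -> List[str]:
    """Apply the guide's rules; returns human-readable problems (empty list = passes)."""
    problems = []
    by_name = {i.name: i for i in interfaces}

    for i in interfaces:
        if i.name[:1].isdigit():
            problems.append(f"interface {i.name}: name may not start with a number")

    # The default route must be on the same logical network as a static external
    # interface; with DHCP/PPP on the external side no route entry is needed.
    static_externals = [i for i in interfaces if i.kind == "external" and i.address]
    if default_route and static_externals:
        route = ipaddress.IPv4Address(default_route)
        if not any(route in parse_address(e.address).network for e in static_externals):
            problems.append(f"default route {default_route}: not on any external interface network")

    for a in aliases:
        if a.name[:1].isdigit():
            problems.append(f"alias {a.name}: name may not start with a number")
        owner = by_name.get(a.interface)
        if owner is None:
            problems.append(f"alias {a.name}: interface {a.interface} is not defined")
            continue
        alias_if = parse_address(a.address)
        if owner.address:
            primary = parse_address(owner.address)
            # Alias on the interface's own logical network: the guide says use a 32-bit mask.
            if alias_if.ip in primary.network and alias_if.network.prefixlen != 32:
                problems.append(f"alias {a.name}: on {owner.name}'s network, use /32 not /{alias_if.network.prefixlen}")
    return problems


# Constructed sample configuration (documentation-range addresses, not a real site).
SAMPLE_INTERFACES = [
    Interface("External", "external", "203.0.113.10/24"),
    Interface("Protected", "protected", "192.168.1.1"),   # no mask entered: classful /24
    Interface("2ndPSN", "psn", "10.5.0.1/16"),           # invalid: starts with a number
]
SAMPLE_ALIASES = [
    Alias("WebAlias", "External", "203.0.113.20/24"),    # same network as primary: needs /32
    Alias("ExtraNet", "External", "198.51.100.1/24"),    # different subnet: mask is fine
]

if __name__ == "__main__":
    for problem in verify(SAMPLE_INTERFACES, SAMPLE_ALIASES, "203.0.113.1"):
        print(problem)
```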
Timeouts

Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching its timeout value differs for each IP protocol. For example, TCP has enough information embedded for GB-OS to determine when the connection is ready to close, but with ICMP and UDP it is generally impossible to determine when a connection is ready to close.

To define timeouts, navigate to Config>Network>Timeouts.

Figure 4.16: Defining Timeouts

Table 4.10: Timeouts
Field: Description
TCP
Timeout: The time, in seconds, that the firewall will wait before timing out TCP packets. Default is 600.
Send Keep Alives?: If a successfully created TCP connection remains idle for the timeout period and this field is disabled, the connection is marked ready to close. If this field is enabled, a Keep Alive packet is sent. If the connection is still valid, the GTA firewall will set the connection idle time to zero. If the connection is invalid, the GTA firewall will see a reset packet indicating this, sent by the client to its server, and will mark the connection ready to close. If no response is received within five minutes, the GTA firewall will mark the connection ready to close. Enabled by default.
Wait for ACK: As part of TCP connection creation, the client and server exchange several IP packets. All packets sent from the server will have a bit indicating ACK (acknowledgement) in the header. As part of Stateful Packet Inspection, the GTA firewall keeps a record of seeing this bit. If it is not seen, the remote server may be down. If the idle time is reached without an ACK from the server, the connection is marked ready for close. Default is 30 seconds.
UDP Timeout: The time, in seconds, that the firewall will wait before timing out UDP packets. Default is 600.
ICMP Timeout: The time, in seconds, that the firewall will wait before timing out ICMP packets. Default is 15.
Default Timeout: This is the timeout for any supported protocol other than TCP, UDP or ICMP. After a connection is marked as ready to close, the GTA firewall will wait five seconds before it actually closes the connection. This gives redundant IP packets a chance to clear the GTA firewall without causing false "doorknob twist" error messages. Default is 600 (10 minutes).
Wait for close: If your firewall is experiencing spurious Remote Access Policy blocks from reply packets, typically from port 80 (the Internet), you may want to increase this value, giving packets from slow or distant connections more time to return before the connection is closed. Default value is 20 seconds.
NAT

Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address. NAT is applied in the Console interface using inbound tunnels and static mapping.

Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g. TCP, UDP, ICMP or HTTP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, computers such as Web (port 80) servers on a PSN to be reached from the Internet.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are typically used with inbound connections; they are not normally used for traffic inbound from a protected network interface, which is by default allowed access to the other logical network types without use of a tunnel.

Tunnels can be created for these inbound connections:
    From an external network interface to a host on a PSN.
    From an external network interface to a host on a protected network.
    From a PSN interface to a host on a protected network.

Tunnels are defined by an interface and service IP and an internal destination IP address.

Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on the firewall.

If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping so that secondary connections appear to originate from the same address as the tunnel.

To configure inbound tunnels, navigate to Config>Network>NAT>Inbound Tunnels. The Inbound Tunnels screen will display all defined inbound tunnels, if any. Press Enter to edit an existing tunnel, or press Insert or the I key to create a new tunnel.

Figure 4.17: Creating an Inbound Tunnel
Table 4.11: Inbound Tunnels
Field: Description
Disable: A toggle for whether the inbound tunnel should be disabled or not. Default is off.
Description: A short description to identify the function of the inbound tunnel.
Service: Select the IP protocol to be used by the inbound tunnel.
From: Select the external destination IP address of the tunnel.
To: Select the internal destination IP address of the tunnel.
Automatic Accept All Policy: A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Default is enabled.
Require Authentication: Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. Default is off.
Hide Source: Hides the source of the inbound tunnel connection. Useful for when the GTA firewall is used on an intranet. Default is off.
SYN Cookies: A toggle for whether TCP SYN Cookies should be used or not. Default is on.
Static Address Mapping
Static address mapping allows an internal IP address or subnet to be statically mapped to an interface
during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically assigned
to the primary IP address of the outbound network interface. Static address mapping is used when it is
desirable to statically assign the IP address used in NAT.
To use static address mapping, first assign at least one IP alias to the desired outbound network
interface (external network interface or PSN interface).
The target of a map definition must be an IP alias or interface. Mapping is only associated with outbound packet flow.
Map definitions may be for a single host or a subnet.
To configure static address mapping, navigate to Config>Network>NAT>Static Address Mapping. The Static Address
Mapping screen will display all defined static address mappings, if any. Press Enter to edit an existing
mapping, or press Insert or the I key to create a new mapping.
Figure 4.18: Creating a Static Address Mapping
Table 4.12: Static Address Mapping
Field Description
From (source)
Object Select the address object that will be mapped.
IP Address If an address object cannot be used, enter the IP address and subnet mask that will be mapped (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)) by selecting .
To Interface Select the address object representing the IP address to which the source will be mapped.
Pass Through
The Pass Through section contains Hosts/Networks, which specifies an IP address, subnet or network that will
not have NAT applied to its traffic.
Hosts/Networks
Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See
product specifications for the number of pass through hosts/networks available on a specific model.
To configure hosts or networks that will bypass NAT, navigate to Config>Network>Pass Through>Hosts/Networks. The Hosts/Networks screen will display all defined hosts or networks, if any. Press Enter to edit an existing
host or network, or press Insert or the I key to create a new host or network definition.
Figure 4.19: Dening a Host or Network
Table 4.13: Hosts/Networks
Field Description
Object Select the address object that will be used as the host member.
Address If an address object cannot be used, select as the Object and enter the IP address and subnet mask that will be mapped (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)).
Interface Select the destination interface that should not apply NAT when outbound IP packets are received.
Allow Inbound Enable to accept unsolicited IP packets from the specified IP address. Disabled by default.
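The NAT source-selection rules described in the Static Address Mapping and Pass Through sections above, as an added Python model that is not GB-OS code or part of this guide: pass-through hosts leave the interface untranslated, statically mapped hosts leave with their mapped alias, and everything else is dynamically translated to the interface's primary address. The class and function names, the longest-prefix tie-break between overlapping map definitions, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Hypothetical model of the NAT rules described in the guide.
# Class and function names are assumptions, not GB-OS identifiers.


@dataclass(frozen=True)
class Interface:
    name: str
    primary: IPv4Address             # primary IP address of the outbound interface
    aliases: FrozenSet[IPv4Address]  # IP aliases assigned to the interface


@dataclass(frozen=True)
class StaticMap:
    source: IPv4Network   # "From": a single host (/32) or a subnet
    target: IPv4Address   # "To Interface": must be an alias or interface address


@dataclass(frozen=True)
class PassThrough:
    address: IPv4Network         # host or network whose traffic bypasses NAT
    interface: str               # destination interface on which NAT is not applied
    allow_inbound: bool = False  # "Allow Inbound": accept unsolicited packets


def outbound_source(src_ip: str, iface: Interface, maps: List[StaticMap],
                    pass_throughs: List[PassThrough]) -> Tuple[IPv4Address, str]:
    """Return the source address an outbound packet leaves with, and the rule that chose it."""
    src = ip_address(src_ip)
    # 1. Pass-through hosts/networks leave the named interface untranslated.
    for pt in pass_throughs:
        if pt.interface == iface.name and src in pt.address:
            return src, "pass-through (no NAT)"
    # 2. Static address mapping. Assumption: when several definitions cover the
    #    source, the most specific (longest prefix) one is used.
    best = None
    for m in maps:
        if src in m.source and (best is None or m.source.prefixlen > best.source.prefixlen):
            best = m
    if best is not None:
        # The guide requires the map target to be an IP alias or interface address.
        if best.target != iface.primary and best.target not in iface.aliases:
            raise ValueError(f"map target {best.target} is not an alias of {iface.name}")
        return best.target, "static address mapping"
    # 3. Default behaviour: dynamic NAT to the interface's primary address.
    return iface.primary, "dynamic NAT (interface primary)"


def inbound_allowed(dst_ip: str, iface: Interface, pass_throughs: List[PassThrough]) -> bool:
    """Unsolicited inbound packets reach a pass-through host only when Allow Inbound is set."""
    dst = ip_address(dst_ip)
    return any(pt.interface == iface.name and dst in pt.address and pt.allow_inbound
               for pt in pass_throughs)


# Constructed sample configuration (RFC 5737 / RFC 1918 addresses, not a real site).
EXT = Interface("EXT", ip_address("203.0.113.1"),
                frozenset({ip_address("203.0.113.2"), ip_address("203.0.113.3")}))
MAPS = [
    StaticMap(ip_network("192.168.1.0/24"), ip_address("203.0.113.2")),   # whole subnet
    StaticMap(ip_network("192.168.1.50/32"), ip_address("203.0.113.3")),  # one host
]
PASS = [PassThrough(ip_network("10.9.0.0/16"), "EXT", allow_inbound=True)]

if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.50", "192.168.2.7", "10.9.1.1"):
        print(host, "->", *outbound_source(host, EXT, MAPS, PASS))
```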
Routing
The Routing section contains RIP, which is used to receive routing tables, and Static Routes, which are used
to define static paths between one internal subnet and another.
RIP
RIP (Routing Information Protocol) is typically used by routers to receive updated routing tables. RIP is
an IP routing protocol that allows broadcasting and/or listening to routing information in order to choose
the most efficient route for a packet. Hosts using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops;
more than that, and the route is flagged as unreachable.
CAUTION
Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may
decrease performance rather than help small networks, and acceptance of RIP sources can compromise network security.
RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from
external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for
either RIP version 1 or 2.
To configure RIP, navigate to Config>Network>Routing>RIP. The RIP screen will display all defined interfaces and their RIP configuration. There are two checkboxes available on the RIP screen, Enable and Advertise
Default Route. Toggle the Enable checkbox to enable the service. Enable the Advertise Default Route
checkbox if you wish to advertise the default route on any protected network or PSN on which RIP is enabled. Press Enter to
edit an existing RIP interface entry, or press Insert or the I key to create a new one.
Figure 4.20: RIP Setup
Table 4.14: Edit RIP Interface
Field Description
Enabled Enables the RIP interface.
Interface The interface for which RIP is being configured. Not configurable.
Input Controls how RIP is implemented. Input determines whether any version of RIP will be accepted from other routers. The choices are: Version 1 RIP is accepted or exported; Version 2 RIP is accepted or exported; both version 1 and 2 are used.
Output Controls how RIP is implemented. Output determines whether any version of RIP will be exported or broadcast. The choices are: Version 1 RIP is accepted or exported; Version 2 RIP is accepted or exported; both version 1 and 2 are used.
Password Type Type of encryption that will be used. If an encryption is selected, the Password field is enabled. Encryption types are: None, Clear and MD5. This only applies to RIPv2.
Password Password that must be used to collect routing information through RIPv4.
Key ID Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used.
Static Routes
Static Routes define routing paths between one subnet and another. Static routes supersede the default
gateway defined in Config>Network>Settings.
Defining a static route is useful when there is a router between different parts of an internal network,
creating multiple subnets within your internal network. Without a static route, the firewall routes all traffic,
even if it should be directed to a different subnet on the internal network. Traffic will not travel from
internal subnets in this case, causing spoofing messages. Static routes solve this problem by diverting
internal traffic back to the appropriate internal subnet before it reaches a gateway. Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs.
To configure static routes, navigate to Config>Network>Routing>Static Routes. The Static Routes screen
will display all defined static routes, if any. Press Enter to edit an existing static route, or press Insert or
the I key to create a new static route definition.
Figure 4.21: Static Route Setup
Table 4.15: Configuring Static Routes
Field Description
Network
Object IP address(es) whose traffic will be subject to the static route, selected by the appropriate interface object.
IP Address If has been selected for the network's Object, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
Gateway
Object IP address or interface object of the destination/gateway (default route) selected for this static route.
IP Address If has been selected for the gateway's Object, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
Security Policies
Policies control access to and through the GTA firewall. The implicit rule, that which is not explicitly
allowed is denied, applies to both outbound and inbound packets. Unless a policy is in place allowing
for a situation where a packet is accepted, it will always be denied by default.
The Console interface only allows for the defaulting of policy sets. To define security policies, it is
required to log in to the Web interface to do so.
Preferences
Policy preferences allow the firewall administrator to globally define most logging and policy definitions
for all defined policies in one location. Logging options for automatic policies, tunnel connections
(opens and closes) and policy blocks may be selected.
From the Alarms section the firewall administrator can set the default parameters for alarm notifications.
When a policy is matched, an alarm event is activated. Each alarm event increments the alarm count by
one. If either the time or number of alarms threshold is exceeded, a notification will be sent documenting
all the events. Multiple messages will be sent if the number of events exceeds the maximum count.
From the General section the firewall administrator can enable or disable automatic policies, generate
alarms, send email, send an ICMP service not available message, or log an event.
To set policy preferences, navigate to Config>Security Policies>Preferences.
Figure 4.22: Policy Preferences
Table 4.16: Policy Preferences
Field Description
Alarms
Send email for alarms... Sets the intervals for when an email should be dispatched to the firewall's administrator.
Maximum Alarms per Email Maximum number of alarm messages included in a single email message. An alarm message is generally 200 bytes.
Attempt to Log Host Names Attempt to resolve the host name of the IP address that generated the alarm.
Page When Threshold Reached If a pager is enabled and this option is enabled, a pager notification is sent when an alarm threshold is exceeded.
General
Automatic Policies Options: Enable/Disable; Log. GTA recommends leaving automatic
policies enabled.
Deny Address Spoof Always enabled. Options: Alarm, Email, Log.
Deny Doorknob Twist Always enabled. Options: Alarm, Email, ICMP, Log.
Deny Fragments Options: Enable/Disable, Log. Can be used to block some fragment attacks. GTA recommends leaving this option disabled.
Deny Invalid Packets Always enabled. Option: Log packets.
Deny Unexpected Packets Always enabled. Option: Enable/Disable, Log.
Stealth Mode Options: Enable/Disable, Log.
TCP Syn Cookies Options: Enable/Disable, Log.
Policy Blocks Options: Enable/Disable, Log. Stealth mode has priority over all lters.
Tunnel Opens Always enabled. Option: Log, enabled by default.
Tunnel Closes Always enabled. Option: Log, enabled by default.
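The alarm count and time thresholds described in the Preferences section above, as an added Python model that is not part of this guide or of GB-OS: each matched policy increments the alarm count, reaching either threshold sends a notification documenting all pending events, and more events than Maximum Alarms per Email are split across several messages. The class names, the reading of "exceeded" as reaching the count or the interval, and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical model of the alarm thresholds on the Policy Preferences screen.
# Names and the exact threshold semantics are assumptions, not GB-OS code.

ALARM_MESSAGE_BYTES = 200  # the guide says an alarm message is generally 200 bytes


@dataclass(frozen=True)
class AlarmEvent:
    time: float   # seconds (constructed clock values in demo() below)
    policy: str   # the policy that matched
    source: str   # address that triggered the alarm


@dataclass
class AlarmNotifier:
    count_threshold: int    # number-of-alarms threshold
    time_threshold: float   # seconds the oldest pending alarm may wait before sending
    max_per_email: int      # "Maximum Alarms per Email"
    pending: List[AlarmEvent] = field(default_factory=list)
    emails: List[List[AlarmEvent]] = field(default_factory=list)

    def record(self, event: AlarmEvent) -> int:
        """A policy matched: the alarm count goes up by one; send when a threshold is reached."""
        self.pending.append(event)
        if len(self.pending) >= self.count_threshold:
            self._send_all()
        else:
            self.tick(event.time)
        return len(self.emails)

    def tick(self, now: float) -> int:
        """Periodic check: the time threshold can trip without a new alarm arriving."""
        if self.pending and now - self.pending[0].time >= self.time_threshold:
            self._send_all()
        return len(self.emails)

    def _send_all(self) -> None:
        # Every pending event is documented; if they exceed the maximum count per
        # email, multiple messages are sent, each holding at most max_per_email.
        for i in range(0, len(self.pending), self.max_per_email):
            self.emails.append(self.pending[i:i + self.max_per_email])
        self.pending = []

    def bytes_sent(self) -> int:
        """Rough size of the notifications sent so far, at 200 bytes per alarm."""
        return sum(len(e) for e in self.emails) * ALARM_MESSAGE_BYTES


def demo() -> AlarmNotifier:
    """Constructed scenario: threshold of 3 alarms or 60 s, at most 2 alarms per email."""
    n = AlarmNotifier(count_threshold=3, time_threshold=60.0, max_per_email=2)
    n.record(AlarmEvent(0.0, "Deny Doorknob Twist", "198.51.100.7"))
    n.record(AlarmEvent(1.0, "Deny Doorknob Twist", "198.51.100.7"))
    n.record(AlarmEvent(2.0, "Deny Address Spoof", "192.0.2.44"))  # third alarm: count threshold hit
    n.record(AlarmEvent(100.0, "Policy Blocks", "198.51.100.9"))   # one alarm left pending
    n.tick(170.0)                                                  # 70 s later: time threshold hit
    return n


if __name__ == "__main__":
    for i, email in enumerate(demo().emails, 1):
        print(f"email {i}: {[e.policy for e in email]}")
```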
Reset to Factory Defaults
Reset to Factory Defaults will reset all GTA firewall configuration parameters back to their original factory
settings. This function is exclusive to the Console interface for ultimate security. To reset your GTA
firewall, navigate to Config>Reset to Factory Defaults.
CAUTION
Resetting your GTA firewall to factory defaults will wipe out all previously configured settings.
Once you have used Reset to Factory Defaults, you must configure your firewall again. For configuring your
GTA firewall, please refer to the GB-OS Users Guide.
When the menu item is selected, a pop-up window is displayed which requests confirmation of the reset
request. Select the OK button to confirm the command.
Tools
The Tools section contains a number of tools useful for administrating and troubleshooting the firewall's
configuration.
Figure 4.23: The Tools Menu
Shutdown
The Shutdown configuration screen, located at Tools>Shutdown, contains halt and reboot services.
Halt
Halt properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the
firewall must be restarted from the console interface or be physically reset.
To halt the firewall, navigate to Tools>Shutdown>Halt. When the menu item is selected, a pop-up window
is displayed which requests confirmation of the halt request. Select the OK button to confirm the
command.
Reboot
Reboot restarts the firewall. To reboot the firewall, navigate to Tools>Shutdown>Reboot. When the menu item is
selected, a pop-up window is displayed which requests confirmation of the reset request. Select the OK
button to confirm the command.
Network Diagnostics
The Network Diagnostics configuration screen, located at Tools>Network Diagnostics, contains ping and traceroute
tests, which are useful for verifying connectivity.
Flush ARP Table
The ARP Table list contains a list of currently known ARP addresses. The list contains the IP address to MAC address translations and the TTL (Time to Live) for each entry. ARP table entries are kept for 20
minutes and are scanned every five (5) minutes to check for expired entries. Once an entry is expired, the firewall will not try to re-map the address for 20 seconds.
Flushing the ARP Table will clear the cache of IP addresses resolved by the address resolution protocol and recorded in the ARP table.
To flush the ARP Table, navigate to Tools>Network Diagnostics>Flush ARP Table. When the menu item is selected, a pop-up window is displayed which requests confirmation of the reset request. Select the OK button to confirm the command.
Ping
The ping function executes the network ping connectivity test by using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network.
The firewall will attempt to send five ICMP ping packets to the target destination and will display relevant statistics.
To ping an IP address or domain name, navigate to Tools>Network Diagnostics>Ping, enter the address into the Host field and select the OK button.
Figure 4.24: Pinging an IP Address
Trace Route
The trace route function performs a routing trace from the firewall to a designated IP address or domain
name. Like Ping, Trace Route is useful for testing network connectivity. To determine whether a route to
an Internet host is viable, the trace route function launches UDP probe packets with a short time to live
(TTL), and then listens for an ICMP time exceeded reply from a gateway.
When the trace is active, three probes are launched for each gateway, with the output showing the TTL,
address of the gateway, and round trip time of each probe.
To trace an IP address or domain name, navigate to Tools>Network Diagnostics>Trace Route, enter the address
into the Host field and select the OK button.
Figure 4.25: Tracing an IP Address
Interfaces
The Interfaces configuration screen, located at Tools>Interfaces, allows a network interface on the firewall
to be Enabled (up and capable of sending/receiving packets), or Disabled (down and incapable of
sending/receiving packets).
CAUTION
Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.
To toggle an interface to be enabled or disabled, navigate to Tools>Network Diagnostics>Interface, highlight the
selected interface and hit the spacebar.
Figure 4.26: Enabling an Interface
Reports
The Reports section contains the hardware report, which is useful for troubleshooting purposes.
Figure 4.27: The Reports Menu
Hardware
The Hardware Report generates a report of the hardware components detected in your system and is
useful in diagnosing hardware problems. If you suspect a hardware problem, generate this report and review the hardware listed. GTA's technical support staff may also request a current hardware report in
order to resolve a GTA firewall issue.
To run the hardware report, navigate to Reports>Hardware.
Figure 4.28: Running the Hardware Report
Reference A: User Interface
The Console interface is a GUI-based interface of hierarchical menus. As the name implies, the Console
interface only operates on the GTA firewall console; you can access the interface via a workstation
attached to the firewall through the serial port and using a terminal emulator such as TeraTerm.
The Console interface can only be used to perform limited configuration tasks, as it is primarily used as a
fail-safe. It is best suited for administrative tasks when the Web interface is not available.
CAUTION
Configuration data is read by the Console interface only once a session, when the administrator logs on. This means that if the configuration is modified via the Web interface during a Console session, the new data will not
appear on the Console interface, and subsequent changes made using Console will overwrite the changes made
remotely.
Figure A.1: The Console Interface
Features:
Physical access control (one access point) when used as the only access to the firewall.
Reset capability.
Fail-safe access to firewall.
Keystroke Commands
All data entry and interface navigation is done using the keyboard attached to the terminal or workstation
running terminal emulation software.
Table A.1: Keystroke Commands
Keystroke Command Description
Exit/Cancel
Display all list choices
Clear field
Previous field
or Next field
Ok/Save
Toggle color display
or Delete or backspace
Toggle choice list / Select highlighted button
or Insert line item
Navigation
Although the Console interface's display may vary based upon your method of connection, all variations
use the following menus, buttons, fields and lists in navigation.
Menus
There are five top-level menus in the Console interface: Config, Tools, Reports, Exit and Help. Most
configuration items are found under the Config menu. Tools useful for troubleshooting your firewall's
configuration are located under the Tools menu. Reports contains the Hardware Report, which generates a
report on your firewall's hardware configuration. Exit includes the command to exit the Console interface,
while Help will display the GB-OS version number.
Use the keyboard arrow keys to move through the menus and press the or key to
select the function currently highlighted.
Figure A.2: Menus
Buttons
Buttons are fields which appear similar to the Web interface's buttons; these Console button fields can
be selected by pressing or when the field is highlighted.
Table A.2: Buttons
Keystroke Command Description
Save Saves the configuration screen.
Cancel Cancels changes and exits the configuration screen or section.
OK Exits the screen, or executes an administrative action.
Default Creates configuration settings in the section that conform to the GTA firewall's settings; not factory settings.
Send Sends email.
Entry, Choice, Check, and Item List Fields
Fields in the Console interface can be data or data entry fields, choice/selection fields, check fields and
item list fields.
Data fields are represented by either a blank line or a line with a default or placeholder entry
(e.g., 0.0.0.0/24) as a data format example. Some fields are prefilled by the system and will be
unavailable for data entry.
Choice fields offer the user a number of items from which to select the desired entry; scroll through the
available selections by pressing the .
Check fields are either enabled [X] or disabled [ ]. Use the key to toggle a check field.
Item List fields represent the items that have been entered in sections with more than one item. See the
edit screen for these by highlighting the selected item and pressing .
Copyright
1996-2010, Global Technology Associates, Incorporated (GTA). All rights reserved.
Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.
Technical Support
GTA includes 30 days up and running installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local Authorized GTA Channel Partner.
Tel: +1.407.380.0220 Email: [email protected]
Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.
Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.
Trademarks & Copyrights
GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated.
Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
UNIX is a registered trademark of The Open Group.
Linux is a registered trademark of Linus Torvalds.
BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.
WELF and WebTrends are trademarks of NetIQ.
Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Java software may include software licensed from RSA Security, Inc.
Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/.
Some products include software developed by the OpenSSL Project (http://www.openssl.org/).
Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated.
All other products are trademarks of their respective companies.