http://www.3com.com/
Part No. DUA1611-0AAA02
Published August 2001
SuperStack® 3 Firewall User Guide
SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall W
D TECHNICAL SUPPORT
Online Technical Services 201
World Wide Web Site 201
3Com Knowledgebase Web Services 201
3Com FTP Site 202
Support from Your Network Sup
100 CHAPTER 7: SETTING A POLICY
HTTP protocol even if both NetBIOS Passthrough boxes are left unchecked.
Enabling Stealth Mode
By default, the Firewall respo
Adding and Deleting Services 101
Adding and Deleting Services
If a protocol is not listed in the Services window, you can add the service. Click Policy, a
102 CHAPTER 7: SETTING A POLICY
The new service appears in the list box to the right, along with its numeric protocol description. Note that some well-kno
Editing Policy Rules 103
marked Name Service (DNS) [53,6] deletes just the TCP portion of the service.
Editing Policy Rules
Network Access Policy Rules ev
104 CHAPTER 7: SETTING A POLICY
Rules are arranged in order of precedence from the most specific to the most general. For example if you block all FTP traf
Editing Policy Rules 105
would only be necessary if you wanted the server on the WAN to initiate connections with the PC on the LAN network port.
Destina
106 CHAPTER 7: SETTING A POLICY
Adding a New Rule
To add a new rule click on the Add New Rule button and fill in the fields that you want to change. To keep the f
Updating User Privileges 107
Changing the Timeout for Privileged Users
To change the amount of time a privileged user can keep their connection open with
108 CHAPTER 7: SETTING A POLICY
Changing Passwords and Privileges
To change a user’s password or privileges:
1 Highlight the name in the scrollable box.
2 Make
Setting Management Method 109
Setting Management Method
You can manage your Firewall locally, or remotely from a remote host such as a laptop. Click the but
ABOUT THIS GUIDE
This guide describes the following products:
SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmwa
110 CHAPTER 7: SETTING A POLICY
Selecting Remote Management
When remote management is selected, a Management SA is automatically generated. The Management S
8 ADVANCED SETTINGS
This chapter describes the commands and options available in the Advanced menu. The menu is broken up into sections shown in the user interface as
112 CHAPTER 8: ADVANCED SETTINGS
The problem with installing a proxy server on the LAN is that each client must be configured to support the proxy, which
Automatic Proxy/Web Cache Forwarding 113
Figure 50 Deploying the Firewall and Webcache together
1 Install the Webcache as described in the Superstack 3 W
114 CHAPTER 8: ADVANCED SETTINGS
c In the Proxy Web Server Port field enter the number 8080
d Click Update to save your changes.
3 No configuration is neces
Specifying Intranet Settings 115
Figure 51 Connecting the Firewall to protect an internal part of the network
Installing the Firewall to Protect the Intra
116 CHAPTER 8: ADVANCED SETTINGS
Figure 52 Intranet Window
To enable intranet firewalling, it is necessary to identify which machines are protected against
Setting Static Routes 117
Firewall’s WAN link is connected directly to the Internet router — Use this setting if the Firewall is protecting the entire
118 CHAPTER 8: ADVANCED SETTINGS
Figure 53 Isolating a network using a second router
To configure static routes click Advanced and then select the Static
Setting up One-to-One NAT 119
LAN
The IP Address and Subnet on the Firewall’s LAN port are shown at the top of the window. See “Specifying the LAN Settin
12 ABOUT THIS GUIDE
How to Use This Guide
Table 1 shows where to look for specific information in this guide.
Conventions
Table 2 and Table 3 list conventi
120 CHAPTER 8: ADVANCED SETTINGS
You cannot include the Firewall WAN IP Address in a range.
To set up One-to-One NAT click Advanced, and then select the One-to-O
Setting up One-to-One NAT 121
Private Range Begin
Type the beginning IP address of the private address range being mapped in the Private Range Begin box.
122 CHAPTER 8: ADVANCED SETTINGS
DUA1611-0AAA02.book Page 122 Thursday, August 2, 2001 4:01 PM
9 CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
This chapter describes the commands and options available in the VPN menu. The menu is broken up into sections
124 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Figure 56 VPN Summary Window
Changing the Global IPSec Settings
The Firewall’s security uses the IP
Configuring a VPN Security Association 125
Check the Disable all Windows Networking (NetBIOS) Broadcasts checkbox to disable NetBIOS traffic. Click the
126 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Figure 57 VPN Configure Window
Adding/Modifying IPSec Security Associations
To add a new Security As
Configuring a VPN Security Association 127
SA Name
Enter a descriptive name for the Security Association in the SA Name field. This allows you to identif
128 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Leave the Disable all Windows Networking (NetBIOS) Broadcasts box unchecked for the Enable Window
Configuring a VPN Security Association 129
The Incoming SPI and Outgoing SPI are only used when Manual Keying is employed. These fields do not appear wh
Terminology 13
Terminology
This section lists terminology used in this guide.
DMZ — Demilitarized Zone port. The Firewall has an extra port. If you connec
130 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Select your preferred method from the Encryption Method drop-down box.
Shared Secret
A shared secre
Configuring a VPN Security Association 131
alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions sh
132 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
This option does not appear for the GroupVPN SA. This SA does not restrict the IP address
Configuring the Firewall to use a RADIUS Server 133
does not respond within the specified number of retries, the VPN connection will be dropped. This fi
134 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Enter the shared secret or administrative password of your RADIUS server in the Shared Secret Fie
Using the Firewall with Check Point Firewall-1 135
selected for Firewall VPN. If SecuRemote is used, FWZ must also be selected.
2 Create the Remote Objec
136 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
f Select Gateway for the Type.
g Leave the Firewall-1 Installed box unchecked.
h Go to the Encrypt
Configuring the IRE VPN Client for use with the Firewall 137
9 Select the Manual IPSec and the Logging radio buttons.
10 Press the Edit button. Select t
138 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Setting up the GroupVPN Security Association
1 Click on VPN on the left hand side of the screen and then on th
Configuring the IRE VPN Client for use with the Firewall 139
Installing the IRE VPN Client Software
1 Insert the CD that came with the Firewall into your
14 ABOUT THIS GUIDE
a network number and a host number, or a network number, a subnet number, and a host number.
IP Spoof — A type of DoS attack. An IP spoof use
140 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
5 Close the Security Policy Editor saving changes when prompted.
6 Delete the export file from th
10 CONFIGURING HIGH AVAILABILITY
This chapter describes the commands and options available in the High Availability menu. The menu is broken up into sectio
142 CHAPTER 10: CONFIGURING HIGH AVAILABILITY
primary Firewall and the backup Firewall then two addresses are required.
High Availability does not allow the
Configuring High Availability 143
Configuring High Availability on the Backup Firewall
Both steps must be completed before the two Firewalls will funct
144 CHAPTER 10: CONFIGURING HIGH AVAILABILITY
The primary and backup Firewalls use a “heartbeat” signal to communicate with one another. This heartbeat is
Making Configuration Changes 145
4 Log into the backup Firewall. Click the Tools button on the left side of the browser window, and then click the Confi
146 CHAPTER 10: CONFIGURING HIGH AVAILABILITY
Checking High Availability Status
If a failure of the primary Firewall occurs, the backup Firewall will assume
Checking High Availability Status 147
If the backup Firewall has taken over for the primary, for example, in the event of a failure to the primary Firew
148 CHAPTER 10: CONFIGURING HIGH AVAILABILITY
Figure 62 Log Screen Showing Switchover of Firewall
Forcing Transitions
In some cases, it may be necessary to
Forcing Transitions 149
CAUTION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from
Feedback about this User Guide 15
RADIUS — Remote Authentication Dial-in User Service. RADIUS enables network administrators to effectively deploy and m
III ADMINISTRATION AND TROUBLESHOOTING
Chapter 11 Administration and Advanced Operations
Chapter 12 Troubleshooting Guide
11 ADMINISTRATION AND ADVANCED OPERATIONS
This chapter provides some background on Firewall concepts and describes some administration functions not availa
154 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
In evaluating a site for inclusion in the list, the team consider the effect of the site on a typica
Introducing the Web Site Filter 155
sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slur
156 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
Questionable/Illegal & Gambling: Pictures or text advocating materials or activities of a dubio
Using Network Access Policy Rules 157
You must have already registered the Firewall before Activating the Web Site Filter.
Using Network Access Policy Rul
158 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
Does this rule conflict with any existing rules?
Once you have answered these questions, to add rul
Using Network Access Policy Rules 159
When evaluating rules, the Firewall uses the following criteria:
A rule defining a specific service is more speci
16 ABOUT THIS GUIDE
Part Number DUA1611-0AAA02 Page 24
Do not use this e-mail address for technical support questions. For information about contacting
160 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
4 Enter the blocked network’s starting IP address in the Source Addr. Range Begin box and the blocke
Using Network Access Policy Rules 161
Restoring the default rules will delete all custom rules and Public LAN Servers. If an IKE VPN Security Associatio
162 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
While some of these services such as TELNET or FTP are inherently risky, blocking access to these se
Resetting the Firewall 163
Resetting the Firewall
To reset the Firewall:
1 Disconnect the power from the Firewall.
2 Using a blunt pointed object, fully
164 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
Make sure that you are using the browser that supports HTML uploads, otherwise you cannot upload the
Direct Cable Connection 165
only provide limited protection the first time the administrator’s password is set. In principle, an individual inside the n
12 TROUBLESHOOTING GUIDE
This chapter contains the following:
Introduction
Potential Problems and Solutions
Troubleshooting the Firewall VPN Client
Frequ
168 CHAPTER 12: TROUBLESHOOTING GUIDE
Power LED Flashes Continuously
If the Power LED continues to flash after 120 seconds, please contact Technical Support
Potential Problems and Solutions 169
Remember that passwords are case-sensitive; make sure the Caps Lock key is off.
Click Reload or Refresh in the Web
I GETTING STARTED
Chapter 1 Introduction
Chapter 2 Installing the Hardware
Chapter 3 Quick Setup for the Firewall
170 CHAPTER 12: TROUBLESHOOTING GUIDE
Machines on the WAN Are Not Reachable
Make sure the Intranet settings in the Advanced section are correct.
Troubleshoot
Troubleshooting the Firewall VPN Client 171
Restarting the Firewall with Active VPN Tunnel
If you restart the Firewall with a VPN Client active you must d
172 CHAPTER 12: TROUBLESHOOTING GUIDE
Frequently Asked Questions about PPPoE
Why are ISPs using PPPoE in their broadband services?
The theory is that PPPoE m
IV FIREWALL AND NETWORKING CONCEPTS
Chapter 13 Types of Attack and Firewall Defences
Chapter 14 Networking Concepts
13 TYPES OF ATTACK AND FIREWALL DEFENCES
This chapter describes some of the attacks that hackers may use to infiltrate and attack your network. It also deta
176 CHAPTER 13: TYPES OF ATTACK AND FIREWALL DEFENCES
The return address of the ping has been faked (spoofed) to appear to come from a machine on another ne
Trojan Horse Attacks 177
Port Scanning
Port Scanning is the testing of ports to see which are active and which are disabled. Although ports are scanned
14 NETWORKING CONCEPTS
This appendix contains the following:
Introduction to TCP/IP
Network Address Translation (NAT)
Dynamic Host Configuration Protocol
180 CHAPTER 14: NETWORKING CONCEPTS
(called dotted decimal notation), for example, 123.45.67.89. Because computers use a binary number system, each number
Introduction to TCP/IP 181
Most large centralized companies have a network manager in charge of all IP address numbers. Other companies have a distributed
182 CHAPTER 14: NETWORKING CONCEPTS
the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway.
Network Address Translation (NAT)
Netw
Dynamic Host Configuration Protocol (DHCP) 183
Not All Applications lend themselves easily to address translation by NAT devices. Especially, the appli
184 CHAPTER 14: NETWORKING CONCEPTS
Port Numbers
The port numbers are divided into three ranges:
Well Known ports — those from 0 to 1023
Registered ports
Virtual Private Network Services 185
Basic Terms and Concepts
Introduction to Virtual Private Networks
Virtual Private Networks (VPN) provide an easy, aff
186 CHAPTER 14: NETWORKING CONCEPTS
Linking two or more Private Networks Together
VPN is the perfect way to connect branch offices and business partners t
Virtual Private Network Services 187
communications can range in length, but are typically 16 or 32 characters. The longer the key, the more difficult i
188 CHAPTER 14: NETWORKING CONCEPTS
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to
Virtual Private Network Services 189
The SPI must be unique, is from one to eight characters long, and is comprised of hexadecimal characters. Valid hex
1 INTRODUCTION
This chapter contains the following:
What is the SuperStack 3 Firewall?
Firewall and 3Com Network Supervisor
Firewall Features
Introducti
V APPENDICES
Appendix A Safety Information
Appendix B Technical Specifications and Standards
Appendix C Cable Specifications
Appendix D Technical Support
In
A SAFETY INFORMATION
WARNING: Please read the ‘Important Safety Information’ section before you start.
VORSICHT: Bitte lesen Sie den Abschnitt ‘Wichtige Sicherh
194 APPENDIX A: SAFETY INFORMATION
WARNING: There are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical proble
Important Safety Instructions 195
WARNING: There are no user-replaceable or user-serviceable parts in the unit. Wenn Sie ein
196 APPENDIX A: SAFETY INFORMATION
WARNING: The unit operates at a safety extra-low voltage that complies with IEC 950.
B TECHNICAL SPECIFICATIONS AND STANDARDS
This appendix lists the technical specifications for the SuperStack 3 Firewall. The Firewall has been designed and
198 APPENDIX B: TECHNICAL SPECIFICATIONS AND STANDARDS
Functional: ISO/IEC 8802-3, IEEE 802.3, ICSA Firewall Certification
Safety: UL1950, EN 60950, CSA 22.
C CABLE SPECIFICATIONS
Cable Specifications
The Firewall supports the following cable types and maximum lengths:
Category 5 cable. Maximum cable length o
3Com Corporation
5400 Bayfront Plaza
Santa Clara, California 95052-8145
Copyright © 2001, 3Com Technologies. All rights reserved. No part of this document
20 CHAPTER 1: INTRODUCTION
The Demilitarized Zone (DMZ) port is used for public servers, such as Web or FTP servers. Machines attached to this port are
200 APPENDIX C: CABLE SPECIFICATIONS
Figure 68 and Figure 69 below show the pin connections when using a crossover Category 5 cable. It is not necessary
D TECHNICAL SUPPORT
3Com provides easy access to technical support information through a variety of services. This appendix describes these services.
Infor
202 APPENDIX D: TECHNICAL SUPPORT
3Com FTP Site
Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This se
Support from 3Com 203
A list of system hardware and software, including revision levels
Diagnostic error messages
Details about recent configuration c
204 APPENDIX D: TECHNICAL SUPPORT
Returning Products for Repair
Before you send a product directly to 3Com for repair, you must first obtain an authorizat
Returning Products for Repair 205
U.S.A. and Canada: 1 800 NET 3Com (1 800 638 3266)
Enterprise Customers: 1 800 876 3266
1 408 326 7120 (not toll-free)
Count
INDEX
Numbers
0.0.0.0 182
10 Mbps status LED 30
100 Mbps status LED 30
10BASE-T cable
DMZ connection 33
LAN connection 33
255.255.255.0 181
3Com Knowledgebase Web Serv
208 INDEX
SYN Flood 21
Teardrop 21
DHCP
client 25
overview 24
DHCP server
setting up 60
viewing status 63
diagnostic tools 64
diagram 31
direct connection 165
disable web
INDEX 209
IP address
classes 180
defined 13, 180
Firewall default 36
sharing 24
IP Spoof 14
IRC 14
ISP 14
J
Java
blocking 81
defined 68
K
keyword 75
field 75
L
LAN
port 19
static ro
Firewall Features 21
3Com Network Supervisor offers the following support to Firewall users:
If your 3Com Network Supervisor management station is loca
210 INDEX
Ping tool 65
Point-to-Point Protocol over Ethernet 14
policy rules 103
creating 157
policy, security 21
port numbers
registered 184
well-known 184
ports
DMZ 2
INDEX 211
3Com Knowledgebase Web Services 201
3Com URL 201
network suppliers 202
product repair 204
Technical Support Report 66
terminology 13
tests, self-diagnost
REGULATORY NOTICES
FCC STATEMENT
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of
22 CHAPTER 1: INTRODUCTION
Figure 2 Firewall Security Functions - Default Firewall Policy
The Firewall examines every packet that comes from outside the
Firewall Features 23
The Firewall will protect your network against the following Denial of Service attacks:
Ping of Death
Smurf Attack
SYN Flood
LAND A
24 CHAPTER 1: INTRODUCTION
purchase a twelve month Web Site Filter (3C16111) subscription. Both the trial and the twelve month subscription are valid for
Introduction to Virtual Private Networking (VPN) 25
NAT automatically translates multiple IP addresses on the private LAN to one public address that is
26 CHAPTER 1: INTRODUCTION
terminating device at the other end of the tunnel must be using the same level and type of encryption. See “Configuring Virtua
2 INSTALLING THE HARDWARE
This chapter contains the following:
Before You Start
Positioning the Firewall
Firewall Front Panel
Firewall Rear Panel
Redunda
28 CHAPTER 2: INSTALLING THE HARDWARE
A SuperStack 3 Firewall CD.
Warranty Information.
Software License Agreement.
Positioning the Firewall
When installin
Firewall Front Panel 29
CAUTION: Disconnect all cables from the unit before continuing.
Remove the self-adhesive pads from the underside of unit, if alr
CONTENTS
ABOUT THIS GUIDE
How to Use This Guide 12
Conventions 12
Terminology 13
Feedback about this User Guide 15
Registration 16
I GETTING STARTED
1 INTRODUCTION
30 CHAPTER 2: INSTALLING THE HARDWARE
The Firewall front panel contains the following components:
1 LAN Port - Use a Category 5 cable with RJ-45 connectors.
Firewall Rear Panel 31
To diagnose faults see “Troubleshooting Guide” on page 167.
8 Power/Self Test LED - This LED shows green to indicate that the unit i
32 CHAPTER 2: INSTALLING THE HARDWARE
SuperStack 3 - Advanced RPS (3C16071) and 60W RPS Power Module - (3C16072)
Attaching the Firewall to the Network
Figur
Attaching the Firewall to the Network 33
To attach the Firewall to your network:
1 Connect the Ethernet port labeled WAN on the front of the Firewall to
34 CHAPTER 2: INSTALLING THE HARDWARE
The Firewall is now attached to the network.
By default, no traffic that originates from the Internet is allowed ont
3 QUICK SETUP FOR THE FIREWALL
This chapter contains the following:
Introduction
Setting up a Management Station
Configuring Basic Settings
Configuring WA
36 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
The process followed by the Installation Wizard is described in the following sections:
Configuring Basic Settin
Configuring Basic Settings 37
Figure 7 Installation Wizard Startup Screen
Click the Next button to start configuring your Firewall using the Installation
38 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
Figure 8 Set Password Screen
Click the Next button to continue.
Setting the Time Zone
Select the Time Zone appropri
Configuring WAN Settings 39
Installation Wizard will prompt you for the required settings.
Configuring WAN Settings
The Installation Wizard detects if the
Redundant Power System (RPS) 31
Attaching the Firewall to the Network 32
3 QUICK SETUP FOR THE FIREWALL
Introduction 35
Setting up a Management Station 36
Con
40 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
Manual WAN Settings
If the Installation Wizard is unable to detect an automatic address server on the WAN Port or
Configuring WAN Settings 41
Using a Single Static IP Address — This address must be taken by the Firewall’s WAN port to allow devices connected to the
42 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
To configure the WAN networking of your Firewall enter the following
1 In the Firewall WAN IP Address field ente
Configuring WAN Settings 43
Click the Next button to proceed to the Getting to the Internet screen shown in Figure 14 below.
Figure 14 Setting the Firewall WAN co
44 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
Using an IP Address provided by a PPPoE Server
Select the Provided you with two or more IP addresses option and click
Configuring LAN Settings 45
If there is no DHCP server found on the network connected to the LAN port then the Firewall’s DHCP server is activated allo
46 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
Otherwise the Firewall’s DHCP Server screen will be displayed as shown in Figure 17 below.
Figure 17 Configuring
Confirming Firewall Settings 47
Figure 18 Firewall Configuration Summary
If you want to keep a hard copy of this page click the Print This Page button.
48 CHAPTER 3: QUICK SETUP FOR THE FIREWALL
Figure 19 Congratulations Page
Click the Restart button to complete the configuration of the Firewall using the I
II CONFIGURING THE FIREWALL
Chapter 4 Basic Settings of the Firewall
Chapter 5 Setting up Web Filtering
Chapter 6 Using the Firewall Diagnostic Tools
Chapte
Global Options 61
Dynamic Ranges 62
Static Entries 63
Viewing the DHCP Server Status 63
Using the Network Diagnostic Tools 64
Choosing a Diagnostic Tool 64
4 BASIC SETTINGS OF THE FIREWALL
Chapters 4 to 10 describe in detail, each of the management operations available from the Firewall’s web interface. You ca
52 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Chapter 7 — “Setting a Policy” describes the functions available in the Policy menu of the Web interface. Thes
Setting the Administrator Password 53
ROM Version
Firmware Version
Device Up-time in days, hours, minutes, and seconds
Problems appear in red text. For
54 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Setting the Inactivity Timeout
The Administrator Inactivity Timeout Setting allows you to extend or reduce the p
Setting the Time 55
Automatically adjust clock for daylight savings changes
Check this box to enable the Firewall to adjust to Daylight Savings Time auto
56 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Changing the Basic Network Settings
Click the Settings Tab from the Network Menu to display the Network Setti
Changing the Basic Network Settings 57
When using IP addresses on a LAN which have not been assigned by an Internet Service Provider, it is a good idea
58 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Connect/Disconnect
Pressing the Connect button in the Network Addressing Mode Section will initiate a PPPoE ses
Specifying DMZ Addresses 59
Specifying the DNS Settings
In the Other Settings section, specify the DNS Servers. Up to three DNS servers can be specified, alth
Managing the Firewall Configuration File 90
Importing the Settings File 91
Exporting the Settings File 92
Restoring Factory Default Settings 92
Using the
60 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Click Network, and then select the DMZ Addresses tab. A window similar to that in Figure 25 displays.
Figure 25
Setting up the DHCP Server 61
The Firewall can allocate up to 255 static or dynamic IP addresses. 3Com recommends you use a dedicated DHCP server if mor
62 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Subnet Mask
Enter the Subnet mask for your network. This value will be given out by the DHCP server and will be used b
Viewing the DHCP Server Status 63
Delete Range
To remove a range of addresses from the dynamic pool, select it from the scrolling list of dynamic ranges,
64 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete.
Using the Network Diagnostic Tools 65
Find Network Path
Use the Find Network Path tool to show on which port, LAN, WAN or DMZ where appropriate, an IP ho
66 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL
Packet Trace requires an IP address. Use the Firewall’s DNS Name Lookup tool to find the IP address of a host.
5 SETTING UP WEB FILTERING
This chapter describes the commands and options available in the Filter menu. The menu is broken up into five sections shown in
68 CHAPTER 5: SETTING UP WEB FILTERING
Figure 29 Filter Settings Window
Content Filtering only applies to nodes on the LAN Port.
Select the options in the S
Changing the Filter Settings 69
Cookies
Cookies are used by Web servers to track usage. Unfortunately, cookies can be programmed not only to identify the
Viewing the Current IPSec Security Associations 125
Configuring a VPN Security Association 125
Adding/Modifying IPSec Security Associations 126
Security
70 CHAPTER 5: SETTING UP WEB FILTERING
Drugs/Drug Culture
Militant/Extremist
Sex Education
Questionable/Illegal & Gambling
Alcohol & Tobacco
Visit
Filtering Web Sites using a Custom List 71
Figure 30 Custom List Window
You can add or remove web sites from the Custom List. For example, if a local rad
72 CHAPTER 5: SETTING UP WEB FILTERING
Enable Filtering on Custom List
Use this to enable or disable the custom filtering without re-entering all site names
Updating the Web Filter 73
Updating the Web Filter
Since content on the Internet is constantly changing, make sure you update the Web Site Filter used by
74 CHAPTER 5: SETTING UP WEB FILTERING
Downloading an Updated Filter List
Download Now
Click this button to download and update the Web Site Filter immediatel
Blocking Websites by using Keywords 75
Blocking Websites by using Keywords
Click Filter and then select the Keywords tab. A window similar to that in Figu
76 CHAPTER 5: SETTING UP WEB FILTERING
agree to the terms outlined in an organization’s Acceptable Use Policy before you allow them to browse the Web any further.
Cl
Filtering by User Consent 77
Consent page URL (Optional Filtering)
When users begin an Internet session on a computer that is not always filtered, they
78 CHAPTER 5: SETTING UP WEB FILTERING
create this page, and can add the text from the Acceptable Use Policy, and notification that violations of the AUP a
6 USING THE FIREWALL DIAGNOSTIC TOOLS
This chapter describes the commands and options available in the Log menu and the Tools menu. Each menu is broken up
Examples of Network Access Policies 159
Resetting the Firewall 162
Resetting the Firewall 163
Reloading the Firmware 163
Direct Cable Connection 164
Direct
80 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
The Firewall logs the following events:
Unauthorized connection attempts
Blocked Web, FTP and Gopher site
Viewing the Log 81
information. Much of this information refers to the Internet traffic passing through the Firewall.
TCP, UDP, or ICMP packets dropped
Th
82 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
When ActiveX or Java code is compressed into an archive it is not always possible to differentiate between
Changing Log and Alert Settings 83
Sending the Log
Use the Sending the Log feature to inform your administrator of the performance of the Firewall and t
84 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
every connection’s source and destination IP addresses, IP service, and number of bytes transferred. To su
Changing Log and Alert Settings 85
When log overflows
In some cases, the log buffer may fill up, which can happen if there is a problem with the mail ser
86 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
Attacks
When enabled, log messages showing SYN Floods, Ping of Death, IP Spoofing, and attempts to manage t
Generating Reports 87
Blocked Web Sites
When enabled, all log entries that are categorized as a Blocked Web Site are generated as an alert message. This
88 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period
Restarting the Firewall 89
services, such as HTTP, FTP, RealAudio and so forth, and the number of megabytes received from the service during the current
Intrusion Attacks 176
External Access 176
Port Scanning 177
IP Spoofing 177
Trojan Horse Attacks 177
14 NETWORKING CONCEPTS
Introduction to TCP/IP 179
IP and T
90 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
When the Front Panel Power LED stops flashing you can refresh your browser.
To reset the Firewall clearing
Managing the Firewall Configuration File 91
Importing the Settings File
Use this function to import a previously saved settings file back into the Firewal
92 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
Exporting the Settings File
You can save the Firewall configuration settings to a file on a local system and
Upgrading the Firewall Firmware 93
When upgrading the firmware, all settings will be reset to factory default. 3Com recommends that you export the Firew
94 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS
Figure 42 Save Settings Window
2 Click Yes if you have saved the settings. A window similar to that in Figur
Upgrading the Firewall Firmware 95
interrupted this way, it may result in the Firewall not responding to attempts to log in.
If your Firewall does not re
7 SETTING A POLICY
This chapter describes the commands and options available in the Policy menu. The menu is broken up into sections shown in the user int
98 CHAPTER 7: SETTING A POLICY
Click Policy, and then select the Services tab. A window similar to that in Figure 44 displays.
Figure 44 Services Window
Amen
Changing Policy Services 99
DMZ In Checkbox
If you are using the DMZ port on the Firewall access to the protocol is not permitted from the Internet to th