HP SuperStack Firewall Series User Manual

Browse online or download the user manual for HP SuperStack Firewall Series routers. HP SuperStack Firewall Series User's Manual Manuel d'utilisatio


Content summary

Page 1 - User Guide

http://www.3com.com/ Part No. DUA1611-0AAA02 Published August 2001 SuperStack® 3 Firewall User Guide SuperStack 3 Firewall 3CR16110-95 SuperStack 3 Firewall W

Page 2 - 95052-8145

D TECHNICAL SUPPORT Online Technical Services 201 World Wide Web Site 201 3Com Knowledgebase Web Services 201 3Com FTP Site 202 Support from Your Network Sup

Page 3

100 CHAPTER 7: SETTING A POLICY HTTP protocol even if both NetBIOS Passthrough boxes are left unchecked. Enabling Stealth Mode By default, the Firewall respo

Page 4 - ONFIGURING THE

Adding and Deleting Services 101 Adding and Deleting Services If a protocol is not listed in the Services window, you can add the service. Click Policy, a

Page 5

102 CHAPTER 7: SETTING A POLICY The new service appears in the list box to the right, along with its numeric protocol description. Note that some well-kno

Page 6

Editing Policy Rules 103 marked Name Service (DNS) [53,6] deletes just the TCP portion of the service. Editing Policy Rules Network Access Policy Rules ev

Page 7

104 CHAPTER 7: SETTING A POLICY Rules are arranged in order of precedence from the most specific to the most general. For example if you block all FTP traf

Page 8

Editing Policy Rules 105 would only be necessary if you wanted the server on the WAN to initiate connections with the PC on the LAN network port. Destina

Page 9

106 CHAPTER 7: SETTING A POLICY Adding a New Rule To add a new rule click on the Add New Rule button and fill in the fields that you want to change. To keep the f

Page 10 - EGULATORY

Updating User Privileges 107 Changing the Timeout for Privileged Users To change the amount of time a privileged user can keep their connection open with

Page 11

108 CHAPTER 7: SETTING A POLICY Changing Passwords and Privileges To change a user’s password or privileges: 1 Highlight the name in the scrollable box. 2 Make

Page 12 - Conventions

Setting Management Method 109 Setting Management Method You can manage your Firewall locally, or remotely from a remote host such as a laptop. Click the but

Page 13 - Terminology

ABOUT THIS GUIDE This guide describes the following products: SuperStack 3 Firewall 3CR16110-95 SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmwa

Page 14 - 14 ABOUT THIS GUIDE

110 CHAPTER 7: SETTING A POLICY Selecting Remote Management When remote management is selected, a Management SA is automatically generated. The Management S

Page 15 - Feedback about this

8 ADVANCED SETTINGS This chapter describes the commands and options available in the Advanced menu. The menu is broken up into sections shown in the user interface as

Page 16 - Registration

112 CHAPTER 8: ADVANCED SETTINGS The problem with installing a proxy server on the LAN is that each client must be configured to support the proxy, which

Page 17 - Chapter 1 Introduction

Automatic Proxy/Web Cache Forwarding 113 Figure 50 Deploying the Firewall and Webcache together 1 Install the Webcache as described in the Superstack 3 W

Page 18

114 CHAPTER 8: ADVANCED SETTINGS c In the Proxy Web Server Port field enter the number 8080 d Click Update to save your changes. 3 No configuration is neces

Page 19 - NTRODUCTION

Specifying Intranet Settings 115 Figure 51 Connecting the Firewall to protect an internal part of the network Installing the Firewall to Protect the Intra

Page 20 - Network Supervisor

116 CHAPTER 8: ADVANCED SETTINGS Figure 52 Intranet Window To enable intranet firewalling, it is necessary to identify which machines are protected against

Page 21 - Firewall Features

Setting Static Routes 117 Firewall’s WAN link is connected directly to the Internet router — Use this setting if the Firewall is protecting the entire

Page 22 - LAN DMZ WAN

118 CHAPTER 8: ADVANCED SETTINGS Figure 53 Isolating a network using a second router To configure static routes click Advanced and then select the Static

Page 23 - Firewall Features 23

Setting up One-to-One NAT 119 LAN The IP Address and Subnet on the Firewall’s LAN port are shown at the top of the window. See “Specifying the LAN Settin

Page 24

12 ABOUT THIS GUIDE How to Use This Guide Table 1 shows where to look for specific information in this guide. Conventions Table 2 and Table 3 list conventi

Page 25 - Networking (VPN)

120 CHAPTER 8: ADVANCED SETTINGS You cannot include the Firewall WAN IP Address in a range. To set up One-to-One NAT click Advanced, and then select the One-to-O

Page 26

Setting up One-to-One NAT 121 Private Range Begin Type the beginning IP address of the private address range being mapped in the Private Range Begin box.

Page 27 - NSTALLING THE

122 CHAPTER 8: ADVANCED SETTINGS DUA1611-0AAA02.book Page 122 Thursday, August 2, 2001 4:01 PM

Page 28 - Positioning the

9 CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES This chapter describes the commands and options available in the VPN menu. The menu is broken up into sections

Page 29 - Firewall Front Panel

124 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Figure 56 VPN Summary Window Changing the Global IPSec Settings The Firewall’s security uses the IP

Page 30

Configuring a VPN Security Association 125 Check the Disable all Windows Networking (NetBIOS) Broadcasts checkbox to disable NetBIOS traffic. Click the

Page 31 - System (RPS)

126 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Figure 57 VPN Configure Window Adding/Modifying IPSec Security Associations To add a new Security As

Page 32

Configuring a VPN Security Association 127 SA Name Enter a descriptive name for the Security Association in the SA Name field. This allows you to identif

Page 33

128 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Leave the Disable all Windows Networking (NetBIOS) Broadcasts box unchecked for the Enable Window

Page 34

Configuring a VPN Security Association 129 The Incoming SPI and Outgoing SPI are only used when Manual Keying is employed. These fields do not appear wh

Page 35 - ETUP FOR THE

Terminology 13 Terminology This section lists terminology used in this guide. DMZ — Demilitarized Zone port. The Firewall has an extra port. If you connec

Page 36 - Configuring Basic

130 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Select your preferred method from the Encryption Method drop-down box. Shared Secret A shared secre

Page 37 - Configuring Basic Settings 37

Configuring a VPN Security Association 131 alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions sh

Page 38 - Figure 9 Set Time Zone screen

132 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES This option does not appear for the GroupVPN SA. This SA allows does not restrict the IP address

Page 39 - Configuring WAN

Configuring the Firewall to use a RADIUS Server 133 does not respond within the specified number of retries, the VPN connection will be dropped. This fi

Page 40 - Figure 11

134 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Enter the shared secret or administrative password of your RADIUS server in the Shared Secret Fie

Page 41 - Configuring the Firewall

Using the Firewall with Check Point Firewall-1 135 selected for Firewall VPN. If SecuRemote is used, FWZ must also be selected. 2 Create the Remote Objec

Page 42 - Figure 13

136 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES f Select Gateway for the Type. g Leave the Firewall-1 Installed box unchecked. h Go to the Encrypt

Page 43 - Configuring WAN Settings 43

Configuring the IRE VPN Client for use with the Firewall 137 9 Select the Manual IPSec and the Logging radio buttons. 10 Press the Edit button. Select t

Page 44 - Configuring LAN

138 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Setting up the GroupVPN Security Association 1 Click on VPN on the left hand side of the screen and then on th

Page 45 - Configuring LAN Settings

Configuring the IRE VPN Client for use with the Firewall 139 Installing the IRE VPN Client Software 1 Insert the CD that came with the Firewall into your

Page 46 - Confirming Firewall

14 ABOUT THIS GUIDE a network number and a host number, or a network number, a subnet number, and a host number. IP Spoof — A type of DoS attack. An IP spoof use

Page 47

140 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES 5 Close the Security Policy Editor saving changes when prompted. 6 Delete the export file from th

Page 48

10 CONFIGURING HIGH AVAILABILITY This chapter describes the commands and options available in the High Availability menu. The menu is broken up into sectio

Page 49

142 CHAPTER 10: CONFIGURING HIGH AVAILABILITY primary Firewall and the backup Firewall then two addresses are required. High Availability does not allow the

Page 50

Configuring High Availability 143 Configuring High Availability on the Backup Firewall Both steps must be completed before the two Firewalls will funct

Page 51 - ETTINGS OF THE

144 CHAPTER 10: CONFIGURING HIGH AVAILABILITY The primary and backup Firewalls use a “heartbeat” signal to communicate with one another. This heartbeat is

Page 52 - Examining the Unit

Making Configuration Changes 145 4 Log into the backup Firewall. Click the Tools button on the left side of the browser window, and then click the Confi

Page 53 - Password

146 CHAPTER 10: CONFIGURING HIGH AVAILABILITY Checking High Availability Status If a failure of the primary Firewall occurs, the backup Firewall will assume

Page 54 - Set Time Window

Checking High Availability Status 147 If the backup Firewall has taken over for the primary, for example, in the event of a failure to the primary Firew

Page 55 - Setting the Time 55

148 CHAPTER 10: CONFIGURING HIGH AVAILABILITY Figure 62 Log Screen Showing Switchover of Firewall Forcing Transitions In some cases, it may be necessary to

Page 56 - Network Settings

Forcing Transitions 149 CAUTION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from

Page 57

Feedback about this User Guide 15 RADIUS — Remote Authentication Dial-in User Service. RADIUS enables network administrators to effectively deploy and m

Page 58

150 CHAPTER 10: CONFIGURING HIGH AVAILABILITY DUA1611-0AAA02.book Page 150 Thursday, August 2, 2001 4:01 PM

Page 59 - Addresses

III ADMINISTRATION AND TROUBLESHOOTING Chapter 11 Administration and Advanced Operations Chapter 12 Troubleshooting Guide DUA1611-0AAA02.book Page 151 Th

Page 60 - DHCP Server

152 DUA1611-0AAA02.book Page 152 Thursday, August 2, 2001 4:01 PM

Page 61 - Figure 26 DHCP Setup Window

11 ADMINISTRATION AND ADVANCED OPERATIONS This chapter provides some background on Firewall concepts and describes some administration functions not availa

Page 62 - 3com.com

154 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS In evaluating a site for inclusion in the list, the team consider the effect of the site on a typica

Page 63 - Server Status

Introducing the Web Site Filter 155 sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slur

Page 64 - Diagnostic Tools

156 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS Questionable/Illegal & Gambling: Pictures or text advocating materials or activities of a dubio

Page 65

Using Network Access Policy Rules 157 You must have already registered the Firewall before Activating the Web Site Filter. Using Network Access Policy Rul

Page 66

158 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS Does this rule conflict with any existing rules? Once you have answered these questions, to add rul

Page 67 - ILTERING

Using Network Access Policy Rules 159 When evaluating rules, the Firewall uses the following criteria: A rule defining a specific service is more speci

Page 68

16 ABOUT THIS GUIDE Part Number DUA1611-0AAA02 Page 24 Do not use this e-mail address for technical support questions. For information about contacting

Page 69

160 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS 4 Enter the blocked network’s starting IP address in the Source Addr. Range Begin box and the blocke

Page 70 - Filtering Web Sites

Using Network Access Policy Rules 161 Restoring the default rules will delete all custom rules and Public LAN Servers. If an IKE VPN Security Associatio

Page 71 - Figure 30 Custom List Window

162 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS While some of these services such as TELNET or FTP are inherently risky, blocking access to these se

Page 72

Resetting the Firewall 163 Resetting the Firewall To reset the Firewall: 1 Disconnect the power from the Firewall. 2 Using a blunt pointed object, fully

Page 73 - Updating the Web

164 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS Make sure that you are using the browser that supports HTML uploads, otherwise you cannot upload the

Page 74

Direct Cable Connection 165 only provide limited protection the first time the administrator’s password is set. In principle, an individual inside the n

Page 75 - Filtering by User

166 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS DUA1611-0AAA02.book Page 166 Thursday, August 2, 2001 4:01 PM

Page 76 - Consent Window

12 TROUBLESHOOTING GUIDE This chapter contains the following: Introduction Potential Problems and Solutions Troubleshooting the Firewall VPN Client Frequ

Page 77 - 192.168.1.254

168 CHAPTER 12: TROUBLESHOOTING GUIDE Power LED Flashes Continuously If the Power LED continues to flash after 120 seconds, please contact Technical Support

Page 78

Potential Problems and Solutions 169 Remember that passwords are case-sensitive; make sure the Caps Lock key is off. Click Reload or Refresh in the Web

Page 79 - IAGNOSTIC

I GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall DUA1611-0AAA02.book Page 17 Thursday, Au

Page 80 - View Log Window

170 CHAPTER 12: TROUBLESHOOTING GUIDE Machines on the WAN Are Not Reachable Make sure the Intranet settings in the Advanced section are correct. Troubleshoot

Page 81 - Viewing the Log 81

Troubleshooting the Firewall VPN Client 171 Restarting the Firewall with Active VPN Tunnel If you restart the Firewall with a VPN Client active you must d

Page 82 - Alert Settings

172 CHAPTER 12: TROUBLESHOOTING GUIDE Frequently Asked Questions about PPPoE Why are ISPs using PPPoE in their broadband services? The theory is that PPPoE m

Page 83

IV FIREWALL AND NETWORKING CONCEPTS Chapter 13 Types of Attack and Firewall Defences Chapter 14 Networking Concepts DUA1611-0AAA02.book Page 173 Thursday,

Page 84

174 DUA1611-0AAA02.book Page 174 Thursday, August 2, 2001 4:01 PM

Page 85

13 TYPES OF ATTACK AND FIREWALL DEFENCES This chapter describes some of the attacks that hackers may use to infiltrate and attack your network. It also deta

Page 86

176 CHAPTER 13: TYPES OF ATTACK AND FIREWALL DEFENCES The return address of the ping has been faked (spoofed) to appear to come from a machine on another ne

Page 87 - Generating Reports

Trojan Horse Attacks 177 Port Scanning Port Scanning is the testing of ports to see which are active and which are disabled. Although ports are scanned

Page 88

178 CHAPTER 13: TYPES OF ATTACK AND FIREWALL DEFENCES DUA1611-0AAA02.book Page 178 Thursday, August 2, 2001 4:01 PM

Page 89 - Restarting the

14 NETWORKING CONCEPTS This appendix contains the following: Introduction to TCP/IP Network Address Translation (NAT) Dynamic Host Configuration Protocol

Page 90 - Configuration File

18 DUA1611-0AAA02.book Page 18 Thursday, August 2, 2001 4:01 PM

Page 91 - Import Window

180 CHAPTER 14: NETWORKING CONCEPTS (called dotted decimal notation), for example, 123.45.67.89. Because computers use a binary number system, each number

Page 92 - Firewall Firmware

Introduction to TCP/IP 181 Most large centralized companies have a network manager in charge of all IP address numbers. Other companies have a distributed

Page 93 - Upgrade Window

182 CHAPTER 14: NETWORKING CONCEPTS the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway. Network Address Translation (NAT) Netw

Page 94

Dynamic Host Configuration Protocol (DHCP) 183 Not All Applications lend themselves easily to address translation by NAT devices. Especially, the appli

Page 95

184 CHAPTER 14: NETWORKING CONCEPTS Port Numbers The port numbers are divided into three ranges: Well Known ports — those from 0 to 1023 Registered ports

Page 96

Virtual Private Network Services 185 Basic Terms and Concepts Introduction to Virtual Private Networks Virtual Private Networks (VPN) provide an easy, aff

Page 97

186 CHAPTER 14: NETWORKING CONCEPTS Linking two or more Private Networks Together VPN is the perfect way to connect branch offices and business partners t

Page 98 - Services Window

Virtual Private Network Services 187 communications can range in length, but are typically 16 or 32 characters. The longer the key, the more difficult i

Page 99 - Changing Policy Services 99

188 CHAPTER 14: NETWORKING CONCEPTS When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to

Page 100 - ETTING A

Virtual Private Network Services 189 The SPI must be unique, is from one to eight characters long, and is comprised of hexadecimal characters. Valid hex

Page 101 - Deleting Services

1 INTRODUCTION This chapter contains the following: What is the SuperStack 3 Firewall? Firewall and 3Com Network Supervisor Firewall Features Introducti

Page 102

190 CHAPTER 14: NETWORKING CONCEPTS DUA1611-0AAA02.book Page 190 Thursday, August 2, 2001 4:01 PM

Page 103 - Editing Policy Rules

V APPENDICES Appendix A Safety Information Appendix B Technical Specifications and Standards Appendix C Cable Specifications Appendix D Technical Support In

Page 104

192 DUA1611-0AAA02.book Page 192 Thursday, August 2, 2001 4:01 PM

Page 105 - Editing Policy Rules 105

A SAFETY INFORMATION WARNING: Please read the ‘Important Safety Information’ section before you start. VORSICHT: Bitte lesen Sie den Abschnitt ‘Wichtige Sicherh

Page 106 - Privileges

194 APPENDIX A: SAFETY INFORMATION WARNING: There are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical proble

Page 107

Important Safety Instructions 195 CAUTION: There are no user-replaceable or user-serviceable parts in the unit. Wenn Sie ein

Page 108 - Authenticated

196 APPENDIX A: SAFETY INFORMATION WARNING: The unit operates at a safety extra-low voltage that complies with IEC 950.

Page 109 - Management

B TECHNICAL SPECIFICATIONS AND STANDARDS This appendix lists the technical specifications for the SuperStack 3 Firewall. The Firewall has been designed and

Page 110 - Business Telephone

198 APPENDIX B: TECHNICAL SPECIFICATIONS AND STANDARDS Functional ISO/IEC 8802-3, IEEE 802.3, ICSA Firewall Certification Safety UL1950, EN 60950, CSA 22.

Page 111 - Forwarding

C CABLE SPECIFICATIONS Cable Specifications The Firewall supports the following cable types and maximum lengths: Category 5 cable. Maximum cable length o

Page 112 - Proxy Relay Window

3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145 Copyright © 2001, 3Com Technologies. All rights reserved. No part of this document

Page 113

20 CHAPTER 1: INTRODUCTION The Demilitarized Zone (DMZ) port is used for public servers, such as Web or FTP servers. Machines attached to this port are

Page 114 - Settings

200 APPENDIX C: CABLE SPECIFICATIONS Figure 68 and Figure 69 below show the pin connections when using a crossover Category 5 cable. It is not necessary

Page 115

D TECHNICAL SUPPORT 3Com provides easy access to technical support information through a variety of services. This appendix describes these services. Infor

Page 116 - Figure 52 Intranet Window

202 APPENDIX D: TECHNICAL SUPPORT 3Com FTP Site Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This se

Page 117 - Setting Static

Support from 3Com 203 A list of system hardware and software, including revision levels Diagnostic error messages Details about recent configuration c

Page 118

204 APPENDIX D: TECHNICAL SUPPORT Returning Products for Repair Before you send a product directly to 3Com for repair, you must first obtain an authorizat

Page 119 - One-to-One NAT

Returning Products for Repair 205 U.S.A. and Canada 1 800 NET 3Com (1 800 638 3266) Enterprise Customers: 1 800 876 3266 1 408 326 7120 (not toll-free) Count

Page 120

206 APPENDIX D: TECHNICAL SUPPORT DUA1611-0AAA02.book Page 206 Thursday, August 2, 2001 4:01 PM

Page 121 - Setting up One-to-One NAT 121

INDEX Numbers 0.0.0.0 182 10 Mbps status LED 30 100 Mbps status LED 30 10BASE-T cable DMZ connection 33 LAN connection 33 255.255.255.0 181 3Com Knowledgebase Web Serv

Page 122

208 INDEX SYN Flood 21 Teardrop 21 DHCP client 25 overview 24 DHCP server setting up 60 viewing status 63 diagnostic tools 64 diagram 31 direct connection 165 disable web

Page 123 - ONFIGURING

INDEX 209 IP address classes 180 defined 13, 180 Firewall default 36 sharing 24 IP Spoof 14 IRC 14 ISP 14 J Java blocking 81 defined 68 K keyword 75 field 75 L LAN port 19 static ro

Page 124 - Figure 56 VPN Summary Window

Firewall Features 21 3Com Network Supervisor offers the following support to Firewall users: If your 3Com Network Supervisor management station is loca

Page 125 - Association

210 INDEX Ping tool 65 Point-to-Point Protocol over Ethernet 14 policy rules 103 creating 157 policy, security 21 port numbers registered 184 well-known 184 ports DMZ 2

Page 126

INDEX 211 3Com Knowledgebase Web Services 201 3Com URL 201 network suppliers 202 product repair 204 Technical Support Report 66 terminology 13 tests, self-diagnost

Page 127

212 INDEX DUA1611-0AAA02.book Page 212 Thursday, August 2, 2001 4:01 PM

Page 128

REGULATORY NOTICES FCC STATEMENT This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of

Page 129

DUA1611-0AAA02.book Page 214 Thursday, August 2, 2001 4:01 PM

Page 130 - Shared Secret

22 CHAPTER 1: INTRODUCTION Figure 2 Firewall Security Functions - Default Firewall Policy The Firewall examines every packet that comes from outside the

Page 131

Firewall Features 23 The Firewall will protect your network against the following Denial of Service attacks: Ping of Death Smurf Attack SYN Flood LAND A

Page 132 - RADIUS Server

24 CHAPTER 1: INTRODUCTION purchase a twelve month Web Site Filter (3C16111) subscription. Both the trial and the twelve month subscription are valid for

Page 133

Introduction to Virtual Private Networking (VPN) 25 NAT automatically translates multiple IP addresses on the private LAN to one public address that is

Page 134 - Firewall-1

26 CHAPTER 1: INTRODUCTION terminating device at the other end of the tunnel must be using the same level and type of encryption. See “Configuring Virtua

Page 135

2 INSTALLING THE HARDWARE This chapter contains the following: Before You Start Positioning the Firewall Firewall Front Panel Firewall Rear Panel Redunda

Page 136

28 CHAPTER 2: INSTALLING THE HARDWARE A SuperStack 3 Firewall CD. Warranty Information. Software License Agreement. Positioning the Firewall When installin

Page 137 - VPN Client for use

Firewall Front Panel 29 CAUTION: Disconnect all cables from the unit before continuing. Remove the self-adhesive pads from the underside of unit, if alr

Page 138

CONTENTS ABOUT THIS GUIDE How to Use This Guide 12 Conventions 12 Terminology 13 Feedback about this User Guide 15 Registration 16 I GETTING STARTED 1 INTRODUCTION

Page 139 - Figure 58

30 CHAPTER 2: INSTALLING THE HARDWARE The Firewall front panel contains the following components: 1 LAN Port - Use a Category 5 cable with RJ-45 connectors.

Page 140

Firewall Rear Panel 31 To diagnose faults see “Troubleshooting Guide” on page 167. 8 Power/Self Test LED - This LED shows green to indicate that the unit i

Page 141 - VAILABILITY

32 CHAPTER 2: INSTALLING THE HARDWARE SuperStack 3 - Advanced RPS (3C16071) and 60W RPS Power Module - (3C16072) Attaching the Firewall to the Network Figur

Page 142 - Availability

Attaching the Firewall to the Network 33 To attach the Firewall to your network: 1 Connect the Ethernet port labeled WAN on the front of the Firewall to

Page 143 - High Availability Menu

34 CHAPTER 2: INSTALLING THE HARDWARE The Firewall is now attached to the network. By default, no traffic that originates from the Internet is allowed ont

Page 144

3 QUICK SETUP FOR THE FIREWALL This chapter contains the following: Introduction Setting up a Management Station Configuring Basic Settings Configuring WA

Page 145 - Configuration

36 CHAPTER 3: QUICK SETUP FOR THE FIREWALL The process followed by the Installation Wizard is described in the following sections: Configuring Basic Settin

Page 146 - Availability Status

Configuring Basic Settings 37 Figure 7 Installation Wizard Startup Screen Click the Next button to start configuring your Firewall using the Installation

Page 147

38 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Figure 8 Set Password Screen Click the Next button to continue. Setting the Time Zone Select the Time Zone appropri

Page 148 - Forcing Transitions

Configuring WAN Settings 39 Installation Wizard will prompt you for the required settings. Configuring WAN Settings The Installation Wizard detects if the

Page 149 - Forcing Transitions 149

Redundant Power System (RPS) 31 Attaching the Firewall to the Network 32 3 QUICK SETUP FOR THE FIREWALL Introduction 35 Setting up a Management Station 36 Con

Page 150

40 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Manual WAN Settings If the Installation Wizard is unable to detect an automatic address server on the WAN Port or

Page 151 - ROUBLESHOOTING

Configuring WAN Settings 41 Using a Single Static IP Address — This address must be taken by the Firewall’s WAN port to allow devices connected to the

Page 152

42 CHAPTER 3: QUICK SETUP FOR THE FIREWALL To configure the WAN networking of your Firewall enter the following 1 In the Firewall WAN IP Address field ente

Page 153 - PERATIONS

Configuring WAN Settings 43 Click the Next button to proceed to the Getting to the Internet screen shown in Figure 14 below. Figure 14 Setting the Firewall WAN co

Page 154

44 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Using an IP Address provided by a PPPoE Server Select the Provided you with two or more IP addresses option and click

Page 155

Configuring LAN Settings 45 If there is no DHCP server found on the network connected to the LAN port then the Firewall’s DHCP server is activated allo

Page 156 - Site Filter

46 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Otherwise the Firewall’s DHCP Server screen will be displayed as shown in Figure 17 below. Figure 17 Configuring

Page 157 - Access Policy Rules

Confirming Firewall Settings 47 Figure 18 Firewall Configuration Summary If you want to keep a hard copy of this page click the Print This Page button.

Page 158

48 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Figure 19 Congratulations Page Click the Restart button to complete the configuration of the Firewall using the I

Page 159

II CONFIGURING THE FIREWALL Chapter 4 Basic Settings of the Firewall Chapter 5 Setting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapte

Page 160

Global Options 61 Dynamic Ranges 62 Static Entries 63 Viewing the DHCP Server Status 63 Using the Network Diagnostic Tools 64 Choosing a Diagnostic Tool 64

Page 161 - Ta b le 6

50 DUA1611-0AAA02.book Page 50 Thursday, August 2, 2001 4:01 PM

Page 162 - Resetting the

4 BASIC SETTINGS OF THE FIREWALL Chapters 4 to 10 describe in detail, each of the management operations available from the Firewall’s web interface. You ca

Page 163 - Firmware Upload Window

52 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Chapter 7 — “Setting a Policy” describes the functions available in the Policy menu of the Web interface. Thes

Page 164 - Connection

Setting the Administrator Password 53 ROM Version Firmware Version Device Up-time in days, hours, minutes, and seconds Problems appear in red text. For

Page 165 - Direct Cable Connection 165

54 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Setting the Inactivity Timeout The Administrator Inactivity Timeout Setting allows you to extend or reduce the p

Page 166

Setting the Time 55 Automatically adjust clock for daylight savings changes Check this box to enable the Firewall to adjust to Daylight Savings Time auto

Page 167

56 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Changing the Basic Network Settings Click the Settings Tab from the Network Menu to display the Network Setti

Page 168 - 192.168.1.200

Changing the Basic Network Settings 57 When using IP addresses on a LAN which have not been assigned by an Internet Service Provider, it is a good idea

Page 169

58 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Connect/Disconnect Pressing the Connect button in the Network Addressing Mode Section will initiate a PPPoE ses

Page 170 - Troubleshooting

Specifying DMZ Addresses 59 Specifying the DNS Settings In the Other Settings section, specify the DNS Servers. Up to three DNS servers can be specified, alth

Page 171

Managing the Firewall Configuration File 90 Importing the Settings File 91 Exporting the Settings File 92 Restoring Factory Default Settings 92 Using the

Page 172 - Questions about

60 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Click Network, and then select the DMZ Addresses tab. A window similar to that in Figure 25 displays. Figure 25

Page 173 - ETWORKING

Setting up the DHCP Server 61 The Firewall can allocate up to 255 static or dynamic IP addresses. 3Com recommends you use a dedicated DHCP server if mor

Page 174

62 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Subnet Mask Enter the Subnet mask for your network. This value will be given out by the DHCP server and will be used b

Page 175 - TTACK AND

Viewing the DHCP Server Status 63 Delete Range To remove a range of addresses from the dynamic pool, select it from the scrolling list of dynamic ranges,

Page 176 - Intrusion Attacks

64 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete.

Page 177 - Troja n Hor s e

Using the Network Diagnostic Tools 65 Find Network Path Use the Find Network Path tool to show on which port, LAN, WAN or DMZ where appropriate, an IP ho

Page 178

66 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Packet Trace requires an IP address. Use the Firewall’s DNS Name Lookup tool to find the IP address of a host.

Page 179

5 SETTING UP WEB FILTERING This chapter describes the commands and options available in the Filter menu. The menu is broken up into five sections shown in

Page 180

68 CHAPTER 5: SETTING UP WEB FILTERING Figure 29 Filter Settings Window Content Filtering only applies to nodes on the LAN Port. Select the options in the S

Page 181 - ■ 255.255.255.0

Changing the Filter Settings 69 Cookies Cookies are used by Web servers to track usage. Unfortunately, cookies can be programmed not only to identify the

Page 182 - Translation (NAT)

Viewing the Current IPSec Security Associations 125 Configuring a VPN Security Association 125 Adding/Modifying IPSec Security Associations 126 Security

Page 183 - Protocol (DHCP)

70 CHAPTER 5: SETTING UP WEB FILTERING Drugs/Drug Culture Militant/Extremist Sex Education Questionable/Illegal & Gambling Alcohol & Tobacco Visit

Page 184 - Network Services

Filtering Web Sites using a Custom List 71 Figure 30 Custom List Window You can add or remove web sites from the Custom List. For example, if a local rad

Page 185 - Internet

72 CHAPTER 5: SETTING UP WEB FILTERING Enable Filtering on Custom List Use this to enable or disable the custom filtering without re-entering all site names

Page 186

Updating the Web Filter 73 Updating the Web Filter Since content on the Internet is constantly changing, make sure you update the Web Site Filter used by

Page 187

74 CHAPTER 5: SETTING UP WEB FILTERING Downloading an Updated Filter List Download Now Click this button to download and update the Web Site Filter immediatel

Page 188

Blocking Websites by using Keywords 75 Blocking Websites by using Keywords Click Filter and then select the Keywords tab. A window similar to that in Figu

Page 189

76 CHAPTER 5: SETTING UP WEB FILTERING agree to the terms outlined in an organization’s Acceptable Use Policy before you allow them to browse the Web any further. Cl

Page 190

Filtering by User Consent 77 Consent page URL (Optional Filtering) When users begin an Internet session on a computer that is not always filtered, they

Page 191 - PPENDICES

78 CHAPTER 5: SETTING UP WEB FILTERING create this page, and can add the text from the Acceptable Use Policy, and notification that violations of the AUP a

Page 192

6 USING THE FIREWALL DIAGNOSTIC TOOLS This chapter describes the commands and options available in the Log menu and the Tools menu. Each menu is broken up

Page 193 - NFORMATION

Examples of Network Access Policies 159 Resetting the Firewall 162 Resetting the Firewall 163 Reloading the Firmware 163 Direct Cable Connection 164 Direct

Page 194 - Sicherheitshinweise

80 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS The Firewall logs the following events: ■ Unauthorized connection attempts ■ Blocked Web, FTP and Gopher site

Page 195 - Importantes de

Viewing the Log 81 information. Much of this information refers to the Internet traffic passing through the Firewall. TCP, UDP, or ICMP packets dropped Th

Page 196 - PPENDIX A: SAFETY INFORMATION

82 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS When ActiveX or Java code is compressed into an archive it is not always possible to differentiate between

Page 197 - TANDARDS

Changing Log and Alert Settings 83 Sending the Log Use the Sending the Log feature to inform your administrator of the performance of the Firewall and t

Page 198

84 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS every connection’s source and destination IP addresses, IP service, and number of bytes transferred. To su

Page 199 - PECIFICATIONS

Changing Log and Alert Settings 85 When log overflows In some cases, the log buffer may fill up, which can happen if there is a problem with the mail ser

Page 200

86 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS Attacks When enabled, log messages showing SYN Floods, Ping of Death, IP Spoofing, and attempts to manage t

Page 201

Generating Reports 87 Blocked Web Sites When enabled, all log entries that are categorized as a Blocked Web Site are generated as an alert message. This

Page 202 - Support from 3Com

88 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period

Page 203 - Asia, Pacific Rim

Restarting the Firewall 89 services, such as HTTP, FTP, RealAudio and so forth, and the number of megabytes received from the service during the current

Page 204 - Returning Products

Intrusion Attacks 176 External Access 176 Port Scanning 177 IP Spoofing 177 Trojan Horse Attacks 177 14 NETWORKING CONCEPTS Introduction to TCP/IP 179 IP and T

Page 205

90 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS When the Front Panel Power LED stops flashing you can refresh your browser. To reset the Firewall clearing

Page 206 - PPENDIX D: TECHNICAL SUPPORT

Managing the Firewall Configuration File 91 Importing the Settings File Use this function to import a previously saved settings file back into the Firewal

Page 207

92 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS Exporting the Settings File You can save the Firewall configuration settings to a file on a local system and

Page 208

Upgrading the Firewall Firmware 93 When upgrading the firmware, all settings will be reset to factory default. 3Com recommends that you export the Firew

Page 209 - NDEX 209

94 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS Figure 42 Save Settings Window 2 Click Yes if you have saved the settings. A window similar to that in Figur

Page 210

Upgrading the Firewall Firmware 95 interrupted this way, it may result in the Firewall not responding to attempts to log in. If your Firewall does not re

Page 211 - NDEX 211

96 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS DUA1611-0AAA02.book Page 96 Thursday, August 2, 2001 4:01 PM

Page 212 - 212 INDEX

7 SETTING A POLICY This chapter describes the commands and options available in the Policy menu. The menu is broken up into sections shown in the user int

Page 213 - REGULATORY NOTICES

98 CHAPTER 7: SETTING A POLICY Click Policy, and then select the Services tab. A window similar to that in Figure 44 displays. Figure 44 Services Window Amen

Page 214

Changing Policy Services 99 DMZ In Checkbox If you are using the DMZ port on the Firewall access to the protocol is not permitted from the Internet to th
