User's Manual
Table Of Contents
- Chapter 1 Introduction
- Chapter 2 Mesh Point CLI and Administrative Access
- Chapter 3 Networking and Radio Configuration
- 3.1 Network Interfaces
- 3.2 Network Bridging
- 3.2.1 Bridging Configuration
- 3.2.2 FastPath Mesh Bridging
- 3.2.3 Fine-tuning FastPath Mesh Network Performance
- 3.2.3.1 Selecting the FastPath Mesh Multicast Transmit Mode
- 3.2.3.2 Setting the FastPath Mesh Packet Interval
- 3.2.3.3 Setting the FastPath Mesh Transmit Control Level
- 3.2.3.4 Setting Multicast Video Clamping Thresholds
- 3.2.3.5 Setting Mesh Routing Reactivity
- 3.2.3.6 Setting Mesh Packet Time To Live
- 3.2.3.7 Viewing Current Mesh Performance Parameters
- 3.2.3.8 Frame Processor Parameters
- 3.2.4 STP Bridging
- 3.3 Global Radio Settings
- 3.4 Individual Radio Settings
- 3.4.1 Radio Band, Short Preamble, Guard Interval
- 3.4.2 Channel Selection
- 3.4.3 Distance, Beacon Interval, Noise Immunity
- 3.4.4 Network Type, Antenna Gain, Tx Power
- 3.4.5 MIMO
- 3.4.6 STBC
- 3.4.7 Channel Lock and Other Channel Selection Features
- 3.4.8 DFS, TDWR, and Channel Exclusion
- 3.4.9 Radio BSS Settings
- 3.4.9.1 BSS Radio, BSS Name and SSID
- 3.4.9.2 WDS Bridging or AP Infrastructure Configuration
- 3.4.9.3 BSS State, SSID Advertising and Drop Probe Requests
- 3.4.9.4 BSS STA Idle Timeout and 802.11g-Only Settings
- 3.4.9.5 BSS Unicast Transmission Rate Settings
- 3.4.9.6 BSS WMM QoS Setting
- 3.4.9.7 BSS Fragmentation and RTS Thresholds
- 3.4.9.8 BSS DTIM Beacon Countdown
- 3.4.9.9 BSS VLANs Settings
- 3.4.9.10 BSS Fortress Security Zone
- 3.4.9.11 FastPath Mesh BSS Cost Offset
- 3.4.9.12 BSS Multicast Settings
- 3.4.9.13 Bridging MTU and Beacon Encryption
- 3.4.9.14 BSS Description
- 3.4.9.15 BSS Wi-Fi Security Configuration
- 3.4.10 Antenna Tracking / Rate Monitoring
- 3.4.11 ES210 Mesh Point STA Settings and Operation
- 3.4.11.1 STA Radio, Name, SSID and SSID Roaming
- 3.4.11.2 STA State
- 3.4.11.3 STA Unicast Transmission Rate Settings
- 3.4.11.4 STA Background Scanning
- 3.4.11.5 STA WMM QoS Setting
- 3.4.11.6 STA Fragmentation and RTS Thresholds
- 3.4.11.7 STA Multicast Rate
- 3.4.11.8 STA Description
- 3.4.11.9 STA Wi-Fi Security Configuration
- 3.4.11.10 Editing or Deleting a STA Interface Connection
- 3.4.11.11 Establishing a STA Interface Connection
- 3.4.11.12 ES210 Station Access Control Lists
- 3.5 Local Area Network Configuration
- 3.6 Time and Location Configuration
- 3.7 GPS and Location Configuration
- 3.8 DHCP and DNS Services
- 3.9 Ethernet Interfaces
- 3.10 Quality of Service
- 3.11 VLANs Implementation
- 3.12 ES210 Mesh Point Serial Port Settings
- 3.13 Mesh Viewer Protocol Settings
- Chapter 4 Network Security, Authentication and Auditing
- 4.1 Fortress Security Settings
- 4.1.1 Operating Mode
- 4.1.2 FIPS Settings
- 4.1.3 MSP Encryption Algorithm
- 4.1.4 Encrypted Data Compression
- 4.1.5 MSP Key Establishment
- 4.1.6 MSP Re-Key Interval
- 4.1.7 Key Beacon Interval
- 4.1.8 Fortress Legacy Devices
- 4.1.9 Encrypted Zone Cleartext Traffic
- 4.1.10 Encrypted Zone Management Settings
- 4.1.11 Authorized Wireless Client Management Settings
- 4.1.12 Turning Mesh Point GUI Access Off and On
- 4.1.13 SSH Access to the Mesh Point CLI
- 4.1.14 Blackout Mode
- 4.1.15 Allow Cached Credentials
- 4.1.16 Fortress Access ID
- 4.2 Digital Certificates
- 4.3 Access Control Entries
- 4.4 Internet Protocol Security
- 4.5 Authentication and Timeouts
- 4.5.1 Authentication Servers
- 4.5.2 Internal Authentication Server
- 4.5.2.1 Basic Internal Authentication Server Settings
- 4.5.2.2 Certificate Authority Settings
- 4.5.2.3 Global User and Device Authentication Settings
- 4.5.2.4 Local 802.1X Authentication Settings
- 4.5.2.5 OCSP Authentication Server Settings
- 4.5.2.6 OCSP Cache Settings and Management
- 4.5.2.7 Internal Authentication Server Access Control Lists
- 4.5.3 User Authentication
- 4.5.4 Client Device Authentication
- 4.5.5 Session Idle Timeouts
- 4.6 ACLs and Cleartext Devices
- 4.7 Remote Audit Logging
- 4.8 Wireless Schedules
- Chapter 5 System Options, Maintenance and Licensing
- Chapter 6 System and Network Monitoring
- Index
- Glossary
Fortress ES-Series CLI Guide: Network Security, Authentication and Auditing
4.6.3.1 Packet Filtering on Ingress and Egress
CAUTION: A useful tool for understanding the effect of configured filters is to write out the set of rules as if each rule were 2 rules: one applying to the inbound packets on the interface and the other to the outbound packets. For example:
add pktfilter -name SrvTalksToAnyone -action permit -log N -type ipv4 -interface lan3 -priority 5 -srcaddr 10.1.1.1 -srcpl 32 -destaddr 0.0.0.0 -destpl 0
This will match all packets the server 10.1.1.1 on lan3 sends to any destination on any interface. After we exchange all the source fields for all the destination fields, we see that it will also match all packets being forwarded from any source to the server OUT on lan3.
When a packet enters any interface, the FMP checks whether packet filtering is enabled on that interface. If it is, the FMP compares the packet's information to each configured rule in priority order. The FMP takes the action specified by the first matching rule: if the action is permit, the FMP continues to process the packet; if the action is deny, the FMP drops the packet immediately. If the packet does not match any of the configured rules, it will always match the automatically-generated packet deny rule at the end.
Once the FMP has determined the interface out of which the packet should be forwarded, the FMP checks whether packet filtering is enabled on that egress interface. If it is, the FMP compares the packet's information to each configured rule in priority order, but with one significant difference: the packet's SOURCE information (address, prefix length, port) is compared to the rule's DESTINATION information.
4.6.3.2 ICMPv6 Neighbor Discovery Alert
Neighbor Discovery (ND) is IPv6's equivalent of IPv4's ARP protocol. IPv4 hosts use ARP to discover the MAC address corresponding to a given IPv4 address. IPv6 hosts use ND to discover the MAC address corresponding to a given IPv6 address. There is one significant difference when it comes to packet filtering. ARP is a separate protocol, and is thus not filtered out by IPv4 filtering mechanisms. ND packets are IPv6 packets, because ND is part of ICMPv6. A user can permit traffic between two IPv4 hosts with one or two simple IPv4 packet filtering permit rules. For IPv6, however, Fortress advises permitting all ICMPv6 packets using some variation of the following rule on all appropriate interfaces:
# add pktfilter -name AllowICMPv6 -action permit -log N -type ipv6 -interface lan3 -priority 3 -srcaddr 0::0 -srcpl 0 -destaddr 0::0 -destpl 0 -protocol 58
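The following script is an added illustration, not Fortress code, and it serves both the ingress/egress description in Section 4.6.3.1 and the Neighbor Discovery alert in Section 4.6.3.2. It reconstructs the evaluation order from the prose (first match in priority order, implicit deny at the end, source/destination fields swapped on egress) using rule fields that mirror the add pktfilter parameters shown on this page. The rule set and packets are constructed sample data; the assumption that a numerically lower -priority value is evaluated first is not stated by the guide, and ports are omitted because the guide's examples do not use them.

```python
"""Packet-filter walk-through for the ingress/egress rules described above.

Added illustration, not Fortress code. Rule fields mirror the `add pktfilter`
parameters shown in the guide; the matching logic is reconstructed from the
prose, and all rules and packets below are constructed sample data.
Assumption: a numerically lower -priority value is evaluated first.
Ports are omitted; the guide's examples do not use them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    type: str              # "ipv4" or "ipv6"
    interface: str
    priority: int          # lower value checked first (assumption)
    srcaddr: str
    srcpl: int
    destaddr: str
    destpl: int
    protocol: Optional[int] = None   # None: any IP protocol


@dataclass(frozen=True)
class Packet:
    type: str
    src: str
    dst: str
    protocol: int


def _in_prefix(addr: str, prefix_addr: str, plen: int) -> bool:
    net = ipaddress.ip_network(f"{prefix_addr}/{plen}", strict=False)
    return ipaddress.ip_address(addr) in net


def _matches(rule: Rule, pkt: Packet, egress: bool) -> bool:
    if rule.type != pkt.type:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    # Egress: the packet's SOURCE is compared with the rule's DESTINATION
    # fields (and the packet's destination with the rule's source fields).
    if egress:
        return (_in_prefix(pkt.src, rule.destaddr, rule.destpl)
                and _in_prefix(pkt.dst, rule.srcaddr, rule.srcpl))
    return (_in_prefix(pkt.src, rule.srcaddr, rule.srcpl)
            and _in_prefix(pkt.dst, rule.destaddr, rule.destpl))


def evaluate(rules: Iterable[Rule], interface: str, pkt: Packet,
             direction: str) -> Tuple[str, str]:
    """First matching rule on `interface` decides; no match hits the implicit deny."""
    egress = direction == "egress"
    for rule in sorted((r for r in rules if r.interface == interface),
                       key=lambda r: r.priority):
        if _matches(rule, pkt, egress):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed rule set: the two rules quoted in the guide, plus a host-pair
# IPv6 permit used to show why the ICMPv6 rule is needed.
SRV_TALKS_TO_ANYONE = Rule("SrvTalksToAnyone", "permit", "ipv4", "lan3", 5,
                           "10.1.1.1", 32, "0.0.0.0", 0)
ALLOW_ICMPV6 = Rule("AllowICMPv6", "permit", "ipv6", "lan3", 3,
                    "0::0", 0, "0::0", 0, protocol=58)
HOST_PAIR_V6 = Rule("HostPairV6", "permit", "ipv6", "lan3", 10,
                    "2001:db8::1", 128, "2001:db8::2", 128)

# Constructed sample packets.
SERVER_OUT = Packet("ipv4", "10.1.1.1", "192.0.2.10", 6)       # server -> anyone
TO_SERVER = Packet("ipv4", "192.0.2.10", "10.1.1.1", 6)        # anyone -> server
ND_SOLICIT = Packet("ipv6", "fe80::1", "ff02::1:ff00:2", 58)   # neighbor solicitation
V6_TCP = Packet("ipv6", "2001:db8::1", "2001:db8::2", 6)


def caution_example():
    """The sidebar's point: one rule behaves like two once egress swapping applies."""
    return {
        "ingress server->any": evaluate([SRV_TALKS_TO_ANYONE], "lan3", SERVER_OUT, "ingress"),
        "ingress any->server": evaluate([SRV_TALKS_TO_ANYONE], "lan3", TO_SERVER, "ingress"),
        "egress any->server": evaluate([SRV_TALKS_TO_ANYONE], "lan3", TO_SERVER, "egress"),
    }


def nd_example():
    """A host-pair IPv6 permit alone drops Neighbor Discovery; AllowICMPv6 restores it."""
    return {
        "tcp, host-pair only": evaluate([HOST_PAIR_V6], "lan3", V6_TCP, "ingress"),
        "nd, host-pair only": evaluate([HOST_PAIR_V6], "lan3", ND_SOLICIT, "ingress"),
        "nd, with AllowICMPv6": evaluate([HOST_PAIR_V6, ALLOW_ICMPV6], "lan3", ND_SOLICIT, "ingress"),
    }


if __name__ == "__main__":
    for label, (action, rule_name) in {**caution_example(), **nd_example()}.items():
        print(f"{label:24s} -> {action} ({rule_name})")
```

Running the script shows the SrvTalksToAnyone rule permitting server-originated packets on ingress and, after the egress swap, also permitting packets forwarded to the server out lan3, while the same packet arriving inbound from an outside source falls through to the implicit deny. The IPv6 cases show that a rule permitting two specific hosts does nothing for the link-local, multicast-addressed Neighbor Solicitation, which is only permitted once the protocol 58 rule is present.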
You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).
4.6.4 Fortress Controller Access Control
NOTE: Local controller authentication settings apply regardless of whether device authentication is enabled (as described for Secure Client devices authentication in Section 4.5.4, above).
Fortress's controller device authentication assigns every Mesh Point a unique Device ID that is subsequently used to authenticate the device for access to the Fortress-secured network.
The Mesh Point automatically detects other Fortress devices on the network and populates a record of authenticating controllers.
Attempts made by auto-populating devices to connect to the Mesh Point-protected network are treated according to the