GB-Ware Software Firewall, powered by GNAT Box System Software
Product Guide GBWA200501-01
Copyright © 1996-2004, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days "up and running" installation support from the date of purchase. See GTA's web site for more information.
1 Introduction

About GTA Firewalls

Global Technology Associates, Inc. (GTA) has been designing and building Internet firewalls since 1994. In 1996, GTA developed the first truly affordable commercial-grade firewall, the GNAT Box®. Since then, ICSA-certified GNAT Box System Software has become the engine that drives all GTA hardware appliance and software firewall systems.
• Dynamic DNS
• DNS proxy
• Transparent and traditional web proxy with script blocking
• DNS server (optional on 10 user version)
• DHCP server
• Web and GBAdmin user interfaces for remote management
• SNMP (read-only)
• Traffic shaping (bandwidth limiting)
• NTP (network time protocol) server

Additional Software Products

• GTA Reporting Suite™ (firewall log reporting)
• GB-Commander™ (firewall management)

Optional Features

• VPN hardware acceleration
Software Specifications

Specification                                GB-Ware 10 users   GB-Ware unrestricted users
Concurrent connections (standard)            1,000              128,000
Concurrent outbound users (standard)         10                 Unrestricted
Network interfaces (standard)                2                  3
User authentication                          50                 750
Address objects                              50                 600
Aliases                                      5                  300
Pass-through hosts                           10                 300
Filters, outbound & remote access objects    75                 400
Traffic shaping objects                      5                  50
Static outbound maps                         25                 300
Static routes                                10                 300
Time groups                                  75                 100
Tunne
configuration with full network speeds on all interfaces. The best possible performance can be obtained by using a Pentium class or higher CPU with PCI network cards. Network performance bottlenecks usually occur at the connection to the Internet when using DSL or T1 class connectivity. GB-Ware with 10 Mbps Ethernet cards easily provides enough throughput for network connectivity of up to T1 speeds (1.5 Mbps).
Optional Components

• 1-18 additional network cards (if using the Multi-Interface Option)
• Async modem (PPP connections or pager only)
• ISDN TA with RS-232 interface (PPP connections only)
• Cable modem
• Serial ports for COM 1-4 (1645x/1655x UARTs only)

Note
GTA recommends installing only the GB-Ware required or GB-Ware optional components in the system. Devices such as SCSI controllers and sound cards remain unused and may decrease performance.
Modem/ISDN TA Hardware

GTA recommends configuring the modem or ISDN TA on another system before installing it on GB-Ware. Most modems allow the storage of a user configuration and the recall of this configuration using a specific command (e.g. ATZ). It is usually easiest to configure the modem before installation, and then to recall that configuration and set the modem with a few commands.

Note
The default configuration for most modems will generally work with GB-Ware.
Other avenues for assistance are available through authorized GTA Channel Partners, the GNAT Box Mailing List, or the GTA web site (www.gta.com).

Upgrades

Once registered, you can view available upgrades in the GTA online support center section of the GTA web site (www.gta.com/support/center/login/). Click on the serial number of your registered product to see if an upgrade is available for that specific unit. Click on the DOWNLOADS link to view all available software versions.
Additional Documentation

For additional instructions on installation, registration and setup of a GTA product, see the applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate feature guide. Documentation is included on installation CDs, and is available for download from the GTA web site.

Note
Check the GTA web site for the latest PDFs and other documentation.
2 Installation

Registration

To get technical support and software updates, you must register your GTA firewall.

1) To register, go to www.gta.com. Click on SUPPORT and then the SUPPORT CENTER link to visit https://gta.com/support/center/login/.
2) If you do not have an online support account, click on the CREATE AN ACCOUNT NOW link and enter your information. Once you have completed the form, click the SUBMIT button to save the profile.
Installing GB-Ware on PC Hardware

GB-Ware software must be installed on x86 (Intel-compatible) computer hardware before you can use your firewall. The GB-Ware installation CD will install the firewall software onto your computer hardware.
Setup for GB-Ware Installation

The computer (either the intended firewall or an installation proxy computer) must be modified to boot using a CD-ROM drive. This enables the GNAT Box System Software installation CD to activate and install the GB-Ware firewall software when powering on the PC.

Caution
If installing GB-Ware using a proxy computer, temporarily disconnect other (non-GB-Ware) writable drives to prevent accidental erasure during firewall installation.
Caution
Installing GB-Ware on a hard drive will erase its contents and replace them with GB-Ware. If you wish to keep the data on a hard drive, do not install GB-Ware on it; instead, install GB-Ware on a different hard drive. You may also wish to temporarily disconnect other (non-GB-Ware) hard drives to prevent accidental erasure during firewall installation.

2. Power on the computer. Insert the GNAT Box System installation CD into the system's CD-ROM drive.
3.
GNAT Box System Software Licensing Agreement

Selecting a GB-Ware Runtime

The GNAT Box System Software Runtime Installer screen will appear. If you are upgrading, verify that your configuration has been backed up to another location. Any information currently on the disk will be over-written during the installation. Select the desired GB-Ware runtime (executable) version from the list of products in step 2.
The serial version of the GB-Ware runtime installs factory default settings; a serial or temporary peer Ethernet connection can be used to change these settings. If you prefer to perform initial firewall configuration over the web or with GBAdmin, choose this option. The selection list also includes the Erase Disk function. This allows the user to clear all the disk data from the selected disk.

Caution
Using the ERASE DISK choice will erase a drive's contents.
Note
USB pen drives may appear, but should not be selected for installation as they are not IDE-bootable devices. CD-ROM or DVD-ROM drives will not be displayed by the GB-Ware system installation process, as they are not writable discs. Other drives will not display.
Disk Re-formatting Warning

It may take several minutes for the runtime to install. A pipe indicator (|) will be animated while the system installs.
attach the hardware key block to a prospective GB-Ware firewall and boot the GB-Ware disk.
3 Configuration

The following sections describe how to change GB-Ware from the default configuration, in which all internal users are allowed outbound connections, but no unsolicited inbound connections are allowed. Use either the web user interface, GBAdmin, the video console, or the serial console to configure the GB-Ware firewall.

Setting the Boot Sequence

After installing GB-Ware and attaching the hardware key block, power up the GB-Ware firewall.

1.
During installation, you chose the video or the serial console version of the GNAT Box runtime. These methods can be used during setup, when you have direct physical access to the firewall, or as a failsafe if the network is down and you can no longer administer your firewall remotely. Additionally, you may choose to set up your firewall over a peer Ethernet connection using GBAdmin or a web user interface.
Requirements

If using the web user interface, you will need:
• 1 crossover Ethernet cable to connect with the computer directly, or 1 straight-through Ethernet cable to connect with the computer through a hub or switch
• 2 straight-through Ethernet cables, one for each required network connection
• 1 computer with an SSL-compatible and frames-enabled browser

If using GBAdmin, you will need:
• 1 crossover Ethernet cable to connect with the computer directly, or 1 straight-through
match the network address scheme. Then you may add the firewall to your network and connect remotely (by web or GBAdmin) through your normal network.

1) Use a crossover Ethernet cable to connect a computer to the firewall's first network interface card. Alternately, use straight-through cables to connect your computer and the firewall's first network interface to a hub or switch.
2) Note or back up your computer's network configuration.
Temporary Network Configuration for Connection with Firewall Defaults - Mac OS X

3) Reboot your computer if necessary to put your new network configuration into effect.

Note
Please refer to the GNAT Box System Software User's Guide for specific information about editing network information.

Making a Serial Connection

If you want to initially configure your firewall using the serial console, use a null-modem serial cable to connect a computer's COM port to the COM port of your firewall.
Configuring Your Firewall

You will need to configure your firewall to match your network scheme before installing it.
On Macintosh computers, GTA does not recommend using Microsoft Internet Explorer for Macintosh (Mac IE 5). OpenSSL encryption, used by the firewall, is known to be incompatible with Mac IE 5, and your browser will not allow you to continue past the security alert screen. If you must use Mac IE 5, install the firewall using a compatible browser, GBAdmin or the console, and disable SSL before using Mac IE 5. Mac IE 5 can only be used with SSL encryption disabled.
Entering the Default User ID and Password

Caution
GTA recommends changing the default user ID and password to prevent unauthorized access.

Entering Your Network Information

GB-Ware requires entry of the serial number and activation code. Click on Basic Configuration and expand the menu, then select Features. Enter the serial number and activation code, then click the SAVE button, then the OK button.
Caution
Closing the browser without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.

2) Once you have completed the network configuration, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close your browser.

Caution
Failure to close the browser may allow unauthorized access to the firewall.
Using CIDR-based or Slash (/) Notation

CIDR (Classless Inter-Domain Routing) aggregates routes so that a single address prefix can represent thousands of addresses served by a backbone provider. GNAT Box System Software uses CIDR-based notation (e.g. /24) as the default for subnet masks, instead of dotted-decimal (e.g. 255.255.255.0) notation.
Caution
Failure to change the default password is a serious security weakness. GTA recommends changing the default user ID and password to prevent unauthorized access.

Configuration Using GBAdmin

If your computer's operating system is Microsoft Windows, you can choose to configure your firewall by using the GBAdmin software you installed earlier instead of using the web interface.

Note
GBAdmin can only be installed on a local computer that uses Windows 98, NT 4.0, XP, Me, 2000 or 2003.
GBAdmin Network Information Window

Entering Your Network Information

GB-Ware requires entry of the serial number and activation code. Click on Basic Configuration and expand the menu, then select Features. Enter the serial number and activation code, then click the SAVE button, then the OK button. The firewall has default settings which need to be changed to match your network settings. Click on Basic Configuration and expand the menu to select Network Information.
Caution
Closing GBAdmin without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.

2) Once you have completed the Network Information form, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close GBAdmin.
1) On your computer, open terminal emulator software such as Tera Term or Microsoft HyperTerminal and enter the following settings for a new connection:

EMULATION         VT-100
PORT              Computer serial (COM) port connected to the firewall via a DB-9 cable
BAUD RATE         38400
DATA / BIT RATE   8
PARITY            None
STOP              1
FLOW CONTROL      Hardware*

* Set flow control to "None" as an alternative to hardware flow control.
2) If you specified the video console version during installation, your hardware was configured correctly, and the system did not encounter any problems, the Setup Wizard should now appear.

Video Console Navigation

There are three modes on the video console: log messages, the main interface and statistics. View log messages by pressing ALT+F1. Press ALT+F2 to switch to the main interface. These keys are always active. After initial setup, see firewall statistics by pressing ALT+F3.
Note
If you cancel the Setup Wizard, go to Basic Configuration then Features to enter your serial number and activation code. Next, enter your initial configuration information in Basic Configuration then Network Information. Your firewall will not be functional until these steps are performed, either by hand or by the Setup Wizard.

Setup Wizard

3. Host Name
Enter the host name of the firewall.
Run DHCP?

6c. IP Address
You will reach this option if you rejected use of dynamic IP address services. Enter the static IP address and subnet mask of the external network interface. The IP address for the external network interface should be a valid ISP-registered IP address if you will be connecting your firewall to the Internet.

7. Network Interface Card for the External, Protected Network or PSN
Select an available NIC to assign to the external interface.
ment Numbers Authority (IANA) has specified network addresses in RFC 1918 that are designated exclusively for internal networks.

IANA Private Network IP Address Rules

Quantity of Addresses Available   Network Class   IP Address Range
1                                 A               10.0.0.0 - 10.255.255.255
16                                B               172.16.0.0 - 172.31.255.255
256                               C               192.168.0.0 - 192.168.255.255

Note
Because GTA firewalls perform NAT, the IP address and any network addresses behind the firewall (i.e.
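As an added example (not from the GB-Ware guide or GTA's software), the following Python converts between the slash notation the guide describes and dotted-decimal masks, and checks an address against the RFC 1918 ranges in the table above; the ranges are written as /8, /12 and /16 prefixes, and the sample addresses are constructed for illustration.

```python
# Added example: CIDR prefix <-> dotted-decimal mask conversion and an RFC 1918
# private-range check, done with plain integer arithmetic so the bit mechanics
# behind slash notation are visible. Not GTA code; sample inputs are constructed.

def ip_to_int(addr: str) -> int:
    """Parse a dotted-decimal IPv4 address into a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Format a 32-bit integer as a dotted-decimal IPv4 address."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits set, the remaining bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects non-contiguous masks such as 255.0.255.0,
    which have no slash-notation equivalent."""
    value = ip_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def parse_cidr(cidr: str):
    """'192.168.1.77/24' -> (network, broadcast, dotted mask) for that block."""
    addr, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(broadcast), int_to_ip(mask)


# The three RFC 1918 ranges from the guide's table in slash notation. The class B
# range 172.16.0.0 - 172.31.255.255 (16 class B networks) collapses to one /12.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def in_cidr(addr: str, cidr: str) -> bool:
    """True if `addr` falls inside the block `cidr` (compare the masked bits)."""
    net, _, prefix_text = cidr.partition("/")
    mask = ip_to_int(prefix_to_mask(int(prefix_text)))
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


def is_rfc1918(addr: str) -> bool:
    """True if the address belongs to one of the private ranges above."""
    return any(in_cidr(addr, block) for block in RFC1918)


if __name__ == "__main__":
    # Constructed examples: a protected-network host and an external address.
    print(parse_cidr("192.168.1.77/24"), is_rfc1918("192.168.1.77"))
    print(mask_to_prefix("255.240.0.0"), is_rfc1918("172.32.0.1"))
```

A private address entered for the external interface is a sign that the wizard's static IP step was filled in with an internal-network value rather than the ISP-registered one the guide calls for.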
Accessing Your GTA Firewall

After completing the initial configuration in the setup wizard, your GTA firewall should be active and functioning in default security mode (all internal users are allowed outgoing connections, and no unsolicited connections are allowed in). After testing connectivity, you can now perform any additional configuration tasks using GBAdmin or the web interface. See the GNAT Box System Software User's Guide for more information.
4 Troubleshooting

Troubleshooting Basics

GTA Support recommends the following guidelines as a starting point when troubleshooting network problems:
• Start with the simplest case of locally attached hosts.
• Use IP addresses, not names. Your problem could be DNS.
• Work with one network segment at a time.
• Verify your firewall system configuration by using Verify Configuration. The verification check is the best method of ensuring that your system is configured correctly.
• Have you added a static route on the firewall to tell it which router is used to reach the Internet? Have you set the router's default route to be the firewall? Have you set the default route for hosts on the problem network to be the router or firewall?
• Is the wrong IP address assigned to the hosts or firewall? All network interfaces on the firewall must be on different logical networks.
Note
Distinguish between crossover cables and straight-through cables by comparing the connection ends. On a straight-through cable, the wire order matches; on a crossover cable, the first three of the four wires are in reverse order.

6a. How do I install the parallel port hardware key block?
The parallel port hardware key block must be installed in the parallel (printer) port.
Installation of the USB Key Block

3. Enter the GB-Ware serial number and activation code in the Basic Configuration then Features section of the GB-Ware web interface or wizard.

Note
If the hardware key block is not recognized once you have booted the system, and the serial number and activation code are both entered correctly, make sure that your firewall's USB port is active and functional according to your hardware's BIOS.
11. The warning message "Initializing runtime slice 2 failed; No space left on device" is displayed.
1. The Compact Flash card is too small; GTA only supports GTA-certified Compact Flash cards.
2. The Compact Flash card no longer functions correctly; contact GTA or a GTA Channel Partner for hardware warranty.

12. I lost my user name and/or password.
13. How do I revert to my previous configuration after a version upgrade?
The firewall's Compact Flash or hard drive memory is in two sections ("slices"); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration. A new firewall's two memory slices are identical.
1. If you have more than one CD-ROM drive installed, either disconnect the additional CD-ROM drives and retry, or verify that the installation CD-ROM drive is detected first in the boot sequence, before other CD-ROM drives in the IDE controller ports.
2. Connect a different CD-ROM drive and retry.
3. Try installing GB-Ware into a different hardware system.

16. My system did not auto-detect the Compact Flash.
Use these troubleshooting steps:
1.
Appendix

Installing the Compact Flash Card

If you are installing your GB-Ware firewall on a Compact Flash card, use these instructions to install the Compact Flash card for your firewall. The instructions assume that the Compact Flash IDE adapter is being installed in the intended firewall; modification is necessary to install the GB-Ware firewall Compact Flash IDE adapter on an installation proxy computer.
Warning
Improper grounding can damage your system or Compact Flash card, and may cause physical injury or death. Never service your GB-Ware system while it is plugged in or powered on!

Assembling the Compact Flash IDE Adapter

1) Insert the four white nylon mounting posts into the mounting holes in the adapter board. (You can also mount the adapter board in a hard disk drive bay using 3.5" hard disk drive mounting hardware.
(Refer to the motherboard's user guide if you cannot locate the IDE controller ports.)

Locating the Primary IDE Controller Port

Mounting the Compact Flash Card

Mount the adapter board securely inside the firewall's case; find a place where the components fit easily and securely, and where the IDE cable can easily reach from the adapter board to the primary IDE controller port. DO NOT mount the adapter board onto or near other electronic components inside the case.
Connecting the IDE Cable

Insert one end of the IDE cable into the primary IDE controller port with the red-striped side of the cable lined up with pin #1 of the IDE controller port. Insert the other end of the IDE cable into the IDE port of the adapter board with the red-striped side of the IDE cable nearest to the 4-pin power port.
Note
Those upgrading from GNAT Box System Software version 2.x or lower should record all configuration data and use it as a guide to enter new configuration data manually. You may use the web interface to print the configuration or manually record it.

1) Once you have installed GB-Ware on a Compact Flash card or hard drive, power up the GB-Ware firewall.
2) Overwrite the default GB-Ware configuration with your network information.
4) GBAdmin will connect to the GB-Ware firewall and prompt you for the user ID and password selected during installation; when successfully authenticated, GBAdmin will load the GB-Ware configuration.
5) Merge the old configuration with the GB-Ware firewall configuration. Click File then Merge. A warning will ask if you wish to overwrite your current settings. Click YES. In the MERGE dialog box, select FILE in the SOURCE field.
Note
If your NIC is not listed, it is possible that you are upgrading from an older version in which that NIC was supported. Please contact support with any questions. If you are placing the configuration on new hardware with different NICs, you will need to select your cards.

10) Save the configuration to the firewall by clicking on the SAVE ALL button on the tool bar or by selecting File then Save All.