Post on 19-Aug-2020
Part No. N450000377 Rev 001
Published May 2007
Nokia IP390 IntrusionPrevention with Sourcefire
Installation Guide
COPYRIGHT©2007 Nokia. All rights reserved.Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGENDUse, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
070101
2 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Nokia Contact InformationCorporate Headquarters
Regional Contact Information
Nokia Customer Support
Web Site http://www.nokia.com
Telephone 1-888-477-4566 or 1-650-625-2000
Fax 1-650-691-2170
Mail Address
Nokia Inc.313 Fairchild DriveMountain View, California94043-2215 USA
Americas Nokia Inc.313 Fairchild DriveMountain View, CA 94043-2215USA
Tel: 1-877-997-9199Outside USA and Canada: +1 512-437-7089email: info.ipnetworking_americas@nokia.com
Europe, Middle East, and Africa
Nokia House, Summit AvenueSouthwood, FarnboroughHampshire GU14 ONG UK
Tel: UK: +44 161 601 8908Tel: France: +33 170 708 166email: info.ipnetworking_emea@nokia.com
Asia-Pacific 438B Alexandra Road#07-00 Alexandra TechnoparkSingapore 119968
Tel: +65 6588 3364email: info.ipnetworking_apac@nokia.com
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com
Americas Europe
Voice: 1-888-361-5030 or 1-613-271-6721
Voice: +44 (0) 125-286-8900
Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666
Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897
050602
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 3
4 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Contents
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13In this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Conventions this Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Command-Line Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19About Nokia IP390 IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Built-In Gigabit Ethernet Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . 21PMC Expansion Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Managing Your Nokia IP390 IPS . . . . . . . . . . . . . . . . . . . . . . . . . . 25Site Requirements, Warnings, and Cautions . . . . . . . . . . . . . . . . . 25Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Product Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2 Installing Nokia IP390 IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Rack Mounting the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Connecting Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Connecting to the Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Connecting to Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 36
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 5
3 Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . 39Using a Console Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Using Nokia Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Viewing Nokia IPSO-LX Documentation by Using Nokia Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Using the Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . 44
4 Installing and Replacing Network Interface Cards . . . . . . . . . 45Deactivating Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 46Removing, Installing, and Replacing NICs. . . . . . . . . . . . . . . . . . . 46
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Monitoring Network Interface Cards. . . . . . . . . . . . . . . . . . . . . . . . 53
5 Connecting to the Gigabit Ethernet Network Interface Cards 55Two-Port Copper Gigabit Ethernet NIC . . . . . . . . . . . . . . . . . . . . . 56
Copper Gigabit Ethernet NIC Features . . . . . . . . . . . . . . . . . . . . 56Copper Gigabit Ethernet Connectors and Cables . . . . . . . . . . . . 57
Two-Port Fiber-Optic Gigabit Ethernet NIC . . . . . . . . . . . . . . . . . . 59Fiber-Optic Gigabit Ethernet NIC Features . . . . . . . . . . . . . . . . . 59Fiber-Optic Gigabit Ethernet Connectors and Cables . . . . . . . . . 60
Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs 60Fail Open Copper Gigabit Ethernet NIC Features. . . . . . . . . . . . 61How a Fail Open NIC Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Front Panel Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61LED Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Fail Open Copper Gigabit Ethernet Connectors and Cables . . . 64
Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC . . . . . . . . . . 66Fail Open Fiber-Optic Gigabit Ethernet NIC Features. . . . . . . . . 67How a Fail Open NIC Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Front Panel Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68LED Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Fail Open Fiber-Optic Gigabit Ethernet Connectors and Cables 69
6 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
6 Installing and Replacing Other Components . . . . . . . . . . . . . . 71Replacing the Compact Flash Memory Card . . . . . . . . . . . . . . . . . 72Replacing a Hard-Disk Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Replacing or Upgrading Memory . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Replacing the Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Physical Dimensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Operating Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100NIC Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
B Compliance Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Declaration of Conformity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102FCC Notice (US) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 7
8 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Tables
Table 1 Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . 15Table 2 Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Table 3 Specifications for Nokia IP390 IPS . . . . . . . . . . . . . . . . . 20Table 4 Supported Network Interface Cards for PMC Expansion
Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Table 5 System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Table 6 Pin Assignments Console Connector and Cable . . . . . . 36Table 7 LED Details for Two-Port Copper Fail Open NIC . . . . . . 63Table 8 LED Details for Four-Port Copper Fail Open NIC . . . . . 63Table 9 LED Details for Fail Open Fiber-Optic NIC . . . . . . . . . . . 69
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 9
10 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Figures
Figure 1 Component Locations Front View . . . . . . . . . . . . . . . . . 20Figure 2 Component Locations Rear View . . . . . . . . . . . . . . . . . 21Figure 3 Built-In Gigabit Ethernet Ports Details . . . . . . . . . . . . . . 21Figure 4 Appliance Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . 23Figure 5 Mounting Screws Location . . . . . . . . . . . . . . . . . . . . . . 30Figure 6 Adjustable Mounting Brackets . . . . . . . . . . . . . . . . . . . . 31Figure 7 Back Panel Power Switch and Socket . . . . . . . . . . . . . 32Figure 8 Nokia Network Voyager Reference Access Points . . . . 43Figure 9 Two-Port Copper Gigabit Ethernet NIC . . . . . . . . . . . . . 57Figure 10 Copper Gigabit Ethernet Cable Connector Output Pin
Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Figure 11 Gigabit Ethernet Crossover Cable Pin Connections . . 58Figure 12 Two-Port Fiber-Optic Gigabit Ethernet NIC . . . . . . . . . 60Figure 13 Two-Port Fail Open Copper Gigabit Ethernet NIC . . . 62Figure 14 Four-Port Fail Open Copper Gigabit Ethernet NIC . . . 62Figure 15 Copper Fail Open Gigabit Ethernet Cable Connector
Output Pin Assignments . . . . . . . . . . . . . . . . . . . . . . . 65Figure 16 Fail Open Copper Gigabit Ethernet Crossover Cable Pin
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Figure 17 Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC 68Figure 18 Compact Flash Memory Card Slot . . . . . . . . . . . . . . . 72Figure 19 Hard-Disk Drive Location . . . . . . . . . . . . . . . . . . . . . . 75
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 11
Figure 20 DIMM Socket Locations . . . . . . . . . . . . . . . . . . . . . . . 82
12 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
About this Guide
This guide describes how to install and maintain Nokia IP390 Intrusion Prevention with Sourcefire appliances. For information on Nokia IP390 Firewall/VPN appliances, see the IP390 Security Platform Installation Guide.Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only. This preface provides the following information:
In this GuideConventions this Guide UsesRelated Documentation
In this GuideThis guide is organized into the following chapters and appendixes:
Chapter 1, “Overview” presents a general overview of the Nokia IP390 IPS appliance.Chapter 2, “Installing Nokia IP390 IPS” describes how to rack-mount the appliance and how to physically connect it to a network and power.Chapter 3, “Performing the Initial Configuration” describes how to make the appliance available on the network.Chapter 4, “Installing and Replacing Network Interface Cards” describes how to install, monitor, and replace network interface cards (NICs).
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 13
Chapter 5, “Connecting to the Gigabit Ethernet Network Interface Cards” describes how to connect to and use each of the supported NICs.Chapter 6, “Installing and Replacing Other Components” describes how to install or replace the compact flash memory card, RAM memory, a hard-disk drive, and the battery.Chapter 7, “Troubleshooting” describes problems you might encounter and proposes solutions to these problems.Appendix A, “Technical Specifications” provides technical specifications such as interface characteristics.Appendix B, “Compliance Information” provides compliance and regulatory information.
Conventions this Guide UsesThe following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.
Notices
WarningWarnings advise the user that bodily injury might occur because of a physical hazard.
CautionCautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
14 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Conventions this Guide Uses
NoteNotes provide information of special interest or recommendations.
Command-Line ConventionsYou might encounter one or more of the following elements on a command-line path.
Table 1 Command-Line Conventions
Convention Description
command This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.
Italics Indicates a variable in a command that you must supply. For example:delete interface if_name
Supply an interface name in place of the variable. For example:delete interface nic1
angle brackets < > Indicates arguments for which you must supply a value:retry-limit <1–100>
Supply a value. For example:retry-limit 60
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 15
Square brackets [ ] Indicates optional arguments.delete [slot slot_num]
For example:delete slot 3
-flag A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.
.ext A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.
( . , ; + * - / ) Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.
' ' Single quotation marks are literal symbols that you must enter as shown.
Table 1 Command-Line Conventions
Convention Description
16 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Related Documentation
Text ConventionsTable 2 describes the text conventions this guide uses.
Related DocumentationYou can find this guide in PDF on the Nokia support Web site (https:// support.nokia.com/) and on the product CD that was included with your
Table 2 Text Conventions
Convention Description
monospace font Indicates command syntax, or represents computer or screen output, for example:Log error 12453
bold monospace font Indicates text you enter or type, for example:# configure nat
Key names Keys that you press simultaneously are linked by a plus sign (+):Press Ctrl + Alt + Del.
Menu commands Menu commands are separated by a greater than sign (>):Choose File > Open.
The words enter and type Enter indicates you type something and then press the Return or Enter key.Do not press the Return or Enter key when an instruction says type.
Italics • Emphasizes a point or denotes new terms at the place where they are defined in the text.
• Indicates an external book title reference.• Indicates a variable in a command: delete interface if_name
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 17
Nokia IP390 IPS. In addition to this guide and other documents shipped with your appliance, documentation for this product includes the following:
Administrator’s Guide for Nokia IPSO-LX for the version of Nokia IPSO-LX you are usingCLI Reference Guide for Nokia IPSO-LX for the version of Nokia IPSO-LX you are usingRelease Notes for Nokia IPSO-LX for the version of Nokia IPSO-LX you are usingNokia Network Voyager page help
For information on setting up the appliance to operate as a Sourcefire Sensor on Nokia, see the following manuals:
Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup GuideNokia Intrusion Prevention with Sourcefire User’s Guide
You can find the most up-to-date version of the Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide in PDF on the Nokia support Web site at https://support.nokia.com.
18 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
1 Overview
Nokia IP390 Intrusion Prevention with Sourcefire, also referred to as Nokia IP390 IPS, is a purpose-built network security appliance optimized for the Sourcefire 3D System. Running Nokia IPSO-LX, a security-hardened operating system, Nokia IP390 IPS is designed to provide consistent in-line reliability, ease of management and simple acquisition and implementation. Nokia IP390 IPS comes preinstalled with Sourcefire Intrusion Prevention System (IPS) and Real-time Network Awareness (RNA) and can run both simultaneously.This highly versatile 1RU platform is designed for growing medium businesses, remote campuses, large branch offices and securing internal network segments. This chapter provides an overview of Nokia IP390 IPS and the requirements for using it. The following topics are covered:
About Nokia IP390 IPSManaging Your Nokia IP390 IPSSite Requirements, Warnings, and CautionsSoftware RequirementsProduct Disposal
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 19
1 Overview
About Nokia IP390 IPSNokia IP390 IPS is a one rack-unit appliance that incorporates a serviceable slide-out tray into the chassis design and support for various network interface cards (NICs). Table 3 shows the specifications for Nokia IP390 IPS.
The following figures show component locations for Nokia IP390 IPS.
Figure 1 Component Locations Front View
Table 3 Specifications for Nokia IP390 IPS
Feature Nokia IP390 IPS
Maximum memory size 2 GB
Network interface cards (NICs) support
• Two or fewer two-port copper Gigabit Ethernet NICs• Two or fewer two-port fiber-optic Gigabit Ethernet
NICs• Two or fewer two-port or four-port copper fail open
Gigabit Ethernet NICs • Two or fewer two-port fiber-optic fail open Gigabit
Ethernet NICs
00525
IP390
System status LEDs
AUX portConsole port
Four-port Gigabit Ethernet
PC-card slots PMC NIC slots (slots 1 and 2)
Reset button
20 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
About Nokia IP390 IPS
NoteThe AUX port and the PC-card slots are not supported on Nokia IP390 IPS.
Figure 2 Component Locations Rear View
Built-In Gigabit Ethernet PortsThe four built-in Gigabit Ethernet ports are located on the front of the appliance. Figure 3 shows the layout of the built-in Gigabit Ethernet ports and status LEDs.
Figure 3 Built-In Gigabit Ethernet Ports Details
00527
Power socket
Power switch
00547
Activity LED (blinking yellow)Link LED (solid yellow for 10/100 Mbps, solid green for 1000 Mbps)
RJ-45 connectors
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 21
1 Overview
CautionCables that connect to the Gigabit Ethernet ports must be IEEE 802.3 compliant to prevent potential data loss.
NoteNokia recommends the use of shielded twisted-pair cables and connectors for best Electromagnetic Interference and Immunity performance.
PMC Expansion SlotsNokia IP390 IPS appliances provide two additional PMC network interface card (NIC) slots. These slots can be used for the NICs described in Table 4.
Table 4 Supported Network Interface Cards for PMC Expansion Slots
NIC For details, see...
Two-port copper Gigabit Ethernet (10/100/1000 Mbps)
“Two-Port Copper Gigabit Ethernet NIC” on page 56
Two-port fiber-optic Gigabit Ethernet
“Two-Port Fiber-Optic Gigabit Ethernet NIC” on page 59
Two-port fail open copper Gigabit Ethernet(10/100/1000 Mbps)
“Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs” on page 60
Four-port fail open copper Gigabit Ethernet(10/100/1000 Mbps)
“Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs” on page 60
Two-port fail open fiber-optic Gigabit Ethernet
“Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC” on page 66
22 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
About Nokia IP390 IPS
NoteNokia products only support NICs purchased from Nokia or Nokia-approved resellers. The Nokia Global Support Services group can provide support only for Nokia products that use Nokia-approved accessories. For sales or reseller information, contact a Nokia service provider listed in the “Nokia Contact Information” on page 3.
System Status LEDsYou can monitor the basic operation of the appliance and NICs by checking their status LEDs. The system status LEDs are located on the front panel of the appliance, as Figure 4 shows.
Figure 4 Appliance Status LEDs
Table 5 shows the system status LEDs and describes their meaning.
Table 5 System Status LEDs
Status Indicator Meaning Symbol
Solid blue Power on
Solid yellow Appliance is experiencing an internal voltage problem.
00526
!
Power indicator (blue)
Fault (red)Warning (yellow)
System OK (green)
!
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 23
1 Overview
The location and meaning of the status LEDs for NICs are described in Chapter 5, “Connecting to the Gigabit Ethernet Network Interface Cards.”
For information on the built-in Gigabit Ethernet interface LEDs, see “Built-In Gigabit Ethernet Ports” on page 21.For information on the two-port copper Gigabit Ethernet NIC LEDs, see “Two-Port Copper Gigabit Ethernet NIC” on page 56.For information on the two-port fiber-optic Gigabit Ethernet NIC LEDs, see “Two-Port Fiber-Optic Gigabit Ethernet NIC” on page 59.For information on the two-port or four-port fail open copper Gigabit Ethernet NIC LEDs, see “Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs” on page 60.For information on the two-port fail open fiber-optic Gigabit Ethernet NIC LEDs, see “Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC” on page 66.
Blinking yellow Appliance is experiencing a temperature problem.
Solid red One or more fans are not operating properly.Power supply over temperature fault.
Blinking green System activity indicator
Table 5 System Status LEDs
Status Indicator Meaning Symbol
!
24 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Managing Your Nokia IP390 IPS
Managing Your Nokia IP390 IPSYou can manage your Nokia IP390 IPS by using one of the following interfaces:
Nokia Network Voyager—an SSL-secured, Web-based element management interface to Nokia appliances. Network Voyager is preinstalled on the appliance and enabled through the IPSO-LX operating system. With Network Voyager, you can manage and configure the appliance from any authorized location within the network by using a standard Web browser.For information about how to access Network Voyager and the related reference materials, see “Using Nokia Network Voyager” on page 41.The IPSO-LX command-line interface (CLI)—an SSHv2-secured interface that enables you to easily configure Nokia appliances from the command line. Almost everything that you can accomplish with Network Voyager you can also accomplish with the CLI. For information about how to access the CLI, see the CLI Reference Guide for Nokia IPSO-LX for the version of Nokia IPSO-LX you are using.
Site Requirements, Warnings, and CautionsBefore you install your Nokia IP390 IPS, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Chapter A, “Technical Specifications.”
WarningExcessive electromagnetic interference (EMI) can occur if you use controls, make performance adjustments, or follow procedures that are not described in this document.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 25
1 Overview
WarningTo reduce the risk of fire, electric shock, and injury when you use telephone equipment, follow basic safety precautions. Do not use the product near water.
WarningRisk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.
CautionDo not block any of the ventilation holes on the appliance. The components might overheat and become damaged.
WarningHazardous radiation exposure can occur if you use controls, make performance adjustments, or follow procedures that are not described in this document.
CautionFor Nokia IP390 IPS appliances intended for shipment outside of the United States, the cord might be optional. If a cord is not provided, use a power cord rated at 6A, 250V, maximum 15 feet long, made of HAR cordage and IEC fittings approved by the country of end use.
26 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Software Requirements
Software RequirementsNokia IP390 IPS supports the following operating system and applications:
Nokia operating system software requirements—IPSO-LX 7.0 or laterSourcefire Sensor on Nokia versions compatible with the version of Nokia IPSO-LX you are using
For information about updates to the software requirements or additional applications that have become available since this guide was published, contact your Nokia service provider, as listed in “Nokia Contact Information” on page 3.
Product DisposalAt the end of its useful life, your appliance and all peripherals included with it, including power cords and cables, must be disposed of in accordance with all applicable national, state, and local laws and regulations. These devices contain materials and components that must be disposed of properly. Therefore, to help prevent damage to the environment, Nokia encourages you to dispose of these devices in an environmentally-friendly manner.The following resources are available to you to help with equipment-disposal decisions:
Many Nokia products are labeled with information about the materials used in their manufacture that can help those who will process equipment after you have disposed of it.The Nokia web site (http://www.nokia.com) provides information about our environmental programs and practices, which includes details about materials used in manufacturing and end-of-life practices. You can also find your product’s Eco Declaration, which provides basic information on the environmental attributes of the product covering material use, packaging, disassembly, and recycling.Contact your local waste management agencies for guidelines specific to your area.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 27
1 Overview
The crossed-out wheeled bin means that within the European Union the product must be taken to separate collection at the product end-of-life. This applies to your device but also to any enhancements marked with this symbol. Do not dispose of these products as unsorted municipal waste.
28 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
2 Installing Nokia IP390 IPS
This chapter describes how to install Nokia IP390 IPS. The following topics are covered:
Before You BeginRack Mounting the ApplianceConnecting PowerConnecting to the Console PortConnecting to Network Interfaces
Before You BeginTo rack-mount the appliance, you need:
Phillips-head screwdriverGrounding wrist strapSuitable, grounded work surface on which to place the chassis tray assembly
CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 29
2 Installing Nokia IP390 IPS
Rack Mounting the ApplianceNokia IP390 IPS mounts in a standard 19-inch rack with four mounting screws as Figure 5 shows.
NoteTo avoid damaging your equipment, Nokia recommends that you use all four rack-mounting screws when you install your appliance on the rack.
Figure 5 Mounting Screws Location
00525
IP390
Mounting screw slots
30 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Connecting Power
Two mounting positions are available allowing you to mount the unit either flush with the rack, or two inches forward of the rack.
Figure 6 Adjustable Mounting Brackets
CautionBlocking ventilation openings during installation may result in damage to the appliance.
Connecting PowerThe power plug and power switch are located on the back of the appliance, as Figure 7 shows.
00539
IP390
IP390Brackets located for flush with rack installation
Brackets located for forward of rack installation
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 31
2 Installing Nokia IP390 IPS
NoteThe Nokia IP390 IPS power supply automatically detects the input voltage (115VAC/60Hz [90 to 132] or 220VAC/50Hz [180 to 264]) and configures itself appropriately.
Figure 7 Back Panel Power Switch and Socket
To connect to the power supply1. Connect the power cord securely into the power socket on the back of the
appliance. 2. Plug the other end of the cord into a three-wire grounded power strip or
wall outlet.
Connecting to the Console PortYou must use a serial console connection (RJ-45 null-modem cable included) to perform the initial configuration of the appliance. After you perform the initial configuration, you no longer need the console connection, unless you want to make a local connection to the appliance.You can use any standard VT100-compatible terminal with an RS-232 data terminal equipment (DTE) interface or terminal-emulation program.If you connect the console port to a data communications equipment (DCE) device, use a straight-through cable.
00527
Power socket
32 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Connecting to the Console Port
Use the following configuration settings for the console:9600 bps8 data bitsNo parity1 stop bit
To connect to the console with a null-modem cable1. Connect the supplied null-modem console cable to the console port on the
front panel.
NoteThe supplied console cable is Cisco compatible.
Use only the RJ-45 port labeled Console on the front panel; the serial (AUX) port is not functional on Nokia IP390 IPS.One RJ-45 termination has a retractable shroud that releases or secures the RJ-45 tab. Use this end of the cable when connecting to the console port of Nokia IP390 IPS.
For cable pin assignments for the console connection, see “Console Port” on page 35.
2. Connect the other end of the cable to the VT100 console or to a system running a terminal-emulation program.
The cable that Nokia provides with Nokia IP390 IPS includes a latching mechanism used to secure the cable to the console port of your appliance.
00525
IP390
Console port
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 33
2 Installing Nokia IP390 IPS
NoteThe cable described in this section is a rollover cable, which is required for Nokia IP390 IPS console connections. You cannot use standard Ethernet cables for the console and auxiliary connections.
To connect the cable, push the connector into the receptacle, as you would with other similar cables. To disconnect the cable, push the cable toward the appliance, pull back on the boot to release the latch, and pull the connector out of the receptacle..
1 + 2 =
2
1
00548a
Push cable
Pull boot
To connect the cable
To disconnect the cable
34 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Connecting to the Console Port
You can connect the other end of the cable to a DB-9 console connection (using the appliance console port and the DB-9 female adaptor).The DB-9 adapter is provided with the cable.
Console PortUse the built-in console port, shown in Figure 6, to supply information that makes the appliance available on the network. The default configuration of the serial ports are: 9600 baud, 8 bits, no parity, and 1 stop. Table 6 provides pin assignment information for console connections. If you need to access the devices locally, you must use the console port.
DB-9 female adapter
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 35
2 Installing Nokia IP390 IPS
Table 6 Pin Assignments Console Connector and Cable
The console cable provided with Nokia IP390 IPS is comprised of two parts:6-foot rollover cable with RJ-45 terminationsRJ-45 to DB-9 adapter
On the opposite end of the console cable, connect the RJ-45 to the DB-9 adapter, which you can then connect to the host terminal.
Connecting to Network InterfacesConnect at least one network interface to use as the Nokia Network Voyager system management interface. You can choose any interface; however, it is customary to use the first on-board Ethernet port. This interface is configured during the system startup procedure, as described in Chapter 3, “Performing the Initial Configuration.”
Console Port (DTE)
RJ-45 to RJ-45 Rollover Cable
RJ-45 to DB-9 Terminal Adapter Remote Device
Signal RJ-45 Pin RJ-45 Pin DB-9 Pin Signal
RTS 1 8 8 CTS
DTR 2 7 6 DSR
TxD 3 6 2 RxD
GND 4 5 5 GND
GND 5 4 5 GND
RxD 6 3 3 TxD
DSR 7 2 4 DTR
CTS 8 1 7 RTS
36 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Connecting to Network Interfaces
You can also connect the remaining LAN interface cables at this point, although you are not required to do so.
To connect copper Gigabit Ethernet devicesUse a straight-through or crossover RJ-45 cable to connect to a 10-Mbps, 100-Mbps, or 1000-Mbps hub or directly to a host.
NoteAll Nokia copper Gigabit Ethernet NICs support cable auto-sensing. You can use a straight-through or crossover cable to connect the NIC to a Gigabit Ethernet hub or switch, or to connect directly to a host.
For details, see “Copper Gigabit Ethernet Connectors and Cables” on page 57 or “Fail Open Copper Gigabit Ethernet Connectors and Cables” on page 64
To connect fiber-optic Gigabit Ethernet devicesUse a multimode, fiber-optic cable with an LC connector to connect to a 10-Mbps, 100-Mbps, or 1000-Mbps hub or directly to a host. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port.
For details, see “Fiber-Optic Gigabit Ethernet Connectors and Cables” on page 60 or “Fail Open Fiber-Optic Gigabit Ethernet Connectors and Cables” on page 69.After you connect the network interfaces, continue with Chapter 3, “Performing the Initial Configuration.”
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 37
2 Installing Nokia IP390 IPS
38 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
3 Performing the Initial Configuration
The first time you turn power on to Nokia IP390 IPS, the initial configuration process begins. This process enables you to configure the network settings for the management interface and provides access to the admin account. This chapter describes how to perform the initial configuration by using a console connection. It includes the following sections:
Using a Console ConnectionUsing Nokia Network VoyagerUsing the Command-Line Interface
Using a Console ConnectionIf you have not already done so, you need to connect to the console port to complete the initial configuration. For information about console connections, see “Connecting to the Console Port” on page 32.Before you perform the initial configuration, you might gather the following information, which can be useful during the configuration process:
What is the hostname?What is the admin password?What is the root password?
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 39
3 Performing the Initial Configuration
Which interface will you use for the management interface?What is its assigned IP address and masklength?What is the default router?What is the interface speed?
To perform the initial configuration1. Press the power switch to the “on” position to turn on power to the
appliance.
The fans on the back of the appliance turn on when you press the power switch. Verify that the fans are running after you press the switch.Check the power LED on the front panel of the appliance (the Nokia logo) to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs” on page 23.If the power supply fans are not running, or if the power LED is not illuminated:
Check the power supply cord to make sure it is properly connected.Make sure the power switch is on.Make sure the chassis tray assembly is pushed all the way in from the front of the appliance and that the front panel retaining screws are tightened.Make sure that power is turned on to the power strip or wall receptacle you plugged the appliance in to.
00527
Power switchCooling fans
40 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Using Nokia Network Voyager
If the fans are still not running, or if the power LED does not illuminate, contact your Nokia service provider as listed in “Nokia Contact Information” on page 3 for technical support.
2. After some miscellaneous output, the following prompt appears:Hostname?
If the Hostname? prompt does not appear on the console, check the console port and console display connections to ensure that the serial cable is completely plugged in at both ends. If you verify the console connections and still do not see the Hostname? prompt, verify that the terminal or terminal emulator program settings are correct. If the settings are correct, contact your Nokia service provider as listed in “Nokia Contact Information” on page 3.
3. Enter the hostname and press Enter. At each subsequent prompt, type the requested configuration information and then press Enter.For more information about how to respond to the prompts during the initial configuration process, see the Release Notes for Nokia IPSO-LX for the version of Nokia IPSO-LX you are using.
After you complete the initial configuration, you can use Network Voyager to configure the remaining network ports.
Using Nokia Network VoyagerUse Nokia Network Voyager to configure and monitor your appliance. For additional information about how to use Network Voyager, see “Viewing Nokia IPSO-LX Documentation by Using Nokia Network Voyager” later in this section.
To open Nokia Network Voyager1. Open a Web browser on the host you plan to use to configure or monitor
your appliance.2. In the Location or Address field, enter the IP address of the initial
interface you configured for the appliance.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 41
3 Performing the Initial Configuration
Because SSL is enabled by default, you will receive warning messages about the sample certificate on the system. Accept the connection.
NoteIf you use HTTP to connect, you are automatically directed to HTTPS and the correct SSL port.
For IPSO-LX 7.1 and later, if you use HTTPS to connect, you must include the SSL port, 8443, in the URL. For example:
https://10.10.10.5:8443
3. Enter the admin username and the password you entered when you performed the initial configuration.
NoteIf the login screen does not open, you might not have a physical network connection between the host and your appliance, or you might have a network routing problem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected. For more information, see the Chapter 7, “Troubleshooting.”
Viewing Nokia IPSO-LX Documentation by Using Nokia Network Voyager
The following documentation is available in Nokia Network Voyager and is accessible from the Network Voyager interface, as shown in Figure 8:
Administrator’s Guide for Nokia IPSO-LX—This guide is the comprehensive reference source for configuring and managing the appliance using Nokia Network Voyager. To access this source, look at the list in the navigation tree on the left side of the window (as shown in Figure 8).You can also find this guide and other Nokia IPSO-LX
42 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Using Nokia Network Voyager
documentation at the Nokia support site (https://support.nokia.com) or on the software CD that was delivered with your appliance. Network Voyager Page Help—You can access help for individual pages when you use Network Voyager. To access help for the page you are viewing, click Help. A Close and Print button are available at the bottom of each help window.
Figure 8 Nokia Network Voyager Reference Access Points
button for context-sensitive page help
Link to Administrator’s Guide to Nokia IPSO-LX
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 43
3 Performing the Initial Configuration
Using the Command-Line InterfaceYou can also use the Nokia IPSO-LX command-line interface (CLI) to manage and configure Nokia IP appliances from the command line. Almost everything that you can accomplish with Network Voyager you can also do with the CLI.
To access the command-line interface1. Log on to the appliance by using a command-line connection (SSH or
console) over a TCP/IP network as an admin or monitor user:2. If you log in as a monitor user, you can execute only the show form of
commands. That is, you can view configuration settings, but you cannot change them.
You can now execute CLI commands from the CLI shell. For more information about how to use the CLI, see the CLI Reference Guide for Nokia IPSO-LX for the version of Nokia IPSO-LX you are using.
44 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
4 Installing and Replacing Network Interface Cards
Your Nokia IP390 IPS comes with any network interface cards (NICs) you ordered already installed. This chapter describes how to remove, add, or replace NICs later if it becomes necessary. The following topics are covered:
Deactivating Configured InterfacesRemoving, Installing, and Replacing NICsConfiguring InterfacesMonitoring Network Interface Cards
For detailed information on specific NICs, see Chapter 5, “Connecting to the Gigabit Ethernet Network Interface Cards.”
CautionYou should have a working knowledge of networking equipment before attempting to service a Nokia IP390 IPS. Limit service of the unit to the procedures described in this chapter.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 45
4 Installing and Replacing Network Interface Cards
CautionProtect your Nokia IP390 IPS and other electronic equipment from electrostatic discharge (ESD) by making sure you are properly grounded before touching any electronic components.
Deactivating Configured InterfacesIf you are removing or replacing an installed NIC, use Network Voyager to deactivate any configured ports on the NIC before removing it.If you do not deactivate the interfaces before removing the NIC, you may have to reinstall the NIC to deactivate its physical interfaces in Network Voyager.
NoteIf the interfaces are configured as Sourcefire Sensor on Nokia sensing interfaces, use the Sourcefire Defense Center for Nokia to remove the interfaces from any interface sets to which they belong before you remove the NIC.
For information about how to access Network Voyager, see “Using Nokia Network Voyager” on page 41.
Removing, Installing, and Replacing NICs
NoteBefore removing a configured NIC with these instructions, you must deactivate the NIC in Network Voyager. For additional information, see “Deactivating Configured Interfaces” on page 46.
46 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Removing, Installing, and Replacing NICs
Use these instructions to remove, install, or replace a NIC in Nokia IP390 IPS. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure.
Before You StartTo remove, install, or replace a Nokia NIC, you need the following:
A Phillips-head screwdriverPhysical access to the applianceAccess to the appliance by using Nokia Network Voyager or the CLISuitable, grounded work surface Network interface card kit
To remove, install, or replace a NIC
NoteBecause power to the appliance is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis tray assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.
1. Use Network Voyager or the CLI to halt the appliance. To use Network Voyager to halt the appliance, select System Configuration > Reboot or Shutdown System > Halt.To use the CLI to do this, enter halt at the prompt.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 47
4 Installing and Replacing Network Interface Cards
2. Use your fingers or a screwdriver to loosen the retaining screws that hold the chassis tray assembly.
3. Gently pull the chassis tray assembly forward to expose the NIC connectors. Remove the tray completely to avoid damaging components.
00525
IP390
Chassis tray assembly retaining screws
00537
IP390
48 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Removing, Installing, and Replacing NICs
4. From underneath the chassis tray assembly, remove the bezel retaining screws.
If you are installing a NIC in an unoccupied slot, remove the blank bezel that occupies the space in the appliance front panel, retain it for future use, and proceed to step 7.
5. From above the chassis tray assembly, remove the NIC retaining screws from the back of the NIC.
00529
00530
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 49
4 Installing and Replacing Network Interface Cards
6. Remove the NIC by lifting the back of the NIC away from the chassis tray assembly and pulling the NIC gently away from the front panel.
7. Insert the new NIC or blank bezel.If you are removing a NIC without installing another NIC:a. Insert a blank bezel into the front panel slot formerly occupied by the
NIC and push it gently into place. Make sure that the bezel is completely seated into the front panel and that the screw holes on the bottom of the bezel align with those in the front panel.
NoteTo reduce electromagnetic interference (EMI), a blank bezel needs to be installed in the place of any NIC you have removed.
b. Proceed to step 9.
00533
50 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Removing, Installing, and Replacing NICs
If you are installing or replacing a NIC, insert the NIC.a. Insert the NIC bezel into the front panel.
b. Gently push the back of the NIC down toward the chassis tray assembly.Make sure that the NIC edge is completely seated into the connectors on the chassis tray assembly.
8. From the top of the chassis tray assembly, screw the NIC retaining screws into the standoffs on the back of the NIC.
00532
00531
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 51
4 Installing and Replacing Network Interface Cards
9. From beneath the chassis tray assembly, screw in the bezel retaining screws.
10. Slide the chassis tray assembly back into the appliance until it clicks into place.
The appliance automatically restarts when the chassis tray assembly clicks into place.
00528
00538
IP390
52 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Configuring Interfaces
11. Tighten the retaining screws that hold the chassis tray assembly.
Configuring InterfacesNokia IP390 IPS automatically detects any new NIC when the appliance is restarted. Use Network Voyager to configure the interfaces on the NIC.
NoteDo not administratively enable interfaces that you intend to use as Sourcefire Sensor on Nokia sensing interfaces. Connect the network cables but leave the interfaces in an administratively disabled state.
For information about how to access Network Voyager and the related reference materials, see “Using Nokia Network Voyager” on page 41.
Monitoring Network Interface CardsYou can assess the general operating condition of the NICs in your appliance by looking at the LED status indicators on the NICs. The status indicators for each NIC are explained in the NIC reference chapter.
For status indicator information for the built-in Gigabit Ethernet ports, see “Built-In Gigabit Ethernet Ports” on page 21.For status indicator information for the two-port copper Gigabit Ethernet NIC, see “Two-Port Copper Gigabit Ethernet NIC” on page 56.
00525
IP390
Chassis tray assembly retaining screws
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 53
4 Installing and Replacing Network Interface Cards
For status indicator information for the two-port fiber-optic Gigabit Ethernet NIC, see “Two-Port Fiber-Optic Gigabit Ethernet NIC” on page 59.For status indicator information for the two-port fail open copper Gigabit Ethernet NIC, see “Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs” on page 60.For status indicator information for the four-port fail open copper Gigabit Ethernet NIC, see “Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs” on page 60.For status indicator information for the two-port fail open fiber-optic Gigabit Ethernet NIC, see “Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC” on page 66.
Use Network Voyager to access additional port information. For information about accessing Network Voyager, see “Using Nokia Network Voyager” on page 41.
54 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
5 Connecting to the Gigabit Ethernet Network Interface Cards
This chapter describes the PMC network interface cards (NICs) available for Nokia IP390 IPS appliances and describes how to connect those NICs to your network. The following NICs are covered:
Two-Port Copper Gigabit Ethernet NICTwo-Port Fiber-Optic Gigabit Ethernet NICTwo-Port and Four-Port Fail Open Copper Gigabit Ethernet NICsTwo-Port Fail Open Fiber-Optic Gigabit Ethernet NIC
For instructions on adding or replacing interface cards, see Chapter 4, “Installing and Replacing Network Interface Cards.”
CautionProtect your Nokia IP390 IPS and other electronic equipment from electrostatic discharge (ESD) damage by making sure you are properly grounded before you touch any electronic component.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 55
5 Connecting to the Gigabit Ethernet Network Interface Cards
Two-Port Copper Gigabit Ethernet NICNokia IP390 IPS supports Nokia-approved, two-port copper Gigabit Ethernet NICs installed in its PMC expansion slots. When you purchase a copper Gigabit Ethernet NIC with your Nokia IP390 IPS, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”
NoteCopper Gigabit Ethernet NICs you use in Nokia IP390 IPS appliances need to be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Nokia under the order code NIF4425.
Copper Gigabit Ethernet NIC FeaturesThe copper Gigabit Ethernet NIC supports the following features:
Supports traffic at 10, 100, and 1000 MbpsHigh bandwidthHalf-duplex mode operation up to 100 MbpsPacket tracing for analysis through tcpdumpCompliance with IEEE 802.3ab Gigabit Ethernet specification
NoteSensing interfaces used by the Sourcefire Sensor on Nokia software must must be 1000 Mbps.
Figure 9 shows the front panel details for the two-port copper Gigabit Ethernet NIC supported by Nokia IP390 IPS.
56 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port Copper Gigabit Ethernet NIC
Figure 9 Two-Port Copper Gigabit Ethernet NIC
NoteThe Link LED on the NIC is bicolored. A green LED indicates a 1 Gbps link speed, and an orange LED indicates a 10/100 Mbps link speed.
Copper Gigabit Ethernet Connectors and CablesThe copper Gigabit Ethernet NIC receptacles use RJ-45 connectors.To connect to a 1 Gbps hub, switch, or router, use a straight-through RJ-45 cable (Cat 5 type cable, or as required by your network configuration).
NoteAll Nokia copper Gigabit Ethernet NICs support cable auto-sensing. You can use a straight-through or crossover cable to connect the NIC to a Gigabit Ethernet hub or switch, or to connect directly to a host.
In Figure 10, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.
00386.5
LINK
ACT
V2
LINK
ACT
1000
Base
T
Link LED (solid orange for 10/100 Mbps, solid green for 1000 Mbps)Activity LEDs (blinking orange)
RJ-45 connectors
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 57
5 Connecting to the Gigabit Ethernet Network Interface Cards
Figure 10 Copper Gigabit Ethernet Cable Connector Output Pin Assignments
To connect directly to a host, use an RJ-45 crossover cable wired as Figure 11 shows.
Figure 11 Gigabit Ethernet Crossover Cable Pin Connections
00270
Pin#
GigabitEthernetAssignment
10/100 MbpsAssignment
1 BI_DA+ TX
2 BI_DA- TX
3 BI_DB+ RX
4 BI_DC+
5 BI_DC-
6 BI_DB- RX
7 BI_DD+
8 BI_DD-
8 1
00020
12345678
12345678
58 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port Fiber-Optic Gigabit Ethernet NIC
To connect the appliance to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.
Two-Port Fiber-Optic Gigabit Ethernet NICNokia IP390 IPS supports Nokia-approved, two-port fiber-optic Gigabit Ethernet NICs installed in its PMC expansion slots. When you purchase a fiber-optic Gigabit Ethernet NIC with your Nokia IP390 IPS, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”
Fiber-Optic Gigabit Ethernet NIC FeaturesThe two-port fiber-optic Gigabit Ethernet NIC provides the following features:
High bandwidthFull-duplex mode operation up to 1 Gbps (no half-duplex support)Link speed auto advertisingPacket tracing for analysis through tcpdumpCompliance with IEEE 802.3z Gigabit Ethernet specification
You can configure and monitor Ethernet interfaces with Nokia Network Voyager, the Web-based element management interface to Nokia IP appliances. Figure 12 shows the front panel details for the two-port fiber-optic Gigabit Ethernet NIC supported by Nokia IP390 IPS.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 59
5 Connecting to the Gigabit Ethernet Network Interface Cards
Figure 12 Two-Port Fiber-Optic Gigabit Ethernet NIC
Fiber-Optic Gigabit Ethernet Connectors and CablesTo connect the two-port Gigabit Ethernet NIC to other network components, use a multimode, fiber-optic cable with an LC connector for each NIC interface. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port.Two LC-to-SC cables are included with two-port fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.
Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs
Nokia IP390 IPS supports Nokia-approved, two-port and four-port fail open copper Gigabit Ethernet NICs installed in its PMC expansion slots. When you purchase a fail open copper Gigabit Ethernet NIC with your Nokia IP390 IPS, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”
00206
GIG
E
Link LEDs (solid green)Activity LEDs (blinking orange)
Ports
60 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs
Fail Open Copper Gigabit Ethernet NIC FeaturesThe fail open copper Gigabit Ethernet NICs provide the following features:
High bandwidth10, 100, or 1000 Mbps operationSupports half-duplex up to 100 Mbps; full-duplex up to 1000 MbpsTracing through tcpdumpCompliance with IEEE 802.3ab Gigabit Ethernet specification
NoteSensing interfaces used by the Sourcefire Sensor on Nokia software must must be 1000 Mbps.
How a Fail Open NIC WorksDuring the Normal State, the two Gigabit Ethernet signals are straight-through connected to the Gigabit Ethernet ports through the NIC. The two Gigabit Ethernet ports work independently as normal dual Gigabit Ethernet ports. During the Bypass State, the two Gigabit Ethernet signal are crossover connected to each other, so that the Ethernet connection bypasses the computer or the network appliance where your fail open NIC is installed. A relay system sets the Normal or Bypass State as determined by a watch dog timer and bypass control logic circuits, and based on your configuration settings. For information about configurations applicable to your fail open NIC, see the Nokia Intrusion Prevention with Sourcefire User’s Guide.
Front Panel DetailsFigure 13 shows the front panel details for the two-port fail open copper Gigabit Ethernet NIC supported by Nokia IP390 IPS.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 61
5 Connecting to the Gigabit Ethernet Network Interface Cards
Figure 13 Two-Port Fail Open Copper Gigabit Ethernet NIC
Figure 14 shows the front panel details for the four-port fail open copper Gigabit Ethernet NIC supported by Nokia IP390 IPS.
Figure 14 Four-Port Fail Open Copper Gigabit Ethernet NIC
FailO
pen
ACT NORMAL
LNK
00608
P1ACT
LNK
P2
Normal LED (green)Illuminated for Normal State,off for Bypass State
Port 1 Port 2
Activity LEDs (blinking orange)Link LEDs (green)
FailO
pen
1
1
2
3
A B
4 2 3 4
00609
Normal LED (A) forPorts 1 and 2Green for Normal StateOff for Bypass State
Normal LED (B) forPorts 3 and 4Green for Normal StateOff for Bypass State
Link (green) and Activity (blinking green) LEDsfor Ports 1, 2, 3, and 4
62 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs
LED IndicatorsBy default, the NIC is initially in Bypass State after you connect the cables and turn on power to the appliance. Both the Link and Normal LEDs are not illuminated. The Normal and Link LEDs will illuminate only after you use the Sourcefire Defense Center for Nokia to add the interfaces to an interface set and apply a detection policy to the interface set.As the NIC transmits data, the Activity LEDs on the appliance illuminate.Table 7 describes the LEDs for the two-port copper fail open Gigabit Ethernet NICs.Table 8 describes the LEDs for the four-port fail open copper Gigabit Ethernet NICs.
Table 7 LED Details for Two-Port Copper Fail Open NIC
LED Color Description
Link Green 10, 100, or 1000 Mbps connection
Activity Blinking orange Data received and transmitted
Normal Green Normal State
Off Bypass State
Table 8 LED Details for Four-Port Copper Fail Open NIC
LED Color Description
A Green Ports 1 and 2 in Normal State
Off Ports 1 and 2 in Bypass State
B Green Ports 3 and 4 in Normal State
Off Ports 3 and 4 in Bypass State
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 63
5 Connecting to the Gigabit Ethernet Network Interface Cards
Fail Open Copper Gigabit Ethernet Connectors and Cables
The fail open copper Gigabit Ethernet NICs use RJ-45 connectors. To connect to a hub, switch, or router, use a straight-through RJ-45 cable (Cat 5 type cable or as required by your network configuration).
CautionCables that connect to the copper fail open Gigabit Ethernet NIC must be IEEE 802.3 compliant to prevent potential data loss.
NoteCertain circumstances might require shielded Cat 5 Ethernet cables to meet Class B emissions requirements.
NoteAll Nokia copper Gigabit Ethernet NICs support cable autosensing. You can use a straight-through or crossover cable to connect the NIC to a copper Gigabit Ethernet hub or switch, or to connect directly to a host.
1, 2, 3, 4 Green 1-Gbps or 10/100-Mbps connection
Blinking green Data being received or transmitted
Table 8 LED Details for Four-Port Copper Fail Open NIC
LED Color Description
64 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port and Four-Port Fail Open Copper Gigabit Ethernet NICs
In Figure 10, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.
Figure 15 Copper Fail Open Gigabit Ethernet Cable Connector Output Pin Assignments
To connect directly to a host, use an RJ-45 crossover cable wired as Figure 16 shows.
00270
Pin#
GigabitEthernetAssignment
10/100 MbpsAssignment
1 BI_DA+ TX
2 BI_DA- TX
3 BI_DB+ RX
4 BI_DC+
5 BI_DC-
6 BI_DB- RX
7 BI_DD+
8 BI_DD-
8 1
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 65
5 Connecting to the Gigabit Ethernet Network Interface Cards
Figure 16 Fail Open Copper Gigabit Ethernet Crossover Cable Pin Connections
To connect the fail open copper Gigabit Ethernet NIC to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.
Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC
Nokia IP390 IPS supports Nokia-approved, two-port fail open fiber-optic Gigabit Ethernet NICs installed in its PMC expansion slots. When you purchase a fiber-optic Gigabit Ethernet NIC with your Nokia IP390 IPS, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”
00020
12345678
12345678
66 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC
Fail Open Fiber-Optic Gigabit Ethernet NIC FeaturesThe fail open fiber-optic Gigabit Ethernet NICs provide the following features:
High bandwidthFull-duplex mode operation at 1 Gbps (no half-duplex support)Tracing through tcpdumpCompliance with IEEE 802.3z Gigabit Ethernet specification
How a Fail Open NIC WorksDuring the Normal state, the two Gigabit Ethernet signals are straight-through connected to the Gigabit Ethernet ports through the NIC. The two Gigabit Ethernet ports work independently as normal dual Gigabit Ethernet ports.During the Bypass state, the two Gigabit Ethernet signal are crossover connected to each other, so that the Ethernet connection bypasses the computer or the network appliance where your fail open NIC is installed.A relay system sets the Normal or Bypass state as determined by a watch dog timer and bypass control logic circuits, and based on your configuration settings. For information about configurations applicable to your fail open NIC, see the Nokia Intrusion Prevention with Sourcefire User’s Guide.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 67
5 Connecting to the Gigabit Ethernet Network Interface Cards
Front Panel DetailsFigure 12 shows the front panel details for the two-port fail open fiber-optic Gigabit Ethernet NIC you can use in Nokia IP390 IPS appliances.
Figure 17 Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC
LED IndicatorsBy default, the NIC is initially in Bypass State after you connect the cables and turn on power to the appliance. Both the Link and Normal LEDs are not illuminated. The Normal and Link LEDs will illuminate only after you use the Sourcefire Defense Center for Nokia to add the interfaces to an interface set and apply a detection policy to the interface set.A green Link LED indicates a 1-Gbps link speed. As the NIC transmits data, the Activity LEDs on the appliance illuminate.
00012
FailO
pen�
�TX TXRXRX
LINK P1 ACT LINK P2 ACT
NORMAL
Link LEDs (green)Activity LEDs (blinking orange)
Separate LEDs for Port 2
Port 1
Normal LED (green)Illuminated for Normal state
RX LEDTX LED
RX LEDTX LED
Port 2
68 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Two-Port Fail Open Fiber-Optic Gigabit Ethernet NIC
Table 7 describes the LED signals for the fail open fiber-optic Gigabit Ethernet NIC.
Fail Open Fiber-Optic Gigabit Ethernet Connectors and Cables
To connect the fail open fiber-optic Gigabit Ethernet NIC to other network components, use a multimode, fiber-optic cable with an LC connector for each NIC interface. You can use either 50 or 62.5 micron cable; 50 micron-type cable provides longer transmission length. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination fail open Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port. LC and SC define the fiber-optic connector types; LC connectors are smaller than SC connectors.Two LC-to-SC cables are included with two-port fail open fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.
Table 9 LED Details for Fail Open Fiber-Optic NIC
LED Color Definition
Link Green 1-Gbps connection
Activity Blinking orange Data received and transmitted
Normal Green Normal state
Off Bypass state
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 69
5 Connecting to the Gigabit Ethernet Network Interface Cards
CautionCables that connect to the fail open Gigabit Ethernet NIC must be IEEE 802.3 compliant to prevent potential data loss.
70 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
6 Installing and Replacing Other Components
This chapter provides information on how to add or replace user serviceable items other than network interface cards (NICs) in your Nokia IP390 IPS. The following topics are covered:
Replacing the Compact Flash Memory CardReplacing a Hard-Disk DriveReplacing or Upgrading MemoryReplacing the Battery
For instructions on adding or replacing interface cards, see Chapter 4, “Installing and Replacing Network Interface Cards.”
CautionYou should have a working knowledge of networking equipment before attempting to service an appliance. Limit service of the appliance to the procedures described in this chapter.
CautionProtect your Nokia IP390 IPS and other electronic equipment from electrostatic discharge (ESD) damage by making sure you are properly grounded before you touch any component.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 71
6 Installing and Replacing Other Components
Replacing the Compact Flash Memory CardThe compact flash card stores the boot manager, which is used to boot the system or perform a new installation of the IPSO-LX operating system on the disk. The compact flash card is located on the motherboard in a slot behind the hard-disk drive location.Figure 18 shows the location of the compact flash memory card.
Figure 18 Compact Flash Memory Card Slot
CautionTo protect the appliance and the compact flash memory from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance. If you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.
00550
IP390
72 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing the Compact Flash Memory Card
You must perform an orderly shutdown of the appliance and turn the power off whenever you remove the chassis tray assembly to service internal components.
NoteBecause power to the appliance is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis tray assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.
CautionYou risk damage to the appliance or loss of data if you do not use the following procedure when you replace the compact flash memory.
To replace compact flash memory in your appliance1. Use Network Voyager or the CLI to halt the appliance.
To use Network Voyager to halt the appliance, select System Configuration > Reboot or Shutdown System > Halt.To use the CLI to do this, enter halt at the prompt.
2. Loosen the two front panel retaining screws.
00525
IP390
Chassis tray assembly retaining screws
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 73
6 Installing and Replacing Other Components
3. Slide the chassis tray assembly forward and completely remove the chassis to expose the motherboard components.
4. Place the chassis tray assembly on a table top.5. Locate and remove the existing compact flash memory card from the slot
by gently sliding it out of the slot.6. Gently insert the new compact flash memory card into the slot. 7. Slide the chassis tray assembly back into the appliance until it clicks into
place.
The appliance automatically restarts when the chassis tray assembly clicks into place.
8. Resecure the two chassis tray assembly retaining screws.
00537
IP390
00538
IP390
74 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing a Hard-Disk Drive
Replacing a Hard-Disk DriveThe following figure shows the location of the hard-disk drive on the motherboard.
NoteBack up your files to a remote system on a regular basis. For back up and restore procedures, see the Administrator’s Guide for Nokia IPSO-LX for the version of Nokia IPSO-LX you are using.
Figure 19 Hard-Disk Drive Location
00542
IP390
Hard-disk drive
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 75
6 Installing and Replacing Other Components
Before You StartTo replace the hard-disk drive in your appliance, you need the following:
Physical access to the applianceA Nokia-approved hard-disk driveAccess to the appliance through Network VoyagerA Phillips-head screwdriverA torque screwdriver capable of a 69.4ozf*in (5kgf*cm) setting
To install or replace a hard-disk drive1. Use Network Voyager or the CLI to halt the appliance.
To use Network Voyager to halt the appliance, select System > Configuration > Reboot or Shutdown System > Halt.To use the CLI to do this, enter halt at the prompt.
2. Loosen the retaining screws that hold the chassis tray assembly.
00525
IP390
Chassis tray assembly retaining screws
76 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing a Hard-Disk Drive
3. Gently slide the chassis tray assembly forward to remove the tray from the appliance so you can access the hard-disk drive retaining screws from the bottom of the tray.
NoteBecause power to Nokia IP390 IPS is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis tray assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.
00537
IP390
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 77
6 Installing and Replacing Other Components
4. Remove the retaining screws that hold the hard-disk drive unit from the bottom of the chassis tray assembly.
Gently remove the hard-disk drive from the motherboard, taking care not to damage the connector.
00534
78 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing a Hard-Disk Drive
5. Insert the hard-disk drive unit.
NotePush the hard-disk drive gently into place. Take care to align the connectors correctly as the connectors are not keyed.
00536
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 79
6 Installing and Replacing Other Components
6. Tighten the retaining screws that holds the hard-disk drive into place.
7. Slide the chassis tray assembly back into the appliance until it clicks into place.
The appliance automatically restarts when the chassis tray assembly clicks into place.
00535
00538
IP390
80 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing or Upgrading Memory
8. Tighten the retaining screws that hold the chassis tray assembly.
Replacing or Upgrading MemoryNokia IP390 IPS appliances have two dual inline memory-module (DIMM) sockets. This section explains how to upgrade or replace the memory in your appliance by using a Nokia-approved memory upgrade kit.Nokia IP390 IPS comes with different memory configurations. Contact Nokia customer support for more information on the supported memory configurations.
NoteNokia recommends that you obtain memory kits only from Nokia or authorized resellers. For further information, contact the appropriate Nokia customer support site listed “Nokia Contact Information” on page 3.
The DIMM sockets are located at the right of the motherboard, as you look at the appliance from the front, as Figure 20 shows.
00525
IP390
Chassis tray assembly retaining screws
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 81
6 Installing and Replacing Other Components
Figure 20 DIMM Socket Locations
Before You StartTo upgrade or replace the memory in your appliance, you need the following:
Physical access to the applianceNokia memory upgrade kitNetwork or console access to the appliance
CautionTo protect Nokia IP390 IPS and the memory modules from electrostatic discharge (ESD), make sure you are properly grounded before you touch these components.
00546
IP390
DIMMs and DIMM sockets
82 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing or Upgrading Memory
To add or replace DIMMs1. Use Network Voyager or the CLI to halt the appliance.
To use Network Voyager to halt the appliance, select System Configuration > Reboot or Shutdown System > Halt.To use the CLI to do this, enter halt at the prompt.
2. Loosen the two front panel retaining screws.
3. Slide the chassis tray assembly forward to expose the DIMM sockets. Remove the tray completely to avoid damaging components.
NoteBecause power to Nokia IP390 IPS appliance is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis tray assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.
00525
IP390
Chassis tray assembly retaining screws
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 83
6 Installing and Replacing Other Components
4. Remove any memory module necessary by pressing the two retaining clips outward and carefully pulling each DIMM upward as the following figure shows.
You might need to pull opposite ends of the DIMM alternately to gradually free it from the contact pins.
5. The memory DIMMs are keyed to prevent improper insertion. Press the new DIMM into the socket until it clicks into place.
00545
IP390
84 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing or Upgrading Memory
The top of the DIMM is smooth. The bottom edge has three different length sets of contacts, which mate with the slots on the socket. Be sure the contacts and slots are properly aligned before you insert the DIMM.
The retaining clips move into the lock position as you press the DIMM into place.
00544
IP390
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 85
6 Installing and Replacing Other Components
6. Slide the chassis tray assembly back into the appliance until it clicks into place.
The appliance automatically restarts when the chassis tray assembly clicks into place.
7. Resecure the two retaining screws.
The appliance automatically recognizes the new memory configuration. You can verify this from the Network Voyager or the IPSO-LX shell.To verify the memory from the IPSO-LX shell, enter:
dmesg | grep ‘Memory’
ormore /proc/meminfo
00538
IP390
00525
IP390
Chassis tray assembly retaining screws
86 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing the Battery
Replacing the BatteryTo replace the battery, you need the following:
The appropriate Nokia battery replacement kit for your appliancePhysical access to the applianceA Phillips-head screwdriverA grounding wrist strap(Optional) Safety glasses
WarningRisk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.
WarningMake certain to remove the power cord from the appliance before you proceed with any of the following steps. Failure to do so could cause electric shock with burns or death resulting for the user.
CautionMake certain that you are properly grounded when you handle components internal to the appliance to protect against electrostatic discharge damage to the appliance. Use the grounding strap included in the battery replacement kit.
To install the battery1. Use Network Voyager or the CLI to halt the appliance.
To use Network Voyager to halt the appliance, select System Configuration > Reboot or Shutdown System > Halt.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 87
6 Installing and Replacing Other Components
To use the CLI to do this, enter halt at the prompt.2. Loosen the two front panel retaining screws.
3. Loosen the two front panel retaining screws.
4. Slide the chassis tray assembly forward to expose the DIMM sockets. Remove the tray completely to avoid damaging components.
NoteBecause power to Nokia IP390 IPS is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis tray assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord
00525
IP390
Chassis tray assembly retaining screws
00537
IP390
88 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Replacing the Battery
5. .Locate the battery on the motherboard. The battery is in a black battery holder secured with a battery retaining pin.
6. Remove the old battery. Use a small nonconductive device, such as a plastic probe, to slide the battery out of the battery holder through the cutout in the holder.
CautionReplace the battery only with the same or equivalent type battery recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.
7. With the positive side facing up, slide the new battery through the cutout in the battery holder.
00014
IP390
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 89
6 Installing and Replacing Other Components
CautionYou must place the new battery into the battery holder observing the correct polarity. The positive terminal of the battery must be facing up.
8. Slide the chassis tray assembly back into the appliance until it clicks into place.
The appliance automatically restarts when the chassis tray assembly clicks into place.
9. Resecure the two retaining screws.
10. Reset the appliance date and time information by using Network Voyager or the command-line interface. The battery is required to maintain the date and time whenever you shut down the appliance.
00538
IP390
00525
IP390
90 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
7 Troubleshooting
This chapter provides troubleshooting tips, problems, and solutions related to Nokia IP390 IPS installations.
Unable to Log in to the Console Port—No Error MessageTwo laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with Nokia IP390 IPS. If this is not possible using your laptop computer or terminal, the problem is with the terminal or cable and not the appliance.
Problem You do not have a console connection to the appliance.Solution For information about how to create a console connection, see “Using a Console Connection” on page 39.
Problem Not connected with a null-modem cable. Solution Verify that you are using a null-modem cable. For pinout information, see “Using a Console Connection” on page 39.
Problem Wrong terminal settings.Solution Verify terminal settings: 8 data, 1 stop, no parity, 9600 bps.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 91
7 Troubleshooting
Problem Terminal set for flow control.Solution Nokia IP390 IPS does not use flow control. The terminal should be set for no flow control.
Problem Defective appliance or file system.Solution Contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.
Do Not Get a Login Prompt—Error Messages Appear
Problem The appliance is defective, or the file system on the appliance is defective.Solution Contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.
NoteUse the full installation procedure to install a new system. The new system completely replaces the contents of the drive and might be needed to restore or reload an appliance. This procedure erases any configuration database on the appliance. For information about how to complete the full installation procedure, see the current release notes. The release notes are located on the Nokia customer support Web site as listed in the “Nokia Contact Information” on page 3.
Login Prompt Appears, But Password Not Accepted
Problem Entered wrong password.Solution Obtain a valid password or set the password to a default value.
92 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
To reset the Admin password without knowing the current password1. Log in to the system as the root user.2. Open a CLI shell by entering the following command:
su - admin
This operation does not require a password.3. If the default shell for Admin is not clish, enter the clish command.4. Enter the following command:
set user admin passwd
5. At the prompt Old password, press Enter without typing a password.6. At the New password and Verify new password prompts, enter the
new password and press Enter.The password is now reset.
If you have lost the root password, you can reset the root password by using the procedure in “To reset the password for root user.” You must have physical access to the device to perform this procedure.
To reset the password for root user1. From a console connection, reboot the system, watching the message that
appear on the console.2. Enter the boot manager by typing 2 when you see the following message:
LILO 22.5.91 ipso2 bootmgrPress key '2' to enter BOOTMGR command modeboot:
You must do this within 5 seconds or else the reboot continues.3. When you see the BOOTMGR[1]> prompt, enter the following
command:overpw
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 93
7 Troubleshooting
This is a hidden command and is not in the help menu. The root password is reset to " ", that is, there is no password.
4. Continue the boot process by entering the following command:boot
5. Log in as root (no password)6. Enter the following command:
passwd root 7. Set a new password for root.
Unable to Connect to Network Voyager Using the Ethernet Port, But Console Access Works
Problem Using the wrong Ethernet cable.Solution Use a crossover Ethernet cable if you are connecting directly to the computer. Use a straight-through cable if you are connecting to a hub. For cabling information, see “Connecting to Network Interfaces” on page 36.
Problem Port is not configured as active. Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.
Problem Host port configuration is incorrect.Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.
Problem Wrong link speed.Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.
94 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Do Not See Interfaces that Should be Present
Problem Local appliance ports do not appear. Solution Your NIC might be defective. Contact the appropriate Nokia customer support site as listed in “Nokia Contact Information” on page 3.
NoteThe problem could be with the slot on the PMC card carrier. Try installing the NIC in another slot.
Common Ethernet Problems—Connectivity with Attached Device
Problem No link light. Solution You might have used the wrong cable. Use a crossover cable between a Nokia IP390 IPS and a host, and a straight-through cable between a Nokia IP390 IPS and a hub.
Problem Solid data and activity LED. Solution You might have set the wrong speed. Verify that the speeds match on each end of the Ethernet connection.
Problem Port not enabled.Solution Verify from the Interface page in Network Voyager that the interface port is configured as active.
Problem High collision rate on the hub. Solution Disconnect connections one at a time until the problem is localized to one computer and troubleshoot further.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 95
7 Troubleshooting
Unable to Ping Through Appliance—No Connectivity Between Ports This section covers connectivity issues that are isolated within a Nokia IP390 IPS or network.Localize the problem by issuing pings to various network interfaces. Use tcpdump to help isolate the problem. Use tcpdump to verify that a packet is leaving or entering a port.
Problem Interfaces not up. Solution Ensure that the interfaces are up and active, as described in Chapter 3, “Performing the Initial Configuration.”
Problem No route to network. Solution Check the routing table to see if a route exists to the network where the interface is located.
Problem Attached device does not have proper default route or routing information. Solution If a local computer is unable to ping through an attached appliance, the computer might contain either an invalid default route or invalid routing information.If you are using default routes from a computer, ensure that the local interface is the default route for that computer.
Appliance Not Receiving Power
Problem Power cord is not properly plugged in.Solution Check cord. Make sure it is properly seated at both ends.
96 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Problem Power supply not providing power.Solution Check power source. If there is no power at the source, take appropriate action such as inserting a new fuse or resetting circuit breaker.
Appliance Does Not Recognize New Memory Configuration
Problem DIMMs are not properly seated in DIMM sockets.Solution Repeat memory installation procedures. Make sure DIMMs are fully seated in sockets. Be sure DIMMs click into place.
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 97
7 Troubleshooting
98 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
A Technical Specifications
Physical Dimensions
Space RequirementsNokia IP390 IPS is designed for front-screw mounting in a 19-inch rack. Each Nokia IP390 IPS requires the following space in a rack:
1.75 inches (4.45 centimeters) of vertical space 18 inches (46 centimeters) behind the front-panel of the rack 6 inches (15 centimeters) behind the appliance to allow the back exit fan to move air through the appliances
Dimensions Height: 1.75 in. (4.45 cm)
Width: 17 in. (44 cm)19 in. (48 cm) rack mountable
Depth: 16.12 in. (40.94 cm)
Weight 17 lbs. (7.7 kg) base system
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 99
A Technical Specifications
CautionDo not place objects over the ventilation holes on the appliance. The appliance might overheat and become damaged.
Operating TemperatureThe operating temperature range for Nokia IP390 IPS is 0° C to 45° C (32° F to 113° F).
NIC Interfaces
NIC Type Cable TypeCable Output Connector
Two-port fiber-optic Gigabit EthernetTwo-port fiber-optic fail open Gigabit Ethernet
IEEE 802.32 Gigabit Ethernet multi-mode Fiber
LC
Two-port copper Gigabit EthernetTwo-port copper fail open Gigabit EthernetFour-port copper fail open Gigabit Ethernet
Straight-through RJ-45 cable (Cat 5 type) or crossover cable; in some cases, shielded Cat 5 Ethernet cable to meet Class B emissions standards
RJ-45
100 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
B Compliance Information
This appendix contains the following compliance information:Declaration of ConformityCompliance StatementsFCC Notice (US)
Declaration of ConformityAccording to ISO/IEC Guide 22 and EN 45014:
declares that the product:
Manufacturer’s Name: Nokia Inc.
Manufacturer’s Address: 313 Fairchild DriveMountain View, CA 94043-2215USA
Product Name: IP390 and IP390 IPS
Model Number: EM7500
Product Options: All
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 101
B Compliance Information
conforms to the following standards:
Supplementary information:Pursuant to directive 1999/5/EC this product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 89/336/EEC with Amendment 93/68/EEC.
Compliance StatementsThis hardware complies with the standards listed in this section.
Serial Number: 1 to 100,000
Date First Applied: 2006
Safety: EN60950-1:2001+A11; IEC60950-1:2001; UL60950, Third Edition:2000; CAN/CSA-C22.2 No.60950:2000.
EMC: EN55024 1998, EN55022A 1998, EN61000-3-2, EN61000-3-3
Christopher SaleemCompliance & Reliability Engineering ManagerSecurity & Mobile Connectivity, Enterprise SolutionsMountain View, CaliforniaMay 2006
102 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Compliance Statements
Emissions Standards
Immunity Standards
Harmonics and Voltage Fluctuation
Safety Standards
FCC Part 15 Subpart B Class A US/Canada
EN55022 (CISPR 22 Class A) European Community (CE)
EN55024 European Community (CE)
EN61000-4-2
EN61000-4-3
EN61000-4-4
EN61000-4-5
EN61000-4-6
EN61000-4-11
EN61000-3-2 European Community (CE)
EN61000-3-3 European Community (CE)
UL60950/EN60950 US/European Community(CE)
CAN/CSA-C22.2 No.60950 Canada
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide 103
B Compliance Information
FCC Notice (US)This device has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio or television reception, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.Increase the separation between the computer and receiver.Connect the computer into an outlet on a circuit different from that to which the receiver is connected.Consult the dealer or an experienced radio/TV technician for help.
CautionAny changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.
060425
104 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
Index
Aappliance 20applications
supported 27auxiliary (AUX) port
lack of support of 21
Bbattery
holder 89location 89replacing 87
built-in Gigabit Ethernet ports 21
Ccables
Gigabit Ethernet NIC connectionsfor copper 57for copper fail open 64for fiber-optic 60for fiber-optic fail open 69
command-line interface (CLI)overview 25using the 44
compliance information 101declaration of conformity 101FCC notice 104
compliance statements 102component locations 20
Nokia IP390 Intrusion Prevention with Sourcefire
connectionspower 31two-port Gigabit Ethernet NIC, fiber-optic
fail open 69two-port Gigabit Ethernet NICs, copper 57two-port Gigabit Ethernet NICs, fiber-
optic 60two-port or four-port Gigabit Ethernet NICs,
copper fail open 64connector pin assignments
console connection 36Gigabit Ethernet crossover cable 58Gigabit Ethernet NICs, copper 58
connectors forGigabit Ethernet network interface cards 69
console connectionsusing 39
console portpin assignments 36
Ddeactivating NICs 46declaration of conformity 101depth specification 99DIMMs
socket locations 82
Eend-of-life information 27
Installation Guide Index - 105
equipment disposal 27
FFCC notice 104front panel details 20
GGigabit Ethernet network interface cards
connectors 69Gigabit Ethernet NICs
four-port copper fail opencable pin assignments 65connecting to 64front panel 62
two-port coppercable pin assignments 58connecting to 57front panel 57
two-port copper fail opencable pin assignments 65connecting to 64front panel 62
two-port fiber-opticconnecting to 60front panel 60
two-port fiber-optic fail openconnecting to 69front panel 68
Gigabit Ethernet ports, built-in 21
Hhard-disk drive
installing a 75height specification 99
Iinstalling
hard-disk drive, a 75NICs 46
LLEDs
Gigabit Ethernet NICsfour-port copper fail open 62two-port copper 57two-port copper fail open 62two-port fiber-optic 60two-port fiber-optic fail open 68
system status 23
Mmemory (RAM)
replacing 81upgrading 81
monitoring appliances 23
Nnetwork interface cards
see NICsnetwork interfaces
connecting to 36NICs
deactivating 46Gigabit Ethernet, four-port copper fail
open 60Gigabit Ethernet, two-port copper 57Gigabit Ethernet, two-port copper fail
open 60Gigabit Ethernet, two-port fiber-optic 60Gigabit Ethernet, two-port fiber-optic fail
open 66installing 45, 46
Index - 106 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide
interface specifications 100specifications 20, 100
Nokia IPSO-LXcommand-line interface (CLI) 25, 44reference documentation 42requirements 27
Nokia Network Voyageropening 41overview 25using 41
Oopening Nokia Network Voyager 41operating temperature specification 100output connector
Gigabit Ethernet NIC, copper 58Gigabit Ethernet NIC, copper fail open 65Gigabit Ethernet NIC, fiber-optic 60Gigabit Ethernet NIC, fiber-optic fail
open 69
Pphysical dimensions 99power connections 31power supply 32power switch 32
Rrack mounting 30random access memory (RAM)
specification 20recycling retired equipment 27replacing RAM memory 81RJ-45 connector
console cables, for 36
Sspace requirements 99specification
depth 99height 99operating temperature 100physical dimensions 99space requirements 99weight 99width 99
specificationsnetwork interfaces 100technical 99
system status LEDs 23
Ttechnical specifications 99troubleshooting 91
Uupgrading RAM memory 81
Vventilation requirements 26
Wweight specification 99width specification 99
Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide Index - 107
Index - 108 Nokia IP390 Intrusion Prevention with Sourcefire Installation Guide