Console Guide 5.4


  • 8/3/2019 Console Guide 5.4

    1/43

Users Guide

Global Technology Associates
3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Email: [email protected]
Web: www.gta.com

GB-OS 5.4
GBOSCG201009-01
Console


GB-OS Console Users Guide

Table of Contents

Introduction  1
  About This Guide  1
  Conventions  1
  Additional Documentation  1
Connecting to the Console Interface  3
Common Tasks  5
  Resetting the firewall to factory defaults  5
  Switching the firewall's active slice  6
    How do I switch between slices?  6
Using the Console Interface  7
  Config  8
    Configuration Verification  8
    Email Configuration  9
  System  10
    Activation Codes  10
    Contact Information  11
    Date/Time  12
  Objects  13
    Address Objects  13
  Accounts  14
    Remote Administration  14
    Encryption  15
    Generating SSL Certificates  15
  Network  16
    Settings  16
      Entering the Host Name  16
      Entering the Default Route  16
      Defining Network Interfaces  16
    Aliases  19
    Timeouts  20
    NAT  21
      Inbound Tunnels  21
      Static Address Mapping  23
    Pass Through  24
      Hosts/Networks  24
    Routing  25
      RIP  25
      Static Routes  27
  Security Policies  28
    Preferences  28
  Reset to Factory Defaults  29
Tools  30
  Shutdown  30
    Halt  30
    Reboot  30
  Network Diagnostics  30
    Flush ARP Table  30
    Ping  31
    Trace Route  31
  Interfaces  32
Reports  33
  Hardware  33
Reference A: User Interface  34
  Keystroke Commands  35
  Navigation  35
    Menus  35
    Buttons  36
    Entry, Choice, Check, and Item List Fields  36


Introduction

GTA Firewall UTM Appliances, powered by GB-OS, are predominantly administered using the platform-independent Web interface. A second user interface, the Console interface, allows the user to default policies in case of a configuration error, recover a GTA Firewall UTM Appliance, reset a misconfigured firewall to defaults and perform basic configuration tasks.

The Console interface is a GUI-based interface of hierarchical menus. It operates only on the GTA firewall console; it cannot be accessed in any other way. The Console interface should only be used for basic configuration or for recovery purposes. Comprehensive configuration settings are only available from the Web interface.

In this guide, the Console interface is illustrated and described in the order the functions appear in the Console interface menus. Navigation, common keystrokes, menu items and buttons are explained in Reference A: User Interface.

About This Guide

This guide only provides a brief overview when discussing configuration areas. For detailed explanations, examples and walkthroughs, refer to the GB-OS Users Guide.

Conventions

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Bold Italics       Emphasis
Italics            Publications
Blue Underline     Clickable hyperlink (email address, Web site or in-PDF link)
Small Caps         On-screen field names
Monospace Font     On-screen text
Condensed Bold     On-screen menus, menu items
Bold Small Caps    On-screen buttons, links

The chapters in this guide are organized according to the Console interface's menu structure. The exceptions to this rule are the Reference chapters. For the location of specific topics, please see the table of contents.

Additional Documentation

For additional instructions on installation, registration and setup of a GTA product, see the applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate feature guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site.

Note

For the latest documentation, check the GTA Web site for current PDFs.

These manuals and other documentation can also be found on the GTA Web site (www.gta.com). Documents on the Web site are either in plain text (*.txt) or portable document format (*.pdf), which requires Adobe Reader version 7.0 or greater. A free copy of Adobe Reader can be obtained from www.adobe.com.


Available Documentation

Document                                      Topics
GB-OS Users Guide                             GB-OS features and Web user interface.
GB Commander Product Guide                    GB Commander for GTA firewalls.
GTA Reporting Suite Product Guide             GTA Reporting Suite stand-alone reporting software.
Mail Sentinel Option Guide                    Email anti-spam and anti-virus filtering optional feature.
Surf Sentinel Content Filtering Option Guide  Content filtering optional feature.
H2A High Availability Option Guide            High availability optional feature.
GTA VPN Option Guide                          VPN (virtual private networks) feature.
www.gta.com                                   Hardware specifications, current documentation, examples


Connecting to the Console Interface

The Console interface is always available on the GTA firewall; access cannot be disabled. The Console interface is accessible using the serial port and a serial cable. To connect to the Console interface, a physical connection between the GTA firewall and either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable) is required.

1. Connect the GTA firewall to the workstation. To connect to the Console interface, connect your GTA firewall to a PC workstation using the serial port and boot up the firewall.

2. Configure the terminal emulation software. Enter the appropriate settings to emulate the console connections.

3. Enter the firewall administrator's user name and password.

Figure 2.1: Connecting to the Console Interface (GB-2000 shown: GTA Firewall, serial cable, PC workstation). Connect to the Console interface using the serial cable included with your GTA firewall's packaging.


To connect to the GTA firewall using a computer running terminal emulation software, enter the following settings:

Table 2.1: Connecting to the Console Interface

Field           Description
Emulation       VT-100 or PuTTY
Port            COM port connected via DB-9 cable to the firewall
Baud Rate       38400
Data/Bit Rate   8
Parity          None
Stop            1
Flow Control    Hardware

Power on the GTA firewall. Once booted, you will be prompted for the firewall administrator's user ID and password (the default for both is fwadmin). The configuration menu screen (similar to the illustration below) should appear.

Figure 2.2: The Console Interface


Common Tasks

In most circumstances, the Console interface is used as an effort of last resort. Since configuration options are limited, firewall administrators generally use the Console interface when the Web interface is no longer accessible. Common tasks that are performed include resetting the firewall to factory defaults and switching the firewall's active slice.

Note

This chapter only applies to issues that can be resolved using the Console interface. For more troubleshooting issues and solutions, refer to the GB-OS Users Guide.

Resetting the firewall to factory defaults

Generally, resetting the firewall to factory defaults should only be performed when all other options have been exhausted, for example if login information has been irretrievably lost or if it is no longer possible to connect to the Web interface.

By resetting to factory defaults, all current configuration data will be erased and the firewall administrator's user name and password will both become the case-sensitive user name and password fwadmin.

CAUTION

Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the desired settings.

How do I reset my firewall to factory defaults?

To reset your firewall to factory defaults, attach either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable).

Power on the GTA firewall. The following will be displayed:

    GB-OS 5.3.x
    loading ...

When the word loading appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:

    Are you sure you want to reset your firewall configuration?: (yes or no)

To reset to factory defaults, type the word yes in lower-case letters. Typing any other key will reboot the system without resetting to defaults. If there is no input after two minutes, the firewall will continue its boot process.


Switching the firewall's active slice

The memory section (slice) feature can be used to test a new firewall configuration in production while preserving the current configuration in the other memory slice. Because each slice contains its own configuration, it is possible to roll back your firewall's settings to a known good configuration.

How do I switch between slices?

The memory section (slice) feature can be used to test a new firewall configuration in production while preserving the current configuration in the other memory slice. In the following example, memory slice 1 contains the current configuration, and memory slice 2 is used for testing a configuration.

1. Reboot the firewall.

2. Select and boot memory slice 2.

CAUTION

Memory slice 2 will now be your active firewall.

3. Switch to the Web interface to make advanced configuration changes; the currently selected slice will load by default until another is selected.

4. To revert to the last configuration, reboot the firewall using the console interface and select memory slice 1.

Note

The active slice can also be selected from within the Web interface. See the GB-OS Users Guide for more information.


Using the Console Interface

This chapter provides a walkthrough of the Console interface, providing explanation and instruction on configuration areas.

CAUTION

Any changes made to the configuration will be immediately applied to the firewall.

Note

For information on the Console interface's user interface, refer to Reference A: User Interface.

    Figure 4.1: The Console Interface


Config

The Config menu contains commands related to the setup and configuration of the GTA firewall. The Console interface is limited in its configuration options. To properly administer the firewall, use the Web interface.

Figure 4.2: The Config Menu

Configuration Verification

Configuration Verification will run a system configuration check on the GTA firewall. The check will verify all areas of the firewall's configuration.

After you have configured your GTA firewall, run a configuration verification to ensure that you have a valid configuration. Verification happens every time a section or configuration is saved.

To verify your configuration, navigate to Config>Configuration Verification.

Figure 4.3: Verifying the Configuration


Email Configuration

The Email Configuration sub-section allows the user to email the firewall's configuration to the entered recipient. This function is useful for technical support purposes.

Email Configuration allows the user to email a copy of the system information to a designated email address.

Email Configuration sends an email with these reports (in HTML and XML form):

- A Configuration Report
- A Hardware Configuration Report
- A Verification Report
- A copy of the current routing table
- A copy of the current ARP table
- Active VPNs
- Active Policies
- Authenticated ARP Table
- Audit Events
- Current Statistics
- Hardware Summary
- IPsec Tunnels
- Mail Sentinel Policies, Routes, Statistics

Enter any additional information in the Comment(s) field.

To email your firewall's configuration, navigate to Config>Email Configuration.

Figure 4.4: Emailing the Configuration


System

The System menu item contains menu options for configuring activation codes, contact information, the firewall's date and time, and address objects.

Activation Codes

In Activation Codes, the administrator can enter the GTA firewall's serial number and optional feature activation codes for options such as H2A High Availability, Surf Sentinel, Mail Sentinel Anti-Spam & Anti-Virus or GTA Mobile VPN Client licenses. Activation codes entered during installation or pre-installed with hardware appliances will also appear.

Activation codes are provided with software or feature registration. Enter GTA firewall activation codes by highlighting the selected row and pressing Enter to edit, or Insert or the I key to add.

Select Save. The system will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version.

To enter activation codes, navigate to Config>System>Activation Codes.

Note

Activation codes will not function without the system serial number entered in the Serial field. GTA Firewall UTM Appliances have the serial number pre-installed. The firewall's serial number can also be found on the card that shipped with the firewall or in the GTA Online Support Center.

Figure 4.5: Entering Activation Codes


Contact Information

Contact Information stores information about the firewall administrator. This information is used by email, reports and list functions.

To enter the firewall administrator's contact information, navigate to Config>System>Contact Information.

Figure 4.6: Entering Contact Information

Table 4.1: Contact Information

Field Name             Description
Name                   Enter the firewall administrator's name.
Company                Enter the firewall administrator's company.
Email Address          Enter the firewall administrator's email address.
Phone Number           Enter the firewall administrator's phone number.
Support Email Address  Enter the email address to be used for technical support. Default is [email protected]


Date/Time

Since the firewall's date and local time are used to tag log messages, having the firewall configured to operate on accurate time settings is important. The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone.

To set your firewall's date and time, navigate to Config>System>Date/Time.

Figure 4.7: Setting the Firewall's Date and Time

Table 4.2: Date/Time

Field Name  Description
Date        Enter the current date as YYYY-MM-DD.
Time        Enter the current time (in 24-hour format) as HH:MM:SS.


Objects

Using objects increases speed and consistency when creating a configuration with GB-OS. A user need only define an address or group of addresses, an interface, or a configuration once, then select the object in each screen where that definition is required. Once the object is created, the user will only need to change the object to change the definition in all the locations where it is used.

In the Console interface, only address objects are available for configuration. To configure all other objects, it is necessary to log into the Web interface.

Address Objects

The address object list displays the name and description of all defined address objects. When using the Console interface, users can reset and save the address objects. Editing or inserting new address objects is not possible.

To view or reset the address object list, navigate to Config>System>Objects>Address Objects.

Figure 4.11: Address Objects


Accounts

The Accounts section contains configuration screens that display options for remote administration.

Note

Administration accounts are only configurable via the Web interface. For more information, refer to the GB-OS Users Guide.

Remote Administration

Remote Administration controls remote administration via the Web interface, and whether a VPN connection requires User Authentication. The default settings enable remote administration and the ability to apply updates. The Web interface is served on standard TCP port 443 for SSL encryption.

To configure remote administration preferences, navigate to Config>Accounts>Remote Administration.

Figure 4.12: Remote Administration

Table 4.6: Remote Administration

Field                  Description
WWW (Web Interface)
  Enabled              Enables remote administration for the Web interface.
  Server Port          The TCP port allowing Web administration. SSL encryption default is 444.
  Encryption           A selection for the level of SSL encryption. All levels of SSL encryption are enabled by default. Setting encryption to None will turn off SSL encryption.
  Automatic All        A selection for whether automatic policies should be enabled for all interfaces.
  Automatic Protected  A selection for whether automatic policies should be enabled for the protected interface.


Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL-encrypted administration requires a remote access policy with a port that matches the remote administration port (443, by default).

SSL certificates include three validity checks:

1. An issuer, or self-issued certificate authority.

2. A date, which will be the date of certificate generation.

3. A name, which will be the firewall's host name.

To create a certificate in which the name on the security certificate matches the name on the site, the host name found in Config>Network>Settings must match the name given to the firewall in the DNS server. If you cannot match the host name, you may instead add the host name to the LMHOSTS file on Windows computers.

Table 4.7: Encryption Levels

Level   Key Strength        Description
None    n/a                 Disables SSL encryption
All     n/a                 Accepts low/medium/high levels of encryption
Low     40-, 56-, 64-bit    A low level of SSL encryption. Easier to break.
Medium  128-bit             A medium level of SSL encryption. Harder to break.
High    168-bit             A high level of SSL encryption. Difficult to break.

Generating SSL Certificates

Each time GB-OS is updated, the SSL certificate is renewed for a period of one year from the release build date. You may also manually generate a new certificate by using the New SSL Certificate button. This creates a new SSL certificate for the firewall, which is valid for one year from its creation date.

Note

Changing the firewall's host name will automatically generate a new SSL certificate using the new host name.


Network

The Network section allows for the configuration of the firewall's network settings, aliases, timeouts, NAT (Network Address Translation), pass through and routing.

Settings

Much of the data found in Network Settings will have been entered during installation, including the required protected and external network. To define your network's settings, navigate to Config>Network>Settings.

Figure 4.13: Network Settings

Entering the Host Name

The host name, defined in the Host name field, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Entering the Default Route

The default gateway, defined in the Default Route field, is a node on the network that serves as an access point to another network, usually the Internet. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface. If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the Default Route field is not needed.

Defining Network Interfaces

A network interface:

- Assigns a network (represented by an IP address and a subnet mask) to a physical NIC
- Designates a network type
- Identifies a gateway (default route)

GTA recommends two logical networks for a GTA firewall, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN).

Defined network interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall.

CAUTION

If a network interface's name is changed, but a policy that references it is not updated to refer to the new name, all new connections maintained by the policy will fail to match.


Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will attempt to create one based on the network class in CIDR notation: Class C = /24, Class B = /16 or Class A = /8. Doing so helps prevent misconfiguration.

When editing a network interface, a table labeled Network Interface Cards will be displayed. The Network Interface Cards table shows information regarding the GTA firewall's NICs, such as their MAC address and connection.

CAUTION

Use caution when changing the logical names of interfaces; if a logical name does not match a policy, you may lose access to the firewall.

To edit a network interface, highlight the desired interface and hit the Enter key.

Figure 4.14: Editing a Network Interface

Table 4.8: Defining a Network Interface

Field           Description
Name            Assign a logical name to identify the network interface. Network interface names may not use a number as the first character.
Gateway         Enable this checkbox if you wish to make the logical interface an Internet gateway.
NIC             The NIC to be used by the defined network interface.
Connection      AUTO is generally recommended. Selections are:
                AUTO: Auto-select the active network connection.
                UTP_10: Use the unshielded twisted pair interface at 10 Mbps.
                TX_100: Use the unshielded twisted pair interface at 100 Mbps.
Option          Select Default (full- or half-duplex) or Full Duplex.
MTU             Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance.
Interface Type
  External      Select to define the network interface as an external interface.
  Protected     Select to define the network interface as a protected interface.
  PSN (Private Service Network)  Select to define the network interface as a PSN interface.

Table 4.8: Defining a Network Interface (continued)

Field           Description

Network Address
  DHCP          Dynamic Host Configuration Protocol. DHCP is typically required for cable modem connections. When selected, the system uses DHCP to obtain an IP address for the specified interface. DHCP may be used on any and all network interfaces.
  IP Address    Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered.
Network Interface Cards
  NIC           The Network Interface Card (e.g., eth0).
  MAC Address   If the device is an Ethernet card, its MAC address will be displayed in this section. Use it to assign a physical interface to a particular logical interface. Record MAC addresses before installation into GB-Ware hardware.
  Name          The name assigned to the NIC.
  Connection    The NIC's connection speed.
                AUTO: Auto-selects the active network connection.
                UTP_10: Uses the unshielded twisted pair interface at 10 Mbps.
                TX_100: Uses the unshielded twisted pair interface at 100 Mbps.


Aliases

Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service group via a tunnel (e.g. multiple internal Web servers that all serve content to the external network). Aliases used on an external NIC attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached.

If the IP alias is on the same logical network as the network interface's primary IP address, use a subnet mask of 32 bits (255.255.255.255).

To configure aliases, navigate to Config>Network>Aliases. The Aliases screen will display all defined aliases. Press Enter to edit an existing alias, or press Insert or the I key to create a new alias.

Figure 4.15: Editing an Alias

Table 4.9: Edit Alias

Field               Description
Name                A unique name to identify the alias elsewhere in the firewall's configuration. Alias names may not use a number as the first character.
Interface           The interface that will have an alias applied.
IP Address/Netmask  The IP address of the alias.
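Two rules from the interface and alias sections are easy to get wrong when entering addresses by hand: the classful mask the system falls back to when no subnet mask is given (Class A = /8, Class B = /16, Class C = /24) and the 32-bit mask required for an alias that sits on the primary interface's logical network. The following Python is an added example, not GB-OS code; the function names, the class boundaries derived from the first octet, the name rule (no leading digit) and the sample addresses are assumptions chosen to illustrate those rules.

```python
import ipaddress
from typing import List, Optional


def classful_prefix(ip: str) -> int:
    """Prefix length the guide says is inferred when no mask is entered.

    Assumption: class is decided by the first octet (A < 128, B < 192, C < 224).
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8      # Class A
    if first_octet < 192:
        return 16     # Class B
    if first_octet < 224:
        return 24     # Class C
    raise ValueError(f"{ip} is not a class A, B or C address; enter a mask explicitly")


def interface_network(ip: str, prefix: Optional[int] = None) -> ipaddress.IPv4Interface:
    """Build the logical interface, inferring the mask only when none is supplied."""
    if prefix is None:
        prefix = classful_prefix(ip)
    return ipaddress.IPv4Interface(f"{ip}/{prefix}")


def valid_object_name(name: str) -> bool:
    """Interface and alias names may not use a number as the first character."""
    return bool(name) and not name[0].isdigit()


def check_alias(primary: ipaddress.IPv4Interface, alias_ip: str, alias_prefix: int) -> List[str]:
    """Return a list of problems with an alias definition (empty list = acceptable)."""
    problems = []
    alias = ipaddress.IPv4Interface(f"{alias_ip}/{alias_prefix}")
    if alias.ip == primary.ip:
        problems.append("alias duplicates the interface's primary address")
    # Same logical network as the primary address: the guide requires a /32 mask.
    if alias.ip in primary.network and alias_prefix != 32:
        problems.append("alias is on the primary interface's logical network; use a 32-bit mask (255.255.255.255)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a protected interface entered without a mask.
    prot = interface_network("192.168.1.1")
    print("inferred network:", prot.network)                 # 192.168.1.0/24
    print(check_alias(prot, "192.168.1.50", 24))             # one problem: needs /32
    print(check_alias(prot, "192.168.1.50", 32))             # []
    print(check_alias(prot, "203.0.113.10", 24))             # [] (different logical network)
```

The inference is exactly what the guide warns about: an address such as 10.0.0.1 entered without a mask silently becomes 10.0.0.0/8, so the explicit mask in the IP Address field is the safer habit.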


Timeouts

Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching its timeout value differs for each IP protocol. For example, TCP has enough information embedded for GB-OS to determine when the connection is ready to close, but with ICMP and UDP it is generally impossible to determine when a connection is ready to close.

To define timeouts, navigate to Config>Network>Timeouts.

Figure 4.16: Defining Timeouts

Table 4.10: Timeouts

Field              Description
TCP
  Timeout          The time, in seconds, that the firewall will wait before timing out TCP packets. Default is 600.
  Send Keep Alives?  If a successfully created TCP connection remains idle for the timeout period and this field is disabled, the connection is marked ready to close. If this field is enabled, a Keep Alive packet is sent. If the connection is still valid, the GTA firewall will set the connection idle time to zero. If the connection is invalid, the GTA firewall will see a reset packet indicating this, sent by the client to its server, and will mark the connection ready to close. If no response is received within five minutes, the GTA firewall will mark the connection ready to close. Enabled by default.
  Wait for ACK     As part of TCP connection creation, the client and server exchange several IP packets. All packets sent from the server will have a bit indicating ACK (acknowledgement) in the header. As part of Stateful Packet Inspection, the GTA firewall keeps a record of seeing this bit. If it is not seen, the remote server may be down. If the idle time is reached without an ACK from the server, the connection is marked ready for close. Default is 30 seconds.
UDP Timeout        The time, in seconds, that the firewall will wait before timing out UDP packets. Default is 600.
ICMP Timeout       The time, in seconds, that the firewall will wait before timing out ICMP packets. Default is 15.
Default Timeout    This is the timeout for any supported protocol other than TCP, UDP or ICMP. After a connection is marked as ready to close, the GTA firewall will wait five seconds before it actually closes the connection. This gives redundant IP packets a chance to clear the GTA firewall without causing false doorknob twist error messages. Default is 600 (10 minutes).
Wait for close     If your firewall is experiencing spurious Remote Access Policy blocks from reply packets, typically from port 80 (the Internet), you may want to increase this value, giving packets from slow or distant connections more time to return before the connection is closed. Default value is 20 seconds.
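The state transitions Table 4.10 describes (idle timeout per protocol, the Wait for ACK window for TCP sessions whose server never answered, the keep-alive probe with its five-minute grace, and the Wait for close hold before an entry is dropped) are easier to reason about as a small state table. The Python below is an added model for illustration, not GB-OS code: the timings are the table's defaults, but the class, its method names, the choice to use the Wait for close value as the hold after "ready to close", and the convention that one call to state() behaves like one pass of a periodic scan are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Defaults quoted from Table 4.10, in seconds.
DEFAULT_TIMEOUTS = {"tcp": 600, "udp": 600, "icmp": 15, "other": 600}
WAIT_FOR_ACK = 30        # TCP: idle time allowed before a server ACK has been seen
WAIT_FOR_CLOSE = 20      # hold after "ready to close" before the entry is removed (assumption)
KEEPALIVE_GRACE = 300    # five minutes to answer a keep-alive probe


@dataclass
class Connection:
    proto: str
    last_activity: float
    ack_seen: bool = False                      # TCP only: a server ACK was observed
    keepalive_sent_at: Optional[float] = None   # when a keep-alive probe went out, if any
    ready_to_close_at: Optional[float] = None   # when the entry was marked ready to close


class StateTable:
    """Toy model of per-connection idle bookkeeping (not the firewall's implementation)."""

    def __init__(self, timeouts: Optional[Dict[str, int]] = None, send_keepalives: bool = True):
        self.timeouts = {**DEFAULT_TIMEOUTS, **(timeouts or {})}
        self.send_keepalives = send_keepalives
        self.conns: Dict[str, Connection] = {}

    def open(self, key: str, proto: str, now: float) -> None:
        self.conns[key] = Connection(proto=proto, last_activity=now)

    def packet(self, key: str, now: float, server_ack: bool = False, reset: bool = False) -> None:
        """Record traffic on a connection; a reset marks it ready to close immediately."""
        c = self.conns[key]
        if reset:
            c.ready_to_close_at = now
            return
        c.last_activity = now
        c.keepalive_sent_at = None          # any traffic answers an outstanding probe
        if server_ack:
            c.ack_seen = True

    def state(self, key: str, now: float) -> str:
        """Evaluate one connection at time `now`; returns 'open', 'ready_to_close' or 'closed'."""
        c = self.conns[key]
        idle = now - c.last_activity
        timeout = self.timeouts.get(c.proto, self.timeouts["other"])
        if c.ready_to_close_at is None:
            if c.proto == "tcp" and not c.ack_seen and idle >= WAIT_FOR_ACK:
                # No ACK from the server inside the Wait for ACK window: server may be down.
                c.ready_to_close_at = c.last_activity + WAIT_FOR_ACK
            elif idle >= timeout:
                if c.proto == "tcp" and self.send_keepalives:
                    if c.keepalive_sent_at is None:
                        c.keepalive_sent_at = now            # send the probe and wait
                    elif now - c.keepalive_sent_at >= KEEPALIVE_GRACE:
                        c.ready_to_close_at = now            # no answer within five minutes
                else:
                    c.ready_to_close_at = c.last_activity + timeout
        if c.ready_to_close_at is None:
            return "open"
        if now - c.ready_to_close_at >= WAIT_FOR_CLOSE:
            return "closed"
        return "ready_to_close"


if __name__ == "__main__":
    # Constructed timeline: a UDP flow that goes quiet versus a TCP session kept alive.
    table = StateTable()
    table.open("dns", "udp", now=0)
    table.open("web", "tcp", now=0)
    table.packet("web", now=1, server_ack=True)
    for t in (599, 600, 620):
        print(t, "dns:", table.state("dns", t), "web:", table.state("web", t))
```

Running the model with the defaults shows why a lowered ICMP timeout (15 s) barely affects anything while a lowered TCP timeout with keep-alives enabled still gives idle-but-live sessions a five-minute probe window before they are dropped.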


NAT

Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address. NAT is applied in the Console interface using inbound tunnels and static mapping.

Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g. TCP, UDP, ICMP or HTTP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, computers such as Web (port 80) servers on a PSN to be reached from the Internet.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are typically used with inbound connections; they are not normally used for traffic inbound from a protected network interface, which is by default allowed access to the other logical network types without use of a tunnel.

Tunnels can be created for these inbound connections:

- From an external network interface to a host on a PSN.
- From an external network interface to a host on a protected network.
- From a PSN interface to a host on a protected network.

Tunnels are defined by an interface and service IP and an internal destination IP address.

Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on the firewall.

If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping so that secondary connections appear to originate from the same address as the tunnel.

To configure inbound tunnels, navigate to Config>Network>NAT>Inbound Tunnels. The Inbound Tunnels screen will display all defined inbound tunnels, if any. Press Enter to edit an existing tunnel, or press Insert or the I key to create a new tunnel.

Figure 4.17: Creating an Inbound Tunnel


Table 4.11: Inbound Tunnels

Field Description

Disable A toggle for whether the inbound tunnel should be disabled or not. Default is off.

Description A short description to identify the function of the inbound tunnel.

Service Select the IP protocol (service) to be used by the inbound tunnel.

From Select the external destination IP address of the tunnel.

To Select the internal destination IP address of the tunnel.

Automatic Accept All Policy A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Default is enabled. Turn it off if traffic to the tunneled host should still be checked against the configured policies; with the default, those policies are not applied to the tunnel.

Require Authentication Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. Default is off.

Hide Source Hides the source of the inbound tunnel connection. Useful when the GTA firewall is used on an intranet. Default is off.

SYN Cookies A toggle for whether TCP SYN cookies should be used or not. Default is on.


Static Address Mapping

Static address mapping allows an internal IP address or subnet to be statically mapped to an interface during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically assigned to the primary IP address of the outbound network interface. Static address mapping is used when it is desirable to statically assign the IP address used in NAT.

To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface).

The target of a map definition must be an IP alias or interface. Mapping is only associated with outbound packet flow.

Map definitions may be for a single host or a subnet.

To configure static address mapping, navigate to Config>Network>NAT>Static Address Mapping. The Static Address Mapping screen will display all defined static address mappings, if any. Press Enter to edit an existing mapping, or press Insert or the I key to create a new mapping.

Figure 4.18: Creating a Static Address Mapping

Table 4.12: Static Address Mapping

Field Description

From (source)

Object Select the address object that will be mapped.

IP Address If an address object cannot be used, enter the IP address and subnet mask that will be mapped instead (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)).

To Interface Select the address object representing the IP address to which the source will be mapped.


Pass Through

The Pass Through section contains Hosts/Networks, which specifies an IP address, subnet or network that will not have NAT applied to its traffic.

Hosts/Networks

Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See product specifications for the number of pass through hosts/networks available on a specific model.

To configure hosts or networks that will bypass NAT, navigate to Config>Network>Pass Through>Hosts/Networks. The Hosts/Networks screen will display all defined hosts or networks, if any. Press Enter to edit an existing host or network, or press Insert or the I key to create a new host or network definition.

Figure 4.19: Defining a Host or Network

Table 4.13: Hosts/Networks

Field Description

Object Select the address object that will be used as the host member.

Address If an address object cannot be used, enter the IP address and subnet mask instead (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)).

Interface Select the destination interface that should not apply NAT when outbound IP packets are received.

Allow Inbound Enable to accept unsolicited IP packets from the specified IP address. Disabled by default. Leave it disabled unless the pass through host must accept connections initiated from the other side of the firewall.
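The three NAT mechanisms described above (inbound tunnels, static address mapping and pass-through hosts) as a small model in Python. This is an added example, not GB-OS code; the addresses, the `Packet`/`Tunnel`/`Firewall` classes and the order in which rules are consulted are assumptions made for illustration. It shows the point the Inbound Tunnels text makes about aliases: a host behind an alias tunnel needs a static map so its own outbound connections leave from the same address.

```python
"""Toy model of the three NAT mechanisms on the Config>Network menu: inbound
tunnels, static address mapping and pass-through hosts. Added example, not
GB-OS code; addresses, class names and rule order are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for icmp


@dataclass
class Tunnel:
    """One row of Table 4.11 (Service / From / To / Hide Source / Disable)."""
    service: tuple  # (proto, port) the firewall appears to serve
    frm: str        # external-side IP: interface address or IP alias
    to: str         # internal destination host
    hide_source: bool = False
    disabled: bool = False


@dataclass
class Firewall:
    external_primary: str                              # primary external IP
    tunnels: list = field(default_factory=list)
    static_maps: dict = field(default_factory=dict)    # "net/len" -> alias IP
    pass_through: list = field(default_factory=list)   # "net/len" never NATed

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> internal. Only traffic matching an enabled tunnel is
        forwarded (destination rewritten to the internal host); anything else
        falls under the implicit deny and is dropped (None)."""
        for t in self.tunnels:
            if t.disabled or t.frm != pkt.dst or t.service != (pkt.proto, pkt.dport):
                continue
            # Hide Source makes the connection appear to come from the firewall.
            src = t.frm if t.hide_source else pkt.src
            return Packet(src, t.to, pkt.proto, pkt.dport)
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external. Pass-through hosts keep their real source,
        a static map pins the source to a specific alias, everything else is
        translated to the primary external address (the default behaviour)."""
        src = ip_address(pkt.src)
        if any(src in ip_network(n) for n in self.pass_through):
            return pkt
        for net, alias in self.static_maps.items():
            if src in ip_network(net):
                return Packet(alias, pkt.dst, pkt.proto, pkt.dport)
        return Packet(self.external_primary, pkt.dst, pkt.proto, pkt.dport)


def build_example() -> Firewall:
    """Constructed configuration using documentation address ranges."""
    fw = Firewall(external_primary="198.51.100.1")
    # Web server on the PSN, reached through port 80 on the external interface.
    fw.tunnels.append(Tunnel(("tcp", 80), "198.51.100.1", "192.0.2.10"))
    # Mail host behind an IP alias, with Hide Source as for an intranet deployment.
    fw.tunnels.append(Tunnel(("tcp", 25), "198.51.100.2", "10.0.0.25", hide_source=True))
    # Static map so the mail host's own connections use the same alias as its tunnel.
    fw.static_maps["10.0.0.25/32"] = "198.51.100.2"
    # A routed public subnet behind the firewall that must not be translated.
    fw.pass_through.append("203.0.113.0/24")
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.inbound(Packet("198.51.100.200", "198.51.100.1", "tcp", 80)))
    print(fw.inbound(Packet("198.51.100.200", "198.51.100.1", "tcp", 443)))  # dropped
    print(fw.outbound(Packet("10.0.0.25", "198.51.100.200", "tcp", 25)))
```

Without the static map, the mail host's outbound SMTP would leave from 198.51.100.1 while its inbound tunnel answers on 198.51.100.2, which is exactly the mismatch the alias caveat warns about.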


Routing

The Routing section contains RIP, which is used to receive routing tables, and Static Routes, which are used to define static paths between one internal subnet and another.

RIP

RIP (Routing Information Protocol) is typically used by routers to receive updated routing tables. RIP is an IP routing protocol that allows broadcasting and/or listening to routing information in order to choose the most efficient route for a packet. Hosts using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops; more than that, and the route is flagged as unreachable.

CAUTION

Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks, and that accepting RIP updates from other routers can compromise network security: any host on a listening interface that sends forged updates can redirect the firewall's traffic. If RIP input is enabled, limit it to trusted interfaces and use MD5 authentication.

RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2.

To configure RIP, navigate to Config>Network>Routing>RIP. The RIP screen will display all defined interfaces and their RIP configuration. There are two checkboxes available on the RIP screen, Enable and Advertise Default Route. Toggle the Enable checkbox to enable the service. Enable the Advertise Default Route checkbox if you wish to advertise the default route on any protected network or PSN on which RIP is enabled. Press Enter to edit the RIP settings of the highlighted interface.

Figure 4.20: RIP Setup


Table 4.14: Edit RIP Interface

Field Description

Enabled Enables RIP on the interface.

Interface The interface for which RIP is being configured. Not configurable.

Input Determines whether, and which version of, RIP will be accepted from other routers. The choices are: Version 1 RIP is accepted; Version 2 RIP is accepted; both version 1 and 2 are accepted.

Output Determines whether, and which version of, RIP will be exported or broadcast. The choices are: Version 1 RIP is exported; Version 2 RIP is exported; both version 1 and 2 are exported.

Password Type Type of authentication that will be used. If an authentication type is selected, the Password field is enabled. Types are: None, Clear and MD5. This only applies to RIPv2. Clear places the password in every update as plain text, where any host on the segment can read it; MD5 sends a keyed digest instead, so the shared secret itself is never transmitted.

Password Password that must be used to exchange routing information through RIPv2.

Key ID Pre-shared secret key ID. This only applies to RIPv2 when MD5 authentication is used.
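The difference between the Clear and MD5 password types, shown on the wire. This is an added example, not GB-OS code: it builds and parses RIPv2 response packets (RFC 2453) with a simple-password entry and with an RFC 2082 keyed-MD5 header and trailer. The routes, the password and the shared key are constructed for illustration.

```python
"""RIPv2 (RFC 2453) builder/parser showing the two Password Types on the RIP
screen: Clear (simple password, RFC 2453 section 4.1) and MD5 (keyed digest,
RFC 2082). Added example, not GB-OS code; sample data is constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address, ip_network

HDR = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, ip, mask, next hop, metric
RESPONSE, AFI_IPV4, AFI_AUTH = 2, 2, 0xFFFF
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3
SAMPLE_ROUTES = [("10.1.0.0/16", 1), ("10.2.0.0/16", 2)]   # constructed


def _route(prefix: str, metric: int) -> bytes:
    net = ip_network(prefix)
    return ENTRY.pack(AFI_IPV4, 0, net.network_address.packed, net.netmask.packed, b"\0" * 4, metric)


def _key16(key: str) -> bytes:
    """RFC 2082 uses the secret padded (or cut) to 16 octets."""
    return key.encode()[:16].ljust(16, b"\0")


def build_response(routes, password=None, md5_key=None, key_id=1, seq=0) -> bytes:
    """password -> Clear auth entry ahead of the routes;
    md5_key  -> MD5 auth header ahead of the routes plus a digest trailer."""
    hdr = HDR.pack(RESPONSE, 2, 0)
    body = b"".join(_route(p, m) for p, m in routes)
    if password is not None:
        auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
        return hdr + auth + body
    if md5_key is not None:
        # "RIP-2 packet length" is the offset of the trailer from the packet start.
        pkt_len = HDR.size + ENTRY.size * (1 + len(routes))
        auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
        trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
        data = hdr + auth + body + trailer
        # Digest over the packet with the padded key in the digest position.
        return data + hashlib.md5(data + _key16(md5_key)).digest()
    return hdr + body


def parse(pkt: bytes) -> dict:
    """Walk the 20-byte entries. With Clear auth the password comes straight
    out of the packet, readable by any host that sees the broadcast."""
    cmd, ver, _ = HDR.unpack_from(pkt, 0)
    out = {"command": cmd, "version": ver, "auth": None, "routes": []}
    off = HDR.size
    while off + ENTRY.size <= len(pkt):
        afi, tag, ip, mask, _nh, metric = ENTRY.unpack_from(pkt, off)
        raw = pkt[off + 4:off + ENTRY.size]          # 16 bytes after AFI + type
        if afi == AFI_AUTH and tag == AUTH_SIMPLE:
            out["auth"] = {"type": "clear", "password": raw.rstrip(b"\0").decode()}
        elif afi == AFI_AUTH and tag == AUTH_MD5:
            pkt_len, key_id, alen, seq = struct.unpack("!HBBI", raw[:8])
            out["auth"] = {"type": "md5", "key_id": key_id, "seq": seq,
                           "pkt_len": pkt_len, "len": alen}
        elif afi == AFI_AUTH and tag == AUTH_TRAILER:
            out["digest"] = raw                      # the 16-byte MD5 digest
        elif afi == AFI_IPV4:
            plen = bin(int.from_bytes(mask, "big")).count("1")
            out["routes"].append((f"{IPv4Address(ip)}/{plen}", metric))
        off += ENTRY.size
    return out


def verify_md5(pkt: bytes, key: str) -> bool:
    """Recompute the RFC 2082 digest; only the holder of the shared key passes.
    A receiver should run this before installing any route from the update."""
    info = parse(pkt)
    auth = info["auth"]
    if not auth or auth["type"] != "md5" or auth["len"] != 16 or "digest" not in info:
        return False
    if len(pkt) != auth["pkt_len"] + 20:          # trailer head (4) + digest (16)
        return False
    data = pkt[:auth["pkt_len"] + 4]
    expect = hashlib.md5(data + _key16(key)).digest()
    return hmac.compare_digest(expect, info["digest"])


if __name__ == "__main__":
    print(parse(build_response(SAMPLE_ROUTES, password="s3cret"))["auth"])
    signed = build_response(SAMPLE_ROUTES, md5_key="shared-key", key_id=7, seq=42)
    print(parse(signed)["auth"], verify_md5(signed, "shared-key"))
```

Note that a forged update with a wrong key, or an update whose metric has been altered in transit, fails `verify_md5`; a Clear-authenticated update offers no such check, since anyone who captured one packet already has the password.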


Static Routes

Static Routes define routing paths between one subnet and another. Static routes supersede the default gateway defined in Config>Network>Settings.

Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall sends all traffic to the default gateway, even if it should be directed to a different subnet on the internal network. Traffic from those internal subnets will not pass in this case, and the firewall logs address spoofing messages, since packets from those subnets arrive on an interface that has no route back to them. Static routes solve this problem by diverting internal traffic back to the appropriate internal subnet before it reaches the default gateway. Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs.

To configure static routes, navigate to Config>Network>Routing>Static Routes. The Static Routes screen will display all defined static routes, if any. Press Enter to edit an existing static route, or press Insert or the I key to create a new static route.

Figure 4.21: Static Route Setup

Table 4.15: Configuring Static Routes

Field Description

Network

Object The IP address(es) whose traffic will be subject to the static route, selected as an address or interface object.

IP Address If no object is used for the network's Object field, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.

Gateway

Object IP address or interface object of the destination gateway selected for this static route.

IP Address If no object is used for the gateway's Object field, enter the address and subnet mask, either in CIDR-based (slash) or dotted decimal notation.
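The static route behaviour described above as a longest-prefix-match lookup, including the spoofing symptom that appears when the route is missing. This is an added example, not GB-OS code; the interface names, addresses and the reverse-path rule used for the spoof check are assumptions made for illustration.

```python
"""Longest-prefix-match route lookup showing why a static route to a subnet
behind an internal router is needed, and why its absence produces address
spoof denials. Added example, not GB-OS code; topology and rules assumed."""
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self, default_gateway: str, external_iface: str):
        # (network, gateway, interface, kind). The /0 entry is the default
        # gateway from Config>Network>Settings on the external interface.
        self.routes = [(ip_network("0.0.0.0/0"), default_gateway, external_iface, "default")]

    def add_connected(self, network: str, iface: str) -> None:
        """A subnet directly attached to a firewall interface (no gateway)."""
        self.routes.append((ip_network(network), None, iface, "connected"))

    def add_static(self, network: str, gateway: str) -> None:
        """Static route: the gateway must be on a directly connected network,
        and the route leaves through that network's interface."""
        _, gw_iface, kind = self.lookup(gateway)
        if kind != "connected":
            raise ValueError(f"gateway {gateway} is not on a directly connected network")
        self.routes.append((ip_network(network), gateway, gw_iface, "static"))

    def lookup(self, dst: str):
        """Most specific matching prefix wins; the /0 default only if nothing
        more specific matches. Returns (gateway, interface, kind)."""
        d = ip_address(dst)
        _, gw, iface, kind = max((r for r in self.routes if d in r[0]),
                                 key=lambda r: r[0].prefixlen)
        return gw, iface, kind

    def spoofed(self, src: str, arrived_on: str) -> bool:
        """Reverse-path check: a packet whose source address would be routed
        out of a different interface than it arrived on counts as spoofed."""
        return self.lookup(src)[1] != arrived_on


def build_example(with_static: bool) -> RouteTable:
    """Constructed topology: protected 10.0.0.0/24 on the firewall, a second
    internal subnet 10.0.5.0/24 behind an internal router at 10.0.0.254."""
    rt = RouteTable(default_gateway="198.51.100.254", external_iface="external")
    rt.add_connected("198.51.100.0/24", "external")
    rt.add_connected("10.0.0.0/24", "protected")
    if with_static:
        rt.add_static("10.0.5.0/24", "10.0.0.254")
    return rt


if __name__ == "__main__":
    for flag in (False, True):
        rt = build_example(flag)
        print("static route:", flag, "->", rt.lookup("10.0.5.7"),
              "spoofed on protected:", rt.spoofed("10.0.5.7", "protected"))
```

Without the static route a packet from 10.0.5.7 arriving on the protected interface resolves to the default route on the external interface, so the firewall treats it as an address spoof; with the route in place the same packet is accepted and return traffic is sent to 10.0.0.254 instead of the default gateway.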


Security Policies

Policies control access to and through the GTA firewall. The implicit rule, that which is not explicitly allowed is denied, applies to both outbound and inbound packets. Unless a policy is in place that accepts a packet, it will always be denied by default.

The Console interface only allows policy sets to be reset to their defaults. To define security policies, you must log in to the Web interface.

Preferences

Policy preferences allow the firewall administrator to globally define most logging and policy settings for all defined policies in one location. Logging options for automatic policies, tunnel connections (opens and closes) and policy blocks may be selected.

From the Alarms section the firewall administrator can set the default parameters for alarm notifications. When a policy is matched, an alarm event is activated. Each alarm event increments the alarm count by one. If either the time or the number of alarms threshold is exceeded, a notification will be sent documenting all the events. Multiple messages will be sent if the number of events exceeds the maximum count per email.

From the General section the firewall administrator can enable or disable automatic policies, generate alarms, send email, send an ICMP service not available message, or log an event.

To set policy preferences, navigate to Config>Security Policies>Preferences.

Figure 4.22: Policy Preferences

Table 4.16: Policy Preferences

Field Description

Alarms

Send email for alarms... Sets the intervals at which an email should be dispatched to the firewall's administrator.

Maximum Alarms per Email Maximum number of alarm messages included in a single email message. An alarm message is generally 200 bytes.

Attempt to Log Host Names Attempt to resolve the host name of the IP address that generated the alarm.

Page When Threshold Reached If the pager is enabled and this option is enabled, a pager notification is sent when an alarm threshold is exceeded.


    General

Automatic Policies Options: Enable/Disable; Log. GTA recommends leaving automatic policies enabled.

Deny Address Spoof Always enabled. Options: Alarm, Email, Log.

Deny Doorknob Twist Always enabled. Options: Alarm, Email, ICMP, Log.

Deny Fragments Options: Enable/Disable, Log. Can be used to block some fragment attacks. GTA recommends leaving this option disabled.

Deny Invalid Packets Always enabled. Option: Log packets.

Deny Unexpected Packets Always enabled. Option: Enable/Disable, Log.

Stealth Mode Options: Enable/Disable, Log.

TCP Syn Cookies Options: Enable/Disable, Log.

Policy Blocks Options: Enable/Disable, Log. Stealth mode has priority over all filters.

Tunnel Opens Always enabled. Option: Log, enabled by default.

Tunnel Closes Always enabled. Option: Log, enabled by default.

Reset to Factory Defaults

Reset to Factory Defaults will reset all GTA firewall configuration parameters back to their original factory settings. This function is exclusive to the Console interface, so that it requires physical (serial) access to the firewall. To reset your GTA firewall, navigate to Config>Reset to Factory Defaults.

CAUTION

Resetting your GTA firewall to factory defaults will wipe out all previously configured settings. Once you have used Reset to Factory Defaults, you must configure your firewall again. For configuring your GTA firewall, please refer to the GB-OS Users Guide.

When the menu item is selected, a pop-up window is displayed which requests confirmation of the reset request. Select the OK button to confirm the command.


Tools

The Tools section contains a number of tools useful for administering and troubleshooting the firewall's configuration.

Figure 4.23: The Tools Menu

Shutdown

The Shutdown configuration screen, located at Tools>Shutdown, contains the Halt and Reboot functions.

Halt

Halt properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the firewall must be restarted from the console interface or be physically reset.

To halt the firewall, navigate to Tools>Shutdown>Halt. When the menu item is selected, a pop-up window is displayed which requests confirmation of the halt request. Select the OK button to confirm the command.

Reboot

Reboot restarts the firewall. To reboot the firewall, navigate to Tools>Shutdown>Reboot. When the menu item is selected, a pop-up window is displayed which requests confirmation of the reboot request. Select the OK button to confirm the command.

Network Diagnostics

The Network Diagnostics configuration screen, located at Tools>Network Diagnostics, contains the Flush ARP Table function and the ping and traceroute tests, which are useful for verifying connectivity.

Flush ARP Table

The ARP Table contains the list of currently known ARP entries: the IP address to MAC address translations and the TTL (Time to Live) for each entry. ARP table entries are kept for 20 minutes and are scanned every five (5) minutes to check for expired entries. Once an entry has expired, the firewall will not try to re-map the address for 20 seconds.

Flushing the ARP Table clears the cache of IP addresses resolved by the Address Resolution Protocol and recorded in the ARP table.

To flush the ARP Table, navigate to Tools>Network Diagnostics>Flush ARP Table. When the menu item is selected, a pop-up window is displayed which requests confirmation of the flush request. Select the OK button to confirm the command.


Ping

The ping function executes the network ping connectivity test using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network.

The firewall will attempt to send five ICMP echo request packets to the target destination and will display the relevant statistics.

To ping an IP address or domain name, navigate to Tools>Network Diagnostics>Ping, enter the address into the Host field and select the OK button.

Figure 4.24: Pinging an IP Address

Trace Route

The trace route function performs a routing trace from the firewall to a designated IP address or domain name. Like Ping, Trace Route is useful for testing network connectivity. To determine whether a route to an Internet host is viable, the trace route function sends UDP probe packets with a short time to live (TTL), and then listens for an ICMP time exceeded reply from each gateway along the path.

When the trace is active, three probes are sent for each TTL value (hop), with the output showing the TTL, the address of the gateway that answered, and the round trip time of each probe.

To trace an IP address or domain name, navigate to Tools>Network Diagnostics>Trace Route, enter the address into the Host field and select the OK button.

Figure 4.25: Tracing an IP Address


Interfaces

The Interfaces configuration screen, located at Tools>Interfaces, allows a network interface on the firewall to be Enabled (up and capable of sending/receiving packets) or Disabled (down and incapable of sending/receiving packets).

CAUTION

Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.

To toggle an interface between enabled and disabled, navigate to Tools>Interfaces, highlight the selected interface and press the spacebar.

Figure 4.26: Enabling an Interface


Reports

The Reports section contains the hardware report, which is useful for troubleshooting purposes.

Figure 4.27: The Reports Menu

Hardware

The Hardware Report generates a report of the hardware components detected in your system and is useful in diagnosing hardware problems. If you suspect a hardware problem, generate this report and review the hardware listed. GTA's technical support staff may also request a current hardware report in order to resolve a GTA firewall issue.

To run the hardware report, navigate to Reports>Hardware.

Figure 4.28: Running the Hardware Report


Reference A: User Interface

The Console interface is a GUI-style interface of hierarchical menus. As the name implies, the Console interface only operates on the GTA firewall console; you can access the interface via a workstation attached to the firewall through the serial port and using a terminal emulator such as TeraTerm.

The Console interface can only be used to perform limited configuration tasks, as it is primarily used as a fail-safe. It is best suited for administrative tasks when the Web interface is not available.

CAUTION

Configuration data is read by the Console interface only once per session, when the administrator logs on. This means that if the configuration is modified via the Web interface during a Console session, the new data will not appear in the Console interface, and subsequent changes saved from the Console will overwrite the changes made remotely. Do not administer the firewall from both interfaces at the same time.

Figure A.1: The Console Interface

Features:

Physical access control (one access point) when used as the only access to the firewall.

Reset capability.

Fail-safe access to the firewall.


Keystroke Commands

All data entry and interface navigation is done using the keyboard attached to the terminal or workstation running terminal emulation software.

Table A.1: Keystroke Commands

Keystroke Command Description

Exit/Cancel

Display all list choices

Clear field

Previous field

Next field

Ok/Save

Toggle color display

Delete or backspace

Toggle choice list / Select highlighted button

Insert line item

Navigation

Although the Console interface's display may vary based upon your method of connection, all variations use the following menus, buttons, fields and lists in navigation.

Menus

There are five top-level menus in the Console interface: Config, Tools, Reports, Exit and Help. Most configuration items are found under the Config menu. Tools useful for troubleshooting your firewall's configuration are located under the Tools menu. Reports contains the Hardware Report, which generates a report on your firewall's hardware configuration. Exit includes the command to exit the Console interface, while Help will display the GB-OS version number.

Use the keyboard arrow keys to move through the menus and press the select key (Table A.1) to select the function currently highlighted.

Figure A.2: Menus


Buttons

Buttons are fields which appear similar to the Web interface's buttons; these Console button fields can be selected by pressing the select key (Table A.1) when the field is highlighted.

Table A.2: Buttons

Button Description

Save Saves the configuration screen.

Cancel Cancels changes and exits the configuration screen or section.

OK Exits the screen, or executes an administrative action.

Default Creates configuration settings in the section that conform to the GTA firewall's default settings; not factory settings.

Send Sends email.

Entry, Choice, Check, and Item List Fields

Fields in the Console interface can be data or data entry fields, choice/selection fields, check fields and item list fields.

Data fields are represented by either a blank line or a line with a default or placeholder entry (e.g., 0.0.0.0/24) as a data format example. Some fields are prefilled by the system and will be unavailable for data entry.

Choice fields offer the user a number of items from which to select the desired entry; scroll through the available selections by pressing the toggle key (Table A.1).

Check fields are either enabled [X] or disabled [ ]. Use the toggle key to switch a check field.

Item List fields represent the items that have been entered in sections with more than one item. Open the edit screen for an item by highlighting it and pressing the select key.


    Copyright

    1996-2010, Global Technology Associates, Incorporated (GTA). All rights reserved.

    Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any meanswithout the prior permission of Global Technology Associates, Incorporated.

    Technical Support

    GTA includes 30 days up and running installation support from the date of purchase. See GTAs Web site for moreinformation. GTAs direct customers in the USA should call or email GTA using the telephone and email address below.International customers should contact a local Authorized GTA Channel Partner.

    Tel: +1.407.380.0220 Email: [email protected]

    Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.

    Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor arecommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.

    Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing orclerical errors.

    Trademarks & Copyrights

    GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated.GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA areservice marks of Global Technology Associates, Incorporated.

    Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of MicrosoftCorporation in the United States and/or other countries.

    Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in theUnited States and/or other countries.

    UNIX is a registered trademark of The Open Group.

    Linux is a registered trademark of Linus Torvalds.

    BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.

    WELF and WebTrends are trademarks of NetIQ.

    Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the UnitedStates and/or other countries.

    Java software may include software licensed from RSA Security, Inc.

Some products contain software licensed from IBM, which is available at http://oss.software.ibm.com/icu4j/.

    Some products include software developed by the OpenSSL Project (http://www.openssl.org/).

    Mailshell and Mailshell Anti-Spam is a trademark of Mailshell Incorporated. Some products contain technology licensed fromMailshell Incorporated.

    All other products are trademarks of their respective companies.