

Alteon Switched Firewall 4.0.2

User’s Guide and


Command Reference

part number: 217014-A, November 2004

4655 Great America Parkway


Santa Clara, CA 95054
Phone 1-800-4Nortel
http://www.nortelnetworks.com
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference

Copyright © 2004 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California, 95054,
USA. All rights reserved. Part Number: 217014-A.

This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without
warranty of any kind, either express or implied, including any kind of implied or express warranty of non-
infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR
2.101 (Oct. 1995) and contains “commercial technical data” and “commercial software documentation” as
those terms are used in FAR 12.211-12.212 (Oct. 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct. 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov. 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Alteon, Alteon Switched Firewall, Alteon 5014, 6400, 6600, 6414, Alteon Firewall Director, Firewall OS,
Alteon Firewall Accelerator, and Alteon Accelerator OS are trademarks of Nortel Networks, Inc. in the
United States and certain other countries.
Check Point, SecureXL, SmartCenter, SmartDashboard, SmartView Tracker, OPSEC, and SmartView
Monitor are trademarks of Check Point Software Technologies Ltd. FireWall-1 and VPN-1 are registered
trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are
owned by their respective companies.
Originated in the USA.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export
or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations.
A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing

This product includes software developed by Check Point Software Technologies


(http://www.checkpoint.com). This product also contains software developed by other parties.

See Appendix D, “Software Licenses,” for more information.

Common Criteria Certified Software

For more details, see Appendix E, “Common Criteria Certified Software.”

217014-A, November 2004
Contents

Preface 9
Who Should Use This Book 10
How This Book Is Organized 10
Part 1: Getting Started 10
Part 2: Command Reference 11
Part 3: Appendices 11
How to Get Help 12
Typographic Conventions 13

Part 1: Getting Started 15

Chapter 1: Overview 17
Feature Summary 17
Alteon Switched Firewall Basics 20
Basic Operation 22
Port Filtering 22
Topology Specifics 23
Security Processing 24

Chapter 2: Initial Setup 25


Overview of Initial Setup Tasks 26
Collect Basic System Information 26
Example Network 27
Use Setup for Basic Configuration 28
Configure Licenses and Interfaces 32
Install Check Point Management Tools 35
Configuring and Installing Firewall Policies 45
Task Overview 45
Log in to the SmartDashboard Management Tool 45
Define the Alteon Switched Firewall Object 47


Establish Secure Internal Communications 49


Using Central Licensing 51
Create and Install Firewall Policies 53

Chapter 3: Dynamic Host Configuration Protocol 57


DHCP Relay Agent 58
Configuring for DHCP Relay Agent 58

Chapter 4: Routing Information Protocol 61


Distance Vector Protocol 61
Stability 61
RIP and ASF 62
Routing Updates 62
Configuring for Route Redistribution 63

Chapter 5: Open Shortest Path First 67


OSPF Overview 68
Types of OSPF Areas 68
Types of OSPF Routing Devices 69
Neighbors and Adjacencies 70
The Link-State Database 71
The Shortest Path First Tree 71
Authentication 72
Internal Versus External Routing 72
Alteon Switched Firewall OSPF Implementation 73
Configurable Parameters 73
Defining Areas 74
Interface Cost 76
Electing the Designated Router and Backup 76
Summarizing Routes 76
Virtual Links 77
Router ID 77
Authentication 78
OSPF Features Not Supported in This Release 79
GRE Tunnel Support 79
Configuring GRE Tunnel 79
Avoiding Loops in the GRE Tunnel 82
OSPF Configuration Examples 83
Example 1: Simple OSPF Domain 83


Example 2: Virtual Links 85


Example 3: Summarizing Routes 89
Example 4: Redistributing Routes 91
Verifying OSPF Support 93

Chapter 6: Load Balancing IDS Servers 95


How IDS Load Balancing Works 96
Load Balancing IDS Servers 96
Example 1 96
Example 2 100

Chapter 7: Expanding the Cluster 105


Adding a Second Firewall Accelerator 106
Requirements 107
Installing the New Firewall Accelerator 107
Configuring the New Firewall Accelerator 109
Adding Firewall Directors 111
Requirements 111
Installing the New Firewall Director 112
Configuring the New Firewall Director 112
Manually Adding a Firewall Director 120
Synchronizing Firewall Directors 122
Changing the Firewall Accelerator Ports 125
Configuring the Inter-Accelerator Port 125
Configuring the Firewall Director Uplink Ports 126
Configuring the Network Ports 126

Chapter 8: Upgrading the Software 127


Upgrading to Version 4.0.2 128
Upgrading Version 4.0.2 to a Higher Version 131
Overview of Upgrade Tasks 131
Compatibility 131
Types of Upgrade 132
Installing a Minor/Major Release Upgrade 133
Activating the Software Upgrade Package 135
Reinstalling the Software 137


Chapter 9: Basic System Management 139


Management Tools 140
Users and Passwords 141
The Single System Image 142

Part 2: Command Reference 143

Chapter 10: The Command Line Interface 145


Accessing the Command Line Interface 146
Using the Local Serial Port 146
Defining the Remote Access List 146
Using Telnet 148
Using Secure Shell 150
Using the Command Line Interface 153
Basic Operation 153
The Main Menu 154
Idle Time-out 154
Multiple Administration Sessions 154
Global Commands 155
Command Line History and Editing 157
Command Line Shortcuts 158

Chapter 11: The Main Menu 159


Information Menu 163
Network Display Menu 166
Boot Menu 173
Software Management Menu 175
The Maintenance Menu 177
Diagnostics Tools Menu 179
Debug Information Menu 180
Tech Support Dump Menu 193
SFA Flow Control Configuration Menu 194
Backup Restore Menu 195


Chapter 12: The Configuration Menu 197


Configuration Menu 197
System Menu 200
SFD IP and Firewall License Menu 242
Accelerator Configuration Menu 244
Network Configuration Menu 250
Firewall Configuration Menu 323
Application Configuration Menu 330
Miscellaneous Settings Menu 332

Part 3: Appendices 333

Appendix A: Event Logging API 335


Configure the Check Point Management Server 336
Configure the Firewall Directors 341
The Check Point SmartView Tracker 343

Appendix B: Common Tasks 345


Managing Check Point Central Licenses 346
Installing Central Licenses with SmartUpdate 346
Deleting or Reinstalling Central Licenses 346
Backup and Restore Firewall Configuration 347
Remote Login via SSH 348
Mounting a Floppy Disk on the Firewall Director 349
Mounting a CD-ROM on the Firewall Director 350
Manually Upgrading the Firewall Accelerator 351
Tuning Check Point NG Performance 352
Increasing Concurrent Connections 352
Increasing NAT Connections 353
Reading System Memory Information 354
Verifying VNIC Configuration 354
Recovering from a Lock-Out 355

Appendix C: Troubleshooting 357


Unable to Locate the Firewall Accelerator 358
Failed to Establish Trust between Management Station and Firewall Director 359
Cannot Check Communication or Download Policy on Firewall Director 361
Low Performance with Other Devices 362


Cannot Log in to SmartCenter Station from SmartClient 362


Check Point Sends Connection Failed Messages to Firewall Director 363
Low Performance Under Heavy Traffic 363
Cannot Contact to Default Gateway 363
Log Messages Do Not Appear 364
Cannot Push Policy 365
Before You Open a Support Ticket 365

Appendix D: Software Licenses 367


Apache Software Licence 367
mod_ssl License 368
OpenSSL and SSLeay Licenses 369
OpenSSL License 369
Original SSLeay License 370
PHP License 371
SMTPclient License 372
GNU General Public License 373

Index 379

Preface
This User’s Guide and Command Reference describes the Alteon Switched Firewall system
with version 4.0.2 software (and higher). This guide introduces the components and features of
the system and explains how to perform installation, configuration, and maintenance. The
following topics are discussed in the Preface:

- “Who Should Use This Book” on page 10
- “How This Book Is Organized” on page 10
- “How to Get Help” on page 12
- “Typographic Conventions” on page 13


Who Should Use This Book


This User’s Guide and Command Reference is intended for network installers and system
administrators engaged in configuring and maintaining a network. It assumes that you are
familiar with Ethernet concepts and IP addressing.

How This Book Is Organized


The chapters in this book are organized as follows:

Part 1: Getting Started


- Chapter 1, “Overview,” provides an overview of the major features of the Alteon
  Switched Firewall, including the physical layout of its components and the basic concepts
  behind their operation.
- Chapter 2, “Initial Setup,” describes how to perform start-up configuration on the Alteon
  Switched Firewall.
- Chapter 3, “Dynamic Host Configuration Protocol,” describes how to configure the
  Alteon Switched Firewall for DHCP relay support.
- Chapter 4, “Routing Information Protocol,” describes how to configure the Alteon
  Switched Firewall for RIP routing.
- Chapter 5, “Open Shortest Path First,” describes how to configure the Alteon Switched
  Firewall for OSPF routing.
- Chapter 6, “Load Balancing IDS Servers,” describes how to configure the Alteon
  Switched Firewall to load balance IDS servers.
- Chapter 7, “Expanding the Cluster,” describes how to add components to the cluster for
  high availability, increased processing capacity, and stateful failover.
- Chapter 8, “Upgrading the Software,” describes how to upgrade or reinstall the Alteon
  Switched Firewall system component software.
- Chapter 9, “Basic System Management,” describes the various tools used for managing
  the system, and explains basic management concepts.


Part 2: Command Reference


- Chapter 10, “The Command Line Interface,” describes how to access and use the
  text-based management interface for collecting system information and performing
  configuration.
- Chapter 11, “The Main Menu,” explains the commands in the Main menu and its
  submenus, including the Information Menu, Boot Menu, and Maintenance Menu.
- Chapter 12, “The Configuration Menu,” explains the commands in the Configuration
  Menu.

Part 3: Appendices
Appendix A, “Event Logging API,” describes how to view Alteon Switched Firewall log
messages with your Check Point SmartView Tracker.

Appendix B, “Common Tasks,” describes routine management functions.

Appendix C, “Troubleshooting,” provides suggestions for troubleshooting basic problems.

Appendix D, “Software Licenses,” provides licensing information for the software used in this
product.


How to Get Help


If you purchased a service contract for your Nortel Networks product from a distributor or autho-
rized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact one of the following Nortel Net-
works Technical Solutions Centers:

Technical Solutions Center          Telephone

Europe, Middle East, and Africa     00800 8008 9009 or +44 (0) 870 907 9009
North America                       (800) 4NORTEL or (800) 466-7835
Asia Pacific                        (61) (2) 8870-8800
China                               (800) 810-5000

Additional information about the Nortel Networks Technical Solutions Centers is available at
the following URL:

http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel Networks products and services.
When you use an ERC, your call is routed to a technical support person who specializes in sup-
porting that product or service. To locate an ERC for your product or service, refer to the fol-
lowing URL:

http://www.nortelnetworks.com/help/contact/erc/index.html


Typographic Conventions
The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

Typeface or Symbol   Meaning                                                      Example

AaBbCc123            Names of commands, files, and directories used within        View the readme.txt file.
                     the text. Also depicts on-screen computer output and         Main#
                     prompts.

AaBbCc123 (bold)     Bold type in command examples shows text that must be        Main# sys
                     typed in exactly as shown.

<AaBbCc123>          Italicized type in command examples is a parameter           To establish a Telnet session, enter:
                     placeholder. Replace the indicated text with the             host# telnet <IP address>
                     appropriate real name or value when using the command.
                     Do not type the brackets.
                     Italics also mark book titles, special terms, or words       Read your User’s Guide thoroughly.
                     to be emphasized.

[ ]                  Command items shown inside brackets are optional and can     host# ls [-a]
                     be used or excluded as the situation demands. Do not type
                     the brackets.


Part 1: Getting Started
This section discusses basic firewall functions and Alteon Switched Firewall components. The
following topics are included in this section:

- Understanding the Alteon Switched Firewall
- Initial Setup
- DHCP Relay and the RIP and OSPF Routing Protocols
- Load Balancing IDS Servers
- Expanding the Cluster
- Upgrading the Software

CHAPTER 1
Overview
The Alteon Switched Firewall (ASF) is a high-performance firewall system for network
security. The system uses a multi-component approach to deliver firewall processing power,
reliability, and scalability. This chapter describes the following topics for Alteon Switched
Firewall models 6614 and 6414:

- “Feature Summary” on page 17
- “Alteon Switched Firewall Basics” on page 20

Feature Summary
The following features have been added to the Alteon Switched Firewall release 4.0.2 since the
last major release:

- Supports Check Point™ FireWall-1® NG with
  - Application Intelligence R55 and Hotfix Accumulator 08 (HFA_08) software
  - Application Intelligence R54 and Hotfix Accumulator 412 (HFA_412) software
- Supports hardware bundles ASF 6614 and 6414
  - ASF 6614 consists of the Firewall Accelerator 6600 and the Firewall Director 5014.
  - ASF 6414 consists of the Firewall Accelerator 6400 and the Firewall Director 5014.
- Supports up to 500K concurrent connections
- Supports a total of 8K routes on ASF 6614 and 4K routes on ASF 6414
- Supports Generic Routing Encapsulation (GRE) tunnels
- Supports Audit Trail
  ASF 4.0.2 logs every CLI action. The audit trail lets you pinpoint and respond to critical
  events, trace which administrator ran which command, and debug configuration problems.
  The ASF keeps a local log of the CLI commands and forwards it to any configured syslog
  or RADIUS servers. Configure at least one remote destination: a copy held on a separate
  syslog server survives even if the local log is altered by someone who has obtained the
  root shell on a Director.


- Supports SmartView Monitor
  ASF 4.0.2 allows you to monitor firewall performance in real time using Check Point
  SmartView Monitor™.
- Supports remote login via SSH version 2
  ASF 4.0.2 allows remote users to log in to troubleshoot or perform maintenance on the
  firewall.
  Use this feature with caution: it gives remote users an SSH login to the Linux shell on the
  Firewall Director, and a remote user who knows the root password can then run “su root”
  and obtain full control of that Director.
  The following defenses are built in:
  - To log in, the user has to authenticate with a public/private key pair. DSA or RSA keys
    can be used, but they must be in OpenSSH version 2 format. Password-based
    authentication is not allowed.
  - The IP address of the remote user must be in the remote access list.
  - The Check Point policy must allow the SSH connection between the remote user and
    the ASF.
  Because the root password alone unlocks full control once a user is in, keep the set of
  authorized keys and the access list as small as the administration hosts that need them.
- Backup and Restore Firewall Configuration
  ASF 4.0.2 allows you to back up the Director configuration and later restore it to the same
  state. The restore operation restores the configuration in the registry as well as the Check
  Point SIC and policy.
  The backup and restore feature applies to a single Director, not to the cluster. To back up
  an entire cluster, log in to each Director and create a backup separately. You cannot create
  a backup from one member of the cluster and use it to restore another member. A backup
  taken from a Director can be used only to restore that same Director or a replacement for
  that Director. Because the backup carries the SIC credentials, protect the backup file as
  carefully as the Director itself.
- Supports port mirroring on the Firewall Accelerator 6600 and 6400
- Supports SecureXL™ 2.1 with Application Intelligence (AI) software
- Routing and relay protocols supported
  - Supports Dynamic Host Configuration Protocol (DHCP) Relay
    In a DHCP environment, the Alteon Switched Firewall acts as a relay agent, allowing
    hosts or clients on an IP network to obtain their configuration from a DHCP server on
    another subnet, thereby reducing network administration. The ASF relay agent
    eliminates the need for a DHCP/BOOTP server on every subnet, reducing the number
    of DHCP servers deployed on the network and centralizing management.


  - Supports the Open Shortest Path First (OSPF) routing protocol. This implementation
    conforms to the OSPF version 2 specification in RFC 1583, and route redistribution is
    also supported.
  - Supports the Routing Information Protocol (RIP) versions 1 and 2 with route
    redistribution.
- Scalability and Management
  - Flexible Management
    To minimize the time spent manually configuring individual devices, ASF gives you a
    set of management options to control the configuration, policy creation, deployment,
    and ongoing management of your ASF security solution. You can use the CLI, the
    Browser-Based Interface (BBI), or the Management Console.
  - Centralized Management
    Provides dynamic scalability: additional processing power can be added to the cluster
    without disrupting firewall traffic.
    Provides dynamic Plug N Play: added components are automatically configured and
    brought into service.
    Provides a Single System Image (SSI): all components in a given Alteon Switched
    Firewall cluster are configured together as a single system.
    Supports SNMP version 2c and 3 event and alarm traps.
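The relay-agent behaviour summarized under DHCP Relay above, as an added example in Python; this is not ASF code and not the Accelerator OS implementation, but the standard BOOTP/DHCP relay rules from RFC 951 and RFC 1542 applied to a constructed DHCPDISCOVER. Assumptions: the relay interface is 30.1.1.1 (the trusted-side firewall address from the Chapter 2 example network), the DHCP server address 30.1.1.20 is invented for the example, the hop threshold of 4 follows the RFC 1542 recommendation, and the reply delivery rule (broadcast unless ciaddr is set) is a simplification of the RFC 1542 client-side rules.

```python
"""Minimal DHCP/BOOTP relay-agent logic (added example; not ASF code)."""
import ipaddress
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAX_HOPS = 4   # RFC 1542 recommends a configurable threshold; 4 is the suggested default
# Fixed 236-byte BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr
# giaddr chaddr sname file, followed by the variable-length options field.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"


@dataclass
class Bootp:
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: bytes
    yiaddr: bytes
    siaddr: bytes
    giaddr: bytes
    chaddr: bytes
    sname: bytes
    file: bytes
    options: bytes


def parse(pkt: bytes) -> Bootp:
    fixed = struct.calcsize(BOOTP_HDR)
    return Bootp(*struct.unpack(BOOTP_HDR, pkt[:fixed]), options=pkt[fixed:])


def build(b: Bootp) -> bytes:
    return struct.pack(BOOTP_HDR, b.op, b.htype, b.hlen, b.hops, b.xid, b.secs, b.flags,
                       b.ciaddr, b.yiaddr, b.siaddr, b.giaddr, b.chaddr, b.sname,
                       b.file) + b.options


def relay(pkt: bytes, relay_if_ip: bytes, server_ip: bytes):
    """Return (new_packet, dst_ip, dst_port), or None when the packet must be dropped."""
    b = parse(pkt)
    if b.op == BOOTREQUEST:                    # client -> server direction
        if b.hops >= MAX_HOPS:
            return None                        # relayed too often: loop or abuse, drop it
        if b.giaddr == bytes(4):
            b.giaddr = relay_if_ip             # first relay agent records its own address
        b.hops += 1
        return build(b), server_ip, DHCP_SERVER_PORT   # unicast to the configured server
    if b.op == BOOTREPLY:                      # server -> client direction
        if b.giaddr != relay_if_ip:
            return None                        # not addressed to this relay: never forward
        # Simplified delivery: unicast if the client already has an address, else broadcast.
        dst = b.ciaddr if b.ciaddr != bytes(4) else b"\xff\xff\xff\xff"
        return build(b), dst, DHCP_CLIENT_PORT
    return None                                # unknown op code


def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from a client with MAC 00:11:22:33:44:55 (not a capture)."""
    chaddr = bytes.fromhex("001122334455") + bytes(10)
    # magic cookie, option 53 (message type) = 1 DISCOVER, end option
    opts = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    return build(Bootp(BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       bytes(4), bytes(4), bytes(4), bytes(4), chaddr,
                       bytes(64), bytes(128), opts))


if __name__ == "__main__":
    rif = ipaddress.IPv4Address("30.1.1.1").packed    # ASF interface on the trusted net
    srv = ipaddress.IPv4Address("30.1.1.20").packed   # assumed DHCP server address
    out, dst, port = relay(sample_discover(), rif, srv)
    b = parse(out)
    print("hops", b.hops, "giaddr", ipaddress.IPv4Address(b.giaddr),
          "->", ipaddress.IPv4Address(dst), port)
```

The giaddr check on the reply path is the security-relevant detail: a relay that forwards any BOOTREPLY it receives turns itself into a broadcast amplifier for a rogue server on the server-side subnet.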


Alteon Switched Firewall Basics


A basic network using the Alteon Switched Firewall appears as follows:

[Figure 1-1 Alteon Switched Firewall Network Elements: the Alteon Switched Firewall (Firewall
Director and Firewall Accelerator) sits between the Internet and untrusted networks, the
trusted network, and the DMZ servers. Management elements shown are the Alteon local
console, the Alteon remote console, and the Check Point Management Server (SmartCenter)
with its remote SmartConsole client.]

The Networks
- Trusted Networks
  These represent internal network resources that must be protected from unauthorized
  access. Trusted networks usually provide internal services such as a company’s intranet, as
  well as valued applications made available to external clients, such as public e-commerce
  Web sites.
- Semi-trusted Networks
  To increase security, services intended primarily for external clients are often placed on a
  separate network so that a hostile intrusion would not affect the company’s internal
  networks. A network isolated in this way is also known as a De-Militarized Zone (DMZ).
- Untrusted Networks
  These are the external networks that are presumed to be potentially hostile, such as the
  Internet.


The Firewall
- Alteon Switched Firewall
  The Alteon Switched Firewall is placed in the path between your various trusted,
  semi-trusted, and untrusted networks. It examines all traffic moving between the connected
  networks and either allows or blocks that traffic, depending on the security policies defined
  by the administrator. The Alteon Switched Firewall consists of multiple Firewall Director
  and Firewall Accelerator components that are clustered together to act as a single system.
- Firewall Director
  The Firewall Director is a compact, high-performance computing device running Firewall
  Operating System (OS) software. It uses built-in Check Point FireWall-1 NG software to
  inspect network traffic and enforce firewall policies. For increased firewall processing
  power, additional Firewall Directors can be attached to the cluster.
- Firewall Accelerator
  The Firewall Accelerator is an Alteon switch running Accelerator OS software. It offloads
  the processing of secured traffic from the Firewall Director, enhancing firewall performance.
  For high-availability configurations, a second Firewall Accelerator and Firewall Director
  can be attached to the cluster.

The Management Interfaces

- Alteon Local Console
  A local console is used for entering basic network information during initial configuration.
  Once the system is configured, the local console can be used to access the text-based
  Command Line Interface (CLI) for collecting system information and performing
  additional configuration. The Alteon console is not used to manage or install firewall
  policies.
- Alteon Remote Console
  For each host in the remote access list, the administrator can separately allow or deny
  Telnet or Secure Shell (SSH) access to the Alteon CLI, and HTTP or HTTPS (SSL) access to
  the Alteon Browser-Based Interface. Remote access can be used for collecting system
  information and performing additional configuration, but not to manage or install firewall
  policies. Telnet and HTTP carry the login credentials in the clear; use SSH and HTTPS
  wherever the management network is not fully trusted.
- Check Point SmartCenter™
  The SmartCenter holds the master policy database for all the firewalls in your network. Its
  job is to establish Secure Internal Communications (SIC) with each valid firewall and load
  each firewall with the appropriate security policies.
- Check Point SmartConsole with management clients
  Check Point management client software, such as the SmartDashboard™, can be installed
  on one or more administrator workstations on your network. This software usually
  provides a graphical user interface for creating, modifying, and monitoring firewall
  policies. For security, management clients do not interact directly with the firewalls. Instead, any


policy changes made in a management client are forwarded to the SmartCenter which then
loads them onto the firewalls. For convenience, a management client can be installed on
the SmartCenter.
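The key requirements for remote SSH login (OpenSSH version 2 format, RSA or DSA, no password authentication) stated in the Feature Summary and the remote-console access described above, as an added example in Python that is not part of this manual and not the check the ASF itself performs: a pre-flight validator an administrator can run on a public key before adding it to the firewall. It rejects SSH protocol 1 keys, RFC 4716 (SECSH) keys, unsupported key types, and blobs whose embedded type does not match the declared one, and it reports the modulus size. MIN_RSA_BITS is a policy assumption of this example (the manual sets no minimum); the sample keys are built from arbitrary integers and are not real key pairs. Note that OpenSSH has disabled ssh-dss by default since version 7.0, so RSA is the practical choice today even though the ASF accepts both.

```python
"""Validate an OpenSSH v2 public key line before adding it to the ASF (added example)."""
import base64
import re

ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}        # RSA and DSA, the two types the manual allows
SSH1_RE = re.compile(r"^\d+ \d+ \d+")          # SSH protocol 1 keys start with "bits e n"
MIN_RSA_BITS = 2048                            # policy assumption for this example


def read_ssh_string(blob: bytes, off: int):
    """Decode one RFC 4251 'string' (4-byte big-endian length + data)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    n = int.from_bytes(blob[off:off + 4], "big")
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def check_authorized_key(line: str) -> dict:
    """Return {'ok', 'reason', 'type', 'bits', 'comment'} for one authorized_keys line."""
    res = {"ok": False, "reason": "", "type": "", "bits": 0, "comment": ""}
    line = line.strip()
    if SSH1_RE.match(line):
        res["reason"] = "SSH protocol 1 key (not OpenSSH v2 format)"
        return res
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        res["reason"] = "RFC 4716 / SECSH format; convert with ssh-keygen -i first"
        return res
    parts = line.split(None, 2)
    if len(parts) < 2:
        res["reason"] = "expected '<type> <base64> [comment]'"
        return res
    ktype, b64 = parts[0], parts[1]
    res["type"], res["comment"] = ktype, parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        res["reason"] = f"key type {ktype} not allowed (RSA or DSA only)"
        return res
    try:
        blob = base64.b64decode(b64, validate=True)
        inner, off = read_ssh_string(blob, 0)
        if inner.decode("ascii") != ktype:
            res["reason"] = "key type field does not match blob contents"
            return res
        if ktype == "ssh-rsa":                         # blob: type, e, n
            _e, off = read_ssh_string(blob, off)
            n, off = read_ssh_string(blob, off)
            res["bits"] = int.from_bytes(n, "big").bit_length()
        else:                                          # ssh-dss blob: type, p, q, g, y
            p, off = read_ssh_string(blob, off)
            for _ in range(3):
                _x, off = read_ssh_string(blob, off)
            res["bits"] = int.from_bytes(p, "big").bit_length()
        if off != len(blob):
            res["reason"] = "trailing data after key material"
            return res
    except (ValueError, UnicodeDecodeError) as exc:    # binascii.Error is a ValueError
        res["reason"] = f"malformed key: {exc}"
        return res
    if ktype == "ssh-rsa" and res["bits"] < MIN_RSA_BITS:
        res["reason"] = f"RSA modulus {res['bits']} bits is below policy minimum {MIN_RSA_BITS}"
        return res
    res["ok"] = True
    return res


def ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def mpint(n: int) -> bytes:
    # one extra byte keeps the sign bit clear, as RFC 4251 mpint encoding requires
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_line(n: int, e: int = 65537, comment: str = "constructed") -> str:
    """Build an authorized_keys line from arbitrary integers (NOT a real key pair)."""
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEYS = {   # constructed inputs, not keys from any real system
    "rsa2048": make_rsa_line((1 << 2047) | 1),
    "rsa1024": make_rsa_line((1 << 1023) | 1),
    "ssh1": "1024 35 1234567890 user@host",
    "ecdsa": "ecdsa-sha2-nistp256 "
             + base64.b64encode(ssh_string(b"ecdsa-sha2-nistp256")).decode() + " user@host",
    "mismatch": "ssh-rsa " + base64.b64encode(ssh_string(b"ssh-dss")).decode(),
}

if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        print(f"{name:9s} {check_authorized_key(key)}")
```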

Basic Operation
Traditional firewall solutions run firewall software on a workstation or server with a
general-purpose OS. A general-purpose OS brings a large attack surface of its own, and a
software firewall running on it performs poorly. The Alteon Switched Firewall was created to
address both problems.

The Alteon Switched Firewall is a combination of dedicated hardware and software (hardened
OS, security applications, and networking technology). It addresses the needs for security,
performance, and ease of use.

To enhance versatility, the Alteon Switched Firewall is a multi-component solution. The
hardware is a combination of Alteon Firewall Accelerators and Alteon Firewall Directors. The
software is a combination of Alteon Accelerator OS software and the FireWall-1 NG software
from Check Point. By using the throughput of a Gigabit switch controlled by the Check Point
inspection engine, the speed of the firewall is dramatically increased. If you need more
connections per second, additional Firewall Directors can be added.

Port Filtering
The Firewall Accelerator features wire-speed packet filters that allow or deny traffic based on a
variety of address and protocol characteristics. These port filters screen packets before they
reach the firewall inspection engine, so traffic that should never reach the firewall at all (for
example, packets arriving on an untrusted port with a source address from a trusted subnet)
can be dropped without consuming Director resources. Port filters complement the Check
Point policy; they do not replace it. The logging information for these filters can be passed to
the Check Point ELA log and can be viewed with the Check Point SmartView Tracker™.

Security and speed can both be improved by using Alteon port filters in front of the
inspection engine.


Topology Specifics
The classic software firewall model can become a security speed bump. Typically, data enters
from one network card, passes through a policy inspection engine, and is deposited on
another network card. With the single processing path such systems offer, there are major
limitations on speed and expandability.

The Alteon Switched Firewall solution flattens the security speed bump and boosts the speed
of data.

[Figure 1-2 Classic Firewall versus the Alteon Switched Firewall. Classic firewall scenario:
Internet, router, a single firewall, switch, clients and server cluster in one serial path. Alteon
Switched Firewall solution: the Firewall Accelerator sits in the path between the untrusted and
trusted networks and load balances firewall traffic (firewall traffic control) across the attached
Firewall Directors.]

Check Point FireWall-1 NG is a stateful inspection firewall. In the Alteon Switched Firewall,
the Firewall Director performs policy checking for every new connection request, manages the
connection table, and specifies the rules for handling the subsequent packets in a session.
Once a session is active, the subsequent packets are matched against the connection table and
forwarded by the Firewall Accelerator.

Each port of a Firewall Accelerator is connected to a high-capacity, multi-Gigabit backplane.
The Firewall Accelerator performs parallel processing on data flowing through any port. All
four processors work together regardless of the port through which the data entered the
Firewall Accelerator.


Security Processing
The Firewall Director connection table is mirrored to the Firewall Accelerator. This is
accomplished through the Nortel Appliance Acceleration Protocol (NAAP).

After the Firewall Director inspection engine accepts the setup packets of a session,
subsequent packets belonging to that session are matched against the mirrored connection
table and forwarded by the Firewall Accelerator without the involvement of the Firewall
Director. This achieves a large improvement in firewall performance because approximately
90% of the data can be accelerated at wire speed.

Traditionally, a stateful inspection firewall either interrogates every packet or runs in a
cut-through (fast) mode that inspects the first packet and then, once the packet is accepted,
passes all further packets without inspection until the session ends. By using a high-speed
switch as a hardware accelerator, per-packet matching against the connection table is kept at
Gigabit speeds without compromising security: the Accelerator forwards on its own only
packets that belong to a session the Director has already accepted, and a packet with no
matching session is handed to the Director for inspection.
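The two-stage path described under Port Filtering and Security Processing, as an added example in Python; this is a simplified model written for this edit, not Accelerator OS, Firewall OS or NAAP code. It shows a stateless ingress port filter on the Accelerator, a Director policy lookup that runs only for the first packet of a connection, a connection table mirrored to the Accelerator, and the fast path that forwards later packets of an accepted session from that table. Addresses come from the Chapter 2 example network (20.1.1.0/24 untrusted, 30.1.0.0/16 trusted); the rule base, the anti-spoofing filter and the packet trace are constructed for the example.

```python
"""Model of port filter -> Director policy check -> Accelerator fast path (added example)."""
import ipaddress
from collections import Counter
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""          # "S" = SYN (new connection), "F" = FIN (teardown), "" = mid-stream


# Accelerator: stateless port filters, evaluated on the ingress port before anything else.
# Constructed filter: on the untrusted port, drop packets claiming a trusted source address.
INGRESS_FILTERS = {
    "untrusted": [("deny", "30.1.0.0/16", "any")],
    "trusted": [],
}

# Director: constructed Check Point rule base, (src_net, dst_net, proto, dport, action).
POLICY = [
    ("any", "30.1.0.0/16", "tcp", 80, "accept"),          # inbound web to the trusted net
    ("30.1.0.0/16", "any", "tcp", "any", "accept"),       # trusted hosts may go out
    ("any", "any", "any", "any", "drop"),                 # cleanup rule
]


def port_filter(port: str, pkt: Packet) -> bool:
    """True if the packet may continue to the inspection path."""
    for action, src_net, proto in INGRESS_FILTERS[port]:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and proto in ("any", pkt.proto)):
            return action == "allow"
    return True                                   # no filter matched: pass it on


def policy_lookup(pkt: Packet) -> str:
    for src, dst, proto, dport, action in POLICY:
        if ((src == "any" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src))
                and (dst == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst))
                and proto in ("any", pkt.proto) and dport in ("any", pkt.dport)):
            return action
    return "drop"


class SwitchedFirewall:
    def __init__(self):
        self.table = {}            # connection table mirrored to the Accelerator (NAAP)
        self.stats = Counter()

    @staticmethod
    def key(pkt: Packet):
        # Both directions of a session map to the same entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto,) + tuple(ends)

    def handle(self, port: str, pkt: Packet) -> str:
        if not port_filter(port, pkt):
            self.stats["filter_drop"] += 1        # never reaches the inspection engine
            return "drop"
        k = self.key(pkt)
        if k in self.table:                       # fast path: Accelerator only
            self.stats["accelerated"] += 1
            if "F" in pkt.flags:
                del self.table[k]                 # session teardown removes the entry
            return "accept"
        self.stats["director"] += 1               # slow path: Director inspection engine
        if "S" not in pkt.flags:
            return "drop"                         # mid-stream packet with no state: no free pass
        action = policy_lookup(pkt)
        if action == "accept":
            self.table[k] = "accept"              # new entry mirrored to the Accelerator
        return action


def sample_session(n_data: int = 8):
    """Constructed trace: one HTTP session plus a spoofed packet and a stateless stray."""
    c, s = "20.1.1.50", "30.1.1.80"
    pkts = [("untrusted", Packet(c, s, "tcp", 40000, 80, "S")),
            ("trusted", Packet(s, c, "tcp", 80, 40000, "S"))]      # SYN/ACK, reverse direction
    pkts += [("untrusted", Packet(c, s, "tcp", 40000, 80))] * n_data
    pkts.append(("untrusted", Packet(c, s, "tcp", 40000, 80, "F")))
    pkts.append(("untrusted", Packet("30.1.1.5", s, "tcp", 1234, 80, "S")))  # spoofed source
    pkts.append(("untrusted", Packet(c, s, "tcp", 40001, 80)))               # no SYN, no state
    return pkts


def run(pkts):
    fw = SwitchedFirewall()
    verdicts = [fw.handle(port, p) for port, p in pkts]
    return verdicts, fw.stats


if __name__ == "__main__":
    verdicts, stats = run(sample_session())
    inspected = stats["accelerated"] + stats["director"]
    print(verdicts, dict(stats), f"accelerated {stats['accelerated'] / inspected:.0%}")
```

Two details carry the security argument of the section: a packet that misses the table goes to the Director rather than being forwarded, and a mid-stream packet for which the Director holds no state is dropped instead of creating an entry, so the fast path can only ever serve sessions the inspection engine has already accepted.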

CHAPTER 2
Initial Setup
This chapter describes how to perform initial setup for the minimal Alteon Switched Firewall
configuration (one Firewall Director and one Firewall Accelerator).

It is assumed that you have installed the Alteon Switched Firewall hardware as described in the
Alteon Switched Firewall Hardware Installation Guide, including mounting the components,
attaching network cables, turning on power, and connecting a console terminal.

The following topics are discussed in this chapter:

- “Overview of Initial Setup Tasks” on page 26
- “Collect Basic System Information” on page 26
- “Example Network” on page 27
- “Use Setup for Basic Configuration” on page 28
- “Configure Licenses and Interfaces” on page 32
- “Install Check Point Management Tools” on page 35
- “Configuring and Installing Firewall Policies” on page 45

NOTE – For configurations with multiple Firewall Directors or Firewall Accelerators, first
install the minimum system as described in the Alteon Switched Firewall Hardware Installation
Guide and perform initial setup as described in this chapter. When the minimum system is
fully configured, add and set up the extra components as described in Chapter 7, “Expanding
the Cluster,” on page 105.


Overview of Initial Setup Tasks

Initial setup involves the following tasks, each of which is detailed in the remaining sections of
this chapter:

- Collect basic system information (page 26)
- Understand the example network (page 27)
- Use the CLI Setup utility for basic configuration (page 28)
- Use the CLI to configure Check Point NG licenses and network details (page 32)
- Install Check Point management tools on a separate administration station (page 35)
- Use the management tools to configure and install firewall policies (page 45)
- Update the system software, if required

Collect Basic System Information

The following is needed before configuring the Alteon Switched Firewall:

- A Check Point license for each Firewall Director in the cluster.
- One subnet assigned for internal Alteon Switched Firewall use. This subnet must provide
  the following IP addresses:
  - One Management IP (MIP) address. This is used as the main access point for the
    entire Alteon Switched Firewall cluster.
  - An IP address for each Firewall Director in the cluster.
  - An IP address for each Firewall Accelerator in the cluster.

NOTE – The lowest and highest IP addresses in the subnet range are the network and broadcast
addresses and cannot be assigned to cluster devices.

- A list of subnets that will be statically configured on the firewall as internal subnets, plus
  the IP address of the internal router that handles routes for these subnets.
- The IP address of the default gateway for traffic moving from the Alteon Switched Firewall
  to the Internet.


• An IP address reserved for the Alteon Switched Firewall on each trusted, untrusted, and
  semi-trusted subnet that will connect directly to the firewall.
• A Check Point SmartCenter station and management console client, SmartDashboard, on
  one of the networks attached to the Firewall Accelerator.

NOTE – Before upgrading the software on the Firewall Accelerator and Firewall Director, you
must perform the initial setup procedures as explained in this chapter. Once initial setup is
complete, see Chapter 8, “Upgrading the Software,” on page 127 for more information.

Example Network
The following example network will be used to illustrate the procedures described in this chap-
ter:

[Figure 2-1 Example Network for Initial Setup. The Internet reaches a router whose inside
interface (IP 20.1.1.2) connects to Firewall Accelerator port 2, IF1, IP 20.1.1.1, on Network A
(Untrusted); the firewall's gateway is 20.1.1.2. Firewall Accelerator port 3, IF2, IP 30.1.1.1,
serves Network B (Trusted), 30.1.1.0/16 with gateway 30.1.1.1, where the Check Point
SmartCenter (IP 30.1.1.10) is located. The Firewall Director (IP 10.10.1.1) and the Firewall
Accelerator (IP 10.10.1.2) form the Alteon Switched Firewall cluster with MIP 10.10.1.10.]

Using this topology, the required information is as follows:

• Alteon Switched Firewall cluster MIP address: 10.10.1.10
• Firewall Accelerator IP address: 10.10.1.2
• Firewall Director IP address: 10.10.1.1
• Firewall default gateway IP address: 20.1.1.2 (Router interface)
• Network A (Untrusted) IP addresses: 20.1.1.0/24, with 20.1.1.1 reserved for firewall


• Network B (Trusted) IP addresses: 30.1.1.0/16, with 30.1.1.1 reserved for firewall
• Check Point SmartCenter IP address: 30.1.1.10 (located on Network B)

Once the network information is collected, you can use the Setup utility to begin basic system
configuration.

Use Setup for Basic Configuration


The Firewall Director console connection is used to access the Alteon Switched Firewall while
performing initial configuration. Connect the included console cable between the serial port on
the Firewall Director to the serial port of a computer with terminal emulation software as
described in the Alteon Switched Firewall Hardware Installation Guide.

Press <Enter> on the console terminal to establish the connection. The Alteon Switched Fire-
wall login prompt will appear. Enter the default login name (admin) and the default password
(admin). If the Alteon Switched Firewall is set to factory defaults, a special Setup utility
menu will appear:

login: admin
Password: admin (not displayed)

Welcome to the Alteon Switched Firewall initialization.


------------------------------------------------------------
[Setup Menu]
join - Join an existing SFD cluster
new - Initialize SFD as a new installation
restore - Restore this SFD from a backup taken earlier
offline - Initialize SFD for offline switchless maintenance
boot - Boot Menu
naap - Set NAAP VLAN id
exit - Exit

>> Setup#

NOTE – If the Setup Menu does not appear, disconnect the Firewall Director from the cluster
and reset it to its factory default state using the /boot/delete command (see page 174).

Below is an example of the Setup utility prompts and configuration. Follow the example to ini-
tialize a “new” installation. After answering the various Setup questions, the built-in Check
Point software will be initialized.


1. Select a “new” installation.

>> Setup# new


Setup will guide you through the initial configuration of a new SFD
cluster.

2. Enter the network IP address for this Firewall Director:

Enter an IP address for this SFD: 10.10.1.1

NOTE – The IP addresses shown here and in the following steps are taken from the example
network on page 27. Enter information for your specific network configuration.

3. Enter the network mask for the entire cluster subnet:

Enter a network mask or /bit count [255.255.255.0 or /24]: /24

In this example, the cluster network spans 10.10.1.0/24.

4. Enter other network IP address information.


These addresses must be in the cluster subnet.

Enter the cluster Master IP address (MIP): 10.10.1.10

5. Set your time zone by selecting continent or ocean, then country, then region.
For example:

Timezone setting
1 - Africa
2 - America
3 - Antarctica
4 - Arctic
5 - Asia
6 - Atlantic
7 - Australia
8 - Europe
9 - Indian
10 - Pacific
Select a continent or an ocean, or enter a full timezone name: 2


Countries:
1 - Antigua&Barbuda 18 - Ecuador 35 - Panama
2 - Anguilla 19 - Grenada 36 - Peru
3 - Antilles 20 - French Guiana 37 - St Pierre & Miquelon
4 - Argentina 21 - Greenland 38 - Puerto Rico
5 - Aruba 22 - Guadeloupe 39 - Paraguay
6 - Barbados 23 - Guatemala 40 - Suriname
7 - Bolivia 24 - Guyana 41 - El Salvador
8 - Brazil 25 - Honduras 42 - Turks & Caicos Is
9 - Bahamas 26 - Haiti 43 - Trinidad & Tobago
10 - Belize 27 - Jamaica 44 - United States
11 - Canada 28 - St Kitts&Nevis 45 - Uruguay
12 - Chile 29 - Cayman Islands 46 - St Vincent
13 - Colombia 30 - St Lucia 47 - Venezuela
14 - Costa Rica 31 - Martinique 48 - Virgin Islands (UK)
15 - Cuba 32 - Montserrat 49 - Virgin Islands (US)
16 - Dominica 33 - Mexico
17 - Dom. Republic 34 - Nicaragua
Select a country: 44

Regions & cities:


1 - Adak 8 - Indiana/Marengo 15 - Menominee
2 - Anchorage 9 - Indiana/Vevay 16 - New York
3 - Boise 10 - Indianapolis 17 - Nome
4 - Chicago 11 - Juneau 18 - North Dakota/Center
5 - Denver 12 - Kentucky/Monticello 19 - Phoenix
6 - Detroit 13 - Los Angeles 20 - Shiprock
7 - Indiana/Knox 14 - Louisville 21 - Yakutat

Select a region or city: 13


Selected timezone: America/Los_Angeles

6. Select a time server and set the current date and time:

Enter the current local date (YYY-MM-DD) [2001-07-10]: <Enter>


Enter the current local time (24-hour, HH:MM:SS) [14:21:23]: <Enter>

7. Set the new administrator password:

Enter new admin user password: admin (not displayed)


Enter password again: admin (not displayed)


8. Generate a new Secure Shell (SSH) host key for use in secure remote administration ses-
sions:

Generate a new ssh host key? ([y]/n) y

It is recommended that you generate a new SSH key in order to maintain a high level of secu-
rity when connecting to the Alteon Switched Firewall using an SSH client. Answer the prompt
by pressing the y or n key. Do not press <Enter>.

9. Set the Check Point one-time password:

Enter CheckPoint SIC one-time password: <SIC password> (not displayed)


Enter password again: <SIC password> (not displayed)

The one-time password entered here will be required later when establishing Secure Internal
Communications (SIC) between the SmartCenter and the Firewall Director.

10. Specify the Firewall Accelerator that you will be using:

Accelerators Supported
1) 6600
2) 6400
Select the default type: 1

11. Allow self-configuration to complete.


Once the basic configuration information has been entered, the system begins a phase of self-
configuration and initialization. During this phase, a series of messages are displayed. The
self-configuration phase is complete when the following message is displayed:

Setup successful. Please relogin to configure.

Once this Setup process is complete, you will need to log in and configure Check Point
licenses as shown in the following section.


Configure Licenses and Interfaces


During this portion of the initialization process, you must install additional interfaces and a
Check Point license.

Once the Setup utility has been used for basic system configuration, the Setup menu is no
longer displayed upon subsequent log-ins. Instead, the CLI Main Menu is displayed:

[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]

>> Main#

Use the following CLI commands to install your Check Point licenses and to configure infor-
mation about the network.

1. If local licensing is used, enter Check Point licensing information for the Firewall Direc-
tor.

NOTE – If central licensing is used, skip this step. With central licensing, the license is pushed
from the SmartCenter in a later step.

The license information will be part of your Check Point package. The expected information
will appear similar to this:

• Expiry date: 02aug2004
• Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
• License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn


Log in to the Firewall Director using the administrator account. Be sure to enter the informa-
tion exactly as shown on your specific Check Point license.

>> # /cfg/pnp/add
Enter the IP Address: 10.10.1.1 (address of the Firewall Director)
Enter the Expiry date for the License: <Expiration date>
Enter the Feature string: <Feature string>
Enter the License string: <License string>

Successfully added license/IP

NOTE – Local license installation is performed through the CLI only. Do not install local
licenses using the root login or SmartUpdate or they will be automatically deleted.

2. Configure information for the attached Firewall Accelerator:

>> SFD IP and Firewall License# /cfg/acc/ac1


>> Accelerator 1# addr 10.10.1.2

NOTE – You can also specify a MAC address in the Accelerator 1 Configuration menu. How-
ever, when the automatic discovery feature is enabled, the Alteon Switched Firewall automati-
cally determines the MAC address of the Firewall Accelerator. Auto discovery is on by
default, but can be turned on or off using the /cfg/acc/auto command.


3. Configure the ports and interfaces for the attached networks.


In our example, two networks are attached to the Firewall Accelerator: Network A on port 2
and Network B on port 3. These would be configured using IP interfaces (IFs) as follows:

>> Accelerator 1# /cfg/net/port 2 (Pick Network A port 2)
>> Port 2# ena (Enable port 2)
>> Port 2# ../if 1 (Pick IF 1 for Network A)
>> Interface 1# addr 20.1.1.1 (Set address for IF 1)
>> Interface 1# mask 255.255.255.0 (Set mask for IF 1)
>> Interface 1# ena (Enable IF 1)
>> Interface 1# port/add 2 (Add Network A port to IF 1)
>> Interface Ports # /cfg/net/port 3 (Select Network B port 3)
>> Port 3# ena (Enable port 3)
>> Port 3# ../if 2 (Pick IF 2 for Network B)
>> Interface 2# addr 30.1.1.1 (Set address for IF 2)
>> Interface 2# mask 255.255.0.0 (Set mask for IF 2)
>> Interface 2# ena (Enable IF 2)
>> Interface 2# port/add 3 (Add Network B port to IF 2)

NOTE – Interface broadcast addresses will be automatically calculated from the network mask
unless configured manually.

4. Configure a default gateway or static route for the external networks.


Traffic headed to the Internet needs to be directed to its next hop. In this example, a default
gateway is used:

>> Interface 1# /cfg/net/route/gate/gw 1 (Pick default gateway 1)


>> Default gateway 1# addr 20.1.1.2 (Set gateway IP address)
>> Default gateway 1# ena (Enable the gateway)

5. Apply the configuration changes:

>> Default gateway 1# apply

This command applies the configuration changes on Firewall Director as well as on the Fire-
wall Accelerator (no manual configuration is required on the Firewall Accelerator). The Fire-
wall Director will also upgrade the Firewall Accelerator software if required.

Once the apply process is complete, the Link LED indicators for correctly configured ports
will be green.


In our example network, you can verify that the Firewall Accelerator configuration has been
updated by examining the port LEDs.
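The address requirements listed under “Collect Basic System Information” and the interface and gateway settings entered in steps 3 and 4 above can be checked mechanically before anything is typed at the CLI. The following Python script is an added example, not part of this guide or of the Alteon software; it encodes those requirements as checks and runs them against the example network. The plan dictionary and its field names are the example's own construction, not an Alteon file format:

```python
"""Consistency checks for an Alteon Switched Firewall address plan.

Added example, not code from the Nortel manual. It turns the requirements from
"Collect Basic System Information" (one cluster subnet holding the MIP and one
address per Firewall Director and Firewall Accelerator, with the lowest and
highest address reserved) and the interface/default-gateway CLI steps into
checks, using the chapter's example network as constructed input.
"""
import ipaddress
from typing import Dict, List

# Constructed from the example network in this chapter (Figure 2-1).
EXAMPLE_PLAN: Dict = {
    "cluster_subnet": "10.10.1.0/24",
    "mip": "10.10.1.10",
    "directors": ["10.10.1.1"],
    "accelerators": ["10.10.1.2"],
    # interface number -> (address, prefix length), as set with /cfg/net/if
    "interfaces": {1: ("20.1.1.1", 24), 2: ("30.1.1.1", 16)},
    "default_gateway": "20.1.1.2",
    "smartcenter": "30.1.1.10",
}


def check_plan(plan: Dict) -> List[str]:
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems: List[str] = []

    # 1. Every cluster-internal address must be a usable host address of the cluster subnet.
    cluster = ipaddress.ip_network(plan["cluster_subnet"], strict=True)
    roles = {"MIP": plan["mip"]}
    roles.update({f"Firewall Director {i}": a for i, a in enumerate(plan["directors"], 1)})
    roles.update({f"Firewall Accelerator {i}": a for i, a in enumerate(plan["accelerators"], 1)})
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for role, addr in roles.items():
        ip = ipaddress.ip_address(addr)
        if ip not in cluster:
            problems.append(f"{role} {addr} is outside the cluster subnet {cluster}")
        elif ip in (cluster.network_address, cluster.broadcast_address):
            # the guide reserves the lowest and highest address of the range
            problems.append(f"{role} {addr} is the reserved lowest/highest address of {cluster}")
        if ip in seen:
            problems.append(f"{role} and {seen[ip]} both use {addr}")
        seen[ip] = role
    if len(roles) > cluster.num_addresses - 2:
        problems.append(f"{cluster} has too few usable addresses for {len(roles)} devices")

    # 2. Interface addresses must be host addresses, and interface subnets must not overlap.
    nets: Dict[int, ipaddress.IPv4Network] = {}
    for ifnum, (addr, plen) in plan["interfaces"].items():
        iface = ipaddress.ip_interface(f"{addr}/{plen}")
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"IF {ifnum} address {addr} is not a usable host address")
        for other, onet in nets.items():
            if iface.network.overlaps(onet):
                problems.append(f"IF {ifnum} ({iface.network}) overlaps IF {other} ({onet})")
        nets[ifnum] = iface.network

    # 3. The default gateway must be directly reachable through one of the interfaces.
    gw = ipaddress.ip_address(plan["default_gateway"])
    if not any(gw in net for net in nets.values()):
        problems.append(f"default gateway {gw} is not on any configured interface subnet")

    # 4. The SmartCenter must sit on a network attached to the Firewall Accelerator.
    sc = ipaddress.ip_address(plan["smartcenter"])
    if not any(sc in net for net in nets.values()):
        problems.append(f"SmartCenter {sc} is not on a network attached to the Firewall Accelerator")

    return problems


if __name__ == "__main__":
    for line in check_plan(EXAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
```

Run it against your own plan before starting the Setup utility; an empty result means the plan satisfies the constraints this chapter lists. It checks addressing only, not ports, MAC addresses or link state.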

Once this is complete, proceed to the following section and install the Check Point manage-
ment tools on the management station.

Install Check Point Management Tools


The Alteon Switched Firewall uses standard Check Point management tools (available sepa-
rately from Check Point at http://www.checkpoint.com) to install, maintain, and monitor fire-
wall policies. The following Check Point tools are required to be installed on appropriate
administrator workstations on your network:

• Check Point SmartCenter station.
  This software acts as the central database for all your firewalls. The SmartCenter establishes
  secure communications with all your Check Point firewalls, stores all their firewall policies,
  and uploads the policies to the appropriate firewalls as necessary. The SmartCenter must be
  installed on a separate administrator workstation (not on the Alteon Switched Firewall
  components).
• Check Point SmartDashboard management client.
  The management client software interfaces with the SmartCenter to provide a graphic user
  interface for creating, editing, and monitoring firewall security policies. It can be installed
  on the SmartCenter or on administrative workstations in your network (not on the Alteon
  Switched Firewall components).

If you have already installed an appropriate Check Point SmartCenter and SmartDashboard on
workstations in your network, proceed to “Configuring and Installing Firewall Policies” on
page 45.

This procedure outlines how to install the Check Point management tools (SmartServer and
SmartConsole) NG with Application Intelligence (R55). The Management Client tools are
being installed on the SmartCenter station. These tools may also be installed on a remote sta-
tion. For details about this or any other version of Check Point software, please refer to your
complete Check Point documentation at http://www.checkpoint.com/support/technical/docu-
ments/index.html (ID and password required).

1. Make sure that your SmartCenter station meets or exceeds the minimum requirements.
Check Point SmartCenter requires a workstation or server with the following:

• Operating System: Windows NT 4.0 SP6a or Windows 2000 Server and Advanced Server
  (SP2)


• Processor: Intel Pentium II 300 MHz or better
• Disk space: 40 MB
• Memory: 256 MB
• Check Point NG CD-ROM
• Network presence on one of the subnets attached to the Firewall Accelerator.

2. Insert the Check Point software CD-ROM into the SmartCenter station drive. The instal-
lation program will start automatically.
The following material will explain any important prompts and the expected responses. For
prompts not covered in these steps, follow any onscreen instructions.

3. Select New Installation and click on the Next button:


4. Specify the components being installed:

Select the checkboxes for the following items and click on the Next button:

• SmartCenter
• SmartConsole
Make sure Policy Server is not checked. The SmartConsole selection includes all of the GUI
Client tools you need for the SMART Client that administers the Check Point features on the
Firewall.

5. Confirm installing the components and click on the Next button.

At this point, the installation program will begin installation of each component. First, a com-
mon Check Point component known as the SVN Foundation is automatically installed and
configured, followed by the SmartCenter software and finally the SmartConsole components.
The Application Intelligence software is automatically installed during a later step.


6. Select Management Server as the type of product to install and click on the Next button.
At this point, the program will install the SVN Foundation software (standard), SmartCenter (if
selected) and SmartConsole components. The installation status is displayed in the Installation
Status window.

7. When prompted, click Next to continue.


8. Select Primary SmartCenter as the type of product and click on the Next button.

9. Specify the destination to install the software.


The SmartCenter installation will begin.

10. When prompted, click Next to continue.


11. When prompted, specify the SmartConsole components to be installed:

Check Point Enterprise/Pro preselects all of the SmartConsole components. Check Point
Express preselects the top four components. The selection rationales are discussed on the
Check Point Web site:

http://www.checkpoint.com/products/enterprise/smartcenter.html

NOTE – In previous versions of the Check Point management tool software, backward compat-
ibility was an option. With R55, backward compatibility is a standard feature that is installed in
the background.

12. Follow the onscreen prompts until asked to specify the SmartConsole GUI clients to be
installed:

Select the checkboxes and click on the Next button to install the management client software.


13. Once the software is installed, click on the OK button to configure licenses:

14. When prompted, specify a valid Check Point license for the SmartCenter Server. Select
the Fetch From File... or Add... button (below, left) and specify the appropriate license
data (below, right):

When you have entered the license data, click OK, and Next.


15. When prompted, click the Add… button (below, left) and enter login information for
SmartCenter administrators (below, right):

When you have entered the administrator information, click OK and Next.

16. When prompted, add any remote management clients (also known as SMART Clients):

Enter localhost or the host’s IP address if the GUI client is on the same host as the SmartCenter
Server. Also specify the DNS hostname or IP address of other management clients that will be
permitted to interface with this management station. Click Next to continue.


17. When prompted, type random characters for the cryptographic seed:

NOTE – Do not type excessively quickly. When overfilled, the input buffer may take a few
moments to process.

When the cryptographic seed is generated, click the Next button to continue.

18. Initialize the Certificate Authority. If the FQDN is correct, click the Send to CA button:

After you initialize the Certificate Authority, you should not change the IP address or the name
of the management station.


19. Record the SmartCenter fingerprint by clicking Export to file…..

As a security measure, this fingerprint will be required in a later step to ensure that no one has
impersonated the administrator.

20. When prompted, reboot the management station:

Once the station is rebooted, installation of the SmartCenter and SmartDashboard are com-
plete. The next task is to use the SmartDashboard to define and install firewall policies.


Configuring and Installing Firewall Policies

Task Overview
The initial configuration of firewall policies involves the following tasks:

• Log in to the SmartDashboard management tool
• Define a firewall object in the SmartDashboard management tool
• Establish a trusted Secure Internal Communications (SIC) link between the SmartCenter
  and the Firewall Director
• If using central licensing, enter a license for the firewall object
• Create security policies and install them on the Firewall Director
The following material describes each of these tasks. However, for more details on using your
Check Point tools, refer to your complete Check Point documentation at http://www.check-
point.com/support/technical/documents/index.html (ID and password required).

Log in to the SmartDashboard Management Tool


1. Launch the SmartDashboard software.
Select the SmartDashboard icon from the Check Point Management Clients directory or click
on Start > Programs > Check Point SmartConsole R55 > SmartDashboard:

2. Log in using an administrator account:


Enter one of the user name/password combinations configured during the installation of the
SmartCenter tools during Step 15 on page 42.

Also specify the IP address of the SmartCenter Server and click OK. NOTE—Be sure you have
added this IP address in the client access list to allow SMART Client access to the Firewall.

3. Verify the Check Point fingerprint.


At this point, the SmartDashboard tool will contact the SmartCenter. Since this is the first con-
tact, you will be prompted to verify the current fingerprint:

Click the Approve button to verify that the fingerprint is the same as the one obtained during
installation of the SmartCenter tools during Step 19 on page 44.
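Step 8 of the Setup utility (generate a new SSH host key), Step 19 of the SmartCenter installation (export the fingerprint) and Step 3 above (approve the fingerprint on first contact) are all the same practice: record a key fingerprint out of band when the system is set up, then compare it against what the remote side presents before trusting it. The following Python example is added here and is neither Nortel nor Check Point code. It uses the OpenSSH fingerprint convention (SHA-256 over the public key blob, base64 without padding, the form ssh-keygen -l prints); the SmartCenter fingerprint is displayed in Check Point's own format, which is not reproduced here. The Ed25519 key bytes are constructed, not a real key:

```python
"""Record-then-verify fingerprint checking.

Added example, not Nortel or Check Point code. Demonstrates the pattern behind
the SSH host key and SmartCenter fingerprint steps: record a fingerprint at
setup, compare it on first contact before approving. Uses the OpenSSH format
(SHA-256 over the public key blob, base64 without '=' padding). The key bytes
below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251, section 5)."""
    return struct.pack(">I", len(data)) + data


def ed25519_key_blob(raw_public_key: bytes) -> bytes:
    """Wire-format blob of an ssh-ed25519 public key built from its 32 raw key bytes."""
    if len(raw_public_key) != 32:
        raise ValueError("an Ed25519 public key is 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def public_key_line(blob: bytes, comment: str) -> str:
    """Format a blob as the one-line '<type> <base64> <comment>' form of a .pub file."""
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode()
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> bytes:
    """Extract the blob from '<type> <base64> [comment]' and check the type field agrees."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in text does not match the encoded blob")
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_pinned(presented_blob: bytes, recorded_fingerprint: str) -> bool:
    """True only if the presented key's fingerprint equals the one recorded at setup.

    compare_digest keeps the comparison time independent of where the strings differ.
    """
    return hmac.compare_digest(fingerprint(presented_blob), recorded_fingerprint)


if __name__ == "__main__":
    # Setup time: the new host key is generated and its fingerprint written down.
    recorded = fingerprint(ed25519_key_blob(bytes(range(32))))   # constructed key
    # First contact: the key the remote side presents is parsed and compared.
    line = public_key_line(ed25519_key_blob(bytes(range(32))), "asf-host")
    presented = parse_public_key_line(line)
    print("trust established" if verify_pinned(presented, recorded) else "fingerprint mismatch")
```

The operator holding the fingerprint exported in Step 19 performs the same comparison by eye when the SmartDashboard asks for approval; verify_pinned is what that “Approve” decision amounts to, and a mismatch means the key presented is not the one recorded at setup, so the connection should not be approved.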


Define the Alteon Switched Firewall Object


1. Create a new Gateway object to represent the newly installed Firewall Director.
From the SmartDashboard menu bar, select Manage | Network Objects. When the Network
Objects window appears, click on the New button and select Check Point | Gateway from the
pop-up list.

2. Select Classic mode when the Check Point installed Gateway creation window appears.

3. Define the Firewall Director object parameters:

Enter the following information:


• Name: The name of the newly installed Firewall Director. The SmartCenter must be
  configured to resolve this name to the IP address below.
• IP Address: The address of the newly installed Firewall Director. In our example, the
  address is 10.10.10.1.
• Check Point products: Select NG Application Intelligence (AI).
• FireWall-1: Check this item from the list window.

NOTE – Only FireWall-1 is currently supported on this product. VPN-1® is not used.

Leave the Workstation Properties window open for use in the next steps.


Establish Secure Internal Communications


1. Establish trust between the SmartCenter and the Firewall Director.
Check Point FireWall-1 NG uses a one-time password to initiate Secure Internal Communica-
tions (SIC) between configured objects and the SmartCenter.

To establish SIC, click on the Communication button in the Workstation Properties window.
The Communications window will appear:

Enter the same one-time SIC password that was defined during the Firewall Director initial
setup in Step 9 on page 31 and click on the Initialize button.

The SmartCenter will attempt to contact the Firewall Director and exchange security informa-
tion. When successful, the window will indicate “Trust established.”

2. Close the Communication window.

3. Get the interfaces for the Firewall Director object.


Select the Topology section of the Check Point Gateway window and click on the Get Topol-
ogy button. This will retrieve the interfaces that were configured from the Firewall Director.
The Get Topology button displays linked and enabled networks only.

NOTE – When using antispoofing, a message may appear stating that the Get Topology func-
tion was only partially successful. When this occurs, “IP addresses behind the interface” will
be undefined. Select each interface and use the Edit button to manually configure the unde-
fined address. The address should represent the full range of valid source IP addresses attached
through the interface. These addresses must be configured prior to loading policies to the Fire-
wall Director.

4. Close the Workstation Properties window.

5. From the SmartDashboard tool menu bar, select File | Save.


Using Central Licensing


Central licenses can be easily installed, managed, or deleted using the SmartUpdate module of
your Check Point management tools as follows:

NOTE – If local licensing was used in configuring interfaces in Step 1 on page 32, skip ahead to
“Create and Install Firewall Policies” on page 53.

1. Start the SmartUpdate management tool on your management client station (Smart-
Center).

2. From the SmartUpdate menu bar, select Licenses > New Licenses.

3. Click on Add Manually.

The following screen appears:

Enter the information exactly as shown on your specific Check Point license.

4. Click on the License tab in the SmartUpdate menu bar.

A list of installed Firewall Directors appears.

5. Right-click on your Firewall Director and select Attach Licenses.

A list of currently input licenses appears.

6. Select the license that you installed in Step 3.


The license will be automatically sent to the Check Point Management Console license reposi-
tory and then installed to the Firewall Director.

7. Follow onscreen prompts until the installation is complete.

8. Verify the license that you installed.


To verify that the central license is installed properly, log in as root on the Firewall Director
and issue the following command:

cplic print -x -type


The output of this command should display the installed license information.

For more details on installing central licenses, see your complete Check Point documentation
at http://www.checkpoint.com/support/technical/documents/index.html (ID and password
required).


Create and Install Firewall Policies


1. Create a firewall policy test rule.
At this point in the initial setup, a test is recommended to ensure that the system components
are properly configured. For this test, create a policy rule that will allow any and all traffic to
pass through the firewall. Later, once the firewall operation is confirmed, you can create fire-
wall security rules that will restrict undesirable traffic.

From the SmartDashboard tool menu bar, select Rules | Add Rule | Top. A new rule will be
added to the rulebase. The default action of the new rule is “drop,” indicating that all traffic
from any source to any destination will not pass through the firewall.

Change the action of the new rule to “accept” by right-clicking on the “drop” action icon and
selecting “accept” as the new action from the pop-up list.

Also change the track setting to “log” by right-clicking on the “none” setting and selecting
“log” as the new track setting from the pop-up list.


2. Push the policies to the Firewall Director.


From the menu bar, select Policy | Install. When the Install Policy window appears, select the
firewall cluster object and click on the OK button.

NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear.
Please refer to your company’s security policy and your Check Point documentation at http://
www.checkpoint.com/support/technical/documents/index.html (ID and password required) to
determine whether antispoofing is necessary for your firewall.

Click on the OK button to initiate installing the rulebase.

If the effort to push policies fails, click Show Errors. A common cause of errors is an expired
license. If this is the case, update the license on the SmartCenter Server using SmartUpdate and
push policies again.
Close the Install Policy window when the process is complete.

3. Use the SmartView Tracker program to confirm proper operation of the Firewall Direc-
tor.
The SmartView Tracker lists all traffic being processed, accepted, dropped, and so on. To con-
firm that the Alteon Switched Firewall is properly configured, select the SmartView Tracker
Active Mode. Use a client station to ping the firewall. If the SmartView Tracker displays an
entry for the ping traffic, the configuration is good. Before you ping the Firewall, make sure
you enable the Accept ICMP Replies field in the Global properties tab.


NOTE – The SmartView Tracker is an excellent tool for debugging and enhancing your secu-
rity rules. For details regarding this tool, see your complete Check Point documentation at
http://www.checkpoint.com/support/technical/documents/index.html (ID and password
required).

4. Use the SmartDashboard tool to remove the test rule generated in Step 1.
5. Create and install complete firewall security rules.
The rules you apply to your security policy will depend on the security needs of your network.
In general, you should drop all traffic that is not specifically required. Refer to your company’s
security policy and Check Point documentation at http://www.checkpoint.com/support/techni-
cal/documents/index.html (ID and password required) for more information about creating and
maintaining effective security policies.

CHAPTER 3
Dynamic Host Configuration
Protocol
Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a frame-
work for automatically assigning IP addresses and configuration information to other IP hosts
or clients in a large TCP/IP network. Without DHCP, the IP address must be entered manually
for each network device. DHCP allows a network administrator to distribute IP addresses from
a central point and automatically send a new IP address when a device is connected to a differ-
ent place in the network.

DHCP is an extension of another network IP management protocol, Bootstrap Protocol
(BOOTP), with the additional capability of dynamically allocating reusable network addresses
and configuration parameters for client operation.

Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their
configurations from a DHCP server, thereby reducing network administration. The most sig-
nificant configuration the client receives from the server is its required IP address; other
optional parameters include the “generic” file name to be booted, the address of the default
gateway, and so forth.

The Nortel Networks DHCP relay agent eliminates the need to have DHCP/BOOTP servers on
every subnet. It allows the administrator to reduce the number of DHCP servers deployed on
the network and to centralize them. Without a DHCP relay agent, at least one DHCP server
must be deployed on every subnet that has hosts needing to perform DHCP requests, because
the client’s initial request is a broadcast that routers do not forward.


DHCP Relay Agent


DHCP is described in RFC 2131, and the DHCP relay agent supported on the Alteon Switched
Firewall is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends
messages to the server on port 67 and the server sends messages to the client on port 68.

DHCP defines the methods through which clients are assigned an IP address for a finite lease
period and through which the IP address can be reassigned to another client later.
Additionally, DHCP provides the mechanism for a client to gather the other IP configuration
parameters it needs to operate in the TCP/IP network.

In the DHCP environment, the Alteon Switched Firewall acts as a relay agent. The DHCP
relay feature (/cfg/net/dhcprl) enables the Firewall to forward a client request for an IP
address to DHCP servers with IP addresses that have been configured on the Alteon Switched
Firewall.

When the Alteon Switched Firewall receives a UDP broadcast to port 67 from a DHCP client
requesting an IP address, it places the address of the interface that received the request in the
relay agent address (giaddr) field of the message and forwards the request as a unicast UDP
message to each DHCP server whose IP address is configured on the Firewall. The servers
respond with unicast UDP messages back to the Firewall, carrying the IP address offered to
the client, the default gateway, and the other parameters. The destination IP address of the
server response is the interface address on the Alteon Switched Firewall that received the
client request. This interface address tells the Alteon Switched Firewall on which VLAN to
send the server response to the client.
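The relay behavior just described, written out as an added example in Python. This is not Nortel code and does not run on the Alteon Switched Firewall; the server list, the interface-to-VLAN table, and the sample DISCOVER and OFFER packets are constructed here for illustration, and the 20.1.1.1 address from Figure 3-1 is assumed to be the relay’s client-facing interface. The example sets giaddr and increments hops on the client’s broadcast, unicasts one copy to each configured server, and uses giaddr in the server reply to choose the client VLAN and delivery address, following RFC 1542:

```python
"""DHCP/BOOTP relay-agent forwarding logic (RFC 1542 section 4.1, RFC 2131 section 2).

Added example, not Nortel code. Server list, interface table and the sample
DISCOVER/OFFER packets are constructed for illustration.
"""
import socket
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
ZERO4 = b"\x00" * 4
MAGIC = b"\x63\x82\x53\x63"

# Fixed 236-byte BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr
# siaddr giaddr chaddr sname file; the magic cookie and options follow it.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)
F_OP, F_HOPS, F_FLAGS, F_CIADDR, F_YIADDR, F_GIADDR = 0, 3, 6, 7, 8, 10


def build_discover(xid: int, chaddr: bytes, broadcast: bool = True) -> bytes:
    """Constructed client DHCPDISCOVER: BOOTREQUEST with no addresses filled in."""
    flags = BROADCAST_FLAG if broadcast else 0
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, flags, ZERO4, ZERO4, ZERO4,
                      ZERO4, chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC + b"\x35\x01\x01\xff"        # option 53 = DISCOVER, then end


def build_offer(relayed_request: bytes, yiaddr: str) -> bytes:
    """Constructed server DHCPOFFER: the relayed request echoed back as a BOOTREPLY
    with the offered address in yiaddr (giaddr, flags and xid are preserved)."""
    f = list(struct.unpack(HDR, relayed_request[:HDR_LEN]))
    f[F_OP] = BOOTREPLY
    f[F_YIADDR] = socket.inet_aton(yiaddr)
    return struct.pack(HDR, *f) + MAGIC + b"\x35\x01\x02\xff"   # option 53 = OFFER


def giaddr_of(pkt: bytes) -> str:
    return socket.inet_ntoa(struct.unpack(HDR, pkt[:HDR_LEN])[F_GIADDR])


def hops_of(pkt: bytes) -> int:
    return struct.unpack(HDR, pkt[:HDR_LEN])[F_HOPS]


@dataclass
class RelayAgent:
    servers: list       # configured DHCP server addresses (the /cfg/net/dhcprl/server list)
    interfaces: dict    # relay-enabled interface address -> VLAN of the client subnet
    max_hops: int = 4   # RFC 1542 4.1.1: discard requests whose hops exceed a threshold

    def relay_request(self, pkt: bytes, ingress_addr: str) -> list:
        """Client broadcast received on ingress_addr -> [(server ip, port, packet), ...]."""
        if ingress_addr not in self.interfaces:
            return []                                   # relay not enabled on this interface
        f = list(struct.unpack(HDR, pkt[:HDR_LEN]))
        if f[F_OP] != BOOTREQUEST or f[F_HOPS] > self.max_hops:
            return []
        f[F_HOPS] += 1
        if f[F_GIADDR] == ZERO4:                        # only the first relay on the path sets giaddr
            f[F_GIADDR] = socket.inet_aton(ingress_addr)
        out = struct.pack(HDR, *f) + pkt[HDR_LEN:]
        return [(server, DHCP_SERVER_PORT, out) for server in self.servers]

    def relay_reply(self, pkt: bytes) -> tuple:
        """Server unicast reply -> (client VLAN, destination ip, destination port)."""
        f = list(struct.unpack(HDR, pkt[:HDR_LEN]))
        if f[F_OP] != BOOTREPLY:
            raise ValueError("only BOOTREPLY is relayed toward clients")
        giaddr = socket.inet_ntoa(f[F_GIADDR])
        if giaddr not in self.interfaces:
            raise ValueError("reply not addressed to one of our relay interfaces")
        vlan = self.interfaces[giaddr]                  # giaddr selects the client's VLAN
        # RFC 1542 4.1.2: unicast to ciaddr if the client already has an address; otherwise
        # broadcast if the client set the broadcast flag, else unicast to the offered yiaddr.
        if f[F_CIADDR] != ZERO4:
            dst = socket.inet_ntoa(f[F_CIADDR])
        elif f[F_FLAGS] & BROADCAST_FLAG:
            dst = "255.255.255.255"
        else:
            dst = socket.inet_ntoa(f[F_YIADDR])
        return vlan, dst, DHCP_CLIENT_PORT


if __name__ == "__main__":
    # Servers 10.1.1.1 and 10.1.1.2 as in the configuration steps; 20.1.1.1 (shown in
    # Figure 3-1) is assumed here to be the relay's client-facing interface, on VLAN 10.
    relay = RelayAgent(servers=["10.1.1.1", "10.1.1.2"], interfaces={"20.1.1.1": 10})
    discover = build_discover(0x3903F326, bytes.fromhex("0011223344ff"))
    copies = relay.relay_request(discover, "20.1.1.1")
    for server, port, pkt in copies:
        print(f"-> {server}:{port} giaddr={giaddr_of(pkt)} hops={hops_of(pkt)}")
    print("<- client:", relay.relay_reply(build_offer(copies[0][2], "20.1.1.50")))
```

A second relay on the path leaves giaddr untouched and only increments hops, which is what lets the server reply reach the first relay, the one that can actually deliver to the client’s VLAN.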

Configuring for DHCP Relay Agent


To enable the Alteon Switched Firewall to act as the DHCP forwarder, configure the DHCP
server IP addresses on the Firewall and enable DHCP relay on the interface connected to the
client subnet.


The following figure shows a basic DHCP network example:

Figure 3-1 DHCP Relay Agent Configuration (figure not reproduced in this text). It shows a
DHCP client in Boston and a DHCP server in Atlanta, with the Alteon Switched Firewall
between them acting as the DHCP relay agent; the addresses marked in the figure are 20.1.1.1,
the 10.1.1.0 network and 10.1.1.2.

The client request is forwarded to all DHCP servers configured on the Firewall. Configuring
two servers provides failover redundancy, because the client normally accepts the first offer it
receives. However, no health checking is supported: requests are still forwarded to a server
that is down, and its failure is noticed only because it never answers.

DHCP Relay functionality is assigned on a per interface basis. At least one server and one
interface must be enabled for DHCP, otherwise the configuration will fail validation. Use the
following commands to configure the Alteon Switched Firewall as a DHCP relay agent:

1. Enable DHCP Relay globally.

>> # /cfg/net/dhcprl
>> DHCP Relay# ena

2. Configure DHCP requests to enter on this interface.

>> DHCP Relay# if 1
>> DHCP Relay Interface 1# ena (Allow DHCP requests)

3. Configure DHCP server information.

>> # /cfg/net/dhcprl/server 1
>> DHCP Server 1# addr 10.1.1.1 (Set IP address of 1st DHCP server)
>> DHCP Server 1# ena (Enable the DHCP server)
>> DHCP Server 1# ../server 2 (Select the 2nd DHCP server)
>> DHCP Server 2# addr 10.1.1.2 (Set IP address of 2nd DHCP server)
>> DHCP Server 2# ena (Enable the DHCP server)

4. Display current configuration.

>> # /cfg/net/dhcprl/cur (Display current configuration)


5. Apply and save the changes.

>> DHCP Relay# apply

CHAPTER 4
Routing Information Protocol
In a routed environment, routers communicate with one another to keep track of available
routes. Routers can learn about available routes dynamically using the Routing Information
Protocol (RIP).

Distance Vector Protocol


RIP is known as a distance vector protocol. The vector is the destination network number and
its next hop, and the distance is the cost associated with reaching that network. RIP measures
reachability by cost, and cost is defined as hop count: each router traversed between the source
and the destination network adds one hop. This cost or hop count is known as the metric.

When a Firewall Director holding the MIP receives a routing update that contains a new or
changed destination network entry, the Firewall Director holding the MIP adds 1 to the metric
value indicated in the update and enters the network in the routing table. The IP address of the
sender is used as the next hop.

Stability
RIP version 1 was distributed in the early years of the Internet and advertised classful network
addresses without subnet masks; RIP version 2 adds the subnet mask, next-hop information
and authentication to each route entry. RIP is stable, widely supported, and easy to configure.
Use RIP in stub networks and in small autonomous systems that do not have many redundant
paths.

RIP includes a number of other stability features that are common to many routing protocols.
For example, RIP implements the split horizon and holddown mechanisms to prevent incorrect
routing information from being propagated.

RIP prevents routing loops from continuing indefinitely by limiting the number of hops
allowed in a path from the source to a destination. The maximum number of hops in a path is
15. A destination network is considered unreachable if increasing the metric value by 1 causes
the metric to become 16 (that is, infinity). This limits the maximum diameter of a RIP network
to 15 hops.


RIP and ASF


In ASF, Nortel has added support for the RIP v1 and v2 routing protocols. This feature allows
you to enable or disable RIP globally and on a per-VLAN basis. You can also select the version
of RIP to be enabled per VLAN and/or globally.

This implementation of RIP currently allows for up to 8K (8192) total routes, which include
the default routes, interfaces, static routes, and routes learned dynamically from RIP and/or
OSPF.

Loop prevention is performed with the split horizon algorithm, which prevents a route from
being re-broadcast on the same interface on which it was received. Poison reverse is used to
send routing updates with a hop count of 16 for dead routes, so that neighbors withdraw them
immediately instead of waiting for their timers to expire.

Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology
changes. RIP exchanges routing information in User Datagram Protocol (UDP) packets on port
520; RIP version 1 broadcasts them, and RIP version 2 sends them to the multicast address
224.0.0.9. Each router “advertises” routing information by sending a routing information
update every 30 seconds. If a router does not receive an update from another router within 90
seconds, it marks the routes served by the non-updating router as unusable. If no update is
received within 240 seconds, the router removes all routing table entries for the non-updating
router. (These are the intervals documented for this release; RFC 2453 specifies a default
route timeout of 180 seconds.)

When a router receives a routing update that includes changes to an entry, it updates its routing
table to reflect the new route. The metric value for the path is increased by 1, and the sender is
indicated as the next hop. RIP routers maintain only the best route (the route with the lowest
metric value) to a destination.
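The metric handling, timers and loop-prevention rules described in this chapter, as an added Python example. This is not Nortel code; the prefixes, neighbor addresses, interface names and update contents are constructed for illustration. The table applies the add-one-per-hop rule with 16 as infinity, keeps only the lowest-metric route, accepts a worse metric (including 16) from the current next hop so that a neighbor can withdraw a route, ages learned routes with the 90- and 240-second intervals documented above, and builds each outgoing update with split horizon and poison reverse:

```python
"""RIP distance-vector route table as a worked example (RFC 2453 processing rules).

Added example, not Nortel code. Prefixes, next hops, interface names and the
update contents below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16          # metric 16 means unreachable, so a path may cross at most 15 hops
TIMEOUT = 90           # intervals documented in this guide (RFC 2453 defaults are 180 s
FLUSH = 240            # for the timeout and a further 120 s before deletion)


@dataclass
class Route:
    metric: int
    next_hop: Optional[str]     # None for a directly connected network
    iface: str                  # interface the route was learned on (or is connected to)
    learned_at: float


class RipTable:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def add_connected(self, prefix: str, iface: str, now: float) -> None:
        self.routes[prefix] = Route(1, None, iface, now)

    def receive_update(self, sender: str, iface: str,
                       entries: List[Tuple[str, int]], now: float) -> None:
        """Process one update from neighbor `sender`, received on `iface`."""
        for prefix, metric in entries:
            metric = min(metric + 1, INFINITY)      # add the hop to the sender
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < INFINITY:               # never install an unreachable route
                    self.routes[prefix] = Route(metric, sender, iface, now)
            elif cur.next_hop == sender:
                # Same next hop: accept whatever it now says (better, worse or 16)
                # and restart the timeout; this is how a neighbor withdraws a route.
                cur.metric, cur.learned_at = metric, now
            elif metric < cur.metric:               # only a strictly better metric replaces a route
                self.routes[prefix] = Route(metric, sender, iface, now)

    def expire(self, now: float) -> None:
        """Age learned routes: unusable after TIMEOUT, removed after FLUSH."""
        for prefix, r in list(self.routes.items()):
            if r.next_hop is None:                  # connected routes never age out
                continue
            age = now - r.learned_at
            if age >= FLUSH:
                del self.routes[prefix]
            elif age >= TIMEOUT:
                r.metric = INFINITY

    def advertise(self, iface: str) -> List[Tuple[str, int]]:
        """Build the update sent out of `iface`: split horizon with poison reverse, so routes
        learned on this interface are advertised back with metric 16 instead of omitted."""
        update = []
        for prefix, r in self.routes.items():
            poisoned = r.next_hop is not None and r.iface == iface
            update.append((prefix, INFINITY if poisoned else r.metric))
        return sorted(update)

    def metric(self, prefix: str) -> int:
        return self.routes[prefix].metric if prefix in self.routes else INFINITY


if __name__ == "__main__":
    t = RipTable()
    t.add_connected("10.0.0.0/24", "if1", now=0)
    t.receive_update("10.0.0.2", "if1", [("192.168.1.0/24", 1), ("172.16.0.0/16", 15)], now=0)
    print(t.advertise("if1"))   # 192.168.1.0/24 is poisoned back toward 10.0.0.2
    print(t.advertise("if2"))   # but advertised with metric 2 on the other interface
```

Note that a route advertised with metric 15 is dropped on receipt, because adding the hop to the sender makes it 16; this is the 15-hop diameter limit in action.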


Configuring for Route Redistribution


Alteon Switched Firewall can redistribute routes from other protocols into RIP or OSPF
domains. ASF can redistribute connected, OSPF, static, default gateway, and fictitious routes
into RIP routes. In this example, ASF is redistributing OSPF routes into a RIP domain.

Figure 4-1 Redistributing OSPF Routes into RIP (figure not reproduced in this text). It shows
Router 1 (100.100.2.80) in the OSPF domain, Area 0.0.0.0, connected to the Alteon Switched
Firewall at 100.100.2.1; the Firewall acts as the ASBR and is connected at 100.100.3.1 to
Router 2 (100.100.3.150) in the RIP domain. OSPF routes enter on the OSPF side and leave
as RIP routes on the RIP side.

In Figure 4-1 the Alteon Switched Firewall is configured as an ASBR between two domains,
OSPF and RIP. The ASF is connected to two routers, Router 1 in the OSPF domain and Router
2 in the RIP domain. ASF is required to advertise the OSPF routes from the OSPF domain into
the RIP domain. In this example, two IP interfaces are needed on the ASF: one for the OSPF
domain on 100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.

1. Configure the IP interface to the backbone router for the OSPF domain that is connected
to port 1 of the Alteon Switched Firewall.

>> # /cfg/net/if 1 (Select menu for IP interface 1)
>> Interface 1 # addr 100.100.2.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 100.100.2.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # port/add 1 (Add port 1 to interface 1)


2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon
Switched Firewall.

>> # /cfg/net/if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 100.100.3.1 (Specify IP address for RIP domain)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 100.100.3.255 (Set broadcast address)
>> Interface 2 # vlan 22 (Specify VLAN for RIP domain)
>> Interface 2 # ena (Enable IP interface 2)
>> Interface 2 # port/add 2 (Add port 2 to interface 2)

3. Add the port to the VLAN.

>> # /cfg/net/vlan 22 (Select VLAN 22)
>> VLAN 22 # port (Select Port menu)
>> VLAN 22 Ports # add 2 (Add port 2 to VLAN 22)

4. Enable OSPF for interface 1.

>> # /cfg/net/route/ospf/if 1/ena (Enable OSPF for interface 1)

5. Enable OSPF globally.

>> # /cfg/net/route/ospf/ena (Enable OSPF globally)

6. Enable RIP for VLAN 22 and specify the RIP version if required.

>> # /cfg/net/route/rip/vlan 22 (Select VLAN 22)
>> RIP VLAN 22 # ena (Enable RIP for VLAN 22)

7. Enable RIP globally.

>> # /cfg/net/route/rip/ena (Enable RIP globally)

Configure OSPF on Router 1 and verify that the Alteon Switched Firewall and Router 1 are able
to send and receive routes between them. Configure Router 1 to send OSPF routes to the
Alteon Switched Firewall. Check the routing table on Router 2 and confirm that these routes
are not yet advertised to or installed in Router 2, because it is not an OSPF router and
redistribution has not been enabled yet.


8. Configure the ASF to convert the OSPF routes into RIP routes.

>> # /cfg/net/route/rip/redist/ospf/ena (Redistribute OSPF routes into RIP)

When routes are redistributed, you must define a metric that the receiving protocol
understands; a RIP metric is a hop count from 1 to 15, not an OSPF cost. If you want to change
the metric of the redistributed route, enter the new metric under
/cfg/net/route/rip/redist/ospf/metric.

9. Apply the configuration changes.

>> RIP OSPF Route Redistribution# apply

Verify if Router 2 is able to see all the routes from the OSPF domain.

CHAPTER 5
Open Shortest Path First
The Alteon Switched Firewall 4.0.2 supports the Open Shortest Path First (OSPF) routing
protocol. This implementation conforms to the OSPF version 2 specifications detailed in
Internet RFC 1583. The following sections discuss current OSPF support:

„ “OSPF Overview” on page 68. This section provides information on OSPF concepts:
Types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database,
authentication, and internal versus external routing.
„ “Alteon Switched Firewall OSPF Implementation” on page 73. This section gives you
information specific to the Alteon Switched Firewall implementation of OSPF:
Configuration parameters, electing the designated router, summarizing routes and so forth.
„ “GRE Tunnel Support” on page 79. This section describes how ASF 4.0.2 supports
Generic Routing Encapsulation (GRE) on the Firewall Directors.
„ “OSPF Configuration Examples” on page 83. This section provides step-by-step
instructions on configuring four different configuration examples:
† Creating a simple OSPF domain
† Creating virtual links
† Summarizing routes
† Redistributing routes


OSPF Overview
OSPF is designed for routing traffic within a single IP domain called an Autonomous System
(AS). The AS can be divided into smaller logical units known as areas.

All routing devices maintain link information in their own Link State Database (LSDB). The
LSDB of every routing device within an area is identical, but it is not exchanged between
different areas. Only summarized routing information is exchanged between areas, thereby
significantly reducing the overhead of maintaining routing information on a large, dynamic
network.

The following sections describe key OSPF concepts.

Types of OSPF Areas


An AS can be broken into logical units known as areas. In any AS with multiple areas, one
area must be designated as area 0, known as the backbone. The backbone acts as the central
OSPF area. All other areas in the AS must be connected to the backbone. Areas inject
summary routing information into the backbone, which then distributes it to other areas as
needed.

As shown in Figure 5-1, OSPF defines the following types of areas:

„ Stub Area—an area into which external (AS-external) route information is not distributed;
routing devices in a stub area reach external destinations through a default route injected by
the area border router. A stub area is typically connected only to the backbone.
„ Not-So-Stubby-Area (NSSA)—similar to a stub area with additional capabilities. External
routes originating from an ASBR inside the NSSA can be propagated through the area border
router into the backbone and other transit areas. External routes from ASBRs elsewhere in the
AS are not flooded into the NSSA.


„ Transit Area—an area that allows area summary information to be exchanged between
routing devices. The backbone (area 0), any area that contains a virtual link to connect two
areas, and any area that is not a stub area or an NSSA are considered transit areas.

Figure 5-1 OSPF Area Types (figure not reproduced in this text). It shows the backbone, Area 0,
which is also a transit area, connected through ABRs to a stub area (carrying internal LSA
routes and receiving no external routes from the backbone), to a transit area, and to an NSSA
that contains an ASBR connecting to a non-OSPF RIP/BGP AS and injecting external LSA
routes; a further stub area, NSSA, or transit area is connected to the backbone through the
transit area by a virtual link. Legend: ABR = Area Border Router; ASBR = Autonomous System
Boundary Router.

Types of OSPF Routing Devices


As shown in Figure 5-2, OSPF uses the following types of routing devices:

„ Internal Router (IR)—a router that has all of its interfaces within the same area. IRs
maintain LSDBs identical to those of other routing devices within the local area.
„ Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain
one LSDB for each connected area and disseminate routing information between areas.


„ Autonomous System Boundary Router (ASBR)—a router that acts as a gateway between
the OSPF domain and non-OSPF domains, such as RIP, BGP, and static routes.

Figure 5-2 OSPF Domain and an Autonomous System (figure not reproduced in this text). It
shows an OSPF Autonomous System containing Backbone Area 0 and Areas 1, 2 and 3; ABRs
connect the areas to the backbone and exchange inter-area (summary) routes; an internal
router sits inside one area; and ASBRs bring external routes from BGP and RIP into the OSPF
domain.

Neighbors and Adjacencies


In areas with two or more routing devices, neighbors and adjacencies are formed.

Neighbors are routing devices that maintain information about each other’s health. To establish
neighbor relationships, routing devices periodically send hello packets on each of their
interfaces. All routing devices that share a common network segment, appear in the same area,
and have the same health parameters (hello and dead intervals) and authentication parameters
respond to each other’s hello packets and become neighbors. Neighbors continue to send
periodic hello packets to advertise their health. In turn, they listen to hello packets to
determine the health of their neighbors and to establish contact with new neighbors.

Adjacencies are neighbors that exchange OSPF database information. In order to limit the
number of database exchanges, not all neighbors on a multi-access network segment (IP
network) become adjacent to each other. Instead, the hello process is used to elect one of the
neighbors on each such segment as its Designated Router (DR) and one as its Backup
Designated Router (BDR). The DR and BDR are elected per network segment, not per area;
on a point-to-point link there is no election and the two neighbors become adjacent directly.

The DR is adjacent to all other neighbors and acts as the central contact for database
exchanges. Each neighbor sends its database information to the DR, which relays the
information to the other neighbors.


Because of the overhead required for establishing a new DR in case of failure, the hello
process also elects a Backup Designated Router (BDR). The BDR is adjacent to all other
neighbors (including the DR). Each neighbor sends its database information to the BDR just as
with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the
BDR will take over the task of distributing database information to the other neighbors.

The Link-State Database


OSPF is a link-state routing protocol. A link represents an interface (or routable path) from the
routing device. By establishing an adjacency with the DR, each routing device in an OSPF area
maintains an identical Link-State Database (LSDB) describing the network topology for its area.

Each routing device transmits a Link-State Advertisement (LSA) on each of its interfaces.
LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute
LSAs between routing devices.

When LSAs result in changes to the routing device’s LSDB, the routing device forwards the
changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors.

OSPF routing updates occur only when changes occur, instead of periodically; the only
periodic traffic is the hello packets and the refresh of each LSA every 30 minutes (the OSPF
LSRefreshTime). For each new route, if an adjacency is interested in that route (for example, if
configured to receive static routes and the new route is indeed static), an update message
containing the new route is sent to the adjacency. For each route removed from the route table,
if the route has already been sent to an adjacency, an update message withdrawing the route is
sent.

The Shortest Path First Tree


The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest
path to all known destinations, based on the cumulative cost required to reach the destination.

The cost of an individual interface in OSPF is an indication of the overhead required to send
packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower
cost indicates a higher bandwidth.


Authentication
OSPF allows its protocol packets to be authenticated so that only trusted routing devices can
form neighbor relationships (see “Authentication” on page 78). Separately, OSPF sends and
receives its packets using IP multicast (224.0.0.5 for all OSPF routers and 224.0.0.6 for the
DR and BDR), which reduces processing on devices that are not listening for OSPF packets.

Internal Versus External Routing


To ensure effective processing of network traffic, every routing device on your network needs
to know how to send a packet (directly or indirectly) to any other location/destination in your
network. This is referred to as internal routing and can be done with static routes or using
active internal routing protocols, such as OSPF, RIP, or RIPv2.

It is also useful to tell routers outside your network (upstream providers or peers) about the
routes you have access to in your network. Sharing of routing information between
autonomous systems is known as external routing.

Typically, an AS will have one or more border routers (peer routers that exchange routes with
other OSPF networks) as well as an internal routing system enabling every router in that AS to
reach every other router and destination within that AS.

When a routing device advertises routes to boundary routers on other autonomous systems, it
is effectively committing to carry data to the IP space represented in the route being advertised.
For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another
router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to
its destination.


Alteon Switched Firewall OSPF Implementation
The following sections describe issues specific to the OSPF implementation in the ASF 4.0.2
software:

„ “Configurable Parameters” on page 73
„ “Defining Areas” on page 74
„ “Interface Cost” on page 76
„ “Electing the Designated Router and Backup” on page 76
„ “Summarizing Routes” on page 76
„ “Virtual Links” on page 77
„ “Router ID” on page 77
„ “Authentication” on page 78
„ “OSPF Features Not Supported in This Release” on page 79

Configurable Parameters
In the Alteon Switched Firewall 4.0.2, OSPF parameters can be configured through the
Command Line Interface (CLI) or Browser-Based Interface (BBI).

The CLI supports the following parameters: interface output cost, interface priority, dead and
hello intervals, retransmission interval, and interface transmit delay.

In addition, you can specify the following:

„ Shortest Path First (SPF) interval—Time interval between successive calculations of the
shortest path tree using Dijkstra’s algorithm.
„ Stub area metric—A stub area can be configured to send a numeric metric value such that
all routes received via that stub area carry the configured metric to potentially influence
routing decisions.


Defining Areas
If you are configuring multiple areas in your OSPF domain, one of the areas must be
designated as area 0, known as the backbone. The backbone is the central OSPF area and is
usually physically connected to all other areas. The areas inject routing information into the
backbone which, in turn, disseminates the information into other areas.

Since the backbone connects the areas in your network, it must be a contiguous area. If the
backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the
AS will be unreachable, and you will need to configure virtual links to reconnect the
partitioned areas (see “Virtual Links” on page 77).

Up to 16 OSPF areas can be connected to an Alteon Switched Firewall cluster. To configure an
area, the OSPF area ID must be defined and then attached to a network interface on the Alteon
Switched Firewall. The full process is explained in the following sections.

An OSPF area is defined by assigning two pieces of information—an area index and an area
ID. The command to define an OSPF area is as follows:

>> # /cfg/net/route/ospf/aindex <area index>/id <area ID number>

NOTE – The aindex option above is an arbitrary index used only on the Alteon Switched
Firewall and does not represent the actual OSPF area number. The actual OSPF area number is
defined in the id portion of the command as will be explained below.

Assigning the Area Index


The aindex <area index> option is actually just an arbitrary index (1-16) used only by the
Alteon Switched Firewall. This index does not necessarily represent the OSPF area number.

For example, the following commands define OSPF area 1 because that information is held in
the area ID portion of the command, even though the arbitrary area indexes do not agree with
the area IDs:

>> # /cfg/net/route/ospf/aindex 2/id 0.0.0.1 (Use index 2 to set area 1)

NOTE – The backbone area 0 is automatically configured as a transit area with id 0.0.0.0.


Using the Area ID to Assign the OSPF Area Number


The OSPF area number is defined in the id <IP address> option. The octet format is used in
order to be compatible with two different systems of notation used by other OSPF network
vendors. There are two valid ways to designate an area ID:

„ Placing the area number in the last octet (0.0.0.n)
Most OSPF vendors express the area ID as a single number. For example, the Cisco
IOS-based router command “network 1.1.1.0 0.0.0.255 area 1” defines the area
number simply as “area 1.” On an Alteon Switched Firewall, using the last octet in the area
ID, “area 1” is equivalent to “id 0.0.0.1”.
„ Multi-octet (IP address)
Some OSPF vendors express the area ID number in multi-octet format. For example,
“area 2.2.2.2” can be specified directly on an Alteon Switched Firewall as
“id 2.2.2.2”. Note that this is the dotted form of the 32-bit area ID 33686018, not area 2;
area 2 in single-number form is “id 0.0.0.2”.

NOTE – Although both types of area ID formats are supported, be sure that the area IDs are in
the same format throughout an area.

Attaching an Area to a Network


Once an OSPF area has been defined, it must be associated with a network. To attach the area
to a network, you must assign the OSPF area index to an IP interface that participates in the
area. The format for the command is as follows:

>> # /cfg/net/route/ospf/if <interface number>/aindex <area index>

For example, the following commands could be used to configure IP interface 14 for a
presence on the 10.10.10.1/24 network, to define OSPF area 1 using index 2 on the Alteon
Switched Firewall, and to attach the area to the network:

>> # /cfg/net/if 14 (Select menu for IP interface 14)
>> Interface 14# addr 10.10.10.1 (Define IP address of the interface)
>> Interface 14# ena (Enable IP interface 14)
>> Interface 14# ../route/ospf/aindex 2 (Select menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.1 (Define area ID as OSPF area 1)
>> OSPF Area Index 2 # ena (Enable area index 2)
>> OSPF Area Index 2 # ../if 14 (Select OSPF menu for interface 14)
>> OSPF Interface 14# aindex 2 (Attach area to network interface 14)
>> OSPF Interface 14# ena (Enable interface 14 for area index 2)


Interface Cost
The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a
tree and determines the cumulative cost required to reach each destination. Usually, the cost is
inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.
You can manually enter the cost for the output route with the following commands:

>> # /cfg/net/route/ospf/if <interface number>
>> # cost <cost value (1-65535)>

Electing the Designated Router and Backup


On any broadcast or multi-access network segment with two or more routing devices, a
Designated Router (DR) is elected as the central contact for database exchanges among the
neighbors on that segment, and a Backup Designated Router (BDR) is elected in case the DR
fails.

DR and BDR elections are made through the hello process. The election can be influenced by
assigning a priority value to the OSPF interfaces. The commands are as follows:

>> # /cfg/net/route/ospf/if <interface number>
>> # prio <priority value (0-255)>

A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 specifies that
the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the
higher router ID wins. Once a DR and BDR have been elected they keep their roles until they
fail, even if a router with a higher priority later joins the segment, so a priority change takes
effect only at the next election.
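The election rule above, as an added Python example. This is not Nortel code; the router IDs, priorities and the DR/BDR claims carried in each Hello are constructed for illustration. It implements the DR/BDR calculation of RFC 2328 section 9.4 for one network segment, including the behavior the text relies on: a router that already claims the DR or BDR role in its Hello packets keeps it, so a newcomer with a higher priority does not preempt, the BDR is promoted when the DR disappears, and router IDs are compared as 32-bit numbers rather than as strings:

```python
"""DR/BDR election on one OSPF network segment (RFC 2328 section 9.4).

Added example, not Nortel code. Router IDs, priorities and the DR/BDR fields
each router claims in its Hello packet are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

NO_ROUTER = "0.0.0.0"


@dataclass(frozen=True)
class Hello:
    router_id: str
    priority: int            # 0 means never eligible for DR or BDR
    dr: str = NO_ROUTER      # DR this router currently claims in its Hello
    bdr: str = NO_ROUTER     # BDR this router currently claims in its Hello


def _rank(h: Hello) -> Tuple[int, int]:
    # Higher priority wins; ties go to the higher router ID, compared as a 32-bit number
    # (string comparison would wrongly rank "9.0.0.1" above "10.0.0.9").
    return (h.priority, int(ipaddress.IPv4Address(h.router_id)))


def _pick_bdr(candidates: List[Hello]) -> Optional[Hello]:
    # Routers that declare themselves BDR are preferred; otherwise the best of the rest.
    declaring = [h for h in candidates if h.bdr == h.router_id]
    return max(declaring or candidates, key=_rank, default=None)


def elect(hellos: Iterable[Hello]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR router ID, BDR router ID) for the segment; None where no router qualifies."""
    eligible = [h for h in hellos if h.priority > 0]
    # Step 2: the BDR is chosen among routers that do NOT claim to be DR.
    not_dr = [h for h in eligible if h.dr != h.router_id]
    bdr = _pick_bdr(not_dr)
    # Step 3: the DR is the best router claiming DR; if nobody does, the new BDR is promoted
    claiming_dr = [h for h in eligible if h.dr == h.router_id]
    dr = max(claiming_dr, key=_rank, default=None)
    if dr is None and bdr is not None:
        dr = bdr
        # and step 4 repeats the BDR choice without the freshly promoted DR.
        bdr = _pick_bdr([h for h in not_dr if h is not dr])
    return (dr.router_id if dr else None, bdr.router_id if bdr else None)


if __name__ == "__main__":
    # A fresh segment: nobody claims anything yet; priority 0 keeps 3.3.3.3 out of the election.
    fresh = [Hello("1.1.1.1", 1), Hello("2.2.2.2", 1), Hello("3.3.3.3", 0)]
    print("fresh segment:", elect(fresh))
    # A stable segment where 2.2.2.2 is DR and 1.1.1.1 is BDR; 10.0.0.9 joins with
    # priority 200 but does not preempt the incumbents.
    stable = [Hello("1.1.1.1", 1, dr="2.2.2.2", bdr="1.1.1.1"),
              Hello("2.2.2.2", 1, dr="2.2.2.2", bdr="1.1.1.1"),
              Hello("10.0.0.9", 200)]
    print("newcomer does not preempt:", elect(stable))
```

Each router runs this calculation itself from the Hellos it hears; the function here takes the whole segment’s view at once, which is what the result converges to.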

Summarizing Routes
Route summarization condenses routing information. Without summarization, each routing
device in an OSPF network would retain a route to every subnet in the network. With
summarization, routing devices can reduce some sets of routes to a single advertisement,
reducing both the load on the routing device and the perceived complexity of the network. The
importance of route summarization increases with network size. Because a summary is an
undertaking to carry traffic for the whole range, choose ranges that do not cover address space
you do not actually route; traffic for the unused part of a range is attracted by the summary and
then dropped at the summarizing router.

Summary routes can be defined for up to 256 IP address ranges using the following command:

>> # /cfg/net/route/ospf/range <range number>
>> # addr <IP address>/mask <subnet mask>

where range number is a number from 1 to 256, IP address is the base IP address for the range,
and subnet mask is the IP address mask for the range. For a detailed configuration example, see
“Example 3: Summarizing Routes” on page 89.
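What a summary range advertises, and the caveat that goes with it, as an added Python example. This is not Nortel code; the subnets are constructed for illustration. It computes the smallest single prefix covering a set of subnets (the addr/mask you would configure on the range) and then lists the parts of that prefix that no configured subnet actually owns, so that each such gap can be covered by a discard route or avoided by configuring tighter ranges:

```python
"""Route summarization helper (added example, not Nortel code; subnets are constructed).

summarize() finds the single prefix an OSPF range would advertise for a set of
subnets; uncovered_space() lists the holes in that prefix that no subnet owns.
"""
import ipaddress
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network


def summarize(prefixes: Iterable[str]) -> Net:
    """Smallest single prefix that contains every given subnet."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()          # widen by one bit until everything fits
    return summary


def uncovered_space(prefixes: Iterable[str], summary: Optional[Net] = None) -> List[Net]:
    """Blocks inside the summary that none of the subnets covers (the over-summarized space)."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    summary = summary or summarize(prefixes)
    remaining = [summary]
    for n in nets:
        if not n.subnet_of(summary):
            raise ValueError(f"{n} is outside {summary}")
        pieces = []
        for block in remaining:               # carve n out of whichever block contains it
            pieces.extend(block.address_exclude(n) if n.subnet_of(block) else [block])
        remaining = pieces
    return sorted(remaining)


def check_range(prefixes: Iterable[str]) -> dict:
    """Report for an OSPF range: the prefix to configure and the holes it would attract."""
    summary = summarize(prefixes)
    holes = uncovered_space(prefixes, summary)
    return {"range": str(summary), "exact": not holes, "holes": [str(h) for h in holes]}


if __name__ == "__main__":
    print(check_range(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]))   # one /24 hole
    print(check_range(["10.1.0.0/24", "10.1.1.0/24"]))                  # exact /23
```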


Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases
where this is not possible, you can use a virtual link. Virtual links are created to connect one
area to the backbone through another non-backbone area (see Figure 5-1 on page 69).

The area which contains a virtual link must be a transit area and have full routing information.
Virtual links cannot be configured inside a stub area or NSSA. The area type must be defined
as transit using the following command:

>> # /cfg/net/route/ospf/aindex <area index>
>> # type transit

The virtual link must be configured on the routing devices at each endpoint of the virtual link,
though they may traverse multiple routing devices. To configure an Alteon Switched Firewall as
one endpoint of a virtual link, use the following commands:

>> # /cfg/net/route/ospf/virt <link number>
>> # aindex <area index>
>> # nbr <router ID>

where link number is a value between 1 and 64, area index is the OSPF area index of the transit
area, and router ID is the router ID of the virtual neighbor (nbr), the routing device at the target
endpoint. Another router ID is needed when configuring a virtual link in the other direction. To
provide the Alteon Switched Firewall with a router ID, see the following section Router ID
configuration example.

For a detailed configuration example, see “Example 2: Virtual Links” on page 85.

Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP
address format. The IP address of the router ID is not required to be included in any IP inter-
face range or in any OSPF area.

The router ID can be configured in one of the following two ways:

„ Statically—Use the following command to manually configure the router ID:

>> # /cfg/net/route/ospf/rtrid <IP address>

„ Dynamically—OSPF configures the lowest IP interface address as the router ID. This is
the default. To use a dynamic router ID after having set it statically, set the router ID to
0.0.0.0. Then disable OSPF and enable OSPF again.


Authentication
OSPF protocol exchanges are authenticated so that only trusted devices can participate. Alteon
Switched Firewall 4.0.2 supports simple authentication (plain text passwords) and MD5 authen-
tication (encrypted data and passwords) among neighboring routing devices in an area.

Simple Authentication
OSPF simple passwords are configured and enabled individually for each defined interface and
virtual link. Plain text passwords are up to eight characters long.

For interfaces, the following CLI commands can be used:

>> # /cfg/net/route/ospf/if <interface number> (Select OSPF interface)


>> OSPF Interface# auth password|none (Set simple authentication on/off)
>> OSPF Interface# key <password> (Set plain text password)

For virtual links, the following CLI commands can be used:

>> # /cfg/net/route/ospf/virt <link number> (Select OSPF virtual link)


>> OSPF Virtual Link# auth password|none (Set simple authentication on/off)
>> OSPF Virtual Link# key <password> (Set plain text password)

MD5 Authentication
OSPF MD5 passwords use strong cryptography to protect data and passwords. To preserve
security, MD5 passwords should be changed frequently.

MD5 passwords are configured and enabled individually for each defined interface and virtual
link. MD5 passwords are defined with a key ID (1-255) and a password of up to 16 characters.

For interfaces, the following CLI commands can be used:

>> # /cfg/net/route/ospf/if <interface number> (Select OSPF interface)


>> OSPF Interface# auth md5|none (Set MD5 on/off)
>> OSPF Interface# md5key <password> (Set MD5 ID & password)

Similarly, for virtual links the following CLI commands can be used:

>> # /cfg/net/route/ospf/virt <link number> (Select virtual link)


>> OSPF Virtual Link# auth md5|none (Set MD5 on/off)
>> OSPF Virtual Link# md5key <password> (Set MD5 password)
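As an added illustration (not code from this guide or from the ASF itself), the following Python builds the two authentication forms described above for a constructed OSPF Hello packet and verifies the MD5 form on the receiving side, following RFC 2328 Appendix D: the key ID selects the key, the digest is MD5 over the packet followed by the zero-padded key, and the sequence number is checked against the last one accepted from that neighbor. Function names are the example's own, and the OSPF checksum is left at zero for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 common header (RFC 2328 A.3.1): the 16 bytes before the 8-byte authentication
# field are version, type, packet length, router ID, area ID, checksum, AuType.
OSPF_HDR = struct.Struct("!BBHIIHH")
AU_SIMPLE, AU_CRYPTO = 1, 2        # "auth password" and "auth md5" on the ASF CLI
HELLO = 1


def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def build_simple_auth(router_id, area_id, body, password):
    """Simple authentication: the password (max 8 chars) travels in clear text in the
    authentication field, so anyone who can capture the segment learns it."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("simple password is at most 8 characters")
    # Checksum left at 0 here (simplification); real senders fill in the RFC 1071 checksum.
    hdr = OSPF_HDR.pack(2, HELLO, 24 + len(body), ip2int(router_id), ip2int(area_id), 0, AU_SIMPLE)
    return hdr + pw.ljust(8, b"\0") + body


def build_md5_auth(router_id, area_id, body, key_id, key, seq):
    """Cryptographic authentication (RFC 2328 Appendix D): the authentication field carries
    key ID, digest length and a sequence number; the 16-byte MD5 digest of the packet
    followed by the zero-padded key is appended after the packet (not counted in length)."""
    kb = key.encode()
    if not 1 <= key_id <= 255:
        raise ValueError("key ID must be 1-255")
    if len(kb) > 16:
        raise ValueError("MD5 key is at most 16 characters")
    hdr = OSPF_HDR.pack(2, HELLO, 24 + len(body), ip2int(router_id), ip2int(area_id), 0, AU_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # reserved, key ID, auth data len, seq
    packet = hdr + auth + body
    digest = hashlib.md5(packet + kb.ljust(16, b"\0")).digest()
    return packet + digest


def exposed_simple_password(wire):
    """What a passive observer reads from the auth field of a simple-auth packet."""
    return wire[16:24].rstrip(b"\0").decode()


def verify_md5_auth(wire, keys, last_seq):
    """Receiver-side check. keys maps key ID -> key string; last_seq maps router ID ->
    last accepted sequence number and is updated on success. Returns (ok, reason)."""
    if len(wire) < 24 + 16:
        return False, "truncated"
    version, ptype, length, router_id, area_id, checksum, autype = OSPF_HDR.unpack_from(wire)
    if autype != AU_CRYPTO or checksum != 0:
        return False, "not cryptographic authentication"
    if len(wire) != length + 16:
        return False, "length does not leave room for a 16-byte digest"
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", wire, 16)
    if auth_len != 16 or key_id not in keys:
        return False, f"unknown key ID {key_id} or bad digest length"
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + keys[key_id].encode().ljust(16, b"\0")).digest()
    if not hmac.compare_digest(expected, digest):          # constant-time compare
        return False, "digest mismatch (wrong key or modified packet)"
    # RFC 2328 D.4.3: the sequence number must not go backwards for a neighbor, which
    # rejects replayed older packets.
    if seq < last_seq.get(router_id, 0):
        return False, "replay: sequence number older than last accepted"
    last_seq[router_id] = seq
    return True, "ok"


# Constructed Hello body (network mask, hello interval, options, priority, dead interval,
# DR, BDR); the values are illustrative only.
SAMPLE_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
```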


OSPF Features Not Supported in This Release

„ Filtering OSPF routes
„ Load balancing equal cost routes
During traffic forwarding, if the first configured equal cost route is deleted, the next in line
is selected.
„ Using OSPF to forward multicast routes

GRE Tunnel Support

ASF 4.0.2 supports Generic Routing Encapsulation (GRE) on all Firewall Directors. GRE is a
point-to-point tunneling protocol that takes packets from one network system and places them
inside frames from another network system in a peer-to-peer configuration. Typically, GRE is
used to transport legacy Layer 3 protocols over an IP backbone. In this release, ASF supports
GRE over OSPF only.

You can configure up to 5 GRE tunnels on an OSPF network. All GRE-OSPF packets are
forwarded to the Management IP address (MIP). If the GRE packets are IPSec encrypted, the
IPSec-GRE-OSPF packets are decrypted by Check Point software and are then forwarded by
GRE to the MIP.

In this release, static GRE routes cannot be propagated in the unicast route table via the
Command Line Interface (CLI). GRE loopback interfaces are also not supported.

Configuring GRE Tunnel

Figure 5-3 shows two Alteon Switched Firewalls, ASF-California and ASF-New York,
configured for GRE tunneling support. The two firewalls are configured to tunnel OSPF packets
in a GRE tunnel, so other routers on the Internet do not need to learn about OSPF.

In Figure 5-3 the OSPF network is on the GRE interface 50.1.1.0/24; the GRE tunnel end
points are on physical interface 3.


[Figure 5-3: ASF-California (Firewall Accelerator 6600, Firewall Director 5014; If 3: 30.1.1.1/8,
next hop 30.1.1.2/8) and ASF-New York (Firewall Accelerator 6400, Firewall Director 5014;
If 3: 20.1.1.1/8, next hop 20.1.1.2/8) are connected across the Internet. GRE 1 carries the OSPF
network through the GRE tunnel. ASF-California: SIP 50.1.1.1, DIP 50.1.1.2, remote address
20.1.1.1. ASF-New York: SIP 50.1.1.2, DIP 50.1.1.1, remote address 30.1.1.1.]

Figure 5-3 Configuring for GRE Tunnel Support

To configure for GRE tunneling support, do the following on ASF-California and ASF-New
York firewalls:

1. Configure the two firewalls ASF-California and ASF-New York for basic operation.
„ Configure IP interfaces
„ Define the OSPF areas
„ Configure OSPF interface parameters
„ Enable OSPF on the GRE interface (do not enable OSPF on physical interface 3)

2. Configure GRE tunnel 1 on ASF-California.

>> # /cfg/net/gre 1 (Select GRE tunnel 1 )


>> GRE 1# name tunnel_one (Assign a name for GRE 1)
>> GRE 1# phyif 3 (Assign Physical Interface for GRE 1)
>> GRE 1# remoteaddr 20.1.1.1 (Assign GRE tunnel end point of ASF-New York)
>> GRE 1# sip 50.1.1.1 (Assign source IP address)
>> GRE 1# dip 50.1.1.2 (Assign destination IP address)
>> GRE 1# mask 255.255.255.255 (Assign the mask)
>> GRE 1# ena y (Enable GRE 1)


NOTE – A physical interface must be configured for the GRE tunnel end points. In Figure 5-3,
physical interface 3 is configured for each of the GRE tunnel end points, 20.1.1.1 and 30.1.1.1.

3. Enable OSPF on ASF-California.

>> # /cfg/net/route/ospf (Select OSPF menu )


>> OSPF# ena y (Enable OSPF)

4. Enable GRE 1 for OSPF on ASF-California.

>> # /cfg/net/route/ospf/gre 1 (Select GRE 1 )


>> GRE 1# ena y (Enable GRE for OSPF routes)

5. Configure GRE tunnel 1 support on ASF-New York.

>> # /cfg/net/gre 1 (Select GRE tunnel 1 )


>> GRE 1# name tunnel_one (Assign a name for GRE 1)
>> GRE 1# phyif 3 (Assign Physical Interface for GRE 1)
>> GRE 1# remoteaddr 30.1.1.1 (Assign GRE tunnel end point of ASF-California)
>> GRE 1# sip 50.1.1.2 (Assign source IP address)
>> GRE 1# dip 50.1.1.1 (Assign destination IP address)
>> GRE 1# mask 255.255.255.255 (Assign the mask)
>> GRE 1# ena y (Enable GRE 1)

6. Enable OSPF on ASF-New York.

>> # /cfg/net/route/ospf (Select OSPF menu )


>> OSPF# ena y (Enable OSPF)

NOTE – Make sure OSPF is enabled on the GRE tunnel interface (50.1.1.0) only. To avoid
infinite loops, do not configure OSPF on the 20.1.1.1/8 or 30.1.1.1/8 networks. For more
information, see “Avoiding Loops in the GRE Tunnel” on page 82.

7. Enable GRE 1 for OSPF on ASF-New York.

>> # /cfg/net/route/ospf/gre 1 (Select GRE 1 )


>> GRE 1# ena y (Enable GRE for OSPF routes)


Avoiding Loops in the GRE Tunnel

Design the network carefully to ensure that packets do not get into a loop in the GRE tunnel. In
the previous example shown in Figure 5-3 on page 80, if the user enables OSPF both on the GRE
tunnel end points (interface 3) and on the GRE source-destination addresses on ASF-New York,
the following routes are present on ASF-California:

>> # /i/n/gre
GRE Tunnel Information
Num GRETunnel Phylcl Phyrmte GRElcl GRErmte GREMask
=== ======= ===== ====== ===== ===== ======
1 tunnel_one 30.1.1.1 20.1.1.1 50.1.1.1 50.1.1.2 255.255.255.255
>> # /i/n/r/table
Route Table Information

30 total routes:
Num Destination Gateway Metric Source Vlan Vnic
=== =========== ======= ====== ====== ==== ====
1 default 30.1.1.2 gw 30 v30
2 11.0.0.0/8 50.1.1.2 20 ospf <unreachable?>
3 20.0.0.0/8 50.1.1.2 20 ospf <unreachable?>

The above screen shows that a loop exists: the route to 20.0.0.0/8, the network that contains the
tunnel's physical end point 20.1.1.1, now points through the tunnel's own GRE address 50.1.1.2,
so packets for the GRE tunnel end point and packets for the OSPF subnet have the same
destination and encapsulated packets are sent back into the tunnel.
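The check made by eye on the screens above can be automated. The following Python is an added example, not part of this guide: it parses constructed copies of the /i/n/gre and /i/n/r/table output shown above, resolves each tunnel's physical end point with a longest-prefix lookup, and flags a tunnel whose end point is reached through the tunnel's own GRE remote address. The parsing assumes the column layout shown above.

```python
import ipaddress

# Constructed copies of the /i/n/gre and /i/n/r/table screens from the example above.
GRE_INFO = """\
>> # /i/n/gre
GRE Tunnel Information
Num GRETunnel  Phylcl   Phyrmte  GRElcl   GRErmte  GREMask
=== =========  ======   =======  ======   =======  =======
1   tunnel_one 30.1.1.1 20.1.1.1 50.1.1.1 50.1.1.2 255.255.255.255
"""

ROUTE_TABLE = """\
>> # /i/n/r/table
Route Table Information

30 total routes:
Num Destination Gateway  Metric Source Vlan Vnic
=== =========== =======  ====== ====== ==== ====
1   default     30.1.1.2        gw     30   v30
2   11.0.0.0/8  50.1.1.2 20     ospf   <unreachable?>
3   20.0.0.0/8  50.1.1.2 20     ospf   <unreachable?>
"""


def parse_gre(text):
    """Return one dict per GRE tunnel line (number, name, physical and GRE end points)."""
    tunnels = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].isdigit():
            tunnels.append({"num": int(f[0]), "name": f[1], "phy_local": f[2],
                            "phy_remote": f[3], "gre_local": f[4], "gre_remote": f[5]})
    return tunnels


def parse_routes(text):
    """Return (destination network, gateway) pairs; 'default' becomes 0.0.0.0/0.
    The '30 total routes:' line is skipped because its second field is not a prefix."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0].isdigit() and (f[1] == "default" or "/" in f[1]):
            dest = ipaddress.ip_network("0.0.0.0/0" if f[1] == "default" else f[1], strict=False)
            routes.append((dest, f[2]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, as the forwarding plane would resolve addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dest, gw in routes:
        if ip in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, gw)
    return best


def find_tunnel_loops(tunnels, routes):
    """A tunnel loops when its physical remote end point is itself reached through the
    tunnel, i.e. the best route's gateway is the tunnel's own GRE remote address."""
    findings = []
    for t in tunnels:
        match = lookup(routes, t["phy_remote"])
        if match is None:
            findings.append(f"GRE {t['num']} ({t['name']}): no route to end point {t['phy_remote']}")
            continue
        dest, gw = match
        if gw == t["gre_remote"]:
            findings.append(
                f"GRE {t['num']} ({t['name']}): end point {t['phy_remote']} matches {dest} via "
                f"{gw}, the tunnel's own GRE address; encapsulated packets re-enter the tunnel")
    return findings
```

Removing the OSPF-learned 20.0.0.0/8 route (which is what keeping OSPF off the 20.1.1.1/8 network achieves) makes the end point fall back to the default route via 30.1.1.2 and the finding disappears.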


OSPF Configuration Examples

A summary of the basic steps for configuring OSPF on the Alteon Switched Firewall is listed
here. Detailed instructions for each of the steps are covered in the following sections:

1. Configure IP interfaces.
One IP interface is required for each desired network (range of IP addresses) being assigned to
an OSPF area on the Alteon Switched Firewall.

2. (Optional) Configure the router ID.
The router ID is required only when configuring virtual links.

3. Enable OSPF on the Alteon Switched Firewall.

4. Define the OSPF areas.

5. Configure OSPF interface parameters.
IP interfaces are used for attaching networks to the various areas.

6. (Optional) Configure route summarization between OSPF areas.

7. (Optional) Configure virtual links.

Example 1: Simple OSPF Domain


In this example, two OSPF areas are defined—one area is the backbone and the other is a stub
area. A stub area does not allow advertisements of external routes, thus reducing the size of the
database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into
the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to
the stub area’s IP interface, and then into the backbone.

[Figure 5-4: Backbone Area 0 (0.0.0.0) on IF 1, 10.10.7.1, network 10.10.7.0/24; Stub Area 1
(0.0.0.1) on IF 2, 10.10.12.1, network 10.10.12.0/24.]

Figure 5-4 A Simple OSPF Domain

Follow this procedure to configure OSPF support as shown in Figure 5-4:


1. Configure IP interfaces on each network that will be attached to OSPF areas.
In this example, two IP interfaces are needed: one for the backbone network on 10.10.7.0/24
and one for the stub area network on 10.10.12.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)


>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set IP mask on backbone network)
>> Interface 1 # broad 10.10.7.255 (Set the broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 10.10.12.1 (Set IP address on stub area network)
>> Interface 2 # mask 255.255.255.0 (Set IP mask on stub area network)
>> Interface 2 # broad 10.10.12.255 (Set the broadcast address)
>> Interface 2 # ena (Enable IP interface 2)

2. Enable OSPF.

>> Interface 2 # /cfg/net/route/ospf/ena (Enable OSPF on the ASF)

3. Define the stub area.

>> OSPF # ../aindex 1 (Select menu for area index 1)
>> OSPF Area index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 1 # type stub (Define area as stub type)
>> OSPF Area index 1 # ena (Enable the area)

4. Attach the network interface to the backbone.

>> OSPF Area index 1 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

5. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)


>> OSPF Interface 2 # aindex 1 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)

6. Apply the configuration changes.

>> OSPF Interface 2 # apply


Example 2: Virtual Links


In the example shown in Figure 5-5, area 2 is not physically connected to the backbone as is
usually required. Instead, area 2 will be connected to the backbone via a virtual link through
area 1. The virtual link must be configured at each endpoint.

[Figure 5-5: The Backbone Area 0 (0.0.0.0) network 10.10.7.0/24 attaches to ASF 1 (Router ID
10.10.10.1) on IF 1, 10.10.7.1. ASF 1 IF 2, 10.10.12.1, and ASF 2 IF 1, 10.10.12.2, are on the
Transit Area 1 (0.0.0.1) network 10.10.12.0/24, which carries Virtual Link 1. ASF 2 (Router ID
10.10.14.1) IF 2, 10.10.24.1, attaches the Stub Area 2 (0.0.0.2) network 10.10.24.0/24.]

Figure 5-5 Configuring a Virtual Link


Configuring OSPF for a Virtual Link on ASF 1


1. Configure IP interfaces on each network that will be attached to the Alteon Switched
Firewall.
In this example, two IP interfaces are needed on ASF 1: one for the backbone network on
10.10.7.0/24 and one for the transit area network on 10.10.12.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)


>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 10.10.7.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 10.10.12.1 (Set IP address on transit area)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 10.10.12.255 (Set broadcast address)
>> Interface 2 # ena (Enable interface 2)

2. Configure the router ID.


A router ID is required when configuring virtual links. Later, when configuring the other end
of the virtual link on ASF 2, the router ID specified here will be used as the target virtual
neighbor (nbr) address.

>> Interface 2 # /cfg/net/route/ospf (Select the OSPF menu)


>> OSPF # rtrid 10.10.10.1 (Set static router ID on ASF 1)

3. Enable OSPF.
If OSPF is already enabled, then you must disable and enable OSPF for the router ID to be
active.

>> OSPF # ena (Enable OSPF on ASF 1)

4. Configure the transit area.


Set the area ID for the area that contains the virtual link.

>> OSPF Area index 1 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 1 # ena (Enable the area)


5. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

6. Attach the network interface to the transit area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)


>> OSPF Interface 2 # aindex 1 (Attach network to transit area index)
>> OSPF Interface 2 # ena (Enable the transit area interface)

7. Configure the virtual link.

>> OSPF Interface 2 # ../virt 1 (Specify a virtual link number)


>> OSPF Virtual Link 1 # aindex 1 (Specify transit area for virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.14.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)

The nbr router ID configured in this step must be the same as the router ID that will be
configured for ASF 2 in Step 2 on page 88.

8. Apply the configuration changes.

>> OSPF Virtual Link 1 # apply

Configuring OSPF for a Virtual Link on ASF 2


1. Configure IP interfaces on each network that will be attached to OSPF areas.
Two IP interfaces are needed on ASF 2: one for the transit area network on 10.10.12.0/24 and
one for the stub area network on 10.10.24.0/24.

>> # /cfg/net/if 1 (Select menu for IP interface 1)


>> IP Interface 1 # addr 10.10.12.2 (Set transit area network IP address)
>> IP Interface 1 # mask 255.255.255.0 (Set transit area network mask)
>> IP Interface 1 # broad 10.10.12.255 (Set transit area network broadcast)
>> IP Interface 1 # ena (Enable IP interface 1)
>> IP Interface 1 # ../if 2 (Select menu for IP interface 2)
>> IP Interface 2 # addr 10.10.24.1 (Set IP address on stub area network)
>> IP Interface 2 # mask 255.255.255.0 (Set stub area network mask)
>> IP Interface 2 # broad 10.10.24.255 (Set stub area network broadcast)
>> IP Interface 2 # ena (Enable IP interface 2)


2. Configure the router ID.


A router ID is required when configuring virtual links. This router ID should be the same one
specified as the target virtual neighbor (nbr) on ASF 1 in Step 7 on page 87.

>> IP Interface 2 # /cfg/net/route/ospf (Select the OSPF menu)


>> OSPF # rtrid 10.10.14.1 (Set static router ID on ASF 2)

3. Enable OSPF.
If OSPF is already enabled, then you must disable and enable OSPF for the router ID to be
active.

>> OSPF # ena (Enable OSPF on ASF 2)

4. Configure the transit area.

>> OSPF Area Index 0 # ../aindex 1 (Select menu for area index 1)
>> OSPF Area Index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area Index 1 # ena (Enable the area)

5. Define the stub area.

>> OSPF Area Index 1 # ../aindex 2 (Select the menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.2 (Set the area ID for OSPF area 2)
>> OSPF Area Index 2 # type stub (Define area as stub type)
>> OSPF Area Index 2 # ena (Enable the area)

6. Attach the network interface to the transit area.

>> OSPF Area Index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # aindex 1 (Attach network to transit area index)
>> OSPF Interface 1 # ena (Enable the transit area interface)

7. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)


>> OSPF Interface 2 # aindex 2 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)


8. Configure the virtual link.


The nbr router ID configured in this step must be the same as the router ID that was
configured for ASF 1 in Step 2 on page 86.

>> OSPF Interface 2 # ../virt 1 (Specify a virtual link number)


>> OSPF Virtual Link 1 # aindex 1 (Specify the transit area for the virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.10.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)

9. Apply and save the configuration changes.

>> OSPF Interface 2 # apply

Only the endpoints of the virtual link are configured. The virtual link path may traverse
multiple routers in an area as long as there is a routable path between the endpoints.
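As an added example (not from this guide), the following Python cross-checks the two endpoint configurations from the ASF 1 and ASF 2 procedures above (Step 7 on ASF 1 and Step 8 on ASF 2): it parses constructed transcripts of the OSPF steps and verifies that each nbr equals the other side's static rtrid, that both ends name the same transit area by area ID, that the transit area is not a stub area, and that the link is enabled. The transcript format and menu names follow the commands shown above; the parser and the check are the example's own.

```python
import re

# Constructed transcripts reproducing the OSPF steps of Example 2 for ASF 1 and ASF 2.
ASF1 = """\
>> # /cfg/net/route/ospf (Select the OSPF menu)
>> OSPF # rtrid 10.10.10.1 (Set static router ID on ASF 1)
>> OSPF # ena (Enable OSPF on ASF 1)
>> OSPF # ../aindex 1 (Select menu for area index 1)
>> OSPF Area index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 1 # ena (Enable the area)
>> OSPF Area index 1 # ../virt 1 (Specify a virtual link number)
>> OSPF Virtual Link 1 # aindex 1 (Specify transit area for virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.14.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)
>> OSPF Virtual Link 1 # apply
"""

ASF2 = """\
>> # /cfg/net/route/ospf (Select the OSPF menu)
>> OSPF # rtrid 10.10.14.1 (Set static router ID on ASF 2)
>> OSPF # ena (Enable OSPF on ASF 2)
>> OSPF # ../aindex 1 (Select menu for area index 1)
>> OSPF Area Index 1 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area Index 1 # ena (Enable the area)
>> OSPF Area Index 1 # ../aindex 2 (Select the menu for area index 2)
>> OSPF Area Index 2 # id 0.0.0.2 (Set the area ID for OSPF area 2)
>> OSPF Area Index 2 # type stub (Define area as stub type)
>> OSPF Area Index 2 # ena (Enable the area)
>> OSPF Area Index 2 # ../virt 1 (Specify a virtual link number)
>> OSPF Virtual Link 1 # aindex 1 (Specify the transit area for the virtual link)
>> OSPF Virtual Link 1 # nbr 10.10.10.1 (Specify the router ID of the recipient)
>> OSPF Virtual Link 1 # ena (Enable the virtual link)
>> OSPF Virtual Link 1 # apply
"""

# ">> <prompt># <command> (<comment>)"; the parenthesised comment is optional.
CMD_RE = re.compile(r"^>>\s*[^#]*#\s*(?P<cmd>[^(]+?)\s*(?:\(.*\))?\s*$")
MENUS = {"ospf", "aindex", "virt", "if", "range"}


def parse_transcript(text):
    """Reduce a CLI transcript to the OSPF settings a virtual link depends on."""
    cfg = {"rtrid": None, "areas": {}, "virt": {}}
    menu, index = None, None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        words = m.group("cmd").split()
        path = [p for p in words[0].split("/") if p and p != ".."]
        cmd = path[-1]
        if "/" in words[0]:
            # Menu navigation: the last submenu named in the path becomes the context,
            # and a submenu that takes an index consumes the first argument.
            for p in path:
                if p in MENUS:
                    menu, index = p, None
            if cmd in MENUS:
                index = words[1] if len(words) > 1 else None
                continue
        value = words[1] if len(words) > 1 else "y"    # a bare "ena" means enabled
        if menu == "ospf" and cmd == "rtrid":
            cfg["rtrid"] = value
        elif menu == "aindex":
            cfg["areas"].setdefault(index, {})[cmd] = value
        elif menu == "virt":
            cfg["virt"].setdefault(index, {})[cmd] = value
    return cfg


def check_virtual_link(a, b, link="1"):
    """Cross-check virtual link <link> between the two endpoint configs; return findings."""
    findings = []
    for name, cfg in (("ASF 1", a), ("ASF 2", b)):
        if cfg["rtrid"] in (None, "0.0.0.0"):
            findings.append(f"{name}: static router ID (rtrid) required; 0.0.0.0 selects a dynamic ID")
    va, vb = a["virt"].get(link, {}), b["virt"].get(link, {})
    if va.get("nbr") != b["rtrid"]:
        findings.append(f"ASF 1: virt {link} nbr {va.get('nbr')} is not ASF 2's router ID {b['rtrid']}")
    if vb.get("nbr") != a["rtrid"]:
        findings.append(f"ASF 2: virt {link} nbr {vb.get('nbr')} is not ASF 1's router ID {a['rtrid']}")
    # Area indexes are local to each box, so compare the transit areas by area ID.
    area_a = a["areas"].get(va.get("aindex"), {})
    area_b = b["areas"].get(vb.get("aindex"), {})
    if area_a.get("id") is None or area_a.get("id") != area_b.get("id"):
        findings.append(f"transit area ID differs: {area_a.get('id')} vs {area_b.get('id')}")
    for name, area in (("ASF 1", area_a), ("ASF 2", area_b)):
        if area.get("type") == "stub":
            findings.append(f"{name}: transit area is a stub area; a virtual link cannot cross a stub area")
    for name, v in (("ASF 1", va), ("ASF 2", vb)):
        if v.get("ena") != "y":
            findings.append(f"{name}: virt {link} is not enabled")
    return findings
```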

Example 3: Summarizing Routes

By default, ABRs advertise all the OSPF routes from one area into another area. Route
summarization can be used for consolidating advertised addresses and reducing the perceived
complexity of the network.

If the network IP addresses in an area are assigned to a contiguous subnet range, you can
configure the ABR to advertise a single summary route that includes all the individual IP
addresses within the area.

The following example shows one summary route from area 1 (stub area) injected into area 0
(the backbone). The summary route consists of all IP addresses from 36.128.192.0 through
36.128.254.255.

[Figure 5-6: Backbone Area 0 (0.0.0.0) on IF 1, 10.10.7.1, network 10.10.7.0/24; Stub Area 1
(0.0.0.1) on IF 2, 36.128.192.1, network 36.128.192.0/18. The ABR advertises one summary
route for the stub area network into the backbone.]

Figure 5-6 Summarizing Routes


NOTE – You can also specify an address range to prevent advertising by using the hide option
on the OSPF Summary Range Menu.

Follow this procedure to configure OSPF support as shown in Figure 5-6:

1. Configure IP interfaces for each network which will be attached to OSPF areas.

>> # /cfg/net/if 1 (Select menu for IP interface 1)


>> Interface 1 # addr 10.10.7.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 10.10.7.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # ../if 2 (Select menu for IP interface 2)
>> Interface 2 # addr 36.128.192.1 (Set IP address on stub area network)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 36.128.192.255 (Set broadcast address)
>> Interface 2 # ena (Enable IP interface 2)

2. Enable OSPF.

>> IP Interface 2 # /cfg/net/route/ospf/ena (Enable OSPF on the ASF)

3. Define Area 1 (stub area).

>> OSPF Area index 1 # ../aindex 2 (Select menu for area index 2)
>> OSPF Area index 2 # id 0.0.0.1 (Set the area ID for OSPF area 1)
>> OSPF Area index 2 # type stub (Define area as stub type)
>> OSPF Area index 2 # ena (Enable the area)

4. Attach the network interface to the backbone.

>> OSPF Area index 2 # ../if 1 (Select OSPF menu for IP interface 1)
>> OSPF Interface 1 # ena (Enable the backbone interface)

5. Attach the network interface to the stub area.

>> OSPF Interface 1 # ../if 2 (Select OSPF menu for IP interface 2)


>> OSPF Interface 2 # aindex 2 (Attach network to stub area index)
>> OSPF Interface 2 # ena (Enable the stub area interface)


6. Configure route summarization by specifying the starting address and mask of the range
of addresses to be summarized.

>> OSPF Interface 2 # ../range 1 (Select menu for summary range)


>> OSPF Range 1 # addr 36.128.192.0 (Set base IP address of range)
>> OSPF Range 1 # mask 255.255.192.0 (Set mask address for summary range)
>> OSPF Range 1 # aindex 1 (Inject summary route into backbone)
>> OSPF Range 1 # ena (Enable summary range)

7. Apply the configuration changes.

>> OSPF Summary Range 1 # apply

Example 4: Redistributing Routes

Alteon Switched Firewall can redistribute routes from other protocols into RIP or OSPF
domains. ASF can redistribute connected, OSPF, static, default gateway, and fictitious routes
into RIP routes. ASF can also redistribute connected, static, RIP, and default gateway routes
into OSPF routes. In this example, ASF is redistributing RIP routes into an OSPF domain.

[Figure 5-7: OSPF domain (Area 0.0.0.0) with Router 1, 100.100.2.80, connected to the Alteon
Switched Firewall interface 100.100.2.1; RIP domain with Router 2, 100.100.3.150, connected to
the Alteon Switched Firewall interface 100.100.3.1. The Alteon Switched Firewall is the ASBR,
exchanging OSPF routes with Router 1 and RIP routes with Router 2.]

Figure 5-7 Redistributing RIP Routes into OSPF

In Figure 5-7 the Alteon Switched Firewall is configured as an ASBR between two domains,
RIP and OSPF. The ASF is connected to two routers, Router 1 in the OSPF domain and Router
2 in the RIP domain. ASF is required to advertise the RIP routes from the RIP domain into
OSPF. In this example, two IP interfaces are needed on the ASF: one for the OSPF domain on
100.100.2.0/24 and one for the RIP domain on 100.100.3.0/24.


1. Configure the IP interface to the backbone router for the OSPF domain that is connected
to port 1 of the Alteon Switched Firewall.

>> # /cfg/net/if 1 (Select menu for IP interface 1)


>> Interface 1 # addr 100.100.2.1 (Set IP address on backbone network)
>> Interface 1 # mask 255.255.255.0 (Set subnet mask)
>> Interface 1 # broad 100.100.2.255 (Set broadcast address)
>> Interface 1 # ena (Enable IP interface 1)
>> Interface 1 # port/add 1 (Add port 1 to interface 1)

2. Configure the IP interface for the RIP domain that is connected to port 2 of the Alteon
Switched Firewall.

>> # /cfg/net/if 2 (Select menu for IP interface 2)


>> Interface 2 # addr 100.100.3.1 (Specify IP address for RIP domain)
>> Interface 2 # mask 255.255.255.0 (Set subnet mask)
>> Interface 2 # broad 100.100.3.255 (Set broadcast address)
>> Interface 2 # ena (Enable IP interface 2)
>> Interface 2 # port/add 2 (Add port 2 to interface 2)

3. Configure the IP address for the Accelerator.

>> # /cfg/acc/ac1/addr 10.10.1.45 (Specify IP address for accelerator)

4. Enable OSPF for interface 1.

>> # /cfg/net/route/ospf/if 1/ena (Enable OSPF for interface 1)

5. Enable OSPF globally.

>> # /cfg/net/route/ospf/ena (Enable OSPF globally)

6. Enable RIP for VLAN 2 and specify the RIP version if required.

>> # /cfg/net/route/rip/vlan 2/ena (Enable RIP for vlan 2)

7. Enable RIP globally.

>> # /cfg/net/route/rip/ena (Enable RIP globally)


Configure RIP in Router 2 and verify if the Alteon Switched Firewall and Router 2 are able to
send and receive routes between them. Configure Router 2 to send RIP routes to the Alteon
Switched Firewall. Verify the routing table on Router 1 and confirm that these routes are not
advertised and installed in Router 1, because it is not a RIP router.

8. Configure the ASF to redistribute the RIP routes it learned.

>> # /cfg/net/route/ospf/redist/rip/ena (Redistribute RIP routes into OSPF)

When routes are redistributed, you must define a metric that the receiving protocol
understands. If you want to change the metric of the redistributed route, enter the new metric
under /cfg/net/route/ospf/redist/rip/metric.

9. Apply the configuration changes.

>> OSPF RIP Route Redistribution# apply

Verify if Router 1 is able to see all the routes from the RIP domain.

Verifying OSPF Support


Use the following commands to verify the OSPF information on your ASF:

„ /info/net/route/ospf/routes
„ /info/net/route/ospf/lsa
„ /info/net/route/ospf/neigh
„ /info/net/route/ospf/if
„ /info/net/route/ospf/fib
„ /info/net/route/ospf/spf

CHAPTER 6
Load Balancing IDS Servers
This chapter explains how to configure the Alteon Switched Firewall (ASF) to support
Intrusion Detection Systems (IDS). IDS is a type of security management system for computers
and networks. IDS Server Load Balancing helps scale intrusion detection systems, since an
individual server cannot keep up with the information being processed at Gigabit speeds.

An Intrusion Detection System gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches, which include both intrusions
(attacks from outside the organization) and misuse (attacks from within the organization).

IDS servers monitor traffic by performing in-depth traffic analysis and detect inappropriate,
incorrect, or anomalous activity on your network. Intrusion detection functions include:

„ Monitoring and analyzing both user and system activities
„ Analyzing system configurations and vulnerabilities
„ Assessing system and file integrity
„ Recognizing patterns typical of attacks
„ Analyzing abnormal activity patterns
„ Tracking user policy violations


How IDS Load Balancing Works


Intrusion detection devices inspect every packet before it enters a network, looking for any
signs of an attack. The attacks are recorded and logged in an attempt to guard against future
attacks and to record the information about the intruders.

Alteon Switched Firewall allows the switch to forward the IP packets to an Intrusion Detection
server. You must enable IDS SLB on the port and allocate an IDS server group containing IDS
servers. The IDS SLB-enabled Firewall copies all incoming packets to this group of intrusion
detection servers. For each connection to the Firewall, a hashing algorithm is used to select the
IDS server based on the client and server IP addresses.

The IDS server receives copies of all the processed frames that are forwarded to the destination
devices. Session entries are maintained so that all the frames of a given session are forwarded
to the same IDS server. ASF load balances ingress and egress traffic between IDS server
groups.

Each IDS server must be connected directly to a different Firewall Accelerator port, because
ASF uses link state to determine the health of the IDS server. Because the traffic is mirrored to
the IDS ports, connecting multiple IDS servers to a single Accelerator port via a hub or layer 2
switch will result in all IDS servers analyzing the same traffic as opposed to sharing the load.

An enforcement, NAAP, or monitor port cannot be enabled for IDS load balancing. A port that
is a member of one IDS group cannot be added to another IDS group. A single IDS group can
monitor traffic from multiple VLANs. An IDS group cannot be specified for automatic
VLANs.

Load Balancing IDS Servers


Two basic examples of configuring IDS load balancing are illustrated in this section. The first
example shows an IDS server group monitoring two clients on the same VLAN. In example 2,
multiple VLANs are being monitored by an IDS group of servers. In both examples, a hash
algorithm is used to send all of the frames for a given pair of IP addresses (client and server IP
addresses) to the same IDS server.

Example 1
This example illustrates a basic configuration for load balancing client traffic on a single
VLAN to an IDS server group.


In Figure 6-1, ingress and egress traffic from Client 1 and 2 are being monitored by IDS
servers 1 and 2. The client traffic enters the Firewall via layer 2 switches or routers.

[Figure 6-1: Alteon Switched Firewall with IF 1, 192.168.1.1/24, to the Management Console,
192.168.1.41; IF 2, 20.20.20.1, to Client 1, 20.20.20.88, and Client 2, 20.20.20.90; IF 3,
30.30.30.1, to Server 1, 30.30.30.66, and Server 2, 30.30.30.67. IDS server 1 and IDS server 2
are attached to Accelerator ports 5 and 6; ports 2, 3, 10, 11 and 12 also appear in the figure.]

Figure 6-1 Load balancing IDS Servers

To configure your switch for load balancing IDS servers, do the following:

1. Configure your switch for basic operation.
„ Configure the three interfaces on the Alteon Switched Firewall for the Management,
Client, and Server networks
The Firewall Accelerator must have an IP route to all of the real servers that receive
switching services. To configure an IP interface for this example, enter the commands
from the CLI as described in this procedure.
„ Configure the VLAN for the clients and servers
„ Configure the IDS servers
„ Configure the IDS group to monitor the VLAN

2. Connect the IDS servers to the Firewall Accelerator ports.


NOTE – Each IDS server must be connected directly to a different switch port. Link health
check is performed to check the status of the IDS servers.

Connect IDS server 1 and IDS server 2 to port 5 and port 6 respectively on the Firewall
Accelerator 6600.

3. Configure the IP interface for the management console:

>> # /cfg/ip/if 1 (Select IP interface 1)


>> IP Interface 1# addr 192.168.1.1/24 (Assign IP address for the SmartConsole)
>> IP Interface 1# ena (Enable IP interface 1)

4. Configure the IP interface for the Client network:

>> # /cfg/ip/if 2 (Select IP interface 2)


>> IP Interface 2# addr 20.20.20.1 (Assign IP address for the Client network)
>> IP Interface 2# ena (Enable IP interface 2)

5. Configure the IP interface for the Server network:

>> # /cfg/ip/if 3 (Select IP interface 3)


>> IP Interface 3# addr 30.30.30.1 (Assign IP address for the Server network)
>> IP Interface 3# ena (Enable IP interface 3)

6. Configure a VLAN for the client network.


For example in Figure 6-1, configure port 2 on VLAN 10.

>> # /cfg/net/vlan 10/port/add 2 (Add port 2 to VLAN 10)

7. Add VLAN 10 to interface 2.

>> # /cfg/net/if 2/vlan 10 (Add VLAN 10 to the interface)

8. Assign port 3 to interface 3.

>> # /cfg/net/if 3/port/add 3 (Add port 3 to interface 3)


9. Enable IDS load balancing globally on the Firewall.

>> # /cfg/net/idslb/on (Enable IDS globally)

10. Define the group for IDS server load balancing.

>> # /cfg/net/idslb/group 1 (Define a group)

11. Add the IDS ports to the IDS group.

>> # /cfg/net/idslb/group 1/port/add 5 (Add IDS server 1’s port to Group 1)


>> # /cfg/net/idslb/group 1/port/add 6 (Add IDS server 2’s port to Group 1)

12. Enable IDS load balancing for IDS group 1.

>> # /cfg/net/idslb/group 1/ena (Enable IDS for group 1)

13. Set IDS Group 1 for monitoring VLAN 10.

>> # /cfg/net/vlan 10/idsgrp 1 (Enable IDS group 1 to monitor VLAN 10)

14. Enable IDS ports 5 and 6.

>> # /cfg/net/port 5/ena (Enable port 5)


>> # /cfg/net/port 6/ena (Enable port 6)

15. Apply and save your changes.

>> Port 6# apply

The client traffic is load balanced between the two IDS servers. The hashing algorithm, which hashes on both source and destination IP addresses, ensures that all the ingress/egress traffic from Client 1 is copied to IDS server 1 and all the ingress/egress traffic from Client 2 is copied to IDS server 2.


Example 2
A single IDS group can monitor traffic from multiple VLANs. This example shows the Firewall configuration in a high availability environment with an IDS group of servers monitoring multiple VLANs. The mirrored traffic sent to the IDS servers will be VLAN-tagged, so the IDS servers should be capable of handling VLAN-tagged traffic.

In this example, the IDS port on the Accelerator is VLAN-tagged. The inter-Accelerator port is also always tagged when IDS load balancing is enabled. However, this tagging is done internally by the Alteon Switched Firewall: you must not enable VLAN tagging manually on the IDS ports or on the inter-Accelerator port.

When you add a port to an IDS group, that port on both Firewall Accelerators is configured as an IDS port. You can choose to connect an IDS server to only one of the Accelerators on that port. For IDS high availability, you must connect at least one IDS server to each of the two Accelerators.


Figure 6-2 illustrates two Firewall Accelerators 6600 installed in a redundant configuration. Both Firewalls monitor client traffic on two different VLANs with two IDS servers. The client traffic enters the Firewall via Layer 2 switches. In this example, the Firewall Accelerator (master) performs IDS load balancing on both ingress and egress client traffic.

[Figure 6-2 diagram: Client 1 (VLAN 10, 20.20.20.88) and Client 2 (VLAN 20, 25.25.25.60) feed the Firewall Accelerator (Master, 10.10.1.101) and the Firewall Accelerator (Backup, 10.10.1.102); IDS server 2 and IDS server 1 (both IDS Group 1) hang off port 5 of the master and backup respectively; Firewall Director 1 (10.10.1.91) and Firewall Director 2 (10.10.1.92); Server 1 (30.30.30.66) and Server 2 (30.30.30.67); Management Console 192.168.1.41]

Figure 6-2 IDS Load Balancing for Multiple VLANs


To configure your switch for load balancing IDS servers, do the following:

1. Configure your switch for basic operation.


■ Configure the four interfaces on the Alteon Switched Firewall for the Management, Client, and Server networks
The Firewall Accelerator must have an IP route to all of the real servers that receive switching services. To configure an IP interface for this example, enter these commands from the CLI.
■ Configure the VLAN for the clients and servers
■ Configure the IDS servers
■ Configure the IDS group to monitor the VLAN

2. Connect the IDS servers to the Firewall Accelerator ports.


Connect IDS server 1 to port 5 on the master Firewall Accelerator 6600 and connect IDS server 2 to port 5 on the backup Firewall Accelerator 6600.

NOTE – Each IDS server must be connected directly to a different switch port. A link health check is performed to determine the status of the IDS servers.

3. Configure the IP interface 1 for the management console.

>> # /cfg/ip/if 1 (Select IP interface 1)
>> IP Interface 1# addr 192.168.1.1/24 (Assign IP address for the SmartConsole)
>> IP Interface 1# ena (Enable IP interface 1)

4. Configure the IP interface 2 for the Client 1 network.

>> # /cfg/ip/if 2 (Select IP interface 2)
>> IP Interface 2# addr 20.20.20.1 (Assign IP address for the Client 1 network)
>> IP Interface 2# ena (Enable IP interface 2)

5. Configure port 2 on VLAN 10.

>> # /cfg/net/vlan 10/port/add 2 (Assign port 2 on VLAN 10)
>> # /cfg/net/if 2/vlan 10 (Add interface 2 to VLAN 10)


6. Configure the IP interface 3 for the Client 2 network.

>> # /cfg/ip/if 3 (Select IP interface 3)
>> IP Interface 3# addr 25.25.25.1 (Assign IP address for the Client 2 network)
>> IP Interface 3# ena (Enable IP interface 3)

7. Configure port 3 on VLAN 20.

>> # /cfg/net/vlan 20/port/add 3 (Assign port 3 on VLAN 20)
>> # /cfg/net/if 3/vlan 20 (Add interface 3 to VLAN 20)

8. Configure the IP interface 4 for the Server network.

>> # /cfg/ip/if 4 (Select IP interface 4)
>> IP Interface 4# addr 30.30.30.1 (Assign IP address for the Server network)
>> IP Interface 4# ena (Enable IP interface 4)

9. Assign port 4 to interface 4.

>> # /cfg/net/if 4/port/add 4 (Add port 4 to interface 4)

10. Enable IDS load balancing globally on the Firewall.

>> # /cfg/net/idslb/on (Enable IDS globally)

11. Define the group for IDS server load balancing.

>> # /cfg/net/idslb/group 1 (Define a group)

12. Add the IDS port 5 to the IDS group.

>> # /cfg/net/idslb/group 1/port/add 5 (Add IDS server 1 port to Group 1)

13. Enable IDS load balancing for IDS group 1.

>> # /cfg/net/idslb/group 1/ena (Enable IDS for group 1)


14. Set IDS Group 1 for monitoring VLAN 10.

>> # /cfg/net/vlan 10/idsgrp 1 (Enable IDS group 1 to monitor VLAN 10)

15. Set IDS Group 1 for monitoring VLAN 20.

>> # /cfg/net/vlan 20/idsgrp 1 (Enable IDS group 1 to monitor VLAN 20)

16. Enable IDS port 5.

>> # /cfg/net/port 5/ena (Enable port 5)

17. Enable high availability.

>> # /cfg/acc/ha y (Enable high availability)

18. Configure VRRP on each IP interface.

In this step, each IP interface is given its own unique Virtual Router ID (VRID), and is assigned a Virtual Router IP (VRIP) address for each of the two Firewall Accelerators. Each VRIP address must be a unique IP address in the same subnet as the IP interface.

For example, continuing with the network shown in Figure 6-2 on page 101, two VLANs
(VLAN 10 and 20) are being monitored on two IP interfaces: IP Interface #2 uses 20.20.20.1
and IP interface #3 uses 25.25.25.1. To configure the VRRP on each IP interface, refer to the
commands shown in the example in Step 5 on page 110.

Make sure that all virtual routers have unique VRRP group IDs. The VRRP group IDs should be unique not only within the ASF configuration, but also between other VRRP devices on the same segment as your ASF. The VRRP group ID is set using the command cfg/net/adv/vrrp/vrid. For more information on the command, see “Advanced VRRP Configuration Menu” on page 322.

19. Apply and save your changes.

>> Filter 1# apply

The client traffic is load balanced between the two IDS servers. The hashing algorithm, which hashes on both source and destination IP addresses, ensures that all the ingress/egress traffic from VLAN 10 (Client 1 network) and from VLAN 20 (Client 2 network) is copied to the IDS Group 1 servers.
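Both result paragraphs above depend on the hash being symmetric in source and destination, so the reply direction of a conversation reaches the same sensor as the request. The following added example (not Alteon code; the Firewall's real hash function is not documented on this page) uses a toy XOR-and-modulo hash to show that property beside a destination-only hash, run over constructed packets that reuse the client, server and IDS port numbers from Examples 1 and 2:

```python
import ipaddress
from collections import defaultdict

# IDS Group 1 as cabled in Example 1: port 5 = IDS server 1, port 6 = IDS server 2.
IDS_GROUP_1 = [5, 6]


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def symmetric_index(src, dst, n_sensors):
    """Toy hash over BOTH addresses (an assumption, not Alteon's algorithm).
    XOR commutes, so (src, dst) and (dst, src) yield the same sensor index."""
    return (ip_int(src) ^ ip_int(dst)) % n_sensors


def dst_only_index(src, dst, n_sensors):
    """Hash on the destination only: the reply hashes on a different address."""
    return ip_int(dst) % n_sensors


def mirror_port(src, dst, ports, policy):
    """Accelerator port the mirrored copy of this packet is sent out on."""
    return ports[policy(src, dst, len(ports))]


# Constructed traffic: each client/server conversation in both directions, using
# the client and server addresses shown in Figures 6-1 and 6-2.
PACKETS = [
    ("20.20.20.88", "30.30.30.66"),   # Client 1 -> Server 1 (ingress)
    ("30.30.30.66", "20.20.20.88"),   # Server 1 -> Client 1 (egress)
    ("25.25.25.60", "30.30.30.67"),   # Client 2 -> Server 2 (ingress)
    ("30.30.30.67", "25.25.25.60"),   # Server 2 -> Client 2 (egress)
]


def distribute(packets, ports, policy):
    """Map each conversation (unordered address pair) to the IDS ports that saw it."""
    seen = defaultdict(set)
    for src, dst in packets:
        seen[frozenset((src, dst))].add(mirror_port(src, dst, ports, policy))
    return seen


def split_conversations(seen):
    """Conversations whose two directions went to different sensors: neither
    sensor can reassemble the session, so stateful detection misses it."""
    return sorted(tuple(sorted(conv)) for conv, ports in seen.items() if len(ports) > 1)


if __name__ == "__main__":
    for name, policy in (("src+dst hash", symmetric_index), ("dst-only hash", dst_only_index)):
        seen = distribute(PACKETS, IDS_GROUP_1, policy)
        print(name, {tuple(sorted(c)): sorted(p) for c, p in seen.items()},
              "split:", split_conversations(seen))
```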

CHAPTER 7
Expanding the Cluster
This chapter describes how to expand the Alteon Switched Firewall cluster beyond the basic
configuration. The cluster can be expanded in a variety of ways:

■ A redundant Firewall Accelerator and extra Firewall Directors can be added to create a high-availability firewall. With a high-availability solution, the failure of any single component or network link will not cause the firewall to fail.
■ Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline.
■ Firewall Directors can be synchronized to provide stateful failover of sessions. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.
Each of these avenues for expansion is discussed in detail in the following sections:

■ “Adding a Second Firewall Accelerator” on page 106
■ “Adding Firewall Directors” on page 111
■ “Synchronizing Firewall Directors” on page 122
■ “Changing the Firewall Accelerator Ports” on page 125


Adding a Second Firewall Accelerator


As part of a high-availability firewall, a redundant Firewall Accelerator must be added to the
cluster. The network topology for a typical high-availability firewall is shown below:
[Figure 7-1 diagram: Alteon Switched Firewall High-Availability Cluster with two Firewall Accelerators and four Firewall Directors, placed between Internet routers (VRRP and Layer 2 interfaces) and the Layer 2 switches of the trusted network and server farm; Check Point Management Console (SmartCenter)]

Figure 7-1 High-Availability Firewall Topology

For high-availability, each Firewall Accelerator is attached to the same networks using the
same ports, and each has at least one Firewall Director. One of the Firewall Accelerators in this
network acts as the master, and the other acts as a backup. Selection of the master is performed
using Virtual Router Redundancy Protocol (VRRP).

The master Firewall Accelerator performs load balancing and firewall acceleration services for
all active Firewall Directors in the cluster, including those that are attached to the backup.
While the master Firewall Accelerator is healthy, the backup is passive and merely provides
connectivity between its attached Firewall Directors and the master Firewall Accelerator. The
backup mirrors sessions on the master, and will take over if the master fails.


Requirements
The installation of a redundant Firewall Accelerator is handled as an expansion to an existing
cluster and requires the following:

■ A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in the Alteon Switched Firewall Hardware Installation Guide.
■ The basic cluster must already be configured with basic parameters as described in Chapter 2, “Initial Setup.”
■ Optionally, the basic cluster can include additional Firewall Directors (attached to the master Firewall Accelerator), installed as described in “Adding Firewall Directors” on page 111.
■ The redundant Firewall Accelerator being added must be identical to the existing Firewall Accelerator. You cannot mix different models of Firewall Accelerator in the same cluster.

Installing the New Firewall Accelerator

NOTE – No Firewall Directors should be attached to the redundant Firewall Accelerator while
it is being initially installed and configured.

The redundant Firewall Accelerator should be physically installed as follows:

1. Make sure that the basic cluster is on and operational.

2. Rack mount the new Firewall Accelerator hardware.

Heed the rack-mounting precautions and mount the new Firewall Accelerator as described in the Alteon Switched Firewall Hardware Installation Guide.

3. Connect the power cable for the new Firewall Accelerator, but do not turn it on yet.

Heed the power precautions and attach power as described in the Alteon Switched Firewall Hardware Installation Guide.


4. Connect the Inter-Accelerator Ports (IAP) together.

For more information on IAP ports, see “Configuring the Inter-Accelerator Port” on page 125.

If dual physical connectors are available on the IAP, the connection can be made using either the gigabit LC fiber optic connector, the 10/100/1000 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the copper link is used as the backup. The active link is then selected according to the redundant connector rules (see the Alteon Switched Firewall Hardware Installation Guide).

5. Connect the trusted, untrusted and semi-trusted network feeds to the new Firewall Accelerator.

NOTE – For redundant operation, the same networks which are connected to the master Firewall Accelerator must be connected to the redundant Firewall Accelerator. Be sure to connect each network to the same port on both Firewall Accelerators.

In this example, since Network A is on port 1 and Network B is on port 2 of the master Firewall Accelerator, we must connect Network A to port 1 and Network B to port 2 on the backup as well.

6. Turn the new Firewall Accelerator on.


Configuring the New Firewall Accelerator

NOTE – The Firewall Accelerator cannot be configured through its own console port. Instead, configuration is performed using the Command Line Interface (CLI) as discussed in Chapter 10, or the Browser-Based Interface (BBI) as discussed in the Alteon Switched Firewall Browser-based Interface Guide. The following procedures focus on the CLI method.

1. Connect to the CLI and log in as the administrator.

Access the cluster CLI locally from any Firewall Director serial port, or remotely by establishing a Telnet or SSH session to the cluster Management IP (MIP) address.

2. Verify that the redundant Firewall Accelerator’s MAC address has been detected.

Use the following command to verify whether auto-discovery is enabled and to display the detected MAC addresses:

>> # /info/det

If the MAC addresses have been correctly detected, proceed to Step 3. However, if auto-discovery is disabled, you can set the MAC address of the new Firewall Accelerator using the following command:

>> # /cfg/acc
>> Accelerator Configuration# ac2/mac <MAC address>

where MAC address is specified in hexadecimal XX:XX:XX:XX:XX:XX format.

3. Enable high-availability for the cluster:

>> Accelerator Configuration# /cfg/acc/ha y

4. Configure the new Firewall Accelerator IP address.

>> Accelerator Configuration# ac2/addr <IP address>

The redundant Firewall Accelerator IP address must be a unique address on the same subnet as
the master Firewall Accelerator.


5. Configure VRRP on each IP interface.

During initial setup of the cluster, IP interfaces were configured for each trusted, untrusted, or semi-trusted network attached to the Firewall Accelerator. In this step, each IP interface is given its own unique Virtual Router ID (VRID), and is assigned a Virtual Router IP (VRIP) address for each of the two Firewall Accelerators. Each VRIP address must be a unique IP address in the same subnet as the IP interface.

For example, continuing with the network shown in Figure 2-1 on page 27, there are two IP
interfaces: IP Interface #1 uses 10.1.1.1 on Network A, and IP interface #2 uses 10.2.0.1 on
Network B. The following configuration commands could be used:

>> # /cfg/net/if 1/vrrp (VRRP menu for interface 1)
>> VRRP Configuration# vrid 1 (Set unique VRID to 1)
>> VRRP Configuration# ip1 10.1.1.100 (Set VRIP for Accelerator 1)
>> VRRP Configuration# ip2 10.1.1.101 (Set VRIP for Accelerator 2)
>> VRRP Configuration# /cfg/net/if 2/vrrp (VRRP menu for interface 2)
>> VRRP Configuration# vrid 2 (Set unique VRID to 2)
>> VRRP Configuration# ip1 10.2.0.100 (Set VRIP for Accelerator 1)
>> VRRP Configuration# ip2 10.2.0.101 (Set VRIP for Accelerator 2)

Make sure that all virtual routers have unique VRRP group IDs. The VRRP group IDs should be unique not only within the ASF configuration, but also between other VRRP devices on the same segment as your ASF. The VRRP group ID is set using the command cfg/net/adv/vrrp/vrid. For more information on the command, see “Advanced VRRP Configuration Menu” on page 322.

6. Apply the changes.

>> VRRP Configuration# apply
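One consistency check on the VRRP commands in step 5 above (and the matching step 18 of the IDS Example 2), as an added example that is not part of the ASF software: it parses the commands as typed at the CLI and verifies the constraints this section states, one VRID per interface within the VRRP range 1-255, and VRIP addresses that are unique and inside the interface's subnet. The /24 masks for interfaces 1 and 2 are assumptions, since Figure 2-1 is not reproduced on this page.

```python
import ipaddress
import re

# Assumed subnets for the two IP interfaces of the page's example (Figure 2-1 is
# not reproduced here, so the /24 masks are assumptions).
INTERFACES = {
    1: ipaddress.ip_interface("10.1.1.1/24"),   # Network A
    2: ipaddress.ip_interface("10.2.0.1/24"),   # Network B
}

# The VRRP commands from step 5, as typed at the CLI (prompts and comments stripped).
SAMPLE_CLI = """
/cfg/net/if 1/vrrp
vrid 1
ip1 10.1.1.100
ip2 10.1.1.101
/cfg/net/if 2/vrrp
vrid 2
ip1 10.2.0.100
ip2 10.2.0.101
"""


def parse_vrrp_cli(text):
    """Map each interface number to its vrid/ip1/ip2 settings from ASF-style CLI lines."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        menu = re.fullmatch(r"/cfg/net/if (\d+)/vrrp", line)
        if menu:
            current = int(menu.group(1))
            cfg.setdefault(current, {})
            continue
        setting = re.fullmatch(r"(vrid|ip1|ip2) (\S+)", line)
        if setting and current is not None:
            key, value = setting.groups()
            cfg[current][key] = int(value) if key == "vrid" else ipaddress.ip_address(value)
            continue
        raise ValueError(f"unrecognised VRRP CLI line: {raw!r}")
    return cfg


def check_vrrp(cfg, interfaces):
    """Return a list of violations; an empty list means the configuration is consistent."""
    problems = []
    vrid_owner = {}                                   # VRID -> interface already using it
    addresses = {f"if {n} addr": i.ip for n, i in interfaces.items()}  # every address in use
    for ifnum, settings in sorted(cfg.items()):
        if ifnum not in interfaces:
            problems.append(f"if {ifnum}: VRRP configured on an interface with no IP address")
            continue
        net = interfaces[ifnum].network
        for key in ("vrid", "ip1", "ip2"):
            if key not in settings:
                problems.append(f"if {ifnum}: {key} not set")
        vrid = settings.get("vrid")
        if vrid is not None:
            if not 1 <= vrid <= 255:
                problems.append(f"if {ifnum}: VRID {vrid} outside the VRRP range 1-255")
            elif vrid in vrid_owner:
                problems.append(f"if {ifnum}: VRID {vrid} already used by if {vrid_owner[vrid]}")
            else:
                vrid_owner[vrid] = ifnum
        for key in ("ip1", "ip2"):
            vrip = settings.get(key)
            if vrip is None:
                continue
            if vrip not in net:
                problems.append(f"if {ifnum}: {key} {vrip} is not in {net}")
            clashes = [name for name, addr in addresses.items() if addr == vrip]
            if clashes:
                problems.append(f"if {ifnum}: {key} {vrip} duplicates {clashes[0]}")
            addresses[f"if {ifnum} {key}"] = vrip
    return problems


if __name__ == "__main__":
    for line in check_vrrp(parse_vrrp_cli(SAMPLE_CLI), INTERFACES) or ["VRRP configuration OK"]:
        print(line)
```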


Adding Firewall Directors


Multiple Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline. Firewall traffic is load balanced among all Firewall Directors within the cluster, regardless of whether they are attached to the master or backup Firewall Accelerator.

Requirements
The installation of additional Firewall Directors is handled as an expansion to the existing cluster and requires the following:

■ A basic cluster (one Firewall Director and one Firewall Accelerator) must already be physically installed as described in the Alteon Switched Firewall Hardware Installation Guide.
■ The basic cluster must already be configured with basic parameters as described in Chapter 2, “Initial Setup.”
■ Optionally, the cluster can include a redundant Firewall Accelerator installed and configured as described in “Adding a Second Firewall Accelerator” on page 106.
■ The redundant Firewall Director being added must be identical to the existing Firewall Director.
The following criteria are required to facilitate proper integration of the new equipment with
the established cluster:

CAUTION—Any Firewall Director being added to the cluster must have the same version of Firewall OS as the other Firewall Directors in the cluster. See Chapter 8, “Upgrading the Software,” for more information.

CAUTION—Also, any Firewall Director being added to the cluster must be set to the factory default mode. If moving a previously configured Firewall Director from another established cluster, you must first delete the Firewall Director from the old cluster to reset its configuration. For more information, see the delete command in the SFD Host menu on page 206.


Installing the New Firewall Director


The additional Firewall Director should be physically installed as follows:

1. Make sure that the basic cluster is on and operational.

2. Rack mount the new Firewall Director hardware.

Heed the rack-mounting precautions and mount the new Firewall Director as described in the Alteon Switched Firewall Hardware Installation Guide.

3. Connect the power cable for the new Firewall Director, but do not turn it on yet.

Heed the power precautions and attach power as described in the Alteon Switched Firewall Hardware Installation Guide.

4. Connect the new Firewall Director to the Firewall Accelerator.

By default, Firewall Accelerator ports 11 and 12 are reserved for Firewall Director connections. If using the defaults, connect the Firewall Director uplink port to an available port 11 or 12 on any Firewall Accelerator. The uplink port uses the gigabit fiber optic LC connector. The RJ-45 connector is not normally recommended for Firewall Director connections.

To change the Firewall Accelerator uplink ports, see “Changing the Firewall Accelerator
Ports” on page 125.

NOTE – See the Alteon Switched Firewall Hardware Installation Guide for cable information.

5. Turn the new Firewall Director on.

NOTE – The newly added Firewall Director will not become fully operational until configuration is complete (see “Configuring the New Firewall Director” on page 112), trust is established with the Check Point management console, and firewall policies are loaded.

Configuring the New Firewall Director

Configure Cluster Properties

Newly installed Firewall Directors can be configured manually, or they can be configured automatically using Plug N Play processes on the established cluster.

To utilize Plug N Play, the cluster must be pre-configured with resource information, consisting of a list of available IP addresses. If local licensing is used, Check Point licenses must also be added. Then, when each new Firewall Director is detected, the cluster will automatically assign the pre-configured resources and bring the new device into the cluster.


By default, the Plug N Play feature is enabled without resources. The following procedure is used to enable Plug N Play and add resources. If you instead wish to configure the new Firewall Director manually, see “Manually Adding a Firewall Director” on page 120.

1. Log in to the cluster MIP address as an administrator.

Although configuration can be performed using either the Command Line Interface (CLI) as discussed in Chapter 10, or the Browser-Based Interface (BBI) as discussed in the Alteon Switched Firewall Browser-based Interface Guide, the following procedures focus on the CLI method.

NOTE – When using Plug N Play, do not log in to the newly installed Firewall Director’s serial
port. Instead, connect to the cluster MIP address using established equipment.

2. Verify Plug N Play is enabled.

The following command will show you whether Plug N Play is enabled and if any unused resources are available:

>> # /cfg/pnp/cur

If Plug N Play is enabled, and valid IP addresses and Check Point licenses are listed as
unused, pre-configuration of resources has already been done and you can proceed to “Add
Policies for the New Firewall Director” on page 114.

If Plug N Play is disabled, you must either enable it or configure the new Firewall Director
manually. See “Manually Adding a Firewall Director” on page 120 for manual configuration.
Otherwise, to enable Plug N Play, use the following command:

>> SFD IP and Firewall License# ena

3. Add resources for a new Firewall Director.

Enter the following command:

>> SFD IP and Firewall License# add

You will be prompted for the following information:

■ IP address. Enter an IP address for a new Firewall Director. The IP address must be in the same subnet as the cluster MIP address.
■ One-time password. The one-time password entered here will be required later when establishing Secure Internal Communications (SIC) between the management station (SmartCenter) and the Firewall Director.


■ Add a license: This is covered in the next step.

4. If local licensing is used, enter Check Point licensing information for the new Firewall Director.

You will be prompted whether to add a Check Point license at this time:

Do you want to add a license (y/n)?

NOTE – If central licensing is used, enter n at the prompt. With central licensing, the license
must be pushed from the management server before the firewall policy can be installed. For
more information, see Chapter 2, “Initial Setup,” Step 8 on page 51.

If local licensing is used, enter y at the prompt. You will then be asked to specify the following
information:

Enter the Expiry date for the License: <Expiration date>
Enter the Feature string: <Feature string>
Enter the License string: <License string>
Cannot validate this license now because the target host is not up
and running now. Do you want to add it any way? y
Successfully added License/IP...

The license information will be part of your Check Point package. The expected information
will appear similar to the following example:
■ Expiry date: 02aug2003
■ Feature string: CPSUITE-EVAL-3DES-NG CK-CHECK-POINT
■ License string: aBZUeTWHR-FyxGGcdej-QiiS89a6N-isMP6Ywnn
Be sure to enter the information exactly as shown on your specific Check Point license.

NOTE – Each Firewall Director requires a separate license.

Add Policies for the New Firewall Director


1. Launch the SmartDashboard software on your Check Point management client and log in using an administrator account.

2. Create a new workstation object to represent the newly installed Firewall Director.

From the SmartDashboard menu bar, select Manage | Network Objects. When the Network Objects window appears, click on the New button and select Workstation from the pop-up list.


3. Define the Firewall Director object parameters:

Enter the following information:

■ Name: Any name to represent the newly installed Firewall Director.
■ IP Address: The address of the newly installed Firewall Director. In this example, the address is 10.10.1.2
■ Version: NG Application Intelligence (AI) software.
■ FireWall-1: Check this item from the list window.

NOTE – Only FireWall-1 is currently supported on this product. VPN-1 is not used.

Leave the Workstation Properties window open for use in the next step.

4. Establish trust between the SmartCenter and the Firewall Director.


Check Point FireWall-1 NG uses a one-time password to initiate Secure Internal Communications (SIC) between configured objects and the management station (SmartCenter).


To establish SIC, click on the Communication button in the Workstation Properties window.
The Communications window will appear:

Enter the same one-time SIC password that was defined when adding the new Firewall Director to the cluster in Step 3 on page 113 and click on the Initialize button.

The management station (SmartCenter) will attempt to contact the Firewall Director and exchange security information. When successful, the window will indicate “Trust established.”

NOTE – Trust cannot be established if the cluster firewall software has been disabled
(/cfg/fw/dis).

5. Close the Communications window and Workstation Properties window.

6. From the SmartDashboard menu bar, select File | Save.

7. If using central licensing, install a license for the Firewall Director object.

NOTE – If local licensing was used when adding the new Firewall Director to the cluster in
Step 4 on page 114, skip this step.

Use the SmartUpdate module to enter central licenses. For more information on installing licenses, refer to “Using Central Licensing” on page 2-51.

To verify that the central license is installed properly, log in as root on the Firewall Director and issue the following command:

cplic print -x -type

The output of this command should display the installed license information.

8. If necessary, create a gateway cluster object.

The same policies must be installed on all the Firewall Directors in the cluster. Using a gateway cluster object, the administrator ensures that all Firewall Directors in the cluster are updated as a group.


If this is the first time you are adding a Firewall Director to an established cluster, you must
create a gateway cluster object. If you created the gateway cluster object during a previous
installation, there is no need to repeat this step.

To create a new gateway cluster object, right click on “Check Points”, “New”, and then “Gateway Cluster” in the Network Objects tree on the left side of the window. The Gateway Cluster properties tab will be displayed.

Enter the following information:

■ Name: Any name of your choosing to represent the gateway cluster.
■ IP Address: The Interface IP address of the external network.
■ Version: Select NG Application Intelligence (AI).

9. Add Firewall Director members to the gateway cluster object.

Access the Gateway Cluster properties window. If not already displayed, right-click on the gateway cluster object and select Properties from the pop-up menu.


Click on the Cluster Members tab to add Firewall Directors as cluster members.

Select a Firewall Director and click OK. This process has to be repeated until all the Firewall
Directors in the cluster are added as members.

Select the Security - Standard tab and right click on INSTALL ON column in the table. Select
Add | Targets to show a list of gateway clusters.

Select the Alteon Switched Firewall gateway cluster object and click OK.

10. Click on the 3rd Party Configuration tab to specify the 3rd party solution.


The Gateway Cluster properties tab will be displayed.

11. Click Load Sharing for Cluster Operating mode.

Load sharing implies that all the firewalls are processing the traffic and traffic is shared between the Firewall Accelerators.

This completes the procedure to add policies to the new Firewall Director.


Manually Adding a Firewall Director

If Plug N Play is disabled on the cluster, newly installed Firewall Directors must be configured manually. To enable it for the cluster, use the /cfg/pnp/ena command. To disable it, use the /cfg/pnp/dis command. Plug N Play is enabled by default, but you must manually configure the IP addresses. To check the status of the Plug N Play feature on the cluster, use the /cfg/pnp/cur command.

The following procedure requires the Firewall Director to be physically installed as described
in “Installing the New Firewall Director” on page 112. This includes mounting the device,
powering it on, and connecting it to an existing cluster.

1. Connect directly to the new Firewall Director’s serial port.

NOTE – A new Firewall Director cannot be configured manually through the cluster MIP
address. Access the CLI directly through the serial port of the device being installed (see
Alteon Switched Firewall Hardware Installation Guide).

2. Log in using the default administrator account.

Press <Return> on the console terminal to establish the connection. When the login prompt appears, enter the default login name (admin) and the default password (admin):

login: admin
Password: admin (not displayed)

NOTE – Since the new Firewall Director is still set to factory defaults, you must use the default admin password regardless of whether the password has been changed on the rest of the cluster.


The special Setup utility menu should appear:

Welcome to the Alteon Switched Firewall initialization.

------------------------------------------------------------
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
restore - Restore this SFD from a backup taken earlier
offline - Initialize iSD for offline switchless maintenance
boot - Boot Menu
naap - Set NAAP VLAN id
exit - Exit

>> Setup#

3. Join the new Firewall Director to the existing cluster:

>> Setup# join

4. Follow the onscreen prompts to manually configure the new Firewall Director.

Enter cluster admin user password: admin (not displayed)
Enter password again: admin (not displayed)
Enter this SFD's IP: 10.10.1.2
Enter the cluster Master IP (MIP): 10.10.1.10
Enter Check Point SIC one-time password: <SIC password> (not displayed)
Enter password again: <SIC password>
......
Cluster has been joined successfully.
Please relogin if any further setup is necessary.

5. If local licensing is used, enter the Check Point License.

For example:

>> # /cfg/pnp/add
Enter the IP Address: 10.10.1.2
Enter the Expiry date for the License:25Oct2003
Enter the Feature string:cpsuite-eval-3des-ng CK-FDFA9AA20D27
Enter the License string:aWkxm4Pj6-zbcfsY7Ju-AUsu8FKvS-KrsokXokv

6. Complete the configuration by installing policies.

Once the new Firewall Director has been manually added, policies must be installed. See “Add Policies for the New Firewall Director” on page 114 for the next steps in this process.


Synchronizing Firewall Directors


Firewall Directors can be synchronized to provide stateful failover of sessions. With synchronization, if a Firewall Director fails, its open sessions will be transparently reassigned to a healthy Firewall Director.

When synchronizing the Firewall Directors, isolate the synchronization traffic using dedicated
ports (10/100/1000 Mbps port 2) on the Firewall Directors. Using the dedicated ports requires
additional cabling, but can provide better performance under heavy traffic.

To achieve stateful failover, synchronization must be configured both on the Alteon Switched
Firewall and on the Check Point management server as follows:

1. Make sure Alteon Switched Firewall synchronization is off.


Log in to the Alteon Switched Firewall cluster MIP address using an administrator account and enter the following command to display the current synchronization settings:

>> # /cfg/fw/sync/cur

2. Define a network for the synchronization traffic on the dedicated ports.

When using the dedicated ports, a unique network address should be used for synchronization traffic. This network should not be on the same subnet as the MIP. For example:

>> Sync Configuration# net 192.168.2.0

NOTE – The synchronization network uses the same subnet mask specified in the System
Menu netmask option (/cfg/sys/netmask) to define the synchronization network
range.

3. Enable the synchronization network and apply the changes:

>> Sync Configuration# ena


>> Sync Configuration# apply

Enabling synchronization automatically reboots the Firewall Director.

4. Using the SmartDashboard management tool, update the firewall interface information.


Start the SmartDashboard application on your management client station. From within the
SmartDashboard, select a Firewall Director in the cluster and edit its properties. Select the
Topology tab in the Properties window and click on the Get Interfaces button.

Verify that the list of detected interfaces includes the appropriate Ethernet device with an IP address on the synchronization network defined in Step 2. For example, the appropriate Ethernet device for ASF 5014 would be FE2.

Repeat this step for each Firewall Director in the cluster.

5. From the SmartDashboard tool, enable Check Point firewall synchronization.


Select the Gateway Cluster in the Network Objects tree on the left side of the SmartDashboard
window. If necessary, click on the minus ( - ) icon in front of the Gateway Cluster to reveal its
objects.

Check for a gateway cluster object representing the Alteon Switched Firewall. This object should have been created when a new Firewall Director was initially added to the existing cluster. If no object exists, see Step 8 through Step 9 starting on page 116.

6. Right click on the gateway cluster object and select Edit from the pop-up menu. When the properties dialog appears, select the Synchronization tab and check the “Use State Synchronization” box.

If there are already any synchronization networks defined, delete them.

Click on the Add button to add a synchronization network and enter the following information:


- Network Name: Enter your choice of network name to represent the synchronized network.
- IP Address: Enter the base network IP address which will be used for synchronization. This should be the same address specified in Step 2.

Click OK to add the configured synchronization network.

7. From the SmartDashboard tool, re-install the security policies on the firewall cluster.

8. If using the dedicated synchronization ports, connect all Firewall Director SyncNet ports together.

Connect synchronization port 2 on all Firewall Directors in the cluster. If connecting the ports directly together, use a crossover network cable. If connecting the ports through a hub or layer-2 switch, use a straight-through network cable.

If there are more than two Firewall Directors in the cluster, connect all of them together through a hub or layer-2 switch using straight-through network cables. In such a case, synchronization port 2 of all the Firewall Directors should be connected to the hub or layer-2 switch.
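As an added example, not part of the original manual, the following Python checks a candidate synchronization network against the two constraints given in Step 2: it must be a network address under the system netmask (/cfg/sys/netmask), and it must not share the MIP's subnet. The MIP, netmask and candidate networks are constructed values.

```python
import ipaddress

# Constructed sample values (not taken from the manual): the cluster MIP,
# the netmask from /cfg/sys/netmask and a candidate sync network.
MIP = "10.10.1.10"
NETMASK = "255.255.255.0"
SYNC_NET = "192.168.2.0"


def sync_network_check(mip: str, netmask: str, sync_net: str) -> dict:
    """Validate a candidate /cfg/fw/sync/net address.

    Rules applied:
      1. the sync range is derived with the same netmask as the MIP, so the
         candidate must be a network address under that mask (no host bits);
      2. the sync network must not be on the same subnet as the MIP.
    Returns a report dict whose 'ok' key is False if either rule fails.
    """
    mip_subnet = ipaddress.ip_network(f"{mip}/{netmask}", strict=False)
    report = {"ok": False, "mip_subnet": str(mip_subnet), "reason": ""}
    try:
        # strict=True rejects an address that has host bits set under the mask
        sync_subnet = ipaddress.ip_network(f"{sync_net}/{netmask}", strict=True)
    except ValueError:
        report["reason"] = f"{sync_net} is not a network address under {netmask}"
        return report
    if sync_subnet.overlaps(mip_subnet):
        report["reason"] = f"{sync_subnet} overlaps the MIP subnet {mip_subnet}"
        return report
    report["ok"] = True
    # first and last addresses of the range the Firewall Directors will use
    report["sync_range"] = (str(sync_subnet[0]), str(sync_subnet[-1]))
    return report


if __name__ == "__main__":
    for candidate in (SYNC_NET, "10.10.1.0", "192.168.2.5"):
        print(candidate, sync_network_check(MIP, NETMASK, candidate))
```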


Changing the Firewall Accelerator Ports

Configuring the Inter-Accelerator Port


The Inter-Accelerator Port (IAP) is used to connect the master and backup Firewall Accelerators together in a high-availability cluster. Typically, the IAP ports are port 12 on the Firewall Accelerator 6600 and port 28 on the Firewall Accelerator 6400. The IAP can be configured to use a different Firewall Accelerator port, although using the other ports is not recommended. Before the IAP port is configured, the cur command in the /cfg/acc/ac1/iap menu shows the IAP ports as port 0.

The IAP number must be the same for both Firewall Accelerators. Use the following commands to configure the IAP ports:

>> # /cfg/acc/ac1/iap <port number>


>> # /cfg/acc/ac2/iap <port number>
>> # /cfg/net/port <port number>/naap y
>> # /cfg/net/port <port number>/vtag y

Where dual physical connectors are available on the Inter-Accelerator Port (IAP), connection can be made using either the gigabit LC fiber-optic connector, the 10/100/1000 Mbps RJ-45 copper connector, or both. If both are connected, then the gigabit optical link is used as the preferred link and the 10/100/1000 Mbps copper link is used as the backup. The active link is then selected according to the redundant connector rules (see the Alteon Switched Firewall Hardware Installation Guide).

- To select the preferred link:

>> # /cfg/net/port <port number>/pref copper|fiber

where fiber specifies the gigabit optical link and copper specifies the 10/100/1000 Mbps copper link.

- To select the backup link:

>> # /cfg/net/port <port number>/back copper|fiber


Configuring the Firewall Director Uplink Ports


By default, Firewall Accelerator 6600 ports 11 and 12 are reserved for connecting Firewall Directors. On the Firewall Accelerator 6400, ports 1, 24, 27, and 28 are reserved for connecting Firewall Directors. However, Firewall Directors can be attached to the Firewall Accelerator on any port that has NAAP enabled.

To configure any Firewall Accelerator port for use with a Firewall Director, use the following
commands:

>> # /cfg/net/port <port number>/naap y


>> # /cfg/net/port <port number>/ena

Configuring the Network Ports


Some Firewall Accelerator ports are NAAP disabled by default and are reserved for connecting trusted, untrusted, and semi-trusted networks. On the Firewall Accelerator 6400, ports 2 through 23, 25, and 26 are reserved for this purpose; on the Firewall Accelerator 6600, ports 1 through 10 are reserved for connecting trusted, untrusted, and semi-trusted networks.

NOTE – By default, NAAP is enabled on port 12 of the Firewall Accelerator 6600 and on port
28 of the Firewall Accelerator 6400. If you plan to use port 12 and port 28 for network traffic,
make sure you disable NAAP on those ports.

However, network traffic can be attached to the Firewall Accelerator on any port where NAAP is disabled. To configure any Firewall Accelerator port for use with a trusted, untrusted, or semi-trusted network, use the following command to disable NAAP:

>> # /cfg/net/port <port number>/naap n
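As an added example, not Nortel's own tooling, the Python below turns a port-role plan for one Firewall Accelerator model into the CLI command lines given in the three sections above (IAP, Firewall Director uplink, network port) and flags plans that contradict the stated rules: an IAP on a non-default port, or a network role on the port where NAAP is enabled by default. The per-model port lists come from this chapter; treating them as the full port range of each model is an assumption.

```python
# Port facts stated in this chapter for the two Firewall Accelerator models.
# The total port count per model (12 and 28) is an assumption inferred from
# the port lists in the text, not a value the manual states explicitly.
MODELS = {
    "6600": {"ports": range(1, 13), "default_iap": 12},
    "6400": {"ports": range(1, 29), "default_iap": 28},
}
ROLES = {"iap", "director", "network"}


def plan_commands(model: str, roles: dict) -> tuple:
    """Return (commands, warnings) for a {port: role} plan on one model.

    Roles map to the CLI sequences in this chapter:
      iap      -> set the IAP on both accelerators, NAAP on, VLAN tagging on
      director -> NAAP on and port enabled (Firewall Director uplink)
      network  -> NAAP off (trusted / untrusted / semi-trusted network)
    Warnings report choices the chapter calls out as not recommended or as
    needing attention; they do not stop command generation.
    """
    spec = MODELS[model]
    commands, warnings = [], []
    iap_ports = [p for p, r in roles.items() if r == "iap"]
    if len(iap_ports) > 1:
        raise ValueError(f"only one IAP port is allowed, got {iap_ports}")
    for port in sorted(roles):
        role = roles[port]
        if role not in ROLES:
            raise ValueError(f"port {port}: unknown role {role!r}")
        if port not in spec["ports"]:
            raise ValueError(f"port {port} does not exist on the {model}")
        if role == "iap":
            if port != spec["default_iap"]:
                warnings.append(f"port {port}: IAP on a non-default port "
                                f"(default is {spec['default_iap']}) is not recommended")
            # the IAP number must be identical on both accelerators
            commands += [f"/cfg/acc/ac1/iap {port}", f"/cfg/acc/ac2/iap {port}",
                         f"/cfg/net/port {port}/naap y", f"/cfg/net/port {port}/vtag y"]
        elif role == "director":
            commands += [f"/cfg/net/port {port}/naap y", f"/cfg/net/port {port}/ena"]
        else:  # network
            if port == spec["default_iap"]:
                warnings.append(f"port {port}: NAAP is enabled by default here; "
                                "the generated 'naap n' turns it off")
            commands.append(f"/cfg/net/port {port}/naap n")
    return commands, warnings


if __name__ == "__main__":
    # constructed plan: default IAP, one director uplink, one network port
    cmds, warns = plan_commands("6600", {12: "iap", 11: "director", 3: "network"})
    print("\n".join(cmds))
    print(warns)
```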

CHAPTER 8
Upgrading the Software
This chapter describes the steps involved to upgrade ASF version 4.0.2 to a higher version of
the software. The following topics are discussed in this chapter:

- “Upgrading to Version 4.0.2” on page 128
- “Upgrading Version 4.0.2 to a Higher Version” on page 131
    - “Overview of Upgrade Tasks” on page 131
    - “Compatibility” on page 131
    - “Types of Upgrade” on page 132
    - “Installing a Minor/Major Release Upgrade” on page 133
    - “Activating the Software Upgrade Package” on page 135
- “Reinstalling the Software” on page 137


Upgrading to Version 4.0.2


To upgrade your Alteon Switched Firewall to version 4.0.2, you will need the following:

- An Alteon Switched Firewall running software version 3.5.1.x, 3.5.2.1, 4.0.1 or higher
- Command Line Interface (CLI) access to the Alteon Switched Firewall via local console terminal or to the cluster MIP address through a remote Telnet or SSH connection.
- The version 4.0.2 software upgrade package (identified by the .pkg extension) loaded on an FTP server on your network. The FTP server must allow anonymous login.
- The host name or IP address of the FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 204.
- See the product Readme file for any other upgrade limitations or restrictions.

Typically, the cluster Firewall Accelerator software is automatically upgraded along with the cluster Firewall Directors. However, to manually upgrade the Firewall Accelerator, see “Manually Upgrading the Firewall Accelerator” on page 351.

To install the upgrade, use the following procedure.

1. Begin with a fully operational system.


Ensure that trust is established between the Alteon Switched Firewall and the Check Point
SmartCenter component or the SmartDashboard management tool. Verify that network traffic
passes properly through the firewall.

2. If necessary, upgrade your Check Point SmartCenter and management clients.


If you will be using Check Point Feature Pack-2 or Check Point Feature Pack-3 on the Alteon
Switched Firewall, you must upgrade any stations running the Check Point SmartCenter or
management clients to use NG Application Intelligence software. See your complete Check
Point documentation at http://www.checkpoint.com/support/technical/documents/index.html
(ID and password required) for upgrade procedures.

3. Load the Alteon Switched Firewall 4.0.2 upgrade package into the Alteon Switched Firewall.

To load the software package, log in to the Alteon Switched Firewall Command Line Interface (CLI) and issue the following menu command:

>> Main# /boot/software/download

4. When prompted, enter the protocol FTP to download the upgrade package.


TFTP will not work because the upgrade package file is greater than 32MB.

Select TFTP or FTP [tftp/ftp]: ftp

5. When prompted, enter the host name or IP address of the server.

Enter FTP server host: <host name or IP address>

6. Enter the name of the new software file on the server.

Enter filename on server: <filename.pkg>

7. Wait for the software to complete loading.


If no problems are encountered, when the download is complete, the size of the downloaded
file will be reported, followed by an “ok” message and the CLI menu prompt.

Received 13056048 bytes in 27.2 seconds

ok

>> Software Management#

8. Inspect the status of the software:

>> Software Management# cur


Version Name Status
------- ---- ------
4.0.2.0_R55 tng unpacked
4.0.1.0 tng permanent

The downloaded software upgrade package is indicated with the status unpacked. In this
example, version 4.0.2 is being installed.

9. Activate the desired upgrade package:

>> Software Management# activate <version> (in this example: 4.0.2.0_R55)


Confirm action 'activate'? [y/n]: y
Activate ok, relogin
Restarting system.

login:


NOTE – After activating the new version, the Firewall Directors will reboot. When they have rebooted, there may be a brief period of time during which the new menus may not yet be initialized. If this occurs, log out and then log back in again after a brief wait.

The Check Point software is automatically upgraded as part of the activation.

10. When the system reboots, log in again and check the software status:

>> Main# /boot/software/cur


Version Name Status
------- ---- ------
4.0.2.0_R55 tng permanent
4.0.1.0 tng old

In this example version 4.0.2 is now operational and will survive a reboot of the system, while
the software version previously indicated as permanent now is marked as old.

NOTE – At this point, your firewall will still be running, but may have turned firewall acceleration off.

Wait for the Firewall Director to reboot after the Check Point software upgrade.

11. In the SmartDashboard management tool on your management client, change the version ID of the firewall cluster object.

12. Push your policies to the upgraded Alteon Switched Firewall cluster.

13. Verify that traffic again passes through the firewall.


Upgrading Version 4.0.2 to a Higher Version


To ensure that the Alteon Switched Firewall software running on the Firewall Accelerators and Firewall Directors, as well as on the Check Point management devices, is operating properly, you must from time to time upgrade one or more of the software components. This chapter describes the different types of software upgrades and provides detailed procedures as necessary.

Overview of Upgrade Tasks


Upgrading the software on your Alteon Switched Firewall consists of the following tasks:

- Verifying compatibility
- Identifying the type of upgrade you wish to install
- Loading the new software upgrade package or install image onto an FTP server on your network
- Downloading the new software from the FTP server to your Alteon Switched Firewall
- Activating the new software image on your Alteon Switched Firewall cluster.

Compatibility
When upgrading any software component, take care to ensure that appropriate and compatible
versions of software are installed. Be sure to check any accompanying product Readme file
and Release Notes for software compatibility and special installation instructions.

The following versions of software are required for this release:

- Alteon Switched Firewall Release 4.0.2

This software resides on each Firewall Director and Firewall Accelerator in the cluster. A version is included on CD-ROM with each Alteon Switched Firewall component and is pre-installed on the devices. Upgrades are performed using the Alteon Switched Firewall Single System Image (SSI), where all cluster software is updated simultaneously. The SSI includes the Firewall OS, Accelerator OS, and built-in Check Point firewall software.

- Check Point SmartCenter

This software resides on administrator workstations in your network (not on the Alteon Switched Firewall). It is used to install, maintain, and monitor security policies for all your network’s firewalls. One Check Point SmartCenter station is required, along with one or more Check Point management clients such as the SmartDashboard.

- Check Point FireWall-1 NG Application Intelligence (AI) software

This is a software upgrade required for the workstations running the Check Point SmartCenter and Management Clients.


Types of Upgrade
There are three major classes of software upgrades that may be required for maintaining the Alteon Switched Firewall: those that affect the Alteon Switched Firewall SSI, those that target only the Alteon Switched Firewall’s built-in Check Point firewall software, and those that are installed on Check Point management stations outside the cluster.

Alteon Switched Firewall SSI Upgrades


The following upgrades affect the Alteon Switched Firewall SSI.

- Major Releases: This type of upgrade may contain important software corrections and feature enhancements for the Alteon Switched Firewall. It may affect any or all SSI components: the Firewall OS, Accelerator OS, or built-in Check Point firewall software. The Alteon Switched Firewall will automatically reboot after a major upgrade, in order to initialize new features. All configuration data is retained.
- Minor Releases: This type of upgrade typically corrects minor software problems on the Alteon Switched Firewall. All upgrades installed will require rebooting the cluster. All configuration data is retained.
- Patches: This type of upgrade corrects individual software issues on the Alteon Switched Firewall. Patches are usually extremely small and target specific sub-files in the SSI. Patches can usually be installed without rebooting the cluster, retaining normal operational traffic flow. All configuration data is retained.

Built-In Firewall Software Upgrades


The following upgrades are obtained separately from Check Point and can be used to enhance
the Alteon Switched Firewall’s built-in Check Point software:

- Check Point Feature Pack: This type of upgrade may contain important firewall software corrections and feature enhancements. This may be necessary to ensure compatibility with the Check Point software installed on the supporting management stations. The Alteon Switched Firewall may automatically reboot after installation of a feature pack. All configuration data is retained.
- Check Point Hotfix: This type of upgrade corrects minor software problems in the Check Point software built into the Alteon Switched Firewall. After installing Hotfixes, you must reboot the cluster. All configuration data is retained.


Check Point Software Tool Station Upgrades


- SmartCenter or management client Check Point Feature Pack
- SmartCenter or management client Hotfix

Installing a Minor/Major Release Upgrade


To install a minor or major release upgrade on your Alteon Switched Firewall, you will need
the following:

- CLI access via local console terminal or to the cluster MIP address through a remote Telnet or SSH connection.
- The software upgrade package loaded on an FTP server on your network. The FTP server must allow anonymous login.
- The host name or IP address of the FTP server. If you choose to specify the host name, please note that the DNS parameters must have been configured. For more information, see the “DNS Servers Menu” on page 204.
- A firewall rule that allows FTP traffic (and DNS traffic if using a host name) to pass to and from the Firewall Directors.
- The name of the software upgrade package (upgrade packages are identified by the .pkg extension).

All of the cluster components cooperate to provide a single system view. Thus, you need only to connect to the cluster MIP address to perform a cluster-wide software upgrade. The upgrade will be automatically extended to all the cluster components which are in operation at the time of the upgrade. All configuration data is retained.

Access can be accomplished via local serial port, or remote Telnet or SSH (Secure Shell) connection. Note, however, that Telnet and SSH connections are disabled by default, and if desired, must be manually configured after you have set up the initial cluster. For more information about enabling Telnet and SSH connections, see Chapter 10, “The Command Line Interface,” on page 145.

Once you have logged in to the CLI, use the following procedure.

1. At the Main menu prompt, enter the following command:

>> Main# /boot/software/download


2. When prompted, enter the protocol FTP to download the upgrade package.

Select TFTP or FTP [tftp/ftp]: ftp

3. When prompted, enter the host name or IP address of the FTP server.

Enter FTP server host: <host name or IP address>

4. Enter the name of the new software file on the FTP server.

Enter filename on server: <filename.pkg>

5. Wait for the software to complete loading.


If no problems are encountered, when the download is complete, the size of the downloaded
file will be reported, followed by an “ok” message and the CLI menu prompt.

Received 13056048 bytes in 27.2 seconds

ok

>> Software Management#

Once the upgrade is loaded, it must be activated.


Activating the Software Upgrade Package


The Alteon Switched Firewall can hold up to two versions of the same major software release simultaneously (version 4.0.2.1 and version 4.0.2 for example). To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the Alteon Switched Firewall, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which may cause the Alteon Switched Firewall to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.

For minor and major releases, the software change takes place synchronously among the components in a cluster. If one or more components are not operational when the software is upgraded, they will be automatically upgraded with the new version when they are started.

NOTE – If more than one software upgrade has been performed on a cluster while a Firewall Accelerator or Firewall Director has been out of operation, the device must be reinstalled with the software version currently in use in that cluster. For more information see “Reinstalling the Software” on page 137.

When you have downloaded the software upgrade package, you can inspect its status and activate it using the following commands.

1. Inspect the status of the software:

>> Main# /boot/software/cur


Version Name Status
------- ---- ------
4.0.2.0_R55 tng unpacked
4.0.1.0 tng permanent

The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one out of four possible status values. The meaning of these status values is as follows:

- unpacked means that the software upgrade package has been downloaded and automatically decompressed.
- current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent.


- permanent means that the software is operational and will survive a reboot of the system.
- old means the software version has been permanent but is not currently operational. If a software version marked old is available, it is possible to switch back to this version by activating it again.

2. Activate the desired software package:

>> Software Management# activate 4.0.2.0_R55


Confirm action 'activate'? [y/n]: y
Activate ok, relogin
Restarting system.

login:

As a result of running the activate command, you will be logged out and have to log in again, because the CLI menus may have been upgraded. Wait until the login prompt appears again, which may take up to two minutes depending on whether the system reboots.

3. Log in again and check the software status again:

>> Main# /boot/software/cur


Version Name Status
------- ---- ------
4.0.2.0_R55 tng permanent
4.0.1.0 tng old

In this example version 4.0.2.0 is now operational and will survive a reboot of the system,
while the software version previously indicated as permanent now is marked as old.

NOTE – If you encounter serious problems while running the new software version, you can
revert to the previous software version (now indicated as old). To do this, activate the software
version number indicated as old. When you log in again after having activated the old software
version, its status is indicated as current for a short while. After about one minute, when the
system has performed the necessary health checks, the current status is changed to permanent.
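The status transitions described in this section, and in Step 8 through Step 10 of “Upgrading to Version 4.0.2”, can be checked mechanically. The Python below is an added example rather than part of the manual: it parses /boot/software/cur output, reports whether an activation reached the expected state (target permanent, previous version old, at most two versions held), and names the old version that a rollback would activate. The two listings are constructed from the examples on this page.

```python
# Constructed listings, modelled on the /boot/software/cur output shown in
# this chapter: before activation, and after the reboot has completed.
BEFORE_ACTIVATE = """\
Version Name Status
------- ---- ------
4.0.2.0_R55 tng unpacked
4.0.1.0 tng permanent
"""
AFTER_ACTIVATE = """\
Version Name Status
------- ---- ------
4.0.2.0_R55 tng permanent
4.0.1.0 tng old
"""

STATUSES = {"unpacked", "current", "permanent", "old"}


def parse_software_status(text: str) -> dict:
    """Parse 'cur' output into {version: status}, skipping the header rows."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "Version" or parts[0].startswith("-"):
            continue
        version, _name, status = parts
        if status not in STATUSES:
            raise ValueError(f"unexpected status {status!r} for {version}")
        table[version] = status
    if len(table) > 2:
        # the system holds at most two versions of a major release
        raise ValueError(f"more than two versions listed: {sorted(table)}")
    return table


def check_activation(before: str, after: str, target: str) -> list:
    """Compare listings taken before and after 'activate <target>'.

    Returns a list of problems; an empty list means the target is permanent
    and the previously permanent version was demoted to old.
    """
    b, a = parse_software_status(before), parse_software_status(after)
    problems = []
    if b.get(target) not in ("unpacked", "old"):
        problems.append(f"{target} was {b.get(target)} before activation; "
                        "only unpacked or old versions can be activated")
    if a.get(target) == "current":
        # health checks still running; the manual says this takes about a minute
        problems.append(f"{target} is still current: health checks have not "
                        "finished, re-check after about a minute")
    elif a.get(target) != "permanent":
        problems.append(f"{target} is {a.get(target)} after activation, "
                        "expected permanent")
    for version, status in b.items():
        if status == "permanent" and version != target and a.get(version) != "old":
            problems.append(f"{version} was permanent but is now {a.get(version)}, "
                            "expected old")
    return problems


def rollback_candidate(listing: str):
    """Version marked old, i.e. the one 'activate' would switch back to."""
    for version, status in parse_software_status(listing).items():
        if status == "old":
            return version
    return None


if __name__ == "__main__":
    print(check_activation(BEFORE_ACTIVATE, AFTER_ACTIVATE, "4.0.2.0_R55"))
    print(rollback_candidate(AFTER_ACTIVATE))
```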


Reinstalling the Software


Reinstalling the software is seldom required. It is usually only necessary after a serious malfunction, or when adding a new Firewall Director to a cluster with a different software version.

Reinstallation resets the Firewall Director configuration to factory defaults. All previous data
and software is erased, including old software image versions and upgrade packages.

Follow this procedure to reinstall the Firewall OS software:

1. Log in to the Firewall Director using the administrator account.

2. Obtain an Alteon Switched Firewall bootable CD-ROM and place it in the Firewall
Director CD-ROM drive.

3. Reboot the Firewall Director by issuing and confirming the following command:

>> # /boot/reboot

4. When the system reboots, log in as root (no password is necessary when booting from the CD-ROM).

root

5. Issue the following installation command.

install-tng asf-5014-x305 (For ASF 6614)

NOTE – The command must be entered in lower case.

6. Wait for the installation script to finish. If the Firewall Director doesn't reboot automatically, take the software CD-ROM out and reboot the Firewall Director.

7. Log in using the administrator account. The installation is complete.


The new Firewall Director is now ready to be installed as part of a new cluster (see Chapter 2,
“Initial Setup,” on page 25) or added to an existing cluster (see Chapter 7, “Expanding the
Cluster,” on page 105).

CHAPTER 9
Basic System Management
This chapter explains how to access system management features on the Alteon Switched Firewall. Management access is required for collecting system information, configuring system parameters beyond initial setup, establishing firewall security policies, and monitoring policy effectiveness.

The following topics are discussed in this chapter:

- “Management Tools” on page 140
- “Users and Passwords” on page 141
- “The Single System Image” on page 142


Management Tools
The Alteon Switched Firewall provides the following system management tools:

- The Command Line Interface (CLI)

The CLI offers a simple, text-based menu system for collecting system information and configuring system parameters. Use of the CLI is required for initial setup of the system. The CLI can be accessed locally at any Firewall Director or remotely via Telnet or Secure Shell (SSH).
For details, see Part 2: Command Reference in this Guide.

- The Browser-Based Interface (BBI)

The BBI allows management via your Web browser. The BBI must be enabled through the CLI after initial setup is complete. Once enabled, the BBI can be accessed by workstations included in the access list. The BBI provides a richly featured, graphical user interface that makes routine configuration and data collection easier.
For details, see Alteon Switched Firewall Browser-based Interface Guide.

- The Check Point FireWall-1 NG interface

The built-in Check Point software interfaces with remote Check Point management tools. Using your required Check Point SmartCenter and a management client such as the SmartDashboard, you can manage the Alteon Switched Firewall policies, and view firewall logs and operational status.
For details, see your Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html (ID and password required).


Users and Passwords


Access to Alteon Switched Firewall functions is controlled through the use of unique user
names and passwords. Once you establish a connection to the system via a local console or
remote Telnet, SSH, or Web-browser, you are prompted to log in. To log in, you must enter a
valid user name and its matching password. To enable better system management and user
accountability, there are four different kinds of users, each with different levels of system
access.

The default user names and passwords for each access level are listed in Table 9-1. User names and passwords are case sensitive.

Table 9-1 User Access Levels

User Name  Password  Description and Tasks Performed
---------  --------  -------------------------------
oper       oper      The operator login is available through the CLI and BBI. The operator has no direct responsibility for system management. He or she can view all configuration information and operating statistics, but cannot make any configuration changes.

admin      admin     The administrator login is available through the CLI and BBI. The administrator has complete access to all menus, information, and configuration commands on the system, including the ability to add users and change passwords.

boot       ForgetMe  The boot login is available only through a local console terminal. The boot user can restore default passwords by reinstalling the Firewall Director software if no other method of access is available (see “Recovering from a Lock-Out” on page 355). To ensure that one avenue of access is always available in case all passwords are changed and lost, the boot user password cannot be changed.

root       ForgetMe  The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root user functions are outside the scope of this documentation.

NOTE – It is recommended that you change all the default passwords after initial configuration and as regularly as required under your network security policies. For more information, see “User Menu” on page 237 for the CLI commands or the Alteon Switched Firewall Browser-based Interface Guide for the BBI forms.


The Single System Image


The Alteon Switched Firewall system uses a Single System Image (SSI). Though the system
can be composed of multiple Firewall Director and Firewall Accelerator components, the SSI
allows all components to be configured and updated as a whole. When you make configuration
changes at any CLI or BBI management point, those changes are automatically synchronized
to the other components as required, simplifying the management process.

Through the SSI, most configuration commands affect the entire Alteon Switched Firewall
cluster. In general, features cannot be enabled or disabled on individual Firewall Directors.

The SSI is also used when updating system software. Just as with configuration changes, software updates installed at any CLI or BBI management point are automatically installed on all other components as required.

Part 2: Command Reference
This section provides detailed information about all Command Line Interface (CLI) commands and menu items, organized in the same way as the CLI. The section starts by listing the global commands, which can be used at any menu prompt, and then explains the remaining commands hierarchically:

• Accessing the Command Line Interface
• The Main Menu
• The Configuration Menu

CHAPTER 10
The Command Line Interface
The Command Line Interface (CLI) is the most direct method for viewing information about the Alteon Switched Firewall. In addition, you can use the CLI for performing all levels of system configuration.

This chapter describes how to access the CLI locally through any Firewall Director serial port, or remotely using a Telnet or Secure Shell (SSH) client. It also provides a list of commands and shortcuts that are commonly available from all the menus within the CLI. The CLI is described in the following sections:

• “Accessing the Command Line Interface” on page 146
• “Using the Command Line Interface” on page 153

NOTE – Before the CLI can be used, minimal configuration must be performed as discussed in
Chapter 2, “Initial Setup” on page 25.


Accessing the Command Line Interface


The CLI is text-based, and can be viewed using a basic terminal. The various commands are logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.

Using the Local Serial Port


Any Firewall Director serial port provides direct, local access for managing the Alteon Switched Firewall. For details on attaching a console terminal to the serial port and establishing a connection, see the section “Connecting a Console Terminal” in the Alteon Switched Firewall Hardware Installation Guide.

Once the connection is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main
Menu” on page 154).

Defining the Remote Access List


The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For
security purposes, access to these features is restricted through the remote access list.

The remote access list allows the administrator to specify IP addresses or address ranges that
are permitted remote access to the system. There is only one remote access list which is shared
by all remote management features.

If a client whose IP address is not on the list requests remote management access, the request is
dropped. By default, the access list is empty, meaning that all remote management access is
initially disallowed.

When a client’s IP address is added to the access list, that client is permitted to access all
enabled remote management features. For example, if only the Telnet feature is enabled, the
client will be able to use Telnet to reach the CLI. If the BBI is also enabled, the same client will
be able to use their Web-browser to manage the system without any changes being made to the
access list.


NOTE – When a remote management feature is enabled, access will not be allowed if the access list is left empty. Add all trusted management clients to the access list when initially enabling any remote management feature. It is also vital that you review the access list regularly and keep it up to date.

Displaying the Access List


The following CLI command is used to view the access list:

>> # /cfg/sys/accesslist/list

Adding Items to the Access List


The following CLI commands are used to permit remote management access to a specific IP
address or range of IP addresses.

1. Select the Access List menu:

>> # /cfg/sys/accesslist

2. Add trusted remote IP addresses to the list:

>> Access List# add <base IP address to permit> <network mask for range>

The add command can be repeated for as many remote managers as required. For example, to
allow IP addresses 201.10.14.7 and 214.139.0.0/24 to access remote management features, the
following commands could be used:

>> # /cfg/sys/accesslist (Select access list menu)
>> Access List# add 201.10.14.7 255.255.255.255 (Add single address)
>> Access List# add 214.139.0.0 255.255.255.0 (Add range of addresses)

NOTE – Although each remote management feature (Telnet, SSH, and BBI) can be enabled or disabled independently, all share the same access list. All addresses on the access list are permitted to access any enabled management feature. You cannot enable SSH for some and Telnet for others.

3. Apply the changes:

>> Access List# apply
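The access-list rules stated above (entries are a base address plus a mask, an empty list denies every client, and one list gates Telnet, SSH and the BBI alike) are easy to get wrong when reviewing a configuration by eye. The following Python model is an added illustration for this guide, not Alteon Switched Firewall code; the class and function names are the editor's own, and the sample addresses are the ones used in the procedure above.

```python
"""Model of the shared remote-access list (added illustration, not product code).

Mirrors the rules stated in the guide: each entry is '<base IP> <mask>',
an empty list permits nobody, and a client on the list may use any
remote-management feature that is enabled.
"""
import ipaddress


class RemoteAccessList:
    """Holds network entries built from 'add <base IP> <mask>' commands."""

    def __init__(self):
        self._entries = []

    def add(self, base_ip: str, mask: str) -> None:
        # strict=False normalises a base address with host bits set to its
        # network; a /32 mask keeps a single host (editor's assumption about
        # how the CLI treats such input).
        net = ipaddress.ip_network(f"{base_ip}/{mask}", strict=False)
        self._entries.append(net)

    def list(self):
        """What '/cfg/sys/accesslist/list' would show, as 'base mask' strings."""
        return [f"{n.network_address} {n.netmask}" for n in self._entries]

    def permits(self, client_ip: str) -> bool:
        """Default deny: an empty list permits no client at all."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self._entries)


def management_allowed(acl: RemoteAccessList, enabled_features: set,
                       client_ip: str, feature: str) -> bool:
    """A client reaches a feature only if that feature is enabled on the
    cluster AND the client's address is on the single shared access list."""
    return feature in enabled_features and acl.permits(client_ip)


if __name__ == "__main__":
    acl = RemoteAccessList()
    print("empty list permits 201.10.14.7:", acl.permits("201.10.14.7"))
    acl.add("201.10.14.7", "255.255.255.255")
    acl.add("214.139.0.0", "255.255.255.0")
    for ip in ("201.10.14.7", "214.139.0.77", "214.139.1.1"):
        print(ip, "->", acl.permits(ip))
    print(management_allowed(acl, {"telnet"}, "201.10.14.7", "ssh"))
```

Because Telnet, SSH and the BBI all consult the same list, the only way to restrict a client to one feature is to leave the other features disabled cluster-wide; the model makes that visible in `management_allowed`.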


Using Telnet
A Telnet connection allows convenient management of the Alteon Switched Firewall from any
workstation connected to the network. Telnet access provides the same management options as
those available through the local serial port.

By default, Telnet access is disabled and all remote access is restricted. Depending on the
severity of your security policy, you may enable Telnet and permit remote access to one or
more trusted client stations.

NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote access is required, consider using Secure Shell (SSH) (see “Using Secure Shell” on page 150).

Enabling Telnet Access


Before Telnet access is possible, some configuration must first be performed using the serial
port.

1. Log in as the administrator using the local serial port.

2. Check that the Firewall Directors are configured with proper IP addresses.
Each Firewall Director requires its own unique IP address, as well as one Management IP
(MIP) address which represents the entire Alteon Switched Firewall cluster. These IP
addresses are configured during the initial setup of the cluster (see Chapter 2, “Initial Setup,”
on page 25).

3. Enable Telnet access.
For security purposes, Telnet access is initially disabled. To explicitly enable Telnet for the cluster, issue the following commands:

>> # /cfg/sys/adm/telnet/ena
>> Administration Applications# apply

NOTE – The telnet command affects the entire Alteon Switched Firewall cluster. Telnet
access cannot be enabled or disabled on individual Firewall Directors.

4. Use the access list to permit remote access to trusted clients.
If you have already configured the access list for SSH or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 146.


5. Use the Check Point SmartDashboard on your management client to add a security policy that allows Telnet traffic.
The firewall policy should be constructed as follows:

• Source: The management client IP address or management network IP address range
• Destination: The cluster MIP address
• Service: Telnet
• Action: Allow

Starting the Telnet Session


Remote Telnet access requires a workstation with Telnet client software. To establish a Telnet
session, run the Telnet client software and issue the Telnet command on your workstation:

telnet <MIP address>

Connect to the cluster MIP address. Using the MIP, you can make configuration changes to the
cluster as a whole, and you can use the individual CLI host menus to halt or reboot a particular
Firewall Director in a cluster or reset its configuration to the factory default settings. There is
no need to connect to the IP address of a particular Firewall Director.

Once the Telnet session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 154).


Using Secure Shell


A Secure Shell (SSH) connection allows convenient and secure management of the Alteon
Switched Firewall from any workstation connected to the network. SSH access provides the
same management options as those available through the local serial port.

SSH access provides the following security benefits:

• Server host authentication
• Encryption of management messages
• Encryption of passwords for user authentication
• Remote user login

By default, SSH access is disabled and all remote access is restricted. Depending on the severity of your security policy, you may enable SSH and permit remote access to one or more trusted client stations.

Enabling SSH Access on the Alteon Switched Firewall


Before SSH access is possible, some configuration must first be performed using the serial port or an already enabled remote management feature.

1. Log in as the administrator.

2. Check that the Firewall Directors are configured with proper IP addresses.
Each Firewall Director requires its own unique IP address, as well as one Management IP
(MIP) address which represents the entire Alteon Switched Firewall cluster. These IP
addresses are configured during the initial setup of the cluster (see Chapter 2, “Initial Setup,”
on page 25).

3. Enable SSH access.
For security purposes, SSH access is initially disabled. To explicitly enable SSH for the cluster, issue the following commands:

>> # /cfg/sys/adm/ssh/ena
>> Administration Applications# apply

NOTE – The ssh command affects the entire Alteon Switched Firewall cluster. SSH access
cannot be enabled or disabled on individual Firewall Directors.


4. If necessary, generate new SSH keys.
During the initial setup of the Alteon Switched Firewall, it was recommended that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the Alteon Switched Firewall using an SSH client.

If you fear that your SSH host keys have been compromised, or at any time your security policy dictates, you can create new host keys using the following CLI command:

>> # /cfg/sys/adm/ssh/gensshkey
>> Administration Applications# apply

When reconnecting to the Alteon Switched Firewall after having generated new host keys,
your SSH client will display a warning that the host identification (or host keys) has been
changed.

5. Use the access list to permit remote access to trusted clients.
If you have already configured the access list for Telnet or the BBI, there is no need to repeat the process. Otherwise, to permit access to only trusted clients, see “Defining the Remote Access List” on page 146.

6. Use the Check Point SmartDashboard on your management client to add a security policy that allows SSH traffic.
The firewall policy should be constructed as follows:

• Source: The management client IP address or management network IP address range
• Destination: The cluster MIP address
• Service: SSH
• Action: Allow


Starting the SSH Session


Remote SSH access requires a workstation with SSH client software. To establish an SSH connection with the Alteon Switched Firewall, run the SSH program on your workstation by issuing the following SSH command:

ssh -l <user name> <MIP address>

where the -l (lower case L) option is followed by the user name (admin, oper, and so on)
being logged in, and the cluster MIP address.

NOTE – You cannot log in as boot or root using SSH.

Using the MIP address, you can make configuration changes to the cluster as a whole and to
individual Firewall Directors as appropriate. There is no need to connect to the IP address of a
particular Firewall Director.

Once the SSH session is initiated, you will be prompted to log in and enter a valid password. For more information about different access levels and initial passwords, see “Users and Passwords” on page 141.

When the login is validated, the Main Menu of the CLI will be displayed (see “The Main Menu” on page 154).

Remote Login via SSH


ASF 4.0.2 allows remote users to log in to troubleshoot or perform maintenance on the firewall. This feature must be used cautiously, because it provides users with the ability to log in remotely using SSH and access the Linux shell. Remote users who know the root password can use the Linux utility su and run “su root”.

The following defenses are built in to ensure maximum security:

• To log in, the user has to authenticate using the public key/private key mechanism. DSA or RSA key pairs can be used, but they must be in OpenSSH version 2 format only. Password-based authentication is not allowed.
• The IP address of the remote user must be part of the access list.
• The Check Point policy must allow the SSH connection between the remote user and the ASF.
To manage remote SSH users, use the following CLI command:

>> # /cfg/sys/user/adv/user
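Two of the steps above leave the administrator with a manual check: after gensshkey (step 4 of “Enabling SSH Access”), the client's “host identification has changed” warning should only be accepted once the new host key's fingerprint has been confirmed out of band (for example, read from the serial console); and for remote SSH users, only OpenSSH version 2 format RSA or DSA public keys are acceptable. Both checks come down to parsing the one-line OpenSSH public key format (`<type> <base64 blob> [comment]`), confirming that the key type embedded in the blob matches the declared type, and computing the SHA256 fingerprint in the form OpenSSH prints. The Python below is an added example written for this guide, not the product's or OpenSSH's code; `make_demo_key` builds syntactically valid key lines with constructed, non-cryptographic payloads so the example runs offline, and the function names are the editor's own.

```python
"""OpenSSH public-key line parsing and fingerprinting (added illustration).

Not Alteon Switched Firewall or OpenSSH code. Used for two checks the guide
leaves to the administrator: verifying a regenerated host key out of band,
and accepting only OpenSSH v2 format RSA/DSA keys for remote SSH users.
"""
import base64
import hashlib
import struct

# Key types the guide permits for remote SSH users (DSA is 'ssh-dss' in OpenSSH).
ALLOWED_TYPES = ("ssh-rsa", "ssh-dss")


def parse_pubkey_line(line: str):
    """Return (declared_type, blob_bytes, comment); raise ValueError if the
    line is not '<type> <base64> [comment]' or the blob contradicts the type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # validate=True rejects stray characters; binascii.Error is a ValueError.
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to carry a key type")
    # OpenSSH v2 blobs begin with a length-prefixed string naming the key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != declared:
        raise ValueError(f"declared {declared} but blob carries {embedded}")
    return declared, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH displays it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def acceptable_remote_user_key(line: str) -> bool:
    """Policy from the guide: v2 format, RSA or DSA, nothing else."""
    try:
        ktype, _, _ = parse_pubkey_line(line)
    except ValueError:
        return False
    return ktype in ALLOWED_TYPES


def host_key_matches(expected_fp: str, presented_line: str) -> bool:
    """Compare the fingerprint read out of band (e.g. on the console) with
    the host key the SSH client was presented with."""
    _, blob, _ = parse_pubkey_line(presented_line)
    return fingerprint(blob) == expected_fp


def make_demo_key(ktype: str, payload: bytes) -> str:
    """Build a syntactically valid key line from a CONSTRUCTED payload.
    Real keys carry real parameters after the type string; these do not."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + payload
    return f"{ktype} {base64.b64encode(blob).decode()} demo@example"


if __name__ == "__main__":
    line = make_demo_key("ssh-rsa", b"\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\x01")
    print("acceptable:", acceptable_remote_user_key(line))
    print("fingerprint:", fingerprint(parse_pubkey_line(line)[1]))
```

The declared-versus-embedded type check matters because a key line that says `ssh-rsa` but carries another algorithm's blob is malformed, and a parser that trusts only the leading word would mis-classify it; rejecting it up front keeps the RSA/DSA policy meaningful.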


Using the Command Line Interface

Basic Operation
Using the CLI, Alteon Switched Firewall administration is performed in the following manner:

• The administrator selects from a series of menu and sub-menu items, and modifies parameters to create the desired configuration.
• Most changes are considered pending and are not immediately put into effect or permanently saved. Only a few types of changes take effect when entered (such as changes to users and passwords). Commands that take effect immediately are noted in the command descriptions (see Chapter 11, “The Main Menu”).
• The global cur command can be used to view the current settings for the commands in the current menu.
• In order to save changes and make them take effect, the administrator must use the global apply command. This allows the administrator to make an entire series of changes and then put them into effect all at once.
• Using the validate command on the Main Menu, the administrator can validate the configuration to check for any configuration problems prior to applying them. If the configuration is in an invalid state, the apply command will not be allowed.
• The global diff command can be used to view pending changes before they are applied.
• To clear all pending changes, the administrator can use the global revert command and then continue the configuration session, or the global exit command to log out from the system. Closing your remote session will also discard pending changes, though exiting manually is preferred.

NOTE – When multiple CLI or BBI administrator sessions are open at the same time, only
pending changes made during your current session will be affected by the diff, revert, or
exit commands. However, if multiple CLI or BBI administrators apply changes to the same
set of parameters concurrently, the latest applied changes take precedence.
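The pending-versus-applied model described in this section (session-local pending changes, diff, validate with non-blocking warnings and blocking errors, apply that validates first, revert, and last-apply-wins between concurrent sessions) is shown below as a small Python state model. It is an added illustration for this guide, not the product's implementation; the two validation rules it applies are constructed from facts stated elsewhere in this chapter (the idle time-out must be 5 to 60 minutes; a remote management feature enabled with an empty access list admits nobody), and the parameter names and class names are the editor's own.

```python
"""Pending/applied configuration model (added illustration, not product code).

Rules mirrored from the guide: changes are pending and private to a
session; diff lists them; validate returns warnings (apply still allowed)
and errors (apply refused); apply validates then commits; revert discards
pending changes only; when sessions apply the same parameter, the latest
apply wins. Validation rules are constructed for the example.
"""
import copy


class Cluster:
    """The shared applied configuration (the Single System Image)."""

    def __init__(self):
        self.applied = {
            "sys/adm/idle": 10,        # minutes, guide default is ten
            "sys/adm/telnet": False,
            "sys/adm/ssh": False,
            "sys/accesslist": [],
        }


class Session:
    """One CLI or BBI administrator session with its own pending changes."""

    def __init__(self, cluster: Cluster):
        self.cluster = cluster
        self.pending = {}

    def set(self, key: str, value) -> None:
        self.pending[key] = value

    def diff(self) -> dict:
        """Pending values that differ from the applied configuration,
        as key -> (applied, pending). Other sessions' changes never appear."""
        return {k: (self.cluster.applied.get(k), v)
                for k, v in self.pending.items()
                if self.cluster.applied.get(k) != v}

    def _effective(self) -> dict:
        cfg = copy.deepcopy(self.cluster.applied)
        cfg.update(self.pending)
        return cfg

    def validate(self):
        """Return (errors, warnings) for applied + this session's pending."""
        cfg = self._effective()
        errors, warnings = [], []
        idle = cfg["sys/adm/idle"]
        if not isinstance(idle, int) or not 5 <= idle <= 60:
            errors.append(f"idle time-out {idle!r} not in 5..60 minutes")
        if (cfg["sys/adm/telnet"] or cfg["sys/adm/ssh"]) and not cfg["sys/accesslist"]:
            warnings.append("remote management enabled but access list is empty")
        return errors, warnings

    def apply(self):
        """Validate, then commit; returns (ok, errors, warnings)."""
        errors, warnings = self.validate()
        if errors:
            return False, errors, warnings     # nothing is committed
        self.cluster.applied.update(copy.deepcopy(self.pending))
        self.pending.clear()
        return True, errors, warnings

    def revert(self) -> None:
        """Drop this session's pending changes; applied config untouched."""
        self.pending.clear()


if __name__ == "__main__":
    cluster = Cluster()
    admin_a, admin_b = Session(cluster), Session(cluster)
    admin_a.set("sys/adm/telnet", True)
    print("A diff:", admin_a.diff(), "B diff:", admin_b.diff())
    print("A apply:", admin_a.apply())
    admin_a.set("sys/adm/idle", 3)
    print("A apply with bad idle:", admin_a.apply())
```

Note how `apply` with an error leaves the pending set intact so the administrator can correct it, while a warning-only result commits; that is the asymmetry between the two message classes described under the validate and apply commands.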


The Main Menu


After initial system setup is complete and the user performs a successful connection and login,
the Main Menu of the CLI is displayed. Figure 10-1 shows the Main Menu with administrator
privileges:

[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]

>> Main#

Figure 10-1 Administrator Main Menu

For more information about initial system setup, see Chapter 2, “Initial Setup,” on page 25. For
details about accessing the CLI, see “Accessing the Command Line Interface” on page 146.

Idle Time-out
By default, the system will disconnect your CLI session after ten minutes of inactivity. This function is controlled by the idle time-out parameter as shown in the following command:

>> # /cfg/sys/adm/idle <time-out period>

where the time-out period is specified as an integer from 5 to 60 minutes.

Multiple Administration Sessions


It is possible to have more than one CLI or BBI administrator session open at the same time.
Although each concurrent administrator session is independent, when configuration changes
are saved to the Single Software Image (SSI) that is shared by the cluster, the saved changes
affect all users. However, if multiple CLI or BBI administrators apply changes to the same set
of parameters concurrently, the latest applied changes take precedence.


Global Commands
Some basic commands are recognized throughout the entire menu hierarchy. These commands
are useful for obtaining online help, navigating through menus, and for applying and saving
configuration changes:

Table 10-1 Global CLI Commands

Command Action

help [<command>] Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. Redisplay the current menu.

.. or up Go up one level in the menu structure.

/ If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

apply Apply and save pending configuration changes.

diff Show any pending configuration changes.

exit Exit from the CLI and log out.

cur Displays the settings for the commands on the current menu. The output of the cur command is for viewing only. It cannot be captured to a file and later restored. If you wish to save the configuration for restoration later on, use the dump or ptcfg commands.

lines <n> Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

nslookup Find the IP address or host name of a network device. The format is as follows:
nslookup <host name|IP address>
In order to use this command, you must have configured the cluster to use a DNS server. If you did not specify a DNS server during the initial setup procedure, you can add a DNS server at any time by using the /cfg/sys/dns/add command.

paste Set a password for restoring a saved configuration dump file that includes encrypted private keys.

ping Use this command to verify station-to-station connectivity across the network. The format is as follows:
ping <address> [<tries> [<delay>]]
Where address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), and delay (optional) is the number of milliseconds between attempts. The DNS parameters must be configured if specifying hostnames (see “DNS Servers Menu” on page 204).

pwd Display the command path used to reach the current menu.

revert Cancel all pending configuration changes.

traceroute Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
traceroute <address> [<max-hops> [<delay>]]
Where address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. As with ping, the DNS parameters must be configured if specifying hostnames.

verbose <n> Sets the level of information displayed on the screen:
0 = Quiet: Nothing appears except errors—not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
When used without a value, the current setting is displayed.


Command Line History and Editing


Using the CLI, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 10-2 Command Line History and Editing Options

Option Description

history Display a numbered list of the last 10 previously entered commands.

!! Repeat the last entered command.

!<n> Repeat the nth command shown on the history list.

<Ctrl-p> (Also the up arrow key.) Recall the previous command from the history list. This can
be used multiple times to work backward through the last 10 commands. The recalled
command can be entered as is, or edited using the options below.

<Ctrl-n> (Also the down arrow key.) Recall the next command from the history list. This can be
used multiple times to work forward through the last 10 commands. The recalled com-
mand can be entered as is, or edited using the options below.

<Ctrl-a> Move the cursor to the beginning of the command line.

<Ctrl-e> Move cursor to the end of the command line.

<Ctrl-b> (Also the left arrow key.) Move the cursor back one position to the left.

<Ctrl-f> (Also the right arrow key.) Move the cursor forward one position to the right.

<Backspace> (Also the Delete key.) Erase one character to the left of the cursor position.

<Ctrl-d> Delete one character at the cursor position.

<Ctrl-k> Kill (erase) all characters from the cursor position to the end of the command line.

<Ctrl-l> Redraw the screen.

<Ctrl-u> Clear the entire line.

Other keys Insert new characters at the cursor position.


Command Line Shortcuts

Command Stacking
As a shortcut, you can type multiple commands on a single line separated by forward slashes
( / ). You can connect as many commands as required to access the menu option that you want.
For example, the command stack to access Cluster Configuration menu from the Main#
prompt is as follows:

>> Main# cfg/sys/cluster

Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

>> Main# c/s/cl

Tab Completion
By entering the first letter of a command at any menu prompt and pressing <Tab>, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) when <Tab> is pressed, that command will be supplied on the command line. You can then execute the command by pressing <Enter>. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.
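Command stacking, abbreviation and tab completion are three views of one algorithm: walk a menu tree one token at a time, accepting a token when it is an exact name or the unique prefix of exactly one entry, and refusing it when it matches none or more than one. The Python below is an added example for this guide, not the product's parser; its menu tree is a partial reconstruction containing only the command paths named in this chapter (menus and commands the chapter does not mention are omitted), so it illustrates the matching rule rather than the full CLI.

```python
"""Prefix resolution over a CLI menu tree (added illustration, not product code).

MENU is a partial reconstruction from command paths named in this chapter:
a dict value is a sub-menu, None is a leaf command. Resolution accepts a
token that is an exact name or the unique prefix of one entry, as the guide
describes for abbreviation and <Tab> completion.
"""

MENU = {
    "info": {"clu": None, "host": None, "det": None, "net": {}, "syslog": None,
             "fw": None, "log": None, "lic": None, "acc": None, "telnet": None,
             "ssh": None, "snmp": None, "web": None, "time": None, "asfnet": None},
    "cfg": {
        "sys": {
            "cluster": {},
            "accesslist": {"list": None, "add": None},
            "adm": {"telnet": {"ena": None, "cur": None},
                    "ssh": {"ena": None, "gensshkey": None, "cur": None},
                    "idle": None},
            "dns": {"add": None},
            "user": {"adv": {"user": None}},
            "log": {"cur": None},
        },
        "fw": {"cur": None}, "acc": {"cur": None}, "pnp": {"cur": None},
        "misc": {"warn": None}, "dump": None,
    },
    "boot": {},
    "maint": {},
}


def candidates(menu, prefix: str):
    """Entries of `menu` that `prefix` could mean; an exact name wins outright."""
    if menu is None:
        return []                      # a leaf command has no sub-entries
    if prefix in menu:
        return [prefix]
    return sorted(name for name in menu if name.startswith(prefix))


def resolve(stack: str, root=MENU):
    """Expand a stacked, possibly abbreviated path such as 'c/s/cl' into
    ['cfg', 'sys', 'cluster']. A leading '/' starts at the Main Menu, which
    is also where `root` defaults to. Raises ValueError when a token matches
    nothing or is ambiguous."""
    path, menu = [], root
    for tok in [t for t in stack.strip().split("/") if t]:
        if menu is None:
            raise ValueError(f"'{path[-1]}' is a command, not a menu")
        matches = candidates(menu, tok)
        where = "/".join(path) or "Main"
        if not matches:
            raise ValueError(f"no command starting with '{tok}' in {where}")
        if len(matches) > 1:
            raise ValueError(f"'{tok}' is ambiguous in {where}: {', '.join(matches)}")
        path.append(matches[0])
        menu = menu[matches[0]]
    return path


def tab_complete(stack: str, typed: str, root=MENU):
    """Names offered when <Tab> is pressed after `typed` in the menu that
    `stack` reaches; an empty `typed` lists the whole menu."""
    menu = root
    for name in resolve(stack, root):
        menu = menu[name]
    return candidates(menu, typed)


if __name__ == "__main__":
    print(resolve("c/s/cl"))                     # the guide's example shortcut
    print(tab_complete("cfg/sys", "a"))          # ambiguous prefix, two offers
    try:
        resolve("c/s/a")
    except ValueError as exc:
        print("rejected:", exc)
```

The exact-name-wins rule is what lets a short command coexist with longer ones sharing its prefix (a menu holding both `ssh` and a hypothetical `sshkeys` would still accept `ssh` unambiguously), and the ambiguity error is the behaviour the guide implies when an abbreviation does not yet distinguish the command.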

CHAPTER 11
The Main Menu
After initial system setup is complete and the user performs a successful connection and login,
the Main Menu of the Command Line Interface is displayed.

[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]

Table 11-1 Main Menu

Command Syntax and Usage

info
The Information Menu is used for displaying information about the current status of the
Alteon Switched Firewall.
See page 163 for menu items.
cfg
The Configuration Menu is used for configuring the Alteon Switched Firewall. Some
commands are available only from an administrator login.
See Chapter 12, “The Configuration Menu” for menu items.
boot
The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if necessary.
See page 173 for menu items.


maint
The Maintenance Menu is used for system diagnostics. This should be used only at the
request of Nortel Networks technical support.
See page 177 for menu items.
diff
This global command is available from any menu or sub-menu. It displays the difference
between the applied configuration (the configuration that the system is currently using)
and the pending configuration (the uncommitted changes that have not yet been applied).
Only pending changes made during your current administrator session are included.
Pending changes being made by other CLI or BBI administrator sessions are not
included.
validate
This command is used to validate pending configuration changes made during your current administration session. This command does not include pending changes being made by other CLI or BBI administrator sessions that are running at the same time.
When you enter the validate command, your pending changes are examined to ensure that they are complete and consistent. If problems are found, warning or error messages are displayed.
Warnings identify conditions that you should pay special attention to, but that will not cause errors or prevent the configuration from being applied when you enter the apply command.
Errors identify serious configuration problems that must be corrected before changes
can be applied. Uncorrected errors will cause the apply command to fail.
If the validate command returns warning or error messages, heed the messages and
make any necessary configuration changes.
security
This command lists the status (enabled or disabled) for remote management features
such as Telnet, SSH, and the BBI for the cluster. It also lists which users (if any) are still
using default passwords which should be changed.


apply
This global command is available from any menu or sub-menu. It is used to apply and
save configuration changes made during your current administration session. Changes
are considered pending and do not take effect until this command is issued. Pending
changes being made by other CLI or BBI administrator sessions are not affected.
When issued, the apply command first validates your session’s pending changes. If
problems are found, applicable warning and error messages are displayed. Errors are
serious and will cause the apply command to fail before any changes are applied. If
there are no errors (warnings are allowed), the changes are saved and put into effect.
Warning messages can be turned off using the /cfg/misc/warn command (see page 332).
If multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
The global revert command clears pending changes and will not restore the configuration to its previous settings once the apply command is issued.
revert
This global command is available from any menu or sub-menu. It cancels all pending
configuration changes made during your current administration session. Applied
changes are not affected. Pending changes made by other open CLI or BBI sessions are
also not affected.
paste
This global command is available from any menu or sub-menu. It lets you restore a saved
configuration dump file that includes encrypted private keys.
If private keys were included when you created your configuration dump file (/cfg/dump), you were required to specify a password for encrypting the private keys. When the paste command is issued, you will be prompted to supply the same password phrase. You can then open the configuration dump file in your text editor, copy the information, and paste it to the CLI window.
When pasted, the configuration content is batch processed by the Alteon Switched Firewall. The pasted commands are entered as pending, and any included private keys are decrypted. You can view the pending configuration changes resulting from the batch processing by using the global diff command. To apply the pending configuration changes, use the global apply command.
The paste password phrase remains in effect until cleared. To clear the password phrase, enter the paste command again.


help [<menu command>]
This global command is available from any menu or sub-menu. It provides brief information about any specific command on the current menu.
When used without a parameter, the help command displays a list of global commands.
exit
This global command is available from any menu or sub-menu. It exits the CLI and logs
out the current session. Pending changes made during your current session will be lost if
not applied. This command does not affect other open CLI or BBI sessions.


/info
Information Menu

[Information Menu]
clu - Display runtime information of all Directors
host - Display runtime information of one Directors
det - Display detected Accelerator(s)
net - Network Display Menu
syslog - Display syslog entries
fw - Display firewall configuration
log - Display Platform Logging configuration
lic - Display installed license(s)
acc - Display Accelerator configuration
telnet - Display Telnet configuration
ssh - Display SSH configuration
snmp - Display SNMP configuration
web - Display Web configuration
time - Display Time Settings
asfnet - Display ASF Internal Network configuration

The Information Menu is used for displaying information about the current status of the Alteon
Switched Firewall.

Table 11-2 Information Menu (/info)

Command Syntax and Usage

clu
This command displays runtime information for all the Firewall Directors in the cluster.
Information includes CPU usage, hard disk usage, status of important applications such
as Web server, firewall, Inet server, as well as status of firewall acceleration.

host <Firewall Director IP address>
This command displays runtime information for the selected Firewall Director. Information includes CPU usage, hard disk usage, status of important applications such as Web server, firewall, Inet server, as well as status of firewall acceleration.
det
This command displays the MAC addresses and status of the Firewall Accelerators that
are being used by the Firewall Director for the firewall acceleration.


net
The Network Display Menu is used for displaying current network information for the
Alteon Switched Firewall cluster. Information includes network ports, trunking, interfaces,
and routing.
See page 166 for menu items.
syslog
This command displays the most recent syslog messages. After each set of ten syslog
messages is displayed, you are prompted whether to continue the display (enter y) or exit
(enter n).
fw
This command displays the current firewall configuration settings. Displayed information
includes firewall status (enabled or disabled), management IP addresses, and synchronization
network configuration. This is the same information available using the
/cfg/fw/cur command.

log
This command displays the current system message logging settings. This is the same
information available using the /cfg/sys/log/cur command.

lic <Firewall Director IP address>
This command displays the current Check Point license information for the selected
Firewall Director. Displayed information includes host IP address, license expiration
date, signature string, and feature string. This will display not only the licenses entered
through the CLI/WebUI, but also licenses pushed using SmartUpdate or entered from the
root prompt. This is the same information available using the /cfg/pnp/cur command.
acc
This command displays the current Firewall Accelerator configuration settings. Displayed
information includes automatic discovery and high-availability settings, a list of MAC and
IP addresses for active Firewall Accelerators, preferred Firewall Accelerator, and health
check settings. This is the same information available using the /cfg/acc/cur command.

telnet
This command displays the current Telnet configuration settings: enabled or disabled.
This is the same information available using the /cfg/sys/adm/telnet/cur
command.


ssh
This command displays the current SSH configuration settings: enabled or disabled. This
is the same information available using the /cfg/sys/adm/ssh/cur command.
snmp
This command displays the current SNMP configuration settings. Displayed information
includes a list of trap hosts, and status of event and alarm messages. This is the same
information available using the /cfg/sys/adm/snmp/cur command.
web
This command displays the current BBI configuration settings. Displayed information
includes status (enabled or disabled) and service port number for HTTP and HTTPS
(with SSL), and certificate information for SSL. This is the same information available
using the /cfg/sys/adm/web/cur command.
time
This command displays the current time and date settings, including any NTP server
settings. This is the same information available using the /cfg/sys/time/cur command.
asfnet
This command displays the current network settings for the Alteon Switched Firewall
cluster and hosts. This is the same information available using the /cfg/sys/cluster/cur
command.


/info/net
Network Display Menu
[Network Display Menu]
port - Display configured ports
trunk - Display configured trunks
if - Display configured interfaces
gre - Display GRE tunnel interfaces
route - Route Information Menu
dhcprl - DHCP Relay Information Menu
dump - Display all network configuration

The Network Display Menu is used for displaying current network information for the Alteon
Switched Firewall cluster. Information includes network routes, ports, interfaces, and gateways.

Table 11-3 Network Display Menu (/info/net)

Command Syntax and Usage

port
This command displays information about all ports configured on the Firewall Accelerator.
Displayed information includes port name, type (IP or NAAP), assigned interfaces, VLAN,
VLAN tagging status, and filters.
trunk
This command displays information about all port trunks configured on the Firewall
Accelerator. For each trunk, displayed information includes the trunk number, master
port, and a list of other ports that belong to the trunk.
if
This command displays information about all the IP interfaces configured on the system.
Displayed information includes IP addresses, masks, VLANs, and the ports to which the
IP interfaces are assigned. It also displays the names of the interface devices that are
automatically created for each IP interface.
gre
This command displays information about all the GRE tunnel interfaces configured on
the system. Displayed information includes GRE tunnel number, GRE tunnel name,
local and remote GRE tunnel physical interfaces, local and remote GRE tunnel end
points.


route
The Route Information Menu is used for displaying current information about the various
routing protocols used with the Alteon Switched Firewall. Information includes static
routes, default gateways, RIP and OSPF settings.
See page 168 for menu items.
dhcprl
The DHCP Relay Information menu is used for displaying current information about the
DHCP servers used with the Alteon Switched Firewall.
See page 172 for menu items.
dump
This command displays all information for each option in the Information Menu.


/info/net/route
Route Information Menu

[Route Information Menu]


static - Display configured static routes
gw - Display default gateways
rip - RIP Router Menu
ospf - OSPF Router Menu
table - Display complete unicast route table
find - Find a route in unicast table

The Route Information Menu is used for displaying current information about the various
routing protocols used with the Alteon Switched Firewall cluster.

Table 11-4 Route Information Menu (/info/net/route)

Command Syntax and Usage

static
This command displays all the static routes configured on the system.
gw
This command displays all the gateways configured and enabled on the system.
rip
The RIP Router Information Menu is used for displaying current RIP information.
See page 169 for menu items.
ospf
The OSPF Router Information Menu is used for displaying current OSPF information.
See page 170 for menu items.
table
This command lists all unicast routes on the system.
find
This command can find a route in the unicast route table.


/info/net/route/rip
RIP Router Information Menu

[RIP Router Information Menu]


routes - Display RIP routes
fib - Display RIP router FIB

The RIP Router Information Menu is used for displaying RIP routing information.

Table 11-5 RIP Router Information Menu (/info/net/route/rip)

Command Syntax and Usage

routes
This command displays all RIP routes from the unicast table.
fib
This command displays all RIP routes contained in the Forwarding Information-Base
(FIB) advertised by the Alteon Switched Firewall. This includes routes which have been
redistributed from other protocols.


/info/net/route/ospf
OSPF Router Information Menu

[OSPF Router Information Menu]


routes - Display OSPF routes
lsa - Display OSPF LSA information
dbcnt - Display OSPF LSA database count
neigh - Display OSPF neighbor information
infonbr - Display detailed OSPF neighbor information
spf - Display OSPF spf table
if - Display OSPF interface information
fib - Display OSPF router FIB

The OSPF Router Information Menu is used for obtaining information about OSPF routes,
links, neighbors, and interfaces.

Table 11-6 OSPF Router Information Menu (/info/net/route/ospf)

Command Syntax and Usage

routes
This command displays all OSPF routes from the unicast table.
lsa
This command displays the OSPF Link State Advertisement (LSA) tables.
dbcnt
This command displays the number of different LSA types per area (router, network,
ABR summary, and ASBR summary) and the number of the LSA external routes in the
domain.
neigh
This command displays a brief summary of the firewall’s OSPF neighbors. Neighbors are
routing devices that maintain information about each other’s health.
infonbr
This command displays detailed information on all the OSPF neighbors.
spf
This command displays the OSPF network routing table, OSPF router routing table, and
the OSPF external routing table (after calculating the SPF). The external LSAs in the
OSPF external routing table are not area specific but are common to the entire OSPF
domain.


if
This command displays information about the configured OSPF interfaces.
fib
This command displays all OSPF routes contained in the Forwarding Information-Base
(FIB) advertised by the Alteon Switched Firewall. This includes routes which have been
redistributed from other protocols.


/info/net/dhcprl
DHCP Relay Information Menu

[DHCP Relay Information Menu]


settings - Current DHCP Relay Settings
locstats - Local DHCP Relay Stats
mipstats - DHCP Relay Stats on MIP

The DHCP Relay Information Menu is used for displaying current information about the
DHCP protocol used with the Alteon Switched Firewall cluster.

Table 11-7 DHCP Relay Information Menu (/info/net/dhcprl)

Command Syntax and Usage

settings
This command displays the current DHCP relay settings.
locstats
This command displays the local DHCP Relay statistics configured and enabled on the
system.
mipstats
This command is used for displaying DHCP Relay statistics configured and enabled on
the MIP.


/boot
Boot Menu

[Boot Menu]
software - Software Management Menu
halt - Halt the Firewall Director
reboot - Reboot the Firewall Director
delete - Delete the Firewall Director

The Boot Menu is used for upgrading Alteon Switched Firewall software and for rebooting, if
necessary.

NOTE – The Software Management Menu option is not available using the operator account.

Table 11-8 Boot Menu (/boot)

Command Syntax and Usage

software
The Software Management Menu is used to load, activate, or remove Alteon Switched
Firewall software upgrade packages.
See page 175 for menu items.
halt
This command should be used only when the target Firewall Director has been isolated
from the cluster and cannot be halted using the preferred
/cfg/sys/clu/host <host number>/halt command.
After confirmation, this command stops the particular Firewall Director to which you
have connected via Telnet, SSH, or a console terminal. If using Telnet or SSH, use this
command only when you have connected to a particular Firewall Director’s individually
assigned IP address. Do not use the halt command when connected to the Management
IP (MIP) address.


reboot
This command should be used only when the target Firewall Director has been isolated
from the cluster and cannot be rebooted using the preferred
/cfg/sys/clu/host <host number>/reboot command.
After confirmation, this command reboots the particular Firewall Director to which you
have connected via Telnet, SSH, or a console terminal. When using Telnet or SSH, use this
command only when you have connected to a particular Firewall Director’s individually
assigned IP address. Do not use the reboot command when connected to the Management
IP (MIP) address.
delete
This command should be used only when the target Firewall Director has been isolated
from the cluster and cannot be deleted using the preferred
/cfg/sys/clu/host <host number>/delete command.
After confirmation, this command removes the particular Firewall Director to which you
have connected via Telnet, SSH, or a console terminal. It also resets the removed Firewall
Director to its factory default configuration.
If you are using Telnet or SSH, only use this command when you have connected to the
Firewall Director’s individually assigned IP address. Do not use the delete command
when connected to the cluster Management IP (MIP) address.
If there are other Firewall Directors in the cluster, you should also connect to the cluster
MIP address (locally or remotely) and purge the deleted Firewall Director configuration
from the cluster by using the /cfg/sys/cluster/host <host number>/delete
command.
Once you have removed a Firewall Director from the cluster, you can only access the
device through a console terminal attached directly to its local serial port. You can then
log in using the administration account (admin) and the default password (admin) to
access the Setup Menu.


/boot/software
Software Management Menu
[Software Management Menu]
cur - Display current software status
activate - Select software version to run
download - Download a new software package via TFTP/FTP
cdrom - Get a new software package via CD-ROM
del - Remove downloaded (unpacked) releases
patch - Software Patches Menu

The Software Management Menu is used to load, activate, or remove Alteon Switched
Firewall software upgrade packages.

Table 11-9 Software Management Menu (/boot/software)

Command Syntax and Usage

cur
This command displays the software status of the particular Firewall Director to which
your current Telnet, SSH, or console terminal session is connected.
activate <software version>
This command activates a downloaded and unpacked Alteon Switched Firewall software
upgrade package. Use the cur command to find the version of the downloaded and
unpacked software package. You will be prompted for a confirmation before the software
is activated.
If serious problems occur while running the new software version, you may revert to
using the previous version by activating the software version labeled as old.
Note that you will be logged out after confirming the activate command.
download <protocol>
This command lets you specify a protocol (FTP or TFTP) to download an ASF software
upgrade package from an FTP or TFTP server that allows anonymous login. Nortel
recommends FTP, because ASF images are too large for a TFTP server. After you specify
the protocol, you will be prompted for the host name or IP address of the server, as well
as the file name of the software upgrade package.
To use this feature, you must install a firewall rule that allows FTP traffic to pass to and
from the Firewall Directors.
cdrom
This command lets you download a new software package via CD-ROM.


del
After confirmation, this command lets you remove a software upgrade package that has
been downloaded using the ftp command. This command removes all upgrades and
changes the Firewall Director to a “new” state.
patch
The Software Patches Menu is used to install minor, corrective software elements on
the ASF.
See page 176 for menu items.

/boot/software/patch
Software Patches Menu

[Software Patches Menu]


install - Install a software patch
remove - Remove an installed patch
cur - List currently installed patches

The Software Patches Menu is used to install or remove small Alteon Switched Firewall
software patches.

Table 11-10 Software Patches Menu (/boot/software/patch)

Command Syntax and Usage

install <FTP host name or IP address> <patch file name>
This command lets you download an Alteon Switched Firewall software patch from an
FTP server. You need to provide the host name or IP address of the FTP server, as well as
the file name of the software patch.
remove <patch file name>
After confirmation, this command lets you remove a software upgrade package that has
been installed using the install command.
cur
This command lists the names of the ASF software patches currently installed.


/maint
The Maintenance Menu

[Maintenance Menu]
diag - Diagnostic Tools Menu
debug - Debug Information Menu
tsdump - Tech Support Dump Menu
swfc - SFA Flow Control Configuration Menu
backup - Backup/Restore Firewall Director Menu

The Maintenance Menu is used for system diagnostics and for sending a technical support
dump to an FTP server.

CAUTION—The commands in the Maintenance menu and its submenus are not commonly used,
and should not be used without proper guidance from Nortel Networks Technical Support.

Table 11-11 Maintenance Menu (/maint)

Command Syntax and Usage

diag
The Diagnostic Tools Menu is used to run diagnostic tools on the ASF.
See page 179 for menu items.
debug
The Debug Information Menu displays debug information on ASF.
See page 180 for menu items.
tsdump
The Tech Support Dump Menu is used to provide dumps for Technical Support.
See page 193 for menu items.


swfc
The Firewall Accelerator Flow Control Configuration Menu is used to set software flow
control settings to protect the Accelerator from DoS attacks.
See page 194 for menu items.
backup
The Backup/Restore Firewall Director Menu allows you to back up the Director
configuration and restore it later to the same state.
See page 195 for menu items.


/maint/diag
Diagnostics Tools Menu
[Diagnostics Tools Menu]
sync - Test sync network
ldplcy - Load Check Point policy
unldplcy - Unload Check Point policy

The Diagnostics Tools Menu is used to run diagnostic tools on the ASF.

Table 11-12 Diagnostics Tools Menu (/maint/diag)

Command Syntax and Usage

sync
This command allows you to run the diagnostic utility that checks connectivity in the sync
network. It sends an ARP request for each IP address in the sync network and reports
whether that IP address can be reached over the sync network.
ldplcy
This command uses Check Point’s fw fetch localhost command to load the installed
policy. You can load the policy on a specific Director or on all Directors in the cluster.
unldplcy
This command uses Check Point’s fw unloadlocal command to unload the installed
policy. You can unload the policy on a specific Director or on all Directors in the cluster.


/maint/debug
Debug Information Menu
[Debug Information Menu]
aim - AIM Statistics
fw - FW-1 Statistics
ac1 - Accelerator 1 Information
ac2 - Accelerator 2 Information
dbgroute - Debug routes send via ISD-SFA communication
ospf - OSPF Debug Menu
rip - RIP Debug Menu

The Debug Information Menu is used to display debug information on ASF.

Table 11-13 Debug Information Menu (/maint/debug)

Command Syntax and Usage

aim
This command displays debugging information for the Accelerator Interface Module.
See page 182 for menu items.
fw
This command displays the FW-1 Statistics menu, which allows you to run certain
Check Point Firewall commands and view the results. This menu is useful for users
already familiar with the Check Point Firewall.
See page 185 for menu items.
ac1
This command displays debugging information for Firewall Accelerator 1, and allows
you to run certain commonly used commands on the Firewall Accelerator.
See page 186 for menu items.
ac2
This command displays debugging information for Firewall Accelerator 2, and allows
you to run certain commonly used commands on the Firewall Accelerator. This menu is
the same as ac1 but displays information about the second Firewall Accelerator (if
present).
See page 188 for menu items.


dbgroute
This command displays debug routes sent to the Firewall Accelerator from the Firewall
Director.
See page 190 for menu items.
ospf
This command displays information on OSPF.
See page 191 for menu items.
rip
This command displays information on RIP.
See page 192 for menu items.


/maint/debug/aim
AIM Statistics Menu

[AIM Statistics Menu]


cur - Current AIM state (from /proc/aim/cur)
conns - AIM connection table (from /proc/aim/conns)
naap - NAAP Statistics (from /proc/aim/naap)
accel - Acceleration State (from /proc/aim/accel)
acp - AIM Control Packets statistics (from /proc/aim/acp)
app - AIM Data Packets statistics (from /proc/aim/app)
tng - TNG Statistics (from /proc/net/tng)

The AIM Statistics Menu allows you to run some Firewall Director commands and view the
results.

Table 11-14 AIM Statistics Menu (/maint/debug/aim)

Command Syntax and Usage

cur
This command displays the current AIM state and is equivalent to the Director’s
/proc/aim/cur command.

conns
This command displays information about the AIM connection table, and is equivalent
to the Director’s /proc/aim/conns command.
naap
This command displays the NAAP statistics, and is equivalent to the Director’s
/proc/aim/naap command.

accel
This command displays the acceleration state, and is equivalent to the Director’s
/proc/aim/accel command.

acp
This menu displays the statistics for the AIM control packets.
See page 184 for menu items.


app
This command displays the statistics for the AIM data packets, and is equivalent to the
Director’s /proc/aim/app command.
tng
This command displays the TNG statistics, and is equivalent to the Director’s
/proc/net/tng command.


/maint/debug/aim/acp
AIM Control Packets Menu

[AIM Control Packets Menu]


api - Secure XL API Call Statistics
conns - AIM Connection Statistics
ctxt - AIM Call Context Statistics
err - AIM Error Statistics
ha - AIM High Availability Statistics
tbl - AIM Database Usage Statistics

The AIM Control Packets Statistics Menu allows you to display statistics for AIM control
packets.

Table 11-15 AIM Control Packets Menu (/maint/debug/aim/acp)

Command Syntax and Usage

api
This command displays the Secure XL API Call Statistics and is equivalent to the
Director’s /proc/aim/acp/api command.
conns
This command displays information about the AIM connection table and is equivalent to
the Director’s /proc/aim/acp/conns command.
ctxt
This command displays the AIM Call Context statistics and is equivalent to the
Director’s /proc/aim/acp/ctxt command.
err
This command displays the AIM error statistics and is equivalent to the Director’s
/proc/aim/acp/err command.
ha
This command displays AIM high availability statistics and is equivalent to the
Director’s /proc/aim/acp/ha command.
tbl
This command displays the AIM database usage statistics and is equivalent to the
Director’s /proc/aim/acp/tbl command.


/maint/debug/fw
FW-1 Statistics Menu

[FW-1 Statistics Menu]


ver - Check Point Version
stat - FW-1 Statistics
lic - Check Point Licenses
ctlpstat - FW-1 Kernel Statistics

The FW-1 Statistics Menu allows you to run some Check Point Firewall commands and view
the results.

Table 11-16 FW-1 Statistics Menu (/maint/debug/fw)

Command Syntax and Usage

ver
This command displays version information and is equivalent to Check Point’s
fw ver command.
stat
This command displays information about the installed policy, and is equivalent to
Check Point’s fw stat command.
lic
This command displays the installed licenses, and is equivalent to Check Point’s
cplic print -x command.
ctlpstat
This command displays Check Point Firewall internal statistics, and is equivalent to
Check Point’s fw ctl pstat command.


/maint/debug/ac1
Accelerator 1 Information Menu

[Accelerator 1 Information Menu]


sys - System information for SFA1
boot - Boot settings for SFA1
naap - NAAP statistics for SFA1
vrrp - VRRP info for SFA1
sess - Session table dump for SFA1
prtstat - Port statistics for SFA1
btinfo - Boot information for SFA1
clear - Clear all statistics on SFA1
back - Make SFA1 the backup accelerator
reboot - Reboot SFA1

The Accelerator 1 Information Menu allows you to run CLI commands on the Firewall
Accelerator and see the output.

Table 11-17 Accelerator 1 Information Menu (/maint/debug/ac1)

Command Syntax and Usage

sys
This command displays the output of the /info/sys (system information) command
from the Firewall Accelerator.
boot
This command displays the output of the /boot/cur (boot settings) command from
the Firewall Accelerator.
naap
This command displays the output of the /info/naap/dump (NAAP status) command
from the Firewall Accelerator.
vrrp
This command displays the output of the /info/vrrp (VRRP status) command from
the Firewall Accelerator.
sess
This command displays the output of the /info/slb/sess/dump (session table)
command from the Firewall Accelerator.
prtstat
This command displays the output of the /stats/slb/port <#>/maint
(port maintenance status) command from the Firewall Accelerator.


btinfo
This command displays the output of the /maint/btinfo command from the Firewall
Accelerator. The output explains the reason for the last reboot (power cycle, reset from
console, panic, and so on) and also whether a panic dump is present.
clear
This command clears all statistics on Firewall Accelerator 1.
back
This command makes Firewall Accelerator 1 the backup. The command forces the
Accelerator to a backup state using the /oper/vrrp/back command on the Accelerator.
reboot
This command reboots Firewall Accelerator 1 using the /boot/reset command.


/maint/debug/ac2
Accelerator 2 Information Menu

[Accelerator 2 Information Menu]


sys - System information for SFA2
boot - Boot settings for SFA2
naap - NAAP statistics for SFA2
vrrp - VRRP info for SFA2
sess - Session table dump for SFA2
prtstat - Port statistics for SFA2
btinfo - Boot information for SFA2
clear - Clear all statistics on SFA2
back - Make SFA2 the backup accelerator
reboot - Reboot SFA2

The Accelerator 2 Information Menu allows you to run CLI commands on the Firewall
Accelerator and see the output.

Table 11-18 Accelerator 2 Information Menu (/maint/debug/ac2)

Command Syntax and Usage

sys
This command displays the output of the /info/sys (system information) command
from the Firewall Accelerator.
boot
This command displays the output of the /boot/cur (boot settings) command from
the Firewall Accelerator.
naap
This command displays the output of the /info/naap/dump (NAAP status) command
from the Firewall Accelerator.
vrrp
This command displays the output of the /info/vrrp (VRRP status) command from
the Firewall Accelerator.
sess
This command displays the output of the /info/slb/sess/dump (session table)
command from the Firewall Accelerator.
prtstat
This command displays the output of the /stats/slb/port <#>/maint
(port maintenance status) command from the Firewall Accelerator.


btinfo
This command displays the output of the /maint/btinfo command from the Firewall
Accelerator. The output explains the reason for the last reboot (power cycle, reset from
console, panic, and so on) and also whether a panic dump is present.
clear
This command clears all statistics on Firewall Accelerator 2.
back
This command makes Firewall Accelerator 2 the backup. The command forces the
Accelerator to a backup state using the /oper/vrrp/back command on the Accelerator.
reboot
This command reboots Firewall Accelerator 2 using the /boot/reset command.


/maint/debug/dbgroute
Debug Route Information Menu

[Debug Route Information Menu]


uni - Display complete unicast route table send to accels
igmp - Display complete IGMP route table send to accels
pim - Display complete PIM route table send to accels

The Debug Route Information Menu displays Unicast, IGMP, and PIM routes pushed to the
Firewall Accelerator from the Firewall Director.

Table 11-19 Debug Route Information Menu (/maint/debug/dbgroute)

Command Syntax and Usage

uni
This command displays the Unicast routes sent to the Firewall Accelerator.
igmp
This command displays the IGMP routes sent to the Firewall Accelerator.
pim
This command displays the PIM routes sent to the Firewall Accelerator.


/maint/debug/ospf
OSPF Debug Menu

[OSPF Debug Menu]


events - Set log OSPF generic events
ism - Set log OSPF ISM events
lsa - Set log OSPF LSA events
nsm - Set log OSPF NSM events
packets - Set log OSPF packets
msgs - View last 100 debug messages

The OSPF Debug Information Menu provides information to troubleshoot OSPF.

Table 11-20 OSPF Debug Menu (/maint/debug/ospf)

Command Syntax and Usage

events
This command allows you to turn on debugging for OSPF events.
ism
This command allows you to turn on debugging for the interface state machine.
lsa
This command allows you to turn on debugging for link state advertisements.
nsm
This command allows you to turn on debugging for the neighbor state machine.
packets
This command allows you to turn on debugging for OSPF packets.
msgs
This command displays the last 100 messages from the log file.


/maint/debug/rip
RIP Debug Menu

[RIP Debug Menu]


events - Set log RIP events
packets - Set log RIP packets
msgs - View last 100 debug messages

The RIP Debug Information Menu is used to display debug information for RIP.

Table 11-21 RIP Debug Menu (/maint/debug/rip)

Command Syntax and Usage

events
This command allows you to turn on debugging for RIP events.
packets
This command displays details on RIP packets.
msgs
This command displays the last 100 messages from the log file.

/maint/tsdump
Tech Support Dump Menu
[Tech Support Menu]
dump - Create a Tech Support dump
exdump - Create a Tech Support dump including logs
ftp - FTP tech support dump to an FTP server
floppy - Copy Tech Support Dump to Floppy

The Tech Support Dump Menu is used to create dumps for Technical support.

Table 11-22 Tech Support Dump Menu (/maint/tsdump)

Command Syntax and Usage

dump
This command creates a Technical support dump without including the logs. The size of
the dump is typically small enough to fit on a floppy diskette.
exdump
This command creates a Technical support dump including all available logs. The size of
the dump is typically more than 1 MB.

ftp <ftp Server> <Dir Name> [<User Name>] [<Password>]
This command allows you to FTP the created tsdump to an FTP server. A file called
asfdump.tgz is created on the FTP server.
floppy
This command copies the tsdump file to a floppy diskette.

/maint/swfc
SFA Flow Control Configuration Menu
[SFA Flow Control Configuration Menu]
window - Set Window Size
sync - Set Sync Interval
ena - Enable SFA Flow Control
dis - Disable SFA Flow Control

The SFA (Switched Firewall Accelerator) Flow Control Configuration Menu is used to configure
settings to protect the Firewall from a denial-of-service (DoS) attack.

Table 11-23 SFA Flow Control Configuration Menu (/maint/swfc)

Command Syntax and Usage

window
This command sets the “window” size for flow control. This is similar to the window
concept for TCP transmission. The Firewall Accelerator makes sure that the outstanding
requests to the Director are within this limit. If the count exceeds the limit, the Firewall
Accelerator starts dropping packets destined to that Firewall Director. The default value is 1000.
sync
This command sets the interval at which the Firewall Accelerator and the Firewall Director
exchange flow control information. The default value is 1 second.
ena
This command enables the SFA flow control.
dis
This command disables the SFA flow control.
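The following Python model is an added illustration and not part of the Alteon Switched Firewall software. It shows how a per-Director window of the kind the window and sync commands configure bounds the work a flood can push onto one Firewall Director without affecting the other Directors. The counting rule it uses (each forwarded packet is one outstanding request, released only when a sync reports completions) and the Director names are assumptions made for the example; the page does not describe the Accelerator's internal accounting.

```python
from dataclasses import dataclass


@dataclass
class DirectorState:
    """Per-Director bookkeeping kept by the Accelerator in this model."""
    outstanding: int = 0   # requests forwarded but not yet reported complete
    dropped: int = 0       # packets dropped because the window was full


class SfaFlowControl:
    """Model of the per-Director request window described in Table 11-23.

    Assumption made for this illustration: every packet forwarded to a
    Director counts as one outstanding request, and the count is reduced only
    when the Director reports completions at the sync interval. This is a
    model of the behaviour the table describes, not the Accelerator's own code.
    """

    def __init__(self, window=1000):
        if window < 1:
            raise ValueError("window must be at least 1")
        self.window = window
        self.directors = {}

    def _state(self, director):
        return self.directors.setdefault(director, DirectorState())

    def forward(self, director):
        """Offer one packet destined for a Director.

        Returns True when the packet is passed on, False when it is dropped
        because that Director already has `window` outstanding requests.
        """
        state = self._state(director)
        if state.outstanding >= self.window:
            state.dropped += 1
            return False
        state.outstanding += 1
        return True

    def sync(self, director, completed):
        """Apply a flow-control update from a Director: `completed` requests finished."""
        state = self._state(director)
        state.outstanding = max(0, state.outstanding - completed)


def simulate_flood(window, flood_packets, legit_packets):
    """Send a burst at one Director and normal traffic at another within one sync interval.

    Returns counts showing that the flooded Director receives at most `window`
    packets before the next sync while the second Director is unaffected.
    """
    fc = SfaFlowControl(window)
    flood_forwarded = sum(fc.forward("director-1") for _ in range(flood_packets))
    legit_forwarded = sum(fc.forward("director-2") for _ in range(legit_packets))
    return {
        "flood_forwarded": flood_forwarded,
        "flood_dropped": fc._state("director-1").dropped,
        "legit_forwarded": legit_forwarded,
    }


if __name__ == "__main__":
    # Defaults from the table: window 1000; a 5000-packet burst at one Director.
    print(simulate_flood(window=1000, flood_packets=5000, legit_packets=10))
```

In this model a Director never receives more than window new packets between two syncs beyond the capacity the previous sync released, so the window, together with the sync interval, is the knob that decides how much backlog a Director is allowed to accumulate before the Accelerator starts shedding load on its behalf.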

/maint/backup
Backup Restore Menu
[Backup Restore Menu]
backup - Backup Firewall Director to FTP server

The Backup Restore Menu allows you to back up the Director configuration and restore it later
to the same state.

The backup and restore feature is for a Director only and not the cluster. To back up an entire
cluster, you must log in to each Director and create backups separately. You cannot create a
backup from one member of the cluster and use it to restore another member. A backup taken
from a Director can be used only to restore that same Director or a replacement for that
Director.

For more information on how to back up the Director configuration, see “Backup and Restore
Firewall Configuration” on page 347.

Table 11-24 Backup Restore Menu (/maint/backup)

Command Syntax and Usage

backup
This command prompts you to provide an FTP server. The FTP server should allow
anonymous login.

CHAPTER 12
The Configuration Menu
This chapter discusses the Configuration Menu in the Command Line Interface for configuring
the Alteon Switched Firewall.

/cfg
Configuration Menu

[Configuration Menu]
sys - System-wide Parameter Menu
pnp - SFD IP and Firewall License Menu
acc - Accelerator Configuration Menu
net - Network Configuration Menu
fw - Firewall Configuration Menu
apps - Third party applications
ptcfg - Backup current configuration to TFTP/FTP server
gtcfg - Restore current configuration from TFTP/FTP server
misc - Miscellaneous Settings Menu
dump - Dump configuration on screen for copy-and-paste

The Configuration Menu is used for configuring the Alteon Switched Firewall. Some
commands are available only from the administrator login.

Table 12-1 Configuration Menu (/cfg)

Command Syntax and Usage

sys
The System Menu is used for configuring system-wide parameters on a per cluster basis.
See page 200 for menu items.
pnp
The SFD IP and Firewall License (Plug N Play) Menu is used for pre-configuring
resources that are used by the system to automatically configure any new components
when they are added to the cluster. Resources configured under this menu include a pool
of IP addresses and Check Point licences.
See page 242 for menu items.
acc
The Accelerator Configuration Menu is used to configure parameters for the cluster Fire-
wall Accelerators. This includes the IP addresses and MAC addresses of the Firewall
Accelerators and options for high availability and auto detection.
See page 244 for menu items.
net
The Network Configuration Menu is used to configure the networks passing traffic
through the firewall.
See page 250 for menu items.
fw
The Firewall Configuration Menu is used to configure firewall related options such as
enabling firewall or resetting the Check Point Secure Internal Communications (SIC).
See page 323 for menu items.
apps
The Third-party Applications Menu is used to configure a secure route for a third party
application.
See page 330 for menu items.

ptcfg <TFTP/FTP protocol> <server name or IP address> <file name>
This command saves the current configuration, including private keys and certificates, to
a file on the selected TFTP/FTP server. The information is saved in a plain-text file, and
can later be restored by using the gtcfg command. The default protocol is TFTP.
You will be prompted to specify a password phrase before the information is sent to the
TFTP/FTP server. The password phrase is used to encrypt all included private keys. If
you later restore the configuration using the gtcfg command, you will be prompted to
reenter the password phrase.
gtcfg <TFTP/FTP protocol> <server name or IP address> <file name>
This command retrieves and applies a configuration file, including private keys and cer-
tificates, from the selected TFTP/FTP server. You will be prompted to enter the same
password phrase supplied when the file was created using the ptcfg command. The
default protocol is TFTP.
misc
Use the Miscellaneous Settings Menu to turn on or off configuration warning messages.
See page 332 for menu items.
dump
This command displays the current configuration parameters in CLI compatible format.
You can capture the screen display and save the configuration to a text editor file by per-
forming a copy-and-paste operation. The configuration can later be restored by pasting
the contents of the saved text file at any command prompt in the CLI.
When pasted, the content is batch processed by the Alteon Switched Firewall. To view
the pending configuration changes resulting from the batch processing, use the diff
command. To apply the configuration changes, use the apply command.
If you choose to include private keys in the configuration dump, you are required to
specify a password phrase. The password phrase you specify will be used to encrypt all
secret information. When restoring a configuration that includes secret information, use
the global paste command. Before pasting the configuration, you will be prompted to
reenter the password phrase.

/cfg/sys
System Menu
[System Menu]
time - Date and Time Menu
dns - DNS Servers Menu
cluster - Cluster Menu
accesslist - Access List Menu
adm - Administrative Applications Menu
log - Platform Logging Menu
user - User access control menu

The System Menu is used for configuring system-wide parameters on a per cluster basis.

Table 12-2 System Menu (/cfg/sys)

Command Syntax and Usage

time
The Date and Time Menu is used to set the cluster date, time, time zone, and NTP options.
See page 202 for menu items.
dns
The DNS Servers Menu lets you change Domain Name System (DNS) parameters.
See page 204 for menu items.
cluster
The Cluster Menu is used for assigning the cluster management address and for access-
ing individual Firewall Director menus.
See page 205 for menu items.
accesslist
The Access List Menu is used to restrict remote access to Alteon Switched Firewall
management features. You can add, delete, or list trusted IP addresses which are allowed
Telnet, Secure Shell (SSH), or Browser-Based Interface (BBI) access to the system. If
the access list is not configured, users will not be able to access remote management fea-
tures even when those features are otherwise enabled.
See page 209 for menu items.
adm
The Administrative Applications Menu is used to configure Alteon Switched Firewall
remote management features such as Telnet, SSH, SNMP, and the BBI.
See page 210 for menu items.

log
The Platform Logging Menu is used to configure system message logging features. Mes-
sages can be logged to the system console terminal, ELA facility, and archived to a file
that can be automatically e-mailed.
See page 231 for menu items.
user
The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user
accounts, and change passwords.
See page 237 for menu items.

/cfg/sys/time
Date and Time Menu

[Date and Time Menu]


date - Set system date
time - Set system time
tzone - Set Timezone
ntp - Configure NTP servers

The Date and Time Menu is used to set the cluster date, time, and time zone options.

Table 12-3 Date and Time Menu (/cfg/sys/time)

Command Syntax and Usage

date <YYYY-MM-DD>
This command sets the system date according to the specified format.
time <HH:MM:SS>
This command sets the system time using a 24-hour clock format.
tzone [<time zone string>]
This command sets the system time zone. When entered without a parameter, you will be
prompted to select your time zone from a list of continents/oceans, countries, and
regions (if applicable). If you know your time zone from a previous use of this com-
mand, you can set the value directly by including the time zone string within quotes.
ntp
The NTP Servers Menu is used to synchronize system time with Network Time Protocol
(NTP) servers.
See page 203 for menu items.

/cfg/sys/time/ntp
NTP Servers Menu

[NTP Servers Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The NTP Servers Menu is used to add or delete Network Time Protocol (NTP) servers to syn-
chronize system time.

NOTE – In order to use this feature, you must install a firewall rule that allows NTP traffic to
pass to and from the Firewall Directors.

Table 12-4 NTP Servers Menu (/cfg/sys/time/ntp)

Command Syntax and Usage

list
This command lists all configured NTP servers by their index number and IP address.
del <index number>
This command lets you remove an NTP server from the cluster configuration by specify-
ing the server’s index number. Use the list command to display the index numbers
and IP addresses of configured NTP servers.
add <NTP server IP address>
This command lets you add an NTP server. The NTP server with the specified IP address
will be added to the list of NTP servers used to synchronize the Alteon Switched Fire-
wall system clock. A number of NTP servers (at least three) should be available in order
to compensate for any discrepancies among the servers.

/cfg/sys/dns
DNS Servers Menu

[DNS Servers Menu]


list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

The DNS Servers Menu lets you change Domain Name System (DNS) parameters.

NOTE – In order to use this feature, you must install a firewall rule that allows DNS traffic to
pass to and from the Firewall Directors.

Table 12-5 DNS Servers Menu (/cfg/sys/dns)

Command Syntax and Usage

list
This command displays all DNS servers by their index number and IP address.
del <index number>
This command lets you remove a DNS server by index number. Use the list command
to display the index numbers and IP addresses of added DNS servers.
add <DNS server IP address>
This command lets you add a new DNS server. The DNS server with the specified IP
address will be added.
insert <index number> <IP address>
This command lets you add a new DNS server to the list at the specified index position.
All existing items at the specified index number and higher are incremented by one posi-
tion.
move <from index number> <to index number>
This command removes the DNS server of the specified from index number and inserts it
at the specified to index number.

/cfg/sys/cluster
Cluster Configuration Menu

[Cluster Menu]
net - Set ASF internal subnet network
mask - Set ASF internal subnet mask
mip - Set management IP (MIP) address
host - SFD Host Menu

The Cluster Menu is used for assigning the cluster management address and for accessing indi-
vidual Firewall Director menus.

Table 12-6 Cluster Configuration Menu (/cfg/sys/cluster)

Command Syntax and Usage

net <cluster network IP address>
This command lets you change the base IP address of the Alteon Switched Firewall
internal network (established during initial configuration).
Note: Disable Check Point antispoofing before changing the internal network address.
mask <IP subnet mask>
This command lets you change the network mask for all Firewall Directors in the cluster.
This mask is used in combination with the net command to create an IP address range for
the Alteon Switched Firewall network.
mip <cluster Management IP address>
This command lets you change the cluster Management IP (MIP) address. The MIP
address identifies the cluster on the network. This address is used when accessing remote
management features such as Telnet, SSH, or the BBI. The address must be unique on
the network.
host <SFD host number>
The SFD Host Menu is used for performing actions on a specific Firewall Director, iden-
tified by its host number. The host number for each specific Firewall Director can be
listed using the cur command.
This menu is used to put the Firewall Director into master or slave mode, set its IP
address, halt it, reboot it, or reset it to factory default configuration in preparation for
removal from the cluster.
See page 206 for menu items.

/cfg/sys/cluster/host <host number>
SFD Host Menu

[iSD Host 1 Menu]


type - Set type of the Firewall Director
ip - Set IP address
name - Set System name
license - Set License
hwplatform - Display hardware platform
halt - Halt the Firewall Director
reboot - Reboot the Firewall Director
delete - Remove Firewall Director Host

This menu is used for performing actions on a specific Firewall Director, identified by host
number. The host number can be found using the /cfg/sys/cluster/cur command.

Table 12-7 SFD Host Menu (/cfg/sys/cluster/host)

Command Syntax and Usage

type master|slave
This command lets you set the currently selected Firewall Director as master or slave. A
master is capable of hosting the cluster Management IP (MIP) address. Up to four mas-
ters can be present in a cluster. If an active master fails, one of the other masters will
become active and host the MIP address. Depending on the total number of Directors in
a cluster and the desired level of redundancy, it is recommended that two to four Director
hosts are configured as masters.
When installing the first Firewall Director in a new cluster (by selecting new in the
Setup Menu), it is automatically configured as master. When adding more Firewall
Directors to the same cluster (by selecting join in the Setup Menu), the first three addi-
tional Firewall Directors in a cluster will also be masters.
When adding one or more Firewall Directors to a cluster that already contains four mas-
ters, any added Firewall Directors are automatically configured as slave.
Normally, you will only need to change the type setting when you have removed one or
more master Firewall Directors from a cluster. In this case, if there are any slave devices,
you may want to promote one of them to become a master.
To determine which Firewall Director is currently hosting the MIP address, use the
/info/clu command. To view the host number of each Firewall Director in a cluster,
use the /cfg/sys/cluster/cur command.

ip <Firewall Director IP address>
This command is used to set the IP address of the currently selected Firewall Director.
Changing this address does not affect the Management IP address which defines the
cluster itself. The IP address is specified using dotted decimal notation.
Note that you will be logged out when you apply the new IP address.
name
This command allows you to give a user-friendly name to each Director. When you log in
as “admin,” the name of the Director is displayed as part of the banner. This allows you
to easily identify the Firewall Director.
license
This command allows you to enter your Firewall license. Paste the license and press
<Enter> to create a new line. Type "..." (without the quotation marks) at the end of the
license to terminate.
hwplatform
This command displays the Firewall Director type.

halt
After confirmation, this command stops the currently selected Firewall Director. Always
use this command before turning off the device.
If the Firewall Director you want to halt has become isolated from the cluster, you will
receive an error message when performing the halt command. You can then try logging
in to the specific Firewall Director using its local serial port (or a Telnet or SSH
connection to the Firewall Director’s individually assigned IP address) and use the
/boot/halt command.
reboot
After confirmation, this command reboots the currently selected Firewall Director.
If the Firewall Director you want to reboot has become isolated from the cluster, you will
receive an error message when performing the reboot command. You can then try logging
in to the specific Firewall Director using its local serial port (or a Telnet or SSH
connection to the Firewall Director’s individually assigned IP address) and use the
/boot/reboot command.
delete
This command lets you remove the currently selected Firewall Director “cleanly” from
the cluster, and resets the removed Firewall Director to its factory default configuration.
Other Directors in the cluster are unaffected.
To ensure that you remove the intended Firewall Director, view the current settings by
using the cur command. To view the host number, type (master or slave), and IP
address for all Firewall Directors in a cluster, use the /cfg/sys/cluster/cur com-
mand.
Once you have removed a Firewall Director from the cluster using the delete com-
mand, you can only access the device through a console terminal attached directly to its
local serial port. You can then log in using the administration account (admin) and the
default password (admin) to access the Setup Menu.
When multiple Firewall Directors are present in a cluster, you cannot delete a particular
Firewall Director if it is the only one that has a health status “up.” If that is the case, you
will receive an error message when performing the delete command. To delete a Fire-
wall Director from the cluster while all the other cluster members are down, see the
/boot/delete command on page 173.

/cfg/sys/accesslist
Access List Menu

[Access List Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Alteon Switched Firewall can be managed remotely using Telnet, SSH, or the BBI. For
security purposes, access to these features is restricted through the cluster access list.

The access list allows the administrator to specify IP addresses or address ranges that are per-
mitted remote access to the system. There is only one access list which is shared by all remote
management features.

Requests for remote management access from any client whose IP address is not on the access
list are dropped. By default, the access list is empty, meaning that all remote management
access is initially disallowed.

When a client’s IP address is added to the access list, that client is permitted to access all
enabled remote management features, provided that a firewall rule exists to allow the type of
traffic, and that the user supplies the appropriate password.

The following options are available on the Access List Menu:

Table 12-8 Access List Menu (/cfg/sys/accesslist)

Command Syntax and Usage

list
This command displays all index and IP address information for all trusted clients which
can access enabled remote management features.
del <index number>
This command lets you remove an access entry by index number. Use the list com-
mand to display the index numbers and IP addresses of access entries.
add <user IP address> <IP subnet mask>
This command lets you add a new IP address or range of addresses to the access list. Any
added clients are considered trusted and have access to any enabled remote management
features.
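The following Python script is an added illustration, not part of the Alteon Switched Firewall software, of the matching rule the access list applies: a client is trusted when its address, masked with an entry's subnet mask, falls inside that entry's range, and an empty list trusts nobody. The entries and client addresses in it are constructed sample values, and the function names are the example's own.

```python
import ipaddress

# Constructed sample entries in the form the add command takes:
#   add <user IP address> <IP subnet mask>
ACCESS_LIST = [
    ("10.0.5.17", "255.255.255.255"),    # one trusted administrator workstation
    ("192.168.20.0", "255.255.255.0"),   # a trusted management subnet
]


def build_access_list(entries):
    """Convert (address, mask) pairs into network objects.

    strict=False lets an entry such as 192.168.20.5/255.255.255.0 stand for
    the whole 192.168.20.0/24 range. A non-contiguous mask raises ValueError,
    which is the right outcome for a malformed entry.
    """
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in entries]


def is_trusted(client_ip, entries):
    """Return True when client_ip falls inside at least one access list entry.

    An empty list denies every client, matching the default described above:
    until an entry is added, all remote management access is disallowed.
    """
    if not entries:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in build_access_list(entries))


def filter_requests(client_ips, entries):
    """Split a batch of connecting client addresses into (accepted, dropped)."""
    accepted, dropped = [], []
    for ip in client_ips:
        (accepted if is_trusted(ip, entries) else dropped).append(ip)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample of management connection attempts.
    attempts = ["10.0.5.17", "10.0.5.18", "192.168.20.77", "172.16.0.9"]
    print(filter_requests(attempts, ACCESS_LIST))
```

Two points the script makes explicit: a host entry needs the 255.255.255.255 mask, otherwise the mask widens it to a range, and the list only gates who may connect; the firewall rule and the account password the table mentions are still required before a session is established.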

/cfg/sys/adm
Administrative Applications Menu

[Administrative Applications Menu]


idle - Set CLI idle timeout
telnet - Telnet Administration Menu
ssh - SSH Administration Menu
snmp - SNMP Administration Menu
web - Web Administration Menu
audit - Audit Settings Menu

The Administrative Applications Menu is used to configure Alteon Switched Firewall remote
management features such as Telnet, SSH, SNMP, and the BBI.

Table 12-9 Administrative Application Menu (/cfg/sys/adm)

Command Syntax and Usage

idle <CLI time-out period in seconds (300-3600)>
This command sets the amount of time that a local or remote CLI session can remain inactive
before being automatically logged out. The time period is specified in seconds, from
300 to 3600. The default is 600 seconds (10 minutes).
telnet
The Telnet Administration Menu is used to enable or disable Telnet for remote access to
the Alteon Switched Firewall management CLI.
See page 212 for menu items.
ssh
This menu is used to enable or disable Secure Shell (SSH) for remote access to the ASF
management CLI. This menu is also used for generating SSH host keys.
See page 213 for menu items.
snmp
The SNMP Administration Menu is used to enable or disable Simple Network Manage-
ment Protocol (SNMP) for remote management of the Alteon Switched Firewall. This
menu is also used for defining SNMP information, permission levels, and traps.
See page 214 for menu items.

web
The Web Administration Menu is used to configure the Browser-Based Interface (BBI).
The BBI provides HTTP or Secure Socket Layer (SSL) access for remote management
of the Alteon Switched Firewall using a Web browser.
See page 221 for menu items.
audit
The Audit Settings Menu is used to configure the servers that receive log messages on
the commands executed in the CLI and the Web UI.
See page 228 for menu items.

/cfg/sys/adm/telnet
Telnet Administration Menu

[Telnet Administration Menu]


ena - Enable Telnet
dis - Disable Telnet

The Telnet Administration Menu is used to enable or disable remote Telnet access to the
Alteon Switched Firewall CLI. By default, Telnet access is disabled. Depending on the sever-
ity of your security policy, you may enable Telnet access and restrict it to one or more trusted
clients.

NOTE – Telnet is not a secure protocol. All data (including the password) between a Telnet cli-
ent and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote
access is required, see “Using Secure Shell” on page 150. For more information on the Telnet
feature, see “Using Telnet” on page 148.

Table 12-10 Telnet Administration Menu (/cfg/sys/adm/telnet)

Command Syntax and Usage

ena
This command enables the Telnet management feature. When enabled, Telnet access to
the cluster MIP address is allowed for trusted clients which have been added to the clus-
ter access list (see “Defining the Remote Access List” on page 146).
dis
This command disables the Telnet management feature. This is the default. When disabled,
all active Telnet administration sessions will be terminated, and all new Telnet
requests sent to the MIP address will be dropped.

/cfg/sys/adm/ssh
SSH Administration Menu

[SSH Administration Menu]


ena - Enable SSH
dis - Disable SSH
gensshkeys - Generate new SSH host keys

The SSH Administration Menu is used to enable or disable Secure Shell (SSH) for remote
access to the Alteon Switched Firewall management CLI. This menu is also used for generat-
ing SSH host keys.

An SSH connection allows secure management of the Alteon Switched Firewall from any
workstation connected to the network. SSH access provides server host authentication, encryp-
tion of management messages, and encryption of passwords for user authentication. By
default, SSH is disabled.

NOTE – To use this feature, you must install a firewall rule that allows SSH traffic to pass to
and from the Firewall Directors.

For more information on the SSH feature, see “Using Secure Shell” on page 150.

Table 12-11 SSH Administration Menu (/cfg/sys/adm/ssh)

Command Syntax and Usage

ena
This command enables the SSH management feature. When enabled, SSH access to the
cluster MIP address is allowed for trusted clients which have been added to the cluster
access list (see “Defining the Remote Access List” on page 146).
dis
This command disables the SSH management feature. This is the default. When disabled,
all active SSH administration sessions will be terminated, and all new SSH
requests sent to the MIP address will be dropped.
gensshkeys
This command generates new SSH host keys.

/cfg/sys/adm/snmp
SNMP Administration Menu

[SNMP Administration Menu]


ena - Enable SNMP
dis - Disable SNMP
model - Set security model
level - Set usm security level
access - Set read access control
events - Set trap events
alarms - Set trap alarms
rcomm - Set v2c read community
wcomm - Set v2c write community
users - SNMP USM Users Menu
hosts - Trap Hosts Menu
system - SNMP System Information Menu
adv - Advanced SNMP Options Menu

The Alteon Switched Firewall software supports elements of the Simple Network Management
Protocol (SNMP). If you are running an SNMP network management station on your network,
you can read and write ASF configuration information and collect statistics using the following
SNMP Managed Information Bases (MIBs):

• MIB II (RFC 1213)
• Ethernet MIB (RFC 1643)
• Bridge MIB (RFC 1493)

NOTE – To use this feature, you must install a firewall rule that allows SNMP traffic to pass to
and from the Firewall Directors.

Table 12-12 SNMP Administration Menu Options (/cfg/sys/adm/snmp)

Command Syntax and Usage

ena
This command enables the SNMP features.
dis
This command disables the SNMP features. This is the default.

model v1|v2c|usm
This command is used to specify which form of SNMP security will be used by the ASF:
• v1: Use the SNMP version 1 security model.
• v2c: Use the SNMP version 2c security model. (Default)
• usm: Use the SNMP version 3 User-based Security Model (USM).

level none|auth|priv
This command is used only when usm is selected. It is used to specify the desired degree
of SNMPv3 (also called USM) security:
• none: No SNMPv3 encryption/authentication.
• auth: SNMPv3 authentication only. Verify the SNMP user password before granting
SNMP access. SNMP information is transmitted in plain text.
• priv: SNMPv3 authentication and encryption. Verify the SNMP user password
before granting SNMP access and encrypt all SNMP information with the user’s
individual key. (Default)
USM user names, along with their passwords and encryption keys, are defined in the
SNMP Users Menu (/cfg/sys/adm/snmp/users).
access d|r|rw
This command sets the SNMP access control:
• d: Disable SNMP read capability. Users will be sent only enabled event and alarm
messages and are not permitted to read SNMP information from the ASF. (Default)
• r: Enable SNMP read capability. Users will be sent enabled event and alarm
messages and are also allowed to read SNMP information from the supported ASF MIBs.
• rw: Enable SNMP read and write capability. Users will be sent enabled event and
alarm messages and are also allowed to read and write SNMP information from the
supported ASF MIBs.
events y|n
This command is used to enable or disable sending cluster event messages to the SNMP
trap hosts. When enabled, messages regarding general occurrences (such as detection of
a new component) are sent. The default is disabled.
alarms y|n
This command is used to enable or disable sending cluster alarm messages to the SNMP
trap hosts. Alarm messages indicate serious conditions which may require administrative
action. The default is disabled.

rcomm <read community string>
This command is used only when the v2c security model is selected. The read community
string controls SNMP “get” access to the cluster. It can have a maximum of 32 characters.
The default read community string is public and should be changed for security.
wcomm <write community string>
This command is used only when the v2c security model is selected. The write commu-
nity string controls SNMP “set” access to the cluster. It can have a maximum of 32 char-
acters. The default put community string is public and should be changed to private
for security.
users
The SNMP Users Menu is used to list, add, and remove USM users. When usm is
selected as the security model, SNMP access is granted to the user/password pairs defined in the
SNMP Users Menu.
See page 217 for menu items.
hosts
The Trap Hosts Menu is used to add, remove, or list hosts which will receive cluster
event or alarm messages.
See page 218 for menu items.
system
The SNMP System Information Menu is used to configure basic identification informa-
tion such as support contact name, system name, and system location.
See page 219 for menu items.
adv
The Advanced SNMP Settings Menu is used to configure less common SNMP options.
See page 220 for menu items.
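The security choices made in the model, level, access, rcomm and wcomm entries above can be checked mechanically. The following Python script is an added example; it is not part of this guide or of the ASF software. It assumes a plain "key value" text dump of the SNMP Administration settings (both dumps in the script are constructed) and reports the weak choices the entries warn about: v2c with well-known community strings, rw access, usm without priv, and alarm traps left disabled. Note that "private", which the wcomm entry suggests, is as widely known as "public", so the check flags both under the v2c model.

```python
# Added example (not Nortel code): audit the SNMP Administration settings
# described above for weak choices. It assumes a plain "key value" text dump
# of the /cfg/sys/adm/snmp options; both sample dumps below are constructed.

WEAK_CFG = """\
model v2c
level priv
access rw
rcomm public
wcomm public
events n
alarms n
"""

HARDENED_CFG = """\
model usm
level priv
access r
rcomm public
wcomm private
events y
alarms y
"""

# Both are well-known defaults; "private" is guessed as readily as "public".
WELL_KNOWN_COMMUNITIES = {"public", "private"}
MAX_COMMUNITY_LEN = 32


def parse_snmp_cfg(text):
    """Parse 'key value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def audit_snmp_cfg(cfg):
    """Return a list of (severity, message) findings; an empty list means no issues."""
    findings = []
    model = cfg.get("model", "v2c")
    access = cfg.get("access", "d")           # d is the documented default
    if model == "v2c":
        findings.append(("high", "v2c: community strings travel in clear text; prefer usm"))
        for key in ("rcomm", "wcomm"):
            value = cfg.get(key, "public")
            if value in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", f"{key} uses well-known community string '{value}'"))
            elif len(value) > MAX_COMMUNITY_LEN:
                findings.append(("medium", f"{key} exceeds the {MAX_COMMUNITY_LEN}-character maximum"))
        if access == "rw" and cfg.get("rcomm", "public") == cfg.get("wcomm", "public"):
            findings.append(("high", "rw access with identical read and write community strings"))
    elif model == "usm":
        level = cfg.get("level", "priv")      # priv is the documented default
        if level == "none":
            findings.append(("high", "usm level none: neither authentication nor encryption"))
        elif level == "auth":
            findings.append(("medium", "usm level auth: authenticated, but SNMP data is sent in plain text"))
    else:
        findings.append(("medium", f"unknown security model '{model}'"))
    if access == "rw":
        findings.append(("medium", "rw access permits SNMP set operations; use r unless writes are needed"))
    if cfg.get("alarms", "n") != "y":
        findings.append(("low", "alarm traps disabled: serious conditions will not reach the trap hosts"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_snmp_cfg(parse_snmp_cfg(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_text(cfg) or "no findings")
```

Run against the weak dump the script reports six findings; the hardened dump (usm with priv, read-only access, alarms enabled) reports none.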

/cfg/sys/adm/snmp/users
SNMP Users Menu

[SNMP Users Menu]


list - List all users
del - Delete a user by name
add - Add a new user

The SNMP Users Menu is used to list, add, and remove USM users. When usm is selected as the
security model (/cfg/sys/adm/snmp/model), SNMP access is granted to the user/password
pairs defined in this menu.

Table 12-13 SNMP Users Menu Options (/cfg/sys/adm/snmp/users)

Command Syntax and Usage

list
This command lists all configured USM users.
del <user name>
This command lets you remove a USM user from the cluster configuration. Use the
list command to display the configured USM users.
add <user name>
This command lets you add a USM user. When the command is initiated, you will be
prompted to enter the following:
• get and/or trap: specify whether the user is authorized to perform SNMP get
requests and/or receive enabled trap event and alarm messages. Enter get trap to
specify that both are allowed.
• user password (and confirmation): password the user must enter for access.

/cfg/sys/adm/snmp/hosts
Trap Hosts Menu

[Trap Hosts Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Trap Hosts Menu is used to add, remove, or list hosts which will receive SNMP event or
alarm messages from the cluster.

Table 12-14 Trap Hosts Menu Options (/cfg/sys/adm/snmp/hosts)

Command Syntax and Usage

list
This command lists all configured trap hosts which will receive SNMP event or alarm
messages from the cluster.
del <index number>
This command lets you remove an SNMP trap host from the cluster configuration by
specifying the trap host’s index number. Use the list command to display the index
numbers and IP addresses of configured trap hosts.
add <trap host IP address> <port number> <community string> <trap user (usm)>
This command lets you add an SNMP trap host. The trap host with the specified IP
address will receive any enabled SNMP messages from the cluster. Event messages and
alarm messages can be independently enabled or disabled in the SNMP Administration
Menu (see page 214). The default port number is 162 and the default community string
is v2c.
If the traps are sent in SNMPv1 or SNMPv2c, then the community string should be set.
Note that the firewall supports a single version only, so the ASF configuration
determines if the community string is used (for example, if the firewall is set to v1 or v2, then
a community string is required).
If the traps are sent in SNMPv3 (USM), then specify the trap user. This is only needed if
you configure usm.

/cfg/sys/adm/snmp/system
SNMP System Information Menu

[SNMP System Information Menu]


contact - Set Contact
name - Set Name
loc - Set Location

The SNMP System Information Menu is used to configure basic identification information
such as support contact name, system name, and system location.

Table 12-15 SNMP System Information Options (/cfg/sys/adm/snmp/system)

Command Syntax and Usage

contact <new string, maximum 64 characters>
Configures the name of the system contact. The contact can have a maximum of 64 characters.
name <new string, maximum 64 characters>
Configures the name for the system. The name can have a maximum of 64 characters.
loc <new string, maximum 64 characters>
Configures the name of the system location. The location can have a maximum of 64 characters.

/cfg/sys/adm/snmp/adv
Advanced SNMP Settings Menu

[SNMP Advanced Settings Menu]


allinf - Set allow snmp requests through all interfaces
trapsrcip - Set source IP of traps

The Advanced SNMP Settings Menu is used to configure less common SNMP options.

Table 12-16 Advanced SNMP Menu Options (/cfg/sys/adm/snmp/adv)

Command Syntax and Usage

allinf y|n
This command determines which interfaces will accept SNMP requests. If enabled (y), SNMP
requests will be accepted on all interfaces. If disabled (n), SNMP requests will be accepted only at
the cluster MIP address or individual Firewall Director IP address. This option is disabled by
default.

trapsrcip auto|unique|mip
This command is used to configure which source IP address will be used with SNMP
traps generated from the Alteon Switched Firewall.
• auto: The IP address of the outgoing interface is used. This is the default.
• unique: The IP address of the individual Firewall Director is used.
• mip: The IP address of the cluster MIP is used. This setting is useful with applications
(such as some versions of HP OpenView) that expect devices to be limited to only one
IP address.

/cfg/sys/adm/web
Web Administration Menu

[Web Administration Menu]


http - HTTP Configuration Menu
ssl - SSL Configuration Menu

The Web Administration Menu is used to configure the Browser-Based Interface (BBI). The
BBI allows for refined, intuitive remote management of the Alteon Switched Firewall using a
Web browser. The BBI can be configured to use HTTP (non-secure), HTTPS with Secure
Socket Layer (SSL), or both.

NOTE – In order to use this feature, you must install a firewall rule that allows HTTP or
HTTPS traffic to pass to and from the Firewall Directors.

For more information, see the Alteon Switched Firewall Browser-based Interface Guide.

Table 12-17 Web Administration Menu (/cfg/sys/adm/web)

Command Syntax and Usage

http
The HTTP Configuration Menu is used to configure BBI access using HTTP (non-
secure).
See page 222 for menu items.
ssl
The SSL Configuration Menu is used to configure BBI access using HTTPS with Secure
Socket Layer (SSL). For security reasons, using SSL with the BBI is highly
recommended.
See page 223 for menu items.

/cfg/sys/adm/web/http
HTTP Configuration Menu

[HTTP Configuration Menu]


port - Set HTTP Port number
ena - Enable HTTP
dis - Disable HTTP

The HTTP Configuration Menu is used to configure Browser-Based Interface (BBI) access
using HTTP. By default, HTTP access is enabled, but restricted to trusted clients. Depending
on the severity of your security policy, you may disable HTTP access and refine the list of
trusted clients.

NOTE – HTTP is not a secure protocol. All data (including passwords) between an HTTP
client and the Alteon Switched Firewall is unencrypted and unauthenticated. If secure remote
access is required, see the “SSL Configuration Menu” on page 223.

For more information on using the BBI, see the Alteon Switched Firewall Browser-based
Interface Guide.

Table 12-18 HTTP Configuration Menu (/cfg/sys/adm/web/http)

Command Syntax and Usage

port <HTTP port number>
This command sets the logical HTTP port which is used by the built-in BBI Web server.
By default, the Web server uses well-known HTTP port 80. This can be changed to use
any port number, but should not be set to any port which is being used by other services.
ena
This command enables HTTP access to the BBI. This is the default. When enabled,
HTTP access to the cluster MIP address is allowed for trusted clients which have been
added to the cluster access list (see “Defining the Remote Access List” on page 146).
dis
This command disables HTTP access to the BBI. When disabled, HTTP requests to the
MIP address are dropped.

/cfg/sys/adm/web/ssl
SSL Configuration Menu

[SSL Configuration Menu]


port - Set SSL port number
ena - Enable SSL
dis - Disable SSL
tls - Set TLS
sslv2 - Set SSL version 2
sslv3 - Set SSL version 3
certs - Certificate Management Menu

The SSL Configuration Menu is used to configure BBI access using HTTPS. HTTPS uses
Secure Socket Layer (SSL) to provide server host authentication, encryption of management
messages, and encryption of passwords for user authentication. Using SSL with the BBI is
highly recommended for security reasons. By default, SSL is disabled.

In addition to enabling/disabling the HTTPS feature, this menu allows you to set the HTTPS
port, set SSL version, and access menus for generating SSL certificates.

For more information on using the BBI, see the Alteon Switched Firewall Browser-based
Interface Guide.

Table 12-19 SSL Configuration Menu (/cfg/sys/adm/web/ssl)

Command Syntax and Usage

port <HTTPS port number>
This command sets the logical HTTPS port which is used by the built-in BBI Web
server. By default, the Web server uses well-known HTTPS port 443. This can be
changed to use any port number, but should not be set to any port which is being used by
other services.
ena
This command enables HTTPS access to the BBI. When enabled, HTTPS access to the
cluster MIP address is allowed for trusted clients which have been added to the cluster
access list (see “Defining the Remote Access List” on page 146).
Note that an SSL certificate must be generated using the Certificate Management Menu
(certs) before HTTPS will function.
dis
This command disables HTTPS access to the BBI. This is the default. When disabled,
HTTPS requests to the MIP address will be dropped.

tls y|n
This command enables or disables Transport Layer Security (TLS) for SSL. The default
value is enabled.
sslv2 y|n
This command enables or disables SSL Version 2. The default value is enabled.
sslv3 y|n
This command enables or disables SSL Version 3. The default value is enabled.
certs
The Certificate Management Menu is used to configure server certificates and external
Certificate Authority certificates required for SSL.
See page 225 for menu items.

/cfg/sys/adm/web/ssl/certs
Certificate Management Menu
[Certificate Management Menu]
serv - Server Certificate Management Menu
ca - Certificate Authority Management Menu

The Certificate Management Menu is used to add or remove server certificates and external
Certificate Authority certificates required for SSL.

Table 12-20 Certificate Management Menu (/cfg/sys/adm/web/ssl/certs)

Command Syntax and Usage

serv
The Server Certificate Management Menu is used to generate a certificate request or
create a self-signed certificate.
See page 226 for menu items.
ca
The Certificate Authority Management Menu is used to manage CA (Certification
Authority) certificates. This is required if server certificates from external CAs are being used.
See page 227 for menu items.

/cfg/sys/adm/web/ssl/certs/serv
Server Certificate Management Menu

[Server Certificate Management Menu]


gen - Generate certificate request - this erases old key
exp - Export certificate request
list - List server certificates
del - Delete a server certificate
add - Add a server certificate

The Server Certificate Management Menu is used to administer SSL server certificates.

Table 12-21 Server Certificate Management (/cfg/sys/adm/web/ssl/certs/serv)

Command Syntax and Usage

gen <Common Name> <Country Code> <Key Size>
This command will generate a certificate request or a self-signed certificate. Specify a
name for the certificate, a 2-letter country code, and a key size of 512, 1024, or 2048.
exp
This command is used for exporting certificate requests to an external Certificate
Authority (CA). This command produces output that can be copied and pasted into a text
file and sent to the CA to be signed. Do not use this if creating a self-signed certificate.
Once the CA has responded with a PEM encoded certificate, use the add command to
enter the certificate into the system.
list
This command displays a list of configured server certificates.
del
This command is used for deleting a server certificate.
add
This command is used for adding a signed server certificate. After you have entered this
command, the system will expect you to paste the PEM encoded certificate into the CLI.
When done pasting the certificate, add three periods (...) and press <Enter> to return
to the CLI.

/cfg/sys/adm/web/ssl/certs/ca
CA Certificate Management Menu

[CA Certificate Management Menu]


list - List CA certificates
del - Delete a CA certificate
add - Add a CA certificate

The CA Certificate Management Menu is used to administer SSL external Certificate
Authority (CA) certificates.

Table 12-22 CA Certificate Management Menu (/cfg/sys/adm/web/ssl/certs/ca)

Command Syntax and Usage

list
This command lists all configured CA certificates.
del
This command is used to remove a CA certificate from the cluster configuration.
add
This command is used to add a CA certificate. After you have entered this command, the
system will expect you to paste the PEM encoded certificate into the CLI. When done
pasting the certificate, add three periods (...) and press <Enter> to return to the CLI.
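Both the server certificate add command and the CA certificate add command above accept a PEM certificate pasted into the CLI and terminated with three periods. The following Python code is an added example, not part of this guide or of the ASF software; it shows how such a paste can be read and its framing checked before the certificate is stored: exactly one BEGIN/END CERTIFICATE pair, a valid base64 body, a DER SEQUENCE inside, and an outer DER length that matches the bytes received (which catches a paste cut short before the terminator). The DER bodies in it are tiny constructed SEQUENCE values, not real certificates.

```python
# Added example (not Nortel code): accept a PEM certificate pasted line by line
# and terminated with "..." as the add commands above describe, and check the
# framing before the certificate is stored. The DER bodies below are tiny
# constructed SEQUENCE values, not real certificates.
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
TERMINATOR = "..."


def read_pasted_pem(lines):
    """Collect input lines until the '...' terminator; return the PEM text."""
    collected = []
    for line in lines:
        if line.strip() == TERMINATOR:
            return "\n".join(collected)
        collected.append(line.rstrip("\r\n"))
    raise ValueError("paste was not terminated with '...'")


def der_is_complete(der):
    """Check that the outer DER length field matches the bytes actually pasted."""
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(der)


def pem_to_der(pem_text):
    """Validate the PEM framing and return the DER bytes, or raise ValueError."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing or mismatched BEGIN/END CERTIFICATE lines")
    middle = lines[1:-1]
    if any(l.startswith("-----") for l in middle):
        raise ValueError("more than one PEM block pasted; add one certificate at a time")
    try:
        der = base64.b64decode("".join(middle), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:         # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    if not der_is_complete(der):
        raise ValueError("certificate appears truncated (DER length mismatch)")
    return der


def accept_pasted_certificate(lines):
    """Full flow of an 'add' command: read until '...', then validate."""
    return pem_to_der(read_pasted_pem(lines))


def paste_is_valid(lines):
    """Boolean form of accept_pasted_certificate."""
    try:
        accept_pasted_certificate(lines)
        return True
    except ValueError:
        return False


def make_paste(der, terminated=True):
    """Build the lines a user would paste for a given DER body (64-char PEM rows)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = [BEGIN] + rows + [END]
    return lines + [TERMINATOR] if terminated else lines


# Constructed placeholders: SEQUENCE { INTEGER 5 } (complete) and a truncated SEQUENCE.
SAMPLE_DER = bytes.fromhex("3003020105")
TRUNCATED_DER = bytes.fromhex("30050201")
```

The length check is the part worth keeping even if the rest is replaced by a full X.509 parser: a certificate pasted through a terminal is easily cut short, and a body whose outer length disagrees with its size should be rejected rather than stored.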

/cfg/sys/adm/audit
Audit Menu

[Audit Menu]
servers - Radius Servers Menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for audit attribute
ena - Enable Server
dis - Disable Server

The Audit Menu is used for configuring a RADIUS server to receive log messages about
commands executed in the CLI or the Web User Interface. If auditing is enabled but no RADIUS
server is configured, events will still be generated to the event log and any configured syslog
servers. Auditing is disabled by default.

An event is generated whenever a user logs in/logs out or issues a command from a CLI
session. The event contains information about user name and session id as well as the name of
executed commands. This event is optionally sent to a RADIUS server for audit trail logging
according to RFC 2866 (RADIUS Accounting).

Table 12-23 Audit Menu (/cfg/sys/adm/audit)

Command Syntax and Usage

servers
This command displays the RADIUS Audit servers menu.
To view menu options, see page 230.

vendorid
Assigns the SMI Network Management Private Enterprise Code—as defined by IANA in the file
http://www.iana.org/assignments/enterprise-numbers—to the following vendor specific attribute:
Vendor-Id.
The Vendor-Id—represented by the private enterprise number—is one of the RADIUS vendor-
specific attributes.
The default vendor-Id is set to 1872 (Alteon).
Note: If another vendor-Id is used by your RADIUS system, you can use the vendorid com-
mand to bring the RADIUS configuration in line with the value used by the remote RADIUS sys-
tem. Contact your RADIUS system administrator for more information.

vendortype
Assigns a number to the following vendor specific attribute used in RADIUS: Vendor type.
Used in combination with the Vendor-Id number, the vendor type number identifies the audit
attribute which will contain the audit information.
The default vendor type value is set to 2.
Tip! Finding audit entries in the RADIUS server’s log can be made easier by defining a suitable
string in the RADIUS server’s dictionary (for example, Alteon-ASF-Audit-Trail) and mapping this
string to the vendor type value.
Note: If another number for vendor type is used by your RADIUS system, you can use the
vendortype command to bring the RADIUS configuration in line with the value used by the remote
RADIUS system. Contact your RADIUS system administrator for more information.

ena
This command enables the RADIUS audit server.
dis
This command disables the RADIUS audit server.
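The vendorid and vendortype entries above describe where the audit text lands inside an RFC 2866 Accounting-Request: in a Vendor-Specific attribute (type 26) whose Vendor-Id is 1872 and whose vendor type is 2. The following Python code is an added example, not part of this guide or of the ASF software; it builds such a request with the Request Authenticator RFC 2866 prescribes, verifies it the way a RADIUS server would, produces and checks the matching Accounting-Response, and extracts the audit string from the attribute list. RFC 2866 carries accounting over UDP (port 1813 by default); only the packet bytes are shown here. The user name, session id, audited command text and shared secret are constructed.

```python
# Added example (not Nortel code): build, verify and decode RFC 2866 Accounting
# packets that carry an ASF audit event in a Vendor-Specific attribute using the
# default Vendor-Id 1872 and vendor type 2 from the vendorid/vendortype entries
# above. The user name, session id, command text and shared secret are constructed.
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                   # RADIUS codes (RFC 2866)
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26          # RFC 2865 attribute types
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44  # RFC 2866 attribute types
ACCT_STATUS_INTERIM_UPDATE = 3
VENDOR_ID = 1872          # Alteon, the vendorid default above
VENDOR_TYPE = 2           # the vendortype default above


def attr(atype, value):
    """One attribute: Type (1), Length (1, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute: Vendor-Id (4) then Vendor type, Vendor length, data."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_audit_request(identifier, secret, user, session_id, audit_text):
    """Client side. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE))
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + vsa(VENDOR_ID, VENDOR_TYPE, audit_text.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet, secret):
    """Server side: recompute the Request Authenticator with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, secret):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request, response, secret):
    """Client side: accept only a response bound to our request and our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def extract_audit_text(packet):
    """Walk the attributes and return the Alteon audit string, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == VENDOR_ID and vtype == VENDOR_TYPE:
                return value[6:4 + vlen].decode()
        pos += alen
    return None
```

The authenticators are what make the audit trail trustworthy: a request with a wrong secret or altered attributes fails verify_request on the server, and a response not computed over our Request Authenticator fails verify_response on the client. If a RADIUS dictionary uses a different Vendor-Id or vendor type, change VENDOR_ID and VENDOR_TYPE to match, which is exactly what the vendorid and vendortype commands do on the ASF.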

/cfg/sys/adm/audit/servers
Radius Audit Servers Menu

[Radius Audit Servers Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The RADIUS Audit servers menu is used for adding, modifying and deleting information
about RADIUS audit servers.

Table 12-24 Radius Audit Servers Menu Options (/cfg/sys/adm/audit/servers)

Command Syntax and Usage

list
Lists the IP addresses of currently configured RADIUS audit servers, along with their
corresponding index numbers.
del
Removes the specified RADIUS audit server from the configuration. Use the list command to
display the index numbers of all added RADIUS audit servers.
add <IP address> <TCP port number> <shared secret>
Adds a RADIUS audit server to the configuration. Specify the IP address, a TCP port number, and
the shared secret. The next available index number is assigned automatically by the system.
For backup purposes, several RADIUS audit servers can be added. The ASF will contact the server
with the lowest index number first. If contact could not be established, the ASF will try to contact the
server with the next index number in sequence and so on.
Note: The default port number used for RADIUS audit is 1813.

/cfg/sys/log
Platform Logging Menu

[Platform Logging Menu]


syslog - Syslog Logging Menu
ela - ELA Logging Menu
arch - Log Archiving Menu
debug - Set syslog debugging
srcip - Set syslog source IP mode

The Platform Logging Menu is used to configure system message logging features. Messages
can be logged to the system console terminal or the ELA facility, archived to a file which can be
automatically e-mailed, and used for debugging.

Table 12-25 Platform Logging Menu (/cfg/sys/log)

Command Syntax and Usage

syslog
The System Logging Menu is used to configure syslog servers. The Alteon Switched
Firewall software can send log messages to specified syslog hosts.
See page 233 for menu items.
ela
The ELA Menu is used to configure the Event Logging API (ELA) feature. ELA allows
cluster log messages to be sent to a Check Point management server for display through
the Check Point SmartView Tracker.
See page 234 for menu items.
arch
The Log Archiving Menu is used to archive log files when the file reaches a specific size
or age. When log rotation occurs, the current log file is set aside or e-mailed to a
specified address and a new log file is begun.
See page 236 for menu items.

debug y|n
This command is used to enable or disable specialized debugging log messages. This is
disabled by default and should be enabled only as directed by Nortel Networks technical
support.
srcip auto|unique|mip
This command is used to configure which source IP address will be used with logs
generated from the Alteon Switched Firewall.
• auto: The IP address of the outgoing interface is used. This is the default.
• unique: The IP address of the individual Firewall Director is used.
• mip: The IP address of the cluster MIP is used. This setting is useful with applications
(such as some versions of HP OpenView) that expect devices to be limited to only one
IP address.

/cfg/sys/log/syslog
System Logging Menu

[System Logging Menu]


list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

The System Logging Menu is used to configure syslog servers. The Alteon Switched Firewall
software can send log messages to specified syslog hosts.

Table 12-26 System Log Menu (/cfg/sys/log/syslog)

Command Syntax and Usage

list
This command displays all configured syslog servers by their index number, IP address,
and facility number.
del <syslog index number>
This command lets you remove a syslog server from the cluster configuration by
specifying the server’s index number.
add <syslog server IP address> <severity level>
This command lets you add a new syslog server, including its IP address and local
facility number. The local facility number can be used to uniquely identify syslog entries. For
more information, see the UNIX manual page for syslog.conf.
The severity level is used to set the logging severity level. All messages at the specified
level of severity or higher will be logged to the ELA. The severity level can be emerg,
alert, crit, err, notice, info, or debug. The default value is set to err.
insert <index number> <IP address> <severity level>
This command lets you add a new IP address to the access list at the specified index
position. All existing items at the specified index number and higher are incremented by
one position. Obtain the index number from the above list command.
The severity level is used to set the logging severity level. All messages at the specified
level of severity or higher will be logged to the ELA. The severity level can be emerg,
alert, crit, err, notice, info, or debug. The default value is set to err.
move <from index number> <to index number>
This command removes the IP address of the specified from index number and inserts it
at the specified to index number in the access list.

/cfg/sys/log/ela
ELA Logging Menu

[ELA Logging Menu]


ena - Enable ELA
dis - Disable ELA
addr - Set management station IP address
sev - Set minimum logging severity
dn - Set management station DN
pull - Pull SIC certificate

The ELA Logging Menu is used to configure the Event Logging API (ELA) feature. ELA
allows cluster log messages to be sent to a Check Point management server for display through
the Check Point SmartView Tracker.

ELA configuration requires steps at both the Alteon Switched Firewall and at Check Point
management server. For configuration details, see Appendix A, “Event Logging API,” on
page 335.

The ELA Logging Menu has the following options:

Table 12-27 ELA Logging Menu (/cfg/sys/log/ela)

Command Syntax and Usage

ena
This command is used to enable the ELA feature. When enabled, system log messages
will be sent to the Check Point management server.
dis
This command is used to disable ELA. This is the default.
addr <IP address>
This command is used to set the IP address of the management server to which cluster
log messages will be sent. Specify the IP address in dotted decimal notation. The default
address is set to 0.0.0.0.


sev emerg|alert|crit|err|notice|info|debug
This command is used to set the severity of the log messages that are sent to the Check
Point logger. All messages at the specified level of severity or higher are logged to the
ELA. The default value is set to err. The list of severities below goes from most severe
to least severe:
emerg: Emergency
alert: Alert
crit: Critical
err: Error
notice: Notice
info: Info
debug: Debug
dn <OPSEC SIC name>
This command is used to set the Distinguished Name (DN) of the management server. The
DN is defined in the Check Point SmartDashboard tool under the management server
properties. The DN is found in the Secure Internal Communication (SIC) area.
pull
This command is used to obtain a certificate for secure communication from the
management server.
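The syslog add and insert commands and the ELA sev command above all apply the same rule: a destination receives every message at the configured severity or more severe, with err as the default. The following Python code is an added example, not part of this guide or of the ASF software; it applies that rule to messages in the syslog "<PRI>" wire form, where PRI is facility times 8 plus severity, so an operator can predict which lines a given syslog server or the ELA logger will receive. The sample lines are constructed. The numeric severities are the standard syslog codes; warning (code 4) does appear on the wire even though the menus above do not list it.

```python
# Added example (not Nortel code): apply the "specified level of severity or
# higher" rule from the syslog add/insert and ELA sev entries above to messages
# in the syslog "<PRI>" wire form. The sample lines are constructed; the numeric
# severity codes are the standard syslog ones (warning, code 4, exists on the
# wire even though the menus above do not list it).
import re

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def facility_name(code):
    """Syslog facility names; local0..local7 (16..23) are the ones used to tag cluster entries."""
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"facility{code}"


def parse_pri(line):
    """Split '<PRI>text' into (facility, severity, text). PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def at_or_above(severity_code, threshold):
    """True when the message is at the threshold severity or more severe (lower code)."""
    return severity_code <= SEVERITY[threshold]


def select_for_destination(lines, threshold="err"):
    """Return [(facility name, severity name, text)] that a destination configured
    with `threshold` would receive; err is the documented default for both menus."""
    kept = []
    for line in lines:
        facility, severity, text = parse_pri(line)
        if at_or_above(severity, threshold):
            kept.append((facility_name(facility), SEVERITY_NAME[severity], text))
    return kept


# Constructed sample messages from a local0 (16) facility: PRI = 128 + severity.
SAMPLE_LINES = [
    "<130>Nov 15 10:00:01 fwdir1 platform: power supply 2 failed",          # crit
    "<131>Nov 15 10:00:05 fwdir1 platform: cluster member 2 unreachable",   # err
    "<132>Nov 15 10:00:06 fwdir1 platform: log partition 85% full",         # warning
    "<134>Nov 15 10:00:07 fwdir1 login: admin logged in from 10.0.0.5",     # info
    "<135>Nov 15 10:00:09 fwdir1 platform: heartbeat ok",                   # debug
]

if __name__ == "__main__":
    for level in ("err", "info"):
        print(level, [t for _, _, t in select_for_destination(SAMPLE_LINES, level)])
```

With the default err threshold only the crit and err lines are forwarded; login events (info) reach a destination only if its level is set to info or debug, which matters when the syslog server is also meant to hold the access history.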

/cfg/sys/log/arch
Log Archiving Menu

[Log Archiving Menu]


email - Set e-mail address to send log
smtp - Set SMTP server address
int - Set log archive interval
size - Set maximum size of archived log

The Log Archiving Menu is used to archive log files when the file reaches a specific size or
age. When log rotation occurs, the current log file is set aside or e-mailed to a specified address
and a new log file is begun.

If the rotate size is set above 0, then log rotation occurs when the log surpasses the rotate size,
or when the log rotation interval is reached, whichever occurs first. If the rotate size is set to 0,
the file size is ignored and only the rotate interval is used. If an e-mail address and SMTP
Server IP address are set, then the log file is e-mailed when rotated.

Table 12-28 Log Archiving Menu (/cfg/sys/log/arch)

Command Syntax and Usage

email <e-mail address>
This command is used in conjunction with smtp to set the e-mail address where log files
will be sent when the log interval or maximum log size is reached.
smtp <SMTP server IP address>
This command is used to set the IP address of the SMTP mail server that holds the e-mail
address specified in the email command. The IP address should be specified in dotted
decimal notation. The default IP address is 0.0.0.0.
Note that the specified SMTP server must be configured to accept messages from the
cluster. Also, a Check Point policy should be present to allow these messages through
the firewall.
int <days> <hours>
This command is used to set the time interval at which the log files are rotated. The
interval is specified in number of days and number of hours. The default values are 1 day and
0 hours.
size <max size (kb)>
This command is used to set the maximum size a log file is allowed to reach before
triggering rotation. The size is specified in kilobytes. If set to 0, the file size is ignored and
only the interval (int) is used to determine rotation. The default value is 0.

/cfg/sys/user
User Menu

[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
adv - Advanced User Configuration Menu

The User Menu is used to add, modify, delete, or list Alteon Switched Firewall user accounts,
and change passwords.

There are four default user accounts which cannot be deleted: admin, oper, root, and
boot. See “Users and Passwords” on page 141 for information about default passwords and
privileges. Only the administrator can change the passwords.

The password for the boot user cannot be changed. This ensures that if you were to lose all
system passwords, the boot user would be able to access the system through the local serial port.

Table 12-29 User Menu (/cfg/sys/user)

Command Syntax and Usage

passwd
This command is used to change the administrator password. Only the admin user can
perform this action. You will be prompted to enter the current administrator password.
Then, you will be prompted to enter and confirm the new administrator password.
expire [<days>d][<hours>h][<minutes>m][<seconds>s]
This command sets the interval after which user passwords expire. Time can be specified in
seconds (s), minutes (m), hours (h), or days (d). When a user attempts to log in using the
expired password, they will be prompted to change the password. When the expiration
value is set to 0 (zero), passwords do not expire. The default is 0.
list
This command lists all editable user accounts. The boot user is not listed because this
account cannot be altered.
del <user name>
This command lets you delete user accounts. Only the admin user can perform this action.
Of the four default users (admin, oper, root, and boot), only oper can be deleted.

add <user name>
This command lets you add a user account. Only the admin user can perform this
action. After adding a user account, you must also assign the account to a group using
the Edit User Menu (edit).
edit <user name>
The Edit User Menu is used to change user passwords and assign group privileges.
See page 238 for menu items.
adv
The Advanced User Configuration Menu allows you to manage remote SSH users.
See page 240 for menu items.
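The expire command above takes its interval in the form [<days>d][<hours>h][<minutes>m][<seconds>s], with 0 meaning that passwords never expire. The following Python code is an added example, not part of this guide or of the ASF software; it parses that syntax into seconds and applies the expiry rule to a password's last-change time. It assumes, from the bracketed syntax, that each unit appears at most once and in d, h, m, s order; the timestamps it is tested with are constructed.

```python
# Added example (not Nortel code): parse the expire interval syntax shown above,
# [<days>d][<hours>h][<minutes>m][<seconds>s], and apply the rule that 0 means
# passwords never expire. Assumption: units appear at most once, in d, h, m, s
# order, as the bracketed syntax suggests. The timestamps are constructed.
import re

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
TOKEN_RE = re.compile(r"(\d+)([dhms])")


def parse_expire_interval(spec):
    """Return the interval in seconds; '0' means no expiry. Raises ValueError on bad input."""
    spec = str(spec).strip()
    if spec == "0":
        return 0
    total, pos, last_unit_index = 0, 0, -1
    for m in TOKEN_RE.finditer(spec):
        if m.start() != pos:                       # stray text between tokens
            raise ValueError(f"unexpected text in interval {spec!r}")
        value, unit = int(m.group(1)), m.group(2)
        unit_index = "dhms".index(unit)
        if unit_index <= last_unit_index:          # repeated or out-of-order unit
            raise ValueError(f"units repeated or out of order in {spec!r}")
        last_unit_index = unit_index
        total += value * UNIT_SECONDS[unit]
        pos = m.end()
    if pos == 0 or pos != len(spec):               # nothing parsed, or trailing junk
        raise ValueError(f"malformed interval {spec!r}")
    return total


def interval_is_valid(spec):
    """Boolean form of parse_expire_interval."""
    try:
        parse_expire_interval(spec)
        return True
    except ValueError:
        return False


def password_expired(changed_at, now, spec):
    """True when now - changed_at (seconds) has reached the interval; never for 0."""
    interval = parse_expire_interval(spec)
    if interval == 0:
        return False
    return now - changed_at >= interval
```

A value such as 90d forces a change every ninety days; a typo such as 12h1d or 1w is rejected rather than silently parsed as a shorter interval, which is the failure worth guarding against in a policy setting.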

/cfg/sys/user/edit <user name>
Edit User Menu

[User name Menu]


password - Login password
groups - Groups menu

The Edit User Menu is used to change passwords and assign group privileges for the user
account specified by the user name.

Table 12-30 Edit User Menu (/cfg/sys/user/edit)

Command Syntax and Usage

password
This command is available for admin user only. The command lets you change the
password for the admin user. You will be prompted to enter the current administrator
password; then, you will be prompted to enter and confirm the new user password.
groups <group name>
This command lets you assign the selected user to a group. By default there are three
predefined groups: admin, oper, and root. For the privileges of each group, see “Users
and Passwords” on page 141.
You can also define your own groups. Any user placed in a group other than one of the
predefined groups will be given oper privileges only.
See page 239 for menu items.

/cfg/sys/user/edit <user>/groups
Groups Menu

[Groups Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Groups Menu is used to assign the selected user to one or more groups.

By default there are three predefined groups: admin, oper, and root. For the privileges of
each group, see “Users and Passwords” on page 141. You can also define your own groups.
Any user placed in a group other than one of the predefined groups will be given oper
privileges only.

Table 12-31 Groups Menu (/cfg/sys/user/edit <user>/groups)

Command Syntax and Usage

list
This command displays all configured groups to which the user belongs by their index
number.
del <group index number>
This command lets you remove the user from a group by specifying the group’s index
number.
add <group name>
This command lets you add the user to the specified group.

/cfg/sys/user/adv
Advanced User Configuration Menu

[Advanced User <user name> Configuration Menu]
user - SSH User Menu

This menu allows you to configure advanced user parameters.

Table 12-32 Advanced User Configuration Menu (/cfg/sys/user/adv)

Command Syntax and Usage

user
This command opens the SSH User Menu, which allows you to manage remote SSH users.
See page 240 for menu items.

/cfg/sys/user/adv/user
SSH User <user name> Menu

[SSH User <user name> Menu]
name - Set Full name of User
pubkey - Set RSA/DSA Public Key for User
ena - Enable User Account
dis - Disable User Account
del - Remove SSH User

This menu allows remote users to log in to troubleshoot or perform maintenance on the
firewall. This feature must be used cautiously, because it gives users the ability to log in
remotely using SSH and access the Linux shell. Remote users who know the root password can
use the Linux utility su (run “su root”) to become root. By default the remote SSH user
account is disabled.

The following defenses are built in to ensure maximum security.

• To log in, the user has to authenticate using the public key/private key mechanism. DSA
or RSA key pairs can be used, but they must be in OpenSSH version 2 format only.
Password-based authentication is not allowed.
• The IP address of the remote user must be part of the access list.

• The Check Point policy must allow the SSH connection between the remote user and
the ASF.

Table 12-33 Remote SSH Users Menu (/cfg/sys/user/adv/user)

Command Syntax and Usage

name
This command sets the full name of the user.
pubkey
This command allows you to set the RSA or DSA public key for the user. The user will
not be able to log in until this value is set correctly and the SSH client is configured to
use the corresponding private key for authentication. The RSA or DSA key has to be in
OpenSSH v2 format only.
ena
This command enables the user account.
dis
This command disables the user account.
del
This command removes the user account.
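
Because pubkey accepts only a one-line OpenSSH v2 key and the user cannot log in until the value is set correctly, it is worth checking the key line before pasting it into the CLI. The Python check below is an added example, not code from the ASF or from OpenSSH: it parses the line the way OpenSSH lays it out (type string, then the key's integers as SSH wire-format strings) and reports why a line would be rejected. The build_openssh_line helper and the sample numbers it is fed are constructed for illustration and are not real keys.

```python
"""Check a public key line before pasting it into /cfg/sys/user/adv/user pubkey (added example)."""
import base64
import struct
from typing import List, Optional

# Key types the manual accepts, with the number of mpints that follow the type string
# in the OpenSSH v2 blob: RSA carries (e, n), DSA carries (p, q, g, y).
ACCEPTED_TYPES = {"ssh-rsa": 2, "ssh-dss": 4}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_line(key_type: str, numbers: List[int], comment: str = "") -> str:
    """Assemble a one-line OpenSSH v2 public key from its integers (used to make constructed samples)."""
    blob = _ssh_string(key_type.encode("ascii")) + b"".join(_mpint(n) for n in numbers)
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, offset: int):
    """Read one wire-format string starting at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def check_openssh_v2_pubkey(line: str) -> dict:
    """Parse one public key line; raise ValueError if it is not an OpenSSH v2 RSA or DSA key."""
    text = line.strip()
    if text.startswith("----"):
        raise ValueError("RFC 4716 or PEM container, not a one-line OpenSSH v2 key (convert with ssh-keygen -i)")
    fields = text.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-data> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"key type {key_type!r} not accepted; use ssh-rsa or ssh-dss")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("type string inside the blob does not match the declared type")
    numbers = []
    for _ in range(ACCEPTED_TYPES[key_type]):
        raw, offset = _read_string(blob, offset)
        numbers.append(int.from_bytes(raw, "big"))
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    # Key size: the RSA modulus n is the second mpint, the DSA prime p is the first.
    modulus = numbers[1] if key_type == "ssh-rsa" else numbers[0]
    return {"type": key_type, "bits": modulus.bit_length(), "comment": comment}


def pubkey_problem(line: str) -> Optional[str]:
    """None if the line is acceptable for the pubkey command, otherwise the reason it is not."""
    try:
        check_openssh_v2_pubkey(line)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values, not real keys: a 2048-bit RSA modulus and a 1024-bit DSA prime.
    rsa_line = build_openssh_line("ssh-rsa", [65537, (1 << 2047) | 1], "ops@example")
    dsa_line = build_openssh_line("ssh-dss", [(1 << 1023) | 3, 5, 7, 11])
    for sample in (rsa_line, dsa_line, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHd",
                   "---- BEGIN SSH2 PUBLIC KEY ----"):
        print(pubkey_problem(sample) or check_openssh_v2_pubkey(sample))
```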

/cfg/pnp
SFD IP and Firewall License Menu
[SFD IP and Firewall License Menu]
list - List detailed status of current IPs and Licenses
del - Delete IP address and firewall license
add - Add new IP address and firewall license
ena - Enable Plug N Play
dis - Disable Plug N Play

The SFD IP and Firewall License Menu is used for pre-configuring resources that allow the
system to automatically configure any new Firewall Directors that are added to the cluster.

Resources configured under this menu include a pool of IP addresses and Check Point
licenses. When Plug N Play is enabled and resources are available, a new Firewall Director
attached to the cluster will automatically be configured and brought into service.

See “Adding Firewall Directors” on page 111 for more information.

Table 12-34 SFD IP and Firewall License Menu (/cfg/pnp)

Command Syntax and Usage

list
This command is used to list the IP addresses and Check Point licenses currently in the
Plug N Play resource pool. Listed data includes the expiration dates of the licenses.
Licenses configured using the Check Point central licensing mechanism will not be listed
using this command.
del
This command is used to remove an IP address and/or Check Point license from the
Plug N Play resource pool. You will be prompted to enter the IP address you wish to
have removed from the pool. Only unused resources can be deleted. To remove a
Firewall Director which is presently a member of the cluster, see the delete command in
the Firewall Director Host Menu on page 208.
add
This command is used to add an IP address and/or Check Point license to the
Plug N Play resource pool. You will be prompted to enter an IP address and Check Point
license information.

ena
This command is used to turn on the Plug N Play feature. This is the default. If resources
are available (using the add command), Plug N Play allows the cluster to automatically
detect new Firewall Directors, join them to the cluster, configure them, and start them
participating in firewall processing.
dis
This command is used to turn off the Plug N Play feature. When Plug N Play is disabled,
you must manually configure each new Firewall Director being added to the cluster.

/cfg/acc
Accelerator Configuration Menu
[Accelerator Configuration Menu]
auto - Set auto discovery
ha - Set high availability
vma - Set VMA-based performance
rearp - Set re-ARP period in minutes
passwd - Set accelerator password
ac1 - Accelerator 1 Menu
ac2 - Accelerator 2 Menu
master - preferred HA master
det - Display detected accelerators
hc - Health Check Menu
mgmtnet - Set higher priority management network

The Accelerator Configuration Menu is used to configure parameters for the cluster Firewall
Accelerators. This includes the IP addresses and MAC addresses of the Firewall Accelerators
and options for high availability and auto detection.

Table 12-35 Accelerator Configuration Menu (/cfg/acc)

Command Syntax and Usage

auto y|n
This command is used to configure the automatic discovery feature. If this feature is
enabled, when the Firewall Director boots up, it will automatically detect the attached
Firewall Accelerator and use it for acceleration when the firewall software starts. By
default this command is enabled.
If auto detect is disabled, the administrator must manually configure the MAC addresses
of the Firewall Accelerators which will be used by the Firewall Directors to accelerate
firewall processing (see ac1 and ac2).
ha y|n
This command is used to enable or disable the high-availability feature. This is disabled by
default. High-availability requires two Firewall Accelerators installed in a redundant
configuration. See Chapter 7, “Expanding the Cluster,” on page 105 for more information.

vma on|off
This command is used to configure the Virtual Matrix Architecture (VMA) feature on
the Firewall Accelerator.
• on: All Firewall Accelerator ports share session resource information. This is used
primarily in complex network environments where a session’s responses may use a
different port path than the session’s requests. VMA is on by default.
• off: All Firewall Accelerator ports are responsible for their own session information.
This increases firewall speed, but requires simpler network structures where a
session’s responses return on the same port path as the session’s requests.
rearp <time period (2 to 120 minutes)>
Sets the re-ARP period in minutes. The Alteon Switched Firewall periodically sends
ARP (Address Resolution Protocol) requests to refresh its address database. This
command is used for setting the interval between ARP refreshes of the next IP address in the
database. The default interval is 10 minutes.
passwd
This command lets you change the password used for direct access to the Firewall
Accelerator console port. The default password is admin, but can be changed for
security purposes. When this command is entered, you will be prompted to enter and confirm
the new password.
ac1
The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first
Firewall Accelerator in the cluster.
See page 247 for menu items.
ac2
The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second
Firewall Accelerator in the cluster. This is needed only in high-availability
configurations.
See page 248 for menu items.
master 1|2
This command is used to select which Firewall Accelerator is preferred for firewall
acceleration in a high-availability configuration. This setting is ignored when the
automatic discovery feature is enabled (see the auto command on page 244).
Specify 1 to use the Firewall Accelerator defined in ac1, and 2 for ac2.

det
When automatic discovery (auto) is enabled, the first discovered Firewall Accelerator in
a high-availability configuration is used for the firewall acceleration. This command lists
the MAC address and IP address of the active Firewall Accelerator that is currently
being used for firewall acceleration.
hc
The Health Check Parameters Menu is used to configure the parameters that determine
when a Firewall Accelerator is considered up or down.
See page 249 for menu items.
mgmtnet <management network IP address> <subnet mask>
This command is used to configure a priority management network for the Alteon
Switched Firewall. Traffic on the priority management network is protected from being
dropped under conditions of excessive firewall load. This prevents the Alteon Switched
Firewall from losing contact with management tools during denial-of-service attacks.
The default values are set to 0.0.0.0 with mask 255.0.0.0.

/cfg/acc/ac1
Accelerator 1 Menu

[Accelerator 1 Menu]
mac - Set MAC Address
addr - Set IP Address
iap - Set inter-accelerator Port

The Accelerator 1 Menu is used to configure the MAC and IP addresses of the first Firewall
Accelerator in the cluster.

Table 12-36 Accelerator 1 Menu (/cfg/acc/ac1)

Command Syntax and Usage

mac <MAC address>
This command is used to manually configure the MAC address for the first Firewall
Accelerator in the cluster. This is only required if the automatic discovery feature is
disabled. This MAC address is ignored if automatic discovery is enabled. See the auto
command on page 244 for details.
addr <Firewall Accelerator IP address>
This command is used to set the IP address for the first Firewall Accelerator in the
cluster. This address must be in the same subnet as the cluster MIP address and must be
specified in dotted decimal notation.
iap <inter-accelerator port>
This command is used to select the port used to connect Firewall Accelerators together
in a high-availability configuration. For Firewall Accelerator 6600, you must configure
the IAP port. Any Firewall Accelerator port can be used as the IAP, but must have
NAAP enabled. It is recommended to configure port 12 as the IAP port. For Firewall
Accelerator 6400, you must configure the IAP port. Any Firewall Accelerator port can
be used as the IAP, but must have NAAP enabled.

/cfg/acc/ac2
Accelerator 2 Menu

[Accelerator 2 Menu]
mac - Set MAC Address
addr - Set IP Address
iap - Set inter-accelerator Port

The Accelerator 2 Menu is used to configure the MAC and IP addresses of the second Firewall
Accelerator in the cluster. This is needed only in high-availability configurations.

Table 12-37 Accelerator 2 Menu (/cfg/acc/ac2)

Command Syntax and Usage

mac <MAC address>
This command is used to manually configure the MAC address for the second Firewall
Accelerator in the cluster. This is only required if the automatic discovery feature is
disabled. This MAC address is ignored if automatic discovery is enabled. See the auto
command on page 244 for details.
addr <Firewall Accelerator IP address>
This command is used to set the IP address for the second Firewall Accelerator in the
cluster. This address must be in the same subnet as the cluster MIP address and must be
specified in dotted decimal notation.
iap <Inter-Accelerator Port>
This command is used to select the port used to connect Firewall Accelerators together
in a high-availability configuration. For Firewall Accelerator 6600, you must configure
the IAP port. Any Firewall Accelerator port can be used as the IAP, but must have
NAAP enabled. It is recommended to configure port 12 as the IAP port. For Firewall
Accelerator 6400, you must configure the IAP port. Any Firewall Accelerator port can
be used as the IAP, but must have NAAP enabled.

/cfg/acc/hc
Health Check Parameters Menu

[Health Check Parameters Menu]
ret - Set retry count
int - Set health check interval in seconds

The Health Check Parameters Menu is used to configure the parameters that determine when a
Firewall Accelerator is considered up or down.

Each Firewall Accelerator tests the status of the other. These tests are performed at regular,
definable intervals. If a Firewall Accelerator fails its test a definable number of times, the
device is classified as down. If the master Firewall Accelerator in a high-availability
configuration is down, the backup will take over.

Table 12-38 Health Check Parameter Menu (/cfg/acc/hc)

Command Syntax and Usage

ret <number of retries>
This command is used to specify the number of tests which are permitted to fail before
classifying a Firewall Accelerator as down. The default is 30.
int <interval in seconds>
This command is used to specify the time between health checks. This is specified in
seconds. The default is 1.

/cfg/net
Network Configuration Menu
[Network Configuration Menu]
port - Port Menu
vlan - VLAN Menu
if - Interface Menu
gre - GRE Tunnel Menu
route - Routing Settings Menu
dhcprl - DHCP Relay Menu
mirr - Port Mirroring Menu
idslb - IDS Load Balancing Menu
adv - Advanced Settings Menu

Use the Network Configuration Menu to configure networks passing traffic through the firewall.

Table 12-39 Network Configuration Menu (/cfg/net)

Command Syntax and Usage

port <port number>
The Network Port Menu is used for configuring the specified physical port on the
Firewall Accelerator. In addition to enabling or disabling ports and specifying port link
characteristics, this menu is used to apply port filters.
See page 252 for menu items.
vlan <VLAN number (1-4093)>
The VLANs Menu is used to configure Virtual Local Area Networks (VLANs). VLANs
are required where multiple networks are attached to a single Firewall Accelerator port
or for participation in networks where VLAN tagging is used.
Up to 253 VLANs can be configured, though each can be given an identifying number
between 1 and 4093. VLAN 4092 is reserved for internal use. If you configure VLAN 1
however, then you can configure up to 252 VLANs.
See page 261 for menu items.
if <IP interface number>
The IP Interface Menu is used to configure IP interfaces. An IP interface is required for
each network which will be attached to the cluster. Up to 255 IP interfaces can be
configured.
See page 264 for menu items.

gre
The Generic Routing Encapsulation Menu is used to configure GRE tunneling in the
Alteon Switched Firewall.
See page 268 for menu items.
route
The Routing Settings Menu is used to configure default IP gateways, static routes, RIP,
and OSPF parameters.
See page 270 for menu items.
dhcprl
The DHCP Relay Menu is used to configure DHCP relaying with Alteon Switched
Firewall.
See page 306 for menu items.
mirr
The Port Mirroring Menu is used to monitor ports for diagnostics.
See page 309 for menu items.
idslb
The IDS Load Balancing Menu is used to load balance IDS servers.
See page 312 for menu items.
adv
The Advanced Settings Menu is used to configure domain name, port filter, local route
caching, VRRP, and proxy ARP parameters.
See page 314 for menu items.

/cfg/net/port <port number>
Port Menu

[Port 1 Menu]
name - Set port name
copper - Copper Physical Link Menu
fiber - Fiber Physical Link Menu
pref - Set preferred physical connector
back - Set backup physical connector
trunk - Set trunk membership
ena - Enable port
dis - Disable Port
del - Remove Port
o------- - --When trunked, items below are set by master port--o
filt - Port Filters Menu
enf - Set filtering
naap - Set NAAP
vtag - Set VLAN tagging

The Network Port Menu is used for configuring the specified physical port on the Firewall
Accelerator. In addition to enabling or disabling a port, this menu is used to specify port link
characteristics, apply port filters, and trunk ports together. A port is disabled by default.

Physical Port Connector Characteristics

Different models of the Firewall Accelerator have different port connector arrangements:

Table 12-40 Port Connectors by Firewall Accelerator Model

Firewall Accelerator   RJ-45 (Copper gig)   LC (Fiber gig)              Dual: RJ-45 and LC
6600                   Ports 1–8            Ports 3–6, Ports 9–12       Ports 3–6
6400                   Ports 1 through 24   Ports 1 through 28

The LC fiber optic connectors are for attaching Gigabit Ethernet (1000Base-SX) segments to
the port. The RJ-45 copper connectors are for attaching 10/100/1000 Mbps Ethernet (10Base-T,
100Base-TX, or 1000Base-TX) segments.

On ports with dual physical connectors, either connector may be used, depending on the
network devices being attached to the system. When connecting devices which use dual-homing
technology to achieve link redundancy, one of the dual connectors can be used as the preferred
link, and the other can be used as a backup.

On ports with only one physical connector, some of the options described in the Port Menu and
submenus do not apply. Although all options appear on all models of Firewall Accelerator, any
configuration settings for options which do not apply are disregarded.

For physical port specifications and LED behavior, see the section “Connecting Network Cables”
in the Alteon Switched Firewall Hardware Installation Guide.

Port Menu Options

Table 12-41 Port Menu (/cfg/net/port)

Command Syntax and Usage

name <port name>
This command sets a name for the port. The assigned port name appears next to the port
number on some information screens. The default is set to None.
copper
If an RJ-45 connector is available on the Firewall Accelerator port, the Copper Physical
Link Menu is used to configure its link characteristics. You can set port speed, duplex
mode, flow control, and negotiation mode for the port link.
See page 257 for menu items.
fiber
If an LC connector is available on the Firewall Accelerator port, the Fiber Physical Link
Menu is used to configure its link characteristics. You can set port flow control, and
negotiation mode for the port link.
See page 259 for menu items.
pref copper|fiber
If dual physical connectors are available on the port, this option defines the preferred
connector used for the link. Choices are:
• copper: Fast Ethernet Port, RJ-45 connector
• fiber: Gigabit Ethernet Port, LC fiber connector (default)
back copper|fiber
If dual physical connectors are available on the port, this option defines the physical
connector to use when the preferred choice fails or is unavailable. Choices are:
• copper: Fast Ethernet Port, RJ-45 connector
• fiber: Gigabit Ethernet Port, LC fiber connector

trunk <master port number>|no|master
This command manages the current port’s participation in trunks. The default value is set
to no for trunk membership. The following options can be used:
• master port number: group the current port into a trunk with the indicated master port.
The current port will adopt all filtering, NAAP, and VLAN tagging settings from the
specified master port.
• no: Release the current port from its trunk. If the master port is removed from the
trunk, a new one must be designated.
• master: Designate the current port as the master for its trunk group. All other ports
in the trunk will automatically adopt all filtering, NAAP, and VLAN tagging changes
from the master port.
For more information, see “Port Trunking” on page 256.
ena
This command enables the port.
dis
This command disables the port. A port is disabled by default.
del
This command resets the port parameters to default values and then disables the port.
The port can be reconfigured and reenabled at any time.
filt
The Port Filters Menu is used to assign, remove, or list port filters for this port. Before
filters can be assigned to specific ports, they must first be created using the Advanced
Filtering Menu (see page 316). If the port belongs to a trunk, settings for this menu are
taken from the master trunk port.
See page 260 for items under the Port Filters Menu.
enf y|n
This command enables or disables filtering on this port. When enabled, the filters
assigned in the Port Filters Menu (filt) are applied to traffic on this port. When
disabled (the default), no port filtering is performed by the Firewall Accelerator. If the port
belongs to a trunk, settings for this item are taken from the master trunk port.
See the “Filter Definition Menu” on page 316 for more information.

naap y|n
This command enables or disables Nortel Appliance Acceleration Protocol (NAAP) on
the port. NAAP is required to be enabled for any Firewall Accelerator port connected to
one or more Firewall Directors. NAAP should be disabled for Firewall Accelerator ports
connected to trusted, untrusted, or semi-trusted networks.
The default settings for Firewall Accelerator 6600 depend on the port number:
• Ports 1 through 10 are initially reserved for network traffic and have NAAP disabled.
• Ports 11 and 12 are initially reserved for Firewall Director connections and have
NAAP enabled.
The default settings for Firewall Accelerator 6400 are as follows:
• Ports 1, 24, 27, and 28 are initially reserved for Firewall Director connections or for
connecting to a redundant Firewall Accelerator and have NAAP enabled.
• Ports 2–23, 25, and 26 are initially reserved for network traffic and have NAAP
disabled.
If the port belongs to a trunk, settings for this item are taken from the master trunk port.
vtag y|n
This command enables or disables VLAN tagging for this port. It is disabled by default.
VLAN tagging is required whenever the port participates in multiple VLANs. If the port
belongs to a trunk, settings for this item are taken from the master trunk port.

Port Trunking
Port trunks can provide super-bandwidth connections between the ASF and other
trunk-capable devices. A trunk is a group of ports that act together, combining their bandwidth
to create a single, larger capacity port with built-in fault tolerance. Port trunking has the
following rules:

• Up to four trunk groups can be configured on the ASF.
• Any physical Firewall Accelerator port can belong to no more than one trunk group.
• Up to eight network ports can belong to the same trunk group.
• Best performance is achieved when all ports in a trunk are configured for the same speed.
• Trunking with non-Alteon devices must comply with RFC 802.1Q or Cisco® EtherChannel®
technology.

One physical port in the trunk group must be designated as the master. The master port retains
control of those port settings which must be the same for each port in the trunk: filtering
(filt and enf), NAAP (naap), and VLAN tagging (vtag). For these options, the settings
for the master port override those of the other ports as long as they remain in the trunk. When a
port is released from the trunk, its regular port settings are restored. Physical link options,
such as port speed, flow control, and such, can be different for each port in the trunk.

To specify a trunk group consisting of ports 1, 2, and 3, with port 1 as the master, the following
commands could be used:

>> # /cfg/net/port 1 (Select Accelerator port 1)
>> Port 1# trunk master (Select port 1 as the trunk master)
>> Port 1# ../port 2 (Select port 2)
>> Port 2# trunk 1 (Trunk port 2 with master port 1)
>> Port 2# ../port 3 (Select port 3)
>> Port 3# trunk 1 (Trunk port 3 with master port 1)
>> Port 3# apply (Apply configuration changes)

NOTE – If you trunk ports to a non-master port or fail to define a master port, the CLI will
report configuration errors when the apply command is given, and the apply will fail.
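
The rules above (at most four trunk groups, at most eight ports per trunk, every member trunked to a port designated master, and NAAP required on the inter-accelerator port chosen in the Accelerator 1 Menu) are only enforced by the ASF when apply runs. The Python pre-apply check below is an added example, not code from the ASF: PortConfig, check_trunks and effective_settings are names chosen here, and the sample configuration is constructed from the port 1 to 3 trunk shown above plus port 12 as the IAP.

```python
"""Pre-apply check of Port Menu trunk settings against the rules stated in this section (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TRUNK_GROUPS = 4      # "Up to four trunk groups can be configured on the ASF."
MAX_PORTS_PER_TRUNK = 8   # "Up to eight network ports can belong to the same trunk group."


@dataclass
class PortConfig:
    """Subset of /cfg/net/port settings relevant to trunking; field names follow the CLI items."""
    number: int
    trunk: str = "no"            # "no", "master", or the master port number as a string
    naap: bool = False           # naap y|n
    vtag: bool = False           # vtag y|n
    enf: bool = False            # enf y|n
    filt: Tuple[int, ...] = ()   # filter numbers added under the Port Filters Menu


def effective_settings(ports: Dict[int, PortConfig], number: int) -> dict:
    """Settings the accelerator applies: trunk members take filt, enf, naap and vtag from the master."""
    port = ports[number]
    source = port
    if port.trunk.isdigit():
        master = int(port.trunk)
        if master in ports and ports[master].trunk == "master":
            source = ports[master]
    return {"naap": source.naap, "vtag": source.vtag, "enf": source.enf, "filt": source.filt}


def check_trunks(ports: Dict[int, PortConfig], iap: Optional[int] = None) -> List[str]:
    """Return the configuration errors apply would report (empty list means the trunk settings are consistent)."""
    errors: List[str] = []
    masters = {n for n, p in ports.items() if p.trunk == "master"}
    if len(masters) > MAX_TRUNK_GROUPS:
        errors.append(f"{len(masters)} trunk groups configured; at most {MAX_TRUNK_GROUPS} allowed")

    members: Dict[int, List[int]] = {m: [] for m in masters}
    for number, port in sorted(ports.items()):
        if port.trunk in ("no", "master"):
            continue
        if not port.trunk.isdigit():
            errors.append(f"port {number}: trunk value {port.trunk!r} is not no, master, or a port number")
            continue
        master = int(port.trunk)
        if master == number:
            errors.append(f"port {number}: a port cannot be trunked to itself")
        elif master not in ports:
            errors.append(f"port {number}: master port {master} is not configured")
        elif master not in masters:
            # The NOTE above: trunking to a non-master port makes apply fail.
            errors.append(f"port {number}: trunked to port {master}, which is not designated master")
        else:
            members[master].append(number)

    for master, group in members.items():
        size = len(group) + 1   # members plus the master itself
        if size > MAX_PORTS_PER_TRUNK:
            errors.append(f"trunk with master port {master} has {size} ports; at most {MAX_PORTS_PER_TRUNK} allowed")

    if iap is not None:
        if iap not in ports:
            errors.append(f"IAP port {iap} is not configured")
        elif not effective_settings(ports, iap)["naap"]:
            errors.append(f"port {iap}: the inter-accelerator port must have NAAP enabled")
    return errors


def sample_config() -> Dict[int, PortConfig]:
    """Constructed sample: the ports 1-3 trunk from the text (master 1) plus port 12 as IAP with NAAP on."""
    return {
        1: PortConfig(1, trunk="master", vtag=True, enf=True, filt=(1,)),
        2: PortConfig(2, trunk="1"),
        3: PortConfig(3, trunk="1"),
        12: PortConfig(12, naap=True),
    }


if __name__ == "__main__":
    good = sample_config()
    print("good config:", check_trunks(good, iap=12) or "no errors")
    print("port 2 effective:", effective_settings(good, 2))
    bad = sample_config()
    bad[1].trunk = "no"   # members now point at a port that is not designated master
    for err in check_trunks(bad, iap=12):
        print("bad config:", err)
```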

/cfg/net/port <port number>/copper
Copper Physical Link Menu

[Copper Physical Link Menu]
speed - Set link speed
mode - Set full or half duplex mode
fctl - Set flow control
auto - Set autonegotiation

The Copper Physical Link Menu is used to configure link characteristics when using the RJ-45
copper connector on the Firewall Accelerator ports. You can set port speed, duplex mode, flow
control, and negotiation mode for the port link.

NOTE – Fast Physical Link Menu options are disregarded if the port has no RJ-45 connector.

Table 12-42 Fast Physical Link Menu (/cfg/net/port <#>/copper)

Command Syntax and Usage

speed 10|100|1000|any
When autonegotiation (auto) is disabled, this command specifies the link speed. The
choices include:
• 10: 10 Mbps
• 100: 100 Mbps
• 1000: 1000 Mbps
• any: automatic detection (default)

mode full|half|any
When autonegotiation (auto) is disabled, this command specifies the duplex operating
mode. The choices include:
• full: Full-duplex
• half: Half-duplex
• any: automatic negotiation (default)

fctl rx|tx|both|none
When autonegotiation (auto) is disabled, this command specifies the flow control. The
choices include:
• rx: Receive flow control
• tx: Transmit flow control
• both: Both receive and transmit flow control (default)
• none: No flow control

auto y|n
This command enables or disables autonegotiation for the port. This is enabled by
default. When enabled, the Firewall Accelerator negotiates with the connected device to
find the best port speed, duplex mode, and flow control, and overrides the manual
speed, mode, and fctl settings. When autonegotiation is disabled, manual port
settings are used.
If you have difficulty establishing a link with other network devices, turn
autonegotiation off and set the port properties manually.

/cfg/net/port <port number>/fiber
Fiber Physical Link Menu

[Fiber Physical Link Menu]
fctl - Set flow control
auto - Set autonegotiation

The Fiber Physical Link Menu is used to configure link characteristics when using the LC fiber
optic connector on the Firewall Accelerator ports. You can set port flow control and
negotiation mode for the port link.

NOTE – Fiber Physical Link Menu options are disregarded if the port has no LC connector.

Table 12-43 Fiber Physical Link Menu (/cfg/net/port <#>/fiber)

Command Syntax and Usage

fctl rx|tx|both|none
When autonegotiation (auto) is disabled, this command specifies the flow control. The
choices include:
• rx: Receive flow control
• tx: Transmit flow control
• both: Both receive and transmit flow control (default)
• none: No flow control

auto y|n
This command enables or disables autonegotiation for the port. This is enabled by
default. When enabled, the Firewall Accelerator negotiates with the connected device to
find the best flow control, and overrides the manual fctl setting. When autonegotiation
is disabled, the fctl setting is used.
If you have difficulty establishing a link with other network devices, turn
autonegotiation off and set the port properties manually.

/cfg/net/port <port number>/filt
Port Filters Menu

[Port Filters Menu]
list - List all values
del - Delete a value by number
add - Add a new value

The Port Filters Menu is used to assign, remove, or list port filters for a specific port. Port
filters can allow or deny traffic according to a variety of address and protocol specifications.

Table 12-44 Port Filters Menu (/cfg/net/port <#>/filt)

Command Syntax and Usage

list
This command displays all filters assigned to this port by their index number.
del <index number>
This command lets you remove a filter from this port by specifying its index number.
Use the list command to display the index numbers of filters on this port.
add <filter number>
This command lets you assign a filter to this port. Before filters can be assigned, they
must first be created using the Advanced Filtering Menu (see page 316).

/cfg/net/vlan <VLAN number>
VLAN Menu

[VLAN 1 Menu]
name - Set VLAN Name
port - VLAN Ports Menu
jumbo - Set Jumbo Frames
idsgrp - Set IDS group to which traffic will be mirrored
ena - Enable VLAN
dis - Disable VLAN
del - Remove VLAN

The VLAN Menu is used to configure Virtual Local Area Networks (VLANs). By default
VLAN is disabled. VLANs are commonly used to split up groups of network users into
manageable broadcast domains, to create logical segmentation of workgroups, and to enforce
security policies among logical segments. For the Alteon Switched Firewall, VLANs are
configured for various reasons:

• If any of the networks attached to the cluster use VLAN tagging, then VLANs must be
configured and VLAN tagging must be enabled on participating ports.
• If there are two IP interfaces on the same port which belong to two different networks,
then the IP interfaces must be placed in separate VLANs. If this is not configured, it will be
done automatically.

Up to 253 VLANs can be configured, though each can be given an identifying number
between 1 and 4093. However, VLAN 4092 is reserved for internal use. If you configure
VLAN 1, then you can configure up to 252 VLANs.

The default VLAN is 0; however, if required VLANs are not configured by the administrator,
they will be automatically assigned an appropriate VLAN number in the 1–4093 range.

VLANs are assigned on a per-port basis. Each port on the Firewall Accelerator can belong to
one or more VLANs, and each VLAN can have any number of Firewall Accelerator ports in its
membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging
enabled (see the “Port Menu” on page 252).


The VLAN Menu has the following items:

Table 12-45 VLAN Menu (/cfg/net/vlan)

Command Syntax and Usage

name <VLAN name>


This command assigns a name to the VLAN or changes the existing name. To clear the
VLAN name, specify the default value none.
port
The VLAN Ports Menu is used to assign, remove, or list Firewall Accelerator ports for
this VLAN.
See page 263 for menu items.
jumbo y|n
This command enables or disables Jumbo Frame support on this VLAN. The default
value is set to disable. When this feature is enabled, the ASF can handle frames that are
far larger than the maximum normal Ethernet frame size (up to 9018 octets), reducing
the overhead for host frame processing.
Do not enable Jumbo Frame support on a VLAN with any device that cannot process
frame sizes larger than Ethernet maximum frame size. Use additional VLANs to isolate
traffic into Jumbo Frame and regular traffic.
idsgrp <IDS group number>
This command allows you to set the IDS group for the VLAN. The defined IDS group will monitor traffic on the selected VLAN. The IDS group number can be from 1 through 5. The default value zero means that no IDS group is specified.
A single IDS group can monitor traffic for multiple VLANs. The IDS port on the accelerator is automatically VLAN-tagged.
For other commands to define IDS load balancing, see page 312.
ena
This command enables this VLAN.
dis
This command disables this VLAN.
del
This command removes this VLAN from the cluster configuration.


/cfg/net/vlan <VLAN number>/port


VLAN Ports Menu

[VLAN Ports Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The VLAN Ports Menu is used to assign, remove, or list Firewall Accelerator ports for this
VLAN.

Table 12-46 VLAN Ports Menu (/cfg/net/vlan <#>/port)

Command Syntax and Usage

list
This command displays all ports assigned to this VLAN by their index number.
del <index number>
This command lets you remove a port from the VLAN by specifying the port’s index
number. Use the list command to display the index numbers of assigned ports.
add <port number>
This command lets you add the specified port to the VLAN.

NOTE – All ports must belong to at least one VLAN. Any port that is removed from a VLAN
and that is not a member of any other VLAN is automatically assigned a unique VLAN
number.
Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned
on (see the vtag command on page 255).


/cfg/net/if <IP Interface number>


Interface Menu

[Interface 1 Menu]
port - Interface Ports Menu
addr - Set IP address
mask - Set subnet mask
broad - Set broadcast address
vlan - Set VLAN number
vrrp - VRRP Menu
ena - Enable interface
dis - Disable interface
del - Remove Interface

The Interface Menu is used to configure IP interfaces for the cluster. Primarily, each IP interface represents a network attached to the Firewall Accelerator. Up to 255 IP interfaces can be configured. The default value for the interface is disabled.

In essence, IP interfaces play a role similar to that of the Network Interface Cards (NICs) in a typical firewall. A typical firewall usually has only two NICs: one for connecting to the external, untrusted network on the outside of the firewall, and another for connecting to the internal, trusted side of the firewall. The NICs provide the physical port connections for the firewall, and the NIC IP addresses are used as the default gateway in the network devices attached to them, thus directing traffic to the firewall.

The Alteon Switched Firewall IP interfaces are similar, but far more versatile. Up to 255 IP interfaces can be defined, and each IP interface can be assigned to multiple physical ports on the Firewall Accelerator. This allows the cluster to have a presence on many networks. Just as with typical NICs, network devices attached to the Firewall Accelerator ports must be configured to use an IP interface as their default gateway. Do not use the MIP address or any IP address in the cluster subnet as the default gateway for a network.

Table 12-47 Interface Menu (/cfg/net/if)

Command Syntax and Usage

port
The Interface Ports Menu is used to assign, remove, or list ports for this IP interface.
See page 266 for menu items.
addr <interface IP address (such as 192.4.17.101)>
This command configures the IP address of the IP interface using dotted decimal notation. This gives the cluster a presence on a connected trusted, untrusted, or semi-trusted network. Devices on the connected networks should use this IP address as their default gateway so that their outbound traffic is directed to the firewall. The default address is set to 0.0.0.0.
mask <IP subnet mask (such as 255.255.255.0)>
This command configures the IP subnet address mask for the IP interface using dotted
decimal notation. The default mask is set to 0.0.0.0.
broad <broadcast address (such as 192.4.17.255)>
This command configures the IP broadcast address for the IP interface using dotted decimal notation. The default broadcast address is set to 0.0.0.0.
vlan <VLAN number>
This command configures the VLAN number for this IP interface. Each interface can
belong to one VLAN, though any VLAN can have multiple IP interfaces in it. The
default VLAN number is 0.
vrrp
The VRRP Menu is used for configuring the IP interface for high-availability when redundant Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP) ensures that if the active Firewall Accelerator fails, the redundant Firewall Accelerator will take over. In a high-availability configuration, each participating IP interface must be configured separately for VRRP.
See page 267 for menu items.
ena
This command enables this IP interface.


dis
This command disables this IP interface.
del
This command removes this IP interface from the cluster configuration.

/cfg/net/if <IP Interface number>/port


Interface Ports Menu

[Interface Ports Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Interface Ports Menu is used to assign, remove, or list ports for the specified IP interface.

Table 12-48 Interface Ports Menu (/cfg/net/if <#>/port)

Command Syntax and Usage

list
This command displays all ports assigned to this IP interface by their index number.
del <index number>
This command lets you remove a port from the IP interface by specifying the port’s
index number. Use the list command to display the index numbers of assigned ports.
add <port number>
This command lets you add the specified port to the IP Interface.


/cfg/net/if <IP Interface number>/vrrp


VRRP Menu

[VRRP Menu]
vrid - Set virtual router ID
ip1 - Set IP1
ip2 - Set IP2

The VRRP Menu is used for configuring a cluster for high-availability when redundant Firewall Accelerators are used. Virtual Router Redundancy Protocol (VRRP) ensures that if the active Firewall Accelerator fails, the redundant Firewall Accelerator will take over. In a high-availability configuration, each participating IP interface must be configured separately with its own VRRP parameters.

VRRP is enabled or disabled cluster-wide using the ha command under the Accelerator Configuration Menu (see page 244).

When VRRP is used, the IP interface acts as a virtual router. This means that the IP interface’s IP address is shared by both Firewall Accelerators, but is only active on the master. To accomplish this without duplicating the shared IP address on two physical devices on the network, the IP interface is assigned two sub-addresses: one new IP address on the same subnet for each Firewall Accelerator.

Table 12-49 VRRP Menu (/cfg/net/if/vrrp)

Command Syntax and Usage

vrid <virtual router ID (1-255)>


This command assigns a virtual router ID for the IP interface. The vrid must be unique
in your network. The default virtual router ID is 0.
ip1 <IP address>
This command defines the IP address used to represent Firewall Accelerator #1 in this virtual router. The IP address must be in the same subnet as the IP interface and is specified using dotted decimal notation. The default IP address for ip1 is 0.0.0.0.
ip2 <IP address>
This command defines the IP address used to represent Firewall Accelerator #2 in this virtual router. The IP address must be in the same subnet as the IP interface and is specified using dotted decimal notation. The default IP address for ip2 is 0.0.0.0.


/cfg/net/gre <gre_tunnel number>


GRE Tunnel 1 Menu

[GRE Tunnel 1 Menu]


name - Set GRE Tunnel Name
phyif - Set Physical Interface number
remoteaddr - Set Remote IP address
sip - Set 32 bit tunnel source IP address
dip - Set 32 bit tunnel destination IP address
mask - Set Tunnel IP mask
ena - Enable GRE Tunnel
dis - Disable GRE Tunnel
del - Remove GRE Tunnel

The GRE Settings Menu is used to configure the GRE tunnel parameters and create a GRE tunnel over an OSPF network.

Table 12-50 GRE Settings Menu (/cfg/net/gre)

Command Syntax and Usage

name <gre_tunnel name>


This command allows you to define a unique name of up to 16 characters.
phyif <physical interface_number>
This command is used to define the local GRE tunnel end point.
remoteaddr
This command is used to define the address of the remote GRE tunnel end point.
sip <IP address>
This command is used to define the GRE IP address of the local tunnel end point. For
example, if you are running OSPF over GRE, sip is the OSPF interface IP address on
the local system.
dip <IP address>
This command is used to define the GRE IP address of the remote tunnel end point. For
example, if you are running OSPF over GRE, dip is the OSPF interface IP address on
the remote system.
mask
This command is used to define the mask for the GRE Tunnel interface.
ena
This command is used to enable the GRE tunnel.


dis
This command disables this GRE tunnel.
del
This command removes this GRE tunnel from the configuration.


/cfg/net/route
Routing Settings Menu

[Routing Settings Menu]


gate - Default Gateways Menu
static - Static Routing Table Menu
rip - RIP Routing Menu
ospf - Open Shortest Path First (OSPF) Menu

The Routing Settings Menu is used to configure routing parameters. Firewall Accelerator 6600
supports up to a total of 8K routes which can be defined among default gateways, static routes,
RIP routes, and OSPF routes.

Table 12-51 Routing Settings Menu (/cfg/net/route)

Command Syntax and Usage

gate
The Default Gateways Menu is used to configure default IP gateways for the cluster.
See page 271 for menu items.
static
The Static Routing Table Menu is used to add, delete, or list static routes. The cluster
uses these routes to route packets within the attached networks.
See page 274 for menu items.
rip
The RIP Menu is used to configure Router Interface Protocol (RIP) parameters for RIP
version 1 and RIP version 2 (multicasting) networks.
See page 275 for menu items.
ospf
The OSPF Menu is used to configure the ASF for use with Open Shortest Path First
(OSPF) routing protocol.
See page 286 for menu items.


/cfg/net/route/gate
Default Gateways Menu

[Default Gateways Menu]


gw - Default gateway menu
metric - Set default gateway metric

The Default Gateways Menu is used to configure up to four default IP gateways for the cluster.
The default IP gateways are used to route the network traffic.

Table 12-52 Default Gateways Menu (/cfg/net/route/gate)

Command Syntax and Usage

gw <gateway number (1-4)>


The Gateway Settings Menu is used to configure up to four default IP gateways for the
cluster. The default IP gateways are used to route the network traffic.
See page 272 for menu items.
metric strict|roundrobin
This command is used to control default gateway load-balancing. The default value for
metric is strict. If multiple default gateways are configured and enabled, the following
metrics can be specified to determine which default gateway is selected:
• strict: The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.
• roundrobin: This provides basic gateway load balancing. The ASF sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.


/cfg/net/route/gate/gw <gateway number>


Default Gateway Menu

[Default gateway 1 Menu]


addr - Set IP address
intr - Set interval between ping attempts in seconds
retry - Set number of failed attempts to declare gateway DOWN
arp - Set ARP-only health checks
ena - Enable default gateway
dis - Disable default gateway
del - Remove Default Gateway

The Default Gateway Menu is used to configure up to four default IP gateways for the cluster.
The default IP gateways are used to route traffic through the firewall. For example, packets
from the internal networks that arrive at the firewall with an external destination address are
typically sent to the default gateway as their next hop toward an external router. By default, the
newly created gateway is disabled.

If multiple default gateways are configured and healthy, the cluster will use the metric option (see page 271) on the Default Gateways Menu (/cfg/net/route/gate) to determine the appropriate default gateway.

NOTE – The default gateways configured here are for routing traffic away from the firewall, not to it. To direct traffic to the firewall, networks attached to the Firewall Accelerators use IP interfaces for their default gateways. See the “Interface Menu” on page 264 for more information.

Table 12-53 Default Gateway Menu Options (/cfg/net/route/gate/gw)

Command Syntax and Usage

addr <default gateway address>


This command configures the IP address of the default IP gateway using dotted decimal
notation. The default gateway address is 0.0.0.0.
intr <health interval (0-60 seconds)>
The cluster pings the default IP gateways to verify that they are up. The intr option
sets the time between health checks. The range is from 1 to 60 seconds. The default is 2
seconds.
retry <number of attempts (1-120)>
This command sets the number of failed health check attempts required before declaring
a default IP gateway inoperative. The range is from 1 to 120 attempts. The default is 8
attempts.


arp y|n
This command enables or disables ARP-only (Address Resolution Protocol) health
checks. This option is disabled by default.
ena
This command enables this default IP gateway for use.
dis
This command disables this default IP gateway.
del
This command removes this default IP gateway from the cluster configuration.
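As an added illustration of the two passages above, the health-check options (intr, retry, arp) and the strict and roundrobin metrics, here is a small Python model of default gateway selection. It is not ASF code; the rule that one good reply declares a gateway UP again, the rotation order for roundrobin, and the per-destination cache used to keep a destination on the same gateway are assumptions of the model, not behaviour the page states.

```python
"""Model of the Default Gateway Menu: health checks with a retry threshold, then
strict or roundrobin selection among the enabled, healthy gateways."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    number: int             # gw <gateway number (1-4)>
    addr: str
    enabled: bool = False   # a newly created gateway is disabled
    retry: int = 8          # failed checks before the gateway is declared DOWN
    failures: int = 0       # consecutive failed checks so far
    up: bool = True

    def record_check(self, reachable: bool) -> bool:
        """Feed one health-check result (one ping or ARP probe every intr seconds).
        Declaring the gateway UP again after a single good reply is an assumption."""
        if reachable:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.retry:
                self.up = False
        return self.up

    @property
    def usable(self) -> bool:
        return self.enabled and self.up


@dataclass
class DefaultGateways:
    gateways: list
    metric: str = "strict"                          # metric strict|roundrobin
    _rr_next: int = 0                               # rotation pointer for roundrobin
    _sticky: dict = field(default_factory=dict)     # destination -> gateway number (assumed cache)

    def select(self, dest: str):
        """Gateway for a new request toward `dest`, or None when none is usable."""
        ordered = sorted(self.gateways, key=lambda g: g.number)
        usable = [g for g in ordered if g.usable]
        if not usable:
            return None
        if self.metric == "strict":
            return usable[0]                        # lowest-numbered healthy gateway wins
        # roundrobin: a destination keeps its gateway as long as that gateway is usable
        kept = self._sticky.get(dest)
        for g in usable:
            if g.number == kept:
                return g
        # otherwise hand the request to the next healthy gateway in rotation
        while True:                                 # terminates: usable is non-empty
            g = ordered[self._rr_next % len(ordered)]
            self._rr_next += 1
            if g.usable:
                self._sticky[dest] = g.number
                return g
```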


/cfg/net/route/static
Static Routing Table Menu

[Static Routing Table Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Static Routing Table Menu is used to add, delete, or list static routes. The cluster uses
these routes to route packets within the attached networks. The ASF routing table is shared by
the static and dynamic routes. If you configure more static routes, then you have less space for
the dynamic routes.

Firewall Accelerator 6600 allows you to configure a total of 8K static and dynamic routes. Firewall Accelerator 6400 allows you to configure a total of 4K static and dynamic routes. Each interface on the ASF adds three entries to the routing table. The Firewall Accelerator has one more interface than the user-defined interfaces on the Firewall Director.

Table 12-54 Static Routing Table Menu (/cfg/net/route/static)

Command Syntax and Usage

list
This command lists all configured routes by their index number and IP address information.
del <index number>
This command lets you remove a route from the cluster configuration by specifying the route’s index number. Use the list command to display the index numbers of configured routes.
add <destination IP address> <destination mask> <gateway IP address> <interface number>
This command adds a static route based on destination IP address, destination subnet
mask, and gateway IP address. Enter all addresses using dotted decimal notation.


/cfg/net/route/rip
RIP Menu

[RIP Menu]
vlan - RIP Vlan Menu
version - Set default RIP version
redist - Route Redistribute Menu
metric - Set Default RIP metric
distance - Set Default RIP distance
update - Set RIP Update broad/multicast interval
timeout - Set RIP route timeout
ena - Enable RIP
dis - Disable RIP

The RIP Menu is used to configure Router Interface Protocol (RIP) parameters. The Alteon
Switched Firewall supports either RIP version 1 or RIP version 2 (multicasting) networks.

Table 12-55 RIP Menu (/cfg/net/route/rip)

Command Syntax and Usage

vlan <1-4093>
The RIP VLAN Menu is used to configure VLANs for use with RIP. Do not define
VLAN ID 4092, because it is used internally. You can configure up to 253 VLANs. If
you configure VLAN 1 however, then you can configure up to 252 VLANs.
See page 277 for menu items.
version v1|v2
This command is used to specify which version of RIP is used on the Alteon Switched
Firewall: version 1 (v1) or multicast version 2 (v2). The default is v2.
redist
The Route Redistribution Menu is used to define how routes from other protocols are
converted for use with RIP.
See page 280 for menu items.
metric <default RIP metric value (1-16)>
This command sets the default RIP metric used for advertising RIP routes.
The default is 1.


distance <default RIP distance value (1-255)>


This command sets the administrative distance used for route selection. The default is 120. The administrative distance is updated for the new routes that are learned; the distance for the old routes remains the same. The route with the least administrative distance is used for selection into the routing information base (RIB)/forwarding information base (FIB) tables.
update <RIP update interval in seconds (1-600)>
This command sets the interval between RIP update broadcasts. The default is 30 seconds.
timeout <RIP route time-out value in seconds (6-3600)>
This command sets the amount of time a RIP route will be allowed to remain idle until it
expires. Expired routes are given a hop count of 16 (infinite). The default is 180 seconds.
ena
This command enables RIP forwarding for the cluster.
dis
This command disables RIP forwarding for the cluster. This is the default.


/cfg/net/route/rip/vlan <vlan number>


RIP VLAN Menu

[RIP VLAN 1 Menu]


splithz - Set Split-horizon
listen - Set Listen-only
txver - Set Version of Transmitted RIP packets
rxver - Set Version of Received RIP packets
auth - Set Authentication type
key - Set password authentication key
md5key - MD5 authentication keychain
ena - Enable VLAN
dis - Disable VLAN

The RIP VLAN Menu is used to configure VLANs for use with RIP. A VLAN is required for each network which will be attached to the cluster. RIP is disabled by default and must be enabled on a per-VLAN basis.

Table 12-56 RIP VLAN Menu (/cfg/net/route/rip/vlan)

Command Syntax and Usage

splithz y|n
This command enables or disables split horizon with poison reverse for this VLAN. The
split horizon algorithm helps prevent broadcast loops. When enabled (y), learned routes
are not advertised back to the router from which they were learned. The default is
enabled (y). When disabled (n), the command does poison reverse which advertises
back all the learned routes with a metric of 16.
listen y|n
This command enables or disables listen only for this VLAN. When enabled (y), the VLAN will learn routes from other routers, but will not transmit RIP updates. When disabled (n), the VLAN will learn routes and transmit updates. The default is disabled.
txver default|v1|v2|v1v2
This command sets the RIP version used to transmit RIP updates from this VLAN:
• default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is used.
• v1: RIP version 1 is used.
• v2: RIP version 2 is used.
• v1v2: Both RIP version 1 and RIP version 2 are used.


rxver default|v1|v2|v1v2
This command sets the RIP version accepted for RIP updates on this VLAN:
• default: The version specified in the RIP Menu (/cfg/net/route/rip/version) is accepted.
• v1: RIP version 1 is accepted.
• v2: RIP version 2 is accepted.
• v1v2: Both RIP version 1 and RIP version 2 are accepted.

auth none|password|md5
This command sets the authentication type for this VLAN:
• none turns off RIP authentication. This is the default value.
• password turns on plain text password authentication. The passwords are set using the key option.
• md5 turns on MD5 (strong encryption) password authentication. For more information, see “RIP Authentication” on page 278.

key <plain text password (1-8 characters)>


This option is used with the RIP auth option. When the auth option is set to password, the key option sets the password to be used for RIP authentication on this VLAN. Specify a plain text password of up to 8 characters.
To clear the key, specify none as the value.
md5key <MD5 authentication key (1-16 characters)>
The RIP VLAN MD5 Keychain Menu is used for defining MD5 passwords. MD5 is a strong encryption technique used to protect RIP data and passwords. For more information, see “RIP Authentication” on page 278.
ena
This command enables this VLAN for this RIP network.
dis
This command disables this VLAN for this RIP network. This is the default.

RIP Authentication
RIP protocol exchanges can be authenticated so that only trusted devices can participate. The
Alteon Switched Firewall 4.0.2 supports simple authentication (plain text passwords) and MD5
authentication (encrypted data and passwords) among neighboring routing devices in an area.


RIP simple passwords are enabled or disabled individually for each defined interface using the following CLI commands:

>> # /cfg/net/route/rip/vlan <vlan number> (Select VLAN number)
>> RIP VLAN# auth password|none (Set simple authentication on/off)

RIP MD5 passwords use strong cryptography to protect data and passwords.

MD5 passwords are enabled or disabled individually for each defined interface using the following CLI commands:

>> # /cfg/net/route/rip/vlan <vlan number> (Select VLAN number)
>> RIP VLAN# auth md5|none (Set MD5 authentication on/off)

MD5 passwords up to 16 characters are defined using the following CLI command:

>> RIP VLAN# md5key <password> (Set MD5 password)
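The following added Python example (not ASF code) puts together the RIP VLAN Menu policy above (splithz and listen) with the MD5 authentication just described: the sending side builds a RIPv2 update whose entries follow split horizon or poison reverse, appends a keyed-MD5 trailer, and the receiving side, configured with auth md5, verifies the digest and the sequence number before installing the routes. The packet layout and the replay rule follow RFC 2082 as I read it, the 16-byte key slot matching the 16-character md5key limit; the sample routes and key are constructed.

```python
"""RIPv2 update with the RIP VLAN Menu policy and an RFC 2082 keyed-MD5 trailer."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

INFINITY = 16       # RIP "unreachable" hop count
AFI_AUTH = 0xFFFF   # address family value that marks an authentication entry
AUTH_MD5 = 3        # keyed-MD5 authentication type (RFC 2082)
AUTH_TRAILER = 1    # type of the trailer that carries the digest
DIGEST_LEN = 16
KEY_LEN = 16        # the md5key command accepts up to 16 characters


def advertise(routes, vlan, splithz=True, listen=False):
    """Apply the per-VLAN policy. routes are (dest, mask, metric, learned_from_vlan)
    with learned_from_vlan None for local routes. Returns (dest, mask, metric)
    tuples to send on `vlan`, or None when the VLAN is listen-only."""
    if listen:
        return None                      # listen y: learn, never transmit
    out = []
    for dest, mask, metric, src in routes:
        if src == vlan:                  # learned from a router on this VLAN
            if splithz:
                continue                 # splithz y: do not echo it back
            metric = INFINITY            # splithz n: poison reverse
        out.append((dest, mask, metric))
    return out


def _rte(dest, mask, metric):
    # 20-byte RIPv2 route entry: AFI 2 (IP), tag 0, dest, mask, next hop 0, metric
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(dest).packed,
                       IPv4Address(mask).packed, bytes(4), metric)


def _digest(body, key):
    # RFC 2082: MD5 over the packet up to and including the trailer header, followed
    # by the key zero-padded to 16 bytes in the place where the digest will sit.
    return hashlib.md5(body + key[:KEY_LEN].ljust(KEY_LEN, b"\0")).digest()


def build_update(entries, key, key_id, seq):
    """RIPv2 response (command 2, version 2) carrying `entries`, MD5-authenticated."""
    header = struct.pack("!BBH", 2, 2, 0)
    rtes = b"".join(_rte(*e) for e in entries)
    pkt_len = len(header) + 20 + len(rtes)       # bytes before the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, DIGEST_LEN, seq)
    body = header + auth + rtes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return body + _digest(body, key)


def verify_update(packet, keychain, last_seq):
    """Receiver with auth md5 set: return (entries, seq) or raise ValueError."""
    if len(packet) < 24 + 4 + DIGEST_LEN:
        raise ValueError("short packet")
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN:
        raise ValueError("packet is not MD5-authenticated")
    if pkt_len < 24 or (pkt_len - 24) % 20 or pkt_len + 4 + DIGEST_LEN != len(packet):
        raise ValueError("length field does not match the packet")
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        raise ValueError("authentication trailer missing")
    key = keychain.get(key_id)
    if key is None:
        raise ValueError("unknown key ID")
    expected = _digest(packet[:pkt_len + 4], key)
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):   # constant-time compare
        raise ValueError("digest mismatch: wrong key or modified packet")
    if seq < last_seq:                  # replay protection: never accept an older update
        raise ValueError("sequence number went backwards")
    entries = []
    for off in range(24, pkt_len, 20):
        _, _, d, m, _, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        entries.append((str(IPv4Address(d)), str(IPv4Address(m)), metric))
    return entries, seq


def demo():
    # Constructed sample: one route learned on VLAN 2, one local, one learned on VLAN 3.
    routes = [("10.1.0.0", "255.255.0.0", 3, 2),
              ("10.2.0.0", "255.255.0.0", 1, None),
              ("10.3.0.0", "255.255.0.0", 5, 3)]
    key = b"s3cr3t-rip-key"             # constructed stand-in for the md5key value
    sent = advertise(routes, vlan=2, splithz=False)   # poison reverse on VLAN 2
    packet = build_update(sent, key, key_id=1, seq=42)
    return verify_update(packet, {1: key}, last_seq=41)


if __name__ == "__main__":
    print(demo())
```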


/cfg/net/route/rip/redist
Route Redistribution Menu

[Route Redistribution Menu]


connected - Connected Route Redistribution Menu
static - Static Route Redistribution Menu
ospf - OSPF Route Redistribution Menu
defaultgw - Default Gateway Redistribution Menu
fictitious - Fictitious Route Redistribution Menu

The Route Redistribution Menu is used to advertise routes from other protocols into RIP.

Table 12-57 Route Redistribution Menu (/cfg/net/route/rip/redist)

Command Syntax and Usage

connected
The Connected Route Redistribution Menu is used for advertising connected routes via
RIP.
See page 281 for menu items.
static
The Static Route Redistribution Menu is used for advertising static routes via RIP.
See page 282 for menu items.
ospf
The OSPF Route Redistribution Menu is used for advertising OSPF routes via RIP.
See page 285 for menu items.
defaultgw
The Default Gateway Redistribution Menu is used for advertising default gateway routes
via RIP.
See page 284 for menu items.
fictitious
The Fictitious Route Redistribution Menu is used as a diagnostics tool to troubleshoot
routes that are not installed.
See page 285 for menu items.


/cfg/net/route/rip/redist/connected
RIP Connected Route Redistribution Menu

[RIP Connected Route Redistribution Menu]


metric - Set metric assigned to connected routes
ena - Enable redistribution of connected routes
dis - Disable redistribution of connected routes

The RIP Connected Route Redistribution Menu is used to redistribute connected routes into
RIP. By default advertising of connected routes is disabled.

Table 12-58 RIP Connected Route Redist. (/cfg/net/route/rip/redist/connected)

Command Syntax and Usage

metric <value (0-16)>


Sets metric of advertised connected routes. Ranges from 0 to 16 and indicates the relative cost of this route. The larger the cost, the less preferable the route. The default is 1.
enable
Enables advertising of connected routes.

disable
Disables advertising of connected routes.


/cfg/net/route/rip/redist/static
RIP Static Route Redistribution Menu

[RIP Static Route Redistribution Menu]


metric - Set metric assigned to static routes
ena - Enable redistribution of static routes
dis - Disable redistribution of static routes

The RIP Static Route Redistribution Menu is used to redistribute static routes into RIP. Advertising static routes is disabled by default.

Table 12-59 RIP Static Route Redistribution Menu (/cfg/net/route/rip/redist/static)

Command Syntax and Usage

metric <value (0-16)>


Sets metric of advertised static routes. Ranges from 0 to 16 and indicates the relative cost of
this route. The larger the cost, the less preferable the route. The default is 0.
enable
Enables advertising static routes.

disable
Disables advertising static routes.


/cfg/net/route/rip/redist/ospf
RIP OSPF Route Redistribution Menu

[RIP OSPF Route Redistribution Menu]


metric - Set metric assigned to OSPF routes
ena - Enable redistribution of OSPF routes
dis - Disable redistribution of OSPF routes

The RIP OSPF Route Redistribution Menu is used to redistribute OSPF routes into RIP.
Advertising OSPF routes is disabled by default.

Table 12-60 RIP OSPF Route Redistribution Menu (/cfg/net/route/rip/redist/ospf)

Command Syntax and Usage

metric <value (0-16)>


Sets metric of advertised OSPF routes. Ranges from 0 to 16 and indicates the relative cost of
this route. The larger the cost, the less preferable the route. The default is 0.
enable
Enables advertising of OSPF routes.

disable
Disables advertising of OSPF routes.


/cfg/net/route/rip/redist/defaultgw
RIP Default Gateway Route Redistribution Menu

[RIP Default Gateway Route Redistribution Menu]


metric - --Default gateway routes use the default metric--
ena - Enable redistribution of default gateway routes
dis - Disable redistribution of default gateway routes

The RIP Default Gateway Route Redistribution Menu is used to redistribute default gateway routes into RIP. Advertising default gateway routes is disabled by default.

Table 12-61 RIP Default Route Redistribution Menu (/cfg/net/route/rip/redist/defaultgw)

Command Syntax and Usage

metric
Uses the metric of the advertised default gateway routes. The metric for the default gateway
routes is defined under cfg/net/route/gate/metric. For more information on
the metric, see page 271.
enable
Enables advertising of default routes.

disable
Disables advertising of default routes.


/cfg/net/route/rip/redist/fictitious
RIP Fictitious Route Redistribution Menu

[RIP Fictitious Route Redistribution Menu]


networks - Fictitious reachable networks list
ena - Enable redistribution of fictitious routes
dis - Disable redistribution of fictitious routes

The RIP Fictitious Route Redistribution Menu is used as a diagnostic tool to troubleshoot routes that are not installed into the RIP domain. Advertising fictitious routes is disabled by default.

Table 12-62 RIP Fictitious Route Redistribution (/cfg/net/route/rip/redist/fictitious)

Command Syntax and Usage

networks
Lists fictitious networks that can be reached.
See page 286 for menu items.
enable
Enables advertising of fictitious routes.

disable
Disables advertising of fictitious routes.


/cfg/net/route/rip/redist/fictitious/networks
Fictitious RIP Reachable Networks Menu

[Fictitious RIP Reachable Networks Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Fictitious RIP Reachable Networks Menu is used to add and delete fictitious networks to
the currently configured networks.

Table 12-63 Fictitious RIP Networks (/cfg/net/route/rip/redist/fictitious/networks)

Command Syntax and Usage

list
This command displays all currently configured networks.

del
This command deletes a configured network.

add <IP address, such as 10.10.10.1 and mask 255.255.255.0>
This command adds the network to the currently configured networks.

/cfg/net/route/ospf
OSPF Menu

[OSPF Menu]
aindex - OSPF Area (index) Menu
range - OSPF Summary Range Menu
if - OSPF Interface Menu
gre - OSPF GRE Tunnel Menu
virt - OSPF Virtual Link Menu
redist - Route Redistribution Menu
metric - Set default metric
rtrid - Set OSPF router ID
spf - Set time interval between two SPF calculations
ena - Enable OSPF
dis - Disable OSPF


The OSPF Menu is used to configure the ASF for use with the Open Shortest Path First (OSPF)
routing protocol. OSPF uses flooding to exchange link state updates between routers. Any
change in routing information is flooded to all routers in the area. OSPF is disabled by
default.

For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

Table 12-64 OSPF Menu Options (/cfg/net/route/ospf)

Command Syntax and Usage

aindex <area index (1-16)>
The OSPF Area Index Menu is used for defining OSPF area numbers and parameters.
See page 289 for menu items.

range <range number (1-256)>
The OSPF Summary Range Menu is used for defining OSPF summary routes and condensing
OSPF routing information.
See page 290 for menu items.

if <IP interface number (1-255)>
The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas.
See page 292 for menu items.

gre <tunnel number (1-5)>
The OSPF GRE Tunnel Menu is used for attaching OSPF networks to the GRE interface.
See page 295 for menu items.

virt <virtual link number (1-64)>
The OSPF Virtual Link Menu is used for connecting partitioned areas together.
See page 298 for menu items.

redist
This command displays the Route Redistribution Menu.
See page 301 for menu items.


metric <metric value (0-16777214) | none>
This command sets the priority for choosing the ASF for default routes where multiple
Area Boundary Routers (ABR) or Autonomous System Boundary Routers (ASBR) exist
in an area. Selecting none sets no default routes. The default value none sets a metric
cost of 1.
This value is the global default metric for redistributing static, connected, and RIP routes
into OSPF. A metric configured in the specific redistribution menu overrides this global
value; it is recommended to set the metric there.

rtrid <IP address, such as 10.10.10.1>
This command sets a static router ID for this ASF cluster. The router ID is expressed in dotted
decimal IP address format. The default value is 0.0.0.0.
OSPF, when enabled, uses the router ID to identify the routing device. If no router ID is
specified, or if the router ID is set to 0.0.0.0 and the ASF is rebooted, the cluster dynamically
selects one of the active IP interfaces on the cluster as the router ID.
When using OSPF virtual links, the router ID must be set. If OSPF is already enabled,
then you must disable and enable OSPF to activate the updated router ID.

spf <spf calculation interval in seconds (0-65535)> <spf calculation hold time in seconds (0-65535)>
This command sets the time interval, in seconds, between each calculation of the shortest
path tree. The default for spf calculation interval is 5 seconds and the default for spf
calculation hold time is 10 seconds.

ena
This command globally turns on OSPF.

dis
This command globally turns off OSPF.


/cfg/net/route/ospf/aindex <area index>
OSPF Area Index Menu

[OSPF Area Index 1 Menu]


id - Set area ID
type - Set area type
metric - Set stub area metric
ena - Enable area
dis - Disable area
del - Delete OSPF Area Index

The OSPF Area Index Menu is used for defining OSPF area numbers and parameters. By
default the OSPF area is disabled.

For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

Table 12-65 OSPF Area Index Menu Options (/cfg/net/route/ospf/aindex)

Command Syntax and Usage

id <area ID, such as 0.0.0.0>
This command sets the OSPF area number in dotted decimal notation. The area number
can be set using the last octet format (0.0.0.1 for area 1) or using multi-octet format
(1.1.1.1), though the same format should be used throughout an area. The default value is
0.0.0.0.

type transit|stub|nssa
This command sets the area type:
- transit for the backbone or any area that contains a virtual link.
- stub for any area that contains no external routes.
- nssa for any area that can process external routes but does not advertise external
  routes originating from outside its area.
The default type is transit.

metric <0-16777215>
This command sets the stub area metric. Other routing devices add this value to the cost
of routing to this stub area when building their SPF tree.

ena
This command enables this area.


dis
This command disables this area.

del
This command deletes this area index from the configuration.

/cfg/net/route/ospf/range <range number>
OSPF Summary Range Menu

[OSPF Summary Range 1 Menu]


addr - Set IP address
mask - Set IP mask
aindex - Set area index
hide - Set range hiding
ena - Enable range
dis - Disable range
del - Remove OSPF Summary Range

This menu is used for defining OSPF summary routes. Without summarization, each routing
device in an OSPF network would retain a route to every subnet in the network. With
summarization, routing devices can reduce some sets of routes to a single advertisement, reducing
both the load on the routing device and the perceived complexity of the network. The importance
of route summarization increases with network size. The default value for OSPF summary
range is disabled.

For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

Table 12-66 OSPF Summary Range Menu Options (/cfg/net/route/ospf/range)

Command Syntax and Usage

addr <IP address, such as 10.10.10.1>
This command sets the base IP address for the summary range, using dotted decimal
notation. The default IP address is 0.0.0.0.

mask <IP mask, such as 255.255.255.0>
This command sets the IP mask for the summary range, using dotted decimal notation.
The default mask is 0.0.0.0.


aindex <area index (1-16)>
Sets the area index number into which the summary range is to be injected. The default
value is 1.

hide y|n
When enabled, this command forces the address range to be removed from any other
summary ranges being injected into the defined area by the Firewall. This is useful for
removing sections from large summary ranges that are not fully contiguous or contain
gaps. This option is disabled by default.

ena
This command enables this range.

dis
This command disables this range.

del
This command removes this range from the configuration.
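The following Python script is an added example and is not part of this guide or of the ASF software. It models how the addr, mask, hide, and ena settings of Table 12-66 determine what a routing device advertises into an area: routes covered by an enabled range collapse into one summary advertisement, routes inside a range with hide set are suppressed, and routes matched by no range are advertised individually. The SummaryRange class, the summarize function, and every prefix are constructed for the illustration; hide is modelled as suppression of the routes it covers, following the description above.

```python
"""Summary range computation for OSPF, modelled on Table 12-66.

Added example for this reference, not ASF code. summarize() takes the
intra-area routes a device knows and the configured ranges and returns the
prefixes it would advertise. The hide option is modelled as suppression of
every route the hidden range covers. All prefixes are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class SummaryRange:
    addr: str            # base address, as set with addr
    mask: str            # dotted decimal mask, as set with mask
    hide: bool = False   # hide y|n, off by default
    ena: bool = True     # disabled ranges are ignored

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a base address with host bits set
        return ipaddress.IPv4Network(f"{self.addr}/{self.mask}", strict=False)


def summarize(routes: List[str], ranges: List[SummaryRange]) -> List[str]:
    """Return the sorted list of prefixes to advertise into the area."""
    active = [r for r in ranges if r.ena]
    hidden = [r.network() for r in active if r.hide]
    summaries = [r.network() for r in active if not r.hide]
    advertised = set()
    for route in routes:
        net = ipaddress.IPv4Network(route)
        # A hidden range wins over any summary: nothing inside it is advertised.
        if any(net.subnet_of(h) for h in hidden):
            continue
        # Otherwise the most specific enabled summary covering the route replaces it.
        covering = [s for s in summaries if net.subnet_of(s)]
        if covering:
            advertised.add(max(covering, key=lambda s: s.prefixlen))
        else:
            advertised.add(net)   # no range applies: advertise the route as-is
    return [str(n) for n in sorted(advertised)]


# Constructed sample: three contiguous /24s, one lab /24 to hide, one unrelated route.
ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.200.0/24", "172.16.5.0/24"]
RANGES = [
    SummaryRange("10.1.0.0", "255.255.0.0"),                  # collapse 10.1.0.0/16
    SummaryRange("10.1.200.0", "255.255.255.0", hide=True),   # carve out the lab network
    SummaryRange("192.168.0.0", "255.255.0.0", ena=False),    # disabled, has no effect
]

if __name__ == "__main__":
    print("without ranges:", summarize(ROUTES, []))
    print("with ranges:   ", summarize(ROUTES, RANGES))
```

With no ranges configured every route is advertised on its own; with the two enabled ranges the three 10.1.x.0/24 routes become a single 10.1.0.0/16 advertisement, 10.1.200.0/24 disappears because it is hidden, and 172.16.5.0/24 is untouched. The disabled 192.168.0.0/16 range has no effect, which is why a range must be enabled with ena before it does anything.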


/cfg/net/route/ospf/if <interface number>
OSPF Interface Menu

[OSPF Interface 1 Menu]


aindex - Set area index
prio - Set interface router priority
cost - Set interface cost
hello - Set hello interval in seconds
dead - Set dead interval in seconds
trans - Set transmit delay in seconds
retra - Set retransmit delay in seconds
auth - Set authentication type
key - Set password authentication key
md5key - Set MD5 authentication key
ena - Enable interface
dis - Disable interface

The OSPF Interface Menu is used for attaching IP interface networks to OSPF areas. The
OSPF interface is disabled by default.
For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

NOTE – The hello interval (hello), dead interval (dead), transmit interval (trans) and
retransmit interval (retra) must be the same on all OSPF routing devices within an area.
Using incompatible values could keep adjacencies from forming and could stop or loop routing
updates.

The OSPF Interface Menu has the following items:

Table 12-67 OSPF Interface Menu Options (/cfg/net/route/ospf/if)

Command Syntax and Usage

aindex <area index (0-16)>
This command sets the OSPF area index to attach to the network for the current IP interface.
The default value is 0.

prio <priority value (0-255)>
This command sets the IP interface (IF) priority that is used when electing a Designated
Router (DR) and Backup Designated Router (BDR) for the area. The default is 0 (priority
none). A value of 0 specifies that the elected interface is DROTHER and cannot be
used as a DR or BDR.


cost <output cost (1-65535)>
This command sets the cost of output routes on this interface. Cost is used in calculating
the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates
high bandwidth. The default is 10.

hello <hello interval (1-65535)>
This command sets the hello interval in seconds. The Firewall Director holding the MIP
sends hello messages to inform neighbors that the link is up. The default is 10 seconds.
This value must be the same on all routing devices within the area.

dead <dead interval (1-65535)>
This command sets the router dead interval, in seconds. If the Firewall Director holding
the MIP does not receive a hello on the IP interface within the dead interval, the Firewall
Director holding the MIP will declare the interface to be down. Typically, the dead
value is four times the value of hello. The default is 40 seconds. This value must be
the same on all routing devices within the area.

trans <transmit delay (1-3600)>
This command sets the transmit delay, in seconds. This is the estimated time required to
transmit an LSA to adjacencies on this interface, taking into account transmission and
propagation delays. The default is 1 second. This value must be the same on all routing
devices within the area.

retra <time interval (3-3600)>
This command sets the time interval, in seconds, between each transmission of LSAs to
adjacencies on this interface. The default value is five seconds. This value must be the
same on all routing devices within the area.

auth none|password|md5
This command sets the authentication type for this interface:
- none turns off OSPF authentication. This is the default value.
- password turns on plain text password authentication. The password is set using the
  key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is
  defined using the md5key option.
For more information, see “Authentication” on page 72.


key <plain text password>
This option is used with the OSPF auth option. When the auth option is set to password,
the key option sets the password to be used for OSPF authentication on this IP
interface. Specify a plain text password of up to eight characters.
To clear the key, specify none as the value.

md5key <MD5 authentication key, up to 16 characters>
This option is used to define a password for OSPF authentication on this IP interface.
Assigned passwords are ignored until MD5 authentication is enabled in the auth
option.

ena
This command enables this interface.

dis
This command disables this interface.
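As an added example (not code from this guide or from the ASF), the following Python script checks a set of per-device OSPF interface settings from Table 12-67 for the consistency the NOTE above requires and for the authentication limits stated in this table: matching hello, dead, trans and retra timers and a matching auth type within an area, the eight character limit on key, the 1 to 16 character range for md5key, and an md5key that is configured while auth is still none or password. The OspfIf class, the check_area and check_interface functions, the device names and all values are constructed; the script only reports findings and changes nothing.

```python
"""Consistency check for OSPF interface settings that share an area.

Added example for this reference, not ASF code. Each OspfIf instance holds
the Table 12-67 settings for one device's interface; check_area reports the
differences that keep adjacencies from forming and the authentication
settings a reviewer would flag. All device names and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class OspfIf:
    device: str           # constructed device name
    aindex: int           # OSPF area index the interface is attached to
    hello: int = 10       # seconds, page default
    dead: int = 40        # seconds, page default
    trans: int = 1        # seconds, page default
    retra: int = 5        # seconds, page default
    auth: str = "none"    # none | password | md5
    key: str = "none"     # plain text key; "none" means cleared
    md5key: str = ""      # MD5 key, 1-16 characters when auth is md5


TIMERS = ("hello", "dead", "trans", "retra")


def check_interface(m: OspfIf) -> List[str]:
    """Findings for a single interface, independent of its neighbours."""
    out = []
    if m.dead != 4 * m.hello:
        out.append(f"{m.device}: dead {m.dead} is not 4 x hello {m.hello} (advisory)")
    if m.auth == "none":
        out.append(f"{m.device}: OSPF authentication is off; unauthenticated neighbours are accepted")
    elif m.auth == "password":
        out.append(f"{m.device}: plain text key is sent in every OSPF packet; prefer md5")
        if m.key == "none":
            out.append(f"{m.device}: auth password set but key is cleared")
        elif len(m.key) > 8:
            out.append(f"{m.device}: key exceeds the 8 character limit")
    elif m.auth == "md5":
        if not 1 <= len(m.md5key) <= 16:
            out.append(f"{m.device}: md5key must be 1-16 characters")
    else:
        out.append(f"{m.device}: unknown auth type {m.auth!r}")
    if m.auth != "md5" and m.md5key:
        out.append(f"{m.device}: md5key is set but ignored until auth is md5")
    return out


def check_area(ifs: List[OspfIf]) -> List[str]:
    """Findings for all interfaces, grouped by area index."""
    by_area: Dict[int, List[OspfIf]] = {}
    for i in ifs:
        by_area.setdefault(i.aindex, []).append(i)
    findings = []
    for area, members in sorted(by_area.items()):
        ref = members[0]          # first device in the area is the reference
        for m in members[1:]:
            for name in TIMERS:   # timers must match or no adjacency forms
                a, b = getattr(ref, name), getattr(m, name)
                if a != b:
                    findings.append(f"area {area}: {name} mismatch: {ref.device}={a}, {m.device}={b}")
            if m.auth != ref.auth:  # packets with a different auth type are discarded
                findings.append(f"area {area}: auth mismatch: {ref.device}={ref.auth}, {m.device}={m.auth}")
        for m in members:
            findings.extend(check_interface(m))
    return findings


# Constructed sample: two devices agree, the third has drifted.
SAMPLE = [
    OspfIf("fw-a", 1, auth="md5", md5key="Ar3a1-Sh4red-K3y"),
    OspfIf("rtr-b", 1, auth="md5", md5key="Ar3a1-Sh4red-K3y"),
    OspfIf("rtr-c", 1, dead=30, auth="password", key="topsecret"),
]

if __name__ == "__main__":
    for line in check_area(SAMPLE):
        print(line)
```

Run against the constructed sample, the check reports the dead timer and auth type mismatches between fw-a and rtr-c, flags rtr-c's dead interval as not four times its hello, and notes that its plain text key both travels unprotected and exceeds the eight character limit. The same check applies unchanged to the GRE tunnel and virtual link menus that follow, which carry the same timer and authentication options.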


/cfg/net/route/ospf/gre <tunnel number>
OSPF GRE Tunnel Configuration

[OSPF GRE Tunnel 1 Menu]


aindex - Set area index
prio - Set interface router priority
cost - Set interface cost
hello - Set hello interval in seconds
dead - Set dead interval in seconds
trans - Set transmit delay in seconds
retra - Set retransmit delay in seconds
auth - Set authentication type
key - Set password authentication key
md5key - Set MD5 authentication key
ena - Enable interface
dis - Disable interface

The OSPF GRE tunnel menu is used to attach the GRE tunnel interface to the OSPF areas. For
more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and
retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using
incompatible values could keep adjacencies from forming and may stop or loop routing
updates.

The OSPF GRE Tunnel Menu has the following items:

Table 12-68 OSPF GRE Tunnel Interface Menu Options (/cfg/net/route/ospf/gre)

Command Syntax and Usage

aindex <area index (0-16)>
This command sets the OSPF area index to attach to the network for the current IP interface.

prio <priority value (0-255)>
This command sets the IP interface (IF) priority that is used when electing a Designated
Router (DR) and Backup Designated Router (BDR) for the area. The default is 1 (lowest
priority). A value of 0 specifies that the elected interface is DROTHER and cannot be
used as a DR or BDR.


cost <output cost (1-65535)>
This command sets the cost of output routes on this interface. Cost is used in calculating
the shortest path tree throughout the AS. Cost is based on bandwidth. Low cost indicates
high bandwidth. The default is 10.

hello <hello interval (1-65535)>
This command sets the hello interval in seconds. The Firewall Director holding the MIP
sends hello messages to inform neighbors that the link is up. The default is 10 seconds.
This value must be the same on all routing devices within the area.

dead <dead interval (1-65535)>
This command sets the router dead interval, in seconds. If the Firewall Director holding
the MIP does not receive a hello on the IP interface within the dead interval, the Firewall
Director holding the MIP will declare the interface to be down. Typically, the dead
value is four times the value of hello. The default is 40 seconds. This value must be
the same on all routing devices within the area.

trans <transmit delay (0-3600)>
This command sets the transmit delay, in seconds. This is the estimated time required to
transmit an LSA to adjacencies on this interface, taking into account transmission and
propagation delays. The default is 1 second. This value must be the same on all routing
devices within the area.

retra <time interval (0-3600)>
This command sets the time interval, in seconds, between each transmission of LSAs to
adjacencies on this interface. The default value is five seconds. This value must be the
same on all routing devices within the area.

auth none|password|md5
This command sets the authentication type for this interface:
- none turns off OSPF authentication.
- password turns on plain text password authentication. The password is set using the
  key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is
  defined using the md5key option.
For more information, see “Authentication” on page 72.
For more information, see “Authentication” on page 72.


key <plain text password>
This option is used with the OSPF auth option. When the auth option is set to password,
the key option sets the password to be used for OSPF authentication on this IP
interface. Specify a plain text password of up to eight characters.
To clear the key, specify none as the value.

md5key <MD5 authentication key>
This option is used to define a password for OSPF authentication on this IP interface.
Assigned passwords are ignored until MD5 authentication is enabled in the auth
option.

ena
This command enables this interface.

dis
This command disables this interface.


/cfg/net/route/ospf/virt <link number>
OSPF Virtual Link Configuration

[OSPF Virtual Link 1 Menu]


aindex - Set area index
nbr - Set virtual neighbor router
hello - Set hello interval in seconds
dead - Set dead interval in seconds
trans - Set transmit delay in seconds
retra - Set retransmit delay in seconds
auth - Set authentication type
key - Set password authentication key
md5key - Set MD5 authentication key
ena - Enable virtual link
dis - Disable virtual link
del - Remove OSPF Virtual Link

Virtual links are typically created to connect one area to the backbone through another non-
backbone area. The virtual link must be configured at each endpoint of the virtual link, though
they may traverse multiple routing devices. The default value for this virtual link is disabled.

The minimum requirements for configuring a virtual link are the aindex and nbr options in
this menu and the rtrid option in the OSPF Menu (see page 286).

For more information on using OSPF, see Chapter 5, “Open Shortest Path First.”

NOTE – The hello interval (hello), dead interval (dead), transmit delay (trans) and
retransmit delay (retra) must be the same on all OSPF routing devices within an area. Using
incompatible values could keep adjacencies from forming and may stop or loop routing
updates.

Table 12-69 OSPF Virtual Link Menu Options (/cfg/net/route/ospf/virt)

Command Syntax and Usage

aindex <area number (1-16)>
This command sets the OSPF area index through which the virtual link passes. The
default area index is set to 1.

nbr <router ID, such as 192.4.17.101>
This command sets the router ID of the recipient neighbor (endpoint of the virtual link).
The neighbor router ID is specified in dotted decimal format. The default virtual neighbor
router is set to 0.0.0.0.


hello <value (1-65535)>
This command sets the hello interval, in seconds. The Firewall Director holding the MIP
sends hello messages to inform other network devices that the virtual link is up. The
default is 10 seconds. This value must be the same on all routing devices within the area.

dead <dead interval (1-65535)>
This command sets the dead interval, in seconds. If the Firewall Director holding the
MIP does not receive a hello on the IP interface within the dead interval, the Firewall
Director holding the MIP will declare the virtual link to be down. Typically, the dead
value is four times the hello value. The default is 40 seconds. This value must be the
same on all routing devices within the area.

trans <transmit delay (1-3600)>
This command sets the transmit delay, in seconds. This is the estimated time required to
transmit an LSA to adjacencies, taking into account transmission and propagation
delays. The default is one second. This value must be the same on all routing devices
within the area.

retra <time interval (3-3600)>
This command sets the time interval, in seconds, between each transmission of LSAs to
adjacencies. The default is five seconds. This value must be the same on all routing
devices within the area.

auth none|password|md5
This command sets the authentication type for this interface:
- none turns off OSPF authentication. This is the default value.
- password turns on plain text password authentication. The password is set using the
  key option.
- md5 turns on MD5 (strong encryption) password authentication. The password is
  defined using the md5key option.
For more information, see “Authentication” on page 72.

key <plain text password>
This option is used with the OSPF auth option. When the auth option is set to password,
the key option sets the password to be used for OSPF authentication on this IP
interface. Specify a plain text password of up to eight characters.
To clear the key, specify none as the value.


md5key <MD5 authentication key (1-16 characters)>
This option is used to define a password for OSPF authentication on this IP interface.
Assigned passwords are ignored until MD5 authentication is enabled in the auth
option.

ena
This command enables this virtual link.

dis
This command disables this virtual link.

del
This command deletes this virtual link from the configuration.


/cfg/net/route/ospf/redist
OSPF Route Redistribution Menu

[Route Redistribution Menu]


connected - Connected Route Redistribution Menu
static - Static Route Redistribution Menu
rip - RIP Route Redistribution Menu
defaultgw - Default Gateway Redistribution Menu

The Route Redistribution Menu is used to redistribute connected, static, RIP, and default gateway
routes via OSPF. Routes learned from another routing protocol can be redistributed only if that
protocol is enabled.

Table 12-70 Route Redistribution Menu (/cfg/net/route/ospf/redist)

Command Syntax and Usage

connected
The Connected Route Redistribution Menu is used for advertising connected routes via
OSPF.
See page 302 for menu items.

static
The Static Route Redistribution Menu is used for advertising static routes via OSPF.
See page 303 for menu items.

rip
The RIP Route Redistribution Menu is used for advertising RIP routes via OSPF.
See page 304 for menu items.

defaultgw
The Default Gateway Redistribution Menu is used for advertising default gateway routes
via OSPF.
See page 305 for menu items.


/cfg/net/route/ospf/redist/connected
OSPF Connected Route Redistribution Menu

[OSPF Connected Route Redistribution Menu]


metric - Set metric assigned to connected routes
ena - Enable redistribution of connected routes
dis - Disable redistribution of connected routes

The OSPF Connected Route Redistribution Menu is used to redistribute connected routes into
OSPF. By default the value for redistributing connected routes is disabled.

Table 12-71 OSPF Connected Route Redistribution Menu (/cfg/net/route/ospf/redist/connected)

Command Syntax and Usage

metric <value (0-16777214)> <type (t1 | t2)>
Sets the metric of advertised connected routes. The value ranges from 0 to 16777214 and
indicates the relative cost of this route. The larger the cost, the less preferable the route.
The default is 10 and 0 indicates a null metric value.
t1: Sets OSPF external Type 1 metric.
t2: Sets OSPF external Type 2 metric.

enable
Enables advertising of connected routes.

disable
Disables advertising of connected routes.
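Added example, not ASF code: the Python below shows what the t1/t2 choice above and the metric override rule from the OSPF Menu (page 288) mean for route selection. effective_metric applies the page's rule that a redistribution-specific metric overwrites the global default metric, with none standing for a cost of 1; best_external applies the OSPF preference rules for external routes, under which a Type 1 route is preferred to a Type 2 route, Type 1 routes are compared on external metric plus the cost to the advertising router, and Type 2 routes are compared on the external metric alone, with the cost to the advertising router breaking ties. The ExternalRoute class, the function names, the device names and all values are constructed.

```python
"""External metric type (t1/t2) and metric override, modelled on this page.

Added example, not ASF code. effective_metric applies the rule from the OSPF
Menu that a redistribution-specific metric overwrites the global default
metric; best_external applies the OSPF preference rules for external routes
selected by the t1/t2 option. Names and values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def effective_metric(global_default: Optional[int], specific: Optional[int]) -> int:
    """Per-protocol metric wins; a global value of none (None here) means a cost of 1."""
    if specific is not None:
        return specific
    return 1 if global_default is None else global_default


@dataclass
class ExternalRoute:
    advertiser: str   # router that redistributed the route (constructed name)
    metric: int       # external metric carried in the advertisement
    mtype: str        # "t1" or "t2"
    asbr_cost: int    # this router's intra-AS cost to reach the advertiser


def preference_key(r: ExternalRoute):
    """Lower key is preferred.

    Type 1 routes beat Type 2 routes. A Type 1 route costs external metric
    plus the path cost to its advertiser; a Type 2 route is compared on the
    external metric alone, with the path cost to the advertiser as a tie-breaker.
    """
    if r.mtype == "t1":
        return (0, r.metric + r.asbr_cost, 0)
    if r.mtype == "t2":
        return (1, r.metric, r.asbr_cost)
    raise ValueError(f"unknown metric type {r.mtype!r}")


def best_external(candidates: List[ExternalRoute]) -> ExternalRoute:
    """Pick the route a router in the area would install for one destination."""
    return min(candidates, key=preference_key)


# Constructed sample: the ASF and another ASBR both redistribute the same prefix.
# The ASF has no global default metric set (none) but a redistribution metric of 10.
ASF_T2 = ExternalRoute("asf", metric=effective_metric(None, 10), mtype="t2", asbr_cost=5)
ASF_T1 = ExternalRoute("asf", metric=10, mtype="t1", asbr_cost=5)
OTHER_T2 = ExternalRoute("rtr-x", metric=10, mtype="t2", asbr_cost=1)
OTHER_T1 = ExternalRoute("rtr-x", metric=5, mtype="t1", asbr_cost=20)

if __name__ == "__main__":
    print(best_external([ASF_T2, OTHER_T2]).advertiser)   # equal t2 metrics: nearer ASBR wins
    print(best_external([ASF_T1, OTHER_T2]).advertiser)   # t1 beats t2 whatever the costs
    print(best_external([ASF_T1, OTHER_T1]).advertiser)   # t1 vs t1: 10+5 beats 5+20
```

The practical consequence for the ASF: with t2 (the usual choice for routes leaving the AS through a firewall) the redistribution metric alone decides between two firewalls advertising the same external prefix, so a deliberately higher metric on the standby unit keeps traffic on the primary; with t1 the internal path cost is added and a distant primary can lose to a nearby standby.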


/cfg/net/route/ospf/redist/static
OSPF Static Route Redistribution Menu

[OSPF Static Route Redistribution Menu]


metric - Set metric assigned to static routes
ena - Enable redistribution of static routes
dis - Disable redistribution of static routes

The OSPF Static Route Redistribution Menu is used to redistribute static routes into OSPF. By
default the value for redistributing static routes is disabled.

Table 12-72 OSPF Static Route Redistribution Menu (/cfg/net/route/ospf/redist/static)

Command Syntax and Usage

metric <value (0-16777214)>
Sets the metric of advertised static routes. The value ranges from 1 to 16777214 and
indicates the relative cost of this route. The larger the cost, the less preferable the route.
The default is 10 and 0 indicates a null metric value.

enable
Enables advertising of static routes.

disable
Disables advertising of static routes.


/cfg/net/route/ospf/redist/rip
OSPF RIP Route Redistribution Menu

[OSPF RIP Route Redistribution Menu]


metric - Set metric assigned to routes originating from RIP
ena - Enable redistribution of RIP routes
dis - Disable redistribution of RIP routes

The OSPF RIP Route Redistribution Menu is used to redistribute RIP routes into OSPF. By
default the value for redistributing RIP routes is disabled.

Table 12-73 OSPF RIP Route Redistribution Menu (/cfg/net/route/ospf/redist/rip)

Command Syntax and Usage

metric <value (0-16777214)>
Sets the metric of advertised RIP routes. The value ranges from 1 to 16777214 and
indicates the relative cost of this route. The larger the cost, the less preferable the route.
The default is 10 and 0 indicates a null metric value.

enable
Enables advertising of RIP routes.

disable
Disables advertising of RIP routes.


/cfg/net/route/ospf/redist/defaultgw
OSPF Default Gateway Route Redistribution Menu

[OSPF Default Gateway Route Redistribution Menu]


metric - Set metric assigned to default gateway routes
ena - Enable redistribution of default gateway routes
dis - Disable redistribution of default gateway routes

The OSPF Default Gateway Route Redistribution Menu is used to redistribute default gateway
routes into OSPF. By default the value for redistributing default gateway routes is disabled.

Table 12-74 OSPF Default Gateway Route Redistribution Menu (/cfg/net/route/ospf/redist/defaultgw)

Command Syntax and Usage

metric <value (0-16777214)>
Sets the metric of advertised default gateway routes. The value ranges from 1 to 16777214
and indicates the relative cost of this route. The larger the cost, the less preferable the
route. The default is 10 and 0 indicates a null metric value.

enable
Enables advertising of default gateway routes.

disable
Disables advertising of default gateway routes.


/cfg/net/dhcprl
DHCP Relay Menu

[DHCP Relay Menu]


if - DHCP Relay Interface Menu
server - DHCP Server Menu
ena - Enable DHCP Relay
dis - Disable DHCP Relay
clrlocsts - Clear local DHCP Relay stats
clrmipsts - Clear DHCP Relay stats on MIP

The DHCP Relay Menu is used to configure DHCP relay commands for ASF. The default
value for DHCP Relay is disabled.

Table 12-75 DHCP Relay Menu (/cfg/net/dhcprl)

Command Syntax and Usage

if <value (1-255)>
This command is used to specify the interface on which DHCP requests are allowed to enter
the network.
See page 307 for menu items.

server <value (1-8)>
This command is used to add the DHCP server information to the ASF configuration.
See page 308 for menu items.

ena
Enables the use of DHCP relaying globally.

dis
Disables the use of DHCP relaying globally.

clrlocsts
This command clears DHCP statistics on the local Firewall Director.

clrmipsts
This command clears DHCP statistics on the MIP. All DHCP statistics are sent to the
MIP.


/cfg/net/dhcprl/if <number>
DHCP Relay Interface <number> Menu

[DHCP Relay Interface 1 Menu]


ena - Allow DHCP Relay on Interface
dis - Disable DHCP Relay on Interface

The DHCP Relay Interface Menu is used to configure DHCP Relay requests into the network.
The default value for DHCP Relay Interface is disabled.

Table 12-76 DHCP Relay Interface Menu (/cfg/net/dhcprl/if)

Command Syntax and Usage

ena
This command allows DHCP clients to enter the network through this interface.
dis
This command does not allow DHCP clients to enter the network through this interface.


/cfg/net/dhcprl/server <number>
DHCP Server <number> Menu

[DHCP Server 1 Menu]


addr - Set DHCP Server IP address
ena - Enable DHCP Server
dis - Disable DHCP Server
del - Remove DHCP Server

The DHCP Server Menu is used to add DHCP server information to the ASF configuration.
The DHCP server is disabled by default.

Table 12-77 DHCP Relay Server Menu (/cfg/net/dhcprl/server)

Command Syntax and Usage

addr <IP address of DHCP server>
This command adds a DHCP server to the system configuration. The DHCP server added here
will supply clients entering the network with an IP address and a default gateway.
When the DHCP server receives the IP address request from the client, the DHCP server will look
up the client’s source network to identify a valid range of IP addresses. The default value is set to
0.0.0.0.

ena
This command enables the use of this DHCP server.

dis
This command disables the use of this DHCP server.

del
This command removes this DHCP server from being used by ASF.


/cfg/net/mirr
Port Mirroring Menu

[Port Mirroring Menu]


ena - Enable Port Mirroring
dis - Disable Port Mirroring
monport - Monitoring Port-based PM Menu

The Port Mirroring Menu is used to monitor ports.

Table 12-78 Port Mirroring Menu (/cfg/net/mirr)

Command Syntax and Usage

ena
This command enables port mirroring.

dis
This command disables port mirroring.

monport <port number>
The Monitoring Port-based menu is used to configure ports for monitoring. The <port number>
must be a network port on the Firewall Accelerator.
See page 310 for menu items.


/cfg/net/mirr/monport
Monitoring Port <number> Menu

[Monitoring Port <number> Menu]


edit - Add/Delete Ports to be Mirrored
del - Remove Monitoring Ports

The Monitoring Port Menu is used to configure the ports that you want to monitor.

Table 12-79 Monitoring Port Menu (/cfg/net/mirr/monport)

Command Syntax and Usage

edit
This command adds and deletes ports to be mirrored.
See page 311 for menu items.

del
This command removes the monitoring port.


/cfg/net/mirr/monport/edit
Mirrored Ports Menu

[Mirrored Ports Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Mirrored Ports Menu is used to configure the mirrored ports that you want to monitor.

Table 12-80 Mirrored Ports Menu (/cfg/net/mirr/monport/edit)

Command Syntax and Usage

list
This command lists the mirrored ports.
del
This command deletes the mirrored port.
add
This command adds ports to be monitored.


/cfg/net/idslb
IDS Load Balancing Menu

[IDS Load Balancing Menu]


group - IDS Server Group Menu
ena - Enables IDS Load Balancing
dis - Disables IDS Load Balancing

The IDS Load Balancing Menu is used to load balance IDS servers connected to the Firewall
Accelerators.

Table 12-81 IDS Load Balancing Menu (/cfg/net/idslb)

Command Syntax and Usage

group <IDS group number (1-5)>
The group menu is used to configure ports for IDS load balancing. The <IDS group number> must be a number from 1 to 5.
See page 313 for menu items.
ena
This command enables IDS load balancing.
dis
This command disables IDS load balancing.


/cfg/net/idslb/group <IDS group number>
IDS Group <number> Menu

[IDS Group <number> Menu]


port - IDS Group Member Ports Menu
ena - Enable IDS group
dis - Disable IDS group
del - Remove IDS Server Group

The IDS Group Menu is used to configure the ports for load balancing IDS servers.

Table 12-82 IDS Group Menu (/cfg/net/idslb/group)

Command Syntax and Usage

port
This menu is used to list, add, and remove the ports in IDS group <number>.
See page 314 for menu items.
ena
This command enables the IDS group.
dis
This command disables the IDS group.
del
This command removes the IDS server group from the configuration.


/cfg/net/idslb/group <number>/port
IDS Group <number> Ports Menu

[IDS Group Ports <number> Menu]


list - List current ports in IDS group
del - Remove port from IDS group
add - Add ports to the IDS group

The IDS Group Ports Menu is used to define IDS ports for the IDS group.

Table 12-83 IDS Group Ports Menu (/cfg/net/idslb/group/port)

Command Syntax and Usage

list
This command lists the current IDS ports in the IDS group <number>.
del
This command removes IDS ports from the IDS group <number>.
add
This command allows you to add ports to the IDS group <number>. In High Availability
scenarios, when you add a port to an IDS group, the same port number is configured as
an IDS ports on both accelerators. An IDS port can be a member of a single IDS group
only. You can configure a maximum of 10 IDS ports in a single group.
A NAAP or enforcement port or a monitor port cannot be configured as an IDS port.

/cfg/net/adv
Advanced Settings Menu

[Advanced Settings Menu]


domain - Set Domain Name
filt - Filter Definition Menu
parp - Proxy ARP Menu
vrrp - Advanced VRRP Configuration Menu


The Advanced Settings Menu is used to configure the domain name, port traffic filters, proxy
ARP options, and high availability settings.

Table 12-84 Advanced Settings Menu (/cfg/net/adv)

Command Syntax and Usage

domain <domain_name>
This command sets the NIS domain name that is used by the Check Point SMTP server.
filt <filter number (1-2048)>
This menu is used to create or modify port traffic filters. Port traffic filtering is a feature
of the Firewall Accelerator and occurs prior to inspection by the Check Point FireWall-1
NG software.
See page 316 for menu items.
parp
This command is used to configure IP addresses which the cluster should respond to on
behalf of Network Address Translation (NAT) features.
See page 320 for menu items.
vrrp
This menu allows you to set the group ID for the virtual router and the time interval
between VRRP advertisements broadcast.
See page 322 for menu items.


/cfg/net/adv/filt <filter number>
Filter Definition Menu

[Filter Definition 1 Menu]


name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
sip - Set source IP address
smask - Set source IP mask
dip - Set destination IP address
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port range
dport - Set destination TCP/UDP port range
action - Set filter action
inv - Set inversion
log - Set logging
cache - Enable/disable caching of sessions that match the filter
ena - Enable filter
dis - Disable filter
del - Remove Filter Definition

The Filter Definition Menu is used to create or modify port traffic filters. The Alteon Switched
Firewall supports up to 2048 port traffic filters. Each filter can be configured to allow or deny
traffic according to a variety of address and protocol specifications, and each physical Firewall
Accelerator port can be configured to use any combination of filters. A filter is disabled by
default.

Port traffic filtering is a feature of the Firewall Accelerator and occurs prior to inspection by
the Check Point FireWall-1 NG software. Traffic that is dropped by a port traffic filter is never
forwarded to the firewall. Traffic that is allowed by a port traffic filter is sent through the
firewall, bypassing Check Point FireWall-1 NG inspection. Only traffic that is not matched by
any port traffic filter is passed to the firewall for Check Point FireWall-1 NG inspection.
Because an allow filter exempts matching traffic from stateful inspection and from the Check
Point security policy, keep allow filters as narrow as possible and restrict them to traffic you
deliberately want to take the fast path around the firewall; a broad allow filter (for example,
one that matches any address and any protocol) is effectively a hole in the firewall.

The following steps are required for filtering:

• Set the address, masks, and/or protocol that will be affected by the filter
• Set the filter action (allow or deny)
• Enable the filter
• Add the filter to a Firewall Accelerator port
• Enable filtering on the Firewall Accelerator port


NOTE – Filtering criteria can be used in combination. If criteria are left at their default
settings, the filter is broad and affects more traffic. The more criteria that are specifically
set, the narrower the filter becomes, affecting a smaller portion of the traffic.

The Filter Definition Menu has the following items:

Table 12-85 Filter Definition Menu Options (/cfg/net/adv/filt)

Command Syntax and Usage

name <filter name>
This command sets the filter name. Use it to record a comment describing the intended function of the filter.
smac any|<MAC address>
If defined, traffic with this source MAC address will be affected by this filter. The
default is any.
dmac any|<MAC address>
If defined, traffic with this destination MAC address will be affected by this filter. The
default is any.
sip any|<IP address>
If defined, traffic with this source IP address will be affected by this filter. Specify an IP
address in dotted decimal notation, or any. A range of IP addresses is produced when
used with smask below. The default is any if the source MAC address is any.
smask <IP address>
This IP address mask is used with the sip to select a range of source IP addresses which
this filter will affect. See “Defining IP Address Ranges for Filters” on page 319 for
details on producing address ranges. The default address is set to 0.0.0.0.
dip any|<IP address>
If defined, traffic with this destination IP address will be affected by this filter. Specify
an IP address in dotted decimal notation, or any. A range of addresses is produced when
used with dmask below. The default is any if the destination MAC address is any.
dmask <IP subnet mask (such as 255.255.255.0)>
This IP address mask is used with the dip to select traffic which this filter will affect.
See “Defining IP Address Ranges for Filters” on page 319 for details on producing
address ranges. The default address is set to 0.0.0.0.
proto any|<number>|<name>
If defined, traffic from the specified protocol is affected by this filter. Specify the protocol
number, name, or any. The default is any. Below are some of the well-known protocols.


Number Name Number Name


1 icmp 17 udp
2 igmp 89 ospf
6 tcp 112 vrrp

sport <start port number> <end port number>
If defined, traffic with the specified TCP or UDP source port range will be affected by
this filter.
To specify a single port, rather than a range, use the chosen port number as both the start
and end number. For example, to select only port 80, use the following command:
sport 80 80
To specify matching for any port (the default), use the following command:
sport 0 0
Listed below are some of the well-known ports:
Number Name Number Name
20 ftp-data 111 sunrpc
21 ftp 119 nntp
22 ssh 123 ntp
23 telnet 143 imap
25 smtp 144 news
37 time 161 snmp
42 name 162 snmptrap
43 whois 179 bgp
53 domain 194 irc
69 tftp 220 imap3
70 gopher 389 ldap
79 finger 443 https
80 http 520 rip
109 pop2 554 rtsp
110 pop3 1985 hsrp

dport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified TCP or UDP destination port will be affected by
this filter. Specify the port number, range, name, or any. The default is any.
action allow|deny
This specifies the action the filter takes when traffic matches the specified criteria:
allow Allow the frame to pass through the firewall with no further inspection.
deny Discard the frame before it can be inspected by the firewall (default).


inv e|d
This command lets you enable or disable inverting the filter logic. When disabled (the
default), the filter behaves normally. When enabled, if the conditions of the filter are
met, the filter takes no action. Otherwise, if the conditions for the filter are not met, the
filter performs the assigned action.
log e|d
This command enables or disables logging for this filter. If enabled, each time the filter
action is taken, a message is sent to the system log. By default, this is disabled.
cache
This command enables or disables session table caching for traffic that matches the
specified filter. Disable caching to prevent the session table from being swamped with
entries, for example on a filter that matches high volumes of short-lived traffic. Caching
is enabled by default for all filters.
ena
This command enables this filter.
dis
This command disables this filter.
del
This command removes this filter from the cluster configuration.

Defining IP Address Ranges for Filters

You can specify a range of IP addresses for filtering on the source and/or destination IP address
of traffic. When a range of IP addresses is needed, the sip (source) or dip (destination)
defines the base IP address of the desired range, and the smask (source) or dmask (destination)
is the mask that is applied to produce the range.

For example, to determine whether a client request's destination IP address should be allowed,
the destination IP address is masked (bitwise AND) with the dmask and then compared to the
dip. The dip should therefore be the base address of the range, with all host bits set to zero;
to match a single host, use a mask of 255.255.255.255.


As another example, you could configure two filters so that each would handle traffic filtering
for one half of the Internet. To do this, you could define the following parameters:

Table 12-86 Filtering IP Address Ranges

Filter Internet Address Range dip dmask

#1 0.0.0.0 - 127.255.255.255 0.0.0.0 128.0.0.0

#2 128.0.0.0 - 255.255.255.255 128.0.0.0 128.0.0.0
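The matching rule above, worked through as an added example. This is illustrative Python written for this page, not code from the Alteon product or its documentation. It models how a port traffic filter classifies a frame: the masked-address comparison for sip/smask and dip/dmask, the "0 0" any-port convention, the protocol names from Table 12-85, inversion, and the three possible outcomes (dropped before inspection, allowed around FireWall-1 inspection, or handed to FireWall-1 because no filter matched). The evaluation order (lowest filter number wins), the field names, the frame dictionary layout, and the sample frames are assumptions made for the example. The Table 12-86 split of the Internet into two halves is included, and a small audit function flags allow filters so broad that they exempt all traffic on a port from inspection.

```python
# Added example: model of Alteon port-traffic-filter matching (not product code).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple, Union

# Well-known protocol names from Table 12-85.
PROTO_NAMES = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "ospf": 89, "vrrp": 112}


def ip_matches(addr: str, base: str, mask: str) -> bool:
    """sip/smask and dip/dmask rule: (addr AND mask) == base; 'any' matches all.

    Consequence of the rule as written: with the default mask 0.0.0.0 a specific
    base never matches, so a single host needs mask 255.255.255.255.
    """
    if base == "any":
        return True
    masked = int(IPv4Address(addr)) & int(IPv4Address(mask))
    return masked == int(IPv4Address(base))


def port_matches(port: int, rng: Tuple[int, int]) -> bool:
    """sport/dport range check; (0, 0) means any port (the default)."""
    lo, hi = rng
    return (lo, hi) == (0, 0) or lo <= port <= hi


def proto_matches(proto: int, spec: Union[str, int]) -> bool:
    """proto any|<number>|<name>."""
    if spec == "any":
        return True
    if isinstance(spec, str):
        spec = PROTO_NAMES[spec]
    return proto == spec


@dataclass
class Filter:
    number: int
    name: str = ""
    smac: str = "any"
    dmac: str = "any"
    sip: str = "any"
    smask: str = "0.0.0.0"
    dip: str = "any"
    dmask: str = "0.0.0.0"
    proto: Union[str, int] = "any"
    sport: Tuple[int, int] = (0, 0)
    dport: Tuple[int, int] = (0, 0)
    action: str = "deny"      # manual default
    inv: bool = False         # inv e|d
    enabled: bool = False     # filters are disabled by default

    def criteria_met(self, frame: dict) -> bool:
        return (
            self.smac in ("any", frame["smac"])
            and self.dmac in ("any", frame["dmac"])
            and ip_matches(frame["sip"], self.sip, self.smask)
            and ip_matches(frame["dip"], self.dip, self.dmask)
            and proto_matches(frame["proto"], self.proto)
            and port_matches(frame["sport"], self.sport)
            and port_matches(frame["dport"], self.dport)
        )

    def applies(self, frame: dict) -> bool:
        """Inversion: an inverted filter acts only when its criteria are NOT met."""
        met = self.criteria_met(frame)
        return (not met) if self.inv else met


def classify(filters: List[Filter], frame: dict) -> str:
    """'bypass': allowed, skips FireWall-1 inspection; 'drop': denied before
    inspection; 'inspect': no enabled filter matched, handed to FireWall-1.
    Assumption (not stated in the manual): lowest-numbered matching enabled
    filter wins."""
    for f in sorted(filters, key=lambda f: f.number):
        if f.enabled and f.applies(frame):
            return "bypass" if f.action == "allow" else "drop"
    return "inspect"


def inspection_bypass_filters(filters: List[Filter]) -> List[int]:
    """Audit check: enabled allow filters with no IP or protocol criterion.
    Each one exempts every frame on its port from Check Point inspection."""
    return [
        f.number for f in filters
        if f.enabled and f.action == "allow"
        and f.sip == "any" and f.dip == "any" and f.proto == "any"
    ]


def frame(sip, dip, proto=6, sport=0, dport=0, smac="any", dmac="any") -> dict:
    """Constructed sample frame (not captured traffic)."""
    return dict(sip=sip, dip=dip, proto=proto, sport=sport,
                dport=dport, smac=smac, dmac=dmac)


# Table 12-86 worked out: filter 1 covers 0.0.0.0-127.255.255.255, filter 2
# covers 128.0.0.0-255.255.255.255. The actions are chosen for illustration.
LOWER_HALF = Filter(1, "lower-half", dip="0.0.0.0", dmask="128.0.0.0",
                    action="deny", enabled=True)
UPPER_HALF = Filter(2, "upper-half", dip="128.0.0.0", dmask="128.0.0.0",
                    action="allow", enabled=True)

if __name__ == "__main__":
    for dst in ("100.1.2.3", "200.1.2.3"):
        print(dst, classify([LOWER_HALF, UPPER_HALF], frame("10.0.0.1", dst)))
    broad = Filter(9, "catch-all", action="allow", enabled=True)
    print("bypass filters:", inspection_bypass_filters([UPPER_HALF, broad]))
```

Run the file to classify two destinations against the Table 12-86 filters: the deny filter drops the lower half and the allow filter sends the upper half around inspection. Before enabling filtering on a port, a practitioner can feed the configured filters through inspection_bypass_filters to catch an allow filter that would exempt the whole port from Check Point inspection.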

/cfg/net/adv/parp
Proxy ARP Menu

[Proxy ARP Menu]


parp - Proxy ARP List Menu
sfd - Set proxying of SFD's IPs & MIP

The Proxy ARP Menu is used to configure IP addresses which the cluster should respond to on
behalf of Network Address Translation (NAT) features configured in the Check Point Fire-
Wall-1 NG software.

Table 12-87 Proxy ARP Menu (/cfg/net/adv/parp)

Command Syntax and Usage

parp
The Proxy ARP List Menu is used to add, delete, or list proxied addresses.
See page 321 for menu items.
sfd e|d
This command enables or disables whether the cluster will respond to Address Resolu-
tion Protocol (ARP) requests for the cluster Firewall Director and Management IP (MIP)
addresses. The default value is disabled.


/cfg/net/adv/parp/parp
Proxy ARP List Menu

[Proxy ARP List Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The Proxy ARP List Menu is used to add, delete, or list IP addresses which the cluster should
serve as proxy.

Table 12-88 Proxy ARP List Menu (/cfg/net/adv/parp/parp)

Command Syntax and Usage

list
This command displays all proxy ARP addresses by their index number.
del <index number>
This command lets you remove a proxy ARP address by specifying its index number.
Use the list command to display the proxy ARP index numbers.
add <IP address>
This command lets you add the specified proxy ARP address. The IP address should be
specified in dotted decimal notation. The maximum number of entries is 2,000 minus
one for each Firewall Director and Firewall Accelerator in the cluster.


/cfg/net/adv/vrrp
Advanced VRRP Configuration Menu

[Advanced VRRP Configuration Menu]


vrid - Set virtual router group ID
adver - Set advertisement interval

The Advanced VRRP Configuration Menu is used to configure advanced VRRP settings.

Table 12-89 Advanced VRRP Configuration Menu (/cfg/net/adv/vrrp)

Command Syntax and Usage

vrid <virtual router group ID (1-255)>
This command sets the group ID for the virtual router. The default group ID for a virtual
router is 255.
adver <time interval (1-255)>
This command sets the time interval, in seconds, between VRRP advertisements broadcast
from the Alteon Switched Firewall. The default value is 1.


/cfg/fw
Firewall Configuration Menu
[Firewall Configuration Menu]
ena - Enable firewall
dis - Disable firewall
sic - Reset Check Point SIC
accel - Set automatic acceleration restart
sync - Sync Configuration Menu
software - Firewall Software Menu
smart - SmartUpdate Configuration Menu
sxl - SecureXL Configuration Menu

The Firewall Configuration Menu is used to configure firewall related options such as enabling
firewall or resetting the Check Point Secure Internal Communications (SIC). The firewall is
disabled by default.

Table 12-90 Firewall Configuration Menu (/cfg/fw)

Command Syntax and Usage

ena
Enable the Check Point FireWall-1 NG processing on all healthy Firewall Directors in
the cluster.
dis
Disable the Check Point FireWall-1 NG processing on the cluster and mark all Firewall
Directors as down. The Check Point management server cannot be used to manage clus-
ter firewall policies in the disabled state.
sic
This command is used to reset the Check Point Secure Internal Communication (SIC)
state for a specific Firewall Director in the cluster. You will be prompted to enter the IP
address of the target Firewall Director in dotted decimal notation.
accel y|n
This command is used to enable or disable the automatic restart feature for Firewall
Accelerators. This is disabled by default.
sync
The Synchronization Configuration Menu is used to configure stateful failover of sessions
among the Firewall Directors in the cluster. With synchronization, if a Firewall Director
fails, its open sessions are transparently reassigned to a healthy Firewall Director.
See page 325 for menu items.


software
Use the Firewall Software Menu to update the built-in Check Point FireWall-1 NG soft-
ware.
See page 328 for menu items.
smart
This command enables you to use the Check Point SmartUpdate tool on the management
station.
See page 329 for menu items.
sxl
Use the SecureXL Configuration Menu to set the SecureXL connection table size for each Firewall Director.
See page 330 for menu items.


/cfg/fw/sync
Synchronization Menu

[Sync Configuration Menu]


ena - Enable sync
dis - Disable sync
net - Set sync network address
host - Host Specific Sync Settings

The Synchronization Configuration Menu is used to configure the sync device and stateful
failover of sessions among the Firewall Directors in the cluster. The Firewall Director 5014 has
two onboard 10/100/1000 interfaces; this menu lets you select which one is the sync device and
set its speed, duplex mode, and auto-negotiation settings.

With synchronization, if a Firewall Director fails, its open sessions are transparently reassigned
to a healthy Firewall Director. Stateful failover may require additional hardware and Check
Point software configuration. See "Synchronizing Firewall Directors" on page 122 for details.

Table 12-91 Synchronization Menu (/cfg/fw/sync)

Command Syntax and Usage

ena
This command is used to enable synchronization for stateful failover among multiple
Firewall Directors in the cluster.
dis
This command is used to disable synchronization for stateful failover. This is the default.
net <base IP address>
This command is used to configure the base IP address of the Firewall Director synchroni-
zation network. This command is used in conjunction with the /cfg/sys/netmask
option (see page 205) to define the synchronization network range. The default value for
firewall synchronization network is set to 0.0.0.0.
host <host_number>
This command is used to specify the synchronization parameters for the Firewall Direc-
tor.
See page 326 for menu items.


/cfg/fw/sync/host <host number>
Host Sync Settings 1 Menu

[Host Sync Settings 1 Menu]


dev - Set Sync Device Name
autoneg - Set autonegotiation
speed - Set Speed
mode - Set full or half duplex mode

The Host Sync Settings Menu is used to specify synchronization parameters for the Firewall
Director.

Table 12-92 Host Sync Settings Menu (/cfg/fw/sync/host)

Command Syntax and Usage

dev <device name>
This command sets the synchronization device name. This represents the copper Network
Interface port or the Gig port used to connect each Firewall Director to the synchronization
network. By default, this is FE2, representing network port 1 on the back of the Firewall
Director. All Firewall Directors in the cluster must use the same port for synchronization.
autoneg y|n
This command enables or disables autonegotiation for the sync ports on the Firewall
Director. This is enabled by default. When enabled, the Firewall Director negotiates with
the connected device to find the best port speed, duplex mode, and flow control, and
overrides the manual speed, mode, and fctl settings. When autonegotiation is disabled,
manual port settings are used.
If you have difficulty establishing a link with other Firewall Directors, turn autonegotia-
tion off and set the port properties manually.


speed 10|100|1000
When autonegotiation (autoneg) is disabled, this command specifies the link speed. The
choices include:
10: 10 Mbps
100: 100 Mbps (default)
1000: 1000 Mbps
mode full|half
When autonegotiation (autoneg) is disabled, this command specifies the duplex operat-
ing mode. The choices include:
full: Full-duplex (default)
half: Half-duplex


/cfg/fw/software
Firewall Software Menu

[Firewall Software Menu]


cur - Display current version of firewall software

The Firewall Software Menu is used to view the version of the built-in Check Point FireWall-1 NG software.

Table 12-93 Firewall Software Menu (/cfg/fw/software)

Command Syntax and Usage

cur
This command displays the version of the Check Point firewall software currently installed on the Firewall Directors.


/cfg/fw/smart
SmartUpdate Configuration Menu

[Smart Update Configuration Menu]


ena - Enable Smart Update Mode
dis - Disable Smart Update Mode

The Firewall SmartUpdate Menu allows you to use the Check Point SmartUpdate tool on the
management station. SmartUpdate mode is disabled by default.

Table 12-94 Firewall SmartUpdate Menu (/cfg/fw/smart)

Command Syntax and Usage

ena
This command enables you to use the SmartUpdate tool on the management station.
dis
This command prevents you from using the SmartUpdate tool on the management sta-
tion.


/cfg/fw/sxl
SecureXL Configuration Menu

[SecureXL Configuration Menu]


conns - Set SecureXL Connection table size per Director

The SecureXL Menu allows you to set the connection table size for each Director.

Table 12-95 Firewall SecureXL Menu (/cfg/fw/sxl)

Command Syntax and Usage

conns <0-1000000>
This command sets the SecureXL connection table size per Firewall Director. Specify a value
less than 250,000 for ASF 6614 or 6414. The default value depends on the Firewall Accelerator
and Firewall Director models.

/cfg/apps
Application Configuration Menu

[Application Configuration Menu]

securid - SecurID configuration

The Application Configuration Menu is used to configure third-party applications.

Table 12-96 Application Configuration Menu (/cfg/apps)

Command Syntax and Usage

securid
This command opens the SecurID Configuration Menu, used to configure the SecurID authentication servers.


/cfg/apps/securid
SecurID Configuration Menu

[SecurID Configuration Menu]

servers - SecurID Server configuration

The SecurID Configuration Menu is used to configure the SecurID servers.

Table 12-97 SecurID Configuration Menu (/cfg/apps/securid)

Command Syntax and Usage

servers
This command opens the SecurID Server Configuration Menu, used to list, add, and delete SecurID servers.

/cfg/apps/securid/servers
SecurID Server Configuration Menu

[SecurID Server Configuration Menu]


list - List all values
del - Delete a value by number
add - Add a new value

The SecurID Server Configuration Menu is used to configure the SecurID servers.

Table 12-98 SecurID Server Configuration Menu (/cfg/apps/securid/servers)

Command Syntax and Usage

list
This command lists the SecurID servers.
del <index number>
This command lets you remove a SecurID server by specifying its index number. Use the
list command to display the SecurID index numbers.
add <IP address>
This command lets you add the specified SecurID server. The IP address should be specified
in dotted decimal notation. The maximum number of entries is 2,000 minus one for each
Firewall Director and Firewall Accelerator in the cluster.


/cfg/misc
Miscellaneous Settings Menu
[Miscellaneous Settings Menu]
warn - Set warnings when configuration is applied

The Miscellaneous Settings Menu is used to turn on or off configuration warning messages.

Table 12-99 Miscellaneous Settings Menu (/cfg/misc)

Command Syntax and Usage

warn y|n
This command turns warning messages on or off. When enabled (the default), whenever the
global apply command is issued, applicable warnings are displayed if problems are found in
the pending configuration changes. Warnings do not cause the apply command to fail, but
they are helpful for catching configuration issues before they take effect.

Part 3: Appendices
• Appendix A, "Event Logging API"
• Appendix B, "Common Tasks"
• Appendix C, "Troubleshooting"
• Appendix D, "Software Licenses"

APPENDIX A
Event Logging API
The Alteon Switched Firewall Event Logging API (ELA) is an OPSEC™ application that
allows system log messages to be sent to a Check Point management station for display
through the Check Point SmartView Tracker. Log messages are transported to the management
server through a secure, encrypted channel.

For information on configuring and administering OPSEC applications in Check Point, refer
to your complete Check Point FireWall-1 NG documentation at
http://www.checkpoint.com/support/technical/documents/index.html (ID and password required).

ELA configuration requires steps at both the Check Point management server and at the Alteon
Switched Firewall. For each Firewall Director in the cluster, you must create a new OPSEC
application at the Check Point management server, and initialize Secure Internal Communica-
tion (SIC). For each Firewall Director, the certificate associated with the SIC must be pulled to
the Firewall Director before the ELA will operate.

The following sections in this appendix detail the steps required to use ELA:

• "Configure the Check Point Management Server" on page 336
• "Configure the Firewall Directors" on page 341
• "The Check Point SmartView Tracker" on page 343


Configure the Check Point Management Server

At the management server, use the following procedure to create a separate ELA OPSEC
application for each of the Firewall Directors in the cluster.

1. Create a new OPSEC application.

In the tabbed menu on the left, click on the OPSEC Applications tab and choose New OPSEC
Application.


2. Initialize the OPSEC application.

Fill in the following fields:

• The Name field should be given an appropriate identifier. You will need to use this name
when pulling the certificate to the Firewall Director.
• The Host field should refer to the management station.
• The Vendor should be "User defined."
• "ELA" should be checked in the Client Entries box.
• Secure Internal Communication needs to be initialized (see the next step).


3. Initialize Secure Internal Communication (SIC).

Click on the Communication button and choose a password in the box provided. You will need
this one-time password later when pulling the certificate to a Firewall Director.

NOTE – When initialized, the trust state will be displayed as “Initialized but trust not estab-
lished.” This is normal and will not change even after an SIC certificate is pulled from the
Check Point management server (see Step 5 on page 342).


4. Repeat for all Firewall Directors in the cluster.

You should see the OPSEC Application listed in the Policy Manager when the OPSEC tab is
chosen. One application should be created for each Firewall Director in the cluster.

5. Install the policy rulebase to the Firewall Director.

From the menu bar, select Policy | Install:

When the Install Policy window appears, select the cluster object and click on the OK button.


NOTE – If the Check Point antispoofing feature is not enabled, a warning message will appear.
See your Check Point documentation at
http://www.checkpoint.com/support/technical/documents/index.html (ID and password required)
to determine whether antispoofing is necessary for your firewall.

Click on the OK button to initiate installing the rulebase.

Close the Install Policy window when the process is complete.


Configure the Firewall Directors

Configuration of all Firewall Directors is performed through the CLI or the BBI. The following
steps use the BBI method. For configuring ELA using the CLI, see "ELA Logging Menu" on
page 234.

1. Log on to the BBI using the cluster MIP address.

2. Select the Cluster / ELA form and define the general settings.

Set the following items:

• Set Status to "enabled."
• Set Management Station IP to the IP address of the Check Point management station, in
dotted decimal notation.
• Set Minimum Severity if a different level is desired. All messages at the specified level of
severity or higher will be logged to ELA.
• Set the Server Distinguished Name (see the next section to find out how to determine it).


3. Get the Distinguished Name of the server.

In the Check Point SmartDashboard management tool, access the properties of the management
server by double-clicking its displayed icon. The distinguished name (DN) is found in the
Secure Internal Communication area.

Be sure to set the Server Distinguished Name in the BBI window.

4. In the BBI Cluster / ELA form, save and apply the settings.
Click on the Update button to submit your changes. Then use the global apply button to make
your changes take effect.

5. Pull the SIC certificate from the management server.

In order for ELA to function, a separate certificate for SIC communication needs to be
installed on each of the individual Firewall Directors.

In the Pull SIC Certificate section of the Cluster / ELA form, set the following parameters:

• Set the Host IP to the IP address of the individual Firewall Director being updated (not the
MIP address).
• Set the Client SIC Name to match the name specified when creating an OPSEC application
in the Check Point SmartDashboard management tool. Each host should map to a unique
OPSEC application. In the example, host 10.10.1.1 is mapped to the OPSEC application "ela1."


• Set the Password to match the one specified when configuring SIC for the OPSEC application.

6. Click the Submit Certificate button to finish.

The Check Point SmartView Tracker


To view the logs, open the Check Point SmartView Tracker.

In this release of Check Point FireWall-1 NG, the “Origin” of the logs may be incorrect in the
SmartView Tracker tool. The text of the log messages themselves (which contains the source
Firewall Director) may be more reliable in determining from which Firewall Director the log
message originated.

The logging will not occur unless the firewall and registry are up and running on the Firewall
Director. This happens late in the booting process. Messages are cached locally until they can
be sent to the ELA logging server. It therefore may take a few moments before messages begin
appearing after a reboot.

APPENDIX B
Common Tasks
This appendix describes some of the common Alteon Switched Firewall management tasks:

• “Managing Check Point Central Licenses” on page 346
• “Backup and Restore Firewall Configuration” on page 347
• “Remote Login via SSH” on page 348
• “Mounting a Floppy Disk on the Firewall Director” on page 349
• “Manually Upgrading the Firewall Accelerator” on page 351
• “Tuning Check Point NG Performance” on page 352
• “Reading System Memory Information” on page 354
• “Verifying VNIC Configuration” on page 354
• “Recovering from a Lock-Out” on page 355


Managing Check Point Central Licenses

Installing Central Licenses with SmartUpdate


Installing Check Point central licenses is best done using the Check Point tools on your
management client. The license is automatically sent to the Check Point Management Console
license repository and then installed on the Firewall Director. For detailed information on
Check Point licenses or tools such as SmartDashboard and SmartUpdate, see your complete
Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html
(ID and password required).

Use the following procedure to install a central license onto the Firewall Director. Steps 1
through 4 create a new Gateway object. If you have already created a Gateway object, go
directly to Step 5 to install the central license:

1. Launch the SmartDashboard management tool from the management client Start menu.

2. Create a new gateway object for the Firewall Director.
Select Network Objects | New | Gateway and assign its IP address.

3. Establish trusted communication.
Click on the Communication button and type the Check Point SIC one-time password.

4. Click OK to save the object.

5. Launch the SmartUpdate program from the Start menu.

6. When SmartUpdate starts, select the object that represents the target Firewall Director
from the Managed Modules window.

7. Import the license file.
From the menu bar, select Licenses | New License | Import File and then choose the license file
(for example, 172.21.9.200_module.lic).

8. Follow the onscreen prompts until the installation is complete.

9. When the license is installed, load the firewall policy to the Firewall Director.

Deleting or Reinstalling Central Licenses


The SmartUpdate tool is best used for managing Check Point central licenses. See your
complete Check Point documentation at http://www.checkpoint.com/support/technical/documents/index.html
(ID and password required) for details on using SmartUpdate or any other Check Point
management tool.


Backup and Restore Firewall Configuration


ASF 4.0.2 allows you to back up the Director configuration and later restore it to the same
state. The restore operation restores the configuration in the registry as well as the Check Point
SIC and policy.

The backup and restore feature is for a Director only, not the cluster. To back up an entire
cluster, you must log in to each Director and create backups separately. You cannot create a
backup from one member of the cluster and use it to restore another member. A backup taken
from a Director can be used only to restore that same Director or a replacement for that
Director.

Creating a Backup
To create a backup of a Director, do the following using the Command Line Interface (CLI):

1. Log in as “admin” and run the command /maint/backup/backup.
You will be prompted to provide an FTP server.

2. Provide the name of the FTP server to back up to.
The FTP server should allow anonymous login.

Restoring the Director


The restore process cannot fix a corrupt file system. If the Director becomes unusable because
of file system corruption, re-image the box before attempting to restore. The recommended
approach is to re-image the Director and then restore. To restore the Director, do the
following:

1. Copy the backup file to a CDROM.
You can also restore from a local file on the hard disk, but by default, the restore process
checks the CDROM for the backup file.

2. Disconnect the Director from the cluster if it is already part of a cluster.
If you /boot/delete the Director while it is still connected to the cluster, it cannot be
restored, since the cluster will no longer consider that Director a member.

3. Restore the Director to its factory default configuration with the command
/boot/delete.
This is mandatory, as a restore can be done only on a Director in factory default configuration.

4. Log in as admin to see the Setup menu.


5. Choose restore from the list of options.
You will be prompted to insert the CDROM.

6. Insert the CDROM and press <Enter>.
A list of all .tar files in the root directory of the CDROM is displayed.

7. Select the backup file.
When prompted for the filename, either accept the default choice or enter your own. The file is
copied to the hard drive and the CD ejected. It will take about 30 seconds for the restore to
complete. When the restore is complete, you will be logged out of the CLI.

8. Log in again as admin; you will see the Configuration menu instead of the Setup menu.

Remote Login via SSH


ASF 4.0.2 allows remote users to log in to troubleshoot or perform maintenance on the firewall.

This feature must be used cautiously, because it gives users the ability to log in remotely
using SSH and access the Linux shell. A remote user who knows the root password can then
use the Linux utility su and run “su root”.

The following defenses are built in to ensure maximum security:

• To log in, the user has to authenticate using the public key/private key mechanism. DSA
or RSA key pairs can be used, but they must be in OpenSSH version 2 format only.
Password-based authentication is not allowed.
• The IP address of the remote user must be part of the access list.
• The Check Point policy must allow the SSH connection between the remote user and
the ASF.
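Because only OpenSSH version 2 RSA/DSA keys are accepted, keys exported by other SSH clients (RFC 4716 “SSH2” files, or protocol 1 keys) fail silently at login. The following script, an added example that is not part of the Nortel manual, vets a key line on the administrator's workstation before it is given to the ASF: it classifies the format, checks that the base64 blob really encodes the key type named by its label, and converts RFC 4716 files with the standard ssh-keygen -i flag. The sample key lines are constructed placeholders with truncated blobs, not real keys.

```shell
#!/bin/sh
# Added example, not part of the Nortel manual: vet a public-key line before it
# is added for SSH remote login. The ASF accepts only RSA/DSA keys in OpenSSH
# (version 2) format, so keys exported in RFC 4716 ("SSH2") or SSH protocol 1
# format must be rejected or converted first.

# Print the format a single key line appears to be in.
classify_pubkey_line() {
    case $1 in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo rfc4716 ;;
        "ssh-rsa "*|"ssh-dss "*)           echo openssh2 ;;
        [0-9]*" "[0-9]*" "[0-9]*)          echo ssh1 ;;
        *)                                 echo unknown ;;
    esac
}

# Accept only an OpenSSH v2 RSA/DSA line whose base64 blob really encodes the
# key type named by its label: the blob begins with the length-prefixed type
# string, so "ssh-rsa" blobs start with AAAAB3NzaC1yc2E and "ssh-dss" blobs
# with AAAAB3NzaC1kc3M. A mismatch means a hand-edited or corrupted line.
valid_openssh2_key() {
    set -- $1
    case "$1 $2" in
        "ssh-rsa AAAAB3NzaC1yc2E"*) return 0 ;;
        "ssh-dss AAAAB3NzaC1kc3M"*) return 0 ;;
    esac
    return 1
}

# Convert an RFC 4716 key file to an OpenSSH-format line (ssh-keygen -i is the
# standard OpenSSH import option). Prints the converted line.
convert_rfc4716_to_openssh() {
    ssh-keygen -i -f "$1"
}

# Vet every line of a file: print accepted lines on stdout, report the rest on
# stderr (key type only, never the blob). Returns 1 if any line was rejected.
vet_authorized_keys() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        fmt=$(classify_pubkey_line "$line")
        if [ "$fmt" = openssh2 ] && valid_openssh2_key "$line"; then
            printf '%s\n' "$line"
        else
            echo "rejected ($fmt): ${line%% *}" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample lines (truncated placeholder blobs, not real keys).
GOOD_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleblob== admin@workstation'
GOOD_DSA='ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleblob== admin@workstation'
MISLABELED='ssh-rsa AAAAB3NzaC1kc3MAAACBAPexampleblob== admin@workstation'
RFC4716_HEADER='---- BEGIN SSH2 PUBLIC KEY ----'
SSH1_LINE='1024 35 1234567890 admin@workstation'
```

Run vet_authorized_keys against the file you intend to load; only lines it prints should reach the ASF, and an rfc4716 rejection means the file should first go through convert_rfc4716_to_openssh. The access-list and Check Point policy checks listed above remain separate gates that a correctly formatted key does not bypass.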


Mounting a Floppy Disk on the Firewall Director

The following procedure can be used for mounting a floppy disk to read or write files on the
Firewall Director.

1. Insert a DOS-formatted floppy into the Firewall Director.

2. Log in as root.

root

3. Enter the following command:

# mount /mnt/floppy

4. Copy files (if you need the log files). For example:

# cp /var/log/message /mnt/floppy

5. To unmount the floppy disk, enter the following commands:

# sync
# umount /mnt/floppy

6. Remove the floppy disk from the Firewall Director by pressing the eject button.
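The procedure above relies on sync before umount so that buffered writes reach the floppy before it is ejected, but it gives no way to tell whether the copy actually succeeded on a nearly full or faulty disk. The following script is an added example, not from the Nortel manual: it copies each file to the mounted medium, compares the copy byte-for-byte with cmp, and refuses to unmount if any copy failed, so the problem can be examined rather than discovered after the disk has left the building. The mount point and file names are arguments; /mnt/floppy and /var/log/message are the values the procedure uses.

```shell
#!/bin/sh
# Added example, not from the Nortel manual: copy log files to a removable
# medium mounted at a given mount point and verify each copy before the
# medium is unmounted and ejected. The manual's "sync; umount" step is
# kept, and a busy or failed unmount is reported instead of ignored.

# Copy one file into a directory and compare the result byte-for-byte.
# Returns non-zero if the copy failed or differs from the source.
copy_verified() {
    src=$1
    dst="$2/$(basename "$src")"
    cp "$src" "$dst" || return 1
    sync
    cmp -s "$src" "$dst"
}

# Mount the medium, copy every file given, then sync and unmount.
# If any copy failed the medium stays mounted so the partial copy can be
# examined, and the function returns 1.
export_files_to_media() {
    mnt=$1
    shift
    mount "$mnt" || { echo "mount of $mnt failed" >&2; return 1; }
    failed=0
    for f in "$@"; do
        if ! copy_verified "$f" "$mnt"; then
            echo "copy of $f to $mnt failed verification" >&2
            failed=1
        fi
    done
    if [ "$failed" -ne 0 ]; then
        return 1
    fi
    sync
    umount "$mnt" || { echo "umount of $mnt failed (still in use?)" >&2; return 1; }
}

# Usage on the Firewall Director, as root, with a DOS-formatted floppy inserted:
#   export_files_to_media /mnt/floppy /var/log/message
```

A non-zero exit from export_files_to_media means the disk is still mounted; run umount /mnt/floppy yourself once you have looked at the partial copy.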


Mounting a CD-ROM on the Firewall Director


The following procedure can be used for mounting a CDROM to read files on the Firewall
Director.

1. Insert a CDROM into the Firewall Director.

2. Log in as root.

root

3. Enter the following command:

# mount /mnt/cdrom

4. To unmount the CDROM, enter the following commands:

# sync
# umount /mnt/cdrom


Manually Upgrading the Firewall Accelerator


Normally, the cluster Firewall Accelerator software is automatically upgraded along with the
cluster Firewall Directors. However, if required, the Firewall Accelerator software can be
manually upgraded or reloaded. To manually install Firewall Accelerator software, the following
is required:

• A computer running ASCII terminal emulation software.
• A standard serial cable with a male DB9 connector (included with the Firewall Director).
See page 46 of the manual for cable specifications.
• A binary upgrade image for the Firewall Accelerator.

To install the upgrade image, perform the following steps:

1. Connect a terminal directly to the Firewall Accelerator console port.
Set the communications parameters as shown in the table below:

Table 2 Console Configuration Parameters

Parameter     Value
Baud Rate     9600
Data Bits     8
Parity        None
Stop Bits     1
Flow control  None

2. Turn off the Firewall Accelerator and then turn it back on.

3. Press <Shift-F> while the Firewall Accelerator is attempting to boot (while the
“AceSwitch BootMon...” message is displayed).

4. Reconfigure your terminal to use a baud rate of 57600.

5. Transfer the binary upgrade image from the terminal to the Firewall Accelerator using the
Xmodem protocol.
For example, if using Hyperterminal, select the Transfer | Send File command and select
Xmodem or 1K-Xmodem (faster) as the protocol.

6. When the transfer is complete, return your terminal to a baud rate of 9600.

7. Turn off the Firewall Accelerator and then turn it back on.

8. If using a high-availability configuration, repeat this process on the redundant Firewall
Accelerator.


Tuning Check Point NG Performance


Firewall performance can be enhanced by modifying the following parameters in the
Check Point NG software:

• connections_limit
• connections_hashsize

If a NAT policy is being used by a large number of concurrent sessions, then the following two
parameters should also be modified:

• nat_hash_size: The default is 16,384 (16K). It should be increased to 131,072.
• nat_limit: The default is 25,000. It should be increased to 180,000.

Increasing Concurrent Connections


By default, Check Point sets the connection limit of the firewall to 25000, and the default
connection hash size is 65536 (64K). The values for the connection limit and connection hash
size fields depend on the ASF model, as shown in Table B-1.

Table B-1 Increasing Connections

Accelerator Model   Connections_limit   Connections_hashsize
6600                500000              2097152
6400                500000              2097152

Edit the gateway cluster object property to increase connection limit on the Application Intelli-
gence management server. To edit the gateway cluster object representing the ASF cluster, do
the following:

1. Go to the “Capacity Optimization” tab and increase the “Maximum concurrent connec-
tions” parameter.

2. Set the “Calculate connections hash size and memory pool” parameter to “Automati-
cally.”


Increasing NAT Connections


By default, Check Point sets the NAT connection limit of the firewall to 25000. To increase the
value, use the dbedit utility provided by Check Point. You can increase the NAT limit up to the
connection limit that you set for your ASF.

1. Close all GUI clients.

2. Run dbedit on the Check Point management station at the MS DOS prompt:

c:\> dbedit
Enter Server name:<IP address of the Check Point host>
Enter User name:<login using admin account>
Enter User password:
dbedit> modify properties firewall_properties nat_limit 180000
dbedit> modify properties firewall_properties nat_hashsize 1048576
dbedit> update properties firewall_properties
dbedit> quit <Do not enter Ctrl-c or the changes will be aborted>


3. Reinstall the policy.

4. Log in to the ASF. Stop and start the firewall.

NOTE – You may set the nat_limit parameter to be less than the connection_limit.
Make sure the nat_hashsize value is close to the nat_limit and a power of 2. For
example, if nat_limit is 50000, nat_hashsize should be 65536.
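The rules in this section (nat_limit no larger than the connection limit; each hash size a power of 2 at or above its limit) are easy to get wrong when typing values into dbedit, and a wrong value is only noticed after the policy is reinstalled and the firewall restarted. The following script is an added example, not part of the Nortel manual or of Check Point's tools: it checks a proposed set of values against those rules and prints the same dbedit command sequence shown above so it can be reviewed before being entered. It does not connect to a management server.

```shell
#!/bin/sh
# Added example, not from the Nortel manual: sanity-check a proposed set of
# Check Point capacity values against the rules stated in this section
# (nat_limit must not exceed connections_limit; each hash size must be a
# power of two that is at least its limit) and emit the dbedit commands that
# would apply the NAT values. Nothing here connects to a management server.

# True when $1 is a positive power of two (n & (n-1) == 0).
is_pow2() {
    [ "$1" -gt 0 ] && [ $(( $1 & ($1 - 1) )) -eq 0 ]
}

# Smallest power of two that is >= $1: a hash size "close to the limit".
next_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# check_capacity CONN_LIMIT CONN_HASH NAT_LIMIT NAT_HASH
# Returns 0 when the four values satisfy the rules, 1 with a message otherwise.
check_capacity() {
    if [ "$3" -gt "$1" ]; then
        echo "nat_limit $3 exceeds connections_limit $1" >&2
        return 1
    fi
    for pair in "$1:$2" "$3:$4"; do
        limit=${pair%%:*}
        hash=${pair##*:}
        if ! is_pow2 "$hash" || [ "$hash" -lt "$limit" ]; then
            echo "hash size $hash must be a power of 2 and at least $limit" >&2
            return 1
        fi
    done
    return 0
}

# dbedit_script NAT_LIMIT NAT_HASH
# Prints the dbedit session for the NAT properties so it can be reviewed
# before being typed in (or passed to dbedit as a script file with -f).
dbedit_script() {
    printf 'modify properties firewall_properties nat_limit %s\n' "$1"
    printf 'modify properties firewall_properties nat_hashsize %s\n' "$2"
    printf 'update properties firewall_properties\n'
    printf 'quit\n'
}

# Usage: the values from Table B-1 and the dbedit session above pass the check.
#   check_capacity 500000 2097152 180000 1048576 && dbedit_script 180000 1048576
```

The Table B-1 hash sizes are larger than next_pow2 would produce; use the table values for the 6400 and 6600 models and next_pow2 only for the NAT hash size rule given in the note.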

Reading System Memory Information


General Linux memory information:

free or vmstat <seconds> or cat /proc/meminfo or top

Kernel modules information:

lsmod

NG memory information:

fw ctl pstat

Verifying VNIC Configuration


A VNIC is a virtual network interface card.

1. Dump information about all the VNICs

/opt/tng/bin/vnic dump

2. Dump information about VNIC 1

/opt/tng/bin/vnic info v1


Recovering from a Lock-Out


If all Firewall passwords are changed or lost and you are locked out from the Firewall, then
you must use the boot user account and reinstall the Firewall Director software. Because the
boot user password cannot be changed, this one avenue of access is always available. To main-
tain security, boot user access is limited to direct connection to the console port.

When the reinstallation is performed, the Firewall Director is reset to its factory default config-
uration. All previous configuration data and software are erased, including old software image
versions or upgrade packages.

NOTE – Because a reinstallation erases all configuration data (including network settings), it is
recommended that you first save all configuration data to a file on an FTP server.

To reinstall software on a Firewall Director, you will need the following:

• Access to the target Firewall Director through a direct connection to its serial port. Remote
Telnet or SSH connections cannot be used for reinstalling software.
• An install image loaded on an FTP server on your network.
• The host name or IP address of the FTP server. If you choose to specify the host name,
note that the DNS parameters must have been configured. For more information, see the
“DNS Servers Menu” on page 204.
• The name of a valid .img Firewall Director installation image.

Software reinstallation is performed using the following procedure.

1. Log in as the boot user. The password is ForgetMe.

2. After a successful login, follow the onscreen prompts and provide the required informa-
tion.
If the Firewall Director has not been configured for network access previously, you must pro-
vide information about network settings such as IP address, network mask, and gateway IP
address. After the new boot image has been installed, the Firewall Director will reboot and you
can log in again using default passwords when the login prompt appears.

The new Firewall Director is now ready to be installed as part of a new cluster (see Chapter 2,
“Initial Setup,” on page 25) or added to an existing cluster (see Chapter 7, “Expanding the
Cluster,” on page 105).

APPENDIX C
Troubleshooting
This appendix provides solutions for problems that you may encounter using the Alteon
Switched Firewall.

• “Unable to Locate the Firewall Accelerator” on page 358
• “Failed to Establish Trust between Management Station and Firewall Director” on page 359
• “Cannot Check Communication or Download Policy on Firewall Director” on page 361
• “Low Performance with Other Devices” on page 362
• “Cannot Log in to SmartCenter Station from SmartClient” on page 362
• “Check Point Sends Connection Failed Messages to Firewall Director” on page 363
• “Low Performance Under Heavy Traffic” on page 363
• “Cannot Contact to Default Gateway” on page 363
• “Log Messages Do Not Appear” on page 364
• “Cannot Push Policy” on page 365
• “Before You Open a Support Ticket” on page 365


Unable to Locate the Firewall Accelerator


In this scenario, when the Firewall Director boots up, it is not able to discover the Firewall
Accelerator (when auto discovery is on) within 50 seconds. The /cfg/acc/det com-
mand does not display the MAC address of the Firewall Accelerator.

Actions
• Power on the Firewall Accelerator.
• Make sure the Firewall Accelerator has the Firewall Accelerator software installed.
• Make sure the Firewall Accelerator boots with the factory default settings.
• Connect the Firewall Director to one of the NAAP ports on the Firewall Accelerator.
• Enable the NAAP ports to which the Firewall Director is connected. The link and active
indicator lights on the Firewall Accelerator should be on and not blinking.
• Connect the Firewall Accelerator NAAP ports to the 1st Gig port on the Firewall Director.
See the Alteon Switched Firewall Hardware Installation Guide for more information on
the Firewall Director ports.
• Switch the power off and on, on both the Firewall Director and the Firewall Accelerator.


Failed to Establish Trust between Management Station and Firewall Director

In this scenario, the user is unable to establish trust between the management station and the
Firewall Director.

Actions
Use the following procedure to verify the trust status:

• Check the communication status.
In the Check Point SmartDashboard management tool, view the Firewall Director properties
and click on the “Communication” button. Continue if the “Trust Status” does not display
“Trust Established.”
• Test the SIC status.
Click on “Test-Sic-Status.” Continue if the result displays “communicating.”
• Verify network connectivity.
• If using host names, verify that the Firewall Director name is resolved to the correct IP
address.
• Verify that the firewall software is enabled on the Firewall Director.
Log in to the Firewall Director using the administrator account and enter the following
CLI command:

>> # /cfg/fw/cur

If the firewall is not enabled, enter the following CLI commands:

>> # /cfg/fw/ena
>> # apply

NOTE – After enabling the firewall, it may take several minutes before it is fully operational.

Once the firewall is operational, recheck the communication status and SIC status in the
SmartDashboard management tool.


• Verify that the Firewall Director is not too busy to process the SIC request from the
management station (SmartCenter).
If traffic is under excessive load, decrease the traffic and try to establish trust again.
• Verify the interface updates.
If you updated your topology or modified IP interfaces, then “Get Interfaces” for the
updated topology and verify your configuration. Make sure the link is up to see the
updated interfaces.
• Verify whether the Firewall Director is dropping the traffic from the management station.
Log in to the Firewall Director using the root account. From the root account, run the
following command:

# fw monitor

If the packets from the management station are being dropped, log in as admin and unload
the firewall policy using the following CLI command:

>> # /maint/diag/unldplcy

Once the firewall policy is unloaded, try to establish trust again.

• Reset the SIC.
  - On the SmartCenter station, reset SIC on the Firewall Director object.
  - Initialize SIC again from the SmartDashboard.
  - Reset SIC on the Firewall Director:

>> # /cfg/fw/sic
Enter the host IP address:10.10.1.1
Enter the new Check Point SIC Password:
Confirm password:

Reboot the Firewall Director, the Check Point SmartCenter, and the Check Point
SmartClient. When all systems have rebooted, unload the firewall policy again. Wait for a
minute and then try to establish trust again.


Cannot Check Communication or Download Policy on Firewall Director

After you download a policy into the Firewall Director, you cannot check the communication
or download the policy again.

Actions
• Verify that the link between the Firewall Director and the Check Point management server
is up.
• Verify the IP address on the Check Point management server.
Make sure the management server object has the correct IP address. If the management
server has multiple NIC adapters, then make sure the IP address is that of the one connected
to the Firewall Director.
• Log in to the Firewall Director using the admin account and use the following CLI
command to delete the existing policy on the firewall:

>> # /maint/diag/unldplcy

Then get the interfaces on the management client.

• Check communication and download the policy.

NOTE – Often, users forget to update the SmartDashboard management tool after adding
or deleting interfaces from the Firewall Director console. As a result, anti-spoofing blocks
the traffic because incorrect interfaces were used.


Low Performance with Other Devices


In this scenario, you are seeing a decrease in performance when using the Alteon Switched
Firewall with other routers.

Actions
Do the following from the Firewall Accelerator console:

• Manually configure the link parameters for the ports that connect to the other devices.
  - Turn auto-negotiation off.
  - Set the right speed (10, 100, 1000) and the duplex mode (full, half).
• Do the same on the other router/Firewall Accelerator.
• Reboot the Firewall Accelerators.

Cannot Log in to SmartCenter Station from SmartClient

The management client cannot log in to the Check Point SmartCenter station.

Actions
• If the management client and SmartCenter station are not in the same network, add a rule
to allow Check Point Management Interface (CPMI) to go through these two networks.
• Enter the cpconfig command on the SmartCenter station to see if the management
client IP address is on the approved list.


Check Point Sends Connection Failed Messages to Firewall Director

In this scenario, you receive fwconn_record_conn: Id_set_wto(connections)
failed messages during the session. This occurs when the session limit of Check Point is
reached. The default is 25000 connections.

Action
Increase the session limit on the SmartCenter station and reduce the TCP end timeout (15 sec-
onds) limit in the Policy | Global Properties menu, under the Stateful Inspection tab. To edit the
gateway cluster object property and increase connection limit on the Application Intelligence
management server, see “Tuning Check Point NG Performance” on page 352.
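Since this message is the only direct evidence that the connection table has filled, it is worth watching for in collected logs rather than waiting for users to report dropped sessions. The following script is an added example and not part of the Nortel manual: it counts occurrences of the message per Firewall Director and hour and raises an alert when a bucket reaches a threshold, which tells you which Director hit the limit and when, before tuning the values as described in “Tuning Check Point NG Performance.” The message text is the one quoted above; the syslog-style line layout and host names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the Nortel manual: spot the "connection table full"
# condition in collected logs. The message text is the one quoted in this
# section; the syslog-style line layout and host names are constructed.

# Constructed sample: three occurrences on fwdir1 within one hour, one on
# fwdir2, and one unrelated line.
SAMPLE_LOG='Nov 10 14:02:11 fwdir1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Nov 10 14:02:12 fwdir1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Nov 10 14:03:40 fwdir1 sshd[1234]: Accepted publickey for admin from 10.10.1.50
Nov 10 14:59:59 fwdir1 kernel: fwconn_record_conn: Id_set_wto(connections) failed
Nov 10 15:10:01 fwdir2 kernel: fwconn_record_conn: Id_set_wto(connections) failed'

# Read log lines on stdin; print "host:hour count" for each host and hour in
# which the limit was hit, sorted. Field 3 is the time, field 4 the host.
conn_full_by_host_hour() {
    grep -F 'Id_set_wto(connections) failed' |
    awk '{ split($3, t, ":"); key = $4 ":" t[1]; n[key]++ }
         END { for (k in n) print k, n[k] }' |
    sort
}

# Alert (return 0) if any host/hour bucket reaches the threshold; otherwise
# return 1. Buckets at or above the threshold are printed.
conn_full_alert() {
    threshold=$1
    hits=$(conn_full_by_host_hour | awk -v t="$threshold" '$2 >= t')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Usage on a collected log file:
#   conn_full_alert 3 < /var/log/message
```

A single hit is usually a burst; repeated hits in the same hour on the same Director mean the limit, not the traffic, is the problem.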

Low Performance Under Heavy Traffic


In this scenario, you notice some reduced performance under heavy traffic.

• Make sure the SmartCenter station is configured as explained in “Tuning Check Point NG
Performance” on page 352.
• Log in using the administrator account and run the command from the CLI:
/info/clu. If the firewall status of the Firewall Director is not accelerating, run the
command: /cfg/fw/accel y. Once enabled, firewall acceleration will automatically
restart without user intervention.

Cannot Contact to Default Gateway


In this scenario, you notice the default gateway’s return packets are not passed back to the Fire-
wall Accelerator because the local policy does not allow for ICMP packets on the ASF inter-
face.

Actions
• Set the health check type to ARP on the Firewall Director using the command
/cfg/net/route/gate/gw <gateway_number>/ arp y.
• Verify whether the gateway is up using the command /info/acc.


• Verify from another Firewall Director that when you ping the next hop you get a valid
ARP response in the host ARP cache. If you get an ARP response back and your gateway is
still down, then make sure you have not configured duplicate IP addresses on the ASF.
Enter the additional addresses using /cfg/net/if x/addr n or /cfg/net/if x
vrrp/ip1 (ip2).

Log Messages Do Not Appear


In this scenario, log messages do not appear on the Check Point Log Server.

Actions
• Verify SIC communication between the Management Server and the Firewall Director. If
the verification fails, unload the Director by entering the following commands:
  - Log in as admin and enter
/cfg/fw/accel/n
  - Log in as root and enter
fw unloadlocal
Ping the management interface. If ping works and SIC fails, then reset SIC on all devices
and verify that there are no ACLs or firewall rules blocking communication in the logical
data path. If SIC still fails, then delete the object from the Management Server, recreate
the object, and attempt to establish SIC.
• If SIC is working, then do the following:
(i) Run cpstop and then cpstart on the management server.
(ii) Log in to the CLI and disable and enable the Firewall.
(iii) Log in as root on each firewall and fetch the policy from the management server as
follows:
fw fetch ip <ip_address_of_the_management_server>
(iv) Perform Step (iii) on each Firewall Director.


Cannot Push Policy


In this scenario, you cannot connect to or from the Management Interface.

Actions
• Verify that the gateway or next hop between the ASF and the requesting hop are up and
active. This can be done by pinging the next hop interface from another device or by using
the /info/ip command on the Firewall Accelerator. If you do not receive a reply, then
go to the section, “Cannot Contact to Default Gateway” on page 363.
• Attempt to contact the management interface again by entering the following commands:
  - Log in as admin and enter
/cfg/fw/accel/n
  - Log in as root and enter
fw unloadlocal
• Verify that there are no ACLs, filters or firewall rules in the logical data path that may be
preventing communication.

Before You Open a Support Ticket


Before you call Nortel Customer Support for help, collect the following information to expe-
dite the technical support process. While there may be additional information needed to
resolve your issue, gathering the following information ensures a timely response from
Nortel’s Support team.

1. EXDUMP from each Firewall Director
Collect the information using the command /maint/tsdump/exdump. This creates the
dump; then use the /maint/tsdump/ftp command to FTP the file off the device.
Alternately, if EXDUMP cannot execute because of high resource utilization, the TSDUMP
script can be loaded from a floppy disk and executed to prune the needed data out of the logs
automatically. The TSDUMP script can be obtained from Nortel’s Tier 2 support team.

2. Network diagram
This must encompass both logical and physical architecture. If necessary, two diagrams can be
used to meet this requirement. To minimize the size of the file, the preferred format is .jpg or
.gif.


3. Provide a detailed description of the problem
Any troubleshooting information collected from the ASF or devices connected to the ASF will
help in quickly isolating the problem.

4. Information from the Management Station
Close the GUI while collecting the Check Point information.

5. (optional) Export the Check Point log during the time of the problem
Collect the log from the Check Point Log Viewer.

6. (optional) Sniffer traces
Capture sniffer traces of the problem after opening the ticket. The traces may not be required
immediately, but may prove to be necessary after reviewing the initial data.

After you gather all of the above information, call 1-800-4NORTEL, press option 1 and use
ERC 343. Create a new ticket and email your information to alteon-support@nortelnetworks.com,
referencing your case number in the subject heading.

APPENDIX D
Software Licenses
The Alteon Switched Firewall includes software which is covered by the following licenses.

Apache Software Licence


The Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the follow-
ing disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledg-
ment:
“This product includes software developed by the Apache Software Foundation (http://www.apache.org/).”
Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowl-
edgments normally appear.
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products
derived from this software without prior written permission. For written permission, please contact
apache@apache.org.
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, with-
out prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEM-
PLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABIL-
ITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foun-
dation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Portions of this software are based upon public domain software originally written at the National Center for Super-
computing Applications, University of Illinois, Urbana-Champaign.


mod_ssl License
LICENSE

The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license.
The detailed license information follows.

Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com.
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


OpenSSL and SSLeay Licenses


LICENSE ISSUES

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original
SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open
Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License
Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).


Original SSLeay License


Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just
the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except
that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.

If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library
used.
This can be in the form of a textual message at program startup or in documentation (online or textual) provided with
the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”
The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:
“This product includes software written by Tim Hudson (tjh@cryptsoft.com)”
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]


PHP License
The PHP License, version 2.02

Copyright (c) 1999, 2000 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name “PHP” must not be used to endorse or promote products derived from this software without prior permission from the PHP Group. This does not apply to add-on libraries or tools that work in conjunction with PHP. In such a case the PHP name may be used to indicate that the product supports PHP.
4. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes PHP, freely available from http://www.php.net/”.
6. The software incorporates the Zend Engine, a product of Zend Technologies, Ltd. (“Zend”). The Zend Engine is licensed to the PHP Association (pursuant to a grant from Zend that can be found at http://www.php.net/license/ZendGrant/) for distribution to you under this license agreement, only as a part of PHP. In the event that you separate the Zend Engine (or any portion thereof) from the rest of the software, or modify the Zend Engine, or any portion thereof, your use of the separated or modified Zend Engine software shall not be governed by this license, and instead shall be governed by the license set forth at http://www.zend.com/license/ZendLicense/.
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.

The PHP Group can be contacted via E-mail at group@php.net.

For more information on the PHP Group and the PHP project, please see <http://www.php.net>.


SMTPclient License
LICENSE

SMTPclient—simple SMTP client

Copyright (C) 1997 Ralf S. Engelschall, All Rights Reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.

You should have received a copy of the GNU General Public License in the file COPYING along with this program; if not, write to:

Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Notice, that “free software” addresses the fact that this program is distributed under the term of the GNU General
Public License and because of this, it can be redistributed and modified under the conditions of this license, but the
software remains copyrighted by the author. Don't intermix this with the general meaning of Public Domain software
or such a derivative distribution label.

The author reserves the right to distribute following releases of this program under different conditions or license
agreements.

Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com


GNU General Public License


GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the
rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal
permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors
of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we
have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


GNU GENERAL PUBLIC LICENSE


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.


3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.


It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time
to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License
which applies to it and “any later version”, you have the option of following the terms and conditions either of
that version or of any later version published by the Free Software Foundation. If the Program does not specify a
version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS


How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve
this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most
effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to
where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the
Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’.
This is free software, and you are welcome to redistribute it under certain conditions; type ‘show c’ for details.

The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License.
Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program ‘Gnomovision’ (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is
a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this
is what you want to do, use the GNU Library General Public License instead of this License.

Index

Symbols
/ 155
? (help) 155
[ ] 13

A
abbreviating commands (CLI) 158
accessing the CLI 146
actio (SLB filtering option) 318
activate
    software upgrade package 135
    software version 135
add
    Firewall Accelerator 107
    Firewall Director 106, 111
    RADIUS Audit Server menu command 230
Address Resolution Protocol (ARP)
    interval 245
Alteon Switched Firewall
    basics 20
    configuration requirements 26
    expanding the cluster 106
    features 17
    IDS servers 100
    models supported 17
    sample network 27
    setting up 28
    upgrading 128
    using the CLI 153
area ID 75
area index, assigning 74
ARP. See Address Resolution Protocol.
auto-negotiation
    enable/disable on port 258, 259
autonomous systems (AS) 72

B
Browser-Based Interface 73

C
central licensing 51
certificate authority 43
Check Point
    management tools 35
Check Point components
    management clients 21
    SmartCenter 21
cluster
    adding Firewall Director 106
    configuring 112
    properties 112
Command-Line Interface (CLI) 145
commands
    abbreviations 158
    install 137
    main menu 159
    shortcuts 158
    stacking 158
    tab completion 158
    using CLI 158
configuration
    basic 28
    firewall policies 45
    flow control 258, 259
    GRE tunneling example 80
    licenses and interfaces 32
    operating mode 257
    OSPF examples 83
    port link speed 257
    route redistribution, OSPF 91
    route redistribution, RIP 63
configuration menu 197
configuring
    command reference 197
    DHCP relay 58
    Firewall Accelerator 109
    licenses 32
    load balancing IDS servers 96
cryptographic seed 43

D
del
    RADIUS Audit Server menu command 230
DHCP Relay 58
    configuring 58
dip (destination IP address for filtering) 319
disconnect idle timeout 154
dmask
    destination mask for filtering 319
DNS servers
    add to configuration 204
    list configured 204
    remove configured 204

E
establish trust 115
establishing trust 49
EtherChannel
    as used with port trunking 256
expanding the cluster 106
external routing 72

F
factory default configuration
    after reinstalling software 137, 355
feature string 32
filters
    IP address ranges 319
Firewall Accelerator
    configuring 109
    installing 107
Firewall Director
    adding 111
    synchronizing 122
firewall policies 114
    creating 53
firewall policies, installing 45
flow control
    configuring 258, 259

G
global commands
commands
    global 155
    nslookup 155
GRE tunnel
    configuration example 80
GRE tunnels 79

H
help 155

I
idle timeout
    overview 154
IDS servers
    load balancing 96
    sample configuration 96, 100
installing 28
    commands 137
    licenses 32
    upgrading to a minor or major release 133
installing Firewall Accelerator 107
install-tng command 137
inter-accelerator port 125
internal routing 72
Intrusion Detection System (IDS) 95
IP address
    filter ranges 319
    management IP 26

L
licenses 32, 51
lines (display option) 155
link
    speed, configuring 257
link settings 125
link state database 71
list
    RADIUS Audit Server menu command 230
load balancing
    IDS traffic 95
load balancing IDS servers 96
login 141

M
main menu 154, 159
management
    passwords 141
    remote 146
    users 141
management IP (MIP) 26, 113
management tools 140
    installing 35

P
pwd 156

Q
quiet (screen display option) 156

R
receive flow control 258, 259
Redistributing routes, OSPF 63
redistributing routes, OSPF 91
redistributing routes, RIP 63
N reinstalling software 137
NAAP remote access list 146
ports 126 RIP (Routing Information Protocol)
network ports 126 advertisements 62
NTP servers distance vector protocol 61
add to configuration 203, 217, 218 hop count 61
list configured 203, 217, 218 metric 61
remove configured 203, 217, 218 route redistribution 63
NTP setting menu 203 routing table 62
UDP 62
O version 1 61
root login 141
online help 155 router ID 77
operating mode, configuring 257 routers
OSPF border 72
authenticating 78 peer 72
configuration examples 83 routes, advertising 72
creating a virtual link 85 routing
creating virtual links 77 internal and external 72
database 71 Routing Information Protocol. See RIP
defining an OSPF domain 83
route redistribution 63, 91
router ID 77 S
router types 69 serial port 146
summarizing routes 76, 89 Server Load Balancing
IDS 95
P servers
Audit menu command 228
passwords 141 shortcuts (CLI) 158
ping 156 SIP (source IP address for filtering) 319
port trunking SmartCenter 27, 35, 44
description 256 smask
ports source mask for filtering 319
inter-accelerator 125 SNMP
NAAP 126 menu options 214, 217, 218, 219, 220
network 126
physical. See switch ports.
serial 146

Index „ 381
217014-A, November 2004
Alteon Switched Firewall 4.0.2 User’s Guide and Command Reference

software U
activate downloaded upgrade package 135
reinstall 137 UDP
version handling when upgrading 135 RIP 62
SSH 146 source and destination ports 318
stacking commands (CLI) 158 upgrade
summarizing routes 76 activate software package 135
example 89 handling software versions 135
switch ports VLANs membership 261 upgrading the software 128
synchronizing Firewall Directors 122 upgrading to a minor or major release 133
user names 141
using the CLI 153
T
tab completion (CLI) 158 V
TCP
source and destination ports 318 vendorid
Telnet 146, 148 Audit menu command 228
timeouts vendortype
idle connection 154 Audit menu command 229
traceroute 156 verbose 156
transmit flow control 258, 259 virtual link 77
Tunneling, GRE 79 configuration example 85
VLAN tagging
port restrictions 263
VLANs
port members 261
tagging 261, 263

382 „ Index
217014-A, November 2004

You might also like