IPS-1302 Series Appliance Installation Guide

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

Third Party Licenses
The Stonesoft software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein.
All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright © 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGAIG_IPS-1302_Series_20111214

Introduction

Thank you for choosing a Stonesoft appliance. This guide provides instructions for the initial hardware installation and the maintenance of the IPS-1302 Series appliances. See Product Documentation (page 5) for information on other available documentation.

The use of the appliance is subject to the acceptance of the End User License Agreement, which can be found at the Stonesoft website.

Contents
• Installation Procedure
• Product Documentation
• Safety Precautions
• Unpacking the Appliance
• Front Panel
• Back Panel
• Installing the Solid State Disk
• Installing the Interface Module
• Rack-Mounting
• Connecting the Cables
• Initial Configuration
• Maintenance Operations
• Disposal Instructions

Caution – Never open the covers of the appliance! There are no user serviceable parts inside. Opening the covers may lead to serious injury and will void the warranty. Read the Front Panel (page 9) before you conduct any installation or maintenance operations on the appliance.

Installation Procedure

Note – You must have a working Management Center on a separate server to make the appliance(s) operational. See the Stonesoft Management Center Installation Guide.

To install the appliance

1. Configure the IPS element in the Management Client, and save the initial configuration on a USB memory stick. See the IPS Installation Guide.

[Figure: Management Client, Management Server, Initial Configuration File, USB Memory Stick]

2.
If the Solid State Disk (SSD) is not pre-installed in the appliance, install the SSD. See Installing the Solid State Disk (page 11).

[Figure: SSD, Appliance]

3. Install the interface module in the appliance. See Installing the Interface Module (page 12).

[Figure: Interface Module, Appliance]

4. Install the appliance into a rack and connect the cables. See Rack-Mounting (page 13) and Connecting the Cables (page 18).

5. Insert the USB memory stick in a USB port on the appliance, and turn on the appliance to import the initial configuration. See Initial Configuration (page 21).

[Figure: USB Memory Stick, Appliance]

Product Documentation

Press F1 in any Management Client window to view the Online Help. All PDF guides are available:
• On the Management Center CD-ROM (in the Documentation folder)
• At the Stonesoft website at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/

Install the free Adobe Reader program to view the PDF documents (available at www.adobe.com/reader/).

Safety Precautions

The following safety information and procedures must be followed whenever working with electronic equipment. However, please be advised that Stonesoft appliances are not end-user serviceable, and you must never open the appliance covers for any reason. Doing so may lead to serious injury and will void any hardware warranty that may be associated with your appliance.

Electrical Safety Precautions

Basic electrical safety precautions should be followed to protect yourself from harm and the appliance from damage:
• Be aware of the locations of the power on/off switch as well as the room's emergency power-off switch, disconnection switch, or electrical outlet. If an electrical accident occurs, you can then quickly cut power to the system.
• Do not work alone when working with high voltage components.
• Use only one hand when working with powered-on electrical equipment. This is to avoid making a complete circuit, which will cause electrical shock.
Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards they come into contact with.
• Do not use mats designed to decrease electrostatic discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.
• The power supply cord must include a grounding plug and must be plugged into a grounded electrical outlet.

Caution – Never open the appliance covers! There are no user serviceable parts inside. Opening the covers may lead to serious injury and will void the warranty.

General Safety Precautions

Follow these rules to ensure general safety:
• Keep the area around the appliance clean and free of clutter.
• We recommend using a regulating uninterruptible power supply (UPS) to protect the appliance from power surges, voltage spikes and to keep your system operating in case of a power failure.

Power Supplies

Appliances with DC Power Supply
• The appliance must be used in a Restricted Access Location and the users must be well-trained to operate it.
• The socket-outlet for pluggable equipment must be installed near the equipment and must be easily accessible.
• Appliance inlet must have SPS approval or have min. 15 AWG wire provided for the power supply.
• The Mains Supply plug on the power supply cord is the disconnect device of the appliance. To disconnect the appliance, you must first disconnect the mains and then disconnect the ground.

Appliances with AC Power Supply
• The appliance inlet is the disconnect device.

ESD Precautions

Electrostatic discharge (ESD) is generated by two objects with different electrical charges coming into contact with each other. An electrical discharge is created to neutralize this difference, which can damage electronic components and printed circuit boards. Use a grounded wrist strap designed to prevent static discharge.

Note – Use a UPS (Uninterruptible Power Supply) in critical environments with your Stonesoft appliance. If after a brief power outage your Stonesoft appliance only partially starts up (for example, the power light is on, but the appliance does not connect), turn the appliance off for five seconds and then back on.

Laser Precautions

Class 1 Laser Product.

Caution – Invisible laser radiation is emitted from the end of fiber cable and from fiber port. Do not stare into the beam and avoid direct exposure to the beam.

Operating Precautions

Care must be taken to assure that the cover is in place when the appliance is operating to ensure proper cooling. If this rule is not strictly followed, the warranty may become void. Do not open the power supply casing. Power supplies can only be accessed and serviced by a qualified technician of the manufacturer.

Operating and Storage Temperatures

The allowed operating temperature of the appliance and the interface module is +5...+35ºC. The allowed storage temperature is -20...+65ºC. Do not operate or store the appliance or the module in temperatures outside these limits. If the appliance or the module has been stored in temperatures below 0ºC or above +40ºC, allow for 2 hours to bring the appliance and the module to normal operating temperature before turning on the appliance. Otherwise, the appliance or the module may be damaged.

Lithium Battery Precautions

Caution – Do not change the battery; the battery must be replaced by authorized service personnel only. Danger of explosion if battery is incorrectly replaced. Replacement battery must be same or equivalent type recommended by the manufacturer. Used batteries must be discarded according to the manufacturer’s instructions. Short-circuiting the battery may heat the battery and cause severe injuries.

For California: Perchlorate Material - special handling may apply. See www.dtsc.ca.gov/hazardouswaste/perchlorate.
This notice is required by California Code of Regulations, Title 22, Division 4.5, Chapter 33: Best Management Practices for Perchlorate Materials. This product/part includes a battery that contains Perchlorate material.

Unpacking the Appliance

Inspect the box the appliance was shipped in and note if it was damaged in any way. If the Solid State Disk (SSD) is not pre-installed in the appliance, the SSD is delivered in a separate box. The interface module is always delivered in a separate box. Note if any of the boxes are damaged in any way. If the appliance itself or any components delivered with the appliance show any damage, file a damage claim with the carrier who delivered the appliance or the components.

Do not remove the anti-tamper tapes on any part of the appliance.

Front Panel

[Figure: front panel, showing two USB ports, the interface module, the serial console port, the VGA port, the fixed Ethernet ports, and the power button with the warning and disk activity indicators]

The connectors are explained in detail in Connecting the Cables (page 18). The front panel indicator lights are explained below. See the separate Interface Module Guide delivered with the appliance for information on the port indicators for the interface module.

Power, Warning, and Disk Activity Indicators

[Figure: Warning, Disk Activity, and Power indicators]

Table 1 Power, Warning, and Disk Activity Indicators

Indicator      Status  Explanation
Power          Green   The appliance is in running state.
Power          Amber   The appliance is in standby state.
Warning        Red     Overheat alert. Blinks on fan failure.
Disk Activity  Green   Indicates hard drive activity when flashing.

Fixed Ethernet Ports

[Figure: Link and Activity indicators]

Table 2 Indicators for Fixed Ethernet Ports

Indicator  Status  Explanation
Activity   Yellow  Link ok, blinks on activity.
Link       Amber   1G link.
Link       Green   100M link.

Back Panel

[Figure: back panel, showing the Solid State Disk (SSD) Drive and the AC or DC power connector]

The indicators for the Solid State Disk (SSD) Drive are explained below.

[Figure: Power and Disk indicators]

Table 3 SSD Drive Indicators

Indicator  Status  Explanation
Power      Blue    A Solid State Disk is in the drive.
Disk       Unlit   This indicator is not currently used.

Installing the Solid State Disk

If the Solid State Disk (SSD) is not pre-installed in the appliance, you must first install the SSD.

Caution – We recommend using a grounding strap when handling an SSD. Uninstalled SSDs are sensitive to ESD damage.

To install the Solid State Disk

1. Locate the Solid State Disk included in the delivery package.
2. Locate the Solid State Disk drive on the appliance’s back panel (see the illustration in Back Panel (page 10)).
3. Press the release button on the Solid State Disk to release the lever on the disk.

[Figure: Lever, Release button]

4. Insert the disk into the drive.
5. Press the lever down to lock the disk into position.

Proceed to Installing the Interface Module (page 12).

Installing the Interface Module

This section provides information on installing a Stonesoft interface module into the appliance. You must install the interface module before you can configure the appliance. The process of installing the interface module is the same for all module types. Read the Safety Precautions (page 5) before proceeding.

Caution – To avoid damaging the module and the modular appliance, do not install or remove the interface module while the appliance is powered on.

To install the interface module

1. Make sure that the appliance is turned off and that no cables are connected to the appliance or to wall outlets.
2. (Recommended) Fasten a grounding strap to your wrist so that it contacts your bare skin and attach the other end of the strap to the appliance.
3. Push the module into the slot with the sticker side up until the front panel of the module is even with the front panel of the appliance.

Caution – Do not insert the interface module upside down.
Inserting the module incorrectly may damage the appliance and the module and will void the warranty.

Proceed to Rack-Mounting (page 13).

Rack-Mounting

This section provides information on installing the Stonesoft appliance into a rack unit. You can install the appliance into a two-post or a four-post rack unit.

Caution – Read the Safety Precautions (page 5) before proceeding.

Preparing for Rack-Mounting

The appliance delivery includes the rail assemblies and the mounting screws you need to install the system into the rack. Read the sections below before you begin the installation.

Choosing a Setup Location

Decide on a suitable location for the rack unit that will hold the appliance:
• The appliance must be situated in a clean, dust-free area that is well ventilated.
• Avoid areas where heat, electrical noise, and electromagnetic fields are generated.
• Leave enough clearance in front of the rack to enable you to open the front door completely (~63 cm/25 inches).
• Leave enough clearance in the back of the rack to allow for sufficient airflow and ease in servicing (~76 cm/30 inches).

Rack Precautions
• Ensure that the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on them.
• In single rack installation, attach stabilizers to the rack.
• In multiple rack installations, couple the racks together.
• Always make sure the rack is stable before extending a component from the rack.
• Extend only one component at a time—extending two or more simultaneously may cause the rack to become unstable.

Appliance Precautions
• Determine the placement of each component in the rack before starting the installation.
• Install the heaviest components on the bottom of the rack first, and then work up.
• The appliance must be connected to a grounded power outlet.
• Use a regulating uninterruptible power supply (UPS) to protect the appliance from power surges, voltage spikes and to keep your system operating in case of a power failure.
• Always keep the rack's front door and all panels and components on the appliances closed when not servicing to maintain proper cooling.

Before Installing the Appliance Into a Rack
• Make sure that the rack is securely anchored onto an unmovable surface or structure before installing the appliance into the rack.
• Make sure that the system is adequately supported. Make sure that all the components are securely fastened to the appliance to prevent components falling off of the appliance.
• Be sure to install an AC power disconnect for the entire rack assembly. This power disconnect must be clearly marked.
• The rack assembly must be properly grounded to avoid electric shock.
• The rack assembly must provide sufficient airflow to the appliance for proper cooling.

Installing the Appliance Into a Rack

Note – Do not install the appliance upside down.

This section provides information on installing the appliance into a rack unit. There are a variety of rack units on the market, so the assembly procedure may differ slightly from what is instructed. If necessary, refer to the instructions that came with the rack unit you are using.

If you are installing the appliance into a Telco-type rack, follow the general directions below. The main difference in the installation procedure is the depth of the rack and whether you are installing the appliance into a two-post rack or a four-post rack. Proceed to one of the following:
• Installing the Appliance Into a Two-Post Rack (page 15)
• Installing the Appliance Into a Four-Post Rack (page 16)

Installing the Appliance Into a Two-Post Rack

To install the appliance into a two-post rack

1. Locate the two rack-mounting brackets that are meant for the two-post rack installation.
2. Attach a bracket to the appliance with three screws.
3.
Repeat step 2 on the other side of the appliance.
4. Attach each bracket to the rack with two screws through the holes in the front of the bracket: one screw through the top hole and another through the bottom hole.

Caution – You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

Proceed to Connecting the Cables (page 18).

Installing the Appliance Into a Four-Post Rack

If you are installing the appliance into a four-post rack, the rack-mounting method depends on the depth at which the brackets are attached to the rack:
• If the depth is 40-70 cm (c. 16-28 inches), see To install the appliance with medium-length brackets below.
• If the depth is 67-86 cm (c. 27-34 inches), see To install the appliance with long brackets (page 17).

To install the appliance with medium-length brackets

1. Locate the two pairs of brackets in the delivery package: two short brackets that attach to the appliance and two longer brackets that attach to the rack.

[Figure: the bracket that attaches to the appliance and the bracket that attaches to the rack]

2. Attach a short bracket to the appliance with two screws.
3. Repeat step 2 on the other side of the appliance.
4. Attach the two longer brackets to the back of the rack with two screws through the holes at the back of each bracket: one screw through the top hole and another through the bottom hole.

Caution – You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

5. Attach 2 or 3 screws with a wider head to a suitable position on the side of the appliance.
• These screws support the appliance when it is inserted into the rack. The number and position of the screws depend on the depth of the rack.
6. Repeat step 5 on the other side of the appliance.
7.
Line up the screws that you have attached to the side of the appliance with the groove in the brackets attached to the rack.
8. Slide the appliance into the brackets in the rack.
9. Attach the appliance to the rack with two screws through the holes in the front of the shorter brackets: one screw through the top hole and another through the bottom hole.

Caution – You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

Proceed to Connecting the Cables (page 18).

To install the appliance with long brackets

1. Locate the two pairs of brackets in the delivery package: two inner rails that attach to the appliance and two outer rails that attach to the rack.

[Figure: Inner Rail, Outer Rail]

2. Detach the inner rails from the outer rails.
3. Attach an inner rail to the appliance with three screws.
4. Repeat step 3 on the other side of the appliance.
5. Insert the outer rails into the rack.
• The rails are marked with L for “left” and R for “right”.
6. Line up the rear of the inner rails with the front of the outer rails.
7. Slide the inner rails into the outer rails, keeping the pressure even on both sides (you may have to depress the locking tabs when inserting). The rails lock when the appliance has been pushed completely into the rack.

Proceed to Connecting the Cables.

Connecting the Cables

[Figure: front panel connectors, showing two USB ports, the VGA port, the serial port, Slot 0 (fixed Ethernet ports eth0_0 and eth0_1), and Slot 1 (interface module; the number of ports depends on the module type)]

Ethernet Port Names

There are two slots in the appliance. Each Ethernet port has a unique name that also indicates the slot to which the port belongs.
• The fixed Ethernet ports eth0_0 and eth0_1 belong to slot 0.
• The ports in the interface module belong to slot 1. The port numbers start from 0 and increase from left to right.
For example, the port farthest to the left in slot 1 is eth1_0.

Connecting the Cables

To connect network cables

Connect network cables to the Ethernet ports.
• You are free to choose which Ethernet ports you connect to which network. The Ethernet ports are mapped to Interface IDs during the initial configuration.

See the next section for information on connecting network cables to SFP ports of an SFP interface module.

Note – When the appliance is powered and you need to unplug it, always wait at least five (5) seconds before plugging in the appliance again. Otherwise, the appliance may not have time to clear properly and may fail to start.

Connecting Cables to SFP Ports

If you have installed an SFP interface module on the appliance, you can use the ports on the module as either copper or fiber ports by inserting a small form-factor pluggable (SFP) transceiver for copper or fiber-optic cable into the ports.

To connect cables to SFP ports

1. Insert the SFP transceiver in the port slot until you feel the connector on the transceiver snap into place. The illustration below shows the correct position for inserting the transceiver.

[Figure: SFP transceiver for copper cable, SFP transceiver for fiber-optic cable, rubber plug]

Note – Make sure that the latch on the SFP transceiver is up (see the illustration above) when you insert the SFP transceiver in the port slot.

2. If the SFP transceiver has a rubber plug, remove the plug after inserting the transceiver into the slot.
3. Connect the copper or fiber-optic cable to the SFP transceiver.

Note – Each SFP port must match the wavelength specifications at the other end of the cable. The cable must not exceed the stipulated cable length for reliable communications.

Cable Types

Always use standard cabling methods with inline IPS: use crossover cables to connect the appliance to hosts and straight cables to connect the appliance to switches/hubs.
Make sure that the cables are correctly rated (CAT 5e or CAT 6 in gigabit networks). See the IPS Reference Guide for more information on cabling.

Speed/Duplex Settings

Network cards at both ends of each cable must have identical speed/duplex settings. This also applies to the automatic negotiation setting: if one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate. Gigabit standards require interfaces to use autonegotiation—fixed settings are not allowed at gigabit speeds.

The speed/duplex settings of inline interfaces must be matched on both links within each inline interface pair (identical settings on all four interfaces) instead of just matching settings at both ends of each cable (two + two interfaces). If one of the links has a lower maximum speed than the other link, the higher-speed link must be set to use the lower speed.

Connecting Management Cables

To connect management cables

Choose one of the following:
• Connect the supplied null-modem cable to the serial port on the appliance’s front panel and to another computer that you will use for a terminal connection.
• Or connect a monitor to the VGA port on the appliance’s front panel and a keyboard to a USB port.

Note – The monitor and keyboard connection and the serial console are both active by default. However, if you want to connect to the appliance for the initial configuration, you must use the serial console. See Connecting to the Appliance (page 21).

Connecting the Appliance to the Power Supply

To connect the appliance to the power supply

1. Connect the power cable to the AC or DC power connector on the back of the appliance.
2. Plug the power cord into a grounded, high-quality power strip that offers protection from electrical noise and power surges.
• We highly recommend using an uninterruptible power supply (UPS) to ensure continuous operation and minimize the risk of damage to the appliance in case of sudden loss of power.

Note – Standby power is supplied to the system even when the appliance is turned off.

See Safety Precautions (page 5) for more information on the AC and DC power supplies.

Proceed to Initial Configuration.

Initial Configuration

To start using the appliance, you must activate the network interfaces and establish a secure connection to the Management Server as outlined in the sections below. To successfully complete this configuration, the following prerequisites must be met:
• The Sensor, Analyzer, or Sensor-Analyzer element must be defined in the Management Center.
• You must have the following engine-specific information from the Management Server: a one-time password or a saved initial configuration file on a USB stick. See the IPS Installation Guide for details.

Note – The appliance must contact the Management Server before it can be operational.

There are two ways to configure the engine software.
• You can configure the engine automatically with a USB stick. See Configuring the Engine Automatically below.
• If the automatic configuration is not possible or desired, you can configure the engine manually. See Using the Engine Configuration Wizard (page 23).

Caution – The speed/duplex settings of a pair of inline interfaces must match the speed/duplex settings of both links within each inline interface pair (identical settings on all four interfaces). If the settings are not identical, use the configuration wizard to set the correct speed/duplex settings for the inline interfaces.

Connecting to the Appliance

You do not need to connect to the appliance at this point if you import a configuration from a USB stick as explained in Configuring the Engine Automatically (page 22), and you are not interested in the console messages that are displayed during this process. In other cases, you need a physical connection to the appliance using a serial cable connection from a computer with a terminal program.
To use the serial console, just boot up the appliance.

Note – You cannot use a monitor and keyboard connection for the initial configuration. You must use the serial console.

Configuring the Engine Automatically

The automatic configuration requires that you have a suitable configuration saved on a USB memory stick. See the IPS Installation Guide or the Online Help of the Management Client for details.

To configure the engine from a USB memory stick

1. Insert the USB stick in one of the USB ports on the appliance.
2. Turn on the appliance using the power on/off switch. The appliance automatically imports the configuration from the USB stick and then tries to make the initial contact to the Management Server.
• If the connection is successful, the appliance automatically reboots itself and the engine configuration is finished.

If you configure the engine with a USB stick, you must set a password for the root account in the Management Client to enable command line access to the engine. If you want to allow remote access to the engine using SSH, enable the SSH daemon for the engine in the Management Client. See the Administrator’s Guide for more information.

Proceed to After Successful Management Server Contact (page 29).

If the Automatic Configuration Fails
• If the automatic configuration fails, you can check for the reason in the log (sg_autoconfig.log) written on the USB stick.
• If you see a “connection refused” error message, ensure that the Management Server IP address is reachable from the engine and check the IP addresses you have defined in the Management Client.
• If the configuration with the USB stick still does not succeed, remove the USB stick from the USB port, and follow the instructions for the manual configuration, see Using the Engine Configuration Wizard (page 23).

Using the Engine Configuration Wizard

You can use the engine configuration wizard with all Management Center and IPS engine versions.
If you have saved the initial configuration on a USB stick, you can import it in the configuration wizard to reduce typing.

To start the configuration wizard

1. Connect the appliance to a computer using the serial cable supplied with the appliance.
2. On the computer, open a terminal with settings 9600bps, 8 databits, 1 stopbit, no parity.
3. Turn on the appliance using the power on/off switch. The engine bootup process is shown in the console and, after some time, the engine configuration wizard starts.

Note – You can (re)start the engine configuration wizard at any time using the sg-reconfigure command on the engine command line.

To select the configuration method

1. Do one of the following:
• To import a saved configuration, highlight Import using the arrow keys and press ENTER.
• To skip the import, highlight Next and press ENTER.
2. If you selected the Import option, select the configuration file.

To set the keyboard layout

1. Highlight the entry field for Keyboard Layout using the arrow keys and press ENTER. The Select Keyboard Layout dialog opens.
2. Highlight the correct layout and press ENTER.

Tip: Type in the first letter to move forward more quickly in the list of keyboard layouts.

Note – If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

To set the engine’s timezone

1. Highlight the entry field for Local Timezone using the arrow keys and press ENTER.
2. Select the correct timezone in the dialog that opens.

Note – The timezone setting affects only the way the time is displayed on the engine command line. The actual operation always uses UTC time.

Note – The appliance’s clock is automatically synchronized with the Management Server’s clock.

To set the rest of the OS settings

1. Type in the name of the engine.
2. Type in the password for the user root. This is the only account for engine command line access.
3.
(Optional) Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to engine command line using SSH. Note – It is not necessary to enable the SSH daemon now for ongoing management, as this option can also be set through the Management Client. We recommend that you enable the SSH access in the Management Client when needed and then disable the access again when you are done. 4. Highlight Next and press Enter. The Configure Network Interfaces window is displayed. Initial Configuration 25 Configuring the Network Interfaces To map the physical interfaces to Interface IDs 1. Type in the Interface IDs to define how Ethernet ports are mapped to the Interface IDs you defined in the engine element. 1 2 2. Highlight the Media column and press ENTER to match the speed/ duplex settings to those used in each network. • Make sure that the speed/duplex settings of network cards are identical at both ends of each cable. Also make sure that the speed/duplex settings of inline interfaces match the speed/ duplex settings of both links within each inline interface pair. 3. (Optional, only sensors and sensor-analyzers) If you want to set the appliance to initial bypass state, highlight Initial Bypass and press ENTER to define soft-bypass interface pair(s). • Initial bypass allows traffic to flow through one or more softbypass interface pairs until the initial configuration is ready and an IPS policy is installed on the appliance. Caution – Do not set inline interfaces that are in the Bypass mode to the initial bypass state. Select interfaces that are in the Normal mode for the soft-bypass interface pair(s). • In the example below eth1_0 is soft-bypassed with eth1_1. 26 Initial Configuration 4. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server. 
Note – The Management interface must be the same that is configured as the Primary Control Interface for the corresponding engine element in the Management Center.

5. Highlight Next and press ENTER to continue.

Contacting the Management Server

The Prepare for Management Contact window opens. If the initial configuration was imported, most of this information is filled in.

This task has three parts. First, you activate an initial configuration on the engine. The initial configuration contains the information that the engine needs to connect to the Management Server for the first time. The initial configuration is replaced with a working configuration when you install an IPS Policy on this engine using the Management Client.

To activate the Initial Configuration
1. Highlight Switch to Initial Configuration and press spacebar to activate.
2. Fill in the IP Address, Netmask and Gateway to Management information according to your environment.
• The information must match what you defined for the engine element (Primary Control IP Address). If the engine and the Management Server are on the same network, you can leave the Gateway to management field empty.

Note – The initial configuration does not contain any working IPS policy. You must install an IPS policy on the engine to make it operational.

In the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server.

To fill in the Management Server information
1. Highlight Contact and press spacebar to select.
2. Fill in the Management Server IP address and the one-time password for this engine.
• If you do not have a one-time password for this engine, see the IPS Installation Guide for instructions on how to save an initial configuration.
3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). This increases the security of the communications.
In the third part of the configuration, you select whether you want this engine to work as a Sensor, an Analyzer, or a combined Sensor-Analyzer (depending on the appliance you have purchased). The selection you make must correspond to the element you created for this engine in the Management Client.

To select the engine type
1. Select the type of engine using the arrow keys and the spacebar.
2. Highlight Finish and press ENTER. The engine now tries to contact the Management Server.
• If you see a “connection refused” error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. Save a new initial configuration if unsure about the password.
• If the engine is unable to contact the Management Server, make sure there are no networking problems and that the IP address defined in the IPS element on the Management Server is also correct.

Note – When initial contact succeeds, the engine receives a certificate from the Management Center for identification. The one-time password is not needed anymore and automatically expires.

After Successful Management Server Contact

After you see a notification that Management Server contact has succeeded or the appliance has rebooted itself after automatic configuration with a USB stick, the IPS engine installation is complete and the engine is ready to receive a policy. In a while, the engine element’s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server can connect to the node.

The next step is installing a security policy on the engine to replace the initial configuration you just activated with the working configuration you defined for the corresponding element on the Management Server. See the IPS Installation Guide for basic instructions or the Online Help of the Management Client for detailed instructions.
Caution – When using the command prompt, use the reboot command to reboot and halt command to shut down the node. Do not use the init command. You can also reboot the node using the Management Client.

Maintenance Operations

Connecting to the Engine Command Line

You may need to connect to the engine command line, for example, to undo a software upgrade.

To connect to the engine command line
1. Connect the serial cable supplied with the appliance to a computer and to the serial port on the appliance’s front panel.
2. On the computer, open a terminal with settings 9600bps, 8 databits, 1 stopbit, no parity.

Reverting to Previously Installed Software Version

This procedure allows you to undo a software upgrade. The appliance has two working partitions. One is designated as active and the other as inactive. The inactive partition is used for upgrades and the status is switched between the partitions when the upgrade is ready to be activated. If the appliance does not start up with the new version, it automatically switches to the previous configuration at the next reboot. You can also switch back to the previously installed software version manually as instructed here whenever necessary.

To switch back to the previously active version
1. Connect to the engine command line as described above in Connecting to the Engine Command Line.
2. (Re)start the appliance:
• If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command reboot.
3. Wait until a list of the appliance partitions is shown. The currently active partition is highlighted.
4. Select the inactive partition and press Enter. A list of available commands opens.
5. Select Boot SG IPS <name of partition> and press Enter. The appliance switches partitions and boots up.
6. Refresh the policy on the engine to synchronize the policy and other configuration data between components.
Note – If the certificate for system communications on the previously used partition is not valid anymore, see the Troubleshooting section in the Management Client’s Online Help for renewal instructions.

If you want to undo this operation, repeat the steps exactly as above.

Resetting the Appliance to Factory Settings

Note – Perform a factory reset only if you have a specific need to do so. Consult Stonesoft Support before performing this operation if you are unsure of whether this operation is necessary or not.

To reset to factory settings
1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 30).
2. (Re)start the appliance:
• If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command reboot.
3. Wait until a list of the appliance partitions is shown. The currently active partition is highlighted.
4. Press Enter. A list of available commands opens.
5. Select System Restore Options and press Enter.
6. Type 1 and press ENTER to clear the settings. A confirmation prompt is shown.
7. Type YES and press ENTER to perform the reset. If you decide to cancel the operation, type NO and press ENTER.

Caution – Do not unplug the power from the appliance or interrupt the reset in any way. If the reset is interrupted, the appliance may become unusable until serviced.

To use the appliance after a factory reset, you must configure it as explained in Initial Configuration (page 21).

Replacing the Solid State Disk

Caution – We recommend using a grounding strap when handling a Solid State Disk (SSD). Uninstalled SSDs are sensitive to ESD damage.

If necessary, you can replace the Solid State Disk in the appliance with another one of the same model.

To replace the Solid State Disk
1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 30).
2. Shut down the engine:
• If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command halt.
3. Unplug all power cords from the system or the wall outlets.
4. Locate the Solid State Disk drive on the appliance’s back panel (see the illustration in Back Panel (page 10)).
5. Press the release button to release the lever that locks the disk into position.
6. Pull the lever carefully to remove the disk from the drive.
7. Press the release button on the new disk to release the lever.
8. Insert the disk into the drive.
9. Press the lever down to lock the disk into position.

Replacing the Interface Module

Caution – Do not install or remove the interface module if the appliance is powered on to avoid damaging the module and the appliance.

To replace the interface module
1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 30).
2. Shut down the engine:
• If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command halt.
3. Unplug all power cords from the system and the wall outlets.
4. Disconnect all the cables from the appliance.
5. (Recommended) Fasten a grounding strap to your wrist so that it contacts your bare skin and attach the other end of the strap to the appliance.
6. Locate the interface module’s release lever on the left of the module’s front panel.
7. Release the module from its locking position by pressing the lever right, hold the lever down, and pull the module carefully out of the slot using the handle on the module’s front panel.

Note – If the unlocked module does not move, keep the release lever down, press the module gently toward the back of the slot, and pull the module again by the handle.

8. Replace the module with a new one. See Installing the Interface Module (page 12).
Caution – Do not power on the appliance if you have not installed an interface module in the appliance.

Disposal Instructions

Dispose of the appliance separately from household waste at an appropriate waste disposal facility at the end of its useful service life.

StoneGate Appliance Installation Guide

This booklet covers the initial installation and configuration tasks specific to your StoneGate Appliance. For information on how to prepare the Management Center for a new engine installation, see the other available documentation. See inside for further details.

All documentation and our technical knowledge base are available at: www.stonesoft.com/support

Stonesoft Corporation
International Headquarters
Itälahdenkatu 22 A
FI-00210 Helsinki, Finland
tel. +358 9 4767 11
fax. +358 9 4767 1349
www.stonesoft.com

Stonesoft Inc.
Americas Headquarters
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338, USA
tel. +1 866 869 4075
fax. +1 770 668 1131

Copyright 2012 Stonesoft Corporation.