finjan Vital Security NG-1000 Assembly instructions
Vital Security
™
Appliance Series
NG-1000/NG-5000/NG-6000/NG-8000
Installation
and
Setup Guide
Installation and Setup Guide
Vital Security™ Appliance Series NG-1000/NG-5000/NG-6000/NG-8000 Installation and Setup
Guide
© Copyright 1996 - 2007. Finjan Inc. and its affiliates and subsidiaries (“Finjan”). All rights
reserved.
All text and figures included in this publication are the exclusive property of Finjan and are for your
personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform,
reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content
in any way without the express permission in writing from Finjan. Information in this document is
subject to change without notice and does not present a commitment or representation on the part of
Finjan.
The Finjan technology and/or products and/or software described and/or referenced to in this
material are protected by registered and/or pending patents including U.S. Patents No. 6092194,
6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662,
6965968, 7058822, 7076469, 7155743, 7155744 and may be protected by other U.S. Patents,
foreign patents, or pending applications.
Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are
trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc.
McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky
Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are
registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their
respective owners. Q1 2007
For additional information, please visit www.finjan.com or contact one of our regional offices:
Catalog number: VSNG_IASG 8.4.3
Email:[email protected]
Internet:www.finjan.com
USA: San Jose
2025 Gateway Place Suite 180 San Jose,
CA 95110, USA
Toll Free: 1 888 FINJAN 8
Tel: +1 408 452 9700 Fax: +1 408 452 9701
Europe: UK
4th Floor, Westmead House,
Westmead,
Farnborough, GU14 7LP, UK
Tel: +44 (0)1252 511118
Fax: +44 (0)1252 510888
USA: New York
Chrysler Building
405 Lexington Avenue, 35th Floor
New York, NY 10174, USA
Tel: +1 212 681 4410 Fax: +1 212 681 4411
Europe: Germany
Alte Landstrasse 27, 85521
Ottobrun, Germany
Tel: +49 (0)89 673 5970
Fax: +49 (0)89 673 597 50
Israel/Asia Pacific
Hamachshev St. 1,
New Industrial Area Netanya, Israel 42504
Tel: +972 (0)9 864 8200
Fax: +972 (0)9 865 9441
Europe: Netherlands
Printerweg 56
3821 AD Amersfoort
Netherlands
Tel: +31 318 693 272
Fax: +31 318 693 274
Contents i
CONTENTS
1 About this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
2 Finjan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Appliance Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Management Console System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000) . . . . . . 10
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Connection Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Update Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Defining System Device Roles via the Management Console . . . . . . . . . . . . . . . . . 25
Connecting your Vital Security Appliance NG-8000 . . . . . . . . . . . . . . . . . . . . . . . . 27
Initial Procedures for the Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Initial Procedures for the Vital Security Scanning Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Routing Traffic through the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring Workstations for Routing Traffic through the Appliance . . . . . . . . . . . . . . . . . . .29
Transparent Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Working with HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
HTTP Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Working with Caching Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
HTTP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Working with ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Why work with ICAP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Vital Security as an ICAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
REQMOD – RESPMOD Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
ICAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
4 Configuring ICAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Network Appliance Netcache Series (NetApp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Blue Coat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Installation and Setup Guide
Contentsii
5 Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Introduction to Setup Console Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . .49
Configuring Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Appliance Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Custom Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Restart Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Reboot/Shutdown Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Active/Standby Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A Limited Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
B Installation CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Chapter 1 - About this Manual 1
CHAPTER
A
BOUT
THIS
M
ANUAL
Chapter Description
Chapter 1 About this Manual
Chapter 2 Overview - An introduction to Finjan's Vital Security
Appliance platform, including a brief overview of the
Vital Security Appliances NG-1000/NG-5000/NG-
6000/NG-8000.
Chapter 3 Getting Started – This section tells you everything you
need to know about getting started and lists the
necessary steps to be taken when installing and working
with your appliance.
This includes:
System requirements (hardware and software)
Information on supported protocols (HTTP and ICAP)
Configuration of end-user machines
Transparent proxy configuration
Connecting – describing the steps to be taken prior to
accessing the web-based Management Console
Chapter 4 Configuring the ICAP Clients – Discusses
configuration of Network Appliance (NetApp) and
Blue Coat
Chapter 5 Configuring Advanced Settings – This Chapter
describes how to use the Advanced Settings of the
Setup Console to manage the functionality of the
appliance
Appendix A Limited Shell – This Appendix describes the Limited
Shell feature.
Appendix B Installation CD – This Appendix details the installation
procedure using the Installation CD
Chapter 2 - Finjan Overview 3
CHAPTER
F
INJAN
O
VERVIEW
1 Introduction
Cyber-threats are fast increasing and pose a serious and growing problem for corporate
networks, appearing in different forms and using a variety of tactics – viruses, worms,
Trojans, and more. New, ultra-fast viruses can infect your system within seconds, long
before traditional signature-based solutions can protect you. While waiting for anti-virus
companies to release a new virus signature, thousands of unprotected computers may have
already been infected, leaving no alternative other than to shut down the corporate network.
Finjan's proactive behavior-inspection technology at the gateway provides protection by
examining active content behavior and identifying and blocking malicious mobile code
(viruses, worms, Trojan horses and a myriad of ever-developing attack types). Finjan’s
unique and patented proactive behavior inspection technology offers instant protection
against new virus, worm and malicious mobile code outbreaks without time-sensitive
signature-file updates, thus closing the Window-of-Vulnerability™and providing
networks with true day-zero protection.
Vital Security - Finjan’s Integrated Security Platform - is a complete and integrated
Secure Content Management solution in which individual best-of-breed security
applications work together in concert to respond proactively to the changing security
threats of both today and tomorrow.
This section contains a brief overview of the Vital SecurityAppliances NG-1000/
NG-5000/NG-6000/NG-8000.
1.1 Appliance Types
This manual deals with the following Vital Security Appliances:
1.1.1 Vital Security Appliance Series NG-8000
This appliance is a specially configured chassis containing multiple hot swappable blades,
with redundant power supplies, disks etc. The Vital Security Operating System (VSOS) is
preinstalled and preconfigured.
Installation and Setup Guide
Chapter 2 - Finjan Overview4
Figure 2-1: NG-8000 Superformance Appliance
The following table contains the hardware specifications for the NG-8000 appliance..
1.1.2 Vital Security Appliance Series NG-1000/NG-5000/NG-6000
This appliance is typically deployed to include multiple appliances, each running the Vital
Security Operating System (VSOS). It can, however, also be deployed All-in-one, using a
single appliance.
The different services running on each appliance can be configured according to your
organization's network requirements.
Component Specification
Memory 2 GB
Hard Drive 36 GB SAS (Web appliance)
2 x 73 GB SAS ( RAID 1)
(Policy Server)
CPU Xeon D 2 x 2.0GHz
Gigabit Ethernet NIC 2
NOTE: This document deals with the basic setup of the NG-8000 Appliance. Please
contact Finjan’s Support, or IBM for information about more advanced setup of the
Blade Center.
Installation and Setup Guide
5
Chapter 2 - Finjan Overview
Figure 2-2: NG-5000 Superformance Appliance
The following table contains the hardware specifications for the NG-5000 appliance.
Component Specification
Memory 2GB
Hard Drive 160GB SATA2
CPU Pentium D 3.4 GHz dual core
Flash Card 1024 MB
Rack space (1U) 429 x 382 x 44 mm (WxDxH)
16.9 x 15.0 x 1.8 inches
(WxDxH)
Gigabit Ethernet NIC 4
Built-in LCD display 1
Installation and Setup Guide
Chapter 2 - Finjan Overview6
Figure 2-3: NG-1000 Superformance Appliance
The following table contains the hardware specifications for the NG-1000 appliance.
Component Specification
Memory 1GB
Hard Drive 160GB
CPU Pentium IV 2.8GHz
Flash Card 256 MB
Rack space (1U) 428.6 x 360 x 44 mm (WxDxH)
16.9 x 14.1 x 1.7 inches
(WxDxH)
Fast/Gigabit Ethernet NIC 4 + 2
Built-in LCD display 1
Installation and Setup Guide
7
Chapter 2 - Finjan Overview
Figure 2-4: NG-6000 Superformance Appliance
The following table contains the hardware specifications for the NG-6000 appliance.
Component Specification
Memory 2GB
Hard Drive 2 x 72 GB SAS (RAID 1)
CPU Intel Xeon dual core x 2.0 GHz
Rack space (2U) 445 x 698 x 86 mm (WxDxH)
17.5 x 27.5 x 3.4 inches
(WxDxH)
Gigabit Ethernet NIC 4
Power Supply Redundant
Chapter 3 - Getting Started 9
CHAPTER
G
ETTING
S
TARTED
This section contains the following topics:
Management Console System Requirements
Connecting your Vital Security Appliance (NG-1000/NG-5000/NG-6000)
Update Mechanism
Defining System Device Roles via the Management Console
Connecting your Vital Security Appliance NG-8000
Routing Traffic through the Appliance
Working with HTTP
Working with ICAP
1Management Console System Requirements
1.1 Operating Systems
The following operating systems are supported for the web browser:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional
Microsoft Windows 2003 Server
1.2 Software Requirements
The following software is required:
Microsoft Internet Explorer 6.0 (or higher) – for accessing the Management Console
Installation and Setup Guide
Chapter 3 - Getting Started10
2Connecting your Vital Security Appliance (NG-1000/NG-5000/
NG-6000)
2.1 Installation
For installation details, please refer to Appendix B- Installation CD.
2.2 Configuration
We recommend locating the Scanning Servers, accessed via the Load Balancer(s) in the DMZ.
In this case, all network traffic between the Policy Server and Scanning Servers passes through
the internal firewall.
2.3 Connection Procedure
This section contains the following topics:
Accessing the Vital Security Setup Console
Using the Initial Setup Wizard
2.3.1 Accessing the Vital Security Setup Console
The Vital Security Setup Console is a secure, Web-based interface that enables you to
configure initial setup parameters associated with the box itself. The following initial
procedure is slightly different for the different models (as well as the Load Balancer).
To access the Vital Security Setup Console in NG-5000/NG-6000:
1. Plug in the power cable and switch the appliance on.
2. Connect a PC directly to the appliance’s GE3 port (for NG-6000, see Figure 3-1)
using a crossover cable, or, using a standard Ethernet cable, connect the appliance’s
GE3 port to a hub or switch that is on the same network segment as the PC. CAT5e
cables (or better) are recommended.
3. The default IP of the GE3 interface is 10.0.3.1, and its default netmask is
255.255.255.0. Configure the TCP/IP settings of your PC so that it is on the same
logical network subnet as the appliance’s GE3 interface. For example, configure the
IP on the PC as 10.0.3.101 and the PC’s netmask as 255.255.255.0
IMPORTANT: Do not set the PC’s IP to 10.0.3.1, as this will result in an IP
conflict with the appliance.
Installation and Setup Guide
11
Chapter 3 - Getting Started
GE3 GE2 GE1 GE0
Figure 3-1: NG-6000 Back Panel, Network Interfaces
To access the Vital Security Setup Console in NG-1000:
1. Plug in the power cable and switch the appliance on.
2. Connect a PC directly to the appliance’s FE5 port (the left-most port) using a
crossover cable, or, using a standard Ethernet cable, connect the appliance’s FE5
port to a hub or switch that is on the same network segment as the PC. CAT5e
cables (or better) are recommended.
3. The default IP of the FE5 interface is 10.0.5.1, and its default netmask is
255.255.255.0.Configure the TCP/IP settings of your PC so that it is on the same
logical network subnet as the appliance’s FE5 interface. For example, configure the
IP on the PC as 10.0.5.101 and the PC’s netmask as 255.255.255.0
Continue for all appliances as follows:
4. Open your browser and enter the following address: https://10.0.5.1:3012 (for NG-
1000 ) or https://10.0.3.1:3012 (for NG-5000 /NG-6000). A certificate warning pops
up.
5. Click Yes to close the warning. The Vital Security Setup Console login window is
displayed.
Figure 3-2: Setup Console Login
IMPORTANT: Do not set the PC’s IP to 10.0.5.1, as this will result in an IP
conflict with the appliance.
Installation and Setup Guide
Chapter 3 - Getting Started12
6. Log in to the Vital Security Setup Console using admin as the user name and finjan
as the password.
7. Read and accept the End User License Agreement. The Setup Selection screen is
displayed.
Figure 3-3: Setup Selection
2.3.2 Using the Initial Setup Wizard
The Initial Setup Wizard guides you step by step through the initial configuration process. Use
this Wizard to configure the following:
An appliance with one active Ethernet interface with an IP that you have set (all other
interfaces will be deactivated)
Your selected network settings – Default gateway, Hostname, and so on
Time settings that you have manually configured
Active appliance roles that work according to the Ethernet interface and IP that you have
selected
If you have selected the management services to be part of the appliance (All-in-One or
Policy Server) you will also have installed a license (either an evaluation license or a
permanent license)
A new password of your choice for the initial setup Web interface admin user (the
password cannot be finjan or an empty string)
Installation and Setup Guide
13
Chapter 3 - Getting Started
An initial setup Web interface working at https://NEW_IP:3012 (when the IP change
takes place, you will be disconnected)
The next sections detail separately configuration of a Policy Server or All in one, and a
Scanning Server.
2.3.3 Configuring a Policy Server or All in One
To configure a Policy Server or All in One:
1. Click the Initial Setup Wizard icon as appears in Figure 3-3 to begin the setup
procedure, and in the Welcome screen, click Next. The Appliance Role screen is
displayed.
Figure 3-4: Appliance Role: Policy Server
2. From the Select a Role drop-down list, select one of the following appliance roles,
and then click Next:
Vital Security Policy Server – Selecting the Vital Security Policy Server
provides only management and reporting services, and requires an
additional appliance for scanning.
Vital Security Scanning Server – Select the Vital Security Scanning Server
if you want to activate this appliance for scanning, while another appliance
is providing the management and reporting services.
All in One – Selecting the All in One appliance provides management,
reporting and scanning services.
None – Initial mode of the Vital Security Appliance.
Installation and Setup Guide
Chapter 3 - Getting Started14
In this procedure, select either the Policy Server or All in One
3. The License Type screen is displayed if you have selected Policy Server or All-in-
One server. The Licensing option is disabled for other roles. Click the required
License Type option.
Figure 3-5: License Type
4. If you selected an Evaluation license, select the required license and security engine
options, and then click Next. (Go straight to step 6.).
IMPORTANT: In order to change the device role from Scanning Server to Policy
Server or All in one device, the administrator must first Restore Factory Settings. There
are two ways of doing this. If you installed 8.4.0 or higher on your appliance using the
Installation CD, then you will “restore factory settings” by using the Installation CD
(please refer to Appendix B). If, however, you have installed previous Releases using the
standard Update feature, then follow the Restore Factory Settings procedure as outlined
in the Installation and Setup Guide 8.3.5; Appendix A.
Installation and Setup Guide
15
Chapter 3 - Getting Started
Figure 3-6: Evaluation License Options
The following table describes the Evaluation License Options:
5. If you selected a Subscription license, enter the license key that you received from
either Finjan or your reseller, and then click Next.
Field Name Description
Anti-Virus Anti-Virus third party scanning engine
which scans for known viruses (McAfee,
Sophos or Kaspersky depending on your
license)
URL Filtering Third party engine which provides
categorization of Web sites (SurfControl)
Application-Level
Behavior Blocking Finjan’s unique content scanning engine
based on Behavior Profiles (binary or
script)
Vulnerability Anti-
dote Unique Finjan engine that scans content
to identify known vulnerabilities
Anti-Spyware The Anti Spyware engine identifies
spyware sites and block access to those
sites
Installation and Setup Guide
Chapter 3 - Getting Started16
Figure 3-7: Subscription License
6. The License Details are displayed. Click Next.
Figure 3-8: License Details
7. The Network Interface Used by Policy/Scanning Server screen is displayed . If you
are using an NG-1000 appliance, the Network Interface will look as below.
Figure 3-9: Network Interface NG-1000
This manual suits for next models
3
Table of contents
Other finjan Firewall manuals
Popular Firewall manuals by other brands
Authonet
Authonet Firewall F-10 quick start guide
ZyXEL Communications
ZyXEL Communications ADSL 2+ Security Gateway user guide
ZyXEL Communications
ZyXEL Communications ZyWALL/USG Series quick start guide
NETGEAR
NETGEAR FVS336Gv2 - ProSafe Dual WAN Gigabit... Reference manual
Cisco
Cisco S190 quick start guide
Nexcom
Nexcom DNA 1150 user manual
Fortinet
Fortinet FortiGate-60 series install guide
FEITIAN
FEITIAN MultiPass FIDO product manual
Smoothwall
Smoothwall S10 Appliance Getting started guide
inGate
inGate SIParator SBE Application note
NETGEAR
NETGEAR FVS124G - ProSafe VPN Firewall 25 Reference manual
Cisco
Cisco Firepower 2100 Series Getting started guide
