FireBrick FB6402 User manual

FireBrick FB6402
User Manual
FB6000 Versatile Network Appliance


FireBrick FB6402 User Manual
This User Manual documents Software version V1.46.100
Copyright © 2012-2017 FireBrick Ltd.

Table of Contents
Preface ................................................................................................................................. xvii
1. Introduction .......................................................................................................................... 1
1.1. The FB6000 ............................................................................................................... 1
1.1.1. Where do I start? .............................................................................................. 1
1.1.2. What can it do? ................................................................................................ 1
1.1.2.1. FB6402 Gigabit stateful firewall ............................................................... 2
1.1.3. Ethernet port capabilities .................................................................................... 2
1.1.4. Product variants in the FB6000 series ................................................................... 2
1.2. About this Manual ....................................................................................................... 2
1.2.1. Version ........................................................................................................... 2
1.2.2. Intended audience ............................................................................................. 3
1.2.3. Technical details ............................................................................................... 3
1.2.4. Document style ................................................................................................. 3
1.2.5. Document conventions ....................................................................................... 3
1.2.6. Comments and feedback .................................................................................... 4
1.3. Additional Resources ................................................................................................... 4
1.3.1. Technical Support ............................................................................................. 4
1.3.2. IRC Channel .................................................................................................... 4
1.3.3. Application Notes ............................................................................................. 4
1.3.4. White Papers .................................................................................................... 4
1.3.5. Training Courses ............................................................................................... 5
2. Getting Started ...................................................................................................................... 6
2.1. IP addressing .............................................................................................................. 6
2.2. Accessing the web-based user interface ........................................................................... 6
2.2.1. Add a new user ................................................................................................ 7
3. Configuration ........................................................................................................................ 9
3.1. The Object Hierarchy ................................................................................................... 9
3.2. The Object Model ....................................................................................................... 9
3.2.1. Formal definition of the object model ................................................................. 10
3.2.2. Common attributes .......................................................................................... 10
3.3. Configuration Methods ............................................................................................... 10
3.4. Web User Interface Overview ...................................................................................... 10
3.4.1. User Interface layout ........................................................................................ 11
3.4.1.1. Customising the layout .......................................................................... 11
3.4.2. Config pages and the object hierarchy ................................................................. 12
3.4.2.1. Configuration categories ......................................................................... 12
3.4.2.2. Object settings ...................................................................................... 13
3.4.3. Navigating around the User Interface .................................................................. 15
3.4.4. Backing up / restoring the configuration .............................................................. 16
3.5. Configuration using XML ........................................................................................... 16
3.5.1. Introduction to XML ........................................................................................ 16
3.5.2. The root element - <config> ............................................................................. 17
3.5.3. Viewing or editing XML .................................................................................. 17
3.5.4. Example XML configuration ............................................................................. 17
3.6. Downloading/Uploading the configuration ...................................................................... 19
3.6.1. Download ...................................................................................................... 19
3.6.2. Upload .......................................................................................................... 20
4. System Administration .......................................................................................................... 21
4.1. User Management ...................................................................................................... 21
4.1.1. Login level ..................................................................................................... 21
4.1.2. Configuration access level ................................................................................ 22
4.1.3. Login idle timeout ........................................................................................... 22
4.1.4. Restricting user logins ...................................................................................... 22
4.1.4.1. Restrict by IP address ............................................................................ 22
4.1.4.2. Logged in IP address ............................................................................. 23
4.1.4.3. Restrict by profile ................................................................................. 23
4.1.5. Password change ............................................................................................. 23
4.1.6. One Time Password (OTP) ............................................................................... 23
4.2. General System settings .............................................................................................. 24
4.2.1. System name (hostname) .................................................................................. 24
4.2.2. Administrative details ...................................................................................... 24
4.2.3. System-level event logging control ..................................................................... 24
4.2.4. Home page web links ...................................................................................... 24
4.3. Software Upgrades ..................................................................................................... 25
4.3.1. Software release types ...................................................................................... 25
4.3.1.1. Breakpoint releases ............................................................................... 25
4.3.2. Identifying current software version .................................................................... 26
4.3.3. Internet-based upgrade process .......................................................................... 26
4.3.3.1. Manually initiating upgrades ................................................................... 26
4.3.3.2. Controlling automatic software updates ..................................................... 27
4.3.4. Manual upgrade .............................................................................................. 27
4.4. Boot Process ............................................................................................................. 28
4.4.1. LED indications .............................................................................................. 28
4.4.1.1. Power LED status indications ................................................................. 28
4.4.1.2. Port LEDs ........................................................................................... 28
5. Event Logging ..................................................................................................................... 29
5.1. Overview .................................................................................................................. 29
5.1.1. Log targets ..................................................................................................... 29
5.1.1.1. Logging to Flash memory ...................................................................... 29
5.1.1.2. Logging to the Console .......................................................................... 30
5.2. Enabling logging ....................................................................................................... 30
5.3. Logging to external destinations ................................................................................... 30
5.3.1. Syslog ........................................................................................................... 30
5.3.2. Email ............................................................................................................ 31
5.3.2.1. E-mail process logging .......................................................................... 32
5.4. Factory reset configuration log targets ........................................................................... 32
5.5. Performance .............................................................................................................. 32
5.6. Viewing logs ............................................................................................................. 32
5.6.1. Viewing logs in the User Interface ..................................................................... 32
5.6.2. Viewing logs in the CLI environment ................................................................. 33
5.7. System-event logging ................................................................................................. 33
5.8. Using Profiles ........................................................................................................... 33
6. Interfaces and Subnets .......................................................................................................... 34
6.1. Relationship between Interfaces and Physical Ports .......................................................... 34
6.1.1. Port groups .................................................................................................... 34
6.1.2. Interfaces ....................................................................................................... 34
6.2. Defining an interface .................................................................................................. 34
6.2.1. Defining subnets ............................................................................................. 35
6.2.1.1. Source filtering ..................................................................................... 36
6.2.1.2. Using DHCP to configure a subnet .......................................................... 36
6.2.2. Setting up DHCP server parameters .................................................................... 36
6.2.2.1. Fixed/Static DHCP allocations ................................................................ 37
6.2.2.2. Restricted allocations ............................................................................. 38
6.2.2.3. Special DHCP options ........................................................................... 39
6.2.3. DHCP Relay Agent ......................................................................................... 39
6.3. Physical port settings .................................................................................................. 39
6.3.1. Setting duplex mode ........................................................................................ 40
6.3.2. Defining port LED functions ............................................................................. 40
7. Session Handling ................................................................................................................. 41
7.1. Routing vs. Firewalling ............................................................................................... 41
7.2. Session Tracking ....................................................................................................... 41
7.2.1. Session termination .......................................................................................... 42
7.3. Session Rules ............................................................................................................ 42
7.3.1. Overview ....................................................................................................... 42
7.3.2. Processing flow ............................................................................................... 43
7.3.3. Defining Rule-Sets and Rules ............................................................................ 46
7.3.3.1. Recommended method of implementing firewalling .................................... 47
7.3.3.2. Changes to session traffic ....................................................................... 48
7.3.3.3. Graphing and traffic shaping ................................................................... 49
7.3.3.4. Configuring session time-outs ................................................................. 49
7.3.3.5. Load balancing ..................................................................................... 49
7.3.3.6. NAT-PMP / PCP (Port Control Protocol) .................................................. 50
7.4. Network Address Translation ....................................................................................... 51
7.4.1. When to use NAT ........................................................................................... 51
7.4.2. NAT ALGs .................................................................................................... 51
7.4.3. Setting NAT in rules ........................................................................................ 52
7.4.4. What NAT does .............................................................................................. 52
7.4.5. NAT with PPPoE ............................................................................................ 52
7.4.6. NAT with other types of external routing ............................................................ 53
7.4.7. Mixing NAT and non NAT ............................................................................... 53
7.4.8. Carrier grade NAT .......................................................................................... 53
7.4.9. Using NAT setting on subnets ........................................................................... 53
8. Routing .............................................................................................................................. 55
8.1. Routing logic ............................................................................................................ 55
8.2. Routing targets .......................................................................................................... 56
8.2.1. Subnet routes .................................................................................................. 56
8.2.2. Routing to an IP address (gateway route) ............................................................. 56
8.2.3. Special targets ................................................................................................ 57
8.3. Dynamic route creation / deletion ................................................................................. 57
8.4. Routing tables ........................................................................................................... 57
8.5. Bonding ................................................................................................................... 57
8.6. Route overrides ......................................................................................................... 58
9. Profiles ............................................................................................................................... 59
9.1. Overview .................................................................................................................. 59
9.2. Creating/editing profiles .............................................................................................. 59
9.2.1. Timing control ................................................................................................ 59
9.2.2. Tests ............................................................................................................. 60
9.2.2.1. General tests ........................................................................................ 60
9.2.2.2. Time/date tests ..................................................................................... 60
9.2.2.3. Ping tests ............................................................................................. 60
9.2.3. Inverting overall test result ................................................................................ 60
9.2.4. Manual override .............................................................................................. 61
10. Traffic Shaping .................................................................................................................. 62
10.1. Graphs and Shapers .................................................................................................. 62
10.1.1. Graphs ......................................................................................................... 62
10.1.2. Shapers ........................................................................................................ 63
10.1.3. Ad hoc shapers ............................................................................................. 63
10.1.4. Long term shapers ......................................................................................... 63
10.2. Multiple shapers ...................................................................................................... 63
10.3. Basic principles ....................................................................................................... 64
11. Tunnels ............................................................................................................................. 65
11.1. IPsec (IP Security) ................................................................................................... 65
11.1.1. Introduction .................................................................................................. 65
11.1.1.1. Integrity checking ................................................................................ 65
11.1.1.2. Encryption ......................................................................................... 65
11.1.1.3. Authentication .................................................................................... 66
11.1.1.4. IKE ................................................................................................... 66
11.1.1.5. Manual Keying ................................................................................... 66
11.1.1.6. Identities and the Authentication Mechanism ............................................ 67
11.1.2. Setting up IPsec connections ........................................................................... 67
11.1.2.1. Global IPsec parameters ....................................................................... 67
11.1.2.2. IKE proposals ..................................................................................... 68
11.1.2.3. IKE roaming IP pools .......................................................................... 68
11.1.2.4. IKE connections .................................................................................. 68
11.1.2.4.1. IKE connection mode and type ................................................... 68
11.1.2.4.2. IKE and IPsec proposal lists ....................................................... 68
11.1.2.4.3. Authentication and IKE identities ................................................ 69
11.1.2.4.4. IP addresses ............................................................................. 69
11.1.2.4.5. Road Warrior connections .......................................................... 70
11.1.2.4.6. Routing ................................................................................... 70
11.1.2.4.7. Other parameters ...................................................................... 70
11.1.2.5. Setting up Manual Keying .................................................................... 70
11.1.2.5.1. IP endpoints ............................................................................. 71
11.1.2.5.2. Algorithms and keys ................................................................. 71
11.1.2.5.3. Routing ................................................................................... 71
11.1.2.5.4. Mode ...................................................................................... 71
11.1.2.5.5. Other parameters ...................................................................... 72
11.1.3. Using EAP with IPsec/IKE ............................................................................. 72
11.1.4. Using certificates with IPsec/IKE ..................................................................... 72
11.1.4.1. Creating certificates ............................................................................. 74
11.1.5. Choice of algorithms ...................................................................................... 74
11.1.6. NAT Traversal .............................................................................................. 75
11.1.7. Configuring a Road Warrior server ................................................................... 76
11.1.8. Connecting to non-FireBrick devices ................................................................. 77
11.1.8.1. Using StrongSwan on Linux ................................................................. 77
11.1.8.2. Setting up a Road Warrior VPN on an Android client ................................ 78
11.1.8.3. Setting up a Road Warrior VPN on an iOS (iPhone/iPad) client .................... 79
11.1.8.4. Manual keying using Linux ipsec-tools ................................................... 79
11.2. FB105 tunnels ......................................................................................................... 80
11.2.1. Tunnel wrapper packets .................................................................................. 81
11.2.2. Setting up a tunnel ......................................................................................... 81
11.2.3. Viewing tunnel status ..................................................................................... 82
11.2.4. Dynamic routes ............................................................................................. 82
11.2.5. Tunnel bonding ............................................................................................. 82
11.2.6. Tunnels and NAT .......................................................................................... 82
11.2.6.1. FB6000 doing NAT ............................................................................. 83
11.2.6.2. Another device doing NAT ................................................................... 83
11.3. Ether tunnelling ....................................................................................................... 83
12. System Services ................................................................................................................. 85
12.1. Protecting the FB6000 .............................................................................................. 85
12.2. Common settings ..................................................................................................... 85
12.3. HTTP Server configuration ........................................................................................ 86
12.3.1. Access control ............................................................................................... 86
12.3.1.1. Trusted addresses ................................................................................ 86
12.4. Telnet Server configuration ........................................................................................ 86
12.4.1. Access control ............................................................................................... 87
12.5. DNS configuration ................................................................................................... 87
12.5.1. Blocking DNS names ..................................................................................... 87
12.5.2. Local DNS responses ..................................................................................... 87
12.5.3. Auto DHCP DNS .......................................................................................... 87
12.6. NTP configuration .................................................................................................... 88
12.7. SNMP configuration ................................................................................................. 88
13. Network Diagnostic Tools .................................................................................................... 89
13.1. Firewalling check ..................................................................................................... 89
13.2. Access check ........................................................................................................... 90
13.3. Packet Dumping ...................................................................................................... 90
13.3.1. Dump parameters ........................................................................................... 91
13.3.2. Security settings required ................................................................................ 91
13.3.3. IP address matching ....................................................................................... 91
13.3.4. Packet types .................................................................................................. 92
13.3.5. Snaplen specification ...................................................................................... 92
13.3.6. Using the web interface .................................................................................. 92
13.3.7. Using an HTTP client .................................................................................... 92
13.3.7.1. Example using curl and tcpdump ........................................................... 93
14. VRRP ............................................................................................................................... 94
14.1. Virtual Routers ........................................................................................................ 94
14.2. Configuring VRRP ................................................................................................... 95
14.2.1. Advertisement Interval .................................................................................... 95
14.2.2. Priority ........................................................................................................ 95
14.3. Using a virtual router ................................................................................................ 95
14.4. VRRP versions ........................................................................................................ 95
14.4.1. VRRP version 2 ............................................................................................ 95
14.4.2. VRRP version 3 ............................................................................................ 96
14.5. Compatibility ........................................................................................................... 96
15. BGP ................................................................................................................................. 97
15.1. What is BGP? ......................................................................................................... 97
15.2. BGP Setup .............................................................................................................. 97
15.2.1. Overview ..................................................................................................... 97
15.2.2. Standards ..................................................................................................... 97
15.2.3. Simple example setup ..................................................................................... 98
15.2.4. Peer type ...................................................................................................... 98
15.2.5. Route filtering ............................................................................................... 99
15.2.5.1. Matching attributes .............................................................................. 99
15.2.5.2. Action attributes .................................................................................. 99
15.2.6. Well known community tags .......................................................................... 100
15.2.7. Announcing black hole routes ........................................................................ 100
15.2.8. Announcing dead end routes .......................................................................... 101
15.2.9. Bad optional path attributes ........................................................................... 101
15.2.10. <network> element ..................................................................................... 101
15.2.11. <route>, <subnet> and other elements ............................................................ 101
15.2.12. Route feasibility testing ............................................................................... 101
15.2.13. Diagnostics ................................................................................................ 102
15.2.14. Router shutdown ........................................................................................ 102
15.2.15. TTL security ............................................................................................. 102
16. Command Line Interface .................................................................................................... 103
A. CIDR and CIDR Notation ................................................................................................... 104
B. MAC Addresses usage ........................................................................................................ 106
B.1. Multiple MAC addresses? ......................................................................................... 106
B.2. How the FireBrick allocates MAC addresses ................................................................ 107
B.2.1. Interface ...................................................................................................... 107
B.2.2. Subnet ......................................................................................................... 107
B.2.3. PPPoE ......................................................................................................... 107
B.2.4. Base MAC ................................................................................................... 107
B.2.5. Running out of MACs ................................................................................... 108
B.3. MAC address on label .............................................................................................. 108
B.4. Using with a DHCP server ........................................................................................ 109
C. VLANs : A primer ............................................................................................................. 110
D. FireBrick specific SNMP objects .......................................................................................... 111
D.1. Monitoring information ............................................................................................ 111
D.2. BGP information ..................................................................................................... 111
E. Command line reference ...................................................................................................... 113
E.1. General commands ................................................................................................... 113
E.1.1. Trace off ...................................................................................................... 113
E.1.2. Trace on ...................................................................................................... 113
E.1.3. Uptime ........................................................................................................ 113
E.1.4. General status ............................................................................................... 113
E.1.5. Memory usage .............................................................................................. 113
E.1.6. Process/task usage ......................................................................................... 113
E.1.7. Login .......................................................................................................... 113
E.1.8. Logout ......................................................................................................... 114
E.1.9. See XML configuration .................................................................................. 114
E.1.10. Load XML configuration .............................................................................. 114
E.1.11. Show profile status ...................................................................................... 114
E.1.12. Enable profile control switch ......................................................................... 114
E.1.13. Disable profile control switch ........................................................................ 114
E.1.14. Show RADIUS servers ................................................................................. 114
E.1.15. Show DNS resolvers .................................................................................... 114
E.2. Networking commands ............................................................................................. 115
E.2.1. Subnets ........................................................................................................ 115
E.2.2. Ping and trace ............................................................................................... 115
E.2.3. Show a route from the routing table ................................................................. 115
E.2.4. List routes .................................................................................................... 115
E.2.5. List routing next hops .................................................................................... 115
E.2.6. See DHCP allocations .................................................................................... 116
E.2.7. Clear DHCP allocations .................................................................................. 116
E.2.8. Lock DHCP allocations .................................................................................. 116
E.2.9. Unlock DHCP allocations ............................................................................... 116
E.2.10. Name DHCP allocations ............................................................................... 116
E.2.11. Show ARP/ND status ................................................................................... 116
E.2.12. Show VRRP status ...................................................................................... 116
E.2.13. Send Wake-on-LAN packet ........................................................................... 116
E.3. Firewalling commands .............................................................................................. 117
E.3.1. Check access to services ................................................................................. 117
E.3.2. Check firewall logic ...................................................................................... 117
E.4. BGP commands ....................................................................................................... 117
E.5. Advanced commands ................................................................................................ 117
E.5.1. Panic ........................................................................................................... 117
E.5.2. Reboot ......................................................................................................... 117
E.5.3. Screen width ................................................................................................ 117
E.5.4. Make outbound command session .................................................................... 118
E.5.5. Show command sessions ................................................................................ 118
E.5.6. Kill command session .................................................................................... 118
E.5.7. Flash memory list .......................................................................................... 118
E.5.8. Delete block from flash .................................................................................. 118
E.5.9. Boot log ...................................................................................................... 118
E.5.10. Flash log .................................................................................................... 118
F. Constant Quality Monitoring - technical details ....................................................................... 120
F.1. Access to graphs and csvs ......................................................................................... 120
F.1.1. Trusted access ............................................................................................... 120
F.1.2. Dated information .......................................................................................... 120
F.1.3. Authenticated access ...................................................................................... 121
F.2. Graph display options ............................................................................................... 121
F.2.1. Data points ................................................................................................... 121
F.2.2. Additional text .............................................................................................. 121
F.2.3. Other colours and spacing ............................................................................... 122
F.3. Overnight archiving .................................................................................................. 122
F.3.1. Full URL format ........................................................................................... 123
F.3.2. Load handling ................................................................................................ 123
F.4. Graph scores ........................................................................................................... 124
F.5. Creating graphs, and graph names ............................................................................... 124
G. Hashed passwords .............................................................................................................. 125
G.1. Password hashing .................................................................................................... 125
G.1.1. Salt ............................................................................................................. 125
G.2. One Time Password seed hashing .............................................................................. 126
H. Configuration Objects ......................................................................................................... 128
H.1. Top level ............................................................................................................... 128
H.1.1. config: Top level config ................................................................................. 128
H.2. Objects .................................................................................................................. 129
H.2.1. system: System settings .................................................................................. 129
H.2.2. link: Web links ............................................................................................. 130
H.2.3. user: Admin users ......................................................................................... 130
H.2.4. eap: User access controlled by EAP ................................................................. 131
H.2.5. log: Log target controls .................................................................................. 131
H.2.6. log-syslog: Syslog logger settings .................................................................... 131
H.2.7. log-email: Email logger settings ...................................................................... 132
H.2.8. services: System services ............................................................................... 133
H.2.9. snmp-service: SNMP service settings ............................................................... 133
H.2.10. ntp-service: NTP service settings ................................................................... 133
H.2.11. telnet-service: Telnet service settings .............................................................. 134
H.2.12. http-service: HTTP service settings ................................................................. 135
H.2.13. dns-service: DNS service settings ................................................................... 135
H.2.14. dns-host: Fixed local DNS host settings .......................................................... 136
H.2.15. dns-block: Fixed local DNS blocks ................................................................. 136
H.2.16. ethernet: Physical port controls ...................................................................... 137
H.2.17. sampling: Packet sampling configuration ......................................................... 137
H.2.18. portdef: Port grouping and naming ................................................................. 138
H.2.19. interface: Port-group/VLAN interface settings .................................................. 138
H.2.20. subnet: Subnet settings ................................................................................. 139
H.2.21. vrrp: VRRP settings ..................................................................................... 140
H.2.22. dhcps: DHCP server settings ......................................................................... 141
H.2.23. dhcp-attr-hex: DHCP server attributes (hex) ..................................................... 142
H.2.24. dhcp-attr-string: DHCP server attributes (string) ............................................... 142
H.2.25. dhcp-attr-number: DHCP server attributes (numeric) .......................................... 143
H.2.26. dhcp-attr-ip: DHCP server attributes (IP) ......................................................... 143
H.2.27. route: Static routes ...................................................................................... 143
H.2.28. network: Locally originated networks ............................................................. 144
H.2.29. blackhole: Dead end networks ....................................................................... 144
H.2.30. loopback: Locally originated networks ............................................................ 145
H.2.31. namedbgpmap: Mapping and filtering rules of BGP prefixes ............................... 145
H.2.32. bgprule: Individual mapping/filtering rule ........................................................ 146
H.2.33. bgp: Overall BGP settings ............................................................................ 146
H.2.34. bgppeer: BGP peer definitions ....................................................................... 147
H.2.35. bgpmap: Mapping and filtering rules of BGP prefixes ........................................ 148
H.2.36. cqm: Constant Quality Monitoring settings ...................................................... 149
H.2.37. fb105: FB105 tunnel definition ...................................................................... 151
H.2.38. fb105-route: FB105 routes ............................................................................ 152
H.2.39. ipsec-ike: IPsec configuration (IKEv2) ............................................................ 152
H.2.40. ike-connection: connection configuration ......................................................... 153
H.2.41. ipsec-route: IPsec tunnel routes ...................................................................... 154
H.2.42. ike-roaming: IKE roaming IP pools ................................................................ 155
H.2.43. ike-proposal: IKE security proposal ................................................................ 155
H.2.44. ipsec-proposal: IPsec AH/ESP proposal ........................................................... 156
H.2.45. ipsec-manual: peer configuration .................................................................... 156
H.2.46. profile: Control profile ................................................................................. 157
H.2.47. profile-date: Test passes if within any of the time ranges specified ........................ 158
H.2.48. profile-time: Test passes if within any of the date/time ranges specified ................. 158
H.2.49. profile-ping: Test passes if any addresses are pingable ....................................... 159
H.2.50. shaper: Traffic shaper .................................................................................. 159
H.2.51. shaper-override: Traffic shaper override based on profile .................................... 160
H.2.52. ip-group: IP Group ...................................................................................... 160
H.2.53. route-override: Routing override rules ............................................................. 161
H.2.54. session-route-rule: Routing override rule ......................................................... 161
H.2.55. session-route-share: Route override load sharing ............................................... 162
H.2.56. rule-set: Firewall/mapping rule set .................................................................. 162
H.2.57. session-rule: Firewall rules ............................................................................ 163
H.2.58. session-share: Firewall load sharing ................................................................ 164
H.2.59. etun: Ether tunnel ........................................................................................ 165
H.2.60. dhcp-relay: DHCP server settings for remote / relayed requests ............................ 165
H.3. Data types .............................................................................................................. 166
H.3.1. autoloadtype: Type of s/w auto load ................................................................. 166
H.3.2. config-access: Type of access user has to config ................................................. 166
H.3.3. user-level: User login level ............................................................................. 166
H.3.4. eap-subsystem: Subsystem with EAP access control ............................................ 166
H.3.5. eap-method: EAP access method ..................................................................... 167
H.3.6. syslog-severity: Syslog severity ....................................................................... 167
H.3.7. syslog-facility: Syslog facility ......................................................................... 167
H.3.8. month: Month name (3 letter) ......................................................................... 168
H.3.9. day: Day name (3 letter) ................................................................................ 168
H.3.10. port: Physical port ....................................................................................... 169
H.3.11. Crossover: Crossover configuration ................................................................ 169
H.3.12. LinkSpeed: Physical port speed ..................................................................... 169
H.3.13. LinkDuplex: Physical port duplex setting ......................................................... 169
H.3.14. LinkFlow: Physical port flow control setting .................................................... 169
H.3.15. LinkClock: Physical port Gigabit clock master/slave setting ................................ 170
H.3.16. LinkLED-y: Yellow LED setting ................................................................... 170
H.3.17. LinkLED-g: Green LED setting ..................................................................... 170
H.3.18. LinkPower: PHY power saving options ........................................................... 170
H.3.19. LinkFault: Link fault type to send .................................................................. 171
H.3.20. sampling-protocol: Sampling protocol ............................................................. 171
H.3.21. trunk-mode: Trunk port mode ........................................................................ 171
H.3.22. ramode: IPv6 route announce level ................................................................. 171
H.3.23. dhcpv6control: Control for RA and DHCPv6 bits .............................................. 172
H.3.24. bgpmode: BGP announcement mode ............................................................... 172
H.3.25. sampling-mode: Sampling mode .................................................................... 172
H.3.26. sfoption: Source filter option ......................................................................... 172
H.3.27. peertype: BGP peer type ............................................................................... 172
H.3.28. ipsec-type: IPsec encapsulation type ............................................................... 173
H.3.29. ike-authmethod: authentication method ............................................................ 173
H.3.30. ike-mode: connection setup mode ................................................................... 173
H.3.31. ipsec-auth-algorithm: IPsec authentication algorithm .......................................... 173
H.3.32. ipsec-crypt-algorithm: IPsec encryption algorithm ............................................. 174
H.3.33. ike-PRF: IKE Pseudo-Random Function .......................................................... 174
H.3.34. ike-DH: IKE Diffie-Hellman group ................................................................ 174
H.3.35. ike-ESN: IKE Sequence Number support ......................................................... 174
H.3.36. ipsec-encapsulation: Manually keyed IPsec encapsulation mode ........................... 175
H.3.37. switch: Profile manual setting ........................................................................ 175
H.3.38. dynamic-graph: Type of dynamic graph .......................................................... 175
H.3.39. firewall-action: Firewall action ...................................................................... 175
H.4. Basic types ............................................................................................................. 175
Index .................................................................................................................................... 178

List of Figures
2.1. Initial web page in factory reset state ...................................................................................... 7
2.2. Initial "Users" page .............................................................................................................. 7
2.3. Setting up a new user .......................................................................................................... 8
2.4. Configuration being stored .................................................................................................... 8
3.1. Main menu ....................................................................................................................... 11
3.2. Icons for layout controls ..................................................................................................... 12
3.3. Icons for configuration categories ......................................................................................... 12
3.4. The "Setup" category .......................................................................................................... 13
3.5. Editing an "Interface" object ................................................................................................ 14
3.6. Show hidden attributes ....................................................................................................... 14
3.7. Attribute definitions ........................................................................................................... 14
3.8. Navigation controls ............................................................................................................ 15
4.1. Setting up a new user ......................................................................................................... 21
4.2. Software upgrade available notification ................................................................................. 26
4.3. Manual Software upload ..................................................................................................... 27
7.1. Example sessions created by drop and reject actions ................................................................ 43
7.2. Processing flow chart for rule-sets and session-rules ................................................................ 45
B.1. Product label showing MAC address range .......................................................................... 108

List of Tables
2.1. IP addresses for computer ..................................................................................................... 6
2.2. IP addresses to access the FireBrick ....................................................................................... 6
2.3. IP addresses to access the FireBrick ....................................................................................... 6
3.1. Special character sequences ................................................................................................. 17
4.1. User login levels ............................................................................................................... 22
4.2. Configuration access levels .................................................................................................. 22
4.3. General administrative details attributes ................................................................................. 24
4.4. Attributes controlling auto-upgrades ...................................................................................... 27
4.5. Power LED status indications .............................................................................................. 28
5.1. Logging attributes .............................................................................................................. 30
5.2. System-Event Logging attributes .......................................................................................... 33
7.1. Action attribute values ........................................................................................................ 43
8.1. Example route targets ......................................................................................................... 56
11.1. IPsec algorithm key lengths ............................................................................................... 71
11.2. IKE / IPsec algorithm proposals .......................................................................................... 75
12.1. List of system services ...................................................................................................... 85
12.2. List of system services ...................................................................................................... 85
13.1. Packet dump parameters .................................................................................................... 91
13.2. Packet types that can be captured ........................................................................................ 92
15.1. Peer types ....................................................................................................................... 98
15.2. Communities ................................................................................................................. 100
15.3. Network attributes .......................................................................................................... 101
B.1. DHCP client names used .................................................................................................. 109
D.1. iso.3.6.1.4.1.24693.1 ........................................................................................................ 111
D.2. iso.3.6.1.4.1.24693.179 ..................................................................................................... 111
F.1. File types ....................................................................................................................... 120
F.2. Colours .......................................................................................................................... 121
F.3. Text ............................................................................................................................... 122
F.4. Text ............................................................................................................................... 122
F.5. URL formats ................................................................................................................... 123
H.1. config: Attributes ............................................................................................................ 128
H.2. config: Elements ............................................................................................................. 128
H.3. system: Attributes ............................................................................................................ 129
H.4. system: Elements ............................................................................................................. 130
H.5. link: Attributes ................................................................................................................ 130
H.6. user: Attributes ............................................................................................................... 130
H.7. eap: Attributes ................................................................................................................ 131
H.8. log: Attributes ................................................................................................................. 131
H.9. log: Elements .................................................................................................................. 131
H.10. log-syslog: Attributes ..................................................................................................... 132
H.11. log-email: Attributes ....................................................................................................... 132
H.12. services: Elements ......................................................................................................... 133
H.13. snmp-service: Attributes .................................................................................................. 133
H.14. ntp-service: Attributes ..................................................................................................... 133
H.15. telnet-service: Attributes ................................................................................................. 134
H.16. http-service: Attributes .................................................................................................... 135
H.17. dns-service: Attributes .................................................................................................... 135
H.18. dns-service: Elements ..................................................................................................... 136
H.19. dns-host: Attributes ........................................................................................................ 136
H.20. dns-block: Attributes ...................................................................................................... 137
H.21. ethernet: Attributes ......................................................................................................... 137
H.22. sampling: Attributes ....................................................................................................... 137
H.23. portdef: Attributes .......................................................................................................... 138
H.24. interface: Attributes ........................................................................................................ 138
H.25. interface: Elements ......................................................................................................... 139
H.26. subnet: Attributes ........................................................................................................... 140
H.27. vrrp: Attributes .............................................................................................................. 140
H.28. dhcps: Attributes ............................................................................................................ 141
H.29. dhcps: Elements ............................................................................................................ 142
H.30. dhcp-attr-hex: Attributes ................................................................................................. 142
H.31. dhcp-attr-string: Attributes ............................................................................................... 142
H.32. dhcp-attr-number: Attributes ............................................................................................ 143
H.33. dhcp-attr-ip: Attributes .................................................................................................... 143
H.34. route: Attributes ............................................................................................................ 143
H.35. network: Attributes ........................................................................................................ 144
H.36. blackhole: Attributes ...................................................................................................... 144
H.37. loopback: Attributes ....................................................................................................... 145
H.38. namedbgpmap: Attributes ................................................................................................ 145
H.39. namedbgpmap: Elements ................................................................................................. 145
H.40. bgprule: Attributes ......................................................................................................... 146
H.41. bgp: Attributes .............................................................................................................. 146
H.42. bgp: Elements ............................................................................................................... 146
H.43. bgppeer: Attributes ......................................................................................................... 147
H.44. bgppeer: Elements ......................................................................................................... 148
H.45. bgpmap: Attributes ......................................................................................................... 148
H.46. bgpmap: Elements ......................................................................................................... 149
H.47. cqm: Attributes .............................................................................................................. 149
H.48. fb105: Attributes ............................................................................................................ 151
H.49. fb105: Elements ............................................................................................................ 152
H.50. fb105-route: Attributes .................................................................................................... 152
H.51. ipsec-ike: Attributes ....................................................................................................... 152
H.52. ipsec-ike: Elements ........................................................................................................ 153
H.53. ike-connection: Attributes ................................................................................................ 153
H.54. ike-connection: Elements ................................................................................................ 154
H.55. ipsec-route: Attributes ..................................................................................................... 155
H.56. ike-roaming: Attributes ................................................................................................... 155
H.57. ike-proposal: Attributes ................................................................................................... 155
H.58. ipsec-proposal: Attributes ................................................................................................ 156
H.59. ipsec-manual: Attributes .................................................................................................. 156
H.60. ipsec-manual: Elements .................................................................................................. 157
H.61. profile: Attributes .......................................................................................................... 157
H.62. profile: Elements ........................................................................................................... 158
H.63. profile-date: Attributes .................................................................................................... 158
H.64. profile-time: Attributes ................................................................................................... 159
H.65. profile-ping: Attributes ................................................................................................... 159
H.66. shaper: Attributes ........................................................................................................... 159
H.67. shaper: Elements ............................................................................................................ 160
H.68. shaper-override: Attributes .............................................................................................. 160
H.69. ip-group: Attributes ........................................................................................................ 160
H.70. route-override: Attributes ................................................................................................ 161
H.71. route-override: Elements ................................................................................................. 161
H.72. session-route-rule: Attributes ........................................................................................... 161
H.73. session-route-rule: Elements ............................................................................................ 162
H.74. session-route-share: Attributes .......................................................................................... 162
H.75. rule-set: Attributes ......................................................................................................... 162
H.76. rule-set: Elements .......................................................................................................... 163
H.77. session-rule: Attributes ................................................................................................... 163
H.78. session-rule: Elements .................................................................................................... 164
H.79. session-share: Attributes .................................................................................................. 164
H.80. etun: Attributes .............................................................................................................. 165
H.81. dhcp-relay: Attributes ..................................................................................................... 165
H.82. dhcp-relay: Elements ...................................................................................................... 165
H.83. autoloadtype: Type of s/w auto load .................................................................................. 166
H.84. config-access: Type of access user has to config ................................................................. 166
H.85. user-level: User login level .............................................................................................. 166
H.86. eap-subsystem: Subsystem with EAP access control ............................................................. 166
H.87. eap-method: EAP access method ...................................................................................... 167
H.88. syslog-severity: Syslog severity ........................................................................................ 167
H.89. syslog-facility: Syslog facility .......................................................................................... 167
H.90. month: Month name (3 letter) .......................................................................................... 168
H.91. day: Day name (3 letter) ................................................................................................. 168
H.92. port: Physical port ......................................................................................................... 169
H.93. Crossover: Crossover configuration ................................................................................... 169
H.94. LinkSpeed: Physical port speed ........................................................................................ 169
H.95. LinkDuplex: Physical port duplex setting ........................................................................... 169
H.96. LinkFlow: Physical port flow control setting ...................................................................... 169
H.97. LinkClock: Physical port Gigabit clock master/slave setting .................................................. 170
H.98. LinkLED-y: Yellow LED setting ...................................................................................... 170
H.99. LinkLED-g: Green LED setting ....................................................................................... 170
H.100. LinkPower: PHY power saving options ............................................................................ 170
H.101. LinkFault: Link fault type to send ................................................................................... 171
H.102. sampling-protocol: Sampling protocol .............................................................................. 171
H.103. trunk-mode: Trunk port mode ......................................................................................... 171
H.104. ramode: IPv6 route announce level ................................................................................. 171
H.105. dhcpv6control: Control for RA and DHCPv6 bits .............................................................. 172
H.106. bgpmode: BGP announcement mode ............................................................................... 172
H.107. sampling-mode: Sampling mode ..................................................................................... 172
H.108. sfoption: Source filter option .......................................................................................... 172
H.109. peertype: BGP peer type ............................................................................................... 173
H.110. ipsec-type: IPsec encapsulation type ................................................................................ 173
H.111. ike-authmethod: authentication method ............................................................................ 173
H.112. ike-mode: connection setup mode ................................................................................... 173
H.113. ipsec-auth-algorithm: IPsec authentication algorithm .......................................................... 173
H.114. ipsec-crypt-algorithm: IPsec encryption algorithm .............................................................. 174
H.115. ike-PRF: IKE Pseudo-Random Function .......................................................................... 174
H.116. ike-DH: IKE Diffie-Hellman group ................................................................................. 174
H.117. ike-ESN: IKE Sequence Number support ......................................................................... 174
H.118. ipsec-encapsulation: Manually keyed IPsec encapsulation mode ............................................ 175
H.119. switch: Profile manual setting ........................................................................................ 175
H.120. dynamic-graph: Type of dynamic graph ........................................................................... 175
H.121. firewall-action: Firewall action ....................................................................................... 175
H.122. Basic data types ........................................................................................................... 175
Preface
The FB6000 device is the result of several years of intensive effort to create products based on state of the
art processing platforms, featuring an entirely new operating system and IPv6-capable networking software,
written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts
the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain
exceptional levels of quality and reliability.
The result is a product that has the feature set, performance and reliability to handle mission-critical functions,
effortlessly handling huge volumes of traffic, supporting thousands of customer connections.
The software is constantly being improved and new features added, so please check that you are reading the
manual appropriate to the version of software you are using. This manual is for version V1.46.100.
Chapter 1. Introduction
1.1. The FB6000
1.1.1. Where do I start?
The FB6000 is shipped in a factory reset state. This means it has a default configuration that allows the unit
to be attached directly to a computer, or into an existing network, and is accessible via a web browser on a
known IP address for further configuration.
Besides allowing initial web access to the unit, the factory reset configuration provides a starting point for you
to develop a bespoke configuration that meets your requirements.
A printed copy of the QuickStart Guide is included with your FB6000 and covers the basic set up required to
gain access to the web based user interface. If you have already followed the steps in the QuickStart guide, and
are able to access the FB6000 via a web browser, you can begin to work with the factory reset configuration
by referring to Chapter 3.
Initial set up is also covered in this manual, so if you have not already followed the QuickStart Guide, please
start at Chapter 2.
Tip
The FB6000's configuration can be restored to the state it was in when shipped from the factory. The
procedure requires physical access to the FB6000, and can be applied if you have made configuration
changes that have resulted in loss of access to the web user interface, or any other situation where it
is appropriate to start from scratch - for example, commissioning an existing unit for a different role,
or where you've forgotten an administrative user password. It is also possible to temporarily reset the
FB6000 to allow you to recover and edit a broken configuration (though you still need to know the
password you had). You can also go back one step in the config.
The remainder of this chapter provides an overview of the FB6000's capabilities, and covers your product
support options.
Tip
The latest version of the QuickStart guide for the FB6000 can be obtained from the FireBrick website
at : http://www.firebrick.co.uk/pdfs/quickstart-6000.pdf
1.1.2. What can it do?
The FB6000 series of products is a family of high speed ISP/telco grade routers and firewalls providing a range
of specific functions.
Key features of the FB6000 family:
• 1U 19" rack mount
• Very low power consumption (typical 20W) - all important with today's power charges in data centres
• Two small fans are the only moving parts for high reliability
• Dual 120/230V AC power feed
• IPv6 built in from the start
• Gigabit performance
The FB6000 series is provided in a number of variants. This manual is for the FB6402. This variant includes:
• Border Gateway Protocol, to allow routes to be announced and accepted from peering BGP routers.
• IPsec/IKEv2 implementation for providing secure tunnelling and roaming VPN capability.
1.1.2.1. FB6402 Gigabit stateful firewall
The FB6402 provides a larger scale firewall than the FB2500 and FB2700, handling millions of active sessions
with comprehensive IP and port mapping. The FB6402 makes an ideal head-of-rack unit for hosted servers,
allowing multiple VLANs, each with independent firewalling rules, DHCP assignments, traffic shaping and
VPN support.
1.1.3. Ethernet port capabilities
The FB6000 has two Ethernet network ports that operate at 1Gb/s. The ports implement auto-negotiation by
default, but operation can be fine-tuned to suit specific circumstances. The function of these ports is very
flexible, and defined by the device's configuration. The ports implement one or more interfaces.
Multiple interfaces can be implemented on a single physical port via support for IEEE 802.1Q VLANs, ideal
for using the FB6000 with VLAN-capable network switches. In this case, a single physical connection can be
made between a VLAN-capable switch and the FB6000, and with the switch configured appropriately, this
physical connection will carry traffic to/from multiple VLANs, and the FB6000 can do Layer 3 processing
(routing/firewalling etc.) between nodes on two or more VLANs.
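The paragraph above describes the mechanism that lets one physical port carry several interfaces: each frame on the trunk either carries an IEEE 802.1Q tag (EtherType 0x8100 followed by a 16-bit TCI holding the 3-bit priority, the DEI bit and the 12-bit VLAN ID) or is untagged, and the router maps (port, VLAN ID) to a logical interface before any Layer 3 processing. The following is an added illustration in Python, not FireBrick code and not how the FB6000 is configured; the port and interface names are placeholders and the frames are constructed inline. It parses tagged and untagged frames, treats VID 0 (priority-tagged) as untagged, rejects the reserved VID 4095, and drops frames whose VID is not provisioned on the receiving port rather than passing them to a default interface.

```python
"""Classify Ethernet frames arriving on a trunk port into per-VLAN logical
interfaces, as a VLAN-aware router does before routing/firewalling.
Added example; names and frames below are constructed, not from the manual."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
VID_RESERVED = 0x0FFF  # 4095 is reserved by IEEE 802.1Q, never a real VLAN


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # 3-bit priority code point from the TCI
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse the 14-byte Ethernet header and, if present, one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vid, pcp = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13          # top 3 bits: priority
        vid = tci & 0x0FFF       # low 12 bits: VLAN identifier
        offset = 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Placeholder provisioning table: one physical port ("eth0") carries an
# untagged interface plus two VLAN interfaces. Not FireBrick configuration.
INTERFACES = {
    ("eth0", None): "lan-untagged",
    ("eth0", 10): "customers-vlan10",
    ("eth0", 20): "servers-vlan20",
}


def dispatch(port: str, raw: bytes, table=INTERFACES) -> Tuple[Optional[str], str]:
    """Return (interface name, reason); interface is None when the frame is dropped."""
    try:
        f = parse_frame(raw)
    except ValueError as err:
        return None, f"drop: {err}"
    vid = f.vid
    if vid == 0:
        vid = None                       # priority-tagged frames have no VLAN
    elif vid == VID_RESERVED:
        return None, "drop: reserved VID 4095"
    iface = table.get((port, vid))
    if iface is None:                    # unknown VLAN on this port: do not guess
        return None, f"drop: VID {vid} not provisioned on {port}"
    return iface, f"accept on {iface} (vid={vid}, pcp={f.pcp}, type=0x{f.ethertype:04x})"


# Constructed sample frames (locally administered MAC addresses, dummy payloads).
MAC_ROUTER = bytes.fromhex("0200000000f1")
MAC_HOST = bytes.fromhex("02000000000a")
IPV4_STUB = b"\x45" + b"\x00" * 19
IPV6_STUB = b"\x60" + b"\x00" * 39
SAMPLES = {
    "untagged": build_frame(MAC_ROUTER, MAC_HOST, ETH_P_IP, IPV4_STUB),
    "vlan10": build_frame(MAC_ROUTER, MAC_HOST, ETH_P_IPV6, IPV6_STUB, vid=10, pcp=3),
    "vlan30": build_frame(MAC_ROUTER, MAC_HOST, ETH_P_IP, IPV4_STUB, vid=30),
    "prio_only": build_frame(MAC_ROUTER, MAC_HOST, ETH_P_IP, IPV4_STUB, vid=0, pcp=5),
    "reserved": build_frame(MAC_ROUTER, MAC_HOST, ETH_P_IP, IPV4_STUB, vid=VID_RESERVED),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:10s} -> {dispatch('eth0', frame)[1]}")
```

The unprovisioned-VID case matters in practice: a switch mis-configured to trunk an extra VLAN, or a host injecting its own tags, must not land on a default interface with its firewall rules.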
1.1.4. Product variants in the FB6000 series
• FB6102 High capacity ping monitoring box
• FB6202 Gigabit L2TP LNS with detailed monitoring of all lines
• FB6302 Gigabit BGP router
• FB6402 Gigabit stateful firewall
• FB6502 Gigabit core VoIP SIP switch for ITSP use
• FB6602 Mobile GTPv1 GGSN/L2TP gateway
• FB6702 Tunnel endpoint / gateway
1.2. About this Manual
1.2.1. Version
Every major FB6000 software release is accompanied by a release-specific version of this manual. This manual
documents software version V1.46.100 - please refer to Section 4.3 to find out more about software releases,
and to see how to identify which software version your FB6000 is currently running.
If your FB6000 is running a different version of system software, then please consult the version of this manual
that documents that specific version, as there may be significant differences between the software versions.
Also bear in mind that if you are not reading the latest version of the manual (and using the latest software
release), references in this manual to external resources, such as the FireBrick website, may be out of date.
You can find the latest revision of a manual for a specific software version on the FB6000 software downloads
website [http://www.firebrick.co.uk/software.php?PRODUCT=6000]. This includes the revision history for all
software releases.
1.2.2. Intended audience
This manual is intended to guide FB6000 owners in configuring their units for their specific applications. We
try to make no significant assumption about the reader's knowledge of FireBrick products, but as might be
expected given the target market for the products, it is assumed the reader has a reasonable working knowledge
of common IP and Ethernet networking concepts. So, whether you've used FireBrick products for years, or
have purchased one for the very first time, and whether you're a novice or a network guru, this Manual sets out
to be an easy to read, definitive guide to FireBrick product configuration for all FireBrick customers.
1.2.3. Technical details
There are a number of useful technical details included in the appendices. These are intended to be a reference
guide for key features.
1.2.4. Document style
At FireBrick, we appreciate that different people learn in different ways - some like to dive in, hands-on,
working with examples and tweaking them until they work the way they want, referring to documentation
as required. Other people prefer to build their knowledge up from first principles, and gain a thorough
understanding of what they're working with. Most people, we suspect, fall somewhere between these two learning
styles.
This Manual aims to be highly usable regardless of your learning style - material is presented in an order that
starts with fundamental concepts, and builds to more complex operation of your FireBrick. At all stages we hope
to provide a well-written description of how to configure each aspect of the FireBrick, and - where necessary
- provide enough insight into the FireBrick's internal operation that you understand why the configuration
achieves what it does.
1.2.5. Document conventions
Various typefaces and presentation styles are used in this document as follows :-
• Text that would be typed as-is, for example a command, or an XML attribute name is shown in
monospaced_font
• Program (including XML) listings, or fragments of listings are shown thus :-
/* this is an example program listing*/
printf("Hello World!\n");
• Text as it would appear on-screen is shown thus :-
This is an example of some text that would
appear on screen.
Note that for documentation purposes additional
line-breaks may be present that would not be in the on-screen text