Norman Network Protection User manual
Norman Network Protection
quick setup guide
For the latest setup guide,
please visit www.norman.com
Norman Network Protection
quick setup guide
For the latest setup guide,
please visit www.norman.com
1
2
3
4
5 6
7
8
Introducon to Norman Network Protecon Appliance
The Norman Network Protecon Appliance provides a front-end protecon soluon
for your enre local area network or segment of your internal network.
Norman Network Protecon is powered by Linux and provides addional security by
using the Norman SandBox technology.
Checking the Package Contents
You will nd the following items in your Network Protecon Appliance package:
1. Norman Network Protecon Appliance
2. A quick setup guide (this document)
3. An AC power cable
4. Two (2) category 6 ethernet standard cable (color “Green”)
5. One (1) category 6 ethernet standard cable (color ”Blue”)
6. A bootable USB memory sck containing recovery soware
(Behind the frontbezel)
If an item is missing from the package, contact your reseller immediately.
Appliance Overview
The Norman Network Protecon Appliance consists of three (3) Network Interface
Cards. The NICs (named “Eth1” and “Eth2”) are used for trac inspecon (inside and
outside interfaces). These interfaces do not need any IP-address
The third interface (named “Eth0”) is used as an interface towards the Linux console,
the NNP command line console and the web administraon interface. This interface
needs an IP-address.
Front R210
1. Power-on indicator,
power buon
2. NMI buon
3. USB connectors (2)
1. iDRAC6 Enterprise port
(oponal)
2. VFlash media slot
3. Serial connector
4. PCIe slot 1
Power up your Network Protecon Appliance
1. Connect the power cable from the power source (typically an UPS) to the power
jack (while facing the back of the appliance). The power cable is included with the
appliance packaging.
Basic Conguraon for the Network Protecon Appliance
IMPORTANT: Do not connect the in and out interfaces to your network
before you have completed the conguraon.
1. Connect a monitor and an USB-keyboard to the Network Protecon Appliance.
2. Power up the Network Protecon Appliance.
3. When the device has nished boong up follow the instrucons as described
below. When asked, use the details from your “Network Planning Worksheet” as
described in chapter 4.
If you have been provided a newer NNP version as ISO image or on USB please
follow the instrucons provided.
Press 1 or Enter to start the installaon.
Compleng the Web based Setup Wizard
IMPORTANT: Do not power up the appliance before connecng
it to the network.
1. Connect only the Admin interface to the appropiate switch in your
network. Make sure this is accessible from your network, and that it
is not connected behind the “Eth1” interface.
2. From another computer connect to the IP-address of the appliance
on port 2868.
Example: hp://<Network Protecon Appliance-IP>:2868
3. Your are now prompted for a username and password.
5. Aer nishing the conguraon wizard connect the device to the network as
described in the next chapter
Checking installaon archives
The installer will check the
integrity of the installaon
archive.
Keyboard
layout
Select your
keyboard
layout, then
click Next.
Timezone
Select your mezone
by rst selecng your
connent, then your
country.
Root password
Enter your desired password. This
password is the same for both the web
based admin interface, and the Linux
console, so please don’t lose it.
Conguring the network cards
NNP appliance comes with four NICs, but only three
will be used in this round. To assist you in idenfy-
ing the NICs you can use the Idenfy funcon.
When pressing this buon the LEDs on the corre-
sponding NIC will start blinking, correctly idenfying
the NIC to the ethx.
The default for NNP NIC conguraon is one admin
NIC and two Bridge NICs.
Admin interface setup
To be able to manage your NNP
an IP-address is necessary. Now
it’s me to use your Network
Planning Worksheet. Insert the
details in the appropriate elds.
Installing les from archive
The installaon will resume.
Click Details to see a more
verbose output.
Complete
Congratulaons, your installaon
is done. Click Reboot to nish
and start your NNP.
Norman Network Protection
Back R210
Back R610
Front R610
Network Planning Worksheet
Host name: . . .
Network Protecon Primary IP address: . . .
Network Protecon subnet: . . .
Default Gateway: . . .
DNS Sux: . . .
DNS Server 1: . . .
DNS Server 2: . . .
Network speed: . . .
Duplex (inside NIC): . . .
Duplex (outside NIC): . . .
5. Video connector
6. USB connectors (2)
7. PCIe slot 2
8. Ethernet connectors (4)
4. Video connector
5. LCD menu buons
6. LCD panel
7. System idencaon buon
8. Hard drives (6)
9. Opcal drive (oponal)
10. System idencaon panel
9. System status indicator connector
10. System status indicator
11. System idencaon buon
12. Power supply 1 (PS1)
13. Power supply 2 (PS2)
1 Power-on indicator, power buon
2 NMI buon
3 Video connector
4 Hard drive acvity indicator
5 Diagnosc indicator lights (4)
6 System status indicator
7 System idencaon buon
8 USB connectors (2)
9 System idencaon panel
10 Opcal drive (oponal)
1 iDRAC6 Enterprise port (oponal)
2 VFlash media slot (oponal)
3 Ethernet connectors (2)
4 serial connector
5 video connector
6 eSATA
7 USB connectors (2)
8 Ethernet connectors (2)
9 System status indicator light
10 System idencaon buon
11 System idencaon connector
12 Power supply
13 Retenon clip
The Norman Network Protecon Appliance can be deployed almost anywhere in
your network. If you already know where to place the Norman Network
Protecon Appliance please skip this part, and go on to chapter 6.
If you are uncertain where to deploy the Norman Network Protecon Appliance
please consider one of the below scenarios.
1. Scan trac to/from the Internet
In this deployment scenario Norman Network Protecon scans supported
trac to/from the Internet.
2. Scan trac to/from an DMZ
In this deployment scenario Norman Network Protecon scans supported trac to/
from the DMZ from both the internal LAN and Internet.
3. Scan trac between LANs or segments
In this deployment scenario Norman Network Protecon scans supported trac to/
from the Internet in addion to trac to/from computers from dierent segments.
4. Scan trac in one or
more VLAN(s):
In this deployment scenario
Norman Network Protecon
scans supported trac com-
ming from VLAN computers
marked with red, in addion
to trac going to/from seg-
ments on each side of the
router.
Deployment Strategy
9
Step 7: How to inform users that they have been blocked
Provides opons for how Norman Network Protecon should nofy users that are
blocked from a network path. (This opon applies only to HTTP trac).
• Display the text below.
Insert the text you want to display to the users and use HTML-tags to format the text.
• Redirect to a customized HTML page on a reachable web server.
Provides, for example, the opon of redirecng users to an HTML page on an internal
web server. This enables you to create a very specic HTML page where the design,
layout and text can be customized to your company colors and logo.
Step 8: Handling messages
Provides the opon of sending e-mail messages about selected events.
• Enable e-mail messages
Forward messages as e-mail.
Mail recipients
Enter the e-mail addresses for the nocaon recipients.
• Click Add to enter the e-mail address for a recipient.
• Select an address from the list and click Remove selected to delete an exisng
address
SMTP server sengs
The SMTP server address, name or IP-address, for the e-mail server recipient of the
SMTP message.
Note:
If you insert the SMTP server name make sure that DNS sengs are veried for the
installed operang system. Otherwise please use the IP-address.
Port
The default SMTP port is 25, which is the correct value unless you explicitly have
selected another port.
Reply-to address
Enter the e-mail address that a recipient can reply to, for example the system admin-
istrator.
Mail message body
Subject
The tle of the e-mail, for example “Message from NNP”.
Common appended text
Enter the text to include as the default e-mail footnote text.
Step 9: Seng Internet Update opons
Step 9: Seng Internet Update opons
Norman Internet Update will keep your denion les and sanner engine up to date.
The opons for automac updates are:
Update manually
Norman Internet Update will never run. All updates must be done manually with the
Update now opon.
Automac update at set intervals
Update intervals: 6 hours, 12 hours, 1 day.
Note:
It is recommended to set the Automac update interval to 6 hours.
Step 10: Reviewing the conguraon
Once the setup wizard is done, Norman Network Protecon is ready for use!
Connecng Norman Network Appliance to your network
Connect the interface named “Eth1” to the inside of your network, and the interface
named “Eth2” to the outside of your network, based on the network scenario you
selected in chapter 5.
Note:
Remember to schedule this installaon to a me of day when interrupted network
connecons can be accepted.
Username and password default sengs
User: admin
Password: admin
Step 1: Start the setup wizard
Step 2: Restricng access to the web interface
You can restrict access to the Norman Network Protecon web-interface either to
single IP-addresses or subnets. The syntax for entering IP-addresses is:
192.168.0.4/255.255.255.0
This entry will accept access from the single IP-address 192.168.0.4
192.168.0.0/255.255.255.0
This entry will accept access from the enre subnet 192.168.0.0
Step 3: Providing the license key
The license key enables Network Protecon to be updated with signature and scan-
ner engine updates. The license key is provided to you by your local vendor. If a li-
cense key was not included when you purchased Network Protecon, please contact
your local vendor or your local Norman oce.
Step 4: Conguring Network Protecon operaon mode
These seng will determine how NNP will operate. Please select the preferred
mode.
Log only
This opon will detect and log malware, but will not block it. Please use with cauon.
Bypass
This opon allows all trac to be transferred through Norman Network Protecon
without being scanned. Using this opon will result in no trac or incident stascs.
Block
This opon will eecvely block all trac from being transferred through Norman
Network Protecon. This opon is known as the “Panic buon”.
Note:
Please use this opon with care as absolutely all trac in the segment/network
where Network Protecon Appliance is installed will be blocked.
Scan
This is the most used opon. By selecng this opon all trac on supported proto-
cols will be scanned for malware.
Sites blocked will be blocked for
The period for which a URL is blocked can be changed with this opon. The default
value is 1 week. Select the desired value for the period a blocked URL/Path should
remain blocked.
Note: This value can also be changed individually per blocked URL in the “Blocked
URL” menu.
Max. le size for scanning
This opon allows you to change the default limit for the le sizes Network Protec-
on Appliance should scan. The default value is 32MB. All les larger than the set
value will not be scanned.
Block les larger than max size
Check this opon to block les that are larger than the maximum allowed lesize.
Step 5: Conguring protocol scanning opons
These sengs decides how each protocol is handled. If you are not sure which scan
seng to use for a certain protocol, set it to bypass for now. You can always change
the scan sengs later.
Note: Please set all protocols to “Bypass” before connecng the appliance to the net-
work. When the appliance is connected to your network you can make the necessary
changes for each protocol.
Protocol scanning opons
Bypass Trac on this protocol will pass through without being scanned.
Block Trac on this protocol will not be allowed through NNP.
Minimal Scan Trac will be scanned using tradional signature scanning.
Archive les are not scanned.
Sandbox is not used.
Medium scan Trac will be scanned using tradional signature scanning.
Archive les are scanned.
Sandbox is not used.
Sandbox scan Trac will be scanned using tradional signature scanning.
Archive les are not scanned.
Sandbox is used.
Full Scan Trac will be scanned using tradional signature scanning.
Archive les are scanned.
Sandbox is used.
Step 6: Selecng logging opons
Provides opons for enabling and handling Norman Network Protecon logs. The
main logs are the Trac log and the Incident logs. These log opons only aect the
Trac log.
• Enable logging/stascs
Select this opon to log all trac, meaning all connecons transferred through Nor-
man Network Protecon are logged to a le. If not selected this opon disables all
trac stascs.
• Log only supported protocols
Select this opon to reduce the number of log entries. Only supported protocols
are logged, and all other connecons are disregarded. The supported protocols are:
HTTP, FTP, SMTP, POP3, TFTP, RPC, IRC, CIFS/SMB
Example:
If this opon is selected and a computer creates a connecon to a Citrix server, this
will not be visible in the log because the ICA protocol is not supported for scan.
• Purge logs older than:
Provides an opon to delete logs that are older than the value selected. This func-
onality can prevent your hard drive from being lled up with legacy logs.
Note:
Even though trac logs are purged aer 1 or 60 days, trac stascs will sll be
available in the management interface. Norman Network Protecon stores digests of
all logs, enabling a digest trac stascs, all the way back to the installaon of Nor-
man Network Protecon in your network.
Other Norman Firewall manuals
Popular Firewall manuals by other brands
Fortinet
Fortinet FortiGate FortiGate-800 install guide
DPS Telecom
DPS Telecom NetGuardian 216T user manual
NETGEAR
NETGEAR FVS336G - ProSafe Dual WAN Gigabit Firewall installation guide
Fortinet
Fortinet FortiBridge 1000 Configuration
Solida systems
Solida systems SL-2000 user manual
Softing
Softing TH LINK PROFINET installation manual
McAfee
McAfee M-1250 - Network Security Platform Deployment guide
Cisco MERAKI
Cisco MERAKI MX250 installation guide
3Com
3Com SUPERSTACK 3CR16110-95 Release notes
NETGEAR
NETGEAR FVS318G - ProSafe Gigabit VPN Firewall Data Sheet... datasheet
Stonesoft
Stonesoft FW-105 series installation instructions
PaloAlto Networks
PaloAlto Networks PA-5200 Seriesp Hardware reference