Secure computing Sg300 User manual

Secure Computing SG

User Manual

Secure Computing

4810 Harwood Road

San Jose, CA 95124-5206

Email: suppo[email protected]mputing.com

Web: www.securecomputing.com

Revision 3.1.3

March 1st, 2006

Contents

1. Introduction...............................................................................................1

SG Gateway Appliances (SG3xx, SG5xx Series)..................................................1

SG Rack Mount Appliances (SG7xx Series) .........................................................4

SG PCI Appliances (SG6xx Series).......................................................................7

Document Conventions .......................................................................................10

2. Getting Started........................................................................................11

SG Gateway Appliance Quick Setup...................................................................12

SG Rack Mount Appliance Quick Setup..............................................................23

SG PCI Appliance Quick Setup...........................................................................33

The SG Management Console............................................................................40

3. Network Setup.........................................................................................41

Configuring Connections .....................................................................................41

Multifunction vs. Fixed-function Ports..................................................................42

Direct Connection................................................................................................44

ADSL ...................................................................................................................47

Cable Modem ......................................................................................................52

Dialout and ISDN.................................................................................................53

Dialin....................................................................................................................54

Failover, Load Balancing and High Availability....................................................59

Internet Failover...................................................................................................61

Internet Load Balancing.......................................................................................65

High Availability ...................................................................................................68

DMZ Network.......................................................................................................71

Guest Network.....................................................................................................72

Wireless...............................................................................................................75

Bridging................................................................................................................86

VLANs..................................................................................................................90

Port Based VLANs...............................................................................................92

GRE Tunnels.......................................................................................................96

Routes ...............................................................................................................100

System...............................................................................................................108

DNS...................................................................................................................109

DHCP Server.....................................................................................................111

Web Cache........................................................................................................115

QoS Traffic Shaping ..........................................................................................123

IPv6....................................................................................................................125

SIP.....................................................................................................................125

4. Firewall..................................................................................................127

Incoming Access................................................................................................127

Web Server........................................................................................................129

Customizing the Firewall....................................................................................131

Definitions..........................................................................................................132

Packet Filtering..................................................................................................135

Network Address Translation (NAT)..................................................................139

Connection Tracking..........................................................................................151

Intrusion Detection.............................................................................................152

Basic Intrusion Detection and Blocking (IDB)....................................................153

Advanced Intrusion Detection and Prevention (Snort and IPS).........................156

Access Control and Content Filtering ................................................................159

Antivirus.............................................................................................................171

5. Virtual Private Networking...................................................................182

PPTP and L2TP.................................................................................................183

PPTP VPN Server .............................................................................................183

L2TP VPN Server ..............................................................................................191

PPTP and L2TP VPN Client ..............................................................................198

IPSec.................................................................................................................200

Set Up the Branch Office...................................................................................201

Configuring the Headquarters............................................................................213

Tunnel List.........................................................................................................216

NAT Traversal Support......................................................................................219

Dynamic DNS Support.......................................................................................219

Certificate Management.....................................................................................219

IPSec Failover ...................................................................................................224

IPSec Troubleshooting ......................................................................................234

Port Tunnels ......................................................................................................237

6. USB........................................................................................................240

USB Mass Storage Devices ..............................................................................240

USB Printers......................................................................................................247

Printer Troubleshooting .....................................................................................253

USB Network Devices and Modems..................................................................254

7. System...................................................................................................255

Date and Time...................................................................................................255

Backup/Restore Configuration...........................................................................256

Users .................................................................................................................259

Management......................................................................................................263

Diagnostics........................................................................................................266

Advanced...........................................................................................................266

Reboot and Reset..............................................................................................269

Flash upgrade....................................................................................................271

Configuration Files.............................................................................................273

Support..............................................................................................................274

Appendix A – Terminology...........................................................................275

Appendix B – System Log............................................................................281

Access Logging .................................................................................................281

Creating Custom Log Rules...............................................................................283

Rate Limiting......................................................................................................286

Administrative Access Logging..........................................................................287

Boot Log Messages...........................................................................................287

Appendix C – Firmware Upgrade Practices and Precautions ...................288

Appendix D – Recovering From a Failed Upgrade.....................................290

Introduction 1

1. Introduction

This manual describes the features and capabilities of your SG unit, and provides you

with instructions on how to best take advantage of them.

This includes setting up network connections (in the chapter entitled Network

Connections), tailoring the firewall to your network (Firewall), and establishing a virtual

private network (Virtual Private Networking). It also guides you through setting up the SG

unit on your existing or new network using the web management console (Getting

Started).

This chapter provides a high level overview to familiarize you with your SG unit’s features

and capabilities.

SG Gateway Appliances (SG3xx, SG5xx Series)

Note

The SG gateway appliance range includes models SG300, SG530, SG550, SG560,

SG565, SG570, SG575 and SG580.

The SG gateway appliance range provides Internet security and

privacy of communications for small and medium enterprises, and

branch offices. It simply and securely connects your office to the

Internet, and with its robust stateful firewall, shields your computers

from external threats.

With the SG unit’s masquerading firewall, hosts on your LAN (local area network) can

see and access resources on the Internet, but all outsiders see is the SG unit’s external

address.

You may tailor your SG unit to disallow access from your LAN to specific Internet sites or

categories of content, give priority to specific types of network traffic, and allow controlled

access to your LAN from the outside world. You may also choose to enable intrusion

detection and prevention services on your SG unit, to further bolster the security of your

local network.

Introduction 2

The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ

(demilitarized zone) network. A DMZ is a separate local network typically used to host

servers accessible to the outside world. It is separated both physically and by the

firewall, in order to shield your LAN from external traffic.

The SG unit allows you to establish a virtual private network (VPN). A VPN enables

remote workers or branch offices to connect securely to your LAN over the public

Internet. The SG unit can also connect to external VPNs as a client. The SG550,

SG560, SG565, SG570, SG575 and SG580 utilize onboard cryptographic acceleration to

ensure excellent VPN throughput.

The SG unit may be configured with multiple Internet connections. These auxiliary

connections may be kept on stand-by should the primary connection become

unavailable, or maintained concurrently with the primary connection for spreading

network load.

The SG565, SG570, SG575 and SG580 incorporate a powerful web proxy cache to

improve web page response time and reduce link loads. It is designed to integrate

seamlessly with upstream proxy caches provided by ISPs.

Front panel LEDs

The front and rear panels contain LEDs indicating status. An example of the front panel

LEDs are illustrated in the following figure and detailed in the following table.

Note

Not all the LEDs described below are present on all SG unit models. Labels vary from

model to model.

Label Activity Description

Power On Power is supplied to the SG unit

Flashing The SG unit is operating correctly

Heart Beat

On If this LED is on and not flashing, an operating

error has occurred.

LAN Activity

Flashing Network traffic on the LAN network interface

Introduction 3

WAN Activity

Flashing Network traffic on the Internet network interface

WLAN Flashing Network traffic on the Wireless network interface

DMZ Activity Flashing Network traffic on the DMZ network interface

Serial

Activity

Flashing For either of the SG unit COM ports, these LEDs

indicate receive and transmit data

HA On The SG unit has switched to a backup device

Online On An Internet connection has been established

VPN On Virtual private networking is enabled

Online On An Internet connection has been established

Note

If Heart Beat does not begin flashing shortly after power is supplied, refer to Appendix D,

Recovering From a Failed Upgrade.

Rear panel

The rear panel contains Ethernet and serial ports, the Reset/Erase button and power

inlet. If network status LEDs are present, the lower or left LED indicates the link

condition, where a cable is connected correctly to another device and the upper or right

LED indicates network activity.

Specifications

Internet link

•10/100baseT Ethernet

•Serial (for dial-up/ISDN)

•Front panel serial status LEDs (for TX/RX)

•Online status LEDs (for Internet/VPN)

•Rear panel Ethernet link and activity status LEDs

Local network link

Introduction 4

•10/100BaseT LAN port (SG530, SG550)

•10/100BaseT 4 port LAN switch (SG300)

•10/100BaseT DMZ port (SG570, SG575)

•10/100BaseT 4 port VLAN-capable switch (SG560, SG565, SG580)

•Rear panel Ethernet link and activity status LEDs

Enviromental

•External power adaptor (voltage/current depends on individual model)

•Front panel operating status LEDs: Power, Heart Beat

•Operating temperature between 0°C and 40°C

•Storage temperature between -20°C and 70°C

•Humidity between 0 to 95% (non-condensing)

SG Rack Mount Appliances (SG7xx Series)

Note

The SG rack mount appliance range includes models SG710 and SG710+.

The SG7xx series is the flagship of Secure Computing’s SG

family. It features multi-megabit throughput, rack-optimized

form factor, two fast Ethernet ports and two 4 port fast Ethernet

switches as standard, and the option for two additional gigabit

ports (SG710+).

In addition to providing all of the features described in SG Gateway Appliances earlier in

this chapter, it equips central sites to securely connect hundreds of mobile employees

and branch offices.

Front panel LEDs

The front panel contains LEDs indicating status. An example of the front panel LEDs are

illustrated in the following figure and detailed in the following table.

Introduction 5

Label Activity Description

Power On Power is supplied to the SG unit

Flashing The SG unit is operating correctlyH/B (Heart

Beat) On If this LED is on and not flashing, an operating

error has occurred.

Failover On The SG unit has switched to the backup Internet

connection

High Avail On The SG unit has switched to a backup device

Online On An Internet connection has been established

Note

If H/B does not begin flashing 20 – 30 seconds after power is supplied, refer to Appendix

E, Recovering From a Failed Upgrade.

Front panel

The front panel contains two 10/100 Ethernet four port switches (Aand B), two 10/100

Ethernet ports (Cand D) and analog/ISDN modem (Serial) as well as operating status

LEDs and the configuration reset button (Erase).

On the front panel Ethernet ports, the right hand LED indicates the link condition, where a

cable is connected correctly to another device. The left hand LED indicates network

activity.

Rear panel

The rear panel contains a power switch and a power inlet for an IEC power cable.

Additionally, the SG710+ has two gigabit Ethernet ports (Eand F).

Introduction 6

Specifications

Internet link

•Two 10/100baseT Ethernet ports (C, D)

•Two GbE ports (E, F – SG710+ only)

•Serial port

•Online status LEDs (Online, Failover)

•Ethernet link and activity status LEDs

LAN/DMZ link

•Two 10/100BaseT 4 port LAN switches

•Ethernet link and activity status LEDs

Enviromental

•Front panel operating status LEDs: Power, H/B

•Operating temperature between 0°C and 40°C

•Storage temperature between -20°C and 70°C

•Humidity between 0 to 95% (non-condensing)

Other manuals for SG300

This manual suits for next models

Table of contents

Other Secure Computing Gateway manuals

Secure Computing

Secure Computing NETWORK INTERFACE CARDS User manual

Secure Computing

Secure Computing SnapGear Installation and operating instructions

Secure Computing

Secure Computing SG300 User manual

Popular Gateway manuals by other brands

Telecom FM

Telecom FM onestream gfx Programming guide

UfiSpace

UfiSpace LoRa GPE810U Quick setup guide

Merak

Merak MMk-736F Quick setup guide

Robustel

Robustel R3010 user guide

turck

turck BL20-PG-EN-V3 user manual

IBM

IBM Security Web Gateway Appliance quick start guide

SSS Siedle

SSS Siedle Smart Gateway Commissioning instructions

ADTRAN

ADTRAN 424RG Installation

Chorus

Chorus Hyperfibre XGS-250WX-A user guide

Dragino

Dragino G308 user manual

Data Domain

Data Domain DD690g Installation and setup guide

Raritan

Raritan Laptop Release notes

Haivision

Haivision Torpedo quick start guide

ATCOM

ATCOM AG-268 user manual

LST

LST M500RFE-AS Specification sheet

Vega

Vega VEGA BS-3 user manual

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual