Section | Page
--- | ---
About This Guide | 11
Introduction | 11
How to Use This Guide | 12
Conventions | 12
Terminology | 13
Feedback about this User Guide | 15
Registration | 16
Introduction | 19
What is the SuperStack 3 Firewall? | 19
Firewall and 3Com Network Supervisor | 20
Firewall Features | 21
Firewall Security | 21
Web URL Filtering | 23
High Availability | 24
Logs and Alerts | 24
User Remote Access (from the Internet) | 24
Automatic IP Address Sharing and Configuration | 24
Introduction to Virtual Private Networking (VPN) | 25
Virtual Private Networking | 25
Installing the Hardware | 27
Before You Start | 27
Positioning the Firewall | 28
Rack Mounting the Units | 28
Securing the Firewall with the Rubber Feet | 29
Firewall Front Panel | 29
Firewall Rear Panel | 31
Redundant Power System (RPS) | 31
Attaching the Firewall to the Network | 32
Quick Setup for the Firewall | 35
Introduction | 35
Setting up a Management Station | 36
Configuring Basic Settings | 36
Setting the Password | 37
Setting the Time Zone | 38
Configuring WAN Settings | 39
Automatic WAN Settings | 39
Manual WAN Settings | 40
Using a Single Static IP Address | 41
Using Multiple Static IP Addresses | 42
Using an IP Address provided by a PPPoE Server | 44
Using a Static IP address provided by a DHCP Server | 44
Configuring LAN Settings | 44
Automatic LAN Settings | 44
Entering information about your LAN | 45
Configuring the DHCP Server | 45
Confirming Firewall Settings | 46
Basic Settings of the Firewall | 51
Examining the Unit Status | 52
Setting the Administrator Password | 53
Setting the Inactivity Timeout | 54
Setting the Time | 54
Time Zone | 54
Use NTP (Network Time Protocol) to set time automatically | 54
Automatically adjust clock for daylight savings changes | 55
Display UTC (Universal Time) in logs instead of local time | 55
Manual Time Set | 55
Changing the Basic Network Settings | 56
Setting the Network Addressing Mode | 56
Standard | 56
NAT Enabled | 56
NAT with DHCP Client | 57
NAT with PPPoE Client | 57
Specifying the LAN Settings | 57
Firewall LAN IP Address | 57
LAN Subnet Mask | 57
Connect/Disconnect | 58
Specifying the WAN/DMZ Settings | 58
WAN Gateway (router) Address | 58
Firewall WAN IP Address | 58
WAN/DMZ Subnet Mask | 58
User Name | 58
Password | 58
Gateway (Router) Address: | 58
Specifying the DNS Settings | 59
Specifying DMZ Addresses | 59
Setting up the DHCP Server | 60
Global Options | 61
Enable DHCP Server | 61
Lease Time | 61
Client Default Gateway | 61
Subnet Mask | 62
Domain Name | 62
DNS Servers | 62
Dynamic Ranges | 62
Allow BootP clients to use range | 62
Delete Range | 63
Static Entries | 63
Delete Static | 63
Viewing the DHCP Server Status | 63
Using the Network Diagnostic Tools | 64
Choosing a Diagnostic Tool | 64
DNS Name Lookup | 64
Find Network Path | 65
Ping | 65
Packet Trace | 65
Technical Support Report | 66
Setting up Web Filtering | 67
Changing the Filter Settings | 67
Restricting the Web Features Available | 68
ActiveX | 68
Java | 68
Cookies | 69
Web Proxy | 69
Setting Blocking Options | 69
Log and Block Access | 69
Log Only | 69
Specifying the Categories to Filter | 69
Specifying When Filtering Applies | 70
Always Block | 70
Block Between | 70
Filtering Web Sites using a Custom List | 70
Setting up Trusted and Forbidden Domains | 71
Enable Filtering on Custom List | 72
Disable all Web traffic except for Trusted Domains | 72
Don’t block Java/ActiveX/Cookies to Trusted Domains | 72
Changing the Message to display when a site is blocked | 72
Updating the Web Filter | 73
Checking the Web Filter Status | 73
Downloading an Updated Filter List | 74
Download Now | 74
Automatic Download | 74
Setting Actions if no Filter List is Loaded | 74
Block traffic to all websites except for Trusted Domains | 74
Allow traffic to all websites | 74
Blocking Websites by using Keywords | 75
Filtering by User Consent | 75
Configuring User Consent Settings | 76
Require Consent | 76
Maximum web usage is | 76
User idle timeout | 76
Consent page URL (Optional Filtering) | 77
“Consent Accepted” URL (Filtering Off) | 77
“Consent Accepted” URL (Filtering On) | 77
Mandatory Filtered IP addresses | 77
Consent Page URL (Mandatory Filtering) | 78
Add New Address | 78
Using the Firewall Diagnostic Tools | 79
Logs and Alerts | 79
Viewing the Log | 80
TCP, UDP, or ICMP packets dropped | 81
Web, FTP, Gopher, or Newsgroup blocked | 81
ActiveX, Java, or Code Archive blocked | 81
Cookie blocked | 82
Ping of Death, IP Spoof, and SYN Flood Attacks | 82
Changing Log and Alert Settings | 82
Sending the Log | 83
Mail Server | 83
Send Log To | 83
Send Alerts To | 83
Firewall Name | 83
Syslog Server | 83
E-mail Log Now | 84
Clear Log Now | 84
Changing the Log Automation Settings | 84
Send Log | 84
When log overflows | 85
Selecting the Categories to Log | 85
System Maintenance | 85
System Errors | 85
Blocked Web Sites | 85
Blocked Java, ActiveX, and Cookies | 85
User Activity | 85
Attacks | 86
Dropped TCP | 86
Dropped UDP | 86
Dropped ICMP | 86
Network Debug | 86
Alert Categories | 86
Attacks | 86
System Errors | 86
Blocked Web Sites | 87
Generating Reports | 87
Collecting Report Data | 87
Start Data Collection | 87
Reset Data | 88
Current Sample Period | 88
Viewing Report Data | 88
Web Site Hits | 88
Bandwidth Usage by IP Address | 88
Bandwidth Usage by Service | 88
Restarting the Firewall | 89
Managing the Firewall Configuration File | 90
Importing the Settings File | 91
Exporting the Settings File | 92
Restoring Factory Default Settings | 92
Using the Installation Wizard to reconfigure the Firewall | 92
Upgrading the Firewall Firmware | 92
Setting a Policy | 97
Changing Policy Services | 97
Amending Network Policy Rules | 98
LAN Out Checkbox | 98
LAN In Checkbox | 98
DMZ In Checkbox | 99
Public LAN Server Address | 99
Changing NetBIOS Broadcast Settings | 99
From LAN to DMZ | 99
From LAN to WAN | 99
Enabling Stealth Mode | 100
Allowing Fragmented Packets | 100
Allow Fragmented Packets over PPTP/IPSec | 100
Setting the Network Connection Inactivity Timeout | 100
Adding and Deleting Services | 101
Adding Support for a Known Service | 101
Adding a Custom Service | 102
Disabling Screen Logs | 102
Deleting a Service | 102
Editing Policy Rules | 103
Viewing Network Policy Rules | 103
Rule Number (#) | 104
Action | 104
Service | 104
Source | 104
Destination | 105
Time | 105
Day | 105
Enable | 105
Edit (no column heading) | 105
Delete (no column heading) | 105
Adding a New Rule | 106
Restoring Rules to Defaults | 106
Updating User Privileges | 106
Changing the Timeout for Privileged Users | 107
Adding Users | 107
Changing Passwords and Privileges | 108
Deleting a User | 108
Establishing an Authenticated Session | 108
Setting Management Method | 109
Manage Using Internet Explorer | 109
Selecting Remote Management | 110
Using the Firewall with the NBX 100 Business Telephone System | 110
Advanced Settings | 111
Automatic Proxy/Web Cache Forwarding | 111
Deploying the SuperStack 3 Webcache as a Proxy of the Firewall | 112
Specifying Intranet Settings | 114
Installing the Firewall to Protect the Intranet | 115
Configuring the Firewall to Protect the Intranet | 115
Add Range | 117
Setting Static Routes | 117
LAN | 119
DMZ/WAN | 119
Add Route | 119
Setting up One-to-One NAT | 119
Private Range Begin | 121
Public Range Begin | 121
Range Length | 121
Configuring Virtual Private Network Services | 123
Editing VPN Summary Information | 123
Changing the Global IPSec Settings | 124
Unique Firewall Identifier | 124
Enable VPN | 124
Disable all Windows Networking (NetBIOS) Broadcasts | 124
Enable Fragmented Packet Handling | 125
Viewing the Current IPSec Security Associations | 125
Configuring a VPN Security Association | 125
Adding/Modifying IPSec Security Associations | 126
IPSec Keying Mode | 126
SA Name | 127
Disable This SA | 127
IPSec Gateway Address | 127
Security Policy | 127
Require XAUTH/RADIUS (only allows VPN clients) | 127
Enable Windows Networking (NetBIOS) broadcast | 127
Enable Perfect Forward Secrecy | 128
SA Life time (secs) | 128
Incoming SPI and Outgoing SPI | 128
Encryption Method | 129
Shared Secret | 130
Encryption Key | 131
Authentication Key | 131
Setting the Destination Network for the VPN Tunnel | 131
Adding a New Network Range | 132
Deleting a Network Range | 132
Editing a Network Range | 132
Configuring the Firewall to use a RADIUS Server | 132
Changing the Global RADIUS Settings | 132
RADIUS Server Retries | 132
RADIUS Server Timeout in Seconds | 133
Changing RADIUS Server Details | 133
Name or IP Address | 133
Port Number | 133
Shared Secret | 133
Using the Firewall with Check Point Firewall-1 | 134
Configuring the IRE VPN Client | 134
Configuring the Firewall | 137
Configuring the IRE VPN Client for use with the Firewall | 137
Setting up the GroupVPN Security Association | 138
Installing the IRE VPN Client Software | 139
Configuring the IRE VPN Client | 139
Configuring High Availability | 141
Getting Started | 141
Network Configuration for High Availability Pair | 142
Configuring High Availability | 142
Configuring High Availability on the Primary Firewall | 143
Configuring High Availability on the Backup Firewall | 144
Making Configuration Changes | 145
Checking High Availability Status | 146
High Availability Status Window | 146
E-Mail Alerts Indicating Status Change | 147
View Log | 147
Forcing Transitions | 148
Administration and Advanced Operations | 153
Introducing the Web Site Filter | 153
Activating the Web Site Filter | 156
Using Network Access Policy Rules | 157
Understanding the Rule Hierarchy | 158
Examples of Network Access Policies | 159
Blocking LAN Access to Specific Protocols | 159
Block Access to Specific Users | 159
Enabling the ISP to Ping the Firewall | 160
Restore the Default Network Access Rules | 160
Protocols/Services to Filter | 161
Resetting the Firewall | 162
Resetting the Firewall | 163
Reloading the Firmware | 163
Direct Cable Connection | 164
Direct Connection Instructions | 165
Troubleshooting Guide | 167
Introduction | 167
Potential Problems and Solutions | 167
Power LED Not Lit | 167
Power LED Flashes Continuously | 168
Power and Alert LED Lit Continuously | 168
Link LED is Off | 168
Ethernet Connection is Not Functioning | 168
Cannot Access the Web interface | 168
LAN Users Cannot Access the Internet | 169
Firewall Does Not Save Changes | 169
Duplicate IP Address Errors Are Occurring | 169
Machines on the WAN Are Not Reachable | 170
Troubleshooting the Firewall VPN Client | 170
Error Message Explanations | 170
The IKE Negotiation on the VPN Client | 170
Restarting the Firewall with Active VPN Tunnel | 171
Export the VPN Client Security Policy File | 171
Import the VPN Client Security Policy File | 171
Uninstall the VPN Client | 171
Frequently Asked Questions about PPPoE | 172
Types of Attack and Firewall Defences | 175
Denial of Service Attacks | 175
Ping of Death | 175
Firewall Response: | 175
Smurf Attack | 175
Firewall Response as Amplifier: | 176
Firewall Response as Victim: | 176
SYN Flood Attack | 176
Firewall Response: | 176
Land Attack | 176
Firewall Response: | 176
Intrusion Attacks | 176
External Access | 176
Firewall Response: | 176
Port Scanning | 177
Firewall Response: | 177
IP Spoofing | 177
Firewall Response: | 177
Trojan Horse Attacks | 177
Networking Concepts | 179
Introduction to TCP/IP | 179
IP and TCP | 179
IP Addressing | 179
IP Address | 180
Subnet Mask | 181
Default Gateway | 181
Network Address Translation (NAT) | 182
Limitations of Using NAT | 182
Dynamic Host Configuration Protocol (DHCP) | 183
Port Numbers | 184
Well Known Port Numbers | 184
Registered Port Numbers | 184
Private Port Numbers | 184
Virtual Private Network Services | 184
Introduction to Virtual Private Networks | 185
VPN Applications | 185
Basic VPN Terms and Concepts | 186
Safety Information | 193
Important Safety Information | 193
Important Safety Information (in German) | 194
Important Safety Instructions (in French) | 195
Technical Specifications and Standards | 197
Cable Specifications | 199
Cable Specifications | 199
Pinout Diagrams | 199
Technical Support | 201
Online Technical Services | 201
World Wide Web Site | 201
3Com Knowledgebase Web Services | 201
3Com FTP Site | 202
Support from Your Network Supplier | 202
Support from 3Com | 202
Returning Products for Repair | 204