Symantec 10521148 Implementation Guide

Symantec 10521148 - Network Security 7161 Manual

Symantec 10521148 manual content summary:

  • Symantec 10521148 | Implementation Guide - Page 1
    Symantec™ Network Security 7100 Series Implementation Guide
  • Symantec 10521148 | Implementation Guide - Page 2
    Decoy Server, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks
  • Symantec 10521148 | Implementation Guide - Page 3
    in a variety of languages ■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features available may vary based on the
  • Symantec 10521148 | Implementation Guide - Page 4
    Problem description ■ Error messages/log files ■ Troubleshooting performed prior to contacting Symantec ■ Recent software configuration changes and/or network changes Customer Service To contact Enterprise Customer Service choose Service and Support. Customer Service is support options ■
  • Symantec 10521148 | Implementation Guide - Page 5
    SECURITY which accompanies the Appliance as necessary to support Your authorized use of the Appliance; and time to time (e.g., antivirus products utilize updated virus material and workmanship under normal use and service and substantially conform to the written documentation accompanying
  • Symantec 10521148 | Implementation Guide - Page 6
    stoppages; (vi) Your failure to follow applicable use or operations instructions or manuals; (vii) Your failure to implement, or to allow Symantec conditions for warranty service. The allegedly defective Appliance, or component thereof, shall be returned to Symantec, securely and properly packaged
  • Symantec 10521148 | Implementation Guide - Page 7
    , 555 International Way, Springfield, OR 97477, USA, or (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland. 8. Excluded Software: The Excluded Software consists of the open source code software known as Linux included with the
  • Symantec 10521148 | Implementation Guide - Page 9
    Security 7100 Series 9 About the core software 10 About the detection architecture 10 About the management system 10 About the 7100 Series models 11 About this guide additional components 27 Removable disk drive 27 Dual redundant power supplies 28 Deploying the 7100 Series About deploying the
  • Symantec 10521148 | Implementation Guide - Page 10
    unit 40 Clustering ...41 External IDS products 42 Network Security console accessibility 42 SESA server accessibility 42 Symantec LiveUpdate accessibility in-line mode monitoring 50 Cabling a bypass unit for fail-open 51 Powering the 7120 on or off 54 Cabling for model 7160 54 Connecting the
  • Symantec 10521148 | Implementation Guide - Page 11
    node using the serial console 80 Compact flash initial configuration 83 Default login accounts 84 Starting the Network Security console About the Network Security console 85 Network Security console requirements 85 Console requirements on Windows 86 Console requirements on Linux 86 Installing
  • Symantec 10521148 | Implementation Guide - Page 12
    Chapter 8 Chapter 9 Chapter 10 Configuring nodes and interfaces About configuring nodes and interfaces 101 Configuring appliance nodes 102 About appliance node fields 102 Node Options tab fields 103 Advanced Network Options tab fields 104 Adding or editing an appliance node 105
  • Symantec 10521148 | Implementation Guide - Page 13
    and upgrading 148 Restarting, rebooting, and powering off 148 Stopping, starting, and restarting Symantec Network Security ........148 Stopping Network Security from the LCD 149 Stopping Network Security from the serial console 149 Starting Network Security from the LCD 150 Starting Network
  • Symantec 10521148 | Implementation Guide - Page 14
    152 Powering off the appliance 152 Powering off the appliance from the LCD 152 Powering manually 165 Stopping the SESA agent manually 165 Re-imaging and unconfiguring About re-imaging and unconfiguring 167 Unconfiguring Symantec Network Security 168 Running Unconfigure in the Network Security
  • Symantec 10521148 | Implementation Guide - Page 15
    Appendix A Appendix B Appendix C Index Troubleshooting About troubleshooting 183 Accessing troubleshooting information 183 Specifications and safety Product Specifications 185 Safety guidelines 186 Product certifications 188 Service Manual About the removable hard drive 191
  • Symantec 10521148 | Implementation Guide - Page 17
    includes the following topics: ■ About the Symantec Network Security 7100 Series ■ About this guide ■ About the documentation set ■ About the Web sites ■ Verifying the materials About the Symantec Network Security 7100 Series Symantec Network Security 7100 Series appliances provide real-time network
  • Symantec 10521148 | Implementation Guide - Page 18
    and provides immunity against malicious attacks, including: ■ Denial of service attempts ■ Intrusions and malicious code ■ Network infrastructure attacks ■ Symantec Network Security 4.0 Management Console, a powerful and scalable security management system. The management console supports large,
  • Symantec 10521148 | Implementation Guide - Page 19
    a maximum bandwidth license of 2 Gbps ■ Provides in-line mode maximum bandwidth of 1 Gbps About this guide This manual is intended for system managers or administrators responsible for administering the Symantec Network Security 7100 Series, and is organized as follows: Table 1-1 Implementation
  • Symantec 10521148 | Implementation Guide - Page 20
    Table 1-1 Implementation Guide structure Chapter Title Content Chapter 3 Deploying the Network Security and how to re-image the appliance. Discusses upgrading the Network Security console. Discusses migration from an existing Symantec supported IDS platform
  • Symantec 10521148 | Implementation Guide - Page 21
    Guide structure Chapter Title Content Appendix A Troubleshooting Appendix B Specifications and safety Appendix C Service Manual Index Index Describes how to access the online knowledge base for troubleshooting information. Lists product specifications and provides safety instructions
  • Symantec 10521148 | Implementation Guide - Page 22
    (on CD). This document provides a feature summary, support and licensing information, key task tips, and provides a link to late-breaking information about the Symantec Network Security 7100 Series, including limitations, workarounds, and troubleshooting tips. About the Web sites You can view the
  • Symantec 10521148 | Implementation Guide - Page 23
    Security Version 4.0 Administration Guide ■ Symantec Network Security 7100 Series Implementation Guide ■ Symantec Network Security 7100 Series Getting Started Card ■ Symantec Network Security 7100 Series Product Specifications and Safety Information ■ Symantec Network Security 716x Service Manual
  • Symantec 10521148 | Implementation Guide - Page 25
    , compact flash, removable hard drive, and serial port make administration tasks easy and efficient. About 7100 Series models The Symantec Network Security 7100 Series appliance is available in three models. The specific hardware configuration for each model is described in the following sections
  • Symantec 10521148 | Implementation Guide - Page 26
    Model 7120 The 7120 is the Fast Ethernet model of the Symantec Network Security 7100 Series. It has six 10/100Base-T monitoring interfaces, and comes in Description location name 1 Power supply Connection for the AC power cord; standard power supply 2 Master power Switch that turns the
  • Symantec 10521148 | Implementation Guide - Page 27
    Series models Model 7160 The 7160 is the all gigabit copper Symantec Network Security 7100 Series model. It provides eight 10/100/1000Base-T monitoring interfaces, power cords; two redundant power redundant supplies including four fans for cooling the appliance power supplies interior 2 Power
  • Symantec 10521148 | Implementation Guide - Page 28
    Table 2-2 7160 back panel components Diagram Component Description location name 11 re1000g5 Monitoring interface; 10/100/1000Base-T 12 re1000g6 Monitoring interface; 10/100/1000Base-T 13 re1000g7 Monitoring interface; 10
  • Symantec 10521148 | Implementation Guide - Page 29
    components Diagram Component Description location name 1 Dual Connections for the AC power cords; two redundant power redundant supplies including four fans for cooling the appliance power supplies interior 2 Power switch Switch that turns the appliance on or off 3 USB ports Standard
  • Symantec 10521148 | Implementation Guide - Page 30
    LCD panel The LCD panel includes the LCD screen and six push buttons. These components are located on the front bezel of the Symantec Network Security 7100 Series
  • Symantec 10521148 | Implementation Guide - Page 31
    appliance. There is no significant difference between the models in the arrangement of the LCD panel components. Table 2-4 describes the LCD panel components. Table 2-4 LCD panel components Diagram Component Description location
  • Symantec 10521148 | Implementation Guide - Page 32
    "Restarting, rebooting, and powering off" on page 148. See "Unconfiguring Symantec Network Security" on page 168. Using the Network Security console, you can lock account password with the LCD panel buttons. See "Unlocking the LCD panel" on page 155. The front panel of every Symantec Network Security
  • Symantec 10521148 | Implementation Guide - Page 33
    the appliance. See "Preparing for re-imaging" on page 170. Use the serial console to access the appliance operating system or Symantec Network Security software for troubleshooting. See "Using the serial console" on page 158. USB ports There are two USB ports on the back of every Symantec Network
  • Symantec 10521148 | Implementation Guide - Page 34
    ■ Upgrading to a major new version of the operating system ■ Booting from compact flash during appliance re-imaging or upgrading You can use the Network Security console to access the compact flash adapter. The compact flash card is treated as an internal device, so you must insert the CF card into
  • Symantec 10521148 | Implementation Guide - Page 35
    additional components About additional components The high-end models of the Symantec Network Security 7100 Series include additional features that the 7120 does not. These include a removable hard drive and dual redundant power supplies. Removable disk drive The 7160 and 7161 have a hard drive that
  • Symantec 10521148 | Implementation Guide - Page 36
    The 7160 and 7161 have dual redundant power supplies. The dual power supplies ideally connect to separate power sources. Dual redundant power supplies Each of the redundant power supplies has two internal power-main connections. In the event of a failure of one power-main, the other one continues to
  • Symantec 10521148 | Implementation Guide - Page 37
    , and in combination with third-party IDS products. The Symantec Network Security 7100 Series provides the flexibility to meet the needs of complex enterprise networks. It supports multiple external network connections, asymmetric routing, servers containing sensitive and important information
  • Symantec 10521148 | Implementation Guide - Page 38
    Bandwidth licensing options The Symantec Network Security 7100 Series offers extremely flexible bandwidth deployment performance. Symantec Network Security 4.0 software provides the bandwidth up to 2 Gbps. In passive mode, Network Security detects attacks as they enter the monitored network. You can
  • Symantec 10521148 | Implementation Guide - Page 39
    mode on the 7100 Series utilizes Symantec Network Security's powerful analysis software to identify both zero-day attacks and those with known signatures. You can find more information about Network Security's analysis and detection capabilities in the Symantec Network Security Administration Guide.
  • Symantec 10521148 | Implementation Guide - Page 40
    In-line mode requires two interfaces configured as an in-line pair. The interfaces in each in-line pair are pre-determined, and the Network Security console enforces the pairing. Figure 3-1 shows the interfaces designated for in-line pair 0 and pair 1 on the 7120. Figure 3-1 In-line pairs on the
  • Symantec 10521148 | Implementation Guide - Page 41
    support blocking, and others do not. You can only enable blocking for in-line pairs. For more information about protection policies, see "About protection policies" on page 116, and the Symantec Network Security Administration Guide the same path. Interface grouping is the solution to this problem.
  • Symantec 10521148 | Implementation Guide - Page 42
    up to four monitoring interfaces into one interface group. Symantec Network Security starts a single sensor for the group, with the result include passive mode interfaces. Interface grouping of in-line pairs is not supported. You can only create an interface group using interfaces from the same
  • Symantec 10521148 | Implementation Guide - Page 43
    that allows network traffic to continue even if the Symantec Network Security 7100 Series appliance has a hardware or software failure that affects Feature 2 In-line Bypass unit 4 In-line Bypass unit Supported appliance model 7120 Supported number of in-line interface 2 pairs (equals number of
  • Symantec 10521148 | Implementation Guide - Page 44
    a 7120. Figure 3-4 shows the rear panel of the 2 In-line Bypass unit. Figure 3-4 2 In-line Bypass unit 1 - Serial port 2 - Mgmt USB 3 - Power Supply 1 4 - Power Supply 2 5 - NetA 6 - AppA 7 - AppB 8 - NetB 9 - Port group 1 10 - Port group 0 The 4 In-line Bypass unit You can deploy the 4 In-line
  • Symantec 10521148 | Implementation Guide - Page 45
    Figure 3-5 4 In-line Bypass unit 1 - Serial port 2 - Mgmt USB 3 - Power Supply 1 4 - Power Supply 2 5 - Port group 0 6 - Port group 1 7 - Port group 2 8 - Port group 3 Port groups and the management port on the bypass unit Each bypass unit
  • Symantec 10521148 | Implementation Guide - Page 46
    passes directly from one side of the network to the other. Also called bypass state. After connecting the bypass unit to the 7100 Series and powering on, all port groups are initially in bypass mode. In bypass mode, network traffic does not pass through the appliance for event detection. To change
  • Symantec 10521148 | Implementation Guide - Page 47
    the connected interfaces are configured for auto-negotiation of link parameters. To verify the link parameters for App A and App B, use the Network Security console. After starting a sensor on the corresponding in-line pair, you can view the link parameters by clicking each interface object in the
  • Symantec 10521148 | Implementation Guide - Page 48
    blinks when the bypass unit is receiving data on the USB connection. Power supply 1 The PS1 LED glows when power supply 1 is connected to a power source. Power supply 2 The PS2 LED glows when power supply 2 is connected to a power source. Rear panel LEDs on the bypass unit The rear panel status
  • Symantec 10521148 | Implementation Guide - Page 49
    at 100 Mbps or 10 Mbps). You can combine the Symantec Network Security 7100 Series appliance with other nodes and appliances into a cluster. One access and configure all nodes in the cluster from the same Network Security console. You can configure cluster parameters on the master node, which
  • Symantec 10521148 | Implementation Guide - Page 50
    the same way that it handles data from its own sensors. For more information, see the Symantec Network Security Administration Guide. Network Security console accessibility The Network Security console is a Java application that runs on a separate computer. You can deploy the console on any computer
  • Symantec 10521148 | Implementation Guide - Page 51
    accessibility Symantec Network Security provides product updates and enhancements in the form of Security Updates, Engine a separate system to receive the updates for later disbursement to Symantec Network Security nodes. Your choice affects whether the 7100 Series node needs access to the Symantec
  • Symantec 10521148 | Implementation Guide - Page 53
    Series This chapter includes the following topics: ■ About installing the 7100 Series ■ Rack mounting ■ Cabling About installing the 7100 Series To install the Symantec Network Security 7100 Series you need to: ■ Mount it on the rack or shelf ■ Cable it to other network devices The Symantec Network
  • Symantec 10521148 | Implementation Guide - Page 54
    the 7100 Series Rack mounting Access to the LED lights allows you to see indicators for power, disk usage, network traffic in and out, and appliance temperature. Rack mounting The Symantec Network Security 7100 Series comes with two metal L-brackets and eight screws for attaching the brackets to the
  • Symantec 10521148 | Implementation Guide - Page 55
    2 Attach the bracket by inserting four of the provided screws through the slots in the bracket into the holes in the appliance casing. Tighten the screws completely. 3 Attach the other L-bracket in the same way to the opposite side of the appliance. 4 With
  • Symantec 10521148 | Implementation Guide - Page 56
    To mount the appliance to a four-post rack 1 Place the long side of an L-bracket against one side of the appliance near either the front or the back of the appliance. Position the bracket so that its short flange is lined up with the front or back of the
  • Symantec 10521148 | Implementation Guide - Page 57
    to connect. You need to connect cables to the monitoring ports, management port, reset ports, and power supply. Optionally, you may wish to cable the serial port and, if you have a Symantec Network Security In-line Bypass unit, a USB port. Cabling for model 7120 This section describes cabling for
  • Symantec 10521148 | Implementation Guide - Page 58
    an interface pair for each monitored network segment. The interface pair can be ports 0 and 1, or ports 2 and 3. Other port combinations are not supported. Within each interface pair, each port is connected to the network, splitting it into two sides. To use in-line mode for monitoring a single
  • Symantec 10521148 | Implementation Guide - Page 59
    unit for fail-open This section describes how to install a Symantec Network Security In-line Bypass unit to provide fail-open capability. The 2 In operation with the 7120 appliance. Note: Only the 2 In-line Bypass unit is supported for use with model 7120. Figure 4-3 shows the 2 In-line Bypass unit
  • Symantec 10521148 | Implementation Guide - Page 60
    AppB NetA NetB Port group 0 Port group 1 7120 0 - Port 0 1 - Port 1 2 - Port 2 3 - Port 3 4 - In-line pair 0 5 - In-line pair 1 Note: Follow the cabling instructions carefully to match each in-line interface pair with its associated port group on the bypass unit. Connect in-line pair 0 (ports
  • Symantec 10521148 | Implementation Guide - Page 61
    the 7120 in-line pair, use the Ethernet cables provided with the bypass unit. Note: After connecting the bypass unit to the 7100 Series and powering both on, all port groups are initially in bypass mode. To change the port group to online mode, you must start a sensor on the in
  • Symantec 10521148 | Implementation Guide - Page 62
    to navigate to the Shutdown Host option on the LCD screen and press e. ■ On the back panel of the 7120, press and hold the master power switch for approximately 5 seconds until you hear the fans stop. Cabling for model 7160 This section describes cabling for model 7160. If you have a different
  • Symantec 10521148 | Implementation Guide - Page 63
    all other cabling is done. An alarm will sound if you connect only one power cord. Figure 4-5 shows the back panel of the 7160. Figure 4-5 7160 back panel 1 - Power supplies 2 - Power switch 3 - USB ports 4 - Serial port 5 - Compact flash adapter 6 - Port 0 7 - Port 1 8 - Port 2 9 - Port 3 10
  • Symantec 10521148 | Implementation Guide - Page 64
    for each monitored network segment. The interface pair can be ports 0 and 1, ports 2 and 3, ports 4 and 5, or ports 6 and 7. Other port combinations are not supported. Within each interface pair, the lower numbered port (the top port on the NIC) connects to one side of the network, while the port
  • Symantec 10521148 | Implementation Guide - Page 65
    port 7 of the appliance to the other side of network segment 4. Cabling a bypass unit for fail-open This section describes how to install a Symantec Network Security In-line Bypass unit to provide fail-open capability. The 4 In-line Bypass unit is recommended for operation with the 7160.
  • Symantec 10521148 | Implementation Guide - Page 66
    Note: Only the 4 In-line Bypass unit is supported for use with model 7160. Figure 4-7 shows the 4 In-line Bypass unit. Figure 4-7 4 In-line Bypass unit The 4 In-line Bypass unit contains four port
  • Symantec 10521148 | Implementation Guide - Page 67
    Figure 4-8 4 In-line Bypass unit deployed with 7160 Port group 0 Port group 1 7160 Port group 2 Port group 3 0 - Port 0 1 - Port 1 2 - Port 2 3 - Port 3 4 - Port 4 5 - Port 5 6 - Port 6 7 - Port 7 8 - RST0 9 - RST1 10 - RST 2 11 - Management port 12 - Mgmt
  • Symantec 10521148 | Implementation Guide - Page 68
    the 7100 Series Cabling Note: Follow the cabling instructions carefully to match each in-line interface pair with provided with the bypass unit. Note: After connecting the bypass unit to the 7100 Series and powering both on, all port groups are initially in bypass mode. To change the port group
  • Symantec 10521148 | Implementation Guide - Page 69
    To cable in-line pair 1 with port group 1 1 Shut down the 7160 appliance if it is running. 2 On the bypass unit, connect Net A of port group 1 to one side of the network. 3 Connect App A of port group 1 to port 2 on your appliance. 4 Connect App B of port group
  • Symantec 10521148 | Implementation Guide - Page 70
    to navigate to the Shutdown Host option on the LCD screen and press e. ■ On the back panel of the 7160, press and hold the master power switch for approximately 5 seconds until you hear the fans stop. Cabling for model 7161 This section describes cabling for the 7161. If you have a different
  • Symantec 10521148 | Implementation Guide - Page 71
    all other cabling is done. An alarm will sound if you connect only one power cord. Figure 4-9 shows the back panel of the 7161. Figure 4-9 7161 back panel 1 - Power supplies 2 - Power switch 3 - USB ports 4 - Serial port 5 - Compact flash adapter 6 - Port 0 7 - Port 1 8 - Port 2 9 - Port 3 10
  • Symantec 10521148 | Implementation Guide - Page 72
    for each monitored network segment. The interface pair can be ports 0 and 1, ports 2 and 3, ports 4 and 5, or ports 6 and 7. Other port combinations are not supported. Within each interface pair, the lower numbered port (the top port on the NIC) connects to one side of the network, while the port
  • Symantec 10521148 | Implementation Guide - Page 73
    6/7). You can use the remaining ports for monitoring other network segments in passive mode. Figure 4-10 depicts a 7161 using in-line mode to monitor four network segments. Figure 4-10 7161 using in-line mode Network segment 1 Network segment 2 Network
  • Symantec 10521148 | Implementation Guide - Page 74
    7161 on or off As the last step in the physical installation of the 7161 appliance, connect and turn on the power. When the appliance powers on, you should hear the hard drive spin up and the fans turn on, and see the LEDs and LCD screen light up. The dual
  • Symantec 10521148 | Implementation Guide - Page 75
    login accounts About initializing Symantec Network Security Initial configuration of the Symantec Network Security 7100 Series in sync with the master. For more information, see the Symantec Network Security Administration Guide. You can choose among three methods for answering the questions: ■ LCD
  • Symantec 10521148 | Implementation Guide - Page 76
    LCD panel initial configuration The LCD subsystem contains a 2-line by 16-character liquid crystal diode display screen and six push buttons for entering input. It
  • Symantec 10521148 | Implementation Guide - Page 77
    Procedures for configuring To use the LCD panel for initial configuration of a master node 1 Use the master power switch to turn on the power, if necessary. During the boot process, the LCD screen displays: Symantec v1.03 OK
  • Symantec 10521148 | Implementation Guide - Page 78
    of the address. Use the right or left buttons to move the cursor brackets. Note: If this node is not behind a NAT router, the Network Security console will use the local IP address to connect to the node. Otherwise, it uses the NAT address that is provided later in the procedure
  • Symantec 10521148 | Implementation Guide - Page 79
    use the arrow buttons to input a 6 to 14 character password to use for: ■ superuser account on the Network Security console ■ Unlocking the LCD panel ■ operating system secadm account ■ operating system root account ■ elevate command used by secadm Note: You can change to separate passwords for root
  • Symantec 10521148 | Implementation Guide - Page 80
    use to connect to the appliance. Press e. 12 For: Configure SNS? [Yes] No do one of the following: ■ To proceed with installation of Symantec Network Security, leave the cursor on Yes. ■ To start the initial configuration process over, use the arrow buttons to move the cursor to No. Press e. 13 For
  • Symantec 10521148 | Implementation Guide - Page 81
    Symantec Network Security Administration Guide. If you wish to configure your appliance as a master node, see "Using the LCD panel to configure a master node" on page 69. To use the LCD panel for initial configuration of a slave node 1 Use the master power switch to turn on the power
  • Symantec 10521148 | Implementation Guide - Page 82
    number. Press e. Note: The node number must match the number you provide when adding the slave node object to the topology tree in the Network Security console. You can assign a unique number between 2 and 120. 8 For: Master Node Nmbr [1] do one of the following: ■ If 1 is the correct master node
  • Symantec 10521148 | Implementation Guide - Page 83
    the slave node object to the topology tree in the Network Security console. See "Configuring appliance nodes" on page 102. Use this password for: ■ Unlocking the LCD panel ■ operating system secadm account ■ operating system root account ■ elevate command used by secadm Note: You can change to
  • Symantec 10521148 | Implementation Guide - Page 84
    the externally visible IP address. Press e. 15 For: Configure SNS? [Yes] No do one of the following: ■ To proceed with installation of Symantec Network Security, leave the cursor on Yes. ■ To start the initial configuration process over, use the arrow buttons to move the cursor to No. Press e. 16
  • Symantec 10521148 | Implementation Guide - Page 85
    serial console stays on while the appliance is running. To use it you must enter the correct login and password,
  • Symantec 10521148 | Implementation Guide - Page 86
    IP address of the administration interface: Type the local IP address of the appliance. Note: If this node is not behind a NAT router, the Network Security console will use the local IP address to connect to the node. Otherwise, it uses the NAT address that is provided later in the procedure
  • Symantec 10521148 | Implementation Guide - Page 87
    change the passwords for root/elevate and secadm / LCD unlocking after initial configuration. You can also change the password for the Network Security console superuser account. 12 Please enter the password again: Re-enter the password for confirmation. 13 Is this node behind NAT? [yes/NO] Do one
  • Symantec 10521148 | Implementation Guide - Page 88
    (this may take a while) ■ Type no if you need to make a correction or are not ready to proceed with the installation of Symantec Network Security. The serial console displays the SNS7100> prompt if you enter no. 16 Done installing. Please reboot. At the SNS7100> prompt, to reboot and start Symantec
  • Symantec 10521148 | Implementation Guide - Page 89
    cannot be changed once you have finished this procedure and installed Symantec Network Security. 9 Enter the master node number (default 1): Press Enter to accept Unlocking the LCD panel ■ operating system secadm account ■ operating system root account and elevate command Note: You can change the
  • Symantec 10521148 | Implementation Guide - Page 90
    12 Please enter the password again: Re-enter the password for confirmation. 13 Enter qspproxy port number (default: 62432): Press Enter
  • Symantec 10521148 | Implementation Guide - Page 91
    (this may take a while) ■ Type no if you need to make a correction or are not ready to proceed with the installation of Symantec Network Security. The serial console displays the SNS7100> prompt if you enter no. 19 Done installing. Please reboot. At the SNS7100> prompt, to reboot and start Symantec
  • Symantec 10521148 | Implementation Guide - Page 92
    to the operating system or the Symantec Network Security filesystem for troubleshooting or to view system log files. You can use the secadm login account to perform certain Symantec Network Security functions on the serial console if the Network Security console is inoperative or unable to connect
  • Symantec 10521148 | Implementation Guide - Page 93
    machine. You can use the console to perform key tasks required to configure and operate Symantec Network Security on your appliance. Network Security console requirements The Network Security console can be installed on a computer that meets the minimum requirements given in the following sections
  • Symantec 10521148 | Implementation Guide - Page 94
    Red Hat Enterprise Linux 3.0 ES 512 MB RAM 100 MB 1024 x 768 Sun Java™ 2 Runtime Environment (J2RE) version 1.4.2 Installing the console The Network Security console application is provided on the Management Console CD that is included with your appliance. You can install it on a Windows or Linux
  • Symantec 10521148 | Implementation Guide - Page 95
    the Java Runtime Environment The Network Security console requires the Java Runtime Environment (JRE) version 1.4.2. You can download this free software from the Internet at: http://java.sun.com The package to download is called J2SE v1.4.2_04 JRE. Installation instructions are also available on the
  • Symantec 10521148 | Implementation Guide - Page 96
    JRE setup is launched. 11 Follow the instructions in the JRE install dialog boxes. When the JRE installation is finished, the Network Security console installation process completes. 12 In Important management network and powered on, you can connect to it by launching the Network Security console.
  • Symantec 10521148 | Implementation Guide - Page 97
    text box, enter superuser The superuser username is configured by default during initial configuration. This account has the highest level of privileges when used to log in on the Network Security console. 5 In the Passphrase text box, enter the superuser passphrase that was set during initial
  • Symantec 10521148 | Implementation Guide - Page 98
    text box, enter superuser The superuser username is configured by default during initial configuration. This account has the highest level of privileges when used to log in on the Network Security console. 6 In the Passphrase text box, enter the superuser passphrase that was set during initial
  • Symantec 10521148 | Implementation Guide - Page 99
    7100 Series node, but not for the console. Symantec Network Security software functionality is activated by license. Only the SuperUser has permission The license automatically includes maintenance and support for the first year. This consists of technical support, content updates via LiveUpdate,
  • Symantec 10521148 | Implementation Guide - Page 100
    . Table 7-2 Additive licenses Model 7120 7160 / 7161 Additive license 50 Mbps 100 Mbps 250 Mbps 500 Mbps 1.0 Gbps Installing licenses The Symantec Network Security software functionality is activated by license. A separate license must be installed for each 7100 Series node, but the console
  • Symantec 10521148 | Implementation Guide - Page 101
    nodes to your network, you must activate them with new licenses. The first time you log into a new 7100 Series master node using the Network Security console, the License Information window appears. When you add a slave node, you can access licensing by first connecting to the master node with the
  • Symantec 10521148 | Implementation Guide - Page 102
    the 7100 Series appliance itself. It includes the letters FLX followed by ten digits. Neither serial number is included in the Symantec Network Security 7100 Series software distribution package. To determine the Symantec Serial Number ◆ Read the license serial number from the Symantec Serial Number
  • Symantec 10521148 | Implementation Guide - Page 103
    and log in with the superuser account. 3 In License Information, in the upper right corner, the Symantec System ID is displayed. Note that the parentheses are part of the ID. To determine the Symantec System ID on a licensed appliance 1 In the Network Security console, on Devices, right-click the
  • Symantec 10521148 | Implementation Guide - Page 104
    licensing Web site at https://licensing.symantec.com 3 Follow the instructions on the Web page to complete and submit the online licensing the Network Security console. You can rename the file with a descriptive name. 2 Log in to the Network Security console with the superuser account. 3 In
  • Symantec 10521148 | Implementation Guide - Page 105
    Licensing 97 Checking the license status 5 Click OK. 6 In License Information, do one of the following: ■ Click Browse to navigate to the location of the license file and select the file. ■ Type in the file name directly. 7 Click Submit. The software indicates whether the license installed
  • Symantec 10521148 | Implementation Guide - Page 106
    each time the network traffic rate exceeds the license. The license is for the total packets seen by all combined interfaces on your Symantec Network Security 7100 Series appliance. Licensing options are based on the amount of traffic handled by the appliance in passive mode. You should choose the
  • Symantec 10521148 | Implementation Guide - Page 107
    https://licensing.symantec.com 3 Follow the instructions on the Web page to complete and descriptive name. 2 Log in to the Network Security console with the superuser account. 3 On Devices, right-click the 7100 current support agreement may contact the Symantec Global Technical Support group by
  • Symantec 10521148 | Implementation Guide - Page 108
    100 Licensing Calling for help ■ Symantec Serial Number: The serial number printed on the Symantec Serial Number certificate. See "Determining the serial numbers" on page 94. ■ Appliance Serial Number: The serial number printed on a label on the back panel of the appliance. See "Determining the
  • Symantec 10521148 | Implementation Guide - Page 109
    database reflect your actual network configuration. This chapter provides detailed instructions for adding and editing 7100 Series nodes and interfaces, including in-line pairs and interface groups. For information about other topology objects, see the Symantec Network Security Administration Guide.
  • Symantec 10521148 | Implementation Guide - Page 110
    slave and master node objects when connected to the master node with the Network Security console. For detailed information about the different types of nodes, see the Symantec Network Security Administration Guide. See "Adding or editing an appliance node" on page 105. About appliance node fields
  • Symantec 10521148 | Implementation Guide - Page 111
    the master and slave nodes. On a master node it is also used to connect to the Network Security console. This is a required field. If you change this field on a master node, you must reboot from selected monitoring groups. See the Symantec Network Security Administration Guide for more information.
  • Symantec 10521148 | Implementation Guide - Page 112
    has master status. If the current master node fails, another node in the group takes over as the functioning master. See the Symantec Network Security Administration Guide for more information. The passphrase that is assigned when adding the node. It is used to allow the master and slave nodes to
  • Symantec 10521148 | Implementation Guide - Page 113
    primary Domain Name Service server for the node, which maps hostnames to IP addresses. The secondary Domain Name Service server for sensor on an appliance interface" on page 115. See the Symantec Network Security Administration Guide for detailed information. To add or edit a 7100 Series node 1 On
  • Symantec 10521148 | Implementation Guide - Page 114
    prefix FLX. 10 Click OK to add the node object to the topology tree. Caution: Click Topology > Save Changes before quitting the Network Security console. Any unsaved changes will be lost upon quitting the console. Configuring appliance interfaces You can configure three types of interface objects on
  • Symantec 10521148 | Implementation Guide - Page 115
    . These interfaces default to passive mode. See "Passive mode" on page 30. You cannot manually add or delete monitoring interfaces, but you must edit them to ensure that Network Security functions properly. It is especially important that you enter monitored network information before allowing the
  • Symantec 10521148 | Implementation Guide - Page 116
    108 Configuring nodes and interfaces Configuring appliance interfaces Table 8-3 Interface tab fields Field Description Expected Throughput TCP Reset Interface Description A drop-down menu that contains throughput ranges in Mbps or Gbps to select from. Choose a value that fits within the node's
  • Symantec 10521148 | Implementation Guide - Page 117
    console when you click the interface object. Configuring an in-line pair An in-line interface pair is required to operate the Symantec Network Security 7100 Series appliance using in-line mode. When using in-line mode, you can configure policies for blocking malicious traffic before it enters your
  • Symantec 10521148 | Implementation Guide - Page 118
    110 Configuring nodes and interfaces Configuring appliance interfaces About In-line Pair tab fields Table 8-5 provides information about the fields in the In-line Pair tab. Table 8-5 In-line Pair tab fields Field Description Name A descriptive name for the in-line pair of up to 40 characters.
  • Symantec 10521148 | Implementation Guide - Page 119
    procedure for adding or editing an in-line pair. Note that the in-line pair choices are pre-defined in the Network Security console. Other interface combinations are not supported as in-line pairs. To add or edit an in-line pair 1 On the Devices tab, do one of the following: ■ Right
  • Symantec 10521148 | Implementation Guide - Page 120
    alerting functionality. 7 Click OK to add the in-line pair object to the topology tree. Note: Click Topology > Save Changes before quitting the Network Security console. Any unsaved changes will be lost upon quitting the console. The in-line pair object is displayed in the topology tree, with the
  • Symantec 10521148 | Implementation Guide - Page 121
    Configuring nodes and interfaces 113 Configuring appliance interfaces Table 8-7 Interface Group tab fields Field Description Expected Throughput The amount of network traffic you expect this interface group to monitor. TCP Reset Interface The designated reset interface to use when sending TCP
  • Symantec 10521148 | Implementation Guide - Page 122
    interface group. 8 Click OK to add the interface group object to the topology tree. Note: Click Topology > Save Changes before quitting the Network Security console. Any unsaved changes will be lost upon quitting the console. The interface group object is displayed in the topology tree, with the
  • Symantec 10521148 | Implementation Guide - Page 123
    . Starting a sensor on an appliance interface You must start a sensor on an interface, interface group, or in-line pair before Symantec Network Security will detect traffic or attacks. Sensors function on a per interface basis. It is possible for sensors to be running on some appliance interfaces
  • Symantec 10521148 | Implementation Guide - Page 124
    , including detection components, sensor parameters, PAD-related port mapping, and custom signatures, see the Symantec Network Security Administration Guide. Symantec Network Security provides a number of predefined protection policies that you can apply directly, or clone and customize to suit
  • Symantec 10521148 | Implementation Guide - Page 125
    117 Creating and applying protection policies All protection policy tasks are available on the Policies tab in the Network Security console. This section describes procedures for: ■ Viewing a protection policy ■ Setting policies to interfaces ■ Unapplying or removing policies from interfaces
  • Symantec 10521148 | Implementation Guide - Page 126
    118 Configuring detection and response Creating and applying protection policies To view a protection policy 1 On the Policies > Protection Policies tab, click a protection policy. 2 Click View. 3 In View Protection Policy, do one of the following: ■ Click Search Events to see all event types plus
  • Symantec 10521148 | Implementation Guide - Page 127
    Configuring detection and response 119 Creating and applying protection policies To unapply a policy on an interface 1 On the Policies > Protection Policies tab, in the right pane, right-click an interface, in-line pair, or interface group. 2 Click Unapply Policy from the pop-up list. Enabling/
  • Symantec 10521148 | Implementation Guide - Page 128
    120 Configuring detection and response Creating and applying protection policies To clone a protection policy 1 In the Policies > Protection Policies tab, click a protection policy. 2 Click Clone. 3 In Clone Policy, enter a name for the new protection policy. 4 Click OK. 5 Modify the cloned
  • Symantec 10521148 | Implementation Guide - Page 129
    Configuring detection and response 121 Creating and applying protection policies ■ Click View > Search Events if the policy is pre-defined. ■ Click Edit if the policy is user-defined. 2 Provide some or all of the following search criteria: ■ In Event Name, enter a name. ■ In Protocol, select a
  • Symantec 10521148 | Implementation Guide - Page 130
    122 Configuring detection and response Creating and applying protection policies To set logging or blocking on events 1 On Policies, on the Protection Policies tab, do one of the following: ■ Click New. ■ Click Edit. 2 In Add Protection Policy, do one of the following: ■ Click Search Events. ■ Click
  • Symantec 10521148 | Implementation Guide - Page 131
    Configuring detection and response 123 Creating and applying protection policies 5 In Event Properties, in Logging Options, to enable logging for the selected events, check Log Event. 6 Do one of the following: ■ To log events for any source or destination, click Log For All IPs. ■ To log events for
  • Symantec 10521148 | Implementation Guide - Page 132
    provides procedures for: ■ Adding response rules ■ Deleting response rules For a full description of all aspects of response rules, see the Symantec Network Security Administration Guide. Adding response rules This section provides the basic procedure for adding a response rule in the Network
  • Symantec 10521148 | Implementation Guide - Page 133
    , and click OK. 14 Click the Response Action cell of the response rules table row. 15 In Configure Response Action, select an action for Network Security to take if the event matches the response rule. 16 Select a Next Action to do one of the following: ■ Stop searching for matching response rules
  • Symantec 10521148 | Implementation Guide - Page 134
    and exit the rule. Deleting response rules This section describes how to delete a response rule. To delete a response rule 1 In the Network Security console, click Configuration > Response Rules. 2 In Response Rules, select the response rule by clicking in the Number cell of the response rule row
  • Symantec 10521148 | Implementation Guide - Page 135
    the event with similar or related events, and creates an incident named after the event with the highest priority. Incidents are displayed in the Network Security console on the Devices tab when you click an interface, and more fully on the Incidents tab. You can view the list of incidents and
  • Symantec 10521148 | Implementation Guide - Page 136
    for more information. Viewing incident data The Incidents tab provides a view of top-level incident data. To view incident data ◆ In the Network Security console, click the Incidents tab. Viewing incident details You can view details derived from the most recent event of the highest priority within
  • Symantec 10521148 | Implementation Guide - Page 137
    table columns. See the Symantec Network Security Administration Guide for more information on these topics. Generating reports Symantec Network Security provides a comprehensive reporting facility that allows you to generate reports manually or automatically using more than twenty predefined
  • Symantec 10521148 | Implementation Guide - Page 138
    report types and report scheduling, see the Symantec Network Security Administration Guide. Monitoring appliance status You can monitor the status of Security console Viewing status on the LEDs There are five LED status indicators on the front bezel of the 7100 Series. They indicate: ■ Power
  • Symantec 10521148 | Implementation Guide - Page 139
    status 131 Monitoring appliance status The power LED glows when the appliance is powered on. The disk activity LED blinks The model number is displayed. ■ SNS S/W version: 4.0 The version of Symantec Network Security that is running on the appliance. ■ CPU Temp(s) 32 34 The internal temperature of
  • Symantec 10521148 | Implementation Guide - Page 140
    the statistics interval is several seconds. If an interface, interface group, or in-line pair is running at a higher bandwidth, Symantec Network Security starts multiple sensor processes to handle the expected throughput. It can start up to four sensor processes. When you click the interface object
  • Symantec 10521148 | Implementation Guide - Page 141
    ■ Current Average Bandwidth The bandwidth averaged over the last statistics interval. Current Versions ■ Network Security Version The version of Symantec Network Security on the node. ■ Security Update The Security Update (SU) level on the node. ■ JLU Version The version of LiveUpdate running
  • Symantec 10521148 | Implementation Guide - Page 142
    Flow Statistics ■ New TCP Flows/Second ■ Established TCP Flows Link Information ■ Link Status ■ Link Speed (Mbps) ■ Link Duplex Explanation The number of security events per second seen on the interface. Displayed for each sensor process. The number of new TCP flows per second on the interface
  • Symantec 10521148 | Implementation Guide - Page 143
    /Second Flow Statistics ■ New TCP Flows/Second ■ Established TCP Flows Explanation The percentage of packets blocked out of total packets seen. The number of security events per second seen on the in-line pair. Displayed for each sensor process. The number of new TCP flows per second on the inline
  • Symantec 10521148 | Implementation Guide - Page 144
    percentage of total packets received over the last statistics interval. Displayed for each sensor process. Event Statistics ■ Events/Second The number of security events per second seen on the interface group. Displayed for each sensor process. Flow Statistics ■ New TCP Flows/Second The number
  • Symantec 10521148 | Implementation Guide - Page 145
    ■ Managing log files and backups ■ Restarting, rebooting, and powering off ■ Using the LCD run menu ■ Using the serial console and administering the appliance Maintenance and administration on the Symantec Network Security 7100 Series is essential for managing the appliance and its software.
  • Symantec 10521148 | Implementation Guide - Page 146
    files reach a certain size. The 7100 Series uses SCP to securely copy the files across the network. The other computer is the target host, and must support SSH and SCP. To use SCP, you must first generate SSH keys for your account on the 7100 Series node and install the resulting public key
  • Symantec 10521148 | Implementation Guide - Page 147
    Security is generating the SSH keys. 4 In Public Key, read the public key filename at the top, and the instructions for installing it on the target host. In the instructions SCP, type the target host name or IP address. 6 In User Account for SCP, type user name to transfer files to on the target host
  • Symantec 10521148 | Implementation Guide - Page 148
    administering the 7100 Series Managing log files and backups 10 Click Apply. Backing up and restoring Symantec Network Security provides a backup and restore facility available from the Network Security console. You can back up all node configuration data and can later restore it to the same node
  • Symantec 10521148 | Implementation Guide - Page 149
    data, using the hard drive to store the files. For more information about backup and restore, see the Symantec Network Security System Administration Guide. Backing up a configuration This section describes the standard procedure for backing up a node configuration. To back up a configuration 1 In
  • Symantec 10521148 | Implementation Guide - Page 150
    restart the node, and overwrite all configuration changes that were made since the backup. About the compact flash All models of the Symantec Network Security 7100 Series have a compact flash (CF) adapter, located on the back panel. The CF adapter is a device that reads from and writes to compact
  • Symantec 10521148 | Implementation Guide - Page 151
    The appliance will try to boot from the empty partition, and must be powered off and then rebooted after ejecting the CF card. You can use disk Create Partition from the pull-down menu. 6 Follow the directions as the Wizard guides you through the process, and select a FAT32 partition. 7 In the Wizard
  • Symantec 10521148 | Implementation Guide - Page 152
    compact flash for backup and restore The compact flash provides a removable media option for storing backups of your configuration. You can use the Network Security console to back up to or restore from compact flash. If the compact flash is mounted as a filesystem when a backup is initiated, it is
  • Symantec 10521148 | Implementation Guide - Page 153
    If a compact flash card is not already accessible, insert a non-bootable CF card into the CF adapter and reboot the appliance. 2 In the Network Security console, on the Devices tab, click Admin > Node > Manage Backups. 3 In Select Node, choose a node from the pull-down list. 4 Click OK. 5 In Backups
  • Symantec 10521148 | Implementation Guide - Page 154
    way to control the configuration of one or more appliances you are adding to a cluster. Before physically installing a new slave appliance, use the Network Security console to add it to your topology. When you add the node, you configure its IP address, node number, information about the master node
  • Symantec 10521148 | Implementation Guide - Page 155
    when you edit the node. 7 Optionally type values for DNS Server 1 and DNS Server 2. 8 Click OK. 9 In the Save Config File window, click Save. Network Security saves the file as appcfg.enc. Note: The enc suffix means the file is encrypted. This encryption is an automatic process and does not require
  • Symantec 10521148 | Implementation Guide - Page 156
    procedures for these tasks: ■ Stopping, starting, and restarting Symantec Network Security ■ Rebooting the appliance ■ Powering off the appliance Stopping, starting, and restarting Symantec Network Security To stop Symantec Network Security, you must use the LCD panel or serial console. The Network
  • Symantec 10521148 | Implementation Guide - Page 157
    149 Restarting, rebooting, and powering off The LCD panel may be locked. If so, you must unlock it before you can perform tasks in the LCD run menu. These procedures are described in the following sections: ■ Stopping Network Security from the LCD ■ Stopping Network Security from the serial console
  • Symantec 10521148 | Implementation Guide - Page 158
    and administering the 7100 Series Restarting, rebooting, and powering off Starting Network Security from the LCD This section describes the procedure for using the LCD panel to start Symantec Network Security on the node. To start Symantec Network Security from the LCD 1 On the appliance front panel
  • Symantec 10521148 | Implementation Guide - Page 159
    151 Restarting, rebooting, and powering off 3 In Confirmation, click Yes. Restarting Network Security from the serial console This section describes the procedures for using the serial console to restart the Network Security application. To restart Symantec Network Security from the serial console
  • Symantec 10521148 | Implementation Guide - Page 160
    to the appliance as secadm. 3 Type the command: reboot Wait for the appliance to reboot. Powering off the appliance Before removing power from the appliance, you must shut down Symantec Network Security and the appliance operating system. The LCD panel and the serial console both provide a command
  • Symantec 10521148 | Implementation Guide - Page 161
    7161 depending on the model. 4 Press e to shut down and power off the appliance. Powering off the appliance from the serial console This section describes the procedure for powering off the appliance from the serial console. To power off the appliance from the serial console 1 Connect your laptop or
  • Symantec 10521148 | Implementation Guide - Page 162
    from the LCD" on page 149. Starts Symantec Network Security if it is currently stopped. See "Starting Network Security from the LCD" on page 150. Shuts down and powers off the appliance. See "Powering off the appliance from the LCD" on page 152. Reboots the appliance. See "Rebooting the appliance
  • Symantec 10521148 | Implementation Guide - Page 163
    Maintaining and administering the 7100 Series 155 Using the LCD run menu Running commands on the LCD run menu While the LCD panel is not in use, the LCD screen displays a rotating list of appliance health statistics. See "Viewing status on the LCD screen" on page 131. To access the LCD run menu,
  • Symantec 10521148 | Implementation Guide - Page 164
    console to change the IP address of any node in the cluster. See the Symantec Network Security Administration Guide for that procedure. After rebooting with the new IP address, you must restart the Network Security console and connect using the new IP. Slave nodes in the cluster do not require any
  • Symantec 10521148 | Implementation Guide - Page 165
    Address [000]000.000.000 use the arrow buttons to enter the externally visible IP address. On a master node, this is the address the Network Security console will use to connect to the appliance. Press e.
  • Symantec 10521148 | Implementation Guide - Page 166
    is the default login name for the serial console. The secadm account can access basic Symantec Network Security and administrative commands. You can gain root privileges by entering the elevate command if you know the root account password. Once you have root privileges, you can execute any command
  • Symantec 10521148 | Implementation Guide - Page 167
    install-bridge Runs the installation procedure for the Symantec Enterprise Security Architecture (SESA) bridge. SESA provides an option for centralized system knows. ■ elevate Provides a shell prompt with root account privileges, including complete access to the operating system command set.
  • Symantec 10521148 | Implementation Guide - Page 168
    the serial console" on page 152. Shuts down and powers off the appliance. See "Powering off the appliance from the serial console" on page the LCD panel. For security reasons, you should change passwords periodically for the root, secadm, and console user login accounts. This section describes the
  • Symantec 10521148 | Implementation Guide - Page 169
    do two things in preparation: ■ Make sure that the appliance host name can be resolved ■ Make the Symantec Network Security SIP file available on the SESA Manager If your Domain Name Service (DNS) server cannot resolve the appliance host name, you must provide an alternative method for the host name
  • Symantec 10521148 | Implementation Guide - Page 170
    . Making the SIP file available on the SESA manager The Symantec Network Security SIP file is available on the Management Console CD. You can access it the SESA manager. This uses the SESA integration wizard. 3 Follow the instructions in the wizard, and when it asks for the SESA Integration Package
  • Symantec 10521148 | Implementation Guide - Page 171
    " on page 77. 2 At the SNS7100> prompt, type install-bridge 3 The system warns you about stopping Symantec Network Security: To install the SESA Bridge, Symantec Network Security must be stopped and restarted. Continue installing the SESA Bridge? [y] Press Enter to continue. 4 What is the primary
  • Symantec 10521148 | Implementation Guide - Page 172
    the uninstall-bridge procedure, which uninstalls the SESA agent and related bridge software. To uninstall the SESA bridge and SESA agent, Symantec Network Security must be stopped and restarted. To uninstall the SESA bridge 1 At the SNS7100> prompt, type uninstall-bridge 2 The system warns you about
  • Symantec 10521148 | Implementation Guide - Page 173
    /opt/Symantec/sesa and press Enter. 4 Type: ./agentd -start and press Enter. Stopping the SESA agent manually You can stop the SESA agent manually from the serial console. To stop the SESA agent manually 1 Start a serial console on the appliance and log in as secadm. See "Starting a serial console
  • Symantec 10521148 | Implementation Guide - Page 174
    166 Maintaining and administering the 7100 Series Using the serial console
  • Symantec 10521148 | Implementation Guide - Page 175
    Chapter Re-imaging and unconfiguring This chapter includes the following topics: ■ About re-imaging and unconfiguring ■ Unconfiguring Symantec Network Security ■ Preparing for re-imaging ■ Setting up an Imaging Server ■ Re-imaging the appliance ■ Upgrading the console application ■ About migration
  • Symantec 10521148 | Implementation Guide - Page 176
    new Symantec Network Security package that includes the new operating system. Instructions for the Guide. Unconfiguring Symantec Network Security You can unconfigure Symantec Network Security on the appliance if you want to start over with all new settings. All existing configuration is erased
  • Symantec 10521148 | Implementation Guide - Page 177
    the pull-down list in Select Node. Click OK. 2 In Unconfigure, read the message and click Yes to unconfigure Symantec Network Security. The appliance uninstalls Symantec Network Security and reboots. After rebooting, it is ready for initial configuration. See "About initializing Symantec Network
  • Symantec 10521148 | Implementation Guide - Page 178
    using the backup facility on the console. You can use the Network Security console to copy the saved configuration to another node in the cluster or it up to a compact flash card. For directions on using the backup and secure copy facilities on the console, see "Managing log files and backups" on
  • Symantec 10521148 | Implementation Guide - Page 179
    are detailed below. Note: To boot from compact flash you must insert the bootable compact flash card into the CF adapter before rebooting or powering the appliance on. Creating a bootable compact flash via the serial console You can use the serial console on the 7100 Series to create a bootable
  • Symantec 10521148 | Implementation Guide - Page 180
    the computer even before the software is installed from the Recovery Software CD. The USB driver is not provided on the Recovery Software CD. A manually created Imaging Server allows access to files installed on it from the Recovery Software CD, including the bootable CF image. An automatic Imaging
  • Symantec 10521148 | Implementation Guide - Page 181
    CF adapter. Setting up an Imaging Server You can use the Symantec Network Security Recovery Software CD to create an Imaging Server in two ways. The easiest conforms to certain hardware requirements. The alternative method is to manually create an Imaging Server on a RedHat Linux system by
  • Symantec 10521148 | Implementation Guide - Page 182
    as an Imaging Server by following the manual setup process. See "Setting up a . 4 When the Symantec Network Security Appliance License and Warranty Agreement is instructions, while pressing space to continue. The instructions tell you how to connect the Imaging Server to the appliance, and then guide
  • Symantec 10521148 | Implementation Guide - Page 183
    with RedHat Linux 8.0 or 9.0, you can load all the other required software from the Recovery Software CD provided with the Symantec Network Security 7100 Series appliance. See the following section: ■ Installing the Recovery Software CD onto the Imaging Server Installing the Recovery Software CD
  • Symantec 10521148 | Implementation Guide - Page 184
    copies the following files from the CD into these locations: /etc/dhcpd.conf /etc/xinetd.d/tftp 10 The script starts the dhcpd, xinetd, and nfs services that will be needed during imaging. 11 The script copies all files from /mnt/cdrom/home/bto into the /home/bto directory on the Imaging
  • Symantec 10521148 | Implementation Guide - Page 185
    Re-imaging and unconfiguring 177 Setting up an Imaging Server Connecting the Imaging Server to a 7120 Connect the 7120 to the Imaging Server using a crossover cable or a network device such as a hub or switch. To cable the Imaging Server directly to a 7120 1 Plug one end of the provided 10/100Base-T
  • Symantec 10521148 | Implementation Guide - Page 186
    178 Re-imaging and unconfiguring Re-imaging the appliance 2 Connect a second Ethernet cable from the left-most, top, RJ45 port (port 0) on the 7160 to the hub or switch. Note: If you use a switch, configure it so that the two ports can pass network traffic between them. 3 Confirm that the link light
  • Symantec 10521148 | Implementation Guide - Page 187
    . You can do this from the LCD panel or serial console. See "Powering off the appliance" on page 152. 5 Insert the bootable compact flash into the appliance. 6 Connect the Imaging Server to your Symantec Network Security 7100 Series appliance. See "Connecting the Imaging Server to the appliance" on
  • Symantec 10521148 | Implementation Guide - Page 188
    fifteen minutes, and must not be interrupted. Your appliance is now re-imaged and you may proceed with initial configuration. See "About initializing Symantec Network Security" on page 67. Note: The default password for a re-imaged appliance is Symantec
  • Symantec 10521148 | Implementation Guide - Page 189
    is a new release of the Network Security console. You can download the upgrade package from the Symantec support Web site www.symantec.com/techsupp. for instructions. See the Symantec Network Security Administration Guide for more information. About migration The Symantec Network Security 7100
  • Symantec 10521148 | Implementation Guide - Page 190
    182 Re-imaging and unconfiguring About migration
  • Symantec 10521148 | Implementation Guide - Page 191
    from the Symantec Knowledge Base. To access Symantec Network Security 7100 Series troubleshooting information 1 Go to www.symantec.com. 2 Click support. 3 Under Product Support, click enterprise. 4 Under Technical Support, click knowledge base. 5 Under Intrusion Detection, expand Symantec Network
  • Symantec 10521148 | Implementation Guide - Page 192
    184 Troubleshooting Accessing troubleshooting information ■ On the Browse tab, expand a category to see a list of knowledge base articles related to that topic. Click an article to view it.
  • Symantec 10521148 | Implementation Guide - Page 193
    Product certifications Product Specifications Table B-1 provides information about product specifications for models 7120, 7160, and 7161 of the Symantec Network Security 7100 Series appliance. Table B-1 7100 Series specifications Parameter 7120 7160 7161 Length 43.18 cm (17 in) 61 cm (24
  • Symantec 10521148 | Implementation Guide - Page 194
    60 Hz 50/60 Hz Maximum power capability 430 W 800 W 800 W Typical power 190 W draw 240 W 240 W Safety guidelines For your protection, read and follow all safety instructions for the Symantec Network Security 7100 Series before use. ■ Instructions Read and understand all safety and operating
  • Symantec 10521148 | Implementation Guide - Page 195
    and be easily accessible. Warning: The power cord must be plugged into a properly wired, grounded outlet. Do not use an extension cord. Warning: To reduce the risk of electrical shock, do not disassemble the appliance. Return it to Symantec if servicing is required. Opening or removing covers may
  • Symantec 10521148 | Implementation Guide - Page 196
    around the appliance. ■ Ensure that electrical circuits are not overloaded. Consider the power ratings of all connected equipment and ensure that you have overcurrent protection. Product certifications The Symantec Network Security 7100 Series appliances are designed to meet the following regulatory
  • Symantec 10521148 | Implementation Guide - Page 197
    ■ EN61000-4-4 (1995), EFT/Burst: 1kV Power, 0.5 kV Signal Cables ■ EN61000-4-5 (1995), Surge: 1kV (L-L), 2 kV (L-G) ■ EN61000-4-6 (1996), Conducted RF Immunity: 3V, 150 kHz - 80 MHz ■ EN61000-4-11 (1994): >95%/0.5T, 30%/25T, >
  • Symantec 10521148 | Implementation Guide - Page 198
    190 Specifications and safety Product certifications
  • Symantec 10521148 | Implementation Guide - Page 199
    topics: ■ About the removable hard drive ■ Removing the hard drive About the removable hard drive This service manual provides instructions for removing the hard drive from the Symantec Network Security 7100 Series appliance models 7160 and 7161. The 7160 and 7161 have a hard drive that you can
  • Symantec 10521148 | Implementation Guide - Page 200
    Service Manual Removing the hard drive The pullout panel provides a convenient way to extract the hard drive before shipping the appliance to Symantec for support wristband to ground yourself. To remove the hard drive 1 Shut down and power off the appliance by doing one of the following: ■ On the LCD
  • Symantec 10521148 | Implementation Guide - Page 201
    4 Optionally remove the appliance from the rack and turn it upside down. 5 away from the appliance. It remains attached to the appliance interior with a safety strap. 7 Detach the power cable from the hard drive. 8 Detach the IDE cable from the hard drive.
  • Symantec 10521148 | Implementation Guide - Page 202
    9 Using a Phillips screwdriver, loosen the four screws that are holding the hard drive in place. Be sure to leave the metal
  • Symantec 10521148 | Implementation Guide - Page 203
    62 in-line mode 64 passive mode 64 power 66 power supplies 28 removable drive 27 A account root 158 secadm 158 adding appliance 187 host 89 advanced network options 104, 106, 147 alarm 62, 66 power supply 28, 55, 63 alert security 3 alerting capabilities 31 mode 31 alerts in passive mode 30 analysis
  • Symantec 10521148 | Implementation Guide - Page 204
    2 Index B backup CF 145 data included 140 file format 140 file location 140 file size 144 node configuration 141 onto CF 144 bandwidth multiple sensor processes 132 Base-SX 11, 21, 64, 185 Base-T 11, 18, 19, 21, 36 bypass unit port 37, 52, 60 Base-TX 35 bypass unit port 37, 52, 60 blocking enabling/
  • Symantec 10521148 | Implementation Guide - Page 205
    170 slave node, LCD 72 slave node, serial 80 console.See Network Security console; serial console copper gigabit on bypass unit 36 ports 35 correlation 127 105, 161 documentation about the set of 13 about this guide 11 on Web 14 Domain Name Service. See DNS DoS attacks 9, 10 duplex 38 E editing
  • Symantec 10521148 | Implementation Guide - Page 206
    mode 38 bypass unit 35 deployment 35 online mode 38 failover group 104 failure and bypass mode 38 and fail-open 35 causes alarm 28 power supply 28 temperature related 25 fiber interfaces on 7161 20 forcing link parameters 38 fulfillment ID 99, 133 G gateway 70 default 147 generating reports 129
  • Symantec 10521148 | Implementation Guide - Page 207
    sensor on, for bypass unit 38 starting sensor on 115 status 134 installation about 45 in four-post rack 47 in two-post rack 46 power 54, 62, 66 rack mounting 46 installation See also cabling interface about 106 adding 108 editing 108 high bandwidth on 132 in-line pairs 32
  • Symantec 10521148 | Implementation Guide - Page 208
    Security 150 status 131 stopping Network Security 149 unconfiguring Network Security installing on slave 96 requesting 94, 95 support 99 Symantec serial number 94 Symantec System ID in policy 121 viewing rules for 118 login default account 158 root account 158 to Imaging Server 175 to install on
  • Symantec 10521148 | Implementation Guide - Page 209
    , 109 NAT 71 private for imaging 175 segments, passive monitoring 30 SESA 42 topology 101 traffic in bypass unit 38 Index 7 traffic rate 98 Network Security console about 10, 85 connecting to administration IP 89 connecting to node 70, 72, 78, 79 deployment 42 installing on Linux 88 installing on
  • Symantec 10521148 | Implementation Guide - Page 210
    online mode 39 log and database 139 Network Security 124 search, in policy 120 status 132 verify default 68 elevate 159 entering on LCD 71 erase all 168 for serial console 76 in configuration 28 safety warnings 186, 187 power supplies alarm 28 dual redundant 28 powering off before initial config 54,
  • Symantec 10521148 | Implementation Guide - Page 211
    188 warnings 186 SCP destination 139 log rotation 139 logs 138 target host 138 search in policy 120 parameters 119 secadm account 158 commands 158 secure copy. See SCP Security Updates 43 sensor multiple at high bandwidths 132 one for interface group 34 protection policy required to start 115
  • Symantec 10521148 | Implementation Guide - Page 212
    powering off node 153 rebooting Network Security 152 restarting Network Security 151 secadm commands 158 shutting down node 153 starting Network Security 150 starting SESA agent 165 stopping Network Security deployment 42 installing bridge 163 manual agent start 165 manual agent stop 165 preparing
  • Symantec 10521148 | Implementation Guide - Page 213
    interface 108 temperature appliance LED 25 operating 185 storage 185 topology network 101 troubleshooting 183 U unapplying policies before deleting 124 protection policy 118 unconfigure 168 about 167 from Network Security console 168 on LCD 169 on serial console 170 unlocking changing LCD password
  • Symantec 10521148 | Implementation Guide - Page 214
    12 Index

Symantec™ Network Security
7100 Series Implementation
Guide