AIG Stonesoft 1301


  • 8/10/2019 AIG Stonesoft 1301


    Appliance Installation Guide

    Stonesoft 1301


    Legal Information

    End-User License Agreement

    The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:

    www.stonesoft.com/en/support/eula.html

    Third Party Licenses

    The Stonesoft software includes several open source or third-party software packages. The appropriate software licensing information for those products can be found at the Stonesoft website:

    www.stonesoft.com/en/customer_care/support/third_party_licenses.html

    U.S. Government Acquisitions

    If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (DoD), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (DFAR) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (FAR). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

    Product Export Restrictions

    The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

    General Terms and Conditions of Support and Maintenance Services

    The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:

    www.stonesoft.com/en/customer_care/support/

    Replacement Service

    The instructions for replacement service can be found at the Stonesoft website:

    www.stonesoft.com/en/customer_care/support/rma/

    Hardware Warranty

    The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:

    www.stonesoft.com/en/customer_care/support/warranty_service/

    Trademarks and Patents

    The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1231754, 1259028, 1271283, 1289183, 1289202, 1304830, 1304849, 1313290, 1326393, 1361724, 1379037, and 1379046 and US Patent Nos. 6,650,621; 6,856,621; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,325,248; 7,360,242; 7,386,525; 7,406,534; 7,461,401; 7,573,823; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

    Disclaimer

    Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

    Copyright 2013 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

    Revision: AIG_Stonesoft_1301_20131211


    Introduction

    Thank you for choosing a Stonesoft appliance. This guide provides instructions for the initial hardware installation and the maintenance of the Stonesoft 1301 appliances. See Product Documentation (page 5) for information on other available documentation.

    The use of the appliance is subject to the acceptance of the End User

    License Agreement, which can be found at the Stonesoft website.

    Contents

    Installation Procedure .................. 4

    Product Documentation ................ 5

    Safety Precautions ....................... 5

    Unpacking the Appliance .............. 8

    Front Panel .................................. 9

    Back Panel .................................. 10

    Installing the Solid State Disk ....... 11

    Installing the Interface Module...... 12

    Rack-Mounting............................. 13

    Connecting the Cables ................. 18

    Initial Configuration ...................... 21

    Maintenance Operations............... 31

    Disposal Instructions ................... 35

    Caution: Read the Safety Precautions (page 5) before you conduct any installation or maintenance operations on the appliance.

    Installation Procedure

    The appliance installation involves the following mandatory steps:

    1. Configure the Security Engine element (Firewall, IPS, or Layer 2 Firewall) in the Management Client, and save the initial configuration on a USB stick. See the Firewall Installation Guide or the IPS and Layer 2 Firewall Installation Guide.

    2. If the Solid State Disk (SSD) is not pre-installed in the appliance, install the SSD. See Installing the Solid State Disk (page 11).

    3. Install the interface module in the appliance. See Installing the Interface Module (page 12).

    4. Install the appliance into a rack and connect the cables. See Rack-Mounting (page 13) and Connecting the Cables (page 18).

    5. Insert the USB memory stick into a USB port on the appliance, and turn on the appliance to import the initial configuration. See Initial Configuration (page 21).

    Note: You must have a working Management Center on a separate server to bring the appliance(s) operational. See the Stonesoft Management Center Installation Guide.

    [Figure: installation workflow. Labels: Management Client; Management Server; Initial Configuration File; USB Stick; Appliance / SSD; Appliance / Interface Module; Appliance / USB Stick.]

    Product Documentation

    Press F1 in any Management Client window to view the Online Help.

    All PDF guides are available:

    - On the Management Center DVD (in the Documentation folder)

    - At the Stonesoft website at https://www.stonesoft.com/en/customer_care/documentation/current/.

    Install the free Adobe Reader program to view the PDF documents (available at www.adobe.com/reader/).

    Safety Precautions

    The following safety information and procedures must be followed whenever working with electronic equipment. However, please be advised that Stonesoft appliances are not end-user serviceable, and you must never open the appliance covers for any reason. Doing so may lead to serious injury and will void any hardware warranty that may be associated with your appliance.

    Electrical Safety Precautions

    Basic electrical safety precautions should be followed to protect yourself from harm and the appliance from damage:

    - Be aware of the locations of the power on/off switch as well as the room's emergency power-off switch, disconnection switch, or electrical outlet. If an electrical accident occurs, you can then quickly cut power to the system.

    - Do not work alone when working with high-voltage components.

    - Use only one hand when working with powered-on electrical equipment. This is to avoid making a complete circuit, which will cause electrical shock. Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards they come into contact with.

    - Do not use mats designed to decrease electrostatic discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.

    - The power supply cord must include a grounding plug and must be plugged into a grounded electrical outlet.

    General Safety Precautions

    Follow these rules to ensure general safety:

    - Keep the area around the appliance clean and free of clutter.

    - We recommend using a regulating uninterruptible power supply (UPS) to protect the appliance from power surges and voltage spikes, and to keep your system operating in case of a power failure.

    Power Supplies

    Appliances with DC Power Supply

    - The appliance must be used in a restricted access location and the users must be well-trained to operate it.

    - The socket-outlet for pluggable equipment must be installed near the equipment and must be easily accessible.

    - The appliance inlet must have SPS approval or have, at minimum, a 15 AWG wire provided for the power supply.

    - The mains supply plug on the power supply cord is the disconnect device of the appliance. To disconnect the appliance, you must first disconnect the mains and then disconnect the ground.

    Appliances with AC Power Supply

    The appliance inlet is the disconnect device.

    Caution: Never open the appliance covers! There are no user serviceable parts inside. Opening the covers may lead to serious injury and will void the warranty.

    ESD Precautions

    Electrostatic discharge (ESD) is generated by two objects with different electrical charges coming into contact with each other. An electrical discharge is created to neutralize this difference, which can damage electronic components and printed circuit boards. Use a grounded wrist strap designed to prevent static discharge.

    Laser Precautions

    Class 1 Laser Product.

    Caution: Invisible laser radiation is emitted from the end of the fiber-optic cable and from the fiber port. Do not stare into the beam and avoid direct exposure to the beam.

    Operating Precautions

    Care must be taken to ensure that the cover is in place when the appliance is operating to ensure proper cooling. If this rule is not strictly followed, the warranty may become void. Do not open the power supply casing. Power supplies can only be accessed and serviced by a qualified technician of the manufacturer.

    Operating and Storage Temperatures

    The allowed operating temperature of the appliance and the interface module is +5...+35°C. The allowed storage temperature is -20...+65°C. Do not operate or store the appliance or the module in temperatures outside these limits. If the appliance or the module have been stored in temperatures below 0°C or above +40°C, allow for 2 hours to bring the appliance and the module to normal operating temperature before turning on the appliance. Otherwise, the appliance or the module may be damaged.

    Note: Use a UPS (Uninterruptible Power Supply) in critical environments with your Stonesoft appliance. If after a brief power outage your Stonesoft appliance only partially starts up (for example, the power light is on, but the appliance does not connect), turn the appliance off for five seconds and then back on.

    Lithium Battery Precautions

    Caution: The battery must be replaced by authorized service personnel only. There is a risk of explosion if the battery is incorrectly replaced. The replacement battery must be the same as or the equivalent to the type recommended by the manufacturer. Used batteries must be discarded according to the manufacturer's instructions. Short-circuiting the battery may heat the battery and cause severe injuries.

    For California: Perchlorate Material - special handling may apply. See www.dtsc.ca.gov/hazardouswaste/perchlorate. This notice is required by California Code of Regulations, Title 22, Division 4.5, Chapter 33: Best Management Practices for Perchlorate Materials. This product/part includes a battery that contains Perchlorate material.

    Unpacking the Appliance

    Inspect the box the appliance was shipped in and note if it was damaged in any way. If the Solid State Disk (SSD) is not pre-installed in the appliance, the SSD is delivered in a separate box. The interface module is always delivered in a separate box. Note if any of the boxes are damaged in any way. If the appliance itself or any components delivered with the appliance show any damage, file a damage claim with the carrier who delivered the appliance or the components.
    Front Panel

    [Figure: front panel. Labels: interface module; fixed Ethernet ports; serial console port; two USB ports; power button; warning and disk activity indicators.]

    The connectors are explained in detail in Connecting the Cables (page 18). The front panel indicator lights are explained below. See the separate Interface Module Guide delivered with the appliance for information on the port indicators for the interface module.

    Power, Warning, and Disk Activity Indicators

    [Figure: front panel indicators. Labels: Disk Activity; Warning; Power.]

    Table 1 Power, Warning, and Disk Activity Indicators

    Indicator      Status   Explanation
    Power          Green    Indicates power is being supplied to the system's power supply unit. This LED is illuminated when the system is operating normally.
                   Yellow   The appliance is in standby mode.
    Warning        Red      Overheat alert. Blinks on fan failure.
    Disk Activity  Green    Indicates Solid State Disk (SSD) activity when flashing.

    Fixed Ethernet Ports

    [Figure: fixed Ethernet port indicators. Labels: Link; Activity.]

    Table 2 Indicators for Fixed Ports

    Indicator  Status  Explanation
    Activity   Green   Link ok, blinks on activity.
    Link       Green   1 Gbps link.
               Amber   100 Mbps link.

    Back Panel

    [Figure: back panel. Labels: AC or DC power connector; Solid State Disk (SSD) Drive; Disk; Power.]

    The indicators for the Solid State Disk (SSD) Drive are explained below.

    Table 3 SSD Drive Indicators

    Indicator  Status  Explanation
    Power      Blue    A Solid State Disk is in the drive.
    Disk       Unlit   This indicator is not currently used.

    Installing the Solid State Disk

    If the Solid State Disk (SSD) is not pre-installed in the appliance, you must first install the SSD.

    Caution: We recommend using a grounding strap when handling an SSD. Uninstalled SSDs are sensitive to ESD damage.

    To install the Solid State Disk

    1. Locate the Solid State Disk included in the delivery package.

    2. Locate the Solid State Disk drive on the appliance's back panel (see the illustration in Back Panel (page 10)).

    3. Press the release button on the Solid State Disk to release the lever on the disk.

    4. Insert the disk into the drive.

    5. Press the lever down to lock the disk into position.

    [Figure: Solid State Disk. Labels: Release button; Lever.]

    Proceed to Installing the Interface Module (page 12).

    Installing the Interface Module

    This section provides information on installing an interface module into the appliance. You must install the interface module before you can configure the appliance. The process of installing the interface module is the same for all module types.

    Read the Safety Precautions (page 5) before proceeding.

    Caution: Do not install or remove the interface module if the appliance is powered on to avoid damaging the module and the modular appliance.

    Caution: Do not insert the interface module upside down. Inserting the module incorrectly may damage the appliance and the module and will void the warranty.

    To install the interface module

    1. Make sure that the appliance is turned off and that no cables are connected to the appliance or to wall outlets.

    2. (Recommended) Fasten a grounding strap to your wrist so that it contacts your bare skin and attach the other end of the strap to the appliance.

    3. Push the module into the slot with the sticker side up until the front panel of the module is even with the front panel of the appliance.

    Proceed to Rack-Mounting (page 13).

    Rack-Mounting

    This section provides information on installing the Stonesoft appliance into a rack unit. You can install the appliance into a two-post or a four-post rack unit.

    Caution: Read the Safety Precautions (page 5) before proceeding.

    Preparing for Rack-Mounting

    The appliance delivery includes the rail assemblies and the mounting screws you need to install the system into the rack.

    Read the sections below before you begin the installation.

    Choosing a Setup Location

    Decide on a suitable location for the rack unit that will hold the appliance:

    - The appliance must be situated in a clean, dust-free area that is well ventilated.

    - Avoid areas where heat, electrical noise, and electromagnetic fields are generated.

    - Leave enough clearance in front of the rack to enable you to open the front door completely (~63 cm/25 inches).

    - Leave enough clearance in the back of the rack to allow for sufficient airflow and ease in servicing (~76 cm/30 inches).

    Rack Precautions

    - Ensure that the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on them.

    - In a single rack installation, attach stabilizers to the rack.

    - In a multiple rack installation, couple the racks together.

    - Always make sure the rack is stable before extending a component from the rack.

    - Extend only one component at a time; extending two or more simultaneously may cause the rack to become unstable.

    Appliance Precautions

    - Determine the placement of each component in the rack before starting the installation.

    - Install the heaviest components on the bottom of the rack first, and then work up.

    - The appliance must be connected to a grounded power outlet.

    - Use a regulating uninterruptible power supply (UPS) to protect the appliance from power surges and voltage spikes, and to keep your system operating in case of a power failure.

    - Always keep the rack's front door and all panels and components on the appliances closed when not servicing to maintain proper cooling.

    Before Installing the Appliance Into a Rack

    - Make sure that the rack is securely anchored onto an unmovable surface or structure before installing the appliance into the rack.

    - Make sure that the system is adequately supported. Make sure that all the components are securely fastened to the appliance to prevent components falling off of the appliance.

    - Be sure to install an AC power disconnect for the entire rack assembly. This power disconnect must be clearly marked.

    - The rack assembly must be properly grounded to avoid electric shock.

    - The rack assembly must provide sufficient airflow to the appliance for proper cooling.

    Installing the Appliance Into a Rack

    This section provides information on installing the appliance into a rack unit. There are a variety of rack units on the market, so the assembly procedure may differ slightly from what is instructed. If necessary, refer to the instructions that came with the rack unit you are using.

    Note: Do not install the appliance upside down.

    If you are installing the appliance into a Telco-type rack, follow the general directions below. The main difference in the installation procedure is the depth of the rack and whether you are installing the appliance into a two-post rack or a four-post rack. Proceed to one of the following:

    - Installing the Appliance Into a Two-Post Rack (page 15)

    - Installing the Appliance Into a Four-Post Rack (page 16)

    Installing the Appliance Into a Two-Post Rack

    To install the appliance into a two-post rack

    1. Locate the two rack-mounting brackets that are meant for the two-post rack installation.

    2. Attach a bracket to the appliance with three screws.

    3. Repeat step 2 on the other side of the appliance.

    4. Attach each bracket to the rack with two screws through the holes in the front of the bracket: one screw through the top hole and another through the bottom hole.

    Caution: You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

    Proceed to Connecting the Cables (page 18).

    Installing the Appliance Into a Four-Post Rack

    If you are installing the appliance into a four-post rack, the rack-mounting method depends on the depth at which the brackets are attached to the rack:

    - If the depth is 40-70 cm (c. 16-28 inches), see To install the appliance with medium-length brackets below.

    - If the depth is 67-86 cm (c. 27-34 inches), see To install the appliance with long brackets (page 17).

    To install the appliance with medium-length brackets

    1. Locate the two pairs of brackets in the delivery package: two short brackets that attach to the appliance and two longer brackets that attach to the rack.

    2. Attach a short bracket to the appliance with two screws.

    3. Repeat step 2 on the other side of the appliance.

    4. Attach the two longer brackets to the back of the rack with two screws through the holes at the back of each bracket: one screw through the top hole and another through the bottom hole.

    5. Attach 2 or 3 screws with a wider head to a suitable position on the side of the appliance. These screws support the appliance when it is inserted into the rack. The number and position of the screws depend on the depth of the rack.

    6. Repeat step 5 on the other side of the appliance.

    7. Line up the screws that you have attached to the side of the appliance with the groove in the brackets attached to the rack.

    8. Slide the appliance into the brackets in the rack.

    9. Attach the appliance to the rack with two screws through the holes in the front of the shorter brackets: one screw through the top hole and another through the bottom hole.

    Caution: You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

    [Figure: medium-length brackets. Labels: This bracket attaches to the appliance; This bracket attaches to the rack.]

    Proceed to Connecting the Cables (page 18).

    To install the appliance with long brackets

    1. Locate the two pairs of brackets in the delivery package: two inner rails that attach to the appliance and two outer rails that attach to the rack.

    2. Detach the inner rails from the outer rails.

    3. Attach an inner rail to the appliance with three screws.

    4. Repeat step 3 on the other side of the appliance.

    5. Insert the outer rails to the rack. The rails are marked with L for left and R for right.

    6. Line up the rear of the inner rails with the front of the outer rails.

    7. Slide the inner rails into the outer rails, keeping the pressure even on both sides (you may have to depress the locking tabs when inserting). The rails lock when the appliance has been pushed completely into the rack.

    Caution: You must use two screws to attach each rack-mounting bracket to the rack. Using only a single screw for each bracket does not provide sufficient support and may cause damage to the appliance.

    [Figure: long brackets. Labels: Inner Rail; Outer Rail.]

    Proceed to Connecting the Cables.

    Connecting the Cables

    Ethernet Port Names

    There are two slots in the appliance. Each Ethernet port has a unique name that also indicates the slot to which the port belongs.

    - The fixed Ethernet ports eth0_0, eth0_1, eth0_2, eth0_3, eth0_4, and eth0_5 belong to slot 0.

    - The ports in the interface module belong to slot 1. The port numbers start from 0 and increase from left to right. For example, the port farthest to the left in slot 1 is eth1_0.

    Connecting the Cables

    To connect network cables

    - Connect network cables to the Ethernet ports.

    You are free to choose which Ethernet ports you connect to which network. The Ethernet ports are mapped to Interface IDs during the initial configuration. See the next section for information on connecting network cables to SFP ports of an SFP interface module.

    [Figure: front panel connectors. Labels: two USB ports; serial port; Slot 0: fixed Ethernet ports eth0_0 - eth0_5; Slot 1: interface module (number of ports depends on module type).]

    Connecting Cables to SFP Ports

    If you have installed an SFP interface module on the appliance, you can use the ports on the module as either copper or fiber ports by inserting a small form-factor pluggable (SFP) transceiver for copper or fiber-optic cables into the ports.

    To connect cables to SFP ports

    1. Insert the SFP transceiver in the port slot until you feel the connector on the transceiver snap into place. The illustration below shows the correct position of inserting the transceiver.

    2. If the SFP transceiver has a rubber plug, remove the plug after inserting the transceiver in the slot.

    3. Connect the copper or fiber-optic cable to the SFP transceiver.

    Note: When the appliance is powered and you need to unplug it, always wait at least five (5) seconds before plugging in the appliance again. Otherwise, the appliance may not have time to clear properly and fails to start.

    [Figure: inserting an SFP transceiver. Labels: SFP transceiver for copper cable; SFP transceiver for fiber-optic cable; Rubber plug.]

    Note: Make sure that the latch on the SFP transceiver is up (see the illustration above) when you insert the SFP transceiver in the port slot.

    Note: Each SFP port must match the wavelength specifications at the other end of the cable. The cable must not exceed the stipulated cable length for reliable communications.

    Cable Types

    Make sure that the copper cables you use are correctly rated (CAT 5e or CAT 6 in gigabit networks).

    (IPS and Layer 2 Firewall only) Always use standard cabling methods with inline IPS or Layer 2 Firewalls: use crossover cables to connect the appliance to hosts and straight cables to connect the appliance to switches/hubs. See the IPS and Layer 2 Firewall Reference Guide for more information on cabling.

    Speed/Duplex Settings

    Network cards at both ends of each cable must have identical speed/duplex settings. This also applies to the automatic negotiation setting: if one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate. Gigabit standards require interfaces to use autonegotiation; fixed settings are not allowed at gigabit speeds.

    (IPS and Layer 2 Firewall only) The speed/duplex settings of inline interfaces must be matched on both links within each inline interface pair (identical settings on all four interfaces) instead of just matching settings at both ends of each cable (two + two interfaces). If one of the links has a lower maximum speed than the other link, the higher-speed link must be set to use the lower speed.

    Connecting the Appliance to the Power Supply

    Note: Standby power is supplied to the system even when the appliance is turned off.

    To connect the appliance to the power supply

    1. Connect the power cable to the AC or DC power connector on the back of the appliance.

    2. Plug the power cord into a grounded, high-quality power strip that offers protection from electrical noise and power surges.

    We highly recommend using an uninterruptible power supply (UPS) to ensure continuous operation and minimize the risk of damage to the appliance in case of sudden loss of power.

    See Safety Precautions (page 5) for more information on the AC and DC power supplies.

    Proceed to Initial Configuration (page 21).

    Initial Configuration

    Your appliance comes pre-loaded with Stonesoft Security Engine software. If you have a Security Engine license, you can configure the engine in any of the three Security Engine roles (either as a Firewall/VPN, IPS, or Layer 2 Firewall engine). If you have a license for a specific type of engine (Firewall/VPN or IPS), you can only use the engine in that specific role.

    Before a policy can be loaded on the appliance, you must configure some permanent and some temporary network settings for the engine. To successfully complete the configuration:

    - The Security Engine element (Firewall, IPS, or Layer 2 Firewall) must be defined in the Management Center.

    - You must have the following engine-specific information from the Management Server: a one-time password or a saved initial configuration file on a USB stick.

    See the Firewall/VPN Installation Guide or the IPS and Layer 2 Firewall Installation Guide for details.

    Connecting to the Appliance

    You do not need to connect to the appliance at this point if you want to configure the engine automatically with a USB stick (as explained in Configuring the Engine Automatically (page 22)), and you are not interested in the console messages that are displayed during this process.

    In other cases, you need a physical connection to the appliance using a monitor and keyboard or a serial cable connection from a computer with a terminal program. By default, the monitor and keyboard connection is enabled and the serial console is inactive. If you want to use a serial connection, follow the instructions directly below. To use a monitor and keyboard, just boot up the appliance.

    To connect using a serial cable1. Connect the serial cable supplied with the appliance to a computer

    and to the serial port on the appliances front panel.

    2. On the computer, open a terminal with the following settings:9600 bps, 8 databits, 1 stopbit, no parity.

    3. Power on the appliance.

    Note The appliance must contact the Management Server before it

    can be operational.


    4. Press a key on your keyboard when you see Press any key. The message is shown four times. If you do not press a key within this time, the serial console remains inactive and you must reboot the appliance to try again.

    5. A list of the appliance partitions is shown. The currently active partition is highlighted.

    6. Press Enter. A list of available commands opens.

    7. Select Switch to Serial Console and press Enter. The appliance boots up with the serial console activated.

    The keyboard and display console is now inactive and must be activated in a similar way before you can use it.

    To define two active consoles, use the command sg-bootconfig. For usage, see Command Line Tools in the Firewall/VPN Reference Guide, IPS and Layer 2 Firewall Reference Guide, or the Stonesoft Administrator's Guide.
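    The serial procedure above, as an added example that is not part of the original guide or of Stonesoft's own tooling: a Python script that opens the port at 9600 bps, 8 databits, 1 stopbit, no parity and answers the Press any key prompt so that it is not missed during boot. The device path /dev/ttyUSB0, the pyserial dependency, and the replayed boot text are assumptions; only the prompt wording and the line settings come from the guide.

```python
# Added example: answer the boot-time "Press any key" prompt over serial.
# Assumptions (not from the guide): pyserial is installed, the adapter is
# /dev/ttyUSB0, and the boot text fed to ReplayPort is constructed sample data.

PROMPT = b"Press any key"  # prompt wording quoted in the guide


def open_console(device="/dev/ttyUSB0"):
    """Open the serial port with the guide's settings: 9600 bps, 8N1."""
    import serial  # third-party pyserial, imported only when hardware is used

    return serial.Serial(
        port=device,
        baudrate=9600,
        bytesize=serial.EIGHTBITS,
        parity=serial.PARITY_NONE,
        stopbits=serial.STOPBITS_ONE,
        timeout=1,  # read() returns after 1 s even if nothing arrived
    )


def answer_boot_prompt(port, max_reads=300):
    """Read console output until PROMPT appears, then send one keypress.

    Returns (answered, transcript). Output is accumulated in one buffer,
    so a prompt that arrives split across two reads is still detected.
    """
    transcript = bytearray()
    for _ in range(max_reads):
        transcript.extend(port.read(64))
        if PROMPT in transcript:
            port.write(b" ")  # any key is accepted; space is an arbitrary choice
            return True, bytes(transcript)
    return False, bytes(transcript)


class ReplayPort:
    """Stand-in for a serial port that replays constructed boot output."""

    def __init__(self, data, chunk=5):
        self._data = data
        self._chunk = chunk  # small chunks force the prompt to span reads
        self.sent = b""

    def read(self, size):
        n = min(size, self._chunk)
        out, self._data = self._data[:n], self._data[n:]
        return out

    def write(self, data):
        self.sent += data
        return len(data)


if __name__ == "__main__":
    sample = b"Booting...\r\nPress any key\r\n"  # constructed sample output
    answered, seen = answer_boot_prompt(ReplayPort(sample))
    print("prompt answered:", answered)
```

    On real hardware, pass the object returned by open_console() in place of ReplayPort.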

    There are two ways to configure the engine software.

    • You can configure the engine automatically with a USB stick. See Configuring the Engine Automatically below.

    • If the automatic configuration is not possible or desired, you can use the Engine Configuration Wizard. See Using the Engine Configuration Wizard (page 23).

    Configuring the Engine Automatically

    The automatic configuration requires that you have a suitable configuration saved on a USB stick. See the Firewall/VPN Installation Guide, the IPS and Layer 2 Firewall Installation Guide, or the Stonesoft Administrator's Guide.

    If you want to check the configuration before it is activated, follow the instructions in Using the Engine Configuration Wizard (page 23), and import the configuration manually.

    To import and activate a configuration from a USB stick

    1. Insert the USB stick that contains the configuration saved in your Management Client in one of the USB ports on the appliance.

    Caution: (IPS and Layer 2 Firewall only) The speed/duplex settings of a pair of inline interfaces must match the speed/duplex settings of both links within each inline interface pair (identical settings on all four interfaces). If the settings are not identical, use the Engine Configuration Wizard to set the correct speed/duplex settings for the inline interfaces.


    2. Power on the appliance. The appliance automatically imports the configuration from the USB stick and then tries to make initial contact with the Management Server.

    If the connection is successful, the appliance automatically reboots itself and the engine configuration is finished.

    If you configure the engine with a USB stick, you must set a password for the root account in the Management Client to enable command line access to the engine. If you want to allow remote access to the engine using SSH, enable the SSH daemon for the engine in the Management Client. See the Stonesoft Administrator's Guide for more information.

    Proceed to After Successful Management Server Contact (page 30).

    If the Automatic Configuration Fails

    • If the automatic configuration fails, and you do not have a display connected, you can check for the reason in the log (sg_autoconfig.log) written to the USB stick.

    • If you see a connection refused error message, ensure that the Management Server IP address is reachable from the engine and check the IP addresses you have defined in the Management Client.

    • If the configuration with the USB stick still does not succeed, follow the instructions for the manual configuration. See Using the Engine Configuration Wizard below.

    Using the Engine Configuration Wizard

    You can use the Engine Configuration Wizard with all Management Center and engine versions. If you have saved the initial configuration on a USB stick, you can import it in the Engine Configuration Wizard to reduce typing.

    To start the Engine Configuration Wizard

    1. Connect the appliance to a computer using the serial cable supplied with the appliance.

    2. On the computer, open a terminal with the following settings: 9600 bps, 8 databits, 1 stopbit, no parity.

    3. Turn on the appliance using the power button. The engine bootup process is shown in the console.

    4. The appliance automatically tries to connect to the Stonesoft Installation Server in preparation for plug-and-play configuration.

    5. The following message is displayed:

        Stonesoft Security Engine is trying to connect to the Stonesoft Installation Server.
        Do you want to stop this process?
        N)o to log in and leave the process running.
        Y)es to stop the process and start the Security Engine configuration wizard.
        Please answer Y or N.

    6. Type Y and press Enter to stop the process of contacting the Installation Server, as plug-and-play configuration is not supported on 1301 appliances. After some time, the Engine Configuration Wizard starts.

    To select the Security Engine role

    1. Make sure that Role is selected on the Welcome page and press Enter. The Security Engine Role dialog opens.

    2. Select the role for the Security Engine:

    • If you have a Security Engine license, you can select any of the Security Engine roles. The role must correspond to the engine element (Firewall, Layer 2 Firewall, or IPS) that you defined in the Management Client. You can later change the engine's role. See the Stonesoft Administrator's Guide for more information.

    • If you have a license for a specific type of engine (Firewall/VPN or IPS), you must select the role that corresponds to the type of license you have.

    3. Press Enter. The role-specific Engine Configuration Wizard starts.

    To select the configuration method

    1. Do one of the following:

    • To import a saved configuration, highlight Import using the arrow keys and press Enter.

    • To skip the import, highlight Next and press Enter.

    2. If you selected the Import option, select the configuration file.

    Note: You can (re)start the Engine Configuration Wizard at any time using the sg-reconfigure command on the engine command line.


    To set the keyboard layout

    1. Highlight the entry field for Keyboard Layout using the arrow keys and press Enter. The Select Keyboard Layout dialog opens.

    2. Highlight the correct layout and press Enter.

    Tip: Type in the first letter to move forward more quickly in the list of keyboard layouts.

    Note: If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

    To set the engine's timezone

    1. Highlight the entry field for Local Timezone using the arrow keys and press Enter.

    2. Select the correct timezone in the dialog that opens.

    To set the rest of the OS settings

    1. Type in the name of the Firewall, IPS, or Layer 2 Firewall.

    2. Type in the password for the user root. This is the only account for engine command line access.

    3. (Optional) Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to the engine command line using SSH.

    4. Highlight Next and press Enter. The Configure Network Interfaces page opens.

    Note: The timezone setting only affects the way the time is displayed on the engine command line. The actual operation always uses UTC time.

    Note: The appliance's clock is automatically synchronized with the Management Server's clock.

    Note: It is not necessary to enable the SSH daemon now for ongoing management, as this option can also be set through the Management Client. We recommend that you enable the SSH access in the Management Client when needed and then disable the access again when you are done.


    Configuring the Network Interfaces

    To map the physical interfaces to interface IDs

    1. Type in the Interface IDs to define how physical interfaces are mapped to the Interface IDs you defined for the Security Engine element in the Management Client. Ethernet ports are detailed in Connecting the Cables (page 18).

    2. Highlight the Media column and press Enter to match the speed/duplex settings to those used in each network.

    • Make sure that the speed/duplex settings of network cards are identical at both ends of each cable.

    • (IPS and Layer 2 Firewall only) Also make sure that the speed/duplex settings of the inline interfaces match the speed/duplex settings of both links within each inline interface pair.

    3. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server.

    4. (Optional, IPS only) Highlight Initial Bypass and press Enter if you want to set the IPS engine temporarily to the initial bypass state and define one or more soft-bypass interface pairs through which traffic flows.

    Note: The illustrations below show examples of configuring network interfaces. The number of network interfaces and the drivers depend on the network interface module in the appliance.

    Note: The Management interface must be the same interface that you selected as the Primary Control Interface for the Firewall, IPS, or Layer 2 Firewall element in the Management Center.


    Setting the appliance to the initial bypass state can be useful during IPS appliance deployment if bypass network interface pairs on the appliance are in the Normal mode. Initial bypass allows traffic to flow through the IPS appliance until the initial configuration is ready and an IPS policy is installed on the appliance. Do not set the initial bypass state when the bypass network interface pairs are in the Bypass mode.

    In the illustration below, eth1_0 is soft-bypassed with eth1_1.

    5. Highlight Next and press Enter to continue.

    Contacting the Management Server

    The Prepare for Management Contact page opens. If the initial configuration was imported in the Engine Configuration Wizard, most of this information is filled in.

    This task has three parts. First, you activate an initial configuration on the Security Engine.

    • The initial configuration contains the information that the engine needs to connect to the Management Server for the first time.

    • The initial configuration is replaced with a working configuration when you install a Policy from the Management Server on this engine using the Management Client.

    To activate the initial configuration

    1. Highlight Switch Engine Node to Initial Configuration and press the spacebar to activate.


    2. Fill in according to your environment. The information must match what you defined for the Firewall, IPS, or Layer 2 Firewall element (Primary Control IP Address).

    If the engine and the Management Server are on the same network, you can leave the Gateway to Management field empty.

    The initial configuration contains a simple policy that allows only administration-related connections and blocks everything else.

    In the second part of the configuration, you define the information needed for establishing a connection between the engine and the Management Server.

    To fill in the Management Server information

    1. Highlight Contact and press the spacebar to activate.

    2. Fill in the Management Server IP address and the one-time password that was created for this engine when you saved the initial configuration.

    If you do not have a one-time password for the Security Engine, see the Firewall/VPN Installation Guide or the IPS and Layer 2 Firewall Installation Guide for instructions on how to save an initial configuration.

    3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). Filling it in increases the security of the communications.

    4. Highlight Finish and press Enter.

    The engine now tries to make initial Management Server contact.

    • If you see a connection refused error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. Save a new initial configuration if you are unsure of the password.

    • If the engine is unable to contact the Management Server, make sure that there are no networking problems, and that all information defined in the Security Engine element corresponds to what you entered in the Engine Configuration Wizard. If NAT is in use, also make sure that you have configured contact addresses for NAT as explained in the Firewall/VPN Installation Guide or the IPS and Layer 2 Firewall Installation Guide.

    After Successful Management Server Contact

    After you see a notification that Management Server contact has succeeded or the appliance has rebooted itself after configuration with a USB stick, the Security Engine installation is complete and the engine is ready to receive a policy. After some time, the engine's status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected, indicating that the Management Server can connect to the node.

    The next step is creating a security policy and installing it on the engine. See the Online Help of the Management Client for detailed instructions.

    Note: Once initial contact has been made, the engine receives a certificate from the Management Center for authentication. If the certificate is deleted or expires, you must repeat the initial contact using a new one-time password.

    Caution: When using the command prompt, use the reboot command to reboot and the halt command to shut down the node. Do not use the init command. You can also reboot the node using the Management Client.


    Maintenance Operations

    Connecting to the Engine Command Line

    You may need to connect to the engine command line, for example, to undo a software upgrade.

    To connect to the engine command line

    1. Connect the serial cable supplied with the appliance to the serial port on the appliance and to a computer.

    2. On the computer, open a terminal with the following settings: 9600 bps, 8 databits, 1 stopbit, no parity.

    Reverting to Previously Installed Software Version

    This procedure allows you to undo a software upgrade.

    The appliance has two working partitions. One is designated as active and the other as inactive. The inactive partition is used for upgrades and the status is switched between the partitions when the upgrade is ready to be activated. If the appliance does not start up with the new version, it automatically switches to the previous configuration at the next reboot. You can also switch back to the previously installed software version manually as instructed here whenever necessary.

    To switch back to the previously active version

    1. Connect to the engine command line as described above in Connecting to the Engine Command Line.

    2. (Re)start the appliance:

    • If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command reboot.

    3. Wait until a list of the appliance partitions is shown. The currently active partition is highlighted.

    4. Select the inactive partition and press Enter. A list of available commands opens.

    5. Select Boot and press Enter. The appliance switches partitions and boots up.


    6. Refresh the policy on the engine to synchronize the policy and other configuration data between components.

    If you want to undo this operation, repeat the steps exactly as above.

    Note: If the certificate for system communications on the previously used partition is no longer valid, see the Troubleshooting section in the Management Client's Online Help for renewal instructions.

    Resetting the Appliance to Factory Settings

    Note: Perform a factory reset only if you have a specific need to do so. Consult Stonesoft Support before performing this operation if you are unsure of whether this operation is necessary or not.

    To reset to factory settings

    1. Connect to the engine command line as described above in Connecting to the Engine Command Line (page 31).

    2. (Re)start the appliance:

    • If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command reboot.

    3. Wait until a list of the appliance partitions is shown. The currently active partition is highlighted.

    4. Press Enter. A list of available commands opens.

    5. Select System Restore Options and press Enter.

    6. Type 1 and press Enter to clear the settings. A confirmation prompt is shown.

    7. Type YES and press Enter to perform the reset. If you decide to cancel the operation, type NO and press Enter.

    Caution: Do not unplug the power from the appliance or interrupt the reset in any way. If the reset is interrupted, the appliance may become unusable until serviced.

    To use the appliance after a factory reset, you must configure it as explained in Initial Configuration (page 21).


    Replacing the Solid State Disk

    If necessary, you can replace the Solid State Disk in the appliance with another one of the same model.

    Caution: We recommend using a grounding strap when handling a Solid State Disk (SSD). Uninstalled SSDs are sensitive to ESD damage.

    To replace the Solid State Disk

    1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 31).

    2. Shut down the engine:

    • If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command halt.

    3. Unplug all power cords from the system or the wall outlets.

    4. Locate the Solid State Disk drive on the appliance's back panel (see the illustration in Back Panel (page 10)).

    5. Press the release button to release the lever that locks the disk into position.

    6. Pull the lever carefully to remove the disk from the drive.

    7. Press the release button on the new disk to release the lever.

    8. Insert the disk into the drive.

    9. Press the lever down to lock the disk into position.

    [Illustration labels: Release button, Lever]


    Replacing the Interface Module

    You can replace the interface module either with the same type of module or with a different type of module. If the number of ports in the old module and the new module are the same, the mapping between the Interface IDs and the port names does not change. No further action is needed after you have replaced the module. However, if the number of ports in the new module is not the same as in the old module, you may need to modify the interface definitions. For more information, see the Interface Module Guide delivered with the interface module.

    Caution: Do not install or remove the interface module if the appliance is powered on to avoid damaging the module and the appliance.

    To replace the interface module

    1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 31).

    2. Shut down the engine:

    • If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command halt.

    3. Unplug all power cords from the system and the wall outlets.

    4. Disconnect all the cables from the appliance.

    5. (Recommended) Fasten a grounding strap to your wrist so that it contacts your bare skin and attach the other end of the strap to the appliance.

    6. Locate the interface module's release lever on the left of the module's front panel.

    7. Release the module from its locking position by pressing the lever right and by holding the lever down. Pull the module carefully out of the slot using the handle or the knob on the module's front panel.

    Note: If the unlocked module does not move, keep the release lever down, press the module gently toward the back of the slot, and pull the module again by the handle or the knob.

    8. Replace the module with a new one. See Installing the Interface Module (page 12).


    9. Connect the cables and plug the power cords to the system and to the wall outlets.

    10. Power on the appliance using the power button.

    Caution: Do not power on the appliance if you have not installed an interface module or a placeholder module in the appliance.

    11. If the number of ports in the new module differs from the old module, modify the interface definitions as necessary in the Management Client and refresh the policy to transfer the interface changes to the engine.

    Removing SFP Transceivers

    If necessary, you can remove the SFP transceivers from the SFP ports.

    Caution: Invisible laser radiation is emitted from the end of the fiber-optic cable and from the fiber port. Do not stare into the beam and avoid direct exposure to the beam.

    To remove an SFP transceiver

    1. Connect to the engine command line as described in Connecting to the Engine Command Line (page 31).

    2. Shut down the engine:

    • If the appliance is powered on, press Enter, log in as the user root with the password you have set for the appliance, and issue the command halt.

    3. Unplug all power cords from the system or the wall outlets.

    4. Disconnect the cable from the SFP transceiver.

    5. Pull down the latch on the SFP transceiver.

    6. Pull the SFP transceiver carefully out of the port slot.

    If you want to replace the SFP transceiver you have removed, follow the instructions in Connecting Cables to SFP Ports (page 19).

    Disposal Instructions

    Dispose of the appliance separately from household waste at an appropriate waste disposal facility at the end of its useful service life.


    Stonesoft Corporation
    International Headquarters
    Itälahdenkatu 22 A
    FI-00210 Helsinki, Finland
    tel. +358 9 4767 11
    fax +358 9 4767 1349

    Stonesoft Inc.
    Americas Headquarters
    1050 Crown Pointe Parkway
    Suite 900
    Atlanta, GA 30338, USA
    tel. +1 866 869 4075

    Stonesoft Appliance Installation Guide

    This booklet covers the initial installation and configuration tasks specific to your Stonesoft Appliance.

    For information on how to prepare the Management Center for a new engine installation, see the other available documentation. See inside for further details.

    All documentation and our technical knowledge base is available at: www.stonesoft.com/support.