StoneGate Installation Guide 3.0.7

StoneGate Installation Guide

SMC 4.0, Firewall/VPN 3.0.7, and Firewall/VPN 2.2 for IBM System z

Copyright © 2001�2007 Stonesoft Corporation. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Stonesoft Corporation.

Trademarks and PatentsThe products described in this documentation are protected by U.S. Patents and European Patents: U.S. Patents no. 6,650,621, 6,856,621, 6,912,200, 6,996,573, 7,099,284, 7,127,739, 7,130,266, 7,130,305, and 7,146,421; European patents no. 1065844, 1259028, 1289183, 1289202, 1313290, 1326393, 1361724, and 1379037; and may be protected by other US patents, foreign patents, or pending applications.

Stonesoft, the Stonesoft logo, StoneBeat, FullCluster, ServerCluster, StoneGate, and WebCluster are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate are protected by patents or pending patent applications in the U.S. and other countries.

Sun, Sun Microsystems, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Windows and Microsoft are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds.

All other trademarks or registered trademarks are property of their respective owners.

DisclaimerAlthough every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Stonesoft CorporationItälahdenkatu 22 AFI-00210 HelsinkiFinland

Stonesoft Inc.1050 Crown Pointe Parkway, Suite 900Atlanta, GA 30338 USA

Revision: SGIG_20070416

Table of Contents

INTRODUCTION

CHAPTER 1 Using StoneGate Documentation 9

How to Use This Guide 10

Typographical Conventions 10

Documentation Available 11

Product Documentation 11Support Documentation 12System Requirements 12

Contact Information 12

Licensing Issues 12Technical Support 12Your Comments 12Other Queries 12

CHAPTER 2 Planning the StoneGate Installation 13

StoneGate System Architecture 14

Example Network Scenario 15

Overview to the Installation Procedure 15

Important to Know Before Installation 16

Supported Platforms 16Date and Time Settings 16Hosts File 16Installation Files 16Checking File Integrity 16License Files 17

Firewall Cluster Interfaces 18

How Does Packet Dispatch Work? 19

INSTALLING THE MANAGEMENT CENTER

CHAPTER 3 Installing the Management Center 23

Installing the Management Center 24

Installing on Linux and Solaris 24Starting the Installation 25Selecting Basic Installation Options 25Installing a Management Server 28Installing a Log Server 29Installing a Monitoring Server 30Installing a Management Client 30Finishing the Installation 31

Starting the Management Center 33

Starting the Management Server 33Starting the Management Client 33Installing Licenses 35Starting the Log Server and Monitoring Server 37Starting Servers Manually 37If the Log Server or Monitoring Server Fails to

Start 38

Generating Server Certificates 38

Installing Dynamic Updates 39

Installing Management or Monitoring Clients Through Web Start 43

Setting up the Management Center for Monitoring Clients 43

Installing the Web Start Package 44Accessing the Web Start Clients 45

Non-Graphical Installation 46

3

CHAPTER 4 Defining a Single Firewall or Firewall Cluster 49

Configuration Overview 50

Defining Firewall Elements 50

Defining a Single Firewall 50Defining Single Firewall VLAN Tagging Interfaces 52Defining IBM System z Point to Point Interfaces for a Single Firewall 54Defining Single Firewall Network Interfaces 55

Defining a Firewall Cluster 57Cluster Interface Types 58Defining Firewall Cluster VLAN Tagging Interfaces 59Defining Firewall Cluster Network Interfaces 61Defining IBM System z Point to Point Interfaces for a Firewall Cluster 63Defining Cluster Node Dedicated Interfaces 66Defining Firewall Cluster Node Properties 68

Interface Options on IBM System z 70

IP Address Takeover Cluster Mode 70Enabling System z-Specific Options 70

Configuring IP Addressing for NAT 71

Defining Locations 71Firewall Engine Contact Addresses 73Server Contact Addresses 76Management Client Location Setting 77

Using Management-Bound Licenses 78

Saving the Initial Configuration 78

INSTALLING THE FIREWALL EN-GINE

CHAPTER 5 Installing the Engine on Intel Compatible Platforms 83

Installing the Firewall Engine 84

Checking File Integrity 84Starting the Installation 84

Configuring the Engine 85

Configuring the Engine Automatically with a USB Stick 85

Starting the Configuration Wizard 86Configuring the Operating System Settings 87Configuring the Network Interfaces 89Contacting the Management Server 90After Successful Management Server Contact 92

Installing the Engine in Expert Mode 92

Partitioning the Hard Disk Manually 93Allocating Partitions 95

CHAPTER 6 Installing the Engine on the IBM zSeries 97

Preparing z/VM for the Engine Installation 98


Checking File Integrity 100Starting the Installation 100

Configuring the Firewall Engine 103

Configuring the Operating System Settings 103Configuring the Network Interfaces 105

Configuring a CTC Device 106Configuring an IUCV Device 107Configuring a QETH Device 108Configuring an LCS Device 111Assigning Network Interfaces 112Disabling NIC Hardware Checking 114

Contacting the Management Server 115


Checking File Integrity 119Starting the Installation 119Partitioning the DASD Manually 120

ROUTING AND POLICIES

CHAPTER 7 Defining Routing and Basic Policies 129

Defining Routing 130

Adding a Default Route With a Single Network Link 132

Adding a Default Route With Multi-Link 134

4

Defining Other Routes 140Antispoofing 141Using IP Address Count Limited Licenses 142

Defining Basic Policies 142

Moving On 147

MAINTENANCE

CHAPTER 8 Upgrading and Updating 151

Getting Started with Upgrading StoneGate 152

Configuration Overview 152Checking File Integrity 153

Upgrading or Generating Licenses 154

Generating a New License 154Upgrading Licenses Under One Proof Code 155Upgrading Licenses Under Multiple Proof

Codes 155Installing Licenses 156

Upgrading the Management Center 158

Upgrading Engines Remotely 159

Upgrading the Engine 160

Upgrading Engines Locally 162

Upgrading the Firewall Engine 163

Changing IP Addressing 164

Changing the Management Server�s IP Address 164

Changing the Log Server�s IP Address 165Changing IP Addresses if the Management Server

and the Log Server Run on the Same Machine 165

CHAPTER 9 Uninstalling StoneGate 167

Uninstalling the Management Center 168

Uninstalling in Windows 168Uninstalling in Linux or Solaris 168

Uninstalling the Engines 169

APPENDICES

APPENDIX A Installation Worksheet 173

APPENDIX B Command Line Tools 179

APPENDIX C StoneGate-Specific Ports 193

APPENDIX D Example Network Scenario 199

Legal Information 205

Index 225

5

6

Introduction

CHAPTER 1 Using StoneGate Documentation

Welcome to StoneGate� High Availability Firewall and VPN solution by Stonesoft Corporation. This chapter describes how to use the StoneGate Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.

The following sections are included:

! How to Use This Guide, on page 10! Documentation Available, on page 11! Contact Information, on page 12

9

How to Use This GuideThe Installation Guide is intended for the administrators of a StoneGate Firewall/VPN installation. It describes step by step how to install the StoneGate Management Center and the firewall engine(s). The chapters in this guide are organized in the general order you should follow when installing the system.Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment. The explanations that accompany the illustrations are numbered when the illustration contains more than one step for you to perform.

Typographical ConventionsThe following typographical conventions are used throughout the guide:

We use the following ways to indicate important or additional information:

Note � Notes provide important information that may help you complete a task.

Caution � Cautions provide important information that you must take into account before performing an action to prevent critical mistakes.

Tip: Tips provide information that is not crucial, but may still be helpful.

TABLE 1.1 Typographical Conventions

Formatting Informative Uses

Normal text This is normal text.

Management Client textText you see in the Management Client (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.

References, termsCross-references and first use of acronyms and terms are in italics.

Command lineFile names, directories, and text displayed on the screen are monospaced.

User input User input on screen is monospaced bold-face.

Command parametersCommand parameter names are in monospaced italics.

10 Chapter 1: Using StoneGate Documentation

Documentation Avai lableStoneGate documentation is divided into two main categories: Product Documentation and Support Documentation. StoneGate firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator�s Guide and the online help system cover both the firewall/VPN and IPS products.

Product DocumentationThe StoneGate Guide books and the Management Client�s online help system are your primary source of technical information. The table below lists the available guides.

The Installation Guides and the Reference Guides are available as printed versions. For purchasing these, contact [email protected]. PDF versions are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

TABLE 1.2 Product Documentation

Guide Description

Reference GuideExplains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area.

Installation GuideInstructions for planning, installing, and upgrading a StoneGate system.

Online Help

Detailed instructions for the configuration and use of StoneGate. Accessible through the Management Client�s Help menu and by using the Help button or the F1 key in any Management Client window or dialog.

Administrator�s GuideA PDF version of the Online Help. Describes how to configure and manage a StoneGate system.

StoneGate Monitoring Client User�s Guide

Describes the use of the Monitoring Client to the end users.

StoneGate VPN Client Administrator�s Guide

Instructions for administrators on installing and customizing the StoneGate VPN Client.

StoneGate VPN Client User�s Guide

Instructions for end-users on using the StoneGate VPN Client.

Appliance Installation Guides

Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for various StoneGate hardware appliances.

Documentation Available 11

http://www.stonesoft.com/support/

mailto:[email protected]

Support DocumentationThe StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios.The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System RequirementsThe system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center can be found at http://www.stonesoft.com/en/products_and_solutions/supported_platforms/intel_servers/ (see the technical requirements section at the bottom of the page).The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.

Contact InformationFor street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing IssuesYou can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do.For license-related queries, e-mail [email protected].

Technical SupportStonesoft offers global technical support services for Stonesoft�s product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your CommentsWe want to make our products suit your needs as best as possible. We are always pleased to receive any suggestions you may have for improvements.� To comment on software and hardware products, e-mail [email protected].� To comment on the documentation, e-mail [email protected].

Other QueriesFor queries regarding other matters, e-mail [email protected].

12 Chapter 1: Using StoneGate Documentation

http://www.stonesoft.com





https://my.stonesoft.com/managelicense.do


http://www.stonesoft.com/en/products_and_solutions/supported_platforms/intel_servers/index.html

http://www.stonesoft.com/en/products_and_solutions/supported_platforms/intel_servers/index.html


CHAPTER 2 Planning the StoneGate Installation

This chapter provides important information to take into account before the installation can begin, including an overview to the installation and information on obtaining the installation and license files.


! StoneGate System Architecture, on page 14! Example Network Scenario, on page 15! Overview to the Installation Procedure, on page 15! Important to Know Before Installation, on page 16! Firewall Cluster Interfaces, on page 18

13

StoneGate System ArchitectureA StoneGate system consists of the Management Center and one or more engines.

Illustration 2.1 StoneGate System Components

The Management Center consists of the following standard components:� one Management Server� one or more Log Servers� one or more Management ClientsOptionally, and for a separate license fee, you can also have:� one or more Monitoring Servers for Monitoring Clients� one or more Monitoring Clients (used for limited log browsing).The Management Center components can be installed separately on different machines or on the same machine, depending on your requirements.The Management Center can manage several StoneGate firewalls (and IPS Sensors and Analyzers). Any StoneGate firewall is either a Single Firewall or a Firewall Cluster:� A Single Firewall has only one engine node. It does not support load balancing or

high availability for firewall activity. A Single Firewall can have both dynamic and static IP addresses.

� A Firewall Cluster can include up to 16 engine nodes, which work as a single virtual entity. Each engine in the cluster enforces the same set of rules for handling the traffic. A Firewall Cluster can be configured either for dynamic load balancing or for hot standby. A Firewall Cluster always has static IP addresses.

More background information can be found in the Reference Guide.

14 Chapter 2: Planning the StoneGate Installation

Example Network ScenarioTo get a better understanding of how StoneGate fits into a network, you can consult the Example Network Scenario that shows you one way to deploy StoneGate. All illustrations of the software configuration in this Installation Guide are filled in according to this example scenario; this way, you can compare how the settings in the various dialogs relate to overall network structure whenever you like.See Example Network Scenario, on page 199.

Overview to the Instal lation ProcedureThe installation proceeds as follows:1. Plan the installation of the StoneGate firewall engines and the Management

Center and check that you have all the necessary files as explained in this chapter.

2. Install and configure the Management Center and the Management Client. This is explained in Installing the Management Center, on page 23.� Additional Management Clients can be installed as needed either using the

installation wizard or the Java Web Start distribution method.3. Import licenses for all (new) StoneGate components. This is explained in

Installing Licenses, on page 35.4. Define the firewall element(s) in the Management Center. This is explained in

Defining a Single Firewall or Firewall Cluster, on page 49.5. If you have management bound licenses, bind them to the engines. This is

explained in Using Management-Bound Licenses, on page 78.6. Generate the initial configuration for the firewall engine(s). This is explained in

Saving the Initial Configuration, on page 78.7. Install and configure the firewall engines. This is explained in:

� Installing the Engine on Intel Compatible Platforms, on page 83.� Installing the Engine on the IBM zSeries, on page 97.� Hardware installation and initial configuration of StoneGate appliances is

explained in the Appliance Installation Guide that is delivered with each appliance.

8. Configure basic routing and install a policy on the firewall. This is explained in Defining Routing and Basic Policies, on page 129.

The chapters and sections of this book proceed in the order outlined above.If you have IPS components, the same Management Center and Management Clients can be used to manage those as well.

Example Network Scenario 15

Important to Know Before Instal lationConsult the Reference Guide if you need more detailed background information on the operation of StoneGate than what is offered in this chapter.

Supported PlatformsThe Release Notes list the basic requirements for StoneGate installation. For information on supported and certified hardware, please see Hardware Requirements available at http://www.stonesoft.com/.

Date and Time SettingsMake sure that the Date, Time, and Time zone settings are correct on any computer you will use as a platform for any Management Center component, including the workstations used for remote management (Management Client). The time setting of the engines does not need to be adjusted, as it is automatically synchronized to the Management Server time setting. For this operation, the time is converted to UTC time according to the Management Server time zone setting.

Hosts FileDue to a restriction of the Java platform, the Management Server and Log Server hostnames must be resolvable on the computer running the Management Client (even if running on the same computer as the servers) to ensure good performance.To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs into the local hosts file on the client computer:� In Linux: /etc/hosts� In Windows: \WINNT\system32\drivers\etc\hosts

Installation FilesStoneGate hardware appliances have pre-installed software. If you wish to upgrade to a new version, use the remote upgrade feature after the firewall is fully configured.On other systems, the software is installed from CD-ROMs:� Depending on your order, you may have received ready-made Management Center

and the Firewall/VPN engine CD-ROMs.� Otherwise, download CD-ROM .iso image files from the Stonesoft website at https:/

/my.stonesoft.com/download/ and create the installation CD-ROMs from those.

Checking File IntegrityBefore installing StoneGate, check that the installation files have not become corrupt. Using corrupted files may cause problems at any stage of the installation and use of the system. File integrity is checked using either an MD5 or SHA-1 file checksum that can be found on the installation CD-ROM and on the download page at the Stonesoft website.


http://www.stonesoft.com/

https://my.stonesoft.com/download/


Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third-party programs available.

# To check MD5 or SHA-1 file checksum1. Look up the correct checksum at https://my.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 2.2 Checking the File Checksums

4. Compare the displayed output to the checksum on the website. They must match.

Caution � Do not use files that have invalid checksums. If downloading the files again does not help, contact Stonesoft technical support to resolve the issue.

License FilesYou must generate license files and install them on the Management Server using the Management Client before you can bring your system fully operational. Each Management Server, Log Server, Monitoring Server (optional), and Firewall engine must have its own license, although all the licenses can be stored in a single license .jar file.You generate the licenses at the Stonesoft website based on your proof of license (for software, included in the order confirmation message sent by Stonesoft) or proof of serial number (for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.There are two types of licenses that you can generate:� IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic control IP addresses. If you want to change the IP address the license is bound to, you need to fill in a request at the licensing website. For engine components, the IP address must be the Primary Control IP Address (the one that is used for communications with the Management Server).

� Management bound licenses: For firewall and IPS engines (bound to the proof of license of the Management Server). Management-bound licenses allow you to change the IP addressing of an engine without generating a new license, and they can be switched from one engine to another if you delete or re-license the engine to which it is bound.

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Important to Know Before Installation 17


# To generate a new license1. Go to the license center at www.stonesoft.com/license/.2. Enter the required code (proof of license or proof of serial number) to the correct

field and click Continue. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in (at least) the required fields.5. Enter the IP addresses of the Management Center components you want to use.

Note � All IP-address-bound licenses are bound to the IP address you give, and you will have to return to the licensing page if you need to change the IP address. The IP address must match to the IP address configuration of the server.

6. Enter the Management Server�s proof of license code or the engine�s IP address for the engines you want to license.� If you are using a dynamic IP address on a firewall�s control interface, you must

bind the engine licenses to the Management Server�s proof of license.� The Management Server�s proof of license can be found in the e-mail you

received detailing your licenses. Later on, this information is shown in the Management Client for all licenses imported into the system.

7. Click Register License. The license file is sent to you in a moment. It will also become available for download at the license page.

Firewall Cluster InterfacesBecause of their dual role as members of a common virtual entity and as separate physical devices, Firewall engines in a cluster have two types of interfaces:� Cluster Virtual Interface (CVI): interface that is used to handle traffic routed through

the cluster for inspection. This is an interface that is shared by all nodes in a cluster, in effect making the node appear as a single entity as far as the outside network behind the interface is concerned.

� Node Dedicated Interface (NDI): interface that is used to handle traffic from or to a single node in a cluster. These interfaces are not used for normal traffic, but for the heartbeat connections between the engines in a cluster, for control connections from the Management Server, etc.

The nodes in a Firewall cluster use a Heartbeat connection to keep track of the other nodes� operation and to synchronize their state tables so that the connections can fail-over from a non-operational node to the remaining nodes when necessary.


http://www.stonesoft.com/license/

Caution � The heartbeat connection is essential for the operation of the cluster. Take special care to ensure that the heartbeat network works correctly and reliably. Make sure you are using the correct type of network cables (after testing that they work), that the network interface cards� duplex and speed settings match, and that any network devices in between the nodes are correctly configured. Problems in the heartbeat network may seriously degrade the performance of the cluster.

There are several operating modes for CVIs. The Packet Dispatch mode is recommended for new installations as it requires no special switch or router configuration. The other modes are provided for backward compatibility. However, on IBM System z, the IP Address Takeover interface mode should be used for standby clustering (but not for load balanced clustering).

How Does Packet Dispatch Work?In Packet Dispatch mode, even though several cluster nodes can process the traffic, there is only one contact MAC address for each CVI interface. This MAC address is controlled by a dispatcher node that forwards the packets to the correct firewall nodes for processing. The dispatcher node is chosen separately for each CVI, so different nodes may be selected as dispatcher nodes for different interfaces. The MAC/IP address relation is maintained with Packet Dispatch CVIs, as the CVI�s MAC address is moved to the firewall node that functions as the dispatcher node.The packet dispatcher for any given CVI is changed when the dispatcher goes offline, for example. When the dispatcher changes, StoneGate sends and ARP message to the switch or router. The switch or router has to update its address table without significant delay when the packet dispatcher MAC address is moved to another firewall node. This is a standard network addressing operation where the switch or router learns that the MAC address is located behind a different port. Then, the switch or router forwards traffic destined to the CVI address to this new packet dispatcher.

Firewall Cluster Interfaces 19


Installing the Management Center

CHAPTER 3 Installing the Management Center

This chapter instructs how to install the StoneGate Management Center components on Windows, Linux, and Solaris platforms.


! Installing the Management Center, on page 24! Starting the Management Center, on page 33! Generating Server Certificates, on page 38! Installing Dynamic Updates, on page 39! Installing Management or Monitoring Clients Through Web Start, on page 43! Non-Graphical Installation, on page 46

23

Instal l ing the Management CenterThe Management Server contains the configuration information for your system and controls the firewalls. Place the server in a secure location.Log in to the system where you are installing the Management Center with the correct administrative rights. In Windows, you must log in with administrator rights. In Linux and Solaris you must log in as root.To install the software, you need the Management Center CD-ROM (see Installation Files, on page 16). None of the components can be started without a valid license file for each component (see License Files, on page 17). Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.The remote Management Clients can be installed using the installation wizard as described in this section or they can be made available through Java Web Start (see Installing Management or Monitoring Clients Through Web Start, on page 43), which eliminates the need to update all Management Clients individually at each version upgrade.

Caution � The supported operating system platforms for running the Management Center version you are using are listed in the Release Notes for that version. Note that not all language versions of Windows are supported.

Installing on Linux and SolarisThe installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with �mount /dev/cdrom /mnt/cdrom� and in Solaris with �mount /cdrom�.This section guides you through a Management Center installation in a graphical user interface. For command line installation, see Non-Graphical Installation, on page 46.

Note � In Solaris, the Management Center installation requires at least 350 MB of available disk space in the /tmp/ directory to extract the installation files.

24 Chapter 3: Installing the Management Center

Starting the Installation

Caution � Do not attempt to install the Management Center on a StoneGate Firewall/VPN appliance.

# To start the installation wizard1. Insert the StoneGate installation CD-ROM and run the setup executable:

� On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe� On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh� On Solaris Bourne-compatible shells (e.g., sh, ksh), runCD-ROM/StoneGate_SW_Installer/Solaris/setup.sh

2. Wait for the installation wizard to start. First, the Java Runtime Environment (JRE) is installed for StoneGate, so this may take a while.

3. When the installation wizard shows the Introduction screen, click Next to start the installation. The License Agreement appears.

Selecting Basic Installation Options

# To select installation options

Illustration 3.1 License Agreement

1. You must accept the license agreement to continue.

You can click Cancel to stop the installation at any time.

You can click Previous at any time to go back

2. Click Next.


# To select the installation folder

Illustration 3.2 Choose Install Folder

Note � If you are going to install any of the server components as a service (so that they start automatically at operating system startup), you must define a directory path that does not contain spaces.

# To select where shortcuts are created

Illustration 3.3 Choose Shortcuts Directory

1. (Optional) To change the installation directory, enter a new location, or click Choose to browse

2. Click Next.

1. (Optional) Change the location where you want to create shortcut icons. Shortcuts can be used to manually start components and to run some maintenance tasks.

2. Click Next.


# To select which components to install

Illustration 3.4 Select the StoneGate Components to Be Installed

# To select components for the custom installation

Illustration 3.5 Choose Install Set

Note � Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in the StoneGate Management Center license.

The installation proceeds in the following order according to the components you have chosen for the installation:� Installing a Management Server, on page 28� Installing a Log Server, on page 29� Installing a Monitoring Server, on page 30� Installing a Management Client, on page 30� Finishing the Installation, on page 31

Default choice Typical installs all mandatory Management Center components.

Select Custom to select components to install individually.

Management Client Only installation is meant for administrators� workstations.

Click Next after making your choice.

1. Select the components that you want to install.

Custom Installation only

2. Click Next.


Installing a Management Server

# To create the first administrator account

Illustration 3.6 Create a Superuser Account

Note � The account you add here is the only account that can be used to log in to the StoneGate Management Center after the installation has finished.

# To configure the Management Server properties

Illustration 3.7 Configure Management Server

Note � The user name for the Management Database is dba. The password is created randomly, but you can change it using the Management Client if needed.

Proceed to Installing a Log Server, on page 29.

1. Type in a user name. This is a special unrestricted administrator account that cannot be deleted or modified.

2. Type in the same password in both fields.

3. Click Next.

1. Enter Management Server�s IP address. The Management Server�s license must be tied to this IP address.

2. Enter IP address for the Log Server that handles any alerts generated by this Management Server.

3. Click Next.

A service automatically starts at operating system start-up.

If you want to install the Management Server as a secondary Management Server, see the Administrator�s Guide or the online help of the Management Client for detailed instructions


Installing a Log ServerIf you are not installing a Log Server, skip to the first relevant section below:� Installing a Monitoring Server, on page 30� Installing a Management Client, on page 30� Finishing the Installation, on page 31

# To configure the Log Server properties

Illustration 3.8 Configure Log Server

Note � If you need to change the port number, check that the Log Server element properties reflect this in the Management Client after the installation is complete.

# To select a log storage location

Illustration 3.9 Choose Destination for Log Files

If you are installing a Monitoring Server, continue to Installing a Monitoring Server, on page 30. Otherwise, proceed to Installing a Management Client, on page 30.

1. Type in the IP address. The Log Server�s license must be tied to this IP address.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless installed at the same time.

A service automatically starts at operating system start-up.

2. Type in the IP address of the Management Server that controls this server.

4. Click Next.

1. (Optional) Type in the active storage directory for logs or click Choose to browse.

2. Click Next.


Installing a Monitoring ServerIf you are not installing a Monitoring Server, skip to the first relevant section below:� Installing a Management Client, on page 30� Finishing the Installation, on page 31

Note � Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in the StoneGate Management Center license.

We recommend placing the Monitoring Server in a DMZ network.

# To configure the Monitoring Server properties

Illustration 3.10 Configure Monitoring Server

Continue to Finishing the Installation, on page 31.

Installing a Management ClientThe Management Client has no configurable parameters. Proceed to Finishing the Installation, on page 31.

Note � The Management Client needs to connect to the Management Server and to Log Servers. See StoneGate-Specific Ports, on page 193 for a list of the ports used.

1. Type in the IP address. The Monitoring Server�s license must be tied to this IP address.

A service automatically starts at operating system startup.

Custom Installation only

2. Type in the IP address for the Management Server that controls this server.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless installed at the same time.

4. Click Next.


Finishing the Installation

Caution � If you are installing any server components as a service on a Windows system, make sure the Services window is closed before you proceed.

# To start the installation

Illustration 3.11 Pre-installation Summary

Depending on the options you selected, you may soon be prompted to generate certificates. If this happens, see Generating Server Certificates, on page 38.During the installation, an update package is imported from the installation CD. If you do not want to activate that particular package, you can disable its activation now.

# To activate the update packages

Illustration 3.12 Update Package Activation

Note � If the activation fails, the import may have also failed. In this case, you must import and activate the update packages in the Management Client.

1. Check the displayed information.

2. Click Install to install the selected components now or click Previous to make changes.

1. Select Yes to activate the update packages during the installation, or select No to import the update packages without activating them.

2. Click Next to continue the installation.


# To finish the installation wizard

Illustration 3.13 Service Start Summary

Illustration 3.14 Install Complete

Note � If any Log Server or Monitoring Server certificate was not retrieved during the installation, a certificate must be retrieved manually before the server can be started (see If the Log Server or Monitoring Server Fails to Start, on page 38).

Proceed to Starting the Management Center.

Log Server and Monitoring Server will not start if their licenses have not been imported yet (you can do this next using the Management Client).

Click Next to proceed before or after the Service statuses are shown.

Only when �Install as a Service� is selected

Click Done to close the installer.


Starting the Management CenterWhen starting the Management Center for the first time, the following steps must be completed (as instructed in the sections that follow):1. Start the Management Server.2. Log in using the Management Client.3. Install license files using the Management Client.4. Start the Log Server.5. If you have installed a Monitoring Server, start it.Proceed to Starting the Management Server.

Starting the Management ServerIf the Management Server has been installed as a service, the server is started automatically after the installation and during the operating system boot process.� In Windows, the StoneGate Management Server service can be started and

stopped manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

� If the service has started, proceed to Starting the Management Client.Otherwise, the Management Server must be started manually:

# To start the Management Server manually� In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs →StoneGate→Management Server) or run the script [Installation Directory]/bin/sgStartMgtSrv.bat.

� In Linux or Solaris, run the script [Installation Directory]/bin/sgStartMgtSrv.sh.

Starting the Management ClientAdministrators use StoneGate�s graphical user interface, the Management Client, to connect to the Management Server (remotely or locally) to configure the firewalls, VPNs, or any other feature of StoneGate.

# To start the Management Client� In Windows, use the shortcut icon in the location you selected during

installation (default: Start→Programs→StoneGate→Management Client) or run the script [installation directory]/bin/sgClient.bat.

� In Linux and Solaris, run the script [installation directory]/bin/sgClient.sh. A graphical environment is needed for the Management Client.


Illustration 3.15 Management Client Login

You can access the online help system in the Login window or any other window in the Management Client by pressing the F1 key on your keyboard.The Accept Certificate dialog is displayed when the Management Client contacts any Management Server for the first time.

Illustration 3.16 Accept Certificate

To check the fingerprint of the Certificate Authority on the Management Server:� In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs→StoneGate→Show Fingerprint) or run the script [installation directory]/bin/sgShowFingerPrint.bat.

� In Linux and Solaris, run the script [installation directory]/bin/sgShowFingerPrint.sh on the Management Server.

If the fingerprint matches, click Accept CertificateWhen you accept the certificate, the Management Client opens the Status/Statistics view. Proceed as instructed in the next section.

1. Type in the user name and password for the Administrator you defined during Management Server installation.

2. Type in the Management Server address.

3. Leave this checkbox selected if you want the Management Client to add the Management Server�s address permanently in the Server Address list.

4. Click Login.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.


Installing LicensesTo have a working system, you must have a license for all StoneGate server and engine components. Each Management Server, Log Server, Monitoring Server (optional), and Firewall engine must have its own license, although all the licenses can be stored together in a single .jar file.If you have not generated all license files yet, see License Files, on page 17. To import licenses, the license files must be available to the computer you use to run the Management Client. All licenses can be installed even though you have not yet defined all the elements the licenses will be bound to.

# To install StoneGate licensesWhen there is no valid Management Server license, a license information message is shown every time you log in using the Management Client.

Illustration 3.17 License Information Message

The message is displayed only when there is no valid license for the Management Server. Otherwise, open the Install License File(s) dialog as shown in Illustration 3.18.

Illustration 3.18 Opening the Install License File(s) Dialog

You must install licenses.Click Continue. The Install License file(s) dialog (Illustration 3.19) opens automatically.

1. Open the File menu (the number of items in the menu may vary).

2. Select System Tools→Install Licenses.The Install License File(s) dialog opens.


Illustration 3.19 Install License File(s) (Operating System Specific Dialog)

# To check that the licenses were imported correctly

Illustration 3.20 Checking License Import

Illustration 3.21 Checking Licenses

Note � Management-bound engine licenses are manually bound to the correct engines once you have configured the engine elements. In the All Licenses list, you should see one license for each Management Server, Log Server, Monitoring Server, and Firewall engine in your StoneGate system.

Proceed to the next section, Starting the Log Server and Monitoring Server.

1. Browse to the correct folder.2. Select one or more license files you want to import.

3. Click Install.

Click the Configuration button in the toolbar. The Configuration view opens.

1. Expand the Administration branch of the tree.

2. Select Licenses and click All Licenses in the list.


Starting the Log Server and Monitoring ServerIf the Log Server and the (optional) Monitoring Server have been installed as a service, the servers are started automatically during the operating system boot process. However, as the servers did not have a license when the operating system was rebooted, you may need to start them now as explained here.� In Windows, you can start or stop a Log Server or Monitoring Server installed as a

service manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

� In other cases, you can start the Log Server or Monitoring Server manually as explained in Starting Servers Manually, on page 37.

� If you have problems starting a Log Server or Monitoring Server, see If the Log Server or Monitoring Server Fails to Start, on page 38.

Once you have started the servers successfully, proceed to Installing Dynamic Updates, on page 39.

Starting Servers ManuallyTo start the Log Server or Monitoring Server manually, run the scripts in a console window. Read the console messages for information on the progress. Closing the console stops the service.

# To start the Log Server and Monitoring Server manually1. Start the Log Server:

� In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs →StoneGate→Log Server) or run the script <installation directory>/bin/sgStartLogSrv.bat.

� In Linux and Solaris, run the script <installation directory>/bin/sgStartLogSrv.sh.

2. If you have a Monitoring Server, start it in the same way:� In Windows, use the shortcut icon in the location you selected during

installation (default: Start→Programs →StoneGate→Monitoring Server) or run the script <installation directory>/bin/sgStartMonitoringServer.bat.

� In Linux and Solaris, run the script <installation directory>/bin/sgStartMonitoringServer.sh.

Next, continue as follows:� If you have started all servers successfully, proceed to Installing Dynamic Updates,

on page 39.� If you have trouble starting the server, see If the Log Server or Monitoring Server

Fails to Start, on page 38.


If the Log Server or Monitoring Server Fails to StartIf the Log Server or Monitoring Server does not start automatically as a service, first try starting it manually as explained in the previous section above to see if there is some error displayed on the console.� Remember that your Log Server or Monitoring Server must be licensed, and the

licence must be for the IP address in use. The license is a file you import to the system to verify the legal purchase of the software. The licenses can be obtained through the Stonesoft license center on the Web (or from Stonesoft Order Services). To generate a license file, see License Files, on page 17.

� The Log Server or Monitoring Server must also have a valid certificate, which it uses to prove its identity to the Management Server when the two servers communicate. The certificates are generated within the system itself. If there are certificate-related problems or problems you are not able to identify, try (re)generating the certificate manually as follows:

# To manually certify a Server� In Windows, run the <installation directory>/bin/sgCertifyLogSrv.bat or

the <installation directory>/bin/sgCertifyMonitoringServer.bat script depending on server type.

� In Linux and Solaris, run the <installation directory>/bin/sgCertifyLogSrv.sh or the <installation directory>/bin/sgCertifyMonitoringServer.sh script depending on server type.

Proceed as explained in next section, Generating Server Certificates, then try starting the servers again.

Generating Server CertificatesNote � If the Management Server is not running, see Starting the Management Server, on page 33.

# To generate a certificate for a StoneGate server

Illustration 3.22 Certificate Generation

Enter the username and password for the account you created during the Management Server installation. �Superuser� refers to the administrator privilege level. Administrators with other privilege levels are not allowed to generate certificates.


Illustration 3.23 Accept Certificate

# To check the fingerprint of the Certificate Authority1. Run the script <installation directory>/bin/sgShowFingerPrint[.bat/

.sh] on the Management Server. The Log Server Selection or Monitoring Server Selection dialog opens.

2. If the fingerprint matches, click Accept in the dialog. The Log Server Selection or Monitoring Server Selection dialog opens.

# To certify a Log server

Illustration 3.24 Log Server Selection

Instal l ing Dynamic UpdatesDynamic updates provide the latest system policies and vulnerability and exploit information for intrusion detection. They may also revise the inspection rules in the default template as well as the default elements you use to configure the system.During the installation, you may have imported and activated the update package included on the installation CD-ROM. However, since update packages are released more frequently than new software versions, you should still check which update package is active in the system and whether a newer one is available to ensure your system is current.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.

If not listed above, select Create a New Log Server (or Monitroring Server) and type in a name. The name will be used in the Management Client.

If your server is on the list, select it.

2. Click Ok.

1. Specify the server you want certified:


Note � You can configure the Management Center to periodically check if new update packages are available. You can also configure automatic download and activation of new update packages. See the online help for more information.

# To find the dynamic updates in the Management Client

Illustration 3.25 Checking for Updates

Illustration 3.26 Checking the Installed/Active Update Package

Note � Dynamic updates with the state Imported are not activated yet. You must activate imported dynamic update packages for them have to have an effect in the system.

# To check for the most recent dynamic update1. Go to www.stonesoft.com/download/ and follow the link to dynamic updates.2. If the download page shows that a more recent update is available, download

the latest .jar update package file. If you already have the most recent upgrade package do one of the following:� If the update package is in the Imported state, see To activate an update

package, on page 42.� If the update package is shown as Active, the most recent update package has

already been activated and no action is needed at this time.3. Save the update package file to a location reachable from the computer you use

to run the Management Client.

Click the Configuration button in the toolbar. The Configuration view opens.

1. Expand the Administration branch.

3. Select Updates.

4. Check the update package number and state.

2. Expand the Updates and Upgrades branch.


http://www.stonesoft.com/download/

4. Check that the update package file has not become corrupted during file transfer(s). Compare the file checksum according to the same procedure as with the installation files (see Checking File Integrity, on page 16).

# To import a new update package

Illustration 3.27 Importing an Update Package

Illustration 3.28 StoneGate Update Package File Browser (Operating System Specific)

In a while, the new update package appears in the system. Now you must activate it as instructed in the next section.

Click the Import Update Packages icon. A File Browser dialog opens.

1. Browse to the correct file and select it.

2. Click Import. The dialog closes and a status bar displays the progress of the import.


# To activate an update package

Illustration 3.29 Activating an Update Package

Illustration 3.30 Management Server Backup Dialog

Note � Once you have configured your system, taking a backup at this point allows you to quickly revert back to a previous configuration. This may be necessary because changes in system elements may cause firewall inspection rules to match traffic in a way you do not want, and you may need some time to redesign them.

The update package activation starts. The dialog may seem to pause occasionally while the information is processed. The included items are shown in the dialog so that you can view them after the activation is complete.

1. Right-click the new update package.

2. Select Activate from the menu. A confirmation dialog opens.

If you have a fresh installation, select No. Otherwise, we recommend that you always take a backup (click Help in the backup dialog to see instructions on how to use the options if you choose to take a backup now).


Illustration 3.31 Update Package Activation

If you want to install Management or Monitoring clients through Web Start, continue by Installing Management or Monitoring Clients Through Web Start, on page 43. Otherwise, proceed to the next chapter, Defining a Single Firewall or Firewall Cluster, on page 49.

Instal l ing Management or Monitoring Clients Through Web Start

The Management Client always has the same set of features. Management Clients installed using Web Start or the installation wizard are only installed differently:� At version updates, Web Start Management Clients are updated without user

intervention, whereas users must manually update clients installed with the installation wizard in a process similar to the original installation.

� The Web Start installation requires that one administrator copies files to the correct location and runs a script that creates the rest of the necessary files for running the application, whereas the update package using the installation wizard can be distributed as such.

� A current version of the Java Runtime Environment (JRE) must first be installed on each computer where the Web Start installation is to be used (if not previously installed). It can be downloaded for free from www.java.com or from java.sun.com.

Setting up the Management Center for Monitoring ClientsBefore Monitoring Client users can connect to the Monitoring Server, you must set up the Management Center for Monitoring Client access.

Close the tab when the activation is finished.


http://www.java.com/

http://java.sun.com/

# To set up the Management Center for Monitoring Client Access1. Define the filter(s) restricting the data the Monitoring Client users can view. See

the online help or the Administrator�s Guide for instructions.2. Define administrator accounts for monitoring users with rights level. See the

online help or the Administrator�s Guide for instructions.3. Modify the Access rules to allow communication between the Monitoring Client

users� networks or hosts and the Monitoring Server, between the Monitoring Server and the Management Server, and between the Monitoring Server and the Log Server.� See StoneGate-Specific Ports, on page 193 for information on the ports and

Services.

Note � Remember to adjust the NAT rules as well if it is necessary in your network setup.

Installing the Web Start PackageYou can place the Web Start package on a Web server, so that administrators can click a link, for example, on an Intranet page to launch the Management Client. The Web Start package can also be placed on a shared network drive. There is a limitation to this: the path to the network drive is included in the installation files, so the path, including the drive letter, must be the same for the administrators that wish to use that particular version of the installation package. If the network drive paths vary, consider placing the package on a Web server instead, for example, in the Intranet of your company.

Note � You must install a new Web Start package according to these instructions each time you upgrade the Management Server. Otherwise, any administrators that use Web Start-installed Management Clients are not able to log in.

# To install the Web Start package1. Browse to StoneGate_SW_Installer→Webstart on the installation CD-ROM.

Caution � The Web Start installation creates an index.html file. Any existing index.html file will be overwritten. We strongly recommend creating a new directory for the Web Start files.

2. Copy all the files and directories from the Webstart directory on the installation CD-ROM to the directory on the Web server or network drive where you want the Web Start files to be generated.

3. On the command line, change to the directory on your server where the Web Start files are located.


4. Run the Web Start setup script and give the URL or the path of the directory on your server where the Web Start files are located as the parameter:� Windows: cscript webstart_setup.vbs <web start directory>� Linux: run webstart_setup.sh <web start directory>

Note � The setup script generates Web Start files for both the full Management Client and the Monitoring Client.

5. If necessary, modify the configuration of the Web server to return the appropriate MIME type for.jnlp-files (application/x-java-jnlp-file). Consult the manual of your Web server for instructions on how to configure the MIME type.

6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory. For security reasons, the webstart_setup.vbs and webstart_setup.sh script files should not be in the same directory as the generated Web Start files and other shared client files.

7. Test the Web Start installation by following the instructions in Accessing the Web Start Clients below.

Accessing the Web Start ClientsAfter the Web Start package is installed on a Web server or a network drive, administrators can install the Management Client or Monitoring Client using the Web Start package if they have a current version of the Java Runtime Environment (JRE) installed on their computer.

# To access the Web Start Clients1. Click the link for the Web Start client on the Web page or the correct HTML file

for the type of client on the network drive.2. Wait for the client to be installed on your computer. The installed client starts.After the first run, the installed client is started in the same way. New versions are automatically installed when an updated Webstart package is found installed in the source directory at startup.

TABLE 3.1 Examples

Installation on Example Web Start Directory

Web server http://www.example.com/webstart/

Network drive file://localhost/C:/support/webstart/


Non-Graphical Instal lationIn Linux and Solaris, the Management Center can also be installed on the command line. Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.

# To run the non-graphical installation1. Open the shell.2. Change to the correct directory:

� In Linux: CD-ROM/StoneGate_SW_Installer/Linux/� In Solaris: CD-ROM/StoneGate_SW_Installer/Solaris/

3. Run the command �./setup.sh -nodisplay� to start the installation.

Illustration 3.32 Accepting the License Agreement

4. Accept the license agreement by typing �Y�.5. After the license agreement display, you are prompted for the installation

directory.6. Press ENTER to install to the default installation directory or define a different

directory. Confirm it by typing in �Y�.

Illustration 3.33 Choosing the Link Location

7. Press ENTER to create the StoneGate links in the default directory or select one of the other options.

DO YOU ACCEPT THE TERMS OF THE LICENSE AGREEMENT? (Y/N)

Choose Link Location-------------Where would you like to create links?

->1 - Default:/StoneGate2 - In your home folder3 - Choose another location...

4 - Don’t create links

ENTER THE NUMBER OF AN OPTION ABOVE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1


Illustration 3.34 Choosing the Installation Options

8. Select the StoneGate components you want to install. � Press ENTER to install all Management Center components except the

Monitoring Server.� Press 2 to install only the Management Client.� Press 3 for a customized installation.

Note � You need a graphical environment to use the Management Client. It cannot be run on the command line. Only the server components can be run in a command- line-only environment.

The installation options for the Management Center components are the same as in the graphical installation. Proceed as follows:� To install a Management Server, see Installing a Management Server, on page 28.� To install a Log Server, see Installing a Log Server, on page 29.� To install a Monitoring Server, see Installing a Monitoring Server, on page 30� To install a Management Client, see Installing a Management Client, on page 30.� After installing all components, continue to Finishing the Installation, on page 31.

Choose StoneGate Components-----------------

Please choose the Install Set to be installed by this installer.

->1 - Typical2- Management Client Only3- Customize...

ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT : 1

Non-Graphical Installation 47


CHAPTER 4 Defining a Single Firewall or Firewall Cluster

This chapter contains the steps needed to complete the single firewall or firewall cluster configuration procedure that prepares the Management Center for a StoneGate firewall installation.Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the Management Center as outlined in this chapter.


! Configuration Overview, on page 50! Defining Firewall Elements, on page 50! Interface Options on IBM System z, on page 70! Configuring IP Addressing for NAT, on page 71! Using Management-Bound Licenses, on page 78! Saving the Initial Configuration, on page 78

49

Configuration OverviewAfter you have the StoneGate Management Center (SMC) installed and running, you must configure the Firewalls. This is mostly done through the Management Client. This chapter explains all the tasks you must complete before you can install and/or configure the physical firewalls.The tasks you must complete are as follows:1. Define Firewall elements.2. Configure Locations and Contact Addresses if the connections between the

StoneGate components are subject to Network Address Translation (NAT).3. Bind management-bound licenses to specific firewall elements.4. Save the defined configuration for use during Firewall installation.Start by defining Firewall elements as explained in the next section.

Defining Firewall ElementsTo introduce a new firewall engine to the Management Center, you must define a Single Firewall or Firewall Cluster element that stores the configuration information related to the firewall.Only one interface is needed to install the firewall; the Control Interface that is used for communications between the Management Server and the Firewall/VPN engine. Although you can configure more interfaces at any later time, it is simplest to add more interfaces right away, so that traffic can also be routed through the firewall. You can use the Installation Worksheet, on page 173 to document the interfaces.The interfaces have their own numbering in the Management Center called Interface ID, which is independent of the operating system interface numbering on the firewall engine. However, if you do the engine�s initial configuring using the automatic USB memory stick configuration method, the Interface IDs in Management Center are mapped to match the physical interface numbering in the operating system (eth0 is mapped to Interface ID 0 and so on). If you do the initial configuration manually, you can freely choose how the Interface IDs in the Management Center are mapped to the physical interfaces.To begin the configuration, proceed to either of these sections:� If you plan to install firewalls that are not clustered, proceed to Defining a Single

Firewall below.� If you only plan to install clustered firewalls, proceed to Defining a Firewall Cluster,

on page 57.

Defining a Single FirewallThis section covers the basic configuration of a Single Firewall element. For more information on configuring the firewall, see the online help (click the help button in the dialogs to see help specific to that dialog) or the Administrator�s Guide.

50 Chapter 4: Defining a Single Firewall or Firewall Cluster

In the following tasks, the values filled in the images refer to the example network�s Branch Office firewall settings to help exemplify how to configure a single firewall (see the Example Network Scenario, on page 199).

Note � To activate interface options specific to the IBM System z platform, see Interface Options on IBM System z, on page 70.

You can create new Firewall elements directly in the Status/Statistics view (the first view that opens when you start the Management Client).

# To create a Single Firewall element

Illustration 4.1 Creating a New Firewall Element

# To Define the basic properties of a firewall

Illustration 4.2 Single Firewall Properties

If you have a secondary Log Server, you add it in the properties of the primary Log Server you select here (for all firewalls that send data to that primary Log Server).

1. Right-click Firewalls.

2. Select New→Single Firewall.The Single Firewall Properties dialog opens.

1. Type in a Name.

2. Select a Log Server for storing this firewall�s logs.

3. (Optional) Enter a Comment for your own reference.Continue configuring the Firewall properties as explained below.


Next, define the interfaces as follows:� If you plan to use 802.1Q VLAN tagging on the firewall�s network interfaces, the

VLAN tagging must be configured for those interfaces (as explained in the following section) before configuring the interface properties.

� On IBM System z, if you do not use VLAN tagging and you want to define point to point interfaces, proceed to Defining IBM System z Point to Point Interfaces for a Single Firewall, on page 54.

� Otherwise, proceed to Defining Single Firewall Network Interfaces, on page 55.

Note � If you first configure an interface without VLAN tagging, and later want to use VLAN tagging on that interface, the previous interface configuration must first be deleted.

Defining Single Firewall VLAN Tagging Interfaces

Caution � On the IBM System z, VLANs are not supported by virtual or real Hipersockets, OSA-2, CTC or IUCV.

# To configure an interface to use VLAN tagging

Illustration 4.3 VLAN Settings in Firewall Properties

1. Switch to VLAN Settings

2. Click Add VLAN Tagged Interface.

3. Select an Interface ID for the interface and click OK.


The Interface ID is added to the list, and you can now add the VLANs to the interface:

# To add a new VLAN to an interface

Illustration 4.4 Adding new VLANs to a VLAN tagged Interface

Note � The VLAN ID must be the same VLAN ID used in the switch at the other end of the VLAN trunk.

Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Next, configure the VLAN interfaces just like any other network interface.� On IBM System z, if you want to define point to point interfaces, proceed to Defining

IBM System z Point to Point Interfaces for a Single Firewall, on page 54.� Otherwise, proceed to Defining Single Firewall Network Interfaces, on page 55.

1. Select a row

2. Click Add VLAN. The VLAN Properties dialog opens.

4. Click OK.

3. Enter a VLAN ID (1 to 4095)


Defining IBM System z Point to Point Interfaces for a Single Firewall

# To add an interface for a firewall


# To configure a point to point interface for a Single Firewall

Illustration 4.6 Interface Properties (1/2) - NDI Mode Settings

1. Make sure you are on the Single Node tab.

2. Click Add Interface.The Interface Properties dialog opens

One NDI per firewall must be the Primary interface for Management Server contact.If Primary is down, Backup interface(s) are used.

Select Point-to-Point.

One interface per firewall must be selected as identity for authentication requests.This has no effect on routing; the IP address of the interface is used only like a label in this role.


Illustration 4.7 Interface Properties (2/2) - Other Options

Write down the networks to which each Interface ID is connected.Repeat the steps above to add further Point-to-Point interfaces. Then define other interfaces as explained below.

Defining Single Firewall Network Interfaces

# To add a network interface for a Single Firewall


Single Firewall interfaces are always of the Node Dedicated Interface (NDI) type.

2. Enter the Local Address of the firewall node.

4. Adjust the MTU if necessary.

1. Select an Interface ID. You will map it to a physical interface during the initial configuration of the engine.

3. Type in the Remote Address of the peer at the other end of the point-to-point link.

5. Click OK when done

1. Make sure you are on the Single Node tab.

2. Click Add Interface.The Interface Properties dialog opens.


# To set the interface properties

Illustration 4.9 Network Interface Properties (1/2) - Interface Mode Options

Note � If you use an IP-address-bound license for the engine, the license of the engine must be tied to the Primary Control IP address.


Note � On IBM System z, type in the Maximum Transmission Unit for the network interface in the MTU field to match it to the NIC configuration.

Write down the networks to which each Interface ID is connected.Repeat the steps above to define more interfaces. The same Interface ID can have more than one interface definition, if you want to define more than one IP addresses on the same physical interface.To route traffic through the firewall, you must define interfaces for at least two different physical network interfaces.

Select the Dynamic IP Address checkbox if this interface receives its IP address from a DHCP server.

One interface per firewall must be the Primary interface for Management Server contact.If Primary is down, Backup interface(s) are used.

One interface per firewall must be selected as identity for authentication requests.This has no effect on routing; the IP address of the interface is used only like a label in this role.

2. Enter the unicast IP address and Netmask of this interface or, for an interface with a dynamic IP address, select any DHCP Index number to identify it.

3. Click OK when done.

1. Select an Interface ID. This will map to a physical interface during the initial configuration of the engine.


The interfaces you have defined are shown as a table on the Single Node tab:


Click OK to close the Firewall Properties when you are finished defining interfaces. The Single Firewall element is added to the tree view.If you want to define Firewall Clusters, proceed to Defining a Firewall Cluster below. If you are done configuring Firewall elements, this configuration should be sufficient for the purpose of installation in most environments; however, there are two exceptions:� If you have NAT in use in your environment, proceed to Configuring IP Addressing for

NAT, on page 71.� If your environment does not have NAT and you have management-bound Firewall

licenses, proceed to Using Management-Bound Licenses, on page 78.If these exceptions do not apply to you, proceed to Saving the Initial Configuration, on page 78.

Defining a Firewall ClusterThis section covers only the basic configuration of a firewall cluster element. For information on all the options, see the online help (click the Help button in the dialogs) or the Administrator�s Guide.In the following tasks, the values filled in the images refer to the example network�s Headquarters firewall cluster settings to exemplify how to configure a firewall cluster (see the Example Network Scenario, on page 199).

Note � To activate IBM System z platform-specific network interface options, see Interface Options on IBM System z, on page 70.

You can double-click a row to edit the interface �A� signifies the interface used as the identity for

authentication requests.�C� and �c� signify the Primary and Secondary Control Interfaces respectively.


You can create new Firewall elements directly in the Status/Statistics view (the first view that opens when you start the Management Client).

# To create a Firewall Cluster element

Illustration 4.12 Creating a New Firewall Element

# To define the basic properties

Illustration 4.13 Firewall Cluster Properties

If you have a secondary Log Server, you add it in the properties of the primary Log Server you select here (for all firewalls that send data to that primary Log Server).

Cluster Interface TypesCluster Virtual Interfaces (CVI) handle the traffic that is routed through the firewall for inspection. In firewall clusters, Node Dedicated Interfaces (NDI) are used for traffic that the nodes themselves send or receive (such as the communications they have with the Management Server). Several CVIs and NDIs can be defined for the same physical network interface or VLAN segment.

1. Right-click Firewalls.

2. Select New→ Firewall Cluster.

1. Type in a Name.

2. Select a Log Server for storing this firewall�s logs.

3. (Optional) Enter a Comment for your own reference.Continue configuring the Firewall properties as explained below.


� If you plan to use 802.1Q VLAN tagging on the firewall�s network interfaces, the VLAN tagging must be configured for those interfaces before configuring the interface properties (as explained in the following section).

� Otherwise, proceed to Defining Firewall Cluster Network Interfaces, on page 61.

Note � If you first configure an interface without VLAN tagging, and later want to use VLAN tagging on that interface, the previous interface configuration must first be deleted.

Defining Firewall Cluster VLAN Tagging InterfacesAfter VLAN tagged interfaces are created, you can define them like any other interfaces. However, The CVI mode and MAC address must be the same for all VLANs on the same physical interface, and you must not use VLAN tagged interfaces for the Primary Heartbeat connection.

Caution � On the IBM System z, VLANs are not supported by virtual or real Hipersockets, OSA-2, CTC or IUCV.

# To configure an interface to use VLAN tagging

Illustration 4.14 VLAN Settings Tab in Firewall Properties

Note � In an automatic initial configuration, the interface IDs correspond to the physical interface numbering. In a manual configuration, you can freely match the Interface ID to any physical interface.

1. Switch to VLAN Settings.

6. Click OK.

3. Select an Interface ID for the interface.

2. Click Add VLAN Tagged Interface.

5. Enter the MAC Address. See Table 4.1 for Mac Address requirements.

4. (Optional) If you have a specific need to change the CVI Mode, select the correct CVI Mode. Otherwise, leave Packet Dispatch selected.


The Interface ID is added to the list, and you can now add the VLANs to the interface:

# To add a new VLAN to an interface

Illustration 4.15 Adding new VLANs to a VLAN Tagged Interface

TABLE 4.1 MAC Address Requirements by Mode

Mode MAC Address

Packet Dispatch Type in a unicast MAC address with an even number as the first octet (e.g., 10:12:34:56:78:90). All unicast CVIs and NDIs that are defined for the same physical network interface must use the same unicast MAC address.Unicast MAC

Multicast MACType in a multicast MAC address with an odd number as the first octet (e.g., 01:12:34:56:78:90).

Multicast MAC with IGMP

Type in a multicast IP address in the range from 239.252.0.0 to 239.255.255.255. This multicast IP address is used only for automatically calculating a valid multicast MAC for the CVI (e.g., 01:00:5e:12:34:56). Thus, the interface has a unicast IP address and a multicast MAC address, and it sends IGMP messages when joining or leaving the multicast group.

1. Select a row

2. Click Add VLAN. The VLAN Properties dialog opens.

3. Enter a VLAN ID (1 to 4095)

4. Click OK.


Note � The VLAN ID must be the same VLAN ID used in the switch at the other end of the VLAN trunk.

Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Configure the VLAN interfaces now just like any other network interface as outlined in the next section, Defining Firewall Cluster Network Interfaces.

Defining Firewall Cluster Network InterfacesTo route traffic through the firewall, you must define at least two CVIs (additionally, at least one NDI is needed to configure and control the node).

# To add a CVI for a Firewall Cluster

Illustration 4.16 Firewall Cluster Interfaces

1. Make sure you are on the Cluster tab

2. Click Add InterfaceThe Interface Properties dialog opens


# To set the interface properties

Illustration 4.17 Interface Properties (1/2) - CVI Mode Settings

Note � Different CVI modes can be used for different interfaces of a firewall cluster without limitations. Also, the Multicast, Multicast with IGMP, and Packet Dispatch modes may be used for different CVIs that use the same Interface ID.

Note � On the IBM System z, load-balanced clustering requires the use of the Packet Dispatch cluster mode and standby clustering requires the use of the IP Address Takeover cluster mode (see Interface Options on IBM System z, on page 70).


Note � On IBM System z, type in the Maximum Transmission Unit for the network interface in the MTU field to match it to the NIC configuration.

1. Leave as Cluster Virtual Interface

2. Select Packet Dispatch(Recommended mode for new installations)

One interface per cluster must be selected as identity for authentication requests.This has no effect on routing; the IP address of the interface is used only like a label in this role.

2. Enter the unicast IP address and Netmask of this interface.

3. Enter a MAC Address that corresponds to the interface mode (see Table 4.2 below).

1. Select an Interface ID. This will map to a physical interface during the initial configuration of the engine.



Write down the networks to which each Interface ID is connected.Repeat the steps above to add further CVIs. The same Interface ID can have more than one CVI definition, if you want to define more than one IP addresses on the same physical interface.After defining the necessary CVIs, continue defining the NDIs.� On IBM System z, to define point to point interfaces, continue as explained below.� Otherwise, proceed to Defining Cluster Node Dedicated Interfaces, on page 66.

Defining IBM System z Point to Point Interfaces for a Firewall Cluster

# To add an interface for a Firewall Cluster

Illustration 4.19 Firewall Cluster Properties - Bottom Left Corner

TABLE 4.2 MAC Address Requirements by Mode

Mode MAC Address

Packet Dispatch Type in a unicast MAC address with an even number as the first octet (e.g., 10:12:34:56:78:90). All unicast CVIs and NDIs that are defined for the same physical network interface must use the same unicast MAC address.Unicast MAC

Multicast MACType in a multicast MAC address with an odd number as the first octet (e.g., 01:12:34:56:78:90).

Multicast MAC with IGMP

Type in a multicast IP address in the range from 239.252.0.0 to 239.255.255.255. This multicast IP address is used only for automatically calculating a valid multicast MAC for the CVI (e.g., 01:00:5e:12:34:56). Thus, the interface has a unicast IP address and a multicast MAC address, and it sends IGMP messages when joining or leaving the multicast group.

IP Address Takeover No MAC address can be entered; it is not needed.

Click Add Interface.The Interface Properties dialog opens.


# To define the cluster-level properties for a Point to Point interface

Illustration 4.20 Cluster-Level Interface Properties for NDI (1/2) - NDI Mode Settings

Illustration 4.21 Cluster-Level Interface Properties for NDI (2/2) - Interface ID

Repeat the steps above to add further Point to Point NDIs.Next, configure the settings specific to each node for each NDI.

1. Select Node Dedicated Interface as the Type.

One Primary Hearbeat Interface must be defined for the cluster. It is used for communications between the nodes.Configure at least a second NDI as the Backup.

One NDI per cluster must be the Primary interface for Management Server contact.If Primary is down, Backup interface(s) are used.

One NDI per cluster must be selected as the Default IP for node-initiated connections. Its IP address is used if the firewall needs to initiate connections on a network card that has no NDI.

2. Select Point-to-Point.

1. Select an Interface ID.You will map this to a physical interface during the initial configuration of the engine.

2. Adjust the MTU, if necessary.

3. Click OK.

Disabled options are specific to individual nodes.


# To define the node-level properties for a Point to Point interface

Illustration 4.22 Firewall Cluster Properties - Nodes


1. Switch to Nodes tab.

2. Double-click the Name cell and type in a name for each node

2. Double-click the interface to edit.The Interface Properties dialog opens.

1. Select a node.


Illustration 4.24 Node Dedicated Interface Properties

Write down the networks to which each Interface ID is connected.We recommend that you now complete the interface configuration for the second node in the same way as described above. It is possible to define the NDI IP address for just one node, but the interface without an NDI may not be suitable for Multi-Link.NDIs that are not point-to-point interfaces can be defined in the same way that they are defined for other platforms, with the additional possibility to define the MTU value for each interface; continue as explained in the next section.

Defining Cluster Node Dedicated InterfacesAt least one NDI is needed to install and control the node. We recommend defining an NDI for each physical interface, if practical.NDIs have both cluster-level and node-level properties. First, you will define the cluster-level properties.

# To add an NDI for a firewall cluster

Illustration 4.25 Firewall Cluster Properties - Bottom Left Corner

1. In Local Address field, define the IP address of the firewall node.

2. In Remote Address field, type in the IP address of the peer in the other end of the point-to-point link.


Click Add Interface.The Interface Properties dialog opens.


# To set the cluster-level NDI properties

Illustration 4.26 Cluster-Level Interface Properties for NDI (1/2) - NDI Mode Settings

Note � Heartbeat and state synchronization (which takes place on the same interface) are time-critical communications, and network latency from other traffic may interfere with the operation of the cluster. Therefore, the primary heartbeat network should be dedicated only for this purpose.

Illustration 4.27 Cluster-Level Interface Properties for NDI (2/2) - Interface ID

Repeat the steps above to add further NDIs. The same Interface ID can have more than one NDI definition, if you want to define more than one IP addresses on the same physical interface.

Select Node Dedicated Interface as the Type.

One Primary Hearbeat Interface must be defined for the cluster. It is used for communications between the nodes. This must not be a VLAN tagged interfaceYou can configure a second NDI as a Backup (highly recommended).

One NDI per cluster must be the Primary interface for Management Server contact.If Primary is down, Backup interface(s) are used.

One NDI per cluster must be selected as the Default IP for node-initiated connections. Its IP address is used if the firewall needs to initiate connections on a network card that has no NDI.

Disabled options are specific to individual nodes.

1. Select an Interface ID. You will map this to a physical interface during the initial configuration of the engine.

2. Click OK.


The IP address, Netmask, and MAC address for an NDI are defined on the node specific properties of each node as explained below.

Defining Firewall Cluster Node PropertiesNext, define the node-specific properties of the NDI for each node in the cluster.

# To set the node-level NDI properties


Note � By default, the Nodes tab displays two nodes. If you have more nodes in your cluster, add more nodes by clicking the Add Node button in the Nodes tab. A Cluster can have up to 16 nodes (2 nodes on IBM System z).


1. Switch to Nodes tab.

Click if you need to add a node.2. Double-click the Name cell and

enter a name for each node.

2. Double-click interface to edit.

1. Select a node.


The Interface Properties dialog opens. Options that are defined on the cluster level are disabled in the node-level Interface Properties.

Illustration 4.30 Node Dedicated Interface Properties

Note � On IBM System z, you can type in the Maximum Transmission Unit for the network interface in the MTU field to match it to the NIC configuration.

Note � All unicast CVIs and NDIs that are defined for the same physical network interface card must naturally use the same unicast MAC address.

Repeat the interface configuration as above for each of the nodes that you want to have an NDI defined (we recommend that you define the NDI for all nodes, if practical).Write down the networks to which each Interface ID is connected.The interfaces you have defined are shown as a table on the Cluster tab:

Illustration 4.31 Firewall Cluster Properties

1. Enter the IP Address and Netmask

2. (Optional) If you have a specific need, you may define a unicast MAC address to override the MAC address of the network interface card.


�A� signifies the interface used as the identity for authentication requests�C� and �c� signify the Primary and Secondary Control Interfaces�H� and �h� signify the Primary and Secondary Heartbeat Interfaces�K� signifies the Packet Dispatch cluster mode

You can double-click a row to edit the interface


Click OK to close the Firewall Cluster Properties when you are finished defining the interfaces. The new Firewall Cluster element is added to the tree view.If you are done configuring Firewall elements, this configuration should be sufficient for the purpose of installation in most environments; however, there are two exceptions:� If you have NAT in use in your environment, proceed to Configuring IP Addressing for

NAT, on page 71.� If your environment does not have NAT and you have management-bound Firewall

licenses, proceed to Using Management-Bound Licenses, on page 78.If these exceptions do not apply to you, proceed to Saving the Initial Configuration, on page 78.

Interface Options on IBM System zThe network interfaces have the following additional options when the engine is installed on IBM System z:� IUCV and CTC Point to Point connections� Interface Maximum Transmission Unit (MTU) value to override the default MTU of

1500 bytes.� An additional CVI mode, IP Address Takeover, that is used for standby clustering

(but not for load-balanced clustering, which uses the Packet Dispatch mode). See IP Address Takeover Cluster Mode below.

By default, the System z-specific options are hidden in the Management Client. To display these options, follow the steps in Enabling System z-Specific Options below.

IP Address Takeover Cluster ModeOn IBM System z, the standby mode clustering is implemented using IP Address Take Over CVIs. As this CVI mode utilizes the IP address takeover functionality of the qeth driver, the NIC must be a network interface that uses this driver: for example, OSA-Express in QDIO mode, virtual or real Hipersockets, or a Guest LAN. Several CVI interfaces can be configured per Interface ID, if required.

Note � The CVI must be an interface that uses the qeth driver. CVI cannot be an LCS, CTC, or IUCV interface.

For more information on the qeth driver, please refer to the IBM documentation Linux for S/390 Device Drivers and Installation Commands, available at http://www-1.ibm.com/servers/eserver/System z/os/linux/library/.

Enabling System z-Specific Options

# To enable IBM System z interface options in the Management Client1. Close the Management Client (File→Exit).2. On the computer where the Management Client is installed:


http://www-1.ibm.com/servers/eserver/zseries/os/linux/library/

http://www-1.ibm.com/servers/eserver/zseries/os/linux/library/

� To change the setting for all user accounts of this computer, open the [installation directory]/data/SGClientConfiguration.txt configuration file in a text editor.

� To change the setting only for the currently logged in user, open the [your user directory]/.stonegate/SGClientConfiguration.txt configuration file in a text editor.

3. Remove the hash sign (#) from the beginning of the line �FWPropertiesForS390=True� and save the file.

4. Restart the Management Client and log in. The IBM System z platform-specific interface options are now visible in the interface properties and the Routing view.

Create a new Firewall element according to the firewall type:� Defining a Single Firewall, on page 50� Defining a Firewall Cluster, on page 57

Configuring IP Addressing for NATThe StoneGate components communicate with each other using the IP address defined for the corresponding element in StoneGate. If there is Network Address Translation (NAT) between any of the communicating components, then the NATed IP addresses must be defined (in the case of the Management Client, only if the Log Server address is NATed).

Note � A contact address is necessary only if there is a NAT device between the communicating StoneGate components.

All communications between the StoneGate components are presented as a table in StoneGate-Specific Ports, on page 193.If contact addresses are required, begin by defining Locations as explained below. If you are sure that Contact Addresses are not needed, proceed as follows:� If you have management-bound firewall licenses, proceed to Using Management-

Bound Licenses, on page 78.� Otherwise, proceed to Saving the Initial Configuration, on page 78.

Defining LocationsStoneGate components use the information you define in the Location elements to determine which IP address is used when there is NAT between the components. Elements that you do not put in any Location are members of a Default location, which is treated the same way as the other Locations.After you have the Location elements set up, you open the properties of each element as necessary, and define the Contact Addresses for the element from each Location�s viewpoint. All components in the other Locations then use the addresses defined for their Location. The Management Clients have a separate Location setting in the status


bar at the bottom of the Status/Statistics and Configuration views, which is used if there is NAT between a Log Server and the Management Client.

# To create a new Location

Illustration 4.32 Opening the Configuration View

Illustration 4.33 Creating a New Location

Illustration 4.34 Location Properties

Click the StoneGate Configuration icon in the toolbar. The Configuration view opens.

2. Right-click Locations and select New Location from the menu that opens. The Location properties dialog opens.

1. Expand Administration in the tree view.

1. Type a name

2. Select element(s).

3. Click Add.

4. Repeat steps 2-3 until all necessary elements are added.

5. Click OK.


Repeat to add other Locations as necessary.Next, configure the Contact Addresses as necessary:� Firewall Engine Contact Addresses, on page 73� Server Contact Addresses, on page 76

Firewall Engine Contact AddressesYou must define the Location and contact address for the Firewall element if NAT is used between the firewall Engine and the Log Server or Management Server. An interface with contact addresses is indicated with an asterisk (*) in the Interfaces table in the Firewall properties. Define the contact addresses for the Primary and Backup Control interfaces to enable system communications.

# To define a Location for a Firewall Element

Illustration 4.35 Opening Firewall Properties

Illustration 4.36 Firewall Properties - Upper Part

On Firewall Clusters, contact addresses for NDIs are defined in the node-level properties. Proceed according to the firewall type as explained in the next sections, To define a contact address for a Single Firewall interface and To define a contact address for a Firewall Cluster NDI.

2. Right-click the Firewall element and select Properties from the menu that opens. The Firewall Properties dialog opens.

1. Switch back to the Status/Statistics view.

You can browse back or click this button to open the view.

Select the correct Location for this firewall.


# To define a contact address for a Single Firewall interface

Illustration 4.37 Single Firewall Properties - Lower Part

# To define a contact address for a Firewall Cluster NDI

Illustration 4.38 Editing Interface Properties of Firewall Clusters

# To add a contact address

Illustration 4.39 Network Interface Properties

Primary Control Interface is marked with �C� (uppercase).Secondary Control Interfaces are marked with �c� (lowercase).

Double-click the Control Interface and proceed to Illustration 4.39

1. For clusters, switch to the Nodes tab.

2. Select a node.

3. Double-click the Control Interface and proceed to Illustration 4.39 Primary Control Interface is marked with �C� (uppercase).

Secondary Control Interfaces are marked with �c� (lowercase).

Click Edit. The Contact Addresses dialog opens.


Illustration 4.40 Contact Addresses

Note � Elements that belong to the same Location element always use the primary IP address (defined in the main Properties window of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same Location, the Default Location.

Click OK to close the interface properties and add contact addresses for all Control Interfaces in the same way. Other interfaces may require contact addresses if VPN Clients are used.Proceed as follows:� Proceed to the next section below to define contact addresses for the Management

Server, Log Server(s), and Monitoring Server(s).� If you do not need to add contact addresses for the servers and you have

Management Bound firewall licenses, proceed to Using Management-Bound Licenses, on page 78.

� Otherwise, proceed to Saving the Initial Configuration, on page 78.

3. (Optional) Define an address for the Default Location in the same way (see note below).

1. Select a Location and click Add to create an entry in the table below.

2. Click the Contact Address column and enter the IP address components that belong to this Location must use.

4. Click OK.


Server Contact Addresses

# To define the Management, Log, and Monitoring Server contact addresses

Illustration 4.41 Opening Server Properties

Illustration 4.42 Server Properties

Right-click a server and select Properties from the menu that opens. The Properties dialog for that server opens.

2. Click Edit. The Contact Addresses dialog opens.

1. Select the Location of this server.


Illustration 4.43 Contact Addresses

Note � Elements that belong to the same Location element always use the primary IP address (defined in the main Properties window of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same, Default Location.

Click OK to close the server properties and define the contact addresses for other servers as necessary in the same way.Continue with the configuration:� If NAT is performed between your Management Client and a Log Server, proceed to

the next section, Management Client Location Setting.� If you are done with setting Locations and you have management-bound firewall

licenses, continue as instructed in Using Management-Bound Licenses, on page 78.� Otherwise, proceed to Saving the Initial Configuration, on page 78.

Management Client Location SettingWhen NAT is performed between the Management Client and a Log Server, you must select the correct Location also for your Management Client in the status bar at the bottom of the Management Client Status/Statistics or Configuration view.

# To select the Management Client Location

Illustration 4.44 Configuration View - Bottom Right Corner

3. (Optional) Define an address for the Default Location in the same way (see note below).

1. Select a Location and click Add to create an entry in the table below.

2. Click the Contact Address column and enter the IP address components that belong to this Location must use.

4. Click OK.

Click the Default Location name in the status bar at the bottom of the window and select the correct Location from the list that opens.


Continue with the configuration:� If you have firewall licenses that are bound to the Management Server�s Proof-of-

License (POL) code instead of a specific IP address, continue as instructed in the next section, Using Management-Bound Licenses.

� Otherwise, proceed to Saving the Initial Configuration, on page 78.

Using Management-Bound LicensesAfter you have configured the Firewall elements in the Management Center, management-bound licenses must be manually bound to a specific firewall element, because they contain no IP address information that would automatically bind them to the correct engine.

# To bind a management-bound license to an engine1. In the Configuration view, navigate to Administration→Licenses→Firewalls in

the left panel. All imported firewall licenses appear in the right panel.2. Right-click a management-bound license (licenses that state Dynamic in place

of an IP address) and select Bind. The Select License Binding dialog opens.3. Select the correct firewall from the list and click Select to bind the license to

this firewall. The license is now bound to the selected firewall element.4. If you made a mistake, unbind the license by right-clicking it and selecting

Unbind.

Caution � When you make a configuration change on the engine (policy upload or refresh), the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to; until you do that, the unbound license is shown as Retained.

Proceed to Saving the Initial Configuration below.

Saving the Init ial ConfigurationAfter defining the firewall properties, save the initial configuration for all firewalls. The initial configuration sets some basic parameters for the firewall and triggers the creation of one-time passwords used for initializing each engine�s connection with the Management Server.There are three ways to initialize your firewall engines and establish contact between them and the Management Server:� You can write down the one-time password and enter all information manually in the

command-line Configuration Wizard on the engines.� You can save the configuration on a floppy disk or a USB memory stick to import

some of the information in the command-line Configuration Wizard on the engines.� You can save the initial configuration on a USB memory stick and use the memory

stick to automatically configure the engine without using the configuration wizard.


Note � The automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all other environments.

# To save the initial configuration

Illustration 4.45 Saving the Initial Configuration

Depending on the method you want to use, follow the instructions in Illustration 4.46 (configuration wizard) or Illustration 4.47 (fully automatic).

# To prepare for configuration using the configuration wizard

Illustration 4.46 Initial Configuration Dialog

1. Right-click a Firewall.

2. Select Save Initial Configuration. The Initial Configuration dialog opens.

1. (Optional) If you plan to enter the information manually, write down or copy-paste the Management Server fingerprint for additional security.

2. If you plan to enter the information manually, write down or copy-paste the One-Time Password for each engine. Keep track on which password belongs to which engine node.

3. If you plan to import the configuration while you are in the Configuration Wizard, click Save As and save the configuration on a USB memory stick.

Saving the Initial Configuration 79

# To prepare for fully automatic configuration

Illustration 4.47 Initial Configuration Dialog

Once the firewall is fully configured, the SSH daemon can be set on and off using the Management Client. Enabling SSH in the initial configuration gives you remote command line access in case the configuration is imported correctly, but the engine fails to establish contact with the Management Server.The time zone selection is used only for converting the UTC time that the engines use internally for display on the command line. All internal operations use UTC time, which is synchronized with the Management Server time once the engine is configured.If you lose the one-time password or the saved configuration, you can repeat the procedure for the effected firewall engines.

Caution � Handle the configuration files securely. They include the one-time password that allows establishing trust with your Management Server.

You are now ready to install the StoneGate engine(s). Please see the platform-specific chapter to install the engine(s):� Installing the Engine on Intel Compatible Platforms, on page 83� Installing the Engine on the IBM zSeries, on page 97� If you have a StoneGate hardware appliance, see installation and initial

configuration instructions in the Appliance Installation Guide that was delivered with the appliance. After this, you can return to this guide to set up basic routing and policies (see Defining Routing and Basic Policies, on page 129) or see the more detailed instructions in the online help of the Management Client (or the Administrator�s Guide pdf).

4. Click Save As and save the configuration on a USB memory stick.

3. Set the engine time zone and keyboard layout.

1. Disable the backward-compatible configuration file generation.

2. (Optional) Enable the SSH daemon to allow remote access to the engine command line.


Installing the Firewall Engine

CHAPTER 5 Installing the Engine on Intel Compatible Platforms

This chapter instructs how to install the StoneGate engine on any standard Intel or Intel compatible platform, such as AMD.


! Installing the Firewall Engine, on page 84! Configuring the Engine, on page 85! Installing the Engine in Expert Mode, on page 92

83

Instal l ing the Firewall Engine

Caution � Check that the Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI) settings are disabled in BIOS. Otherwise, the engine may not start after installation or may shut down unexpectedly.

Note � The engines must be dedicated to the firewall. No other other software can be installed on them.

Before you proceed to installing the firewalls, make sure you have completed the following steps (as instructed in the previous chapters):� Installing the Management Center� Creating the initial configuration (one-time password for Management Contact) for

each firewall engine.What you see on your screen may have a different appearance from the illustrations in this guide depending on your system configuration.StoneGate appliances are delivered with pre-installed software. Configure the software as instructed in the Appliance Installation Guide delivered with the appliance.

Checking File IntegrityBefore installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.

Starting the InstallationThe installation is started by booting the engine machine from the installation CD-ROM as explained below.

Caution � Installing StoneGate deletes all existing data on the hard disk.

# To install StoneGate engine from a CD-ROM1. To begin, insert the StoneGate engine installation CD-ROM into the drive and

reboot the machine. The License Agreement appears.2. After going through the License Agreement, type YES and press ENTER to accept

the license agreement and continue with the configuration.

84 Chapter 5: Installing the Engine on Intel Compatible Platforms

Illustration 5.1 Selecting Install Mode

3. Choose between two types of installations: Full Install and Full Install in expert mode.� Type 1 for the normal Full Install.� If you want to partition the hard disk manually, type 2 for the Full Install in

expert mode and continue in Installing the Engine in Expert Mode, on page 92.4. Indicate the number of processors:

� For a uniprocessor machine, type 1 and press ENTER.� For a multiprocessor machine, type 2 and press ENTER.

5. To accept automatic hard disk partitioning, type YES and press ENTER. The installation process is started.

6. The automatic installation process starts.� If you want to use the automatic configuration method, do not reboot once the

installation finishes, but continue in Configuring the Engine Automatically with a USB Stick below.

� Otherwise, remove the CD-ROM and press ENTER to reboot when prompted to do so. Continue in Starting the Configuration Wizard, on page 86

Configuring the EngineDuring the initial configuration, the operating system settings, network interfaces, and the Management Server connection are defined.

Configuring the Engine Automatically with a USB StickThe automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all environments when you use your own hardware. If the automatic configuration does not work, you can still run the configuration wizard as explained in the next section and import or enter the information manually.When automatic configuration is used, Interface IDs are mapped to physical interfaces in sequential order: Interface ID 0 is mapped to eth0, Interface ID 1 is mapped to eth1, and so on.

Note � The imported configuration does not contain a password for the root account, so you must set the password manually in the Management Client before you can log in for command line access to the engine. See the online help of the management client or the StoneGate Administrator�s Guide for more information.


# To install and configure the engine with a USB stick1. Insert the USB stick.2. Remove the CD-ROM and press ENTER at the installation finished prompt.

StoneGate reboots, imports the configuration from the USB stick, and makes the initial contact to the Management Server.� If the automatic configuration fails, and you do not have a display connected,

you can check for the reason in the log (sg_autoconfig.log) written on the USB stick.

� If you see a �connection refused� error message, ensure that the Management Server IP address is reachable from the node.

The configuration is complete when the appliance successfully contacts the Management Server and reboots itself. Continue the configuration in After Successful Management Server Contact, on page 92, where you can also find an explanation on how successful management contact is indicated in the Management Client.

Starting the Configuration WizardIf there is no USB memory stick with an engine configuration inserted when the machine is rebooted after the installation, the StoneGate configuration wizard starts. The wizard can always be run again by issuing the sg-reconfigure command on the engine command line.If you have stored the configuration on a floppy disk or a USB memory stick (see Saving the Initial Configuration, on page 78), you can import it now to reduce the need for typing in information.

# To select the configuration method

Illustration 5.2 Welcome

To import a saved configuration, highlight Import using the arrow keys and press ENTER.

To skip the import, highlight Next using the arrow keys and press ENTER. Proceed to Configuring the Operating System Settings, on page 87.


# To select the import source

Illustration 5.3 Import Configuration

# To import the configuration1. Select the correct configuration file. Remember that these are specific to each

individual firewall engine node.2. Highlight Next and press ENTER to continue.Continue the configuration as explained in the next section.

Configuring the Operating System SettingsThe Configure OS Settings screen is displayed.

# To set the keyboard layout

Illustration 5.4 Configure OS Settings

Illustration 5.5 Select Keyboard Layout

Select Floppy Disk or USB Memory and press ENTER

Highlight the entry field for Keyboard Layout using the arrow keys and press ENTER. The Select Keyboard Layout dialog opens.

Highlight the correct layout and press ENTER.

Tip: Type in the first letter to move forward more quickly.


Note � If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

# To set the engine’s timezone


Note � The timezone setting affects only the way the time is displayed on the engine command line. The actual operation always uses UTC time.

Note � You do not need to manually adjust the engine time. It is automatically synchronized with the Management Server clock.

# To set the rest of the operating system settings


1. Highlight the entry field for Local Timezone using the arrow keys and press ENTER. The Select Timezone dialog opens.

2. Select the timezone from the list in the same way you selected the keyboard layout.

1. Type in the name of the firewall.

2. Type in the password for the user root. This is the only account for command line access to the engine.

3. Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to engine command line using SSH.

4. Highlight Next and press ENTER. The Configure Network Interfaces window is displayed.


Configuring the Network InterfacesThe configuration utility can automatically detect which network cards are in use. You can also add interfaces manually, if necessary.

# To define the network interface drivers automatically

Illustration 5.8 Configure Network Interfaces

Check that the autodetected information is correct and that all interfaces have been detected. If there are problems, add the network interfaces manually as explained in the section To define the network interface drivers manually, on page 90 (you can overwrite any autodetected setting).

Tip: The Sniff option can be used for troubleshooting the network interfaces. Select Sniff on an interface to run network sniffer on that interface.

# To map the physical interfaces to Interface IDs

Illustration 5.9 Assigning Network Interfaces

Note � The Management interface must be the same that is configured as the primary control interface for the corresponding Firewall element in the Management Center. Otherwise the engine cannot contact the Management Center.

Highlight Next and press ENTER to continue. Proceed to Contacting the Management Server, on page 90.

Highlight Autodetect and press ENTER.

1. Change the IDs as necessary to define how physical interfaces are mapped to the Interface IDs you defined in the Firewall element.

3. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server.

2. If necessary, highlight the Media column and press ENTER to change settings to match those used by the device at the other end of the link.


# To define the network interface drivers manually

Illustration 5.10 Configure Network Interfaces

Illustration 5.11 Add Device Driver

Contacting the Management ServerThe Prepare for Management Contact window opens. If the initial configuration was imported from a floppy or USB memory stick, most of this information is filled in.

Note � If there is any intermediate firewall between this firewall and the Management Server, make sure that the intermediate firewall�s policy allows the initial contact and all subsequent communications. See StoneGate-Specific Ports, on page 193 for a listing of the ports and protocols used.

This task has two parts. First, you activate an initial configuration on the firewall. The initial configuration contains the information that the engine needs to connect to the Management Server for the first time. The initial configuration is replaced with a working configuration when you install a Firewall Policy on this engine using the Management Client.

Highlight Add and press ENTER.

Select a driver that is used for your network card(s) and press ENTER.Repeat as necessary, then map the interfaces to Interface IDs as explained above.


# To activate the initial configuration

Illustration 5.12 Preparing for Management Contact - Initial Configuration Settings

Note � If the engine and the Management Server are on the same network, you can leave the Gateway to management field empty.

The initial configuration contains a simple firewall policy that only allows connections between the firewall engine and the Management Server and blocks everything else.In the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server.

# To fill in the Management Server information

Illustration 5.13 Preparing for Management Contact - Contact Management Server

1. Highlight Switch Firewall Node to Initial Configuration and press spacebar to activate.

2. Fill in according to your environment. The information must match to what you defined for the Firewall element (Primary Control IP Address).

1. Highlight Contact Management Server and press spacebar to activate.

2. Fill in the Management Server IP address and the one-time password that was created for this engine when you saved the initial configuration.

3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). Filling it in increases the security of the communications.

4. Highlight Finish and press ENTER


Note � The one-time password is engine-specific and can be used only for one initial connection to the Management Server. Once initial contact has been made, the engine receives a certificate from the Management Center for identification. If the certificate is deleted or expires, you need to repeat the initial contact.

The engine now tries to make initial Management Server contact. The progress is displayed on the command line.� If the initial management contact fails for some reason, the configuration can be

started again with the sg-reconfigure command. The command can also be used to change any of the settings later on.

� If you see a �connection refused� error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. You can save a new initial configuration if unsure about the password (see Saving the Initial Configuration, on page 78).

After Successful Management Server ContactAfter you see a notification that Management Server contact has succeeded, the firewall engine installation is complete and the firewall is ready to receive a policy. In a while, the firewall�s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server can connect to the node.To finish your firewall configuration, proceed to Defining Routing and Basic Policies, on page 129.

Caution � When using the command prompt, use the reboot command to reboot and halt command to shut down the node. Do not use the init command. You can also reboot the node using the Management Client.

Instal l ing the Engine in Expert ModeTo start the installation, reboot from the CD-ROM (see Installing the Firewall Engine, on page 84).The difference between the normal and expert installation is that in expert mode, you partition the hard disk manually. If you are unfamiliar with partitioning hard disks in Linux, we recommend that you use the normal installation process.To continue with the expert mode installation, continue in Partitioning the Hard Disk Manually, on page 93.


Partitioning the Hard Disk ManuallyTypically, you need five partitions for a StoneGate engine as explained in Table 5.1.

The partitions are allocated in two phases. First, disk partitions are created and second, the partitions are allocated for their use purposes.

Caution � Partitioning deletes all the existing data on the hard disk.

# To partition the hard disk1. If you are asked whether you want to create an empty partition table, type y to

continue.

Illustration 5.14 Starting Partitioning

2. Press ENTER to continue.

TABLE 5.1 StoneGate Partitions

Partition Recommended size Description

Engine root A 200 MB The bootable root partition for StoneGate engine.

Engine root B 200 MBAlternative root partition for StoneGate engine. Used in engine upgrade.

SwapTwice the physical memory

Swap partition for StoneGate engine.

Data 500 MB or moreUsed for the boot configuration files and the root user�s home directory.

SpoolRest of free disk space

Used for spooling


Illustration 5.15 Defining Partition Table

3. Create the partitions for the engine as follows:3.1 For engine root A: 200 MB, bootable, Primary, Linux partition3.2 For engine root B: 200 MB, Primary, Linux partition3.3 For swap: twice the size of physical memory, Logical, Linux swap partition.

� To change the partition type to Linux swap, select Type and enter 82 as the file system type.

3.4 For data: 500 MB or more, Logical, Linux partition3.5 For spool: allocate rest of the free disk space, Logical, Linux partition.

4. Check that the partition table information is correct.5. Select Write to commit the changes and confirm by typing yes.6. Select Quit and pressing ENTER.


Allocating PartitionsAfter partitioning the hard disk, the partitions are allocated for StoneGate.

# To allocate the partitions

Illustration 5.16 Checking Partition Table

1. Check that the partition table is correct. Type YES to continue.

Illustration 5.17 Allocating Partitions

2. Using the partition numbers of the partition table (see Illustration 5.16), assign the partitions for the engine, for example:

2.1 For the engine root A partition, type 1.2.2 For the engine root B partition, type 2.2.3 For the swap partition, type 5.2.4 For the data partition, type 6.2.5 For the spool partition, type 7.

Illustration 5.18 Accepting Partition Allocation


3. Check the partition allocation and type YES to continue.

Illustration 5.19 Installation Finished

4. The StoneGate engine installation process is started. When installation is complete, remove the CD-ROM from the machine and press ENTER to reboot.

5. Continue the configuration as described in Configuring the Engine, on page 85.


CHAPTER 6 Installing the Engine on the IBM zSeries

This chapter instructs how to prepare z/VM for installing StoneGate and how to proceed with StoneGate engine installation on IBM zSeries platform.


! Preparing z/VM for the Engine Installation, on page 98 ! Installing the Firewall Engine, on page 100! Configuring the Firewall Engine, on page 103! Installing the Engine in Expert Mode, on page 119

97

Preparing z/VM for the Engine Instal lationFor detailed information on running Linux on IBM zSeries, please refer to the IBM documentation available at http://www.redbooks.ibm.com/. For example, see the following documents:� IBM Redbook SG24-6820-00: Linux on zSeries and S390: Systems Management� IBM Redbook SG24-6824-00: Linux on IBM eserver zSeries and S/390: Large Scale

Linux Deployment� IBM Redbook SG24-6299-00: Linux on IBM eserver zSeries and S/390: ISP/ASP

Solutions� IBM Redbook SG24-6264-00: Linux for IBM eserver zSeries and S/390:

Distributions.For detailed information on configuring Linux device drivers on IBM zSeries, please refer to the IBM document Linux for S/390 Device Drivers and Installation Commands, available at http://www.ibm.com/servers/eserver/zseries/os/linux/.

Note � The VM guests running the StoneGate firewall engines are dedicated for the firewall functionality, so they should not run any other software.

# To prepare z/VM for StoneGate engine installation1. Define a VM guest for StoneGate and assign resources for the guest. in the

USER DIRECT file. You have to be logged on as MAINT for defining the VM guest user.

1.1 Edit the configuration file using command XEDIT USER DIRECT.1.2 Define real storage for the StoneGate guest. 1.3 Provide the guest with general user�s G privilege class.1.4 Assign two read/write DASDs (or CMS minidisks) dedicated for the

StoneGate guest.1.5 Assign the network interfaces to be used for StoneGate.1.6 Check for any overlap in the minidisk definitions with command DISKMAP

USER. Overlaps and other related information are placed in the USER DISKMAP file.

1.7 Locate overlaps with command XEDIT USER DISKMAP followed by the XEDIT command /overlap.

1.8 Check the syntax of USER DIRECT file with command DIRECTXA USER (EDIT.

1.9 Load the definitions to VM with command DIRECTXA USER.2. Configure the physical and the logical VM network environment.

2.1 Configure the network devices (real and virtual) used by StoneGate.2.2 The network connections from the guests that StoneGate protects must be

routed through the firewall engine.

98 Chapter 6: Installing the Engine on the IBM zSeries

http://www.redbooks.ibm.com/

http://www.ibm.com/servers/eserver/zseries/os/linux/

Caution � Plan and configure carefully the connections to and from the protected networks through StoneGate, so that it is not possible to bypass the firewall.

3. Prepare one minidisk with CMS write access and StoneGate guest read access for the StoneGate installation files.

3.1 Log on as the StoneGate VM guest user.3.2 Format the guest�s �home� A disk (device 191) with command FORMAT 191

A.4. Copy the StoneGate SGINST* installation files to the StoneGate VM guest user�s

A minidisk (device 191). For downloading the files using an FTP client on the VM:4.1 Connect to the FTP server where the SGINST* installation files are located,

using the command ftp server_net_address, and log in.4.2 To download the SGINST.PARMFILE and SGINST.EXEC text files:

� Change to text mode with the FTP command ascii.� Fix the record format and set the record length for the files using the

command locsite fix 80. (If uploading the files using FTP client running on a PC, the record format and length are set with the command quote site fix 80.)

� Download the files using the command get filename.4.3 To download the SGINST.KERNEL and SGINST.INITRD binary files:

� Change to binary mode with the FTP command binary.� Fix the record format and set the record length for the files using the

command locsite fix 80. (If uploading the files using FTP client running on a PC, the record format and length are set with the command quote site fix 80.)

� Download the files using the command get filename.5. To install the engine, proceed to Installing the Firewall Engine, on page 100.On some occasions, an FTP text file transfer from a Windows machine may corrupt the SGINST EXEC file. Compare the transferred file to Illustration 6.1 and ensure that it is intact. You can also use the REXX editor to create the file manually.

Preparing z/VM for the Engine Installation 99

Illustration 6.1 SGINST EXEC File

Instal l ing the Firewall EngineAfter installing the Management Center, creating the initial configuration, and preparing the StoneGate VM guest user, the firewall engines can be installed.The following step-by-step instructions provide an example of a typical engine installation. The screens appearing during the installation may differ slightly during your installation depending on your system configuration.



# To start the StoneGate engine installation1. Run the SGINST EXEC script. These scripts punch the StoneGate installation

files to the VM reader and then IPLs from the reader.

Illustration 6.2 Executing SGINST EXEC

2. Once the system is up, the StoneGate end-user license agreement is displayed. Scroll down to read through the license agreement.

/* REXX EXEC TO IPL STONEGATE INSTALLATION *//* FOR S/390 FROM THE VM READER. *//* */'CP CLOSE RDR' 'PURGE RDR ALL' 'SPOOL PUNCH * RDR' 'PUNCH SGINST KERNEL * (NOHEADER' 'PUNCH SGINST PARMFILE * (NOHEADER' 'PUNCH SGINST INITRD * (NOHEADER' 'CHANGE RDR ALL KEEP NOHOLD' 'CP IPL 000C CLEAR'

SGINST0000003 FILES PURGED RDR FILE 0047 SENT FROM SGS1 PUN WAS 0047 RECS 034K CPY 001 A NOHOLD NOKEEPRDR FILE 0048 SENT FROM SGS1 PUN WAS 0048 RECS 0001 CPY 001 A NOHOLD NOKEEPRDR FILE 0049 SENT FROM SGS1 PUN WAS 0049 RECS 288K CPY 001 A NOHOLD NOKEEP0000003 FILES CHANGED



3. To accept the license agreement, type YES. To cancel the installation, type NO.4. After accepting the license agreement, you will be prompted to define the two

DASDs (or CMS minidisk) to be used by StoneGate. For modifying DASD configuration manually, please see Installing the Engine in Expert Mode, on page 119.

Illustration 6.4 Defining the First DASD for StoneGate

4.1 Enter the device number for the first DASD of the StoneGate guest.

Illustration 6.5 Defining the Second DASD for StoneGate

4.2 Enter the device number for the second DASD of the StoneGate guest.

License agreement must be accepted before continuing. Type YES to continue and NO to cancel. Do you want to continue?

StoneGate Engine Installation System First you have to define two DASDs to be used with StoneGate. List of detected subchannels, device number is the first column: Device sch. Dev Type/Model CU in use PIM PAM POM CHPIDs --------------------------------------------------------------------- 0009 0000 3215/00 yes 80 80 FF 10000000 00000000 000C 0001 2540/00 80 80 FF 10000000 00000000 000D 0002 2540/00 80 80 FF 10000000 00000000 000E 0003 1403/00 80 80 FF 10000000 00000000 0191 000D 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 0190 000E 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 019D 000F 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 019E 0010 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 0150 0011 3390/0C 3990/E9 C0 C0 FF 0E0F0000 00000000 0151 0012 3390/0C 3990/E9 C0 C0 FF 0E0F0000 00000000 0592 0013 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 Enter the device number of first DASD:

Enter the device number of second DASD:


Illustration 6.6 Accepting the Defined DASD

4.3 To accept the DASD definition, type YES. To redefine the StoneGate DASDs, type NO.

Illustration 6.7 Selecting StoneGate Installation Type

5. For the installation type, type 1 for the normal full install mode. Installing StoneGate in expert mode is explained in Installing the Engine in Expert Mode, on page 119.

Illustration 6.8 Partitioning DASD in Normal Installation

6. The two defined StoneGate DASDs will be automatically formatted and partitioned. To continue the installation, type YES. To cancel the installation, type NO.

Caution � All the existing data on the two StoneGate DASDs will be lost during formatting.

7. The automatic installation process is started. When the installation is finished, you will be prompted to IPL StoneGate.

0150(ECKD) at ( 94: 0) is dasda : active at blocksize: 1024, 495000 block , 483 MB 0151(ECKD) at ( 94: 4) is dasdb : active at blocksize: 4096, 180000 blocks, 703 MB Check that the DASDs are correct. Type YES to continue and NO to cancel. Do you want to continue?

Existing StoneGate installation has not been detected. 1. Full install 2. Full install in expert mode Enter your choice:

Hard disk will be partitioned automatically and all existing data will be lost. Type YES to continue and NO to cancel. Do you want to continue?


Illustration 6.9 IPLing StoneGate Engine After the Installation

8. The StoneGate firewall engine is now installed and ready for configuration. IPL the StoneGate engine from the DASD number displayed on the screen, using the command #CP IPL devicenumber where devicenumber is the DASD device displayed on the screen (in this case, 0151). This is the second DASD that contains the StoneGate Data partition.

9. Proceed to Configuring the Firewall Engine, on page 103.

Configuring the Firewall EngineAfter installing and IPLing the firewall engine, the Configuration Wizard is displayed. During this initial configuration, the operating system settings, network interfaces, and Management Server connection are defined.

Configuring the Operating System Settings

# To configure the engine’s operating system settings1. After IPLing the StoneGate engine, the Configure OS Settings display opens.

Illustration 6.10 Configure OS Settings Display

2. As there is currently no initial configuration, type N to define the settings.

The StoneGate can be started by IPLing the DASD number 0151 Installation finished! Please IPL the DASD to continue.

Welcome to the StoneGate Engine Configuration Wizard. This wizard will configure the StoneGate engine and contact the management server. After this you can perform all tasks using the Management Client. Step 1 of 3: Configure OS settings ---------------------------------------------------------------------------- Current OS settings: - Host name not set - Sshd enabled not set - Root password is not set - Timezone not set Are you happy with these settings (Y/N)?


Illustration 6.11 Defining Host Name

3. Define a name for the firewall engine host.

Illustration 6.12 Enabling or Disabling SSH Daemon

4. If you want to enable the SSH daemon for SSH connections to the engine, type Y. Otherwise type N to disable the SSH daemon.

Illustration 6.13 Defining the Password for the root User

5. Enter a password for the root user and re-enter the password for confirmation.

Illustration 6.14 Defining the Time Zone for the Firewall Engine

6. Type in the (case-sensitive) timezone code or press ENTER for the list of timezones. For example, type CET for Central European Time.� To find a timezone in the list, type the first letters of the timezone to present

only the zones starting with those letters.

Illustration 6.15 Accepting OS Settings

Host name:

Enable SSH daemon (Y/N)?

=== Change root password === Enter new root password: Re-Enter it:

Select timezone (empty or prefix = list zones):

Selected: Europe/Helsinki Current OS settings: - Host name: 'SG-46' - Sshd enabled: yes - Root password is set

- Timezone: CET Are you happy with these settings (Y/N)?


7. Type Y to save the OS settings or N to reconfigure them. Continue to Configuring the Network Interfaces, on page 105.

Configuring the Network InterfacesFor detailed information on configuring Linux device drivers on IBM zSeries, please refer to the IBM document Linux for S/390 Device Drivers and Installation Commands, available at http://www.ibm.com/servers/eserver/zseries/os/linux/.

# To configure the network interfaces1. The Configure Network Interfaces display opens.

Illustration 6.16 Configure Network Interfaces Display

2. To add a driver for network interface(s), type A. The available channels are displayed.� Check the network configuration using the command #CP QUERY LAN DETAILS.

Illustration 6.17 Selecting Network Device Type

3. Configure an interface by selecting a driver:

Step 2 of 3: Configure network interfaces --------------------------------------------------------------------------- Current network interfaces: Id Interf. Driver Devno MAC Type Status -------------------------------------------------------------------------------------------------------------------------------------------------------- R)reprobe channels, P)rint channels, A)dd driver, C)lear all, M)gmt interface, N)IC id mapping, S)niff, rE)move NIC, O)ther options, D)one:

Detected following channels:

Type In use Reg. Channel DevNo(s) ----------------------------------------------------------------------------lcs+ctc (0x05) no no 0x0900qeth (0x10) no no 0x2200,0x2201,0x2202 qeth (0x10) no no 0x0900,0x0901,0x0902 qeth (0x10) no no 0x6000,0x6001,0x6002 Select the device layer:

iucv ctc qeth lcs Your selection:


http://www.ibm.com/servers/eserver/zseries/os/linux/

� The ctc driver supports virtual and real Channel-to-Channel (CTC) devices. To configure CTC, see Configuring a CTC Device, on page 106.

� The iucv driver supports z/VM Inter-User Communication Vehicle (IUCV). To configure IUCV, see Configuring an IUCV Device, on page 107.

� The qeth driver supports HiperSockets and Guest LANs, and also OSA Express Fast Ethernet (OSAX-FE) and Gigabit Ethernet (OSAX-GE) adapters in QDIO mode. To configure QETH, see Configuring a QETH Device, on page 108.

� The lcs driver supports OSA2 Fast Ethernet (OSA2-FE) adapters in non-QDIO mode. To configure LCS, see Configuring an LCS Device, on page 111.

Configuring a CTC DeviceThe ctc driver supports virtual and real Channel-to-Channel (CTC) devices.

# To configure a CTC device

Illustration 6.18 Selecting CTC Driver

1. For the network interface device layer, type ctc.

Illustration 6.19 Configuring CTC Device

2. Define the device parameters as follows:� devicename is the driver name ctc followed by the desired (zero or larger)

interface number (e.g., ctc1).

Select the device layer: iucv ctc qeth lcs Your selection:

CTC/ESCON channel device selected Parameter syntax: <devicename>,<read_channel>[,<write_channel>][,<memusage_in_kb>][,<port_no>] Memory usage zero = let the driver decide. Please refer to IBM document 'Linux for zSeries and S/390: Device Drivers and Installation Commands' for more comprehensive syntax. Each interface is added separately with corresponding parameters, do not list all Example: ctc0,0x600,0x601 Parameters:


Note � Automatic device number assignment (ctc-1) should not be used. Define the devices manually to avoid possible configuration problems.

� read_channel is the read subchannel address in hexadecimal, indicated by the leading 0x (e.g., 0x0900).

� write_channel is the write subchannel address in hexadecimal (e.g., 0x0901).� mem_usage_in_kb (optional) defines kilobytes allocated for the read and write

buffers. 0 (zero) indicates that memory allocation is determined by the device driver. The default buffer memory value depends on the device type.

� port_no (or protocol-id) (optional) defines the protocol for the channel. For more information, see the IBM documentation.

Illustration 6.20 Accepting CTC Settings

3. Confirm the device configuration by typing Y or cancel the device configuration by typing N.

4. Configure the other network interfaces and complete the network configuration as explained in Assigning Network Interfaces, on page 112.

Configuring an IUCV DeviceThe iucv driver supports z/VM Inter-User Communication Vehicle (IUCV). All IUCV connections need to be configured for the same IUCV device, separated by colons (:) as explained below.

# To configure an IUCV device

Illustration 6.21 Selecting IUCV Driver

1. For the network interface device layer, type iucv.

You have given the following configuration: - Module: ctc - Parameters: ctc0,0x900,0x901 Is it correct (Y/N)?



Illustration 6.22 Configuring IUCV Device

2. Define the device parameters as follows:� userid is the VM guest or any other user in capital letters in which to connect

(e.g., LINUX4). Multiple guests can be defined by separating userids with colons (e.g., LINUX4:VMGUESTB).

Illustration 6.23 Accepting IUCV Settings



Configuring a QETH DeviceThe qeth driver supports HiperSockets and Guest LANs, and OSA Express Fast Ethernet (OSAX-FE) and Gigabit Ethernet (OSAX-GE) adapters in QDIO mode.

# To configure a QETH device

Illustration 6.24 Selecting QETH Driver

IUCV device selected Please list guest machine ID's you want to connect to in a form: <userid>[:<userid>]... Example: LINUX1:VMGUESTB Please list all needed guest now, if you want to add more later, you need to c)lear old interfaces first Parameters:

You have given the following configuration: - Module: netiucv - Parameters: iucv=LINUX4 Is it correct (Y/N)?



1. For the network interface type, select qeth.

Illustration 6.25 Configuring QETH Device

2. Define the device parameters as follows:� devname is the driver name qeth followed by the desired (zero or larger)

interface number (e.g., qeth1).

Note � Automatic device number assignment (qeth-1) should not be used. Define the devices manually to avoid possible configuration problems.

� read_devno is the read subchannel address in hexadecimal, indicated with the leading 0x. The read subchannel address must be an even number (e.g., 0x0500).

� write_devno is the write subchannel address in hexadecimal. The write subchannel address must be readchannel+1, so it is an odd number (e.g., 0x0501).

� data_devno is the data subchannel address in hexadecimal (e.g., 0x0502).� memusage (optional) defines kilobytes allocated for the read and write buffers. 0

(zero) indicates that memory allocation is determined by the device driver. The default buffer memory value depends on the device type.

� port_no (optional) defines the relative port number of the Channel Path Identifier (CHPID). Use the default setting by typing -1, as the supported network interfaces use only the default port.

� chksum_recv (optional) enables software IP checksumming in addition to hardware checksumming. Software IP checksumming affects the performance and it is disabled by default. To enable software IP checksumming, type 1.

QETH for OSA-Express and Hipersockets channel device selected Parameter syntax: <devname>,<read_devno>,<write_devno>,data_devno,memusage,port_no,chksum_recv Please refer to IBM document 'Linux for zSeries and S/390: Device Drivers and Installation Commands' for more comprehensive syntax. Please also remember to add 'enable_takeover' paramater to IP takeover mode cluster interfaces. HiperSockets example: qeth1,0x7c00,0x7c01,0x7c02 OSA-Express example: qeth2,0x500,0x501,0x502;add_parms,0x10,0x500,0x502,portname:PORT123 Parameters (or P)rint channels):


3. Define additional configuration parameters for the interface after the device parameters as needed:� ,primary_router” . lowdevno and highdevno define the desired device

address range and name identifies the port for sharing by other operating systems. The name can be 1 to 8 characters long and must be uppercase. All operating systems sharing the port must use the same port name.

Note � Do not add the primary_router parameter when the configuration includes a cluster with a shared OSA connection or a dedicated OSA connection, or if there is a layer 2 vswitch connection.

� For OSA Express (QDIO) adapters, the following parameter may be needed. The parameter is not needed if the microcode level is at least Driver 3G - EC stream J11204, MCL032 (OSA level 3.33). To add the parameter (which defines the interface�s associated port), proceed as follows:

� Add the following after the device parameters: �;add_parms,0x10,lowdevno,highdevno,portname:name�. lowdevno and highdevno define the desired device address range and name identifies the port for sharing by other operating systems. The name can be 1 to 8 characters long and must be uppercase. All operating systems sharing the port must use the same port name.

� For all QETH devices that use IP address takeover (for standby clustering), the enable_takeover parameter must be defined:

� Add �;add_parms,0x10,lowdevno,highdevno,enable_takeover� after the device parameters or (if you defined the portname parameter) add the enable_takeover parameter after portname (separate the parameters with a comma). lowdevno and highdevno define the desired device address range.

� For all QETH devices that are used for load-balanced clustering, the layer2 parameter must be defined:

� Add the layer2 parameter �;add_parms,0x10,lowdevno,highdevno,layer2� after the device parameters or (if you defined the portname parameter) add the layer2 parameter after portname (separate the parameters with a comma). lowdevno and highdevno define the desired device address range.

� All VSwitches involved must be configured in Ethernet mode.

Illustration 6.26 Accepting QETH Settings

You have given the following configuration: - Module: qeth - Parameters: qeth0,0x500,0x501,0x502 Is it correct (Y/N)?




Configuring an LCS DeviceThe lcs driver supports OSA2 Fast Ethernet (OSA2-FE) adapters in non-QDIO mode.

# To configure an LCS device

Illustration 6.27 Selecting the LCS Driver

1. For the network interface type, select lcs.

Illustration 6.28 Configuring the LCS Device

2. Define the device parameters as follows:� devicename is the driver name lcs followed by the desired (zero or larger)

interface number (e.g., lcs1).

Note � Automatic device number assignment (lcs-1) should not be used. Define the devices manually to avoid possible configuration problems.

� read_channel is the read subchannel address in hexadecimal indicated with the leading 0x. The read subchannel address must be an even number (e.g., 0x0200).


LCS channel device selected

Parameter syntax (similar to CTC/ESCON):<devicename>,<read_channel>[,<write_channel>][,<memusage_in_kb>][,<port_no>] memusge_in_kb 0: let the driver decidePlease refer to IBM document 'Linux for zSeries and S/390: Device Drivers andInstallation Commands' for more comprehensive syntax.Example: lcs1,0x0200,0x0201,0,1

Parameters:


� write_channel (optional) is the write subchannel address in hexadecimal. The write subchannel address is read_channel+1, so it is an odd number (e.g., 0x0201).

� memusage_in_kb (optional) defines kilobytes allocated for the read and write buffers. 0 (zero) indicates that memory allocation is determined by the device driver.

� port_no (optional) defines the relative port number of the Channel Path Identifier (CHPID).

� ipchksum (optional) enables software IP checksumming in addition to hardware checksumming. Software IP checksumming affects the performance and it is disabled by default. To enable software IP checksumming, type 1.

Illustration 6.29 Accepting the LCS Settings



Assigning Network InterfacesAfter adding the interfaces, assign the management interface and the NIC IDs to the interfaces. This determines the mapping to the Interface ID numbers you defined in the Management Client (NIC ID is the same as Interface ID in this case).The defined interfaces are listed in the Current Network Interfaces display. The interfaces are named by the type of the interface (ethx for ethernet, hsix for HiperSockets, and so on).

Illustration 6.30 Current Network Interfaces

You have given the following configuration: - Module: lcs - Parameters: lcs1,0x300,0x301,0,1

Is it correct (Y/N)?

Current network interfaces: Id Interf. Driver Devno MAC Type Status ---------------------------------------------------------------------------- 0 eth0 qeth 0x0900 No MAC / GuestLAN ether no link (mgmt) 1 eth1 qeth 0x2200 00:09:6b:f6:2c:b5 ether no link 2 hsi2 qeth 0x6000 No MAC / GuestLAN ether no link ----------------------------------------------------------------------------R)reprobe channels, P)rint channels, A)dd driver, C)lear all, M)gmt interface, N)IC id mapping, S)niff, rE)move NIC, O)ther options, D)one:


# To assign NIC IDs for the network interfaces1. Define NIC IDs for the interfaces by typing N.

Illustration 6.31 Defining NIC ID for an Interface

2. For each interface, define the NIC ID number.

Tip: The S (Sniff) command can be used for troubleshooting the network interfaces. Type S and define an interface to run network sniffer on that interface.

# To define the management interface1. In the Current Network Interfaces display, the defined interfaces are listed.


2. To define the management interface, type M.

Illustration 6.33 Defining the Management Interface

3. Select a NIC ID for the management connections. This must be the same interface that you defined as the Primary Control Interface for the Firewall using the Management Client.

New NIC id for eth0 (now it's 0)?


Management interface NIC id:


Illustration 6.34 Defining the Management Interface

4. The selected management interface is indicated with (mgmt) in the interface list.

Disabling NIC Hardware CheckingWhen a cable is unplugged from an OSA card, the card�s MAC address is removed. A StoneGate firewall that uses this card notices the change and starts up in reconfiguration mode after a firewall engine reboot. The firewall engine can be configured to boot up to normal operation mode and only create a log message that a NIC does not have a MAC address. This is configured by disabling the NIC hardware checking in the network interface configuration. The NIC checking can also be disabled by adding manually an empty /data/config/base/disable-nic-check file on the firewall engine.

# To disable NIC checking at boot1. In the Current Network Interfaces display, the defined interfaces are listed.


2. Select O for Other options to configure the NIC checking at boot.




Illustration 6.36 Disabling NIC Checking

3. Select N to enable/disable the NIC checking during a firewall rebooting.

Contacting the Management Server

# To contact the Management Server1. Next, the Prepare for Management Contact display opens.

Illustration 6.37 Prepare for Management Contact Display

2. Type N to change the settings.

Illustration 6.38 Switching to Initial Configuration

3. Select Y to activate the initial configuration. If you run the sg-reconfigure command later, you can choose to:� switch to an initial configuration by selecting Y.� use the current configuration by selecting N. In this case, the currently active

security policy will remain active. All other changes (host name, time zone, SSH daemon, NIC mapping, management contact, etc.) will take effect after completing the configuration.

Advanced NIC options ---------------------------------------------------------------------------- - Disable NIC checking at boot: : no--------------------------------------------------------------------------- N)ic checking, D)one:

Step 3 of 3: Prepare for management contact ----------------------------------------------------------------------------Currrent management contact settings: Switch to initial configuration: No - Node IP address not set - Node netmask not set - Gateway IP address not set Perform initial contact: No - Management IP address not set - Management One-time password not set - Key fingerprint not set Are you happy with these settings (Y/N)?

Switch to initial configuration (Y/N)?


4. Define IP addressing for the management connection as follows:

Illustration 6.39 Defining IP Addressing for Network Management Interface

4.1 For Node IP address, type the IP address used for the management connections to the firewall node. The IP address must be the same as specified control IP address in the firewall element on the Management Server.

4.2 For Netmask, define the netmask for the node�s management IP address.� If the management interface is a point-to-point device (CTC or IUCV), you

need to define the IP addresses for the firewall and the peer in Peer IP address: type the IP address of the peer in the other end of the management interface�s point-to-point link.

4.3 For Gateway to management, define the address of the default gateway needed for the firewall engine to contact the Management Server. If the engine and the Management Server are on the same network, you can leave this line empty.

4.4 For Use VLAN, type N if no VLAN tagging is used for the node�s management interface (usually, no VLAN tagging is used). � If VLAN tagging is used, type Y. Then, define the VLAN ID of the

management interface.

Illustration 6.40 Selecting Initial Management Server Contact

5. Select Y to perform the initial connection to the Management Server. During this contact, the trust relationship is established between the engine and the Management Server. (The necessary information for the initial contact can be retrieved in the Management Client: right-click the correct firewall element and select Save Initial Configuration.)

Enter data for switching to the initial configuration and/orcontacting the management server. Fields marked with * must be filled.Firewall node: Node IP address:* Netmask:* Gateway to management: Use VLAN (Y/N)?

Perform new initial contact (Y/N)?


Illustration 6.41 Defining Management Server IP Address

5.1 Define the Management Server�s IP address for the connection.

Illustration 6.42 Entering One-Time Password

5.2 To contact the Management Server, enter the one-time password (10 case-sensitive alphanumeric characters, e.g. o4tAR7Vz5N). The password is engine-specific and can be used only for one initial connection to the Management Server.

Tip: You can copy the one-time password from the Management GUI when saving the initial configuration and paste it to the console used for engine installation. Select the text string in the Operation Completed window, press Control+C to copy the text, and paste the text string to the console.

Illustration 6.43 Entering Management Server’s Key Fingerprint

5.3 Enter the Management Server�s key fingerprint for verifying the management connection (16 hexadecimal values separated by colons, e.g. 0D:32:1D:B2:03:54:DC:9E:A0:B7:18:7D:C5:0B:FD:2F).

Tip: You can copy the key fingerprint from the Management GUI when saving the initial configuration and paste it to the console used for engine installation. Select the text string in the Operation Completed window, press Control+C to copy the text, and paste the text string to the console.

Illustration 6.44 Accepting Management Contact Settings

6. To accept the settings, type Y and press ENTER. To reconfigure the settings, type N.

Enter data required for contacting the management server.Fields marked with * must be filled, others are optional. Management IP address:*

One time password:*

Key fingerprint:

Are you happy with these settings (Y/N)?


Illustration 6.45 Accepting Firewall Configuration

7. To complete the configuration, select S to save the settings and exit the configuration program. After this, the firewall engine�s SSL keys are generated automatically for authenticating the communication with the other StoneGate components.

8. If the initial Management Server contact was selected, the firewall engine tries to connect to the Management Server. If the initial management contact fails for some reason, the configuration can be started again with the sg-reconfigure command.

Note � If the firewall cannot communicate with the Management Server and you receive a �connection refused� error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node.

Illustration 6.46 Management Contact Successful

After a successful Management Server contact, the firewall engine installation is complete and ready for security policy upload from the Management Center. This is displayed in the Management Client; the node�s status has changed from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server is able to connect to the node.

Caution � When using the command prompt, use reboot and halt commands to reboot and shut down the node. The init command must not be used.

Proceed toDefining Routing and Basic Policies, on page 129

Your choices: ---------------------------------- R) Reconfigure P) Print current settings S) Save and exit C) Cancel ---------------------------------- Your selection:

Contact succeeded. Press Enter to continue


Instal l ing the Engine in Expert ModeInstallation of the StoneGate engine in expert mode is essentially the same as the normal full install described in Installing the Firewall Engine, on page 100. The difference is that in expert mode minidisks are created on the engine manually rather than having it done automatically by the StoneGate engine installation.If you are unfamiliar with partitioning minidisks in Linux it is recommended that you use the normal installation process as outlined in Installing the Firewall Engine, on page 100.The following step-by-step instructions provide an example of a typical engine installation. The screens appearing during the installation may differ slightly during your installation depending on your system configuration.



# To start the StoneGate engine installation1. Run the SGINST EXEC script. These scripts punch the StoneGate installation

files to the VM reader and then IPLs from the reader.

Illustration 6.47 Executing SGINST EXEC

2. Once the system is up, the StoneGate end-user license agreement is displayed. Scroll down to read through the license agreement.


SGINST0000003 FILES PURGED RDR FILE 0047 SENT FROM SGS1 PUN WAS 0047 RECS 034K CPY 001 A NOHOLD NOKEEPRDR FILE 0048 SENT FROM SGS1 PUN WAS 0048 RECS 0001 CPY 001 A NOHOLD NOKEEPRDR FILE 0049 SENT FROM SGS1 PUN WAS 0049 RECS 288K CPY 001 A NOHOLD NOKEEP0000003 FILES CHANGED

License agreement must be accepted before continuing. Type YES to continue and NO to cancel. Do you want to continue?


3. To accept the license agreement, type YES. To cancel the installation, type NO.4. Continue in Partitioning the DASD Manually, on page 120.

Partitioning the DASD ManuallyYou need five minidisk partitions for a StoneGate engine as explained in Table 6.1. As there is the limitation of three minidisks per DASD, two dedicated DASDs (or CMS minidisk) are needed for StoneGate.

Note � The term �spool� is used here to indicate StoneGate partition used for spooling. It does not refer to z/VM spooling.

The partitions are allocated in two phases. First, the two DASDs (or CMS minidisk) are partitioned and second, the partitions are allocated for their use purposes.

# To partition the DASD1. After accepting the license agreement, you will be prompted to define the two

DASDs (or CMS minidisk) to be used by StoneGate.

TABLE 6.1 StoneGate Partitions


Engine root A 200 MBThe root partition for StoneGate engine.This partition must be on DASD with blocksize of 1024.

Engine root B 200 MB

Alternative root partition for StoneGate engine. Used in engine upgrade.This partition must be on DASD with blocksize of 1024.

SwapTwice the physical memory

Swap partition for StoneGate engine.

Data 500 MB or moreUsed for the boot configuration files and the root user�s home directory. This partition must be on DASD with blocksize of 4096.

SpoolRest of free disk space

Used for spooling. This partition must be on DASD with blocksize of 4096.


Illustration 6.49 Defining the First DASD for StoneGate

1.1 Enter the device number for the first DASD of the StoneGate guest.

Illustration 6.50 Defining the Second DASD for StoneGate

1.2 Enter the device number for the second DASD of the StoneGate guest.

Illustration 6.51 Accepting the Defined DASD

1.3 To accept the DASD definition, type YES. To redefine the StoneGate DASDs, type NO.

StoneGate Engine Installation System First you have to define two DASDs to be used with StoneGate. List of detected subchannels, device number is the first column: Device sch. Dev Type/Model CU in use PIM PAM POM CHPIDs --------------------------------------------------------------------- 0009 0000 3215/00 yes 80 80 FF 10000000 00000000 000C 0001 2540/00 80 80 FF 10000000 00000000 000D 0002 2540/00 80 80 FF 10000000 00000000 000E 0003 1403/00 80 80 FF 10000000 00000000 0191 000D 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 0190 000E 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 019D 000F 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 019E 0010 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 0170 0011 3390/0C 3990/E9 C0 C0 FF 0E0F0000 00000000 0171 0012 3390/0C 3990/E9 C0 C0 FF 0E0F0000 00000000 0592 0013 3390/0A 3990/E9 C0 C0 FF 0E0F0000 00000000 Enter the device number of first DASD:

Enter the device number of second DASD:

0170(ECKD) at ( 94: 0) is dasda : active at blocksize: 1024, 495000 block , 483 MB 0171(ECKD) at ( 94: 4) is dasdb : active at blocksize: 4096, 180000 blocks, 703 MB Check that the DASDs are correct. Type YES to continue and NO to cancel. Do you want to continue?


Illustration 6.52 Selecting StoneGate Installation Type

2. For the installation type, type 2 for the expert mode installation. Installing StoneGate in normal mode is explained in Configuring the Firewall Engine, on page 103.

Illustration 6.53 Formatting the First DASD in Expert Mode

3. The first defined StoneGate DASD will be formatted with blocksize 1024 for the StoneGate engine partitions. To continue with formatting, type YES. If the DASD is already formatted with the correct blocksize, type NO.

Caution � All the existing data on the DASD will be lost during formatting.

Illustration 6.54 Formatting the Second DASD in Expert Mode

4. The second defined StoneGate DASD will be formatted with blocksize 4096 for the StoneGate Data partition. To continue with formatting, type YES. If the DASD is already formatted with the correct blocksize, type NO.

Caution � All the existing data on the DASD will be lost during formatting.

Existing StoneGate installation has not been detected. 1. Full install 2. Full install in expert mode Enter your choice:

Next step is to low-level format the DASD number 0170. This will took some time. However, if it's already formatted you might want to skip this by answering NO. NOTICE: The blocksize MUST be 1024. Type YES to continue and NO to cancel. Do you want to continue?

Next step is to low-level format the DASD number 0171. This will took some time. However, if it's already formatted you might want to skip this by answering NO. NOTICE: The blocksize MUST be 4096. Type YES to continue and NO to cancel. Do you want to continue?


Illustration 6.55 Partitioning DASD

5. Partition the first DASD that has blocksize 1024 as described in Table 6.2.

6. To create a partition: 6.1 Type n to create a partition.

Illustration 6.56 Selecting First Track for a Partition

6.2 Type in the first free track for the partition (e.g., 2).

Illustration 6.57 Defining Size for a Partition

6.3 Type the size for the partition (e.g., +200M for 200 MB partition).

Command action m print this menu p print the partition table n add a new partition d delete a partition

v change volume serial t change partition type r re-create VTOC s show mapping (partition number - data set name) q quit without saving changes w write table to disk and exit Command (m for help):

TABLE 6.2 StoneGate Partitions for the First DASD


Partition 1 200 MB Engine root A partition

Partition 2 200 MB Engine root B partition

Partition 3Rest of the free disk space

Swap partition

First track (1 track = 33 KByte) ([2]-50084):

You have selected track 2 Last track or +size[c|k|M] (2-[50084]):


6.4 Repeat these steps for the other partitions on the DASD.7. Type w to write the partition table information on the disk.8. Partition the second DASD that has blocksize 4096 as described in Table 6.3.

9. To create a partition: 9.1 Type n to create a partition.

Illustration 6.58 Selecting the First Track for a Partition

9.2 Type in the first free track for the partition (e.g., 2).

Illustration 6.59 Defining the Size for a Partition

9.3 Type the size for the partition (e.g., +500M for 500 MB partition).9.4 Repeat these steps for the other partitions on the DASD.

10.Type w to write the partition table information on the disk.

TABLE 6.3 StoneGate Partitions for the Second DASD


Partition 1 500 MB or more Data partition

Partition 2Rest of free disk space

Spool partition

First track (1 track = 33 KByte) ([2]-50084):

You have selected track 2 Last track or +size[c|k|M] (2-[50084]):


Illustration 6.60 Accepting Partition Configuration

11.Check that the partition table information is correct and type YES to continue or NO to reconfigure the partitions.

12.Allocate the partitions as described in Table 6.1.13.To allocate a partition:

13.1 Select the DASD where the partition is located: 0 for the first DASD, 1 for the second DASD.

13.2 Select the partition number to be allocated: 1 for the first partition, 2 for the second and 3 for the third.

14.Repeat the previous steps to allocate all partitions.

Illustration 6.61 Accepting Partition Allocation

15.Type YES to accept the partition allocation or NO to change the allocations.16.StoneGate is now installed and ready for configuration. IPL StoneGate from

DASD using the CMS command #CP IPL devicenumber, where devicenumber is the DASD device containing StoneGate Data partition.

rereading partition table... major minor #blocks name 94 0 1652805 dasd/0170/disc 94 1 204798 dasd/0170/part1 94 2 204798 dasd/0170/part2 94 3 524271 dasd/0170/part3 94 4 2404080 dasd/0171/disc 94 5 511968 dasd/0171/part1 94 6 1892016 dasd/0171/part2 Check that partitions have been created correctly. Type YES to continue and NO to cancel. Do you want to continue?

The following partitions have been selected: root A: /dev/discs/disc0/part1 root B: /dev/discs/disc0/part2 swap: /dev/discs/disc0/part3 data: /dev/discs/disc1/part1 spool: /dev/discs/disc1/part2 Check that partitions have been assigned correctly. Type YES to continue and NO to cancel.


17.Continue the configuration as described in Configuring the Firewall Engine, on page 103.


Routing and Policies

CHAPTER 7 Defining Routing and Basic Policies

After successfully installing the firewall and establishing a contact between the firewall engine(s) and the Management Server, the firewall is left in the initial configuration state. Now you must define basic routing and policies to be able to use the firewall for access control. Both of these tasks are done using the Management Client.


! Defining Routing, on page 130! Defining Basic Policies, on page 142! Moving On, on page 147

129

Defining RoutingIn StoneGate, routing is done entirely through the Management Client. Most often you only have one or two simple tasks to do with routing:� Define the default route. This is the route packets to any IP addresses not

specifically included in the routing configuration should take. The default route should always lead to the Internet if the site has Internet access.

� Add routes to your internal networks that are not directly connected to the firewall, if there are any. Directly connected networks are added automatically based on the IP addresses you defined for the firewall�s interfaces.

Routing is most often done using the following elements:� Network elements: represent a group of IP addresses.� Router elements: represent next-hop routers that are used for basic (non-Multi-Link)

routing and to represent the ISP routers inside Outbound Multi-Link elements.� NetLink elements: represent next-hop routers that are used for Multi-Link routing.

In Multi-Link routing, traffic is automatically distributed between two (usually Internet) connections so that the fastest available connection is used for outgoing traffic.

Note � With IBM System z point to point interfaces, the peer (remote end point) of a point-to-point interface is illustrated as a Host element in the Routing tree. Define routing through this link as you would with a Router element.

# To access routing information

Illustration 7.1 Opening the Routing View for a Firewall

2. Select Routing from the menu that opens. The Routing Configuration view for the selected Firewall opens.

1. Right-click the Firewall whose routing you want to configure.

130 Chapter 7: Defining Routing and Basic Policies

Illustration 7.2 Routing View

Illustration 7.3 Expanded Routing Tree

First, add a default route. This is done using the Any Network element as explained on the next pages. Routing decisions are done from the most specific to the least specific route. The Any Network element (which covers all IP addresses) is always the last route that is considered. In other words, only packets that have a destination IP address that is not included anywhere in your routing configuration are forwarded to the interface with the Any Network element.

Note � Adding a Network in the Routing tree makes that network routable, but does not allow any host in that network to make connections. The firewall�s policy defines which connections are allowed. All other connections are blocked.

A StoneGate firewall always includes the Multi-Link feature, which automatically selects the fastest network link for outgoing connections if you have more than one default (Internet) interface. If two or more network interfaces can be used as the default route, follow the Multi-Link instructions.Proceed to the correct section below:� Adding a Default Route With a Single Network Link, on page 132� Adding a Default Route With Multi-Link, on page 134

You can switch between Firewalls within the view.

Networks Corresponding to the interface definitions have been automatically added under all interfaces.


Adding a Default Route With a Single Network Link

# To add a router

Illustration 7.4 Adding a Router

If this interface receives its IP address from a DHCP server, a special Router named Gateway (DHCP Assigned) is now added to the Routing tree; if that is the case, skip to Illustration 7.6. If the interface has a fixed IP address, the Router Properties dialog opens.

Illustration 7.5 Router Properties

Right-click the Network under the interface to be used as the default route (to the Internet) and select New→Router from the menu that opens.

1. Type a name for the Router

2. Enter the IP address of your Internet router.

3. Click OK.


# To add the default route

Illustration 7.6 Adding The Any Network Element

Actually, you are not creating a new element in this case, but just inserting the existing default element �Any Network�. This is the only existing element available through this menu. Others are stored in Resources on the left.

Note � The Any Network element must appear in the Routing tree only once for each firewall in the single-link configuration described above. If you need to insert Any Network more than once, use the Multi-Link configuration instead (see Adding a Default Route With Multi-Link, on page 134).

Illustration 7.7 Finished Default Route

In the illustration above, one internal network is connected to the Internet through StoneGate. Do note that in StoneGate, it makes no difference to the firewall which interfaces are internal and which are external. The configuration you create for the firewall is the only deciding factor for which traffic is allowed and which is not.

Right-click the Router you just created and select New→Any Network.

Internal network is behind this interface

The Internet is behind this interface


Adding a Default Route With Multi-Link

# To add a NetLink

Illustration 7.8 Adding a NetLink

# To add a Router

Illustration 7.9 NetLink Element Properties

Right-click the Network under an interface that should be used as one of the default routes (to the Internet) and select New→NetLink

1. Give the NetLink a name 2. Click

Select for Gateway


Illustration 7.10 Select Element - Navigating to Network Elements

Illustration 7.11 Select Element - Adding a New Router


Create a Router element for all NetLinks in the same way, so that they are ready in the system when you create the other NetLinks.

Click Network Elements.

Right-click Routers and select New Router from the menu that opens.


2. Enter the IP address of the Internet router for this NetLink.

3. Click OK.


Illustration 7.13 Select Element

# To add a Network


Next, select the Network(s) that belong to the NetLink (the ISP network).


1. Click Routers.

2. Select the correct Router and click Select.

All Routers you created are now available directly in the Gateway list.

Click Select for Network.

1. Navigate to Networks. Existing elements are listed.2. If the correct Network(s) are not on the list, click the New button and select Network.If the correct Network(s) are listed, skip to Illustration 7.17.


Illustration 7.16 Network Element Properties


1. Type in a name for the Network

2. Type in the IP address and netmask

3. (Optional) Select this checkbox to include broadcast addresses in the Network

4. Click OK.

Select the correct Network and click the Select button.


# To define the remaining properties


Define all the necessary NetLinks in the same way.Next, you will use the NetLinks to define the default route to the Internet.

1. Type in the name of the service provider for your reference

Probing settings are used for a specific Multi-Link feature that is explained in the other guidebooks and the online help. Leave these empty for now.

2. Click OK.


# To add the default route

Illustration 7.19 Adding the Any Network Element

Actually, you are not creating a new element in this case, but just inserting the existing default element �Any Network�. This is the only existing element available through this menu. Others are stored in Resources on the left.

Illustration 7.20 Finished Default Route

In the illustration above, internal networks are connected to the Internet using two Internet connections. Do note that in StoneGate, it makes no difference to the firewall which interfaces are internal and which are external. The configuration you create for the firewall is the only deciding factor for which traffic is allowed.

Caution � The configuration outlined above is only a part of the Multi-Link configuration. For additional steps required for a fully-featured Multi-Link, see the Reference Guide for an overview and the online help or the Administrator�s Guide PDF for step-by-step instructions.

Right-click each NetLink and select New→Any Network.

The Internet is behind these interfaces


Defining Other RoutesYou may have more internal networks than just those connected directly to the firewall. Those have to be manually added to the Routing tree.Usually, non-ISP routes use a single-link configuration, as explained below, but a Multi-Link configuration can be used instead, if there are alternative links to the same network. If that is the case, add the routes using NetLinks instead of Routers in a similar way as with the default route (see Adding a Default Route With Multi-Link, on page 134).

# To add a router

Illustration 7.21 Adding a Router Element


Right-click the Network that is the correct route to some other network and select New→Router.Once created, elements are stored in the Resources tree. You can drag and drop existing elements from there.


2. Enter the IP address of the gateway device that connects the networks.

3. Click OK.


# To add networks

Illustration 7.23 Adding Internal Network

Illustration 7.24 Network Element Properties

Add as many Networks as you need to the Router element.

AntispoofingSpoofing an IP address means that someone uses the IP address of some legitimate (internal) host to gain access to protected resources. Antispoofing, which prevents spoofing, is done automatically in StoneGate. Antispoofing is based on the routing information. Often, you do not have to change antispoofing rules at all; by default, connection attempts with a source IP address from a certain internal network are only allowed through if they are coming from the correct interface as defined in the Routing tree. As the routing entry is usually needed for the communications to work, antispoofing rarely needs additional modifications.If you need to make exceptions to this rule, you can add individual Host elements in the Antispoofing view behind interfaces through which they are allowed to make transmissions. For more information, see the online help (press F1 on your keyboard when any Management Client window is active).

Right-click the Router you just added and select New→Network.Existing Networks can be added by dragging and dropping them from the Resources list on the left.

1. Type in a name for the Network

2. Type in the IP address and netmask

3. (Optional) Select this checkbox to include broadcast addresses in the Network

4. Click OK.


Using IP Address Count Limited LicensesIf you have a license that is based on a restriction on the number of IP addresses in your networks, you must exclude the Internet interface from the IP address counting. Otherwise, addresses on the Internet are counted towards the license restriction and some of your internal hosts may not be allowed to connect through the firewall.Firewalls that have some other type of license do not require this action, so if you have such a license (an unlimited license or a throughput-based license), continue in the next section, Defining Basic Policies.

# To exclude an interface from IP address counting� Right-click the Internet interface in the Routing tree and select Exclude from IP

Counting from the menu that opens.Only one interface can be excluded from IP address counting.

Note � If you want to use Multi-Link with an IP address limited license, all network links must be made accessible through a single interface. See more information at www.stonesoft.com/support.

Defining Basic PoliciesThe final step in getting your firewall up and running is creating the rules according to which the traffic is inspected. In addition to the rules in the policy, also the other configuration information is transferred to the firewall when you install a policy on it (including the interface definitions and routing information).To walk you through the basics of rule editing in StoneGate, the following illustrations show you how to create a simple rule that allows pinging from one host in your internal network to any address.

# To create a policy

Illustration 7.25 Viewing Firewall Policies

Click the Security Policies shortcut icon in the toolbar and select Firewall Policy.


http://www.stonesoft.com/support

Illustration 7.26 Creating A Policy

Illustration 7.27 Firewall Policy Properties

# To add a rule for pinging

Illustration 7.28 Security Policy Editor

Note � Inherited rules are not editable through the policy that inherits the rules.

Right-click Firewall Policies and select New→Firewall Policy.

1. Name the new Policy

2. Select a template. Only the Default template is available, as you have not created your own templates yet.

3. Click OK.

1. (Optional) Click the Inherited Rules button to view and hide rules inherited from the Default template.

2. Double-click the green row now to add a rule.


Illustration 7.29 Create a Host

Illustration 7.30 Host Properties

Illustration 7.31 Setting The Source

Right-click Hosts and select New Host from the menu that opens.

1. Type in a name for the Host.

2. Enter the IP address

3. Click OK. The new host is added to the list of hosts in Resources.

2. Drag and drop the Host you created to the Source Cell.

1. Click Hosts in the Resources list. The list of hosts is shown.


Illustration 7.32 Setting The Destination

Illustration 7.33 Adding the Service

Note � The default Services cannot be edited, but you can create a new Service of any type and set its properties as you please. See the online help for more information.

Illustration 7.34 Setting the Action

Right-click the Destination cell and select Set to ANY from the menu that opens.

1. Click the Service cell in the rule to display Services in the Resources list.

2. Navigate to ICMP and drag and drop the Ping item to the Service Cell.

Click the Action cell and select Allow from the list of Actions.


Illustration 7.35 Next Steps

By default, the firewall maintains connection tracking information on connections allowed by a rule. As one result, you only have to add rules for allowing the opening of connections. Once the connection is opened, reply packets that belong to that connection are then allowed through as long as they are appropriate for the state of that particular connection. Only if connection opening needs to be allowed from the other end as well, a second rule needs to be added.In the case of the ping rule in our example, the replies to pings made by the Test host are allowed through without any modification to the rules. However, if someone else tries to ping our Test host through the firewall, the connection is blocked.

Note � The test rule may not work in all environments without NAT. Add a rule on the NAT Rules tab to translate the IP address. Multi-Link Load balancing requires additional configuration and a specific type of NAT rule.

Illustration 7.36 Policy Install

Click the Save and Install icon in the toolbar when you are finished to save the new rule and transfer changes to the firewall.

Or right-click the rule and select either Add Rule Before or Add Rule After to create more rules.

1. Select the correct Firewall.

2. Click the Add button.

3. Click OK.


Moving OnAfter a successful policy installation, your system is ready to process traffic. You can control the firewall using the right-click menu as shown in Illustration 7.37.

# To check system status and issue commands to firewalls

Illustration 7.37 Right-Click Menu For Nodes - Commands

3. Use the Commands submenu to command engines Online/Offline. Only nodes in Online mode process traffic.Depending on the selection in the Status tree, you can give commands individually for each node, for a selected group of nodes, for a whole cluster, or several firewalls at once.

2. Check the status of the firewalls and SMC in the Status tab.You can select a firewall or server to view more information about it in the Info tab.

1. Switch to the Status/Statistics view.

Moving On 147

Illustration 7.38 Right-Click Menu for the Firewall

This concludes the configuration instructions in this Installation Guide. To continue setting up your system, consult the online help (or the Administrator�s Guide PDF), particularly the Introduction to StoneGate in the Getting Started section.You can access the online help by pressing the F1 key, by selecting Help→Help Topics in the main menu or by clicking the Help button in a dialog. Depending on which window is currently active, you see either a help topic that is related to the current window or the front page of the help system.

Illustration 7.39 Online Help

In Properties, you can change Interface settings and many other settings for the selected firewalls.

Turn on Status Surveillance if you want to receive alerts when the status of the Firewall changes.

You can view Logs pre-filtered to entries generated by the selected firewalls.

You can check current firewall policy and transfer changes.

See instructions for setting up and customizing the firewall.The top-level �book� icons open with a double-click.


Maintenance

CHAPTER 8 Upgrading and Updating

When there is a new version of the StoneGate Management Center or the firewall engine software, you should upgrade as soon as possible. You can download the new version and generate licenses for it if needed at the Stonesoft website as further explained.


! Getting Started with Upgrading StoneGate, on page 152! Upgrading or Generating Licenses, on page 154! Upgrading the Management Center, on page 158! Upgrading Engines Remotely, on page 159! Upgrading Engines Locally, on page 162! Changing IP Addressing, on page 164

151

Getting Started with Upgrading StoneGateYou can upgrade Management Center components as well as the firewall engines without uninstalling the previous version. The firewall engines may be upgraded locally or remotely.You can configure the Management Server to automatically check for new updates and engine upgrades and inform you of them. See the online help for more information.During a Firewall cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. For full functionality, all nodes should be upgraded to the same version as soon as possible. Also, you can change the hardware of the nodes one by one while the other nodes handle the traffic.It is important to upgrade the Management Center components before upgrading the engines, because the old Management Center version may not be able to recognize the new version engines and generate a valid configuration for them. Older versions of engines can be controlled by newer Management Center versions. See the Release Notes for possible version-specific restrictions.

Caution � If you are upgrading from a Management Server version that is older than 3.0.1: first upgrade to 3.5.3 locally, start the Management Server, shut it down, and only then upgrade to the most recent version.

Caution � All the Management Center components (Management Server, Management Client, Log Server, and the optional Monitoring Server and Monitoring Client) must use the same software version to work together.

If you also want to change the component�s IP addressing, see Changing IP Addressing, on page 164 for more information. For more detailed instructions, see the online help.Proceed to the Configuration Overview to begin with the configuration.

Configuration OverviewThe upgrade procedure is the same for StoneGate Firewall/VPN and IPS systems:1. Check the latest known issues list on the Stonesoft website for the version you

are about to install at http://www.stonesoft.com/en/support/technical_support_and_documents/.

2. Obtain the installation files at https://my.stonesoft.com/download/ and check the installation file integrity (see Checking File Integrity, on page 153).

3. Read the release notes for the new version you are about to install. They can be found at the Stonesoft website (at http://www.stonesoft.com/en/support/technical_support_and_documents/).

4. Update the licenses (if necessary, see Upgrading or Generating Licenses, on page 154).

152 Chapter 8: Upgrading and Updating

http://www.stonesoft.com/en/support/technical_support_and_documents/





5. Upgrade the Management Server, the Log Servers, Monitoring Servers (if any), and the Management Clients (see Upgrading the Management Center, on page 158). The operation of StoneGate Firewall engines is not interrupted even if the Management Center is offline.

6. Upgrade the Firewall engines one by one. Confirm that the upgraded engine operates normally before upgrading the next engine (see Upgrading Engines Remotely, on page 159 or Upgrading Engines Locally, on page 162).

7. You should also check if there are new dynamic update packages available and import and activate them (see Installing Dynamic Updates, on page 39).

Checking File IntegrityBefore installing StoneGate, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums are on the StoneGate installation CD-ROM and on the product-specific download pages at the Stonesoft website at http://www.stonesoft.com/download/. For more information on MD5 and SHA-1, see RFC1321 and RFC3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/.Windows does not have MD5 or SHA-1 checksum programs by default, but there are several third-party programs available.

# To check MD5 or SHA-1 file checksum1. Obtain the checksum files from Stonesoft website at http://

www.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 8.1 Checking the File Checksums

4. Compare the displayed output to the checksum on the website.

Caution � Do not use files that have invalid checksums.

After checking the file integrity, burn the ISO file on a CD-ROM using appropriate software and read the release-specific information on Stonesoft�s website.Create the installation CD-ROM, then proceed to Upgrading or Generating Licenses. If you are absolutely sure you do not need to upgrade your licenses, proceed to Upgrading the Management Center, on page 158.

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Getting Started with Upgrading StoneGate 153



http://www.rfc-editor.org/

http://www.rfc-editor.org/



Upgrading or Generating LicensesWhen you installed StoneGate for the first time, you installed licenses that work with all versions of StoneGate up to that particular version. If the first two numbers in the old and the new version are the same, the upgrade can be done without upgrading licenses (for example, when upgrading from 3.5.3 to 3.5.4). When the first two numbers in the old version and the new version are different, you must first upgrade your licenses (for example, when upgrading from 3.5.4 to 4.0.0).If you are simultaneously installing new StoneGate components that you have not previously licensed, or if you want to change the IP address for an IP address bound license, you also need to generate new licenses.If you do not need to upgrade licenses or create new ones, proceed to Upgrading the Management Center, on page 158.If you need new licenses:� Proceed to Upgrading Licenses Under Multiple Proof Codes, on page 155 to upgrade

one or more licenses at once.� Proceed to Upgrading Licenses Under One Proof Code, on page 155 to upgrade the

licenses one by one.� Proceed to Generating a New License to generate a completely new license.

Generating a New LicenseYou generate the licenses at the Stonesoft website based on your proof of license (POL, for software, included in the order confirmation message sent by Stonesoft) or proof of serial number (POS, for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.Generated licenses are always for the newest software version you are entitled to, but you can use them with older versions as well.If you are licensing several components of the same type, remember to generate one license for each (it may be more convenient to use the multi-upgrade feature, see Upgrading Licenses Under Multiple Proof Codes, on page 155).There are two types of licenses that you can generate:� IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic control IP addresses. If you want to change the IP address the license is bound to, you need to fill in a request at the licensing website.

� Management bound licenses: For Firewall and IPS engines (bound to the proof of license of the Management Server). These licenses can be switched from one engine to another if you delete the previous element it was bound to or re-license it and refresh its policy.


Note � Management bound licenses can only be imported to Management Server version 3.0 or newer. If necessary, upgrade your Management Server before importing the engine licenses.

# To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof of license or proof of serial number) to the correct

field and click Submit. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in (at least) the required fields.5. Enter the IP addresses of the Management Center components you want to

license (if any). The license is bound to the IP address you give, and you will have to return to the licensing page if you need to change the IP address.

6. Enter the Management Server�s proof of license code (or the engine�s IP address) for the engines you want to license (if any).

7. Click Submit request. The license file is sent to you in a moment, and also becomes downloadable in the License Center.

Note � Evaluation license orders or requests for an IP address change of an existing license may need manual processing. See the license page for current delivery times and details.

Proceed to Installing Licenses, on page 156.

Upgrading Licenses Under One Proof CodeA license file generated under one POL or POS code contains the license information for several components. You can also always use the multi-upgrade form to upgrade the licenses (see Upgrading Licenses Under Multiple Proof Codes, on page 155).

# To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof of license or proof of serial number) in the correct

field and click Submit. The license page opens.3. Click Update. The license upgrade page opens.4. Follow the directions on the page that opens to upgrade the license.Repeat for other licenses. When done, proceed to Installing Licenses, on page 156.

Upgrading Licenses Under Multiple Proof CodesIf you have several existing licenses with different POL or POS codes that you need to upgrade, you can make the work easier by generating the new licenses all at once.� With any version of the Management Center, you can generate the new licenses by

selecting StoneGate multi-upgrade on the licensing website and copy-pasting the




POL or POS codes (from the Management Client, e-mail, or elsewhere) directly in the field reserved for this on the Upgrade Multiple StoneGate Licenses page. Proceed to Installing Licenses, on page 156 after doing this.

� With Management Center version 3.2 or newer, you can generate a text file by exporting information on licenses from the Management Client and import the text file to the licensing website as explained below.

# To upgrade multiple licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to the type of Licenses you want to

upgrade, or to All Licenses.3. Ctrl-select or Shift-select the licenses you want to upgrade.

Illustration 8.2 Exporting License Information

4. Right-click one of the selected items and select Export License Info from the menu that opens. A file save dialog opens.

5. Select a location and type in a name for the file. The default file ending is .req, but you may change this to something else if required.

6. Click Save. The license information is exported to the file you specified and a message pops up.

7. (Optional) Click the link in the message to launch the Stonesoft License Center website�s multi-upgrade form in the default Web browser on your system.

8. Upload the license file to the Stonesoft License Center website using the multi-upgrade form, and submit the form with the required details. The upgraded licenses are sent to you.

You can view and download your current licenses at the license website (log in by entering the proof-of-license or proof-of-serial number code at the License Center main page).After receiving the new licenses, proceed to Installing Licenses.

Installing LicensesAfter you have generated a license file (Generating a New License, on page 154), you import the license file into the Management Center.

Select one or more licenses for elements of any type.

Right-click to export.


# To install StoneGate licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to Licenses.3. If the firewall or IPS engine(s) you want to re-license have a management bound

license, unbind the previous license by right-clicking on the license or the engine and selecting Unbind from the menu that opens.

4. Import the licenses from a .jar license file by selecting File→System Tools→Install Licenses from the menu.

5. Select a license file and click Install. The licenses are imported and activated.

Illustration 8.3 Binding a Dynamic License

6. You need to bind each license to a specific engine if your engine licenses are management bound (i.e., tied to the Management Server�s proof of license).

6.1 Right-click the license and select Bind. The Select License Binding dialog opens.

6.2 Select the correct engine from the list and click Select to bind the license to this element. The license is now bound to the selected element.

6.3 If you made a mistake, unbind the license by right-clicking it and selecting Unbind.

Caution � When you upload a policy on the engine, the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to in the Management Client. When unbound, such a license is shown as Retained.

7. Check the displayed license information, and that all the components you meant to license have disappeared from the Unlicensed Components folder.

8. You can leave the old licenses as they are, but if you so wish, you can remove them by right-clicking them and selecting Delete from the menu that opens.

If you are upgrading your system, proceed to Upgrading the Management Center.


Upgrading the Management CenterThis section provides an outline that should be sufficient in most cases. For more detailed instructions on how to upgrade the StoneGate Management Center, refer to the Management Center installation process described in Installing the Management Center, on page 23.There is no need to uninstall the previous version. The install shield will detect the components that need to be upgraded. When upgrading from an older version, you may need to do an intermediate upgrade before upgrading to the most recent version. See the Release Notes for more information.

Caution � We recommend that you backup the Management Server before upgrading it. You are also prompted during an upgrade process for making an automatic backup of the Management Server data. For more information on backing up StoneGate, refer to the online help.

Before you start the installation, stop the previously installed Management Center components running on the target machine.

# To upgrade StoneGate Management Center components1. Check that the StoneGate Management Server and Log Server processes or

services have stopped and that the Management Client is not running on the machine.

2. Insert the StoneGate installation CD-ROM and run the install executable. The License Agreement is shown.

3. Read and accept the License Agreement to continue with the installation.

Illustration 8.4 Defining the Installation Directory

Installation directory is detected automatically.


Illustration 8.5 Selecting the Components for Upgrade

4. When upgrading the Management Server, you are prompted for backing up the current Management Server data as a precaution. Select Yes to back up the Management Server data to the <installation directory>/backups/ directory.

Caution � If you are working on a Windows system and you run any StoneGate component as a service, make sure the Services window is closed before you complete the next step.

5. Check the pre-installation summary and click Install to continue. The upgrade begins.� If any system components change in the upgrade, you will be notified of the

changes at the end of the upgrade. Click the links in the notification to view the report(s) of system changes in your Web browser.

6. When the upgrade is complete, click Done to close the window. You may have to reboot before you can start the upgraded components.

If you have installed Web Start Management Clients, install a new Web Start package in the same way as the original installation was made, see Installing Management or Monitoring Clients Through Web Start, on page 43.The Management Center upgrade is complete. If you are installing new engine versions as well, proceed to Upgrading Engines Remotely or Upgrading Engines Locally, on page 162.

Upgrading Engines RemotelyStoneGate Firewall engines can be upgraded from the Management Server remotely. During a Firewall cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

All installed components must be upgraded at the same time. You can add more components, if you wish (in that case, see Installing the Management Center, on page 23 for installation instructions).


You can set up the Management Server to check periodically for engine upgrades on the Stonesoft website and to inform you of the engine upgrades. You can also configure that the engine upgrades are automatically downloaded. See the online help for more information.

Caution � If you are upgrading a Firewall cluster, all the nodes must be together online between upgrading individual nodes. Do not command another node offline before the upgraded node is back online.

Before upgrading, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 153.If you have not configured the engine upgrade files to be downloaded automatically, you must first import the engine upgrade file in the system. If the file is already in the system, proceed to Upgrading the Engine below.

# To manually import the upgrade file1. If you have not configured automatic remote upgrades for engines, select File

System→Tools→Import Engine Upgrades. The StoneGate Engine Upgrades File Browser dialog opens.

2. Select the engine upgrade (sg_engine_version_platform.zip file) from the installation CD-ROM and click Import. � The engine upgrade is imported to the <installation directory>/data/engineupgrades/ directory on your Management Server.

Upgrading the Engine

# To command a node offline for the upgrade

Illustration 8.6 Commanding Node Offline for Upgrade

If you want to activate the new version now (and not just transfer it), right-click the node you want to upgrade and select Commands→Go Offline from the menu that opens.


# To start the upgrade

Illustration 8.7 Starting Upgrade Process

# To select remote upgrade task options

Illustration 8.8 Remote Upgrade

Caution � Do not activate the new configuration simultaneously on all the nodes of a Firewall cluster. Activate the new configuration one node at a time.

When you have made the selections, click OK. The time it takes to upgrade your node varies depending on the performance of your machine and the network environment.

Right-click the node and select Upgrade Software from the menu that opens.

1. Select whether you want to just transfer the new software and activate it later, or whether you want to do both now.

2. Check the node selection and modify, if necessary.

3. Check the Engine Version for the upgrade and change it, if necessary.


Illustration 8.9 Task Progress

If you have set the upgrade to run in the background, you can follow its progress in the Running Tasks branch of the Tasks tree in the Configuration view.If you chose to activate the new configuration, once the engine is successfully upgraded, the machine is automatically rebooted and the upgraded engine is brought up to offline state.

# To finish the upgrade1. Click the Close button in the Task Progress dialog.2. Right-click the upgraded node and select Commands→Go Online to command

the node online.If you are upgrading a Firewall cluster, begin the upgrade on the next node only after the upgraded node is back online. StoneGate operates normally with two different versions of the engines online during the upgrade.Proceed to check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 39.

Upgrading Engines Local lyIn addition to upgrading the Firewall engines remotely from the Management Server, it is possible to upgrade the engines locally at the site as described in this section. During a Firewall cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

Caution � If you are upgrading a Firewall cluster, all the nodes must be together online between upgrading individual nodes. Do not command another node offline before the upgraded node is back online.

Proceed to Upgrading the Firewall Engine.

If you do not want to follow the upgrade process, select this checkbox and click Run in Background to receive a notification when the upgrade is finished.


Upgrading the Firewall EngineFollow the procedure below to upgrade StoneGate engines to the latest version locally at the engine location.

# To upgrade the firewall engine1. Log in to the node as root.2. Insert the StoneGate engine installation CD-ROM into the engine�s drive.

� For IBM System z firewall engine, see Chapter 6, Installing the Engine on the IBM zSeries on preparing for the installation.

3. There are two ways to upgrade the node:� Normal upgrade: type the command sg-upgrade to start the upgrade process.

Continue in Step 7.� Upgrade with configuration options: reboot the node from the CD-ROM with the

command reboot. The upgrade uses the installation wizard. Continue in Step 4.

Illustration 8.10 Upgrade Options

4. If the node is rebooted from the CD-ROM, choose one of these four options:� Upgrade existing installation: choose this option to upgrade the previous

installation to a new version. This option is recommended for most upgrades.� Re-install using configuration from existing installation: choose this option to

re-install the engine using the existing configuration files. Refer to the platform- specific engine installation chapter for instructions.

� Full re-install: choose this option to reinstall the engine completely by removing the engine�s current configuration. Refer to the platform-specific engine installation chapter for instructions.

� Full re-install in expert mode: choose this option to re-install the engine in expert mode by removing the engine�s current configuration. Refer to the platform-specific engine installation chapter for instructions.

� On IBM System z, a fifth option Rescue: revert to previous installation is displayed if the currently inactive StoneGate root partition contains an engine installation. This option can be used to roll back an unsuccessful engine upgrade by reactivating the partition which contains the previous engine installation. (On other platforms, the active partition can be selected during the boot process.)

5. Select 1 to upgrade the previous installation and press ENTER to continue. The upgrade process starts.

Upgrading Engines Locally 163

Illustration 8.11 Upgrading Engine

6. When the process is finished, remove the CD-ROM from the drive (if applicable) and press ENTER to reboot.

7. In the Management Client, right-click the upgraded node and select Go Online to command the node online. The node can also be put online with command sg-cluster online on the node.

8. If you are upgrading a Firewall cluster, start the upgrade on the next firewall node only after the upgraded node is brought online and operational. StoneGate can operate normally with two different versions of the firewall engines online during the upgrade.

Check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 39.

Changing IP AddressingThe following instructions explain how you can change IP addresses without losing management connectivity. When you change IP addressing, other connections between the different components may be temporarily lost. You must make sure that the connections return to normal after the IP address changes.

Note � If you do not mind losing management connectivity, you can change IP addressing by running the sg-reconfigure command on the engine command line to return the engine to the initial configuration state and to re-establish initial contact between the engine and the Management Server. See the online help for more information.

See the following sections:� Changing the Management Server�s IP Address, on page 164� Changing the Log Server�s IP Address, on page 165� Changing IP Addresses if the Management Server and the Log Server Run on the

Same Machine, on page 165

Changing the Management Server’s IP AddressThis section explains how to change the Management Server�s IP address if the Management Server and the Log Server are on different machines. If your Management Server and Log Server are on the same machine, see Changing IP


Addresses if the Management Server and the Log Server Run on the Same Machine, on page 165.

Note � If your firewall policies do not use the Default template, check that they allow all the necessary connections.

# To change the Management Server’s IP address1. Request an IP address change for your Management Server license at the

Stonesoft License center (see Upgrading or Generating Licenses, on page 154).2. For firewalls only: Edit your firewall policies and add Access rules (and possibly

NAT rules) that allow policy upload connections from the new Management Server IP address to the firewall.� The services needed for the communications between the different StoneGate

components are explained in StoneGate-Specific Ports, on page 193.3. Run the sgChangeMgtIPOnMgtSrv script on the Management Server (see

Command Line Tools, on page 179.4. Run the sgChangeMgtIPOnLogSrv script on all the Log Servers (see Command

Line Tools, on page 179).5. For firewalls only: Remove the rules that you created in Step 2. After running the

IP change scripts, the Alias elements in the inherited rules point to the right IP addresses, so the rules have become useless.

Changing the Log Server’s IP AddressWhen you change the Log Server�s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

# To change the Log Server’s IP address1. Request an IP address change for your Log Server license at the Stonesoft

License center (see Upgrading or Generating Licenses, on page 154).2. Open the <installation directory>/data/LogServerConfiguration.txt

file on the Log Server and update the IP address information.3. Open the Log Server properties and update the IP address.4. Refresh the policies on the engines to transfer the changed IP address

information to them.

Changing IP Addresses if the Management Server and the Log Server Run on the Same MachineThis section explains how to change the Management Server�s IP address if the Management Server and the Log Server are on the same machine. If your

Changing IP Addressing 165

Management Server and Log Server are on separate machines, see Changing the Management Server�s IP Address, on page 164.When you change the Log Server�s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

Note � If your firewall policies do not use the Default template, check that they allow all the necessary connections.

# To change IP Addresses if the Management Server and Log Server run on the same machine

1. Request an IP address change for your Management Server and Log Server licenses at the Stonesoft License center (see Upgrading or Generating Licenses, on page 154).

2. For firewalls only: Edit your firewall policies and Access rules (and possibly NAT rules) that allow policy upload connections from the new IP addresses to the firewall.� The services needed for the communications between the different StoneGate

components are explained in StoneGate-Specific Ports, on page 193.3. Run the sgChangeMgtIPOnMgtSrv script on the Management Server (see

Command Line Tools, on page 179).4. Run the sgChangeMgtIPOnLogSrv script on the Log Server (see Command Line

Tools, on page 179).5. Open the <installation directory>/data/LogServerConfiguration.txt

file on the Log Server and update the IP address information.6. Open the Log Server properties and update the IP address.7. For firewalls only: Remove the rules that you created in Step 2. After running the

IP change scripts, the Alias elements in the inherited rules point to the right IP addresses, so the rules have become useless.


CHAPTER 9 Uninstalling StoneGate

This chapter instructs how to uninstall the StoneGate software.


! Uninstalling the Management Center, on page 168! Uninstalling the Engines, on page 169

167

Uninstal l ing the Management CenterThe Management Client uses a �.stonegate� directory in the user�s home directory in the operating system. The directory contains the Management Client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

Uninstalling in WindowsIt is not possible to uninstall components one by one. If you have several Management Center components installed on the same computer, they are always all uninstalled.

# To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Go to Start→Settings→Control Panel→Add/Remove Programs or alternatively

run the SG_HOME\uninstall\uninstall.bat script.3. In the Add/Remove Programs window, select StoneGate from the list of currently

installed programs and click the Change/Remove button.

Illustration 9.1 Uninstall StoneGate Management Center

4. Click Next. The uninstallation begins.

# To uninstall in non-graphical mode1. Run the uninstall script

�SG_HOME\uninstall\uninstall.bat -nodisplay�.

Uninstalling in Linux or Solaris

# To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Run the SG_HOME/uninstall/uninstall.sh script.

168 Chapter 9: Uninstalling StoneGate

# To uninstall in non-graphical mode� Run the uninstall script

�. SG_HOME/uninstall/uninstall.sh -nodisplay�.The sgadmin account is deleted during the uninstallation.

Uninstal l ing the EnginesServers on which StoneGate Firewall engines are installed are dedicated to their task as a Firewall/VPN device. To remove StoneGate and transfer your server to other use, you must format the hard disk and install an operating system.

Caution � StoneGate appliances are designed to run only the StoneGate firewall software. Do not attempt to remove the firewall software or install any other software on the appliances. To clear an appliance, use the system restore options in the appliance�s boot menu.

Uninstalling the Engines 169

170 Chapter 9: Uninstalling StoneGate

Appendices

APPENDIX A Installation Worksheet

For planning the configuration of network interfaces for the StoneGate engine nodes, use the worksheet in Table A.1:� In Interface ID, write the Interface ID (and the VLAN ID, if VLAN tagging is used)� On the CVI line, write the Interface ID�s CVI information (if any) and on the NDI line,

write the interfaces NDI information (if any). Use multiple lines for a Interface ID if it has multiple CVIs/NDIs defined.

� For Mode, mark all the modes that apply for this Interface ID.� In IP Address and Netmask, define the CVI or NDI network address.� In MAC/IGMP IP Address, define the MAC address used, or if the interface is CVI

that uses Multicast with IGMP, define the multicast IP address used for generating automatically the multicast MAC address.

� In Comments, define for example a name of the connected network, or how the NDI addresses differ between the nodes, or a management interface�s contact address if different from the interface�s IP address.

Interface modes are explained below the table. These same character codes are displayed in the firewall element interface properties of the Management Client.

173

174 Appendix A: Installation Worksheet

TAB

LE

A.1

Sto

neG

ate

Fir

ewal

l Eng

ine

Inte

rfac

es

Inte

rfa

ce

IDTy

peM

odea

IP A

ddre

ssN

etm

ask

MA

C /

IGM

P I

P A

ddre

ssC

omm

ents

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

a.CV

I mod

es: U

=U

nica

st M

AC, M

=M

ultic

ast M

AC, I

=M

ultic

ast w

ith IG

MP,

K=

Pack

et D

ispat

ch, A

=In

terf

ace�s

IP a

ddre

ss u

sed

as th

e id

entit

y fo

r aut

hent

icatio

n re

ques

tsN

DI m

odes

: H=

Prim

ary

hear

tbea

t, h=

Back

up h

eartb

eat,

C=

Prim

ary

cont

rol I

P ad

dres

s, c=

Back

up c

ontro

l IP

addr

ess,

D=

Def

ault

IP a

ddre

ss fo

r out

goin

g co

nnec

tions


TAB

LE

A.1

Sto

neG

ate

Fir

ewal

l Eng

ine

Inte

rfac

es

Inte

rfa

ce

IDTy

peM

odea

IP A

ddre

ssN

etm

ask

MA

C /

IGM

P I

P A

ddre

ssC

omm

ents

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

a.CV

I mod

es: U

=U

nica

st M

AC, M

=M

ultic

ast M

AC, I

=M

ultic

ast w

ith IG

MP,

K=

Pack

et D

ispat

ch, A

=In

terf

ace�s

IP a

ddre

ss u

sed

as th

e id

entit

y fo

r aut

hent

icatio

n re

ques

tsN

DI m

odes

: H=

Prim

ary

hear

tbea

t, h=

Back

up h

eartb

eat,

C=

Prim

ary

cont

rol I

P ad

dres

s, c=

Back

up c

ontro

l IP

addr

ess,

D=

Def

ault

IP a

ddre

ss fo

r out

goin

g co

nnec

tions


APPENDIX B Command Line Tools

This appendix describes the command line tools for StoneGate Management Center and the engines.


! Management Center Commands, on page 180! Engine Commands, on page 187.

179

Management Center CommandsMost of the Management Server and Log Server commands are found in the <installation directory>/bin/ directory. In Windows, the command line tools are *.bat script files. In Linux and Unix, the files are *.sh scripts. The command for post-processing report files is in the <installation directory>/data/reports/bin/ directory. It runs the sgPostProcessReport.bat (in Windows) or .sh script (in Linux/Unix) on the Management Server.

Note � Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.

180 Appendix B: Command Line Tools

TABLE B.1 Management Center Command Line Tools

Command Description

sgArchiveExport i=INPUT_FILEpass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ -v ] [ -h ]

Displays or exports logs from the log archive files. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.i=INPUT_FILE parameter defines the source archive from which the logs will be exported.pass=PASSWORD parameter defines the password for the user account used for this export.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data for exporting. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data for exporting.format=[CSV|XML] parameter defines the file format for the output file. If this option is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this option is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this option is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this option is not defined, the output is displayed on screen.-h option displays information on using the script.-v option displays verbose output on the command execution.

sgBackupLogSrv

Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the backup using the sgRestoreLogBackup command. When creating or restoring the backup, twice the size of log database is required on the destination drive. Otherwise, the backup or restoration process fails.

Management Center Commands 181

sgBackupMgtSrv

Creates a backup of all Management Server configuration and database data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the entire backup (the Management Server database and/or configuration files) using the sgRestoreMgtBackup command. You can restore just the Management Server database using the sgRecoverMgtDatabase command.When creating or restoring the backup, twice the size of the Management Server database is required on the destination drive. Otherwise, the backup or restoration process fails.

sgCertifyLogSrvCertifies the Log Server on the Management Server. The certificate is required to allow secure communication between the Log Server and the Management Server.

sgCertifyMgtSrv

Recreates the Management Server�s certificate. The Management Server certificate is required for secure communications between the StoneGate system components, as well as for the VPN connections that use the certificate authentication.

sgCertifyMonitoringServerCertifies the Monitoring Server on the Management Server. The certificate is required to allow secure communication between the Monitoring Server and the Management Server.

sgChangeMgtIPOnLogSrv NEW_IP_ADDR

Changes the Management Server�s IP address on the Log Server. Use this command to configure a new Management Server�s IP address on the Log Server. Restart the Log Server after this command.NEW_IP_ADDR is the new Management Server�s IP address.

sgChangeMgtIPOnMgtSrv NEW_IP_ADDR

Changes the Management Server�s IP address. Use this command when you want to change the Management Server�s IP address to reflect changes made in the operating system. Restart the Management Server after this command. NEW_IP_ADDR is the new Management Server�s IP address

sgClient Starts the StoneGate Management Client.

sgCreateAdminCreates a superuser administrator account. The Management Server needs to be stopped before running this command.

TABLE B.1 Management Center Command Line Tools (Continued)

Command Description


sgExport [-host=host] -login=login name -password=password -file=file path and name -type= <all|nw|ips|sv|pa|rb|al>

[-recursion] [-name= <Element Name 1, Element Name 2, ...>]

Exports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.The type parameter specifies which types of elements are included in the export file: all=all exportable elements, nw=network elements, ips=IPS elements sv=services, pa=protocol agents, rb=security policies, al=alerts.The optional recursion parameter includes referenced elements in the export, for example, the network elements used in a policy that you export.The optional name parameter allows you to specify by name the element(s) that you want to export.

sgImport [host=host] login=login name password=password file=file path and name

Imports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.When importing, existing (non-default) elements are overwritten, unless the element types mismatch.


Command Description


sgImportExportUser [host=host] login=login name pass=password action=[import|export] file=file path and name

Imports and exports a list of Users and User Groups in an LDIF file from/to the Management Server�s internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).Host specifies the address of the host that holds or will hold the LDIF file. If no specific host address is given, the host where the script is executed is used for the operation.Example: sgImportExportUser login=ricky pass=abc123 action=export file=c:\temp\exportedusers.ldif

The user information in the export file is stored as plaintext. Handle the file securely.

sgInfo

Creates a ZIP file that contains copies of configuration files and the system trace files containing logs on problem situations. The ZIP file is stored in the user�s home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes.

sgReinitializeLogServerRecreates the Log Server configuration if the configuration file has been lost.

sgReplicate [-h|--help]

[-nodiskcheck]

[-backup backupname]

-standby-server management-name

Replicates Management Server backup to the Secondary Management Server.-h | --help options display the help message-backup backupname option specifies the location of the backup file. If this is not specified, you are prompted to select the backup file from a list of files found in the backups directory.-nodiskcheck option disables the free disk space check before the backup restoration.-standby-server management-name option specifies the Secondary Management Server on which the backup is replicated.


Command Description


sgRestoreArchive ARCHIVE_DIR

Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0 � 31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

sgRestoreCertificateRestores the Certificate Authority (CA) or the Management Server certificate from a backup file in the <installation directory>/backups/ directory.

sgRestoreLogBackupRestores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgRestoreMgtBackupRestores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgShowFingerPrintDisplays the CA certificate�s fingerprint on the Management Server.

sgStartLogDatabaseStarts the Log Server�s database. (The Log Server�s database is started and stopped automatically when starting/stopping the Log Server service.)

sgStartLogSrv Starts the Log Server and its database.

sgStartMgtDatabaseStarts the Management Server�s database. (The Management Server�s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStartMgtSrv Starts the Management Server and its database.

sgStartMonitoringServer Starts the Monitoring Server used by the Monitoring Client.

sgStopLogDatabase Stops the Log Server�s database.

sgStopMgtDatabaseStops the Management Server�s database. (The Management Server�s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStopMonitoringServer Stops the Monitoring Server used by the Monitoring Client.


Command Description


sgStopRemoteMgtSrv [-host HOST] [-port PORTNUM] [-login LOGINNAME] [-pass PASSWORD]

Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.HOST is the Management Server�s host name if not localhost.PORT is the Management Server�s Management Client port number (by default, 8902).LOGINNAME is a StoneGate administrator account for the login.PASSWORD is the password for the administrator account.

sgTextBrowser pass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ m=current|stored ] [ -v ] [ -h ]

Displays or exports current or stored logs. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.pass=PASSWORD parameter defines the password for the user account used for this operation.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data.format=[CSV|XML] parameter defines the file format for the output file. If this option is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this option is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this option is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this option is not defined, the output is displayed on screen.m=current|stored parameter defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.-h option displays information on using the script.-v option displays verbose output on the command execution.


Command Description


Engine CommandsStoneGate engine commands can be run from the command line on the firewall or sensor.

TABLE B.2 StoneGate-specific Command Line Tools on Engines

Command Engine Type Description

sg-blacklist [-i FILENAME] [-f FILENAME] [-v]show |

add [src ADDR/MASKLEN] [dst ADDR/MASKLEN][ proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT][dstport PORT[-PORT][duration NUM] |del [src ADDR/MASKLEN] [dst ADDR/MASKLEN][ proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT][dstport PORT[-PORT][duration NUM] |iddel NODE_ID ID |flush

firewall

Used to manage blacklisting on the engine command line if blacklisting is configured. You must enter one of the commands, as well as any parameters required by the command.-i option takes input to add/delete from a file.-f option only shows entries in one blacklist file.-v option enables verbose mode.show command shows the currently active blacklist entries.add command adds a new blacklist entry with the specified parameters.del command deletes a blacklist entry that contains the specified parameters.iddel NODE_ID ID command deletes a blacklist entry on the specified node number with the specified ID number.flush command clears all blacklist entries.src ADDR/MASKLEN parameter defines the source address to add or delete in the blacklist entry.dst ADDR/MASKLEN parameter defines the destination address to add or delete in the blacklist entry.proto {tcp|udp|icmp|NUM} parameter defines the protocol type and number to add or delete in the blacklist entry.srcport PORT[-PORT] parameter defines the TCP/UDP source port or range to add or delete in the blacklist entry.dstport PORT[-PORT] parameter defines the TCP/UDP destination port or range to add or delete in the blacklist entry.duration NUM parameter defines the duration of the blacklist entry in seconds.

Engine Commands 187

sg-bootconfig

[--primary-console=tty0|ttyS PORT,SPEED][--secondary-console= [tty0|ttyS PORT,SPEED]][--flavor=up|smp][--initrd=yes|no][--crashdump=yes|no|Y@X][--append=kernel options][--help]apply

analyzer, firewall, sensor

Can be used to edit boot command parameters for future bootups.--primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.--secondary-console= [tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.--flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.--initrd=yes|no parameter defines whether Ramdisk is enabled or disabled.--crashdump=yes|no|Y@X parameter defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.--append=kernel options parameter defines any other boot options to add to the configuration.--help parameter displays usage information.apply command applies the specified configuration options.

sg-clear-allanalyzer, firewall, sensor

Use this only if you want to return a StoneGate appliance to its factory settings.Clears all configuration from the engine. You must have a serial console connection to the engine to use this command.

TABLE B.2 StoneGate-specific Command Line Tools on Engines (Continued)



sg-cluster [status [-c SECONDS]][online][lock-online][offline][lock-offline][standby]

firewall

Used to display or change the status of the node.status [-c SECONDS] command displays cluster status. When -c SECONDS is used, status is shown continuously with the specified number of seconds between updates.online command sends the node online.lock-online command sends the node online and keeps it online even if another process tries to change its state.offline command sends the node offline.lock-offline command sends the node offline and keeps it offline even if another process tries to change its state.standby command sets an active node to standby.

sg-contact-mgmtfirewall, sensor

Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine�s initial configuration is saved.

sg-logger

-f FACILITY_NUMBER -t TYPE_NUMBER

[-e EVENT_NUMBER] [-i "INFO_STRING"][-s] [-h]

firewall

Can be used in scripts to create log messages with the specified properties.-f FACILITY_NUMBER parameter defines the facility for the log message.-t TYPE_NUMBER parameter defines the type for the log message.-e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).-i "INFO_STRING" parameter defines the information string for the log message.-s parameter dumps information on option numbers to stdout-h parameter displays usage information.



Engine Commands 189

sg-reconfigure

[--boot][--maybe-contact][--no-shutdown]


Used for reconfiguring the node manually.--boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.--maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.--no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

sg-selftest [-d] [-h] firewallRuns cryptography tests on the engine.-d option runs the tests in debug mode.-h option displays usage information.

sg-toggle-active SHA1 SIZE |--force [--debug]


Switches the engine to previous configuration and back. This change takes effect when you reboot the firewall engine.SHA1 SIZE option is used to verify signature of the inactive partition before changing it to active.--debug option reboots the engine with the debug kernel.--force option switches the active configuration without verifying.

sg-upgrade firewallUpgrades the node by rebooting from the installation CD-ROM. Alternatively, the node can be upgraded remotely using the Management Client.

sg-versionanalyzer, firewall, sensor

Displays the software version and build number for the node.




The table below lists some general operating system commands that may be useful in running your StoneGate engines. Some commands can be stopped by pressing Ctrl+c.

sginfo [-f] [-d] [-s] [-p] [--] [--help]


Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support.-f option forces sgInfo even if the configuration is encrypted.-d option includes core dumps in the sgInfo file.-s option includes slapcat output in the sgInfo file.-p option includes passwords in the sgInfo file (by default passwords are erased from the output).-- option creates the sgInfo file without displaying the progress--help option displays usage information.



TABLE B.3 General Command Line Tools on Engines

Command Description

dmesgShows system logs and other information. Use the -h option to see usage.

halt Shuts down the system.

ipDisplays IP-address related information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.

pingTool for sending ICMP echo packages to test connectivity. Type the command without options to see usage.

ps Reports status of running processes.

rebootReboots the system. Upon reboot, you enter a menu with startup options. For example, this menu allows you to return the engine to the previous configuration.

scp Secure copy. Type the command without options to see usage.

sftpSecure FTP (for transferring files securely). Type the command without options to see usage.

Engine Commands 191

sshSSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdumpGives information on network traffic. Use the -h option to see usage.

topDisplays the top CPU processes taking most processor time. Use the -h option to see usage.

tracerouteTraces the route packets take to the specified destination. Type the command without options to see usage.

vpninfoOutputs various VPN related information. Type the command without options to see usage.

TABLE B.3 General Command Line Tools on Engines (Continued)

Command Description


APPENDIX C StoneGate-Specific Ports

The following illustrations show the connections between the StoneGate components, as well as the ports that are used for gateway-to-gateway VPN and mobile VPN connections. The complete list of ports is presented in the table that follows.

Illustration C.1 Basic Communications Between StoneGate Components

193

Illustration C.2 Service Communications of Firewall/VPN Engine

The following table lists all the ports used in communication between various StoneGate Firewall/VPN components. The ports used by StoneGate IPS are detailed in StoneGate IPS Reference Guide.

TABLE C.1 StoneGate-Specific Ports

Listening Host Port/Protocol Contacting

Hosts Service DescriptionService Element

Short Name

DHCP server 67/UDPFW/VPN Engine

DHCP requests relayed by the firewall and requests from a firewall that uses dynamic IP address.

BOOTPS (UDP)

DNS server 53/TCPFW/VPN Engine

Optional dynamic DNS updates for inbound load sharing

DNS (TCP)

194 Appendix C: StoneGate-Specific Ports

DNS server 53/UDP

Management Client, Management Server, Log Server

DNS queries to resolve DNS names

DNS (UDP)

External LDAP server

389/TCPManagement Server, FW/VPN Engine

External LDAP queries. LDAP (TCP)

FW/VPN Engine

15000/TCPManagement Server, Analyzer

Blacklist entries sent to firewall SG Blacklisting

FW/VPN Engine

161/UDP SNMP server SNMP monitoring. SNMP (UDP)

FW/VPN Engine

2535/TCP VPN Client VPN Client configuration downloadSG VPN Client Configuration

FW/VPN Engine

2543/TCP Any User authentication (Telnet)SG User Authentication

FW/VPN Engine

2746/UDP VPN Client UDP encapsulated IPsecSG UDP Encapsulation

FW/VPN Engine

3000-3001/UDP3002-3003, 3010/TCP

FW/VPN Engine

Heartbeat and state synchronization between the cluster nodes.

SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync

FW/VPN Engine

4500/UDP VPN Client NAT-Traversal for VPN Client. NAT-T

FW/VPN Engine

4950/TCPManagement Server

Engine remote upgradeSG Remote Upgrade

FW/VPN Engine


Policy upload SG Commands

FW/VPN Engine

500/UDPVPN Client, external VPN gateway

Internet Key Exchange (IKE) for IPsec.

ISAKMP (UDP)

TABLE C.1 StoneGate-Specific Ports (Continued)



Short Name

195

FW/VPN Engine


StoneGate internal LDAPS replication.

LDAPS (TCP)

FW/VPN Engine

67/UDP Any DHCP relay on firewall engine. BOOTPS (UDP)

FW/VPN Engine

68/UDP DHCP server Replies to DHCP requests. BOOTPC (UDP)

FW/VPN Engine


Connectivity monitoring, status monitoring for old version engines

SG Monitoring

Log Server 3020/TCPFW/VPN Engine, Log Server

Log and alert messages, monitoring (status, statistics).

SG Log

Log Server8914-8918/TCP

Management Client, Monitoring Server

Management Client and Monitoring Server connections to the Log Server.

SG Data Browsing, SG Data Browsing (Monitoring Server)

Management Server

3021/TCPFW/VPN Engine

Engine's initial contact. SG Initial Contact

Management Server

3023/TCPFW/VPN Engine

Backup monitoring (status) connection.

SG Monitoring Backup

Management Server

5936/TCP Log Server Log Server's initial contact.SG Log Initial Contact

Management Server

8902-8913/TCP

Management Client, Log Server, Alert Server, Monitoring Server

Management Client, Log Server, Alert Server, and Monitoring Server connections to the Management Server.

SG Control

Management Server

8906/TCP

FW/VPN Engine with dynamic IP address

Management connection for engine with a dynamic IP address.

SG Dynamic Control




Short Name


Monitoring Agent on Server Pool members

7777/UDPFW/VPN Engine

If servers belonging to a Server Pool are configured with the Monitoring Agent, the engines will frequently poll the servers� Monitoring Agent on this port for availability and load information.

SG Server Pool Monitoring

Monitoring Server

8919-8921/TCP

Monitoring Client

Monitoring Client connection to Monitoring Server.

SG Control (Monitoring Client)

Primary Management Server

8903, 8907/TCP

Secondary Management Server

Management database replication to the secondary Management Server.

SG Control

RADIUS server

1812, 1645/UDP

FW/VPN Engine

RADIUS authentication requests.RADIUS (Authentication), RADIUS (Old)

RPC server111/UDP, 111/TCP

FW/VPN Engine

RPC number resolve.SUNRPC (UDP), Sun RPC (TCP)

Secondary Management Server

8902, 8905, 8913/TCP

Primary Management Server

Management database replication to the secondary Management Server.

SG Control

SNMP Server 162/UDPFW/VPN Engine

SNMP traps from the engine. SNMP Trap (UDP)

Stonesoft Server


Queries availability of new dynamic update packages and engine upgrades.

HTTPS

TACACS+ server

49/TCPFW/VPN Engine

TACACS+ authentication requests. TACACS (TCP)

VPN Client 2535/TCPFW/VPN Engine

Configuration downloadSG VPN Client Configuration

VPN Client 2543/TCPFW/VPN Engine

User authenticationSG User Authentication

VPN Client 2746/UDPFW/VPN Engine

UDP encapsulationSG UDP Encapsulation




Short Name

197

VPN Client 500/UDPFW/VPN Engine

Internet Key Exchange (IKE) for IPsec

ISAKMP (UDP)




Short Name


APPENDIX D Example Network Scenario

To give you a better understanding of how StoneGate fits into a network, this section outlines a network with two firewalls: a single firewall at a branch office and a firewall cluster at headquarters.


! Overview of the Example Network, on page 200! Example Management Center, on page 201! Example Single Firewall, on page 202! Example Firewall Cluster, on page 202

199

Overview of the Example NetworkThe illustration below shows you the whole example network. The different components of this configuration are explained in detail in the sections that follow.

Illustration D.1 The Example Network Scenario

200 Appendix D: Example Network Scenario

Example Management CenterThe Management Center in the example scenario is distributed across three networks: the Management Server and the HQ Log Server are at the headquarters site, the Branch Office Log Server is at the Branch office site and the Monitoring Server is placed in a DMZ so that access to the management network can be kept as limited as possible.

TABLE D.1 Management Center in the Example Network Scenario

Management Center

ComponentDescription

Management Server

This Management Server manages all the StoneGate firewalls and Log Servers of the example network.The Management Server in the Headquarters� Management Network with the IP address 192.168.10.200.

HQ Log ServerThis Log Server receives log data from the HQ firewall.The server is located in the Headquarters� Management Network with the IP address 192.168.10.201.

Branch Office Log Server

This Log Server receives log data from the Branch Office firewall.The server is located in the Branch Office Intranet with the IP address 172.16.2.201.

Monitoring Server

The Monitoring Server provides limited access to logs for administrators who need no other functions of the Management System.The Monitoring Server is located in DMZ 3 network with address 192.168.3.230.

Management Client

The Management Client can be at any location where it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple Management Clients in different locations. In this example, the Management Client is located on the Management Server and in the Headquarters intranet.

Example Management Center 201

Example Single FirewallIn the example network scenario, Branch Office Firewall is a single firewall located in the Branch Office network.

Example Firewall ClusterIn the example network scenario, Headquarters Cluster is located in the Headquarters network. The cluster consists of two cluster nodes: Node1 and Node2.

TABLE D.2 Single Firewall in the Example Network Scenario

Network Description

External network

The Branch Office site is connected to the Internet through this link.

IP address: 212.20.2.254.

Next hop router: 212.20.2.1.

Internal networkThe Branch Office has one internal network.

IP address: 172.16.2.1.

Leased Line

In addition to the Internet connection, the example organization has a leased line between the Headquarters and the Branch Office site.

IP address: 192.168.40.254


TABLE D.3 Firewall Cluster in the Example Network Scenario

Network Description

Heartbeat network

The heartbeat and cluster synchronization goes through the heartbeat network.

CVI: no CVI defined.

NDI: 10.42.1.1 (Node1) and 10.42.1.2 (Node2).

Management network

The management network interface is used for the control connections from the Management Server and for connecting to the HQ Log Server, the Authentication Server and the External LDAP server.

CVI: 192.168.10.1.

NDI: 192.168.10.21 (Node1) and 192.168.10.22 (Node2).


ISP A external network

This is one of the two Internet connections from the Headquarters site. It is provided by ISP A.

CVI: 212.20.1.254.

NDI: 212.20.1.21 (Node1) and 212.20.1.22 (Node2).


ISP B external network

This is the other of the two Internet connections from the Headquarters site. It is provided by ISP B.

CVI: 129.40.1.254.

NDI: 129.40.1.21 (Node1) and 129.40.1.22 (Node2).


Leased Line

In addition to the two Internet connections, the example organization has a leased line between the Headquarters and the Branch Office site. The physical network interface card connected to ISP B external network is also connected to the HQ Leased Line.

CVI: 192.168.30.254.

NDI: 192.168.30.21 (Node1) and 192.168.30.22 (Node2).


HQ intranet

This VLAN (VLAN ID 16) is connected to the same network interface on the firewall with the HQ Accounting VLAN.

CVI: 172.16.1.1.

NDI: 172.16.1.21 (Node1) and 172.16.1.22 (Node2).

HQ Accounting network

This VLAN (VLAN ID 17) is connected to the same network interface on the firewall with the HQ Intranet VLAN.

CVI: 172.17.1.1.

NDI: 172.17.1.21 (Node1) and 172.17.1.22 (Node2).

DMZ 1 network

This is the Headquarters� DMZ 1 network for the publicly available servers.

CVI: 192.168.1.1.

NDI: 192.168.1.21 (Node1) and 192.168.1.22 (Node2).

DMZ 2 network


CVI: 192.168.2.1.

NDI: 192.168.2.21 (Node1) and 192.168.2.22 (Node2).

TABLE D.3 Firewall Cluster in the Example Network Scenario (Continued)

Network Description

Example Firewall Cluster 203

DMZ 3 network


CVI: 192.168.3.1.

NDI: 192.168.3.21 (Node1) and 192.168.3.22 (Node2).

DMZ 4 network


CVI: 192.168.4.1.

NDI: 192.168.4.21 (Node1) and 192.168.4.22 (Node2).

TABLE D.3 Firewall Cluster in the Example Network Scenario (Continued)

Network Description


Legal Information

LicensesStonesoft products are sold pursuant to their relevant End-User License Agreements. By installing or otherwise using Stonesoft products in any way, end-users agree to be bound by such agreement(s). See Stonesoft's website, www.stonesoft.com for further details.If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (�DoD�), the Software is subject to �Restricted Rights�, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (�DFAR�) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government�s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (�FAR�). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export RestrictionsThe products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

Licenses 205

http://www.stonesoft.com/

Patent NoticeMulti-Link, Multi-Link VPN, and the StoneGate clustering technology�as well as other technologies included in StoneGate�are protected by pending patent applications in the U.S. and other countries.

End-User Licence AgreementSTONEGATE TM END USER LICENSE AGREEMENT 2-2006This End User License Agreement (the �Agreement�) is an agreement between the legal entity using the Stonesoft StoneGate Software and, if applicable, StoneGate Hardware on which such Software was installed, including all individuals using the Software on behalf of the legal entity (�Licensee�) and Stonesoft Corp., a corporation organized under the laws of Finland (�Stonesoft�) with its principal place of business at Itälahdenkatu 22 A, Helsinki FIN-00210, Finland.PLEASE READ CAREFULLY THE TERMS OF THIS AGREEMENT PRIOR TO FIRST USE OF YOUR STONEGATE APPLIANCE OR SOFTWARE. BY USING ANY PART OF THE STONESOFT PRODUCT OR COPYING THE STONESOFT SOFTWARE IN ANY WAY, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS YOU MAY NOT USE THE SOFTWARE. IN THIS CASE YOU ARE ENTITLED, PRIOR TO THE FIRST USE OF THE SOFTWARE, TO RETURN YOUR STONEGATE APPLIANCE OR SOFTWARE TO THE PLACE OF PURCHASE FOR A FULL REFUND.Definitions�Appliance� means the Hardware together with the installed Software.�Channel Partner� means distributors and resellers authorized by Stonesoft or its distributors to sell the StoneGate Product.�Hardware� means the Stonesoft StoneGate hardware on which the Software operates, which is delivered to Licensee with the Software pre-installed if Licensee has purchased a StoneGate Appliance.�License File� means the file, which enables the Product to operate. This file can be generated by Licensee from Stonesoft�s website at www.stonesoft.com, by using the Proof of License, which is provided to Licensee along with the Product.�Product� means the StoneGate product(s) delivered under this Agreement, consisting of the Software, any tools, documentation, or associated materials that may accompany such delivery and, if applicable, the Hardware.�Proof of License� means the code provided by Stonesoft to Licensee, along with the Product, for the License File creation.�Software� means the object code copy of the StoneGate Firewall and VPN software solution developed by Stonesoft and all third party software that Stonesoft may license from third parties and deliver to the Licensee as part of the Software, as well as all related manuals and other documentation and any future upgrades provided by Stonesoft or its Channel Partner under this Agreement or any related maintenance agreement. Specifically excluded from this definition, are all software components licensed under the terms of the GNU General Public License or the GNU Lesser General Public License, as published by the Free Software Foundation (for example, software components relating to the Linux operating system kernel). Such components are distributed to you solely under the terms of those respective licenses, copies of which you have received along with the Software.1. grant of License1.1 Subject to the terms and conditions of this Agreement, and subject to the payment of the agreed purchase price of the Product, Licensee is granted a non-exclusive, non-transferable, non-assignable license for one (1) installation of the Software, and any upgrades thereto, only for the use and configuration specified in the License File. If Hardware is delivered, Licensee is entitled to use the Software only on the Hardware on which it was pre-installed and only in accordance with the relevant end user documentation provided by Stonesoft or its Channel Partner.1.2 In the event of a warranty replacement, Licensee may use the License File on a replacement Product. In such case, the terms of this Agreement shall apply to the use of the Software on the replacement Product.1.3 Licensee may use the Products only in its own internal business operations. Licensee will not (i) allow others or develop methods for others to use the Products, (ii) rent the Products, (iii) use the Products for providing services to third parties or (iv) make the Products available on a time-sharing basis without a prior written consent of Stonesoft.1.4 Licensee may make a reasonable number of back-up copies of the Software and any future upgrades. Licensee will reproduce all confidentiality and proprietary notices on each of these copies. Licensee may not (or permit others to) otherwise copy, reproduce, transfer, assign, sub-license, distribute, translate, modify, adapt, decompile, decipher, disassemble or reverse engineer the Software except to the extent expressly authorized by law.1.5 Should Licensee purchase only Software to be used together with other hardware than specified in this agreement, Licensee may use Software only for the number of IP addresses (actual number of IP addresses on the trusted side of the firewall calculated without any technology changing or hiding the IP address information) specified in the sales agreement or in License file.

206 Legal Information

1.6 This Subsection 1.6 shall apply if Licensee is licensing the Product for evaluation purposes:1.6.1 The evaluation license is valid for a single period of thirty (30) days from the delivery of the Product (�Evaluation Period�), and is designed to allow Licensee to evaluate a single copy of the Product in a single computer during such period. Licensee may use the evaluation licenses only for the purposes of internal evaluation and testing and not in a production environment.1.6.2 In the event that Licensee wishes to enter into a longer-term license agreement with Stonesoft that extends after the end of the Evaluation Period, Licensee may request a License File from Stonesoft which, if provided to Licensee, will allow Licensee to use the Product after such Evaluation Period, but only subject to all of the terms and conditions of this Agreement. In the event that Licensee determines not to enter into a licensing transaction with Stonesoft at the end of the Evaluation Period, or in the event that Stonesoft advises Licensee that no End User license will be granted, then Licensee�s rights under this Agreement shall terminate and Licensee shall promptly return to Stonesoft or destroy all copies of the Product, and so certify to Stonesoft. The evaluation license shall expire automatically in the event of any breach of its terms by Licensee.1.6.3 The evaluation license is valid and may be used for one (1) Evaluation Period only. In case the evaluation license is used beyond the Evaluation Period without a prior written approval by Stonesoft, Licensee shall be deemed to have acquired a StoneGate End User License and in connection therewith becomes liable for paying the then-current License Fee.1.6.4 Notwithstanding any provision herein to the contrary, evaluation licenses are granted on an �as-is� basis and Stonesoft makes no warranties of design, merchantability, fitness for a particular purpose or otherwise for such license and in no event shall Stonesoft be liable for any direct, special, indirect, incidental or consequential damages related the use of the Products during the Evaluation Period, even if Stonesoft has been advised of or otherwise has reason to know of the possibility of such damages. 2. Software Maintenance and Support2.1 Stonesoft provides support and maintenance and future upgrades for the Software only under a separate Support and Maintenance Agreement for so long as these services are generally available.3. Intellectual Property RIGHTS3.1 Title to the Software and all patents, copyrights, trade secrets and other proprietary rights in or related thereto are and will remain the exclusive property of Stonesoft and its licensors and subcontractors, whether or not specifically recognized or perfected under the laws of the country where the Software is used or located. Licensee will not take any action that jeopardizes such proprietary rights or acquire any right in the Software, except the limited license specified in this Agreement. Stonesoft and its licensors will own all rights in any copy, translation, modification, adaptation or derivation of the Software, including any improvement or development thereof.4. Term And Termination4.1 This Agreement is effective until terminated. Stonesoft may terminate this Agreement with immediate effect at any time upon Licensee�s breach of any of the provisions hereof. Upon termination of this Agreement, Licensee agrees to cease all use of the Products and to return to Stonesoft or destroy each copy of the Software and all documentation and related materials in Licensee�s possession, and so certify to Stonesoft. Except for the license granted herein and as expressly provided herein, the terms of this Agreement shall survive termination.5. Indemnification5.1 If notified promptly in writing of any action (and provided that Stonesoft has been promptly notified of all prior claims relating to such action) brought against Licensee based on a claim that the unaltered Software supplied by Stonesoft to Licensee under this Agreement infringes a patent or copyright, Stonesoft shall defend such action at its expense and pay any costs or damages finally awarded in such action which are attributable to such claim, provided that Stonesoft shall have sole control of the defense of any such action and all negotiations for its settlement or compromise.5.2 If a final injunction is obtained against Licensee�s use of the Software by reason of infringement of a patent or copyright, or if in Stonesoft�s opinion any of the Software supplied to Licensee hereunder is likely to become the subject of a successful claim of infringement of a patent or copyright, Stonesoft shall, at its option and expense, either procure for Licensee the right to continue using such Software or replace or modify the same so that it becomes non-infringing or, at Stonesoft�s election, terminate this Agreement and provide Licensee a prorated refund (depreciated on a straight-line 3 year basis) for the Product and accept its return.5.3 Notwithstanding the foregoing, Stonesoft or its suppliers shall not have any liability to Licensee under this Section if the infringement or claim is based upon (a) the use of the Software in combination with other equipment or software which is not furnished by Stonesoft (if such claim would have been avoided were it not for such combination), (b) Software which has been modified or altered by Licensee or (c) intellectual property rights owned Licensee or any of their respective affiliates. No cost or expenses shall be incurred for the account of Stonesoft without the prior written consent of Stonesoft.5.4 THE FOREGOING STATES THE ENTIRE LIABILITY OF STONESOFT WITH RESPECT TO INFRINGEMENT OF PATENTS OR COPYRIGHTS BY THE SOFTWARE OR ANY PART THEREOF.6. Software Warranty AND Warranty Disclaimers6.1 Stonesoft warrants that, for the warranty period of ninety (90) days from the date Licensee receives the original License File, the Software will substantially conform to its specifications.

End-User Licence Agreement 207

6.2 Stonesoft�s or its suppliers or its Channel Partners� entire liability and Licensee�s exclusive remedy, with respect to the Software, shall be at Stonesoft�s option to either, (i) replace the Software; (ii) correct the defect through updates and/or upgrades; or (iii) if prompt correction of the error or replacement of the Software is not reasonably feasible, refund to Licensee of the purchase price paid for the Product upon return of the Product to Stonesoft by Licensee, in which case the license for the Software shall terminate.6.3 This limited warranty is void if the defect has resulted from accident, abuse, or misapplication or any other use not consistent with the terms and conditions of this Agreement.6.4 The Products are not designed, manufactured or intended for use in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Product could lead directly to death, personal injury, or severe physical or property damage or environmental damage (collectively, �High Risk Activities�). Stonesoft and its Channel Partners expressly disclaim any express or implied warranty of fitness for High Risk Activities.6.5 EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN THIS SECTION, THE SOFTWARE IS PROVIDED ON AN �AS IS� BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. STONESOFT DOES NOT WARRANT THAT THE SOFTWARE WILL MEET THE LICENSEE�S REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, STONESOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied warranty may last, so the above limitations may not apply to Licensee.6.6 Warranties for any Hardware delivered to Licensee are found in the applicable Stonesoft Hardware Warranty delivered with such Hardware, if applicable. No warranty to any Stonesoft or other Hardware is provided under this Agreement.7. LIMITATION OF LIABILITY7.1 IN NO EVENT, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL STONESOFT OR ITS SUPPLIERS BE LIABLE TOWARDS LICENSEE OR ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, COSTS, LOSS OR EXPENSE, (INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOSS OR INTERRUPTION OF USE, LOSS OF DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR TECHNOLOGY) ARISING OUT OF THE SUBJECT MATTER OF THIS AGREEMENT IRRESPECTIVE OF WHETHER STONESOFT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to Licensee.7.2 UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL STONESOFT OR ITS SUPPLIERS BE LIABLE FOR DAMAGES IN EXCESS OF THE PURCHASE PRICE OF THE RELEVANT PRODUCT.8. CONFIDENTIALITY8.1 Licensee acknowledges and agrees that the Products incorporates confidential and proprietary information developed or acquired by Stonesoft including but is not limited to technical or non-technical data, formulas, patterns, compilations, devices, methods, techniques, drawings and processes related with the Software.8.2 Licensee may use confidential information solely in accordance with this Agreement and will take all reasonable precautions necessary to safeguard the confidentiality of such information. Licensee will hold in confidence and not disclose, reproduce, distribute or transmit, directly or indirectly, in any form, by any means, or for any purpose the confidential information except to those of its employees, agents, consultants or subcontractors who require access for Licensee�s authorized use of the Products in accordance with the terms of this Agreement. Licensee will not allow the removal or defacement of any confidentiality or proprietary notice placed on the Products or the related material.8.3 Licensee shall not be restricted under this section 8 (Confidentiality) regarding information that Licensee affirmatively establishes that (i) has or becomes generally available to the public other than as a result of an act or omission of Licensee or any of its employees, agents, subcontractors or consultants (ii) was in the possession of Licensee before receiving the information or material related with the Products (iii) is independently developed by Licensee, or (iv) is required to be disclosed by law, court order or other legal process, provided that Licensee shall first provide Stonesoft with prompt notice thereof.9. EXPORT CONTROLS9.1 Licensee agrees that the Products will not be shipped, transferred, or exported into any country or used in any manner prohibited by any applicable law.9.2 Licensee is specifically advised and acknowledges that exports of the Products are subject to compliance with the export control regulations under the laws of Finland and/or the European Council (EC), as promulgated from time to time by the relevant authorities. The Products shall not be exported or re-exported, directly or indirectly, (i) without all export or re-export licenses and Finnish or other governmental approvals required by any applicable laws, or (ii) in violation of any applicable prohibition against the export or re-export of any part of the Products.9.3 In addition, Licensee acknowledges and understands that upon entry into the United States, Stonesoft Products may become subject to U.S. export control laws and regulations. Licensee agrees to comply with all such applicable laws and regulations and acknowledges that it has the responsibility to obtain license to export, re-export, or import said products.


10. EQUITABLE RELIEF10.1 Licensee acknowledges that (i) any use or threatened use of the Software in a manner inconsistent with this Agreement, or (ii) any other misuse of the confidential information of Stonesoft will cause immediate irreparable harm to Stonesoft for which there is no adequate remedy at law. Accordingly, Licensee agrees that Stonesoft shall be entitled to immediate and permanent injunctive relief from a court of competent jurisdiction in the event of any such breach or threatened breach by Licensee. The parties agree and stipulate that Stonesoft shall be entitled to such injunctive relief without posting a bond or other security; provided however that if the posting of a bond is a prerequisite to obtaining injunctive relief, then a bond in the amount of $1000 shall be sufficient. Nothing contained herein shall limit Stonesoft�s right to any remedies at law, including the recovery of damages from Licensee for breach of this Agreement.11. Government Restricted Rights11.1 If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, Licensee will receive no greater than Restricted Rights (as defined in FAR 52.227-14, FAR 52.227-19(c)(1-2) or DFAR 252.227-7013(c)(1)(ii), DFAR 252.221-7015(c), DFAR 252.227-7014 or DFAR 252.227-7018 as applicable). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.12. GeneraL12.1 The terms of this Agreement may not be modified except by a written agreement issued by a duly authorized representative of Stonesoft.12.2 Licensee agrees to comply with all applicable data protection and other local laws that apply to licensee�s use of the Product, including but not limited to EU Directive 94/46/EC, and Licensee agrees to fully indemnify Stonesoft against any failure of Licensee to so comply with such local laws.12.3 This Agreement is governed by the laws of Finland, without giving effect to the conflict of law principles thereof. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. All disputes arising under or relating to this Agreement shall be resolved exclusively in the appropriate Finnish court sitting in Helsinki, Finland.12.4 This Agreement sets forth all rights for the Licensee of the Products and is the entire agreement between the parties. These terms supersede any other communications with respect to the license of the Software or use of the Products. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Stonesoft or a duly authorized representative of Stonesoft. If any provision of these terms is held invalid, the remainder of these terms shall continue in full force and effect.

Software Licensing InformationThe StoneGate software includes several open source or third-party software packages to support certain features. This section provides the appropriate software licensing information for those products.

GNU General Public LicenseVersion 2, June 1991Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Software Licensing Information 209

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.The precise terms and conditions for copying, distribution and modification follow.GNU GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may

be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided

that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)


The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE

EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO


YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New ProgramsIf you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.>Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail.If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of authorGnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program�Gnomovision� (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of ViceThis General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

GNU LESSER GENERAL PUBLIC LICENSEVersion 2.1, February 1999Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.


To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.GNU LESSER GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of


warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:a) The modified work must itself be a software library.b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.This option is useful when you wish to copy part of the code of the Library into a program that is not a library.4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work


under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.


This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OROTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFYAND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New LibrariesIf you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.<one line to give the library's name and a brief idea of what it does.>Copyright (C) <year> <name of author>This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names:Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker.<signature of Ty Coon>, 1 April 1990Ty Coon, President of ViceThat's all there is to it!

OpenSSL ToolkitThis software includes the OpenSSL toolkit.LICENSE ISSUES==============


The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected] License---------------Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgment:�This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.(http://www.openssl.org/)�The names �OpenSSL Toolkit� and �OpenSSL Project� must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected] derived from this software may not be called �OpenSSL� nor may �OpenSSL� appear in their names without prior written permission of the OpenSSL Project.Redistributions of any form whatsoever must retain the following acknowledgment: �This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)�THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT �AS IS� AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes cryptographic software written by Eric Young, ([email protected]). This product includes software written by Tim Hudson ([email protected]).Original SSLeay License-----------------------Copyright (C) 1995-1998 Eric Young ([email protected]). All rights reserved.This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape�s SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgement: �This product includes cryptographic software written by Eric Young ([email protected])� The word �cryptographic� can be left out if the rouines from the library being used are not cryptographic related:-).If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: �This product includes software written by Tim Hudson ([email protected])�THIS SOFTWARE IS PROVIDED BY ERIC YOUNG �AS IS� AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]


OpenLDAPThis software includes the OpenLDAP client developed by The OpenLDAPFoundation. Original version of the OpenLDAP client can be downloaded from http://www.openldap.org This software includes the OpenLDAP server. The OpenLDAP Public License Version 2.7, 7 September 2001Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain copyright statements and notices,2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and3. Redistributions must contain a verbatim copy of this document.The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use the Software under terms of this license revision or under the terms of any subsequent revision of the license.THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS �AS IS� AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.OpenLDAP is a trademark of the OpenLDAP Foundation.Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distributed verbatim copies of this document is granted.

libradius1This software includes the libradius1 package.Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <[email protected]>Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copy ight and permission notice appear on all copies and supporting documentation, the name of Lars Fenneberg not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Lars Fenneberg.Lars Fenneberg makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------Copyright 1992 Livingston Enterprises, Inc.Livingston Enterprises, Inc. 6920 Koll Center Parkway Pleasanton, CA 94566Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Livingston Enterprises, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc.Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------[C] The Regents of the University of Michigan and Merit Network, Inc. 1992, 1993, 1994, 1995 All Rights Reserved.Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies of the software and derivative works or modified versions thereof, and that both the copyright notice and this permission and disclaimer notice appear in supporting documentation.THIS SOFTWARE IS PROVIDED �AS IS� WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the University of Michigan and Merit Network, Inc. shall not be liable for any special, indirect, incidental or consequential damages with respect to any claim by Licensee or any third party arising from use of the software.------------------------------------------------------------------------------Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.


License to copy and use this software is granted provided that it is identified as the �RSA Data Security, Inc. MD5 Message-Digest Algorithm� in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as �derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm� in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided �as is� without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.

TACACS+ ClientThis software contains TACACS+ client.Copyright (c) 1995-1998 by Cisco systems, Inc.Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies of the software and supporting documentation, the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that modification, copying and distribution is by permission of Cisco Systems, Inc.Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED �AS IS� AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithmCopyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.License to copy and use this software is granted provided that it is identified as the �RSA Data Security, Inc. MD5 Message-Digest Algorithm� in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as �derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm� in all material mentioning or referencing the derived work.RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided �as is� without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.

libwwwThis software contains libwww software.Copyright © 1995-1998 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.This program is distributed under the W3C's Intellectual Property License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See W3C License http://www.w3.org/Consortium/Legal/ for more details.------------------------------------------------------------------------------Copyright © 1995 CERN. "This product includes computer software created and made available by CERN. This acknowledgment shall be mentioned in full in any product which includes the CERN computer software included herein or parts thereof."

W3C® SOFTWARE NOTICE AND LICENSEhttp://www.w3.org/Consortium/Legal/2002/copyright-software-20021231This work (and included software, documentation such as READMEs, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions.Permission to copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications: 1. The full text of this NOTICE in a location viewable to users of the redistributed or derivative work. 2. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, the W3C Software Short Notice should be included (hypertext is preferred, text is permitted) within the body of any redistributed or derivative code. 3. Notice of any changes or modifications to the files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.


COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.____________________________________This formulation of W3C's notice and license became active on December 31 2002. This version removes the copyright ownership notice such that this license can be used with materials other than those owned by the W3C, reflects that ERCIM is now a host of the W3C, includes references to this specific dated version of the license, and removes the ambiguous grant of "use". Otherwise, this version is the same as the previous version and is written so as to preserve the Free Software Foundation's assessment of GPL compatibility and OSI's certification under the Open Source Definition. Please see our Copyright FAQ for common questions about using materials from our site, including specific terms and conditions for packages like libwww, Amaya, and Jigsaw. Other questions about this notice can be directed to [email protected] Reagle <[email protected]>Last revised by Reagle $Date: 2003/01/16 15:01:10 $Last revised by Reagle $Date: 2003/01/16 15:01:10 $

XML-RPC C Library LicenseThis software contains software covered by the XML-RPC C Library License.Copyright (C) 2001 by First Peer, Inc. All rights reserved.Copyright (C) 2001 by Eric Kidd. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Expat LicenseThis software contains software covered by the Expat License.Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center LtdPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ABYSS Web Server LicenseThis software contains software covered by the ABYSS Web Server LicenseCopyright (C) 2000 by Moez Mahfoudh <[email protected]>. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Python 1.5.2 LicenseThis software contains software covered by the Python 1.5.2 License.Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum, Amsterdam, The Netherlands.All Rights ReservedPermission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of Stichting Mathematisch Centrum or CWI or Corporation for National Research Initiatives or CNRI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.While CWI is the initial source for this software, a modified version is made available by the Corporation for National Research Initiatives (CNRI) at the Internet address ftp://ftp.python.org.STICHTING MATHEMATISCH CENTRUM AND CNRI DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM OR CNRI BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The Apache Software License, Version 1.1This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."Copyright (C) 1999 The Apache Software Foundation. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.4. The names "log4j" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. Products derived from this software may not be called �Apache�, nor may �Apache� appear in their name, without prior written permission of the Apache Software Foundation.THIS SOFTWARE IS PROVIDED `ÀS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Bouncy Castle notice and license.Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify,


merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED �AS IS�, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Package: discover-dataDebian package author: Branden RobinsonThe contents of this package that are not in the debian/ subdirectory are simple compilations of data and are therefore not copyrightable in the United States (c.f. _Feist Publications, Inc., v. Rural Telephone Service Company, Inc., 499 U.S. 340 (1991)_)._Feist_ holds that: Article I, s 8, cl. 8, of the Constitution mandates originality as a prerequisite for copyright protection. The constitutional requirement necessitates independent creation plus a modicum of creativity. Since facts do not owe their origin to an act of authorship, they are not original and, thus, are not copyrightable. Although a compilation of facts may possess the requisite originality because the author typically chooses which facts to include, in what order to place them, and how to arrange the data so that readers may use them effectively, copyright protection extends only to those components of the work that are original to the author, not to the facts themselves. This fact/expression dichotomy severely limits the scope of protection in fact-based works. Therefore, the hardware information lists that comprise the "meat" of this package enjoy no copyright protection and are thus in the public domain. Note, however, that a number of trademarks may be referenced in the hardware lists (names of vendors and products). Their usage does not imply a challenge to any such status, and all trademarks, service marks, etc. are the property of their respective owners.The remainder of this package is copyrighted and licensed as follows: Package infrastructure: Copyright 2001,2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Branden Robinson for Progeny Linux Systems, Inc.lst2xml conversion script: Copyright 2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Eric Gillespie, John R. Daily, and Josh Bressers for Progeny Linux Systems, Inc.Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Copyright (c) 1999, 2004 Tanuki SoftwarePermission is hereby granted, free of charge, to any person obtaining a copy of the Java Service Wrapper and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons towhom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Portions of the Software have been derived from source code developed by Silver Egg Technology under the following license:Copyright (c) 2001 Silver Egg TechnologyPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:


The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.



Index

A

administration client, see management cli-ent

advanced configuration and power interface (ACPI), 84

automatic power management (APM), 84

B

BIOS settings, 84

C

certificate authoritychecking fingerprint, 34, 39

changing IP addressing, 164�166checking file integrity, 16�17, 153checksum, 153checksums, 16�17cluster virtual interface, see CVIcommand line installation

see non-graphical installationcommand line tools, 179commands

engine, 187log server, 180management server, 180

compatibility with different platforms, 16

configuringengine on IBM zSeries, 103engine on Intel or compatible, 85

contact addressfirewall engine, 73log server, 77management server, 76

contact information, 12CTC device

configuring, 106customer support, 12CVI, 18

defining mode for, 62CVIs

interface modes, 18

D

database user account, 28date and time settings, 16defining

firewall cluster, 57single firewall, 50

deployment example, 199documentation available, 11dynamic updates, 39

E

end-user license agreement, 205

225

example network scenario, 15, 199

F

file integrity, 16�17, 153fingerprint of certificates, 34, 39, 185firewall

contact address, 73defining cluster, 57defining single, 50engine commands, 147�148firewall cluster interfaces, 18

G

generating licenses, 154�155, 156�157GUI client, see management client

H

hardware requirements, 12heartbeat connection, 18host files, 16

I

IBM system zconfiguring point-to-point interfaces, 54, 63enabling interface options, 70point-to-point interfaces, 130

IBM zSeriesactivating initial configuration, 115disabling NIC boot-time check, 114enable_takeover QETH parameter, 110engine configuration, 103installation, 97�126IPLing stonegate DASD, 103one-time password, 117partitioning ending DASD, 120restart engine configuration, 118SGINST EXEC script, 119sniffing network interface, 113

importing initial configuration, 87importing licenses, 156�157initial configuration

activating on IBM zSeries, 115activating on Intel and compatible, 90saving, 78

installingclients using web start, 44�45dynamic updates, 39engine on IBM zSeries, 97�126engine on Intel or compatible, 83files for, 16licenses, 35log server, 29management center, 23�47management client, 30management server, 28monitoring server, 30overview to, 15

integrity of files, 16�17interface mode for CVIs, 62interface modes for CVIs, 18interface options for IBM system z, 70interface types for firewall cluster, 18IP-address-bound licenses, 17IUCV device

configuring, 107

L

LCS deviceconfiguring, 111

legal information, 205licenses, 17�18

generating, 154�155installing, 35, 156�157IP-address-bound, 17management bound, 17retained, 78retained type, 157upgrading, 154, 155�156

linux for management center, 24locations, 71�73

226226

log server, 29�30, 37changing IP address, 165�166contact address, 77

M

management bound licenses, 17, 78management center

components, 14installing, 23�47uninstalling, 168�169upgrading, 158

management clientconfiguration files, 168installing, 30starting, 33web start, 45

management serverchanging IP address, 164�166contact address, 76installing, 28starting, 33

management server database user account, 28

MD5 checksum, 16�17, 153monitoring server, 30

N

NAT (network address translation)contact address, 73locations, 71�73

NDI, 18network interfaces

cluster, 61CVI (Cluster Virtual Interface), 61NDI (Node Dedicated Interface), 54, 65, 66, 68single firewall, 55

NIC boot-time check on IBM zSeriesdisabling, 114

node dedicated interface, 18non-graphical installation, 46�47

O

one-time passwordcreating, 78on IBM zSeries, 117on Intel and compatible, 92

overview to the installation, 15

P

packet dispatch mode, 19partitioning

engine DASD on IBM zSeries, 120engine hard disk on Intel or compatible, 93

platforms supported, 16point-to-point system z interfaces, 54, 63policies, 142�146

Q

QETH parametersenable_takeover, 110

R

requirements for hardware, 12rescue install option, 163restart engine configuration

on IBM zSeries, 118on Intel and compatible, 92

retained licenses, 78, 157routing, 130�142

S

serverslog server, 29�30management server, 28monitoring server, 30

sgadmin user account, 24SGINST EXEC script, 100SHA-1 checksum, 16�17, 153

227

single firewalldefining VLAN ID, 53network interfaces, 55VLAN tagging, 52

sniffing network interfaceon IBM zSeries, 113on Intel and compatible, 89

solaris for management center, 24starting

log server, 37management client, 33management server, 33

stonegate architecture, 14support services, 12supported platforms, 16system architecture, 14system requirements, 12

T

technical support, 12typographical conventions, 10

U

uninstallingengines, 169management center, 168�169

updating, 151�166

upgradeschanging IP addressing, 164�166

upgrading, 151�166engine, locally, 162engine, remotely, 160licenses, 154, 155�156management center, 158

USER DIRECT file, 98

V

VLAN IDdefining on firewall cluster, 61defining on single firewall, 53

VLAN taggingfirewall cluster, 59single firewall, 52

W

web start, 43�45

Z

z/VMpreparing for engine installation, 98using FTP, 99

zSeries, see IBM zSeries

228228

Available StoneGate manuals:

Product Documentation

Administrator’s Guide

Installation Guides*

Reference Guides*

End-User Documentation

Monitoring Client User’s Guide

VPN Client User’s Guide

For PDF versions of the above guides and the StoneGate technical knowledge base, visit www.stonesoft.com/support

*Available for order as a printed book.

•

•

•

•

•

Copyright 2006 Stonesoft Corporation. All rights reserved. All specifications are subject to change. The products described herein are protected by one or more of the following US and European patents: US Patent Nos. 6,912,200, 6,650,621 and 6,856,621, European Patent Nos. 1065844, 1289183, 1289202, 1326393 and 1259028; and may be protected by other US patents, foreign patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corp.

Itälahdenkatu 22 A 0021O HelsinkiFinlandtel. +358 9 4767 11fax. +358 9 4767 1234

Stonesoft Inc.

1050 Crown Pointe ParkwaySuite 900Atlanta, GA 30338, USAtel. +1 770 6681 125fax. +1 770 6681 131

Documents

StoneGate Installation Guide 3.0.7