Embed Size (px)
Citation preview
Stonesoft NextGeneration FirewallQuick Start Guide5.5 and laterRevision B
Overview | 2
OverviewThis quick start guide provides high-level instructions for setting up pre-installed Stonesoft® Next GenerationFirewall by Forcepoint (Stonesoft NGFW) appliances. This information includes installation, initial configuration,post-setup tasks, and updates.
For complete details, see the Stonesoft Next Generation Firewall Installation Guide.
1. Check your shipmentMake sure your shipment includes all the items listed in the Packing Slip.
2. Get product documentationDownload the documentation for this product.
1. Go to https://support.forcepoint.com/Documentation.2. On the My Documentation page, click All Documents.3. Browse to the Network Security section, then select the Stonesoft Next Generation Firewall version to
display a list of documents.4. Download Stonesoft NGFW documentation for your version, including these documents.
• Stonesoft Next Generation Firewall Product Guide• Stonesoft Next Generation Firewall Installation Guide• Stonesoft Next Generation Firewall Release Notes• Stonesoft Management Center Release Notes• Hardware guide for your appliance model
Note: The titles of the 5.9 and 5.10 versions of the documents refer to the McAfee NextGeneration Firewall and the McAfee Security Management Center.
3. Plan your configurationDetermine the number and type of security engines to install and where to place the engines on your networks.
4. Set up the appliancePrepare the appliance for network integration.
1. Install any additional hardware components, such as interface modules.2. For rack-mounted appliances, install the appliance in a rack.3. Connect the appliance to your networks.
Note: Do not turn on the appliance.
Overview | 3
5. Install and configure the SMC and theManagement Client
Install the Stonesoft Management Center (SMC) on a Microsoft Windows or Linux server, then install theManagement Client on additional computers.
For system requirements, see the Stonesoft Management Center Release Notes for your version.
1. Go to https://support.forcepoint.com, log on to your account, then select the appropriate product and version.2. Download the SMC installation file.3. Go to https://stonesoftlicenses.forcepoint.com/, then generate and download the license files for the SMC
servers.4. To start the SMC installation, extract and run the setup.exe (Windows) or setup.sh (Linux) file.5. Follow the on-screen instructions to perform the initial SMC configuration.
Note: Configuring the Web Portal Server is optional and requires an extra license.
6. Log on to the Management Client by using the shortcut icon created during the installation.7. When prompted, accept the Stonesoft Management Center certificate, then install the SMC server licenses.8. (Optional) Install the Management Client on additional computers, or use Java Web Start to distribute
Management Clients from the Management Server or a web server.To distribute Management Clients from the Management Server:
• Select Home.• Right-click the Management Server and select Properties.• On the Web Start tab, select Enable.• Configure the options as needed.
Note: Make sure that the listening port is not in use on the server. The default listeningport is 80 on Windows and 8080 on Linux.
• From the client computer, connect to the Management Server using a web browser.
http://<IP address>:<port>
<IP address> is the IP address of the Management Server used for distributing the Management Clients,and <port> is the listening port (omit the port if you are using port 80 on Windows or 8080 on Linux).
• Click the Web Start Management Client link.
6. Define engine elementsUse the Management Client to configure engine elements and export the initial configuration.
Note: These steps describe the basic process for creating Single Firewall, Single IPS, and SingleLayer 2 Firewall elements. For cluster or virtual elements, see the installation guide.
1. Go to https://stonesoftlicenses.forcepoint.com/, then generate and download the license files for theengines.
Note: Each engine requires a separate license. If you use the Plug and Play configurationmethod, you do not need to create the licenses manually.
2. Select Menu > System Tools > Install Licenses.3. In the dialog box that opens, select one or more license files to install, then click Install.4. Add the security engine.
Overview | 4
• Select Configuration.• Right-click Security Engines, select New, then select the type of engine.• Enter the name and Log Server information, and configure other options as needed.
5. Add two or more interfaces.
• Select Interfaces, click Add, then select the type of interface (typically Physical).• Configure the interface properties and click OK.
Note: Depending on the appliance model, you might need to configure additional interfacessuch as wireless, ADSL, modem interfaces, or an integrated switch. See the installationguide and the hardware guide for your model.
6. Add an IP address for each non-wireless interface.
Note: You can't add an IP address for modem interfaces. Modem interfaces use DHCP toretrieve an IP address.
• Right-click the interface and select New, then select the IP address type.
• Physical and tunnel interfaces — Select IPv4 Address or IPv6 Address.• ADSL interfaces — Select IPv4 Address.
• Configure the IP address settings and click OK.• Save your changes.
7. If your appliance has a wireless interface, add an IP address to the interface.
• Right-click the wireless interface and select New SSID Interface.• Configure the interface settings, then right-click the SSID interface and select New > IPv4 Address or
New > IPv6 Address.• Configure the IP address settings and click OK.• Save your changes.
8. If your appliance has an integrated switch, add an IP address to the port group interface.
• Right-click the switch and select New Port Group Interface.• Configure the interface settings, then right-click the port group interface and select New > IPv4
Address or New > IPv6 Address.• Configure the IP address settings and click OK.• Save your changes.
9. Configure routing.10. Save the initial configuration.
• Select Home.• Right-click the engine and select Configuration > Save Initial Configuration.• Depending on your method, configure additional information.
• Automatic — Select the time zone and keyboard layout, click Save As, and save the configurationto the root directory of a USB drive.
• NGFW Initial Configuration Wizard — Make note of the one-time password, the ManagementServer IP address, and the Management Server certificate fingerprint. Click View Details to viewthis information.
• Plug and Play — (Single Firewalls only) Select the time zone and keyboard layout, then selectUpload to Installation Server.
Note: There are more considerations when selecting Plug and Play. For example,both the SMC and the engines must be registered for Plug and Play configurationbefore you configure the engines. See Knowledge Base article 9662.
• Click OK.
Overview | 5
7. Install and configure enginesPrepare the Stonesoft NGFW appliance and import the initial configuration.
Tip: The software is pre-installed on the appliances. Do not reinstall the software unlessinstructed to do so by Forcepoint support.
1. Connect a computer or laptop to the appliance.
• For Plug and Play configuration, Automatic configuration, or configuration using the NGFW InitialConfiguration Wizard on the command line, connect a serial cable to the appliance.
• For configuration using the NGFW Initial Configuration Wizard in a web browser, connect an Ethernetcable from the client device to physical port eth0_1 on the appliance. If the appliance does not have a porteth0_1, use port eth1_0. If using non-modular interfaces, use port eth1.
2. If you connected a serial cable to the appliance, use a terminal console program to connect to the appliancewith these settings:
• Bits per second — 9600 or 115,200• Data bits — 8• Parity — None• Stop bits — 1.
Note: The serial console port speed is 9600 bps in most Stonesoft NGFW appliances. Thespeed is 115,200 bps in the latest Stonesoft NGFW appliance models. See the hardwareguide for your appliance model for more information.
3. Apply the initial configuration.
Method Task
Automatic Insert the USB drive and turn on the appliance.
The appliance automatically reads from the USB drive and applies the initialconfiguration.
NGFW InitialConfiguration Wizard onthe command line
1. Turn on the appliance.2. If you exported the initial configuration to a USB drive, start the NGFW
Initial Configuration Wizard and insert the USB drive.
Note: On some Stonesoft NGFW appliance models, theNGFW Initial Configuration Wizard starts automatically.For more information about the NGFW Initial ConfigurationWizard, see the installation guide.
3. Follow the on-screen instructions to complete the configuration.
NGFW InitialConfiguration Wizard in aweb browser
1. Turn on the appliance.2. On the client device, open a web browser, then connect to
https://169.254.169.169.3. When offered a web browser client certificate, accept the certificate.4. Follow the on-screen instructions to complete the configuration.
Note: To use the NGFW Initial Configuration Wizard in a webbrowser, the Stonesoft NGFW software version must be 6.1 orlater.
Plug and Play Turn on the appliance.
Overview | 6
Method TaskThe appliance automatically connects to the Installation Server and applies theinitial configuration.
8. Upgrade the engineUpgrade the software for a single engine to the latest version.
1. Go to https://support.forcepoint.com and download the engine upgrade file, sg_engine_version_platform.zip.2. Import the engine upgrade file.
• In the Management Client, select Menu > File > Import > Import Engine Upgrades.• Select the engine upgrade file and click Import.
3. Apply the upgrade.
• Select Home.• Right-click the node and select Configuration > Upgrade Software.• Select the operation to perform.
• Remote Upgrade (transfer + activate) — Install the upgrade and restart the node with the newsoftware version.
• Remote Upgrade (transfer) — Install the upgrade without immediately restarting the node. The nodeoperates with the currently installed version.
• Remote Upgrade (activate) — Restart the node and activate the new software version.• Select the engine upgrade file and click OK.
4. After the upgrade finishes, refresh the engine policy.
9. Perform post-setup tasksWe recommend performing these post-setup tasks; see the product guide.
1. Configure the policy and routing for the engine.2. Set up accounts for administrators.3. Schedule configuration backups at regular intervals.
701-0003B00
Copyright © 1996 - 2016 Forcepoint LLC Forcepoint™ is a trademark of Forcepoint LLC.
SureView®, ThreatSeeker®, TRITON®, Sidewinder® and Stonesoft® are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company.
All other trademarks and registered trademarks are property of their respective owners.
