3Com 3C16111 - SuperStack 3 Firewall Web Site Filter User Manual

Manual is about: Firewall and Firewall Web Site Filter

Summary of 3C16111 - SuperStack 3 Firewall Web Site Filter

  • Page 1

http://www.3com.com/ Part No. DUA1611-0AAA02, published August 2001. SuperStack ® 3 Firewall User Guide: SuperStack 3 Firewall 3CR16110-95, SuperStack 3 Firewall Web Site Filter 3C16111. DUA1611-0AAA02.book, page 1, Thursday, August 2, 2001, 4:01 PM.

  • Page 2

3Com Corporation, 5400 Bayfront Plaza, Santa Clara, California 95052-8145. Copyright © 2001, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) witho...

  • Page 3: Contents

Contents. About This Guide: How to Use This Guide 12; Conventions 12; Terminology 13; Feedback About This User Guide 15; Registration 16. I Getting Started. 1 Introduction: What is the SuperStack 3 Firewall? 19; Firewall and 3Com Network Supervisor 20; Firewall Features 21; Firewall Security 21; Web URL F...

  • Page 4

Redundant Power System (RPS) 31; Attaching the Firewall to the Network 32. 3 Quick Setup for the Firewall: Introduction 35; Setting Up a Management Station 36; Configuring Basic Settings 36; Setting the Password 37; Setting the Time Zone 38; Configuring WAN Settings 39; Automatic WAN Settings 39; Manual WA...

  • Page 5

Global Options 61; Dynamic Ranges 62; Static Entries 63; Viewing the DHCP Server Status 63; Using the Network Diagnostic Tools 64; Choosing a Diagnostic Tool 64. 5 Setting Up Web Filtering: Changing the Filter Settings 67; Restricting the Web Features Available 68; Setting Blocking Options 69; Specifying t...

  • Page 6

Managing the Firewall Configuration File 90; Importing the Settings File 91; Exporting the Settings File 92; Restoring Factory Default Settings 92; Using the Installation Wizard to Reconfigure the Firewall 92; Upgrading the Firewall Firmware 92. 7 Setting a Policy: Changing Policy Services 97; Amending Ne...

  • Page 7: III

Viewing the Current IPSec Security Associations 125; Configuring a VPN Security Association 125; Adding/Modifying IPSec Security Associations 126; Security Policy 127; Setting the Destination Network for the VPN Tunnel 131; Configuring the Firewall to Use a RADIUS Server 132; Changing the Global RADIUS Se...

  • Page 8

Examples of Network Access Policies 159; Resetting the Firewall 162; Resetting the Firewall 163; Reloading the Firmware 163; Direct Cable Connection 164; Direct Connection Instructions 165. 12 Troubleshooting Guide: Introduction 167; Potential Problems and Solutions 167; Power LED Not Lit 167; Power LED Fla...

  • Page 9

Intrusion Attacks 176; External Access 176; Port Scanning 177; IP Spoofing 177; Trojan Horse Attacks 177. 14 Networking Concepts: Introduction to TCP/IP 179; IP and TCP 179; IP Addressing 179; Network Address Translation (NAT) 182; Limitations of Using NAT 182; Dynamic Host Configuration Protocol (DHCP) 183 ...

  • Page 10

D Technical Support: Online Technical Services 201; World Wide Web Site 201; 3Com Knowledgebase Web Services 201; 3Com FTP Site 202; Support From Your Network Supplier 202; Support From 3Com 202; Returning Products for Repair 204. Index. Regulatory Notices.

  • Page 11: About This Guide

About This Guide. This guide describes the following products: ■ SuperStack 3 Firewall 3CR16110-95 ■ SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmware ■ SuperStack 3 Firewall Web Site Filter 3C16111. Introduction: This guide describes how to set up and maintain the SuperStack ® 3 Firewall ...

  • Page 12

12 About This Guide. How to Use This Guide: Table 1 shows where to look for specific information in this guide. Conventions: Table 2 and Table 3 list conventions that are used throughout this guide. Table 1 Where to find specific information: If you are looking for... Turn to... A description of the ...

  • Page 13

Terminology 13. Terminology: This section lists terminology used in this guide. DMZ — Demilitarized Zone port. The firewall has an extra port. If you connect publicly-accessible servers and workstations to this port, they are accessible from the Internet but still protected from denial of service atta...

  • Page 14

14 About This Guide. ...a network number and a host number, or a network number, a subnet number, and a host number. IP spoof — forging the source IP address of a packet, a technique used in DoS and other attacks. An IP spoof uses a fake IP address to bypass security settings which may bar access from the real IP address. IRC — Internet Relay Chat. Provides a way...

  • Page 15

Feedback About This User Guide 15. RADIUS — Remote Authentication Dial-In User Service. RADIUS enables network administrators to effectively deploy and manage VPN client-based remote users. The RADIUS server allows multiple users to share a single group security association but require an additional ...

  • Page 16

16 About This Guide. ■ Part number DUA1611-0AAA02 ■ Page 24. Do not use this e-mail address for technical support questions. For information about contacting technical support, see Appendix A. Registration: To register your firewall, point your web browser to http://www.3com.com/ssfirewall, click on h...

  • Page 17: Getting Started

I Getting Started. Chapter 1 Introduction; Chapter 2 Installing the Hardware; Chapter 3 Quick Setup for the Firewall.

  • Page 19: Introduction

1 Introduction. This chapter contains the following: ■ What is the SuperStack 3 Firewall? ■ Firewall and 3Com Network Supervisor ■ Firewall Features ■ Introduction to Virtual Private Networking (VPN). What is the SuperStack 3 Firewall? The SuperStack ® 3 Firewall is a dedicated firewall appliance whi...

  • Page 20

20 Chapter 1: Introduction. ■ The demilitarized zone (DMZ) port is used for public servers, such as web or FTP servers. Machines attached to this port are visible from the WAN port, but are still protected from hacker attacks. Users on the secure LAN port can also access servers on the DMZ port. Fi...

  • Page 21

Firewall Features 21. 3Com Network Supervisor offers the following support to firewall users: ■ If your 3Com Network Supervisor management station is located on the LAN, it discovers the firewall automatically and displays it on the topology map. ■ The topology map indicates that the firewall is a 3C...

  • Page 22

22 Chapter 1: Introduction. Figure 2 Firewall security functions - default firewall policy. The firewall examines every packet that comes from outside the LAN and discards any packet that does not belong to a connection initiated from inside the LAN. This is known as stateful packet inspection. Users on the LAN have ...

  • Page 23

Firewall Features 23. The firewall will protect your network against the following denial of service attacks: ■ Ping of Death ■ Smurf attack ■ SYN flood ■ LAND attack ■ IP spoofing ■ Teardrop. To find more information on DoS and other attacks refer to Chapter 13, “Types of Attack and Firewall Defences...
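The guide only names the attacks; the following is an added example (not 3Com's code and not taken from Chapter 13 of the guide) showing what the packet-level checks for four of them look like: LAND, Smurf, ingress IP spoofing and Ping of Death. Packets are modelled as plain dicts with field names chosen for this example (iface, src, dst, proto, sport, dport, syn, icmp_type, ip_id, frag_offset, length), the LAN range 192.168.1.0/24 is assumed, and the sample packets are constructed.

```python
"""Added example: signature checks for LAND, Smurf, IP spoofing and
Ping of Death over constructed packet summaries (not the firewall's code)."""
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")   # assumed address range behind the LAN port
IP_MAX = 65535                         # maximum total length of an IPv4 datagram


def is_land(pkt):
    """LAND: a TCP SYN whose source and destination address and port are
    identical, so the victim's reply is addressed to itself."""
    return (pkt["proto"] == "tcp" and pkt.get("syn", False)
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_smurf(pkt, lan=LAN):
    """Smurf: ICMP echo request (type 8) aimed at the directed broadcast
    address, so every host on the segment answers the spoofed source."""
    return (pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
            and IPv4Address(pkt["dst"]) == lan.broadcast_address)


def is_spoofed(pkt, lan=LAN):
    """IP spoofing, ingress form: a packet arriving on the WAN port that
    claims a LAN source address cannot be genuine."""
    return pkt["iface"] == "wan" and IPv4Address(pkt["src"]) in lan


def ping_of_death_keys(pkts):
    """Ping of Death: ICMP fragments whose reassembled size would exceed
    IP_MAX. Fragment offsets are in 8-byte units; `length` is the fragment's
    payload length. Returns the (src, dst, ip_id) keys that overflow."""
    reassembled = {}
    for p in pkts:
        if p["proto"] != "icmp" or "frag_offset" not in p:
            continue
        key = (p["src"], p["dst"], p["ip_id"])
        end = p["frag_offset"] * 8 + p["length"]
        reassembled[key] = max(reassembled.get(key, 0), end)
    return {k for k, size in reassembled.items() if size > IP_MAX}


def detect(pkts):
    """Return a sorted list of (attack_name, source_ip) findings."""
    findings = set()
    for p in pkts:
        if is_land(p):
            findings.add(("land", p["src"]))
        if is_smurf(p):
            findings.add(("smurf", p["src"]))
        if is_spoofed(p):
            findings.add(("ip_spoof", p["src"]))
    for src, _dst, _ip_id in ping_of_death_keys(pkts):
        findings.add(("ping_of_death", src))
    return sorted(findings)


# Constructed sample: one legitimate SYN, then one instance of each attack.
SAMPLE = [
    {"iface": "wan", "src": "203.0.113.7", "dst": "192.168.1.2", "proto": "tcp",
     "sport": 40000, "dport": 80, "syn": True},
    {"iface": "wan", "src": "192.168.1.2", "dst": "192.168.1.2", "proto": "tcp",
     "sport": 139, "dport": 139, "syn": True},              # LAND (and a spoofed LAN source)
    {"iface": "wan", "src": "198.51.100.9", "dst": "192.168.1.255",
     "proto": "icmp", "icmp_type": 8},                      # Smurf
    {"iface": "wan", "src": "198.51.100.4", "dst": "192.168.1.2", "proto": "icmp",
     "icmp_type": 8, "ip_id": 7, "frag_offset": 0, "length": 1480},
    {"iface": "wan", "src": "198.51.100.4", "dst": "192.168.1.2", "proto": "icmp",
     "icmp_type": 8, "ip_id": 7, "frag_offset": 8189, "length": 100},  # ends at 65612 bytes
]

if __name__ == "__main__":
    for name, src in detect(SAMPLE):
        print(f"{name:14s} from {src}")
```

The Ping of Death check has to be stateful (it accumulates fragments per datagram) while the other three are decided per packet, which is why the appliance's stateful inspection matters for it; SYN flood and Teardrop detection need per-connection and per-fragment-overlap state and are not shown here.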

  • Page 24

24 Chapter 1: Introduction. ...purchase a twelve month Web Site Filter (3C16111) subscription. Both the trial and the twelve month subscription are valid for an unlimited number of users. High Availability: Given the mission critical nature of many Internet connections, each component involved in your c...

  • Page 25

Introduction to Virtual Private Networking (VPN) 25. NAT automatically translates multiple IP addresses on the private LAN to one public address that is sent out to the Internet. It enables the firewall to be used with broadband modems such as the OfficeConnect Cable Modem, and with low cost Internet...

  • Page 26

26 Chapter 1: Introduction. ...terminating device at the other end of the tunnel must be using the same level and type of encryption. See “Configuring Virtual Private Network Services” on page 123 for more details.

  • Page 27: Installing the Hardware

2 Installing the Hardware. This chapter contains the following: ■ Before You Start ■ Positioning the Firewall ■ Firewall Front Panel ■ Firewall Rear Panel ■ Redundant Power System (RPS) ■ Attaching the Firewall to the Network. WARNING: Before installing the firewall, you must read the safety informa...

  • Page 28

28 Chapter 2: Installing the Hardware. ■ A SuperStack 3 Firewall CD. ■ Warranty information. ■ Software license agreement. Positioning the Firewall: When installing the firewall, make sure that: ■ It is out of direct sunlight and away from sources of heat. ■ Cabling is away from power lines, fluore...

  • Page 29

Firewall Front Panel 29. CAUTION: Disconnect all cables from the unit before continuing. Remove the self-adhesive pads from the underside of the unit, if already fitted. 1 Place the unit the right way up on a hard, flat surface with the front facing towards you. 2 Locate a mounting bracket over the mount...

  • Page 30

30 Chapter 2: Installing the Hardware. The firewall front panel contains the following components: 1 LAN port - use a Category 5 cable with RJ-45 connectors. Connect this port to any workstation or network device that has a 10BASE-T or 100BASE-TX port. 2 DMZ port - use a Category 5 cable with RJ-4...

  • Page 31

Firewall Rear Panel 31. To diagnose faults see “Troubleshooting Guide” on page 167. 8 Power/Self Test LED - this LED shows green to indicate that the unit is switched on. This LED flashes for about 90 seconds while self-test is running, and also when restarting. If you have installed a 3Com RPS unit ...

  • Page 32

32 Chapter 2: Installing the Hardware. ■ SuperStack 3 - Advanced RPS (3C16071) ■ and 60W RPS Power Module (3C16072). Attaching the Firewall to the Network: Figure 6 illustrates one possible network configuration. Figure 6 Network connection diagram showing sample network. Never connect two ports on...

  • Page 33

Attaching the Firewall to the Network 33. To attach the firewall to your network: 1 Connect the Ethernet port labeled WAN on the front of the firewall to the Ethernet port on the Internet access device. Refer to the documentation for the Internet access device to find out the configuration of its Eth...

  • Page 34

34 Chapter 2: Installing the Hardware. The firewall is now attached to the network. By default, no traffic that originates from the Internet is allowed onto the LAN, and all communications from the LAN to the Internet are allowed. That is, all inbound connections are blocked and all outbound conne...

  • Page 35: Quick Setup for the Firewall

3 Quick Setup for the Firewall. This chapter contains the following: ■ Introduction ■ Setting Up a Management Station ■ Configuring Basic Settings ■ Configuring WAN Settings ■ Configuring LAN Settings ■ Confirming Firewall Settings. Introduction: The first time the firewall is started it runs an ins...

  • Page 36

36 Chapter 3: Quick Setup for the Firewall. The process followed by the installation wizard is described in the following sections: ■ Configuring Basic Settings ■ Configuring WAN Settings ■ Configuring LAN Settings ■ Confirming Firewall Settings. Setting Up a Management Station: The firewall has th...

  • Page 37

Configuring Basic Settings 37. Figure 7 Installation Wizard startup screen. Click the Next button to start configuring your firewall using the installation wizard. The Set Your Password screen will be displayed as shown in Figure 8 below. If you want to configure your firewall manually, click the Canc...

  • Page 38

38 Chapter 3: Quick Setup for the Firewall. Figure 8 Set Password screen. Click the Next button to continue. Setting the Time Zone: Select the time zone appropriate to your location and click the Next button to continue. The time zone you choose will affect the time recorded in the logs. Figure 9 S...

  • Page 39

Configuring WAN Settings 39. ...installation wizard will prompt you for the required settings. Configuring WAN Settings: The installation wizard detects if the firewall has been automatically allocated an address for its WAN port. ■ If the firewall has been allocated an IP address then it will attempt to...

  • Page 40

40 Chapter 3: Quick Setup for the Firewall. Manual WAN Settings: If the installation wizard is unable to detect an automatic address server on the WAN port, or if the WAN port is not connected, it will display a dialog box informing you of this and offer the choice of: ■ Connecting your firewall (if...

  • Page 41

Configuring WAN Settings 41. ■ Using a single static IP address — this address must be taken by the firewall’s WAN port to allow devices connected to the LAN port to communicate with devices connected to the WAN port. Network Address Translation (NAT) will be enabled. ■ Using multiple static IP addre...

  • Page 42

42 Chapter 3: Quick Setup for the Firewall. To configure the WAN networking of your firewall enter the following: 1 In the Firewall WAN IP Address field enter the single address which has been allocated to your firewall. Enter the subnet mask for the above IP address in the WAN/DMZ Subnet Mask fie...

  • Page 43

Configuring WAN Settings 43. Click the Next button to proceed to the Getting to the Internet screen shown in Figure 14 below. Figure 14 Setting the firewall WAN configuration. The Getting to the Internet screen contains the following fields: 1 Firewall WAN IP Address — choose one of the addresses allo...

  • Page 44

44 Chapter 3: Quick Setup for the Firewall. Using an IP Address Provided by a PPPoE Server: Select the Provided You With Two or More IP Addresses option and click the Next button. The Firewall’s ISP Settings (PPPoE) screen will be displayed as shown in Figure 15 below. Figure 15 Configuring the fi...

  • Page 45

Configuring LAN Settings 45. ■ If there is no DHCP server found on the network connected to the LAN port then the firewall’s DHCP server is activated, allowing automatic address configuration on your LAN. ■ If there is a DHCP server found on the network connected to the LAN port then the firewall deac...

  • Page 46

46 Chapter 3: Quick Setup for the Firewall. Otherwise the Firewall’s DHCP Server screen will be displayed as shown in Figure 17 below. Figure 17 Configuring the firewall’s DHCP server. If you want to use the firewall as a DHCP server to automatically provide IP addresses for the computers on your ...

  • Page 47

Confirming Firewall Settings 47. Figure 18 Firewall configuration summary. ■ If you want to keep a hard copy of this page click the Print This Page button. ■ To accept the settings click the Next button. ■ To change the configuration of the firewall click the Back button. ■ If you want to configure th...

  • Page 48

48 Chapter 3: Quick Setup for the Firewall. Figure 19 Congratulations page. Click the Restart button to complete the configuration of the firewall using the installation wizard. The firewall will take under a minute to restart, during which time the Power/Self Test LED will flash. When the Power/Se...

  • Page 49: Configuring the Firewall

II Configuring the Firewall. Chapter 4 Basic Settings of the Firewall; Chapter 5 Setting Up Web Filtering; Chapter 6 Using the Firewall Diagnostic Tools; Chapter 7 Setting a Policy; Chapter 8 Advanced Settings; Chapter 9 Configuring Virtual Private Network Services; Chapter 10 Configuring High Availabili...

  • Page 51: Basic Settings of the Firewall

4 Basic Settings of the Firewall. Chapters 4 to 10 describe in detail each of the management operations available from the firewall’s web interface. You can access these operations using a web browser. Refer to Figure 20 below for menu structure details of the web interface of the firewall. Figur...

  • Page 52

52 Chapter 4: Basic Settings of the Firewall. ■ Chapter 7 — “Setting a Policy” describes the functions available in the Policy menu of the web interface. These functions enable you to control the traffic across your firewall. ■ Chapter 8 — “Advanced Settings” describes the functions available in ...

  • Page 53

Setting the Administrator Password 53. ■ ROM version ■ Firmware version ■ Device up-time in days, hours, minutes, and seconds. Problems appear in red text. For example, if the Internet router was not contacted, or the default password was not changed, this would be listed. Items listed in red require ...

  • Page 54

54 Chapter 4: Basic Settings of the Firewall. Setting the Inactivity Timeout: The Administrator Inactivity Timeout setting allows you to extend or reduce the period of time before the administrator is automatically logged out of the web interface. The firewall is pre-configured to log out the admin...

  • Page 55

Setting the Time 55. Automatically Adjust Clock for Daylight Savings Changes: Check this box to enable the firewall to adjust to daylight savings time automatically depending on the time zone you have chosen. This feature works with NTP on or off. Display UTC (Universal Time) in Logs Instead of Local...

  • Page 56

56 Chapter 4: Basic Settings of the Firewall. Changing the Basic Network Settings: Click the Settings tab from the Network menu to display the Network Settings window (see Figure 24 below). Figure 24 Network Settings, standard window. Setting the Network Addressing Mode: The network addressing mode ...

  • Page 57

Changing the Basic Network Settings 57. When using IP addresses on a LAN which have not been assigned by an Internet service provider, it is a good idea to use addresses from a special address range allocated for this purpose. The following IP address ranges can be used for private IP networks and do...

  • Page 58

58 Chapter 4: Basic Settings of the Firewall. Connect/Disconnect: Pressing the Connect button in the Network Addressing Mode section will initiate a PPPoE session. If all fields have been entered correctly, the firewall will connect to the Internet. You can terminate a PPPoE session by pressing th...

  • Page 59

Specifying DMZ Addresses 59. Specifying the DNS Settings: In the Other Settings section, specify the DNS servers. Up to three DNS servers can be specified, although not all have to be used. The firewall uses these servers to look up the addresses of machines used to download the Web Site Filter and fo...

  • Page 60

60 Chapter 4: Basic Settings of the Firewall. Click Network, and then select the DMZ Addresses tab. A window similar to that in Figure 25 displays. Figure 25 DMZ Address window. Type the addresses for the DMZ individually or as a range. Type an individual address in the From Address box. To enter ...

  • Page 61

Setting Up the DHCP Server 61. The firewall can allocate up to 255 static or dynamic IP addresses. 3Com recommends you use a dedicated DHCP server if more addresses are required. To set up the DHCP server on the firewall click Network, and then select the DHCP Server tab. A window similar to that in ...

  • Page 62

62 Chapter 4: Basic Settings of the Firewall. Subnet Mask: Enter the subnet mask for your network. This value will be given out by the DHCP server and will be used by client devices to determine the extent of your network. Domain Name: Type the registered domain name for the network in the Domain N...

  • Page 63

Viewing the DHCP Server Status 63. Delete Range: To remove a range of addresses from the dynamic pool, select it from the scrolling list of dynamic ranges, and click Delete Range. Static Entries: Static addresses are used by client machines that support BOOTP or those which require a fixed IP address. ...

  • Page 64

64 Chapter 4: Basic Settings of the Firewall. To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete. Using the Network Diagnostic Tools: The firewall has several tools built in which can help you solve network problems. Click Net...

  • Page 65

Using the Network Diagnostic Tools 65. Find Network Path: Use the Find Network Path tool to show on which port (LAN, WAN or DMZ, where appropriate) an IP host is located. This is helpful to determine if the firewall is properly configured. For example, if the firewall thinks that a machine known to be ...

  • Page 66

66 Chapter 4: Basic Settings of the Firewall. Packet Trace requires an IP address. Use the firewall’s DNS Name Lookup tool to find the IP address of a host. 1 Enter the IP address of the remote host in the Trace On IP Address box, and click Start. 2 Initiate an IP session with the remote host usi...

  • Page 67: Setting Up Web Filtering

5 Setting Up Web Filtering. This chapter describes the commands and options available in the Filter menu. The menu is broken up into five sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab. The foll...

  • Page 68

68 Chapter 5: Setting Up Web Filtering. Figure 29 Filter Settings window. Content filtering only applies to nodes on the LAN port. Select the options in the Settings window, described below, to tailor the content filtering to meet the needs of your organization. Restricting the Web Features Availa...

  • Page 69

Changing the Filter Settings 69. Cookies: Cookies are used by web servers to track usage. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of privacy, some administrators may choo...

  • Page 70

70 Chapter 5: Setting Up Web Filtering. ■ Drugs/Drug Culture ■ Militant/Extremist ■ Sex Education ■ Questionable/Illegal & Gambling ■ Alcohol & Tobacco. Visit http://www.cyberpatrol.com/cybernot to check the listing of a site or to submit a new site. Specifying When Filtering Applies: Use the time ...

  • Page 71

Filtering Web Sites Using a Custom List 71. Figure 30 Custom List window. You can add or remove web sites from the custom list. For example, if a local radio station runs a contest on its web site that is disrupting normal classroom Internet use, a school’s technology coordinator can easily add that s...

  • Page 72

72 Chapter 5: Setting Up Web Filtering. Enable Filtering on Custom List: Use this to enable or disable the custom filtering without re-entering all site names. You do not have to re-enter names when the Web Site Filter is updated each week, as the custom list does not expire. Disable All Web Traff...

  • Page 73

Updating the Web Filter 73. Updating the Web Filter: Since content on the Internet is constantly changing, make sure you update the Web Site Filter used by the firewall on a regular basis. When you subscribe to the Web Site Filter, you can specify that it is updated automatically every week for one ye...

  • Page 74

74 Chapter 5: Setting Up Web Filtering. Downloading an Updated Filter List: Download Now: Click this button to download and update the Web Site Filter immediately. This process may take a couple of minutes, depending on Internet traffic conditions, and requires a valid subscription to the Web Site F...

  • Page 75

Blocking Websites by Using Keywords 75. Blocking Websites by Using Keywords: Click Filter and then select the Keywords tab. A window similar to that in Figure 32 displays. Figure 32 Keywords window. You can block web URLs that contain specified keywords. This functions as a second line of defense again...
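The point of a keyword list as a "second line of defense" is that it only works if the filter sees the URL the way the browser does. The following is an added example (not 3Com's code, and not a description of how the appliance matches keywords) that puts a naive substring match beside a normalised one: lower-casing and bounded percent-decoding of each URL component. The keyword list and the URLs are constructed for this illustration.

```python
"""Added example: URL keyword blocking, naive versus normalised matching."""
from urllib.parse import unquote, urlsplit

BLOCKED_KEYWORDS = ("gambling", "casino")   # constructed sample list


def naive_match(url, keywords=BLOCKED_KEYWORDS):
    """Plain substring match on the raw URL: misses case and encoding tricks."""
    return any(k in url for k in keywords)


def normalize_component(text, max_rounds=3):
    """Lower-case and percent-decode until the text stops changing. The round
    limit keeps a pathological input from looping; "GAMBL%49NG" and the
    double-encoded "gambl%2549ng" both end up as "gambling"."""
    current = text
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def keyword_block(url, keywords=BLOCKED_KEYWORDS):
    """True if the normalised host, path or query contains a blocked keyword.
    Split before decoding: decoding first would turn %23 into '#', and
    urlsplit would then discard the rest of the path as a fragment."""
    parts = urlsplit(url)
    haystack = (normalize_component(parts.netloc)
                + normalize_component(parts.path)
                + "?" + normalize_component(parts.query))
    return any(k in haystack for k in keywords)


# Constructed URLs: the first and fourth are caught either way, the second
# and third only by the normalised matcher, the last by neither.
CONSTRUCTED_URLS = [
    "http://example.test/gambling/odds.html",
    "http://example.test/GAMBL%49NG/odds.html",       # upper case plus %49 ('I')
    "http://example.test/gambl%2549ng/",              # double-encoded
    "http://online-casino.example.test/index.html",   # keyword in the host name
    "http://example.test/news/today.html",
]


def compare(urls=CONSTRUCTED_URLS):
    """Return {url: (naive_result, normalised_result)} for the sample set."""
    return {u: (naive_match(u), keyword_block(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"naive={naive!s:5} normalised={hardened!s:5} {url}")
```

Substring matching also over-blocks (any path containing the letters of a keyword is caught), which is why the guide presents keywords as a backstop to the category list rather than the primary filter.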

  • Page 76

76 Chapter 5: Setting Up Web Filtering. ...agree to the terms outlined in an organization’s acceptable use policy before you allow them to browse the web any further. Click Filter, and then select the Consent tab. A window similar to that in Figure 33 displays. Figure 33 Consent window. Configuring U...

  • Page 77

Filtering by User Consent 77. Consent Page URL (Optional Filtering): When users begin an Internet session on a computer that is not always filtered, they are shown a consent page and given the option to access the Internet with or without filtering. Create this page in HTML. It may contain the text f...

  • Page 78

78 Chapter 5: Setting Up Web Filtering. ...create this page, and can add the text from the acceptable use policy, and notification that violations of the AUP are blocked and logged. Consent Page URL (Mandatory Filtering): When users access a page that you include in the list of mandatory filtered IP ...

  • Page 79: Using the Firewall Diagnostic Tools

6 Using the Firewall Diagnostic Tools. This chapter describes the commands and options available in the Log menu and the Tools menu. Each menu is broken up into sections shown in the user interface as tabs. To access a command click on either Log or Tools on the left hand side of the screen and t...

  • Page 80

80 Chapter 6: Using the Firewall Diagnostic Tools. The firewall logs the following events: ■ Unauthorized connection attempts ■ Blocked web, FTP and Gopher sites, and blocked NNTP newsgroups ■ Blocked ActiveX and Java ■ Blocked cookies and proxy attempts ■ Attacks such as IP spoofing, Ping of De...

  • Page 81

Viewing the Log 81. ...information. Much of this information refers to the Internet traffic passing through the firewall. TCP, UDP, or ICMP Packets Dropped: These log messages describe all traffic blocked from the Internet to the LAN. The source and destination IP addresses of the packet are shown. If the...

  • Page 82

82 Chapter 6: Using the Firewall Diagnostic Tools. When ActiveX or Java code is compressed into an archive it is not always possible to differentiate between the two. If either ActiveX or Java blocking is enabled, all code archives are blocked. Cookie Blocked: The IP addresses of the local machin...

  • Page 83

Changing Log and Alert Settings 83. Sending the Log: Use the Sending the Log feature to inform your administrator of the performance of the firewall and to make sure that the log file always has space for new entries. Mail Server: To enable sending log or alert messages via e-mail, you must specify the...

  • Page 84

84 Chapter 6: Using the Firewall Diagnostic Tools. ...every connection’s source and destination IP addresses, IP service, and number of bytes transferred. To support syslog, you must have an external server running a syslog daemon on UDP port 514. Syslog is a standard feature of Unix. Enter the sys...

  • Page 85

Changing Log and Alert Settings 85. When Log Overflows: In some cases the log buffer may fill up, which can happen if there is a problem with the mail server and the log cannot be successfully e-mailed. By default the firewall overwrites the log and discards its contents. As a security measure, you c...

  • Page 86

86 Chapter 6: Using the Firewall Diagnostic Tools. Attacks: When enabled, log messages showing SYN floods, Ping of Death, IP spoofing, and attempts to manage the firewall from the Internet are generated. This is enabled by default. Dropped TCP: When enabled, log messages showing blocked incoming T...

  • Page 87

Generating Reports 87. Blocked Web Sites: When enabled, all log entries that are categorized as a blocked web site are generated as an alert message. This is disabled by default. Click Update to save your changes. Generating Reports: The firewall can analyze the event log to show the following: ■ Top 2...

  • Page 88

88 Chapter 6: Using the Firewall Diagnostic Tools. Reset Data: Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the firewall is restarted. Current Sample Period: Displays the current ...

  • Page 89

Restarting the Firewall 89. ...services, such as HTTP, FTP, RealAudio and so forth, and the number of megabytes received from the service during the current sample period. Use the Bandwidth Usage by Service report to make sure the Internet services being used are appropriate for the organization. If ser...
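Page 84 says the firewall can send every connection's source, destination, service and byte count to a syslog daemon on UDP port 514, and page 89 describes the bandwidth-by-service report built from the same data. The following added example (not 3Com's code) is a small collector that parses such records and computes the report and the top-sources list off the box, where the sample period is not reset by a restart. The record layout (BSD-syslog `<PRI>` header, then a `conn` or `attack` tag followed by key=value pairs) and the log lines are constructed for this example; the firewall's real field names are not given on this page.

```python
"""Added example: syslog collector and per-service bandwidth report."""
import re
import socket
from collections import defaultdict

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
KV_RE = re.compile(r"(\w+)=(\S+)")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line):
    """Parse '<PRI>Mmm dd hh:mm:ss host tag key=value ...' into a dict, or
    return None for anything that is not a syslog record. PRI encodes
    facility * 8 + severity, as in BSD syslog."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    timestamp, remainder = rest[:15], rest[16:]      # timestamp is 15 chars wide
    tokens = remainder.split(" ")
    rec = {"facility": pri // 8, "severity": SEVERITY[pri % 8],
           "timestamp": timestamp,
           "host": tokens[0] if tokens else "",
           "tag": tokens[1] if len(tokens) > 1 else ""}
    rec.update(KV_RE.findall(remainder))
    if "bytes" in rec:
        rec["bytes"] = int(rec["bytes"])
    return rec


def _totals_by(records, key):
    totals = defaultdict(int)
    for r in records:
        if r and r["tag"] == "conn":
            totals[r[key]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def bandwidth_by_service(records):
    """Bytes per service, largest first: the 'bandwidth usage by service' report."""
    return _totals_by(records, "svc")


def top_sources(records, n=10):
    """The n LAN hosts that moved the most bytes in the sample."""
    return _totals_by(records, "src")[:n]


def attack_alerts(records):
    """Records the firewall tagged as attacks (logged by default per page 86)."""
    return [r for r in records if r and r["tag"] == "attack"]


def serve(port=514, handler=parse_line):
    """Minimal UDP syslog daemon. Binding 514 needs root, so it is not run
    here; the offline sample below exercises the same parser."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (sender, _) = sock.recvfrom(4096)
        rec = handler(data.decode("utf-8", "replace"))
        if rec:
            print(sender, rec)


# Constructed sample. <134> = local0.info, <132> = local0.warning.
SAMPLE_LINES = [
    "<134>Aug  2 16:01:00 firewall conn src=192.168.1.10 dst=203.0.113.5 svc=http bytes=120000",
    "<134>Aug  2 16:01:05 firewall conn src=192.168.1.11 dst=203.0.113.9 svc=ftp bytes=5000000",
    "<134>Aug  2 16:02:00 firewall conn src=192.168.1.10 dst=203.0.113.7 svc=http bytes=80000",
    "<132>Aug  2 16:02:30 firewall attack type=syn_flood src=198.51.100.4 dst=203.0.113.1",
    "not a syslog line at all",
]

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LINES]
    for svc, total in bandwidth_by_service(records):
        print(f"{svc:8s} {total / 1e6:8.2f} MB")
    for src, total in top_sources(records, 3):
        print(f"{src:16s} {total} bytes")
    for alert in attack_alerts(records):
        print("ATTACK", alert["type"], "from", alert["src"])
```

Keeping the collector off the firewall also answers the "when log overflows" concern on page 85: the appliance's buffer can fill or be overwritten, but the syslog copy persists on the server.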

  • Page 90

90 Chapter 6: Using the Firewall Diagnostic Tools. When the front panel Power LED stops flashing you can refresh your browser. To reset the firewall, clearing it of all settings, see “Resetting the Firewall” on page 162 for details. Managing the Firewall Configuration File: The configuration tool a...

  • Page 91

Managing the Firewall Configuration File 91. Importing the Settings File: Use this function to import a previously saved settings file back into the firewall. 1 Click Import. A window similar to that in Figure 39 displays. Figure 39 Import window. 2 Click Browse to find a file which was previously save...

  • Page 92

92 Chapter 6: Using the Firewall Diagnostic Tools. Exporting the Settings File: You can save the firewall configuration settings to a file on a local system and then reload those settings. 1 Click Export. A window similar to that in Figure 40 displays. Figure 40 Export window. 2 Choose the locatio...

  • Page 93

Upgrading the Firewall Firmware 93. When upgrading the firmware, all settings will be reset to factory default. 3Com recommends that you export the firewall’s configuration settings before uploading new firmware and then import them again after the upgrade has been completed. The firewall checks to s...

  • Page 94

94 Chapter 6: Using the Firewall Diagnostic Tools. Figure 42 Save Settings window. 2 Click Yes if you have saved the settings. A window similar to that in Figure 43 displays. Figure 43 Firmware Upload window. 3 Click Browse... and select the firmware file you have downloaded from the 3Com FTP site...

  • Page 95

Upgrading the Firewall Firmware 95. ...interrupted this way, it may result in the firewall not responding to attempts to log in. If your firewall does not respond, see Chapter 12, “Troubleshooting Guide”. 5 Restart the firewall for the changes to take effect.

  • Page 97: Setting a Policy

7 Setting a Policy. This chapter describes the commands and options available in the Policy menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on Policy on the left hand side of the screen and then on the appropriate tab. The following sections...

  • Page 98

98 Chapter 7: Setting a Policy. Click Policy, and then select the Services tab. A window similar to that in Figure 44 displays. Figure 44 Services window. Amending Network Policy Rules: The Services window contains a table showing the defined network policy rules. At the bottom of the table is the d...

  • Page 99

Changing Policy Services 99. DMZ In Checkbox: If you are using the DMZ port on the firewall, access to the protocol is not permitted from the Internet to the DMZ when this check box is cleared. When the service is selected, users on the Internet can access all hosts on the DMZ via that protocol. The de...

  • Page 100

100 Chapter 7: Setting a Policy. ...HTTP protocol even if both NetBIOS Passthrough boxes are left unchecked. Enabling Stealth Mode: By default, the firewall responds to incoming connection requests as either blocked or open. If you check the box to enable Stealth Mode and click on the Update button, n...

  • Page 101

Adding and Deleting Services 101. Adding and Deleting Services: If a protocol is not listed in the Services window, you can add the service. Click Policy, and then select the Add Service tab. A window similar to that in Figure 45 displays. Figure 45 Add Service window. The scroll list on the right side...

  • Page 102

102 Chapter 7: Setting a Policy. The new service appears in the list box to the right, along with its numeric protocol description. Note that some well-known services add more than one entry to the list box. Adding a Custom Service: To add a custom service: 1 From the Add a Known Service drop-down list...

  • Page 103

    Editing policy rules 103 marked name service (dns) [53,6] deletes just the tcp portion of the service. Editing policy rules network access policy rules evaluate network traffic’s source ip address, destination ip address, and ip protocol type to decide if the ip traffic is allowed to pass through th...

  • Page 104

    104 c hapter 7: s etting a p olicy rules are arranged in order of precedence from the most specific to the most general. For example if you block all ftp traffic in one rule and allow a machine with a specific ip address to use ftp in another rule then the second rule will override the first and wil...

  • Page 105

    Editing policy rules 105 would only be necessary if you wanted the server on the wan to initiate connections with the pc on the lan network port. Destination the destination for a rule refers to the target of the connection made by the source. As with the source this can be set to a network port spe...

  • Page 106

    106 c hapter 7: s etting a p olicy adding a new rule to add a new rule click on the add new rule button and fill in the fields that you want to change. To keep the field general rather than use a specific value leave the field at its default value. All fields can be left as default apart from the ac...

  • Page 107

    Updating user privileges 107 changing the timeout for privileged users to change the amount of time a privileged user can keep their connection open without using it enter the time in minutes into the timeout privileged users after box and click the update button. The changes made in this dialog box...

  • Page 108

    108 c hapter 7: s etting a p olicy changing passwords and privileges to change a user’s password or privileges: 1 highlight the name in the scrollable box. 2 make the changes. 3 click update user. Deleting a user to delete a user, highlight the name and click remove user. To configure a user’s machi...

  • Page 109

    Setting management method 109 setting management method you can manage your firewall locally, or remotely from a remote host such as a laptop. Click the button labeled policy on the left side of the browser window and then click the tab labeled management at the top of the window. A window similar t...

  • Page 110

    110 c hapter 7: s etting a p olicy selecting remote management when remote management is selected, a management sa is automatically generated. The management sa uses manual keying to set up a vpn tunnel between the firewall and the vpn client. The management sa also defines inbound and outbound secu...

  • Page 111: Advanced Settings

    8 Advanced Settings. This chapter describes the commands and options available in the Advanced menu. The menu is broken up into sections shown in the user interface as tabs. To access a command, click on Filter on the left-hand side of the screen and then on the appropriate tab. The following secti...

  • Page 112

    112 Chapter 8: Advanced Settings. The problem with installing a proxy server on the LAN is that each client must be configured to support the proxy, which adds to administration tasks. The alternative is to move the proxy to the WAN or DMZ, depending upon the level of protection desired, and enabl...

  • Page 113

    Automatic proxy/web cache forwarding 113. Figure 50 Deploying the firewall and Webcache together. 1 Install the Webcache as described in the SuperStack 3 Webcache User Guide (DUA1611-5AAA0x), taking into account any safety information. a Install the Webcache on a hub or switch connected to the DMZ port...

  • Page 114

    114 Chapter 8: Advanced Settings. c In the Proxy Web Server Port field, enter the number 8080. d Click Update to save your changes. 3 No configuration is necessary on the client machines. The firewall will intercept any HTTP requests for external URLs and will forward the traffic to the Webcache. Sp...

  • Page 115

    Specifying intranet settings 115. Figure 51 Connecting the firewall to protect an internal part of the network. Installing the firewall to protect the intranet: the following describes how to install and configure the firewall to provide intranet firewalling. 1 Connect the Ethernet port labeled LAN on ...

  • Page 116

    116 Chapter 8: Advanced Settings. Figure 52 Intranet window. To enable intranet firewalling, it is necessary to identify which machines are protected against unauthorized access by specifying the IP addresses of these machines. You can do this in two ways: ■ Inclusively, by specifying which machines...

  • Page 117

    Setting static routes 117. ■ Firewall's WAN link is connected directly to the Internet router — use this setting if the firewall is protecting the entire network. This is the default setting. Click Update to save the configuration. ■ Specified address ranges are attached to the LAN link — select this...

  • Page 118

    118 Chapter 8: Advanced Settings. Figure 53 Isolating a network using a second router. To configure static routes, click Advanced and then select the Static Routes tab. A window similar to that in Figure 54 displays. Figure 54 Static Routes window.

  • Page 119

    Setting up one-to-one NAT 119. LAN: the IP address and subnet on the firewall's LAN port are shown at the top of the window. See "Specifying the LAN settings" on page 57 to change these settings. DMZ/WAN: the IP addresses of the DMZ, if appropriate, and WAN ports are shown. These differ from that of th...

  • Page 120

    120 Chapter 8: Advanced Settings. You cannot include the firewall WAN IP address in a range. To set up one-to-one NAT, click Advanced, and then select the One-to-One NAT tab. A window similar to that in Figure 55 displays. Ensure that NAT is enabled before configuring one-to-one NAT. See "Setting...

  • Page 121

    Setting up one-to-one NAT 121. Private Range Begin: type the beginning IP address of the private address range being mapped in the Private Range Begin box. This is the IP address of the first machine being made accessible from the Internet. Do not include the firewall WAN IP address in any range. Publ...

  • Page 123: Configuring Virtual Private Network Services

    9 Configuring Virtual Private Network Services. This chapter describes the commands and options available in the VPN menu. The menu is broken up into sections shown in the user interface as tabs. To access a command, click on VPN on the left-hand side of the screen and then on the appropriate tab...

  • Page 124

    124 Chapter 9: Configuring Virtual Private Network Services. Figure 56 VPN Summary window. Changing the global IPSec settings: the firewall's security uses the IPSec protocol to transmit encrypted data. The settings in the Current IPSec Settings section affect all traffic transmitted across the f...

  • Page 125

    Configuring a VPN security association 125. Check the Disable All Windows Networking (NetBIOS) Broadcasts check box to disable NetBIOS traffic. Click the Update button to save your changes. Enable Fragmented Packet Handling: check the Enable Fragmented Packet Handling box to allow the firewall to redu...

  • Page 126

    126 Chapter 9: Configuring Virtual Private Network Services. Figure 57 VPN Configure window. Adding/modifying IPSec security associations: to add a new security association (SA), click the drop-down box labelled Security Associations and select the option labelled Add New SA. Set up the new SA usi...

  • Page 127

    Configuring a VPN security association 127. SA Name: enter a descriptive name for the security association in the SA Name field. This allows you to identify the link for which this security association was created. The SA Name field is not available when using GroupVPN. Disable This SA: check the Disab...

  • Page 128

    128 Chapter 9: Configuring Virtual Private Network Services. Leave the Disable All Windows Networking (NetBIOS) Broadcasts box unchecked for the Enable Windows Networking (NetBIOS) Broadcast setting to have effect. See "Disable all Windows networking (NetBIOS) broadcasts" on page 124 for detail...

  • Page 129

    Configuring a VPN security association 129. The Incoming SPI and Outgoing SPI are only used when manual keying is employed. These fields do not appear when using IKE as your IPSec keying mode. Encryption Method: the firewall supports seven encryption methods for establishing a VPN tunnel. These are sh...

  • Page 130

    130 Chapter 9: Configuring Virtual Private Network Services. Select your preferred method from the Encryption Method drop-down box. Shared Secret: a shared secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of Table 5 fi...

  • Page 131

    Configuring a VPN security association 131. ...alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to ensure that a third party cannot compromise the security of a VPN tunnel. Enter your ...

  • Page 132

    132 Chapter 9: Configuring Virtual Private Network Services. This option does not appear for the GroupVPN SA. This SA does not restrict the IP address of the client. You do not need to configure the destination network if you are configuring a VPN tunnel to a single VPN device such as fi...

  • Page 133

    Configuring the firewall to use a RADIUS server 133. ...does not respond within the specified number of retries, the VPN connection will be dropped. This field may range between 0 and 30. A value of 3 is recommended for a typical network. RADIUS Server Timeout in Seconds: the RADIUS server timeout in sec...

  • Page 134

    134 Chapter 9: Configuring Virtual Private Network Services. Enter the shared secret or administrative password of your RADIUS server in the Shared Secret field. Click the Update button to save your changes. When configured for a RADIUS server, the firewall will record both successful and failed...

  • Page 135

    Using the firewall with Check Point FireWall-1 135. ...selected for firewall VPN. If SecuRemote is used, FWZ must also be selected. 2 Create the remote object(s). These are the resources behind the remote firewall (workstations, network or group objects). Refer to the following example: a From the Manag...

  • Page 136

    136 Chapter 9: Configuring Virtual Private Network Services. f Select Gateway for the type. g Leave the FireWall-1 Installed box unchecked. h Go to the Encryption tab. Select the Other radio button and select the group or network the firewall will be encrypting for. i Select the encryption meth...

  • Page 137

    Configuring the IRE VPN client for use with the firewall 137. 9 Select the Manual IPSec and the Logging radio buttons. 10 Press the Edit button. Select the SPI key for this VPN tunnel. 11 Press the OK button when finished with the IPSec properties and press the OK button when finished with the encryp...

  • Page 138

    138 Chapter 9: Configuring Virtual Private Network Services. Setting up the GroupVPN security association: 1 Click on VPN on the left-hand side of the screen and then on the Summary tab. a Ensure that the Enable VPN checkbox is ticked. b Click the Update button to save any changes you have made....

  • Page 139

    Configuring the IRE VPN client for use with the firewall 139. Installing the IRE VPN client software: 1 Insert the CD that came with the firewall into your CD-ROM drive. 2 Go to the VPN client directory on the CD. 3 Double-click setup.exe and follow the VPN client setup program's step-by-step instruc...

  • Page 140

    140 Chapter 9: Configuring Virtual Private Network Services. 5 Close the Security Policy Editor, saving changes when prompted. 6 Delete the export file from the hard drive if it was previously copied there. The client is now set up to access your network safely across the Internet.

  • Page 141: Configuring High Availability

    10 Configuring High Availability. This chapter describes the commands and options available in the High Availability menu. The menu is broken up into sections shown in the user interface as tabs. To access a command, click on High Availability on the left-hand side of the screen and then on the app...

  • Page 142

    142 Chapter 10: Configuring High Availability. ...primary firewall and the backup firewall, then two addresses are required. High availability does not allow the use of dynamic IP address assignment from your ISP. ■ Each firewall in the high availability pair must have the same upgrades and subscript...

  • Page 143

    Configuring high availability 143. ■ Configuring high availability on the backup firewall. Both steps must be completed before the two firewalls will function as a high availability pair. Configuring high availability on the primary firewall: click the High Availability button on the left side of the f...

  • Page 144

    144 Chapter 10: Configuring High Availability. The primary and backup firewalls use a "heartbeat" signal to communicate with one another. This heartbeat is sent between the firewalls over the network segment connected to the LAN ports of the two firewalls. The interruption of this heartbeat signa...

  • Page 145

    Making configuration changes 145. 4 Log into the backup firewall. Click the Tools button on the left side of the browser window, and then click the Configuration tab at the top of the window. Next, click the Import button. 5 Click the Browse button and select the file that was previously saved using ...

  • Page 146

    146 Chapter 10: Configuring High Availability. Checking high availability status: if a failure of the primary firewall occurs, the backup firewall will assume the primary firewall's LAN and WAN IP addresses. It is therefore not possible to determine which firewall is active by logging into the LAN...

  • Page 147

    Checking high availability status 147. If the backup firewall has taken over for the primary, for example in the event of a failure of the primary firewall, the first line in the status window indicates that the backup firewall is currently active. Check the status of the backup firewall by logging ...

  • Page 148

    148 Chapter 10: Configuring High Availability. Figure 62 Log screen showing switchover of firewall. Forcing transitions: in some cases, it may be necessary to force a transition from one active firewall to another – for example, to force the primary firewall to become active again after a failure w...

  • Page 149

    Forcing transitions 149. Caution: if the Preempt Mode checkbox has been checked for the primary firewall, the primary unit will take over operation from the backup unit after the restart is complete.

  • Page 151: III Administration and Troubleshooting

    III Administration and Troubleshooting. Chapter 11 Administration and Advanced Operations. Chapter 12 Troubleshooting Guide.

  • Page 153: Administration and Advanced Operations

    11 Administration and Advanced Operations. This chapter provides some background on firewall concepts and describes some administration functions not available through the menu structure. The following sections are covered in this chapter: ■ Introducing the Web Site Filter ■ Activating the Web Sit...

  • Page 154

    154 Chapter 11: Administration and Advanced Operations. In evaluating a site for inclusion in the list, the team considers the effect of the site on a typical twelve-year-old searching the Internet unaccompanied by a parent or educator. Any easily accessible pages with graphics, text or audio whic...

  • Page 155

    Introducing the Web Site Filter 155. ...sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs. ■ Satanic/Cult: satanic material is defined as pictures or text advocating devil worship, an affinity for evil, or wickedness. A cult is defined...

  • Page 156

    156 Chapter 11: Administration and Advanced Operations. ■ Questionable/Illegal & Gambling: pictures or text advocating materials or activities of a dubious nature which may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer ha...

  • Page 157

    Using network access policy rules 157. You must have already registered the firewall before activating the Web Site Filter. Using network access policy rules: network access policy rules are the tools you use to control traffic between the LAN, DMZ and WAN ports of your firewall. Use this list to help...

  • Page 158

    158 Chapter 11: Administration and Advanced Operations. ■ Does this rule conflict with any existing rules? Once you have answered these questions, to add rules you type the information into the correct boxes in the Policy Rules window. a Action: select the Allow or Deny option button depending on ...

  • Page 159

    Using network access policy rules 159. When evaluating rules, the firewall uses the following criteria: ■ A rule defining a specific service is more specific than the default rule. ■ A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than * (all). ■ A single IP address is more specif...

  • Page 160

    160 Chapter 11: Administration and Advanced Operations. 4 Enter the blocked network's starting IP address in the Source Addr. Range Begin box and the blocked network's ending IP address in the Source Addr. Range End box. 5 Select * from the Destination Ethernet list. 6 Since the intent is to bloc...

  • Page 161

    Using network access policy rules 161. Restoring the default rules will delete all custom rules and public LAN servers. If an IKE VPN security association has been created, a service will need to be recreated to permit IKE negotiations. Protocols/services to filter: although the firewall is shipped in...

  • Page 162

    162 Chapter 11: Administration and Advanced Operations. While some of these services such as Telnet or FTP are inherently risky, blocking access to these services completely may be too drastic a policy for many sites. Not all systems, though, generally require access to all services. For example,...

  • Page 163

    Resetting the firewall 163. Resetting the firewall: to reset the firewall: 1 Disconnect the power from the firewall. 2 Using a blunt pointed object, fully press in the Reset button on the back panel. 3 Whilst holding this button in, reconnect the power to the unit. 4 Continue holding the Reset button ...

  • Page 164

    164 Chapter 11: Administration and Advanced Operations. ...make sure that you are using a browser that supports HTML uploads, otherwise you cannot upload the firmware. 2 In the box labeled Please Select a Firmware File, type in the full file and path name of the firmware image that you want to upl...

  • Page 165

    Direct cable connection 165. ...only provide limited protection the first time the administrator's password is set. In principle, an individual inside the network could capture all network transmissions and then perform mathematical analyses to discover the new administrator password. Though this is mor...

  • Page 167: Troubleshooting Guide

    12 Troubleshooting Guide. This chapter contains the following: ■ Introduction ■ Potential problems and solutions ■ Troubleshooting the firewall VPN client ■ Frequently asked questions about PPPoE. Introduction: the firewall has been designed to help you detect and solve possible problems with its ins...

  • Page 168

    168 Chapter 12: Troubleshooting Guide. Power LED flashes continuously: if the Power LED continues to flash after 120 seconds, please contact technical support (see Appendix A for information about contacting technical support). Power and Alert LED lit continuously: if the Power and Alert LEDs are bo...

  • Page 169

    Potential problems and solutions 169. ■ Remember that passwords are case-sensitive; make sure the Caps Lock key is off. ■ Click Reload or Refresh in the web browser and try again. For security reasons, the firewall sends a slightly different authentication page each time you log in to the web interfa...

  • Page 170

    170 Chapter 12: Troubleshooting Guide. Machines on the WAN are not reachable: make sure the intranet settings in the Advanced section are correct. Troubleshooting the firewall VPN client: if the firewall client is unable to negotiate with the firewall, the firewall VPN client viewer will display det...

  • Page 171

    Troubleshooting the firewall VPN client 171. Restarting the firewall with an active VPN tunnel: if you restart the firewall with a VPN client active, you must deactivate and reactivate the IRE VPN client. Restarting the firewall kills all the current VPN tunnels on the firewall side. In this case the IRE ...

  • Page 172

    172 Chapter 12: Troubleshooting Guide. Frequently asked questions about PPPoE. Why are ISPs using PPPoE in their broadband services? The theory is that PPPoE makes it easier for the end user of broadband services to connect to the Internet by simulating a dial-up connection. The ISP realizes signif...

  • Page 173: IV Firewall and Networking Concepts

    IV Firewall and Networking Concepts. Chapter 13 Types of Attack and Firewall Defences. Chapter 14 Networking Concepts.

  • Page 175: Types of Attack and Firewall Defences

    13 Types of Attack and Firewall Defences. This chapter describes some of the attacks that hackers may use to infiltrate and attack your network. It also details the way in which the firewall will counter the attacks. The following sections are covered in this chapter: ■ Denial of service attacks ...

  • Page 176

    176 Chapter 13: Types of Attack and Firewall Defences. The return address of the ping has been faked (spoofed) to appear to come from a machine on another network (the victim). The victim is then flooded with responses to the ping. As many responses are generated for only one attack, the attacke...

  • Page 177

    Trojan horse attacks 177. Port scanning: port scanning is the testing of ports to see which are active and which are disabled. Although ports are scanned as part of normal traffic, the scanning of many ports in a short period of time is a common precursor to an attack. Firewall response: none - the fire...

  • Page 179: Networking Concepts

    14 Networking Concepts. This appendix contains the following: ■ Introduction to TCP/IP ■ Network address translation (NAT) ■ Dynamic host configuration protocol (DHCP) ■ Port numbers ■ Virtual private network services. Introduction to TCP/IP: protocols are rules that networking hardware and software ...

  • Page 180

    180 Chapter 14: Networking Concepts. ...(called dotted decimal notation), for example, 123.45.67.89. Because computers use a binary number system, each number in the set must be less than 255. There are three components that contribute to an IP address: ■ IP address itself ■ Subnet mask ■ Default ga...

  • Page 181

    Introduction to TCP/IP 181. Most large centralized companies have a network manager in charge of all IP address numbers. Other companies have a distributed administration scheme that allows the local network manager to set local IP addresses. In this case, the local manager gets a sub-network or "int...

  • Page 182

    182 Chapter 14: Networking Concepts. ...the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway. Network address translation (NAT): network address translation (NAT) is used to re-map all the addresses on a LAN to a single address on the Internet. This can be useful for thr...

  • Page 183

    Dynamic host configuration protocol (DHCP) 183. ■ Not all applications lend themselves easily to address translation by NAT devices, especially applications that carry IP addresses inside the payload. ■ NAT devices operate on the assumption that each session is independent. Applications, such as ...

  • Page 184

    184 Chapter 14: Networking Concepts. Port numbers: the port numbers are divided into three ranges: ■ Well known ports — those from 0 to 1023 ■ Registered ports — those from 1024 to 49151 ■ Dynamic or private ports — those from 49152 to 65535. Well known port numbers: the well known ports are controll...

  • Page 185: Internet

    Virtual private network services 185. ■ Basic terms and concepts. Introduction to virtual private networks: virtual private networks (VPN) provide an easy, affordable, and secure means for businesses to conduct operations and provide network connectivity to all offices and partners. Using 3Com's intuit...

  • Page 186

    186 Chapter 14: Networking Concepts. ■ Linking two or more private networks together: VPN is the perfect way to connect branch offices and business partners to the primary business. Using VPN over the Internet, instead of leased site-to-site lines, offers significant cost savings and improved performa...

  • Page 187

    Virtual private network services 187. ...communications can range in length, but are typically 16 or 32 characters. The longer the key, the more difficult it is to break the encryption. The reason for this is that most methods used to break encryption involve trying every possible combination of characters, ...

  • Page 188

    188 Chapter 14: Networking Concepts. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. 3Com's implementation of DES uses a 56-bit key. 3Com...

  • Page 189

    Virtual private network services 189. The SPI must be unique, is from one to eight characters long, and is composed of hexadecimal characters. Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f. The range from "0" to "ff" inclusive is reserved by the Internet Engineerin...

  • Page 191: V Appendices

    V Appendices. Appendix A Safety Information. Appendix B Technical Specifications and Standards. Appendix C Cable Specifications. Appendix D Technical Support. Index. Regulatory Notices.

  • Page 193: A Safety Information

    A Safety Information. Warning: please read the 'Important Safety Information' section before you start. Warning (German): please read the 'Wichtige Sicherheitsinformationen' section carefully before you switch on the device. Warning (French): please read carefully the section 'Consignes imp...

  • Page 194

    194 Appendix A: Safety Information. Warning: there are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical problem with the unit that cannot be solved with the problem-solving actions in this guide, contact your supplier. Warning: disconnect the power adapter be...

  • Page 195

    Important safety instructions 195. Warning (German): there are no user-replaceable or user-serviceable parts inside the unit. If you have a problem with the switch that cannot be solved using the troubleshooting in this guide, get in touch with your supplier...

  • Page 196

    196 Appendix A: Safety Information. Warning (French): the unit operates at a safety extra-low voltage that complies with the IEC 950 standard. These conditions are maintained only if the equipment to which it is connected operates under the same conditions. Warning (French): there are no...

  • Page 197: B Technical Specifications and Standards

    B Technical Specifications and Standards. This appendix lists the technical specifications for the SuperStack 3 Firewall. The firewall has been designed and certified to the following standards: Table 7 Technical specifications of the firewall. Physical: width: 440 mm (17.3 in.), depth: 230 mm (9.0 i...

  • Page 198

    198 Appendix B: Technical Specifications and Standards. Functional: ISO/IEC 8802-3, IEEE 802.3, ICSA firewall certification. Safety: UL1950, EN 60950, CSA 22.2 #950, IEC 950. EMC: EN55022 Class A, EN 50082-1, FCC Part 15 Class A, ICES-003 Class A, VCCI Class A, EN 55024, CNS 13438 Class A. Environ...

  • Page 199: C Cable Specifications

    C Cable Specifications. Cable specifications: the firewall supports the following cable types and maximum lengths: ■ Category 5 cable. ■ Maximum cable length of 100 m (327.86 ft). Pinout diagrams: Figure 66 and Figure 67 below show the pin connections when using a straight-through Category 5 cable. T...

  • Page 200

    200 Appendix C: Cable Specifications. Figure 68 and Figure 69 below show the pin connections when using a crossover Category 5 cable. It is not necessary to use a crossover cable with your firewall, as the Normal/Uplink switch beside each port serves the same purpose. Figure 68 Connecting the firew...

  • Page 201: D Technical Support

    D Technical Support. 3Com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com ...

  • Page 202

    202 Appendix D: Technical Support. 3Com FTP site: download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week. To connect to the 3Com FTP site, enter the following information into your FTP client: ■ Hostna...

  • Page 203

    Support from 3Com 203. ■ A list of system hardware and software, including revision levels ■ Diagnostic error messages ■ Details about recent configuration changes, if applicable. Here is a list of worldwide technical telephone support numbers. These numbers are correct at the time of publication. Ref...

  • Page 204

    204 Appendix D: Technical Support. Returning products for repair: before you send a product directly to 3Com for repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender's expense. To obtain an ...

  • Page 205

    Returning products for repair 205. U.S.A. and Canada: 1 800 NET 3Com (1 800 638 3266); enterprise customers: 1 800 876 3266; 1 408 326 7120 (not toll-free). Table columns: Country, Telephone number, Fax number.

  • Page 207: Index

    Index. Numbers: 0.0.0.0 182; 10 Mbps status LED 30; 100 Mbps status LED 30; 10BASE-T cable: DMZ connection 33, LAN connection 33; 255.255.255.0 181; 3Com Knowledgebase Web Services 201; 3Com Network Supervisor 20; 3Com URL 201. A: acceptable use policy 76, 88; access, remote 24; access to URLs, restricting 23; activ...

  • Page 208

    208 Index. ...SYN flood 21; teardrop 21; DHCP: client 25, overview 24; DHCP server: setting up 60, viewing status 63; diagnostic tools 64; diagram 31; direct connection 165; disable web proxy 69; display report 88; DMZ addresses, specifying 59; DMZ port 13; DMZ port 20, attaching Internet servers to 33; DNS name lookup...

  • Page 209

    Index 209. IP address: classes 180, defined 13, 180, firewall default 36, sharing 24; IP spoof 14; IRC 14; ISP 14. J: Java: blocking 81, defined 68. K: keyword 75, field 75. L: LAN port 19, static route settings 119, users 22; LAN settings, configuring using installation wizard 44; LAND attack 14; LED: 100 Mbps 30, alert 3...

  • Page 210

    210 Index. Ping tool 65; Point-to-Point Protocol over Ethernet 14; policy rules 103, creating 157; policy, security 21; port numbers: registered 184, well-known 184; ports: DMZ 20, LAN 19, WAN 19; positioning the firewall 28; power adapter socket 31; Power LED 31; Power LED, startup status 33; power supply, redundan...

  • Page 211

    Index 211. ...3Com Knowledgebase Web Services 201, 3Com URL 201, network suppliers 202, product repair 204; technical support report 66; terminology 13; tests, self-diagnostics 33; The Learning Company 153; tools: diagnostics 64, DNS name lookup 64, packet trace 65, ping 65; top web site hits 71; troubleshooting 167...

  • Page 213

    Regulatory Notices. FCC Statement: this equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a comme...
