FireBrick FB6402 User Manual

This User Manual documents Software version V1.43.001


Table of Contents

Preface
1. Introduction
1.1. The FB6000
1.1.1. Where do I start?
1.1.2. What can it do?
1.1.2.1. FB6402 Gigabit stateful firewall
1.1.3. Ethernet port capabilities
1.1.4. Product variants in the FB6000 series
1.2. About this Manual
1.2.1. Version
1.2.2. Intended audience
1.2.3. Technical details
1.2.4. Document style
1.2.5. Document conventions
1.2.6. Comments and feedback
1.3. Additional Resources
1.3.1. Technical Support
1.3.2. IRC Channel
1.3.3. Application Notes
1.3.4. White Papers
1.3.5. Training Courses
2. Getting Started
2.1. IP addressing
2.2. Accessing the web-based user interface
2.2.1. Add a new user
3. Configuration
3.1. The Object Hierarchy
3.2. The Object Model
3.2.1. Formal definition of the object model
3.2.2. Common attributes
3.3. Configuration Methods
3.4. Web User Interface Overview
3.4.1. User Interface layout
3.4.1.1. Customising the layout
3.4.2. Config pages and the object hierarchy
3.4.2.1. Configuration categories
3.4.2.2. Object settings
3.4.3. Navigating around the User Interface
3.4.4. Backing up / restoring the configuration
3.5. Configuration using XML
3.5.1. Introduction to XML
3.5.2. The root element - <config>
3.5.3. Viewing or editing XML
3.5.4. Example XML configuration
3.6. Downloading/Uploading the configuration
3.6.1. Download
3.6.2. Upload
4. System Administration
4.1. User Management
4.1.1. Login level
4.1.2. Configuration access level
4.1.3. Login idle timeout
4.1.4. Restricting user logins
4.1.4.1. Restrict by IP address
4.1.4.2. Logged in IP address
4.1.4.3. Restrict by profile
4.1.5. Password change
4.1.6. One Time Password (OTP)
4.2. General System settings
4.2.1. System name (hostname)
4.2.2. Administrative details
4.2.3. System-level event logging control
4.2.4. Home page web links
4.2.5. Password hashing
4.2.6. OTP seed hashing
4.3. Software Upgrades
4.3.1. Software release types
4.3.1.1. Breakpoint releases
4.3.2. Identifying current software version
4.3.3. Internet-based upgrade process
4.3.3.1. Manually initiating upgrades
4.3.3.2. Controlling automatic software updates
4.3.4. Manual upgrade
4.4. Boot Process
4.4.1. LED indications
4.4.1.1. Power LED status indications
4.4.1.2. Port LEDs
5. Event Logging
5.1. Overview
5.1.1. Log targets
5.1.1.1. Logging to Flash memory
5.1.1.2. Logging to the Console
5.2. Enabling logging
5.3. Logging to external destinations
5.3.1. Syslog
5.3.2. Email
5.3.2.1. E-mail process logging
5.4. Factory reset configuration log targets
5.5. Performance
5.6. Viewing logs
5.6.1. Viewing logs in the User Interface
5.6.2. Viewing logs in the CLI environment
5.7. System-event logging
5.8. Using Profiles
6. Interfaces and Subnets
6.1. Relationship between Interfaces and Physical Ports
6.1.1. Port groups
6.1.2. Interfaces
6.2. Defining an interface
6.2.1. Defining subnets
6.2.1.1. Source filtering
6.2.1.2. Using DHCP to configure a subnet
6.2.2. Setting up DHCP server parameters
6.2.2.1. Fixed/Static DHCP allocations
6.2.2.2. Restricted allocations
6.2.2.3. Special DHCP options
6.2.3. DHCP Relay Agent
6.3. Physical port settings
6.3.1. Setting duplex mode
6.3.2. Defining port LED functions
7. Session Handling
7.1. Routing vs. Firewalling
7.2. Session Tracking
7.2.1. Session termination
7.3. Session Rules
7.3.1. Overview
7.3.2. Processing flow
7.3.3. Defining Rule-Sets and Rules
7.3.3.1. Recommended method of implementing firewalling
7.3.3.2. Changes to session traffic
7.3.3.3. Graphing and traffic shaping
7.3.3.4. Configuring session time-outs
7.3.3.5. Load balancing
7.4. Network Address Translation
7.4.1. When to use NAT
7.4.2. NAT ALGs
7.4.3. Setting NAT in rules
7.4.4. What NAT does
7.4.5. NAT with PPPoE
7.4.6. NAT with other types of external routing
7.4.7. Mixing NAT and non NAT
7.4.8. Carrier grade NAT
7.4.9. Using NAT setting on subnets
8. Routing
8.1. Routing logic
8.2. Routing targets
8.2.1. Subnet routes
8.2.2. Routing to an IP address (gateway route)
8.2.3. Special targets
8.3. Dynamic route creation / deletion
8.4. Routing tables
8.5. Bonding
8.6. Route overrides
9. Profiles
9.1. Overview
9.2. Creating/editing profiles
9.2.1. Timing control
9.2.2. Tests
9.2.2.1. General tests
9.2.2.2. Time/date tests
9.2.2.3. Ping tests
9.2.3. Inverting overall test result
9.2.4. Manual override
10. Traffic Shaping
10.1. Graphs and Shapers
10.1.1. Graphs
10.1.2. Shapers
10.1.3. Ad hoc shapers
10.1.4. Long term shapers
10.2. Multiple shapers
10.3. Basic principles
11. Tunnels
11.1. IPsec (IP Security)
11.1.1. Introduction
11.1.1.1. Integrity checking
11.1.1.2. Encryption
11.1.1.3. Authentication
11.1.1.4. IKE
11.1.1.5. Manual Keying
11.1.1.6. Identities and the Authentication Mechanism
11.1.2. Setting up IPsec connections
11.1.2.1. Global IPsec parameters
11.1.2.2. IKE proposals
11.1.2.3. IKE roaming IP pools
11.1.2.4. IKE connections
11.1.2.4.1. IKE connection mode and type
11.1.2.4.2. IKE and IPsec proposal lists
11.1.2.4.3. Authentication and IKE identities
11.1.2.4.4. IP addresses
11.1.2.4.5. Road Warrior connections
11.1.2.4.6. Routing
11.1.2.4.7. Other parameters
11.1.2.5. Setting up Manual Keying
11.1.2.5.1. IP endpoints
11.1.2.5.2. Algorithms and keys
11.1.2.5.3. Routing
11.1.2.5.4. Mode
11.1.2.5.5. Other parameters
11.1.3. Using EAP with IPsec/IKE
11.1.4. Using certificates with IPsec/IKE
11.1.4.1. Creating certificates
11.1.5. Choice of algorithms
11.1.6. NAT Traversal
11.1.7. Configuring a Road Warrior server
11.1.8. Connecting to non-FireBrick devices
11.1.8.1. Using StrongSwan on Linux
11.1.8.2. Setting up a Road Warrior VPN on an Android client
11.1.8.3. Setting up a Road Warrior VPN on an iOS (iPhone/iPad) client
11.1.8.4. Manual keying using Linux ipsec-tools
11.2. FB105 tunnels
11.2.1. Tunnel wrapper packets
11.2.2. Setting up a tunnel
11.2.3. Viewing tunnel status
11.2.4. Dynamic routes
11.2.5. Tunnel bonding
11.2.6. Tunnels and NAT
11.2.6.1. FB6000 doing NAT
11.2.6.2. Another device doing NAT
11.3. Ether tunnelling
12. System Services
12.1. Protecting the FB6000
12.2. Common settings
12.3. HTTP Server configuration
12.3.1. Access control
12.3.1.1. Trusted addresses
12.4. Telnet Server configuration
12.4.1. Access control
12.5. DNS configuration
12.5.1. Blocking DNS names
12.5.2. Local DNS responses
12.5.3. Auto DHCP DNS
12.6. NTP configuration
12.7. SNMP configuration
13. Network Diagnostic Tools
13.1. Firewalling check
13.2. Access check
13.3. Packet Dumping
13.3.1. Dump parameters
13.3.2. Security settings required
13.3.3. IP address matching
13.3.4. Packet types
13.3.5. Snaplen specification
13.3.6. Using the web interface
13.3.7. Using an HTTP client
13.3.7.1. Example using curl and tcpdump
14. VRRP
14.1. Virtual Routers
14.2. Configuring VRRP
14.2.1. Advertisement Interval
14.2.2. Priority
14.3. Using a virtual router
14.4. VRRP versions
14.4.1. VRRP version 2
14.4.2. VRRP version 3
14.5. Compatibility
15. BGP
15.1. What is BGP?
15.2. BGP Setup
15.2.1. Overview
15.2.2. Standards
15.2.3. Simple example setup
15.2.4. Peer type
15.2.5. Route filtering
15.2.5.1. Matching attributes
15.2.5.2. Action attributes
15.2.6. Well known community tags
15.2.7. Announcing black hole routes
15.2.8. Announcing dead end routes
15.2.9. Bad optional path attributes
15.2.10. <network> element
15.2.11. <route>, <subnet> and other elements
15.2.12. Route feasibility testing
15.2.13. Diagnostics
15.2.14. Router shutdown
15.2.15. TTL security
16. Command Line Interface
A. CIDR and CIDR Notation
B. MAC Addresses usage
B.1. Multiple MAC addresses?
B.2. How the FireBrick allocates MAC addresses
B.2.1. Interface
B.2.2. Subnet
B.2.3. PPPoE
B.2.4. Base MAC
B.2.5. Running out of MACs
B.3. MAC address on label
B.4. Using with a DHCP server
C. VLANs : A primer
D. FireBrick specific SNMP objects
D.1. Monitoring information
D.2. BGP information
E. Command line reference
E.1. General commands
E.1.1. Trace off
E.1.2. Trace on
E.1.3. Uptime
E.1.4. General status
E.1.5. Memory usage
E.1.6. Process/task usage
E.1.7. Login
E.1.8. Logout
E.1.9. See XML configuration
E.1.10. Load XML configuration
E.1.11. Show profile status
E.1.12. Enable profile control switch
E.1.13. Disable profile control switch
E.1.14. Show RADIUS servers
E.1.15. Show DNS resolvers
E.2. Networking commands
E.2.1. Subnets
E.2.2. Ping and trace
E.2.3. Show a route from the routing table
E.2.4. List routes
E.2.5. List routing next hops
E.2.6. See DHCP allocations
E.2.7. Clear DHCP allocations
E.2.8. Lock DHCP allocations
E.2.9. Unlock DHCP allocations
E.2.10. Name DHCP allocations
E.2.11. Show ARP/ND status
E.2.12. Show VRRP status
E.2.13. Send Wake-on-LAN packet
E.3. Firewalling commands
E.3.1. Check access to services
E.3.2. Check firewall logic
E.4. BGP commands
E.5. Advanced commands
E.5.1. Panic
E.5.2. Reboot
E.5.3. Screen width
E.5.4. Make outbound command session
E.5.5. Show command sessions
E.5.6. Kill command session
E.5.7. Flash memory list
E.5.8. Delete block from flash
E.5.9. Boot log
E.5.10. Flash log
F. Constant Quality Monitoring - technical details
F.1. Access to graphs and csvs
F.1.1. Trusted access
F.1.2. Dated information
F.1.3. Authenticated access
F.2. Graph display options
F.2.1. Data points
F.2.2. Additional text
F.2.3. Other colours and spacing
F.3. Overnight archiving
F.3.1. Full URL format
F.3.2. Load handling
F.4. Graph scores
F.5. Creating graphs, and graph names
G. Configuration Objects
G.1. Top level
G.1.1. config: Top level config
G.2. Objects
G.2.1. system: System settings
G.2.2. link: Web links
G.2.3. user: Admin users
G.2.4. eap: User access controlled by EAP
G.2.5. log: Log target controls
G.2.6. log-syslog: Syslog logger settings
G.2.7. log-email: Email logger settings
G.2.8. services: System services
G.2.9. snmp-service: SNMP service settings
G.2.10. ntp-service: NTP service settings
G.2.11. telnet-service: Telnet service settings
G.2.12. http-service: HTTP service settings
G.2.13. dns-service: DNS service settings
G.2.14. dns-host: Fixed local DNS host settings
G.2.15. dns-block: Fixed local DNS blocks
G.2.16. ethernet: Physical port controls
G.2.17. sampling: Packet sampling configuration
G.2.18. portdef: Port grouping and naming
G.2.19. interface: Port-group/VLAN interface settings
G.2.20. subnet: Subnet settings
G.2.21. vrrp: VRRP settings
G.2.22. dhcps: DHCP server settings
G.2.23. dhcp-attr-hex: DHCP server attributes (hex)
G.2.24. dhcp-attr-string: DHCP server attributes (string)
G.2.25. dhcp-attr-number: DHCP server attributes (numeric)
G.2.26. dhcp-attr-ip: DHCP server attributes (IP)
G.2.27. route: Static routes
G.2.28. network: Locally originated networks
G.2.29. blackhole: Dead end networks
G.2.30. loopback: Locally originated networks
G.2.31. namedbgpmap: Mapping and filtering rules of BGP prefixes
G.2.32. bgprule: Individual mapping/filtering rule
G.2.33. bgp: Overall BGP settings
G.2.34. bgppeer: BGP peer definitions
G.2.35. bgpmap: Mapping and filtering rules of BGP prefixes
G.2.36. cqm: Constant Quality Monitoring settings
G.2.37. fb105: FB105 tunnel definition
G.2.38. fb105-route: FB105 routes
G.2.39. ipsec-ike: IPsec configuration (IKEv2)
G.2.40. ike-connection: connection configuration
G.2.41. ipsec-route: IPsec tunnel routes
G.2.42. ike-roaming: IKE roaming IP pools
G.2.43. ike-proposal: IKE security proposal
G.2.44. ipsec-proposal: IPsec AH/ESP proposal
G.2.45. ipsec-manual: peer configuration
G.2.46. profile: Control profile
G.2.47. profile-date: Test passes if within any of the time ranges specified
G.2.48. profile-time: Test passes if within any of the date/time ranges specified
G.2.49. profile-ping: Test passes if any addresses are pingable
G.2.50. shaper: Traffic shaper
G.2.51. shaper-override: Traffic shaper override based on profile
G.2.52. ip-group: IP Group
G.2.53. route-override: Routing override rules
G.2.54. session-route-rule: Routing override rule
G.2.55. session-route-share: Route override load sharing
G.2.56. rule-set: Firewall/mapping rule set
G.2.57. session-rule: Firewall rules
G.2.58. session-share: Firewall load sharing
G.2.59. etun: Ether tunnel
G.2.60. dhcp-relay: DHCP server settings for remote / relayed requests
G.3. Data types
G.3.1. autoloadtype: Type of s/w auto load
G.3.2. config-access: Type of access user has to config
G.3.3. user-level: User login level
G.3.4. eap-subsystem: Subsystem with EAP access control
G.3.5. eap-method: EAP access method
G.3.6. syslog-severity: Syslog severity
G.3.7. syslog-facility: Syslog facility
G.3.8. month: Month name (3 letter)
G.3.9. day: Day name (3 letter)
G.3.10. port: Physical port
G.3.11. Crossover: Crossover configuration
G.3.12. LinkSpeed: Physical port speed
G.3.13. LinkDuplex: Physical port duplex setting
G.3.14. LinkFlow: Physical port flow control setting
G.3.15. LinkClock: Physical port Gigabit clock master/slave setting
G.3.16. LinkLED-y: Yellow LED setting
G.3.17. LinkLED-g: Green LED setting
G.3.18. LinkPower: PHY power saving options
G.3.19. LinkFault: Link fault type to send
G.3.20. sampling-protocol: Sampling protocol
G.3.21. trunk-mode: Trunk port mode
G.3.22. ramode: IPv6 route announce level
G.3.23. dhcpv6control: Control for RA and DHCPv6 bits
G.3.24. bgpmode: BGP announcement mode
G.3.25. sampling-mode: Sampling mode
G.3.26. sfoption: Source filter option
G.3.27. peertype: BGP peer type
G.3.28. ipsec-type: IPsec encapsulation type
G.3.29. ike-authmethod: authentication method
G.3.30. ike-mode: connection setup mode
G.3.31. ipsec-auth-algorithm: IPsec authentication algorithm
G.3.32. ipsec-crypt-algorithm: IPsec encryption algorithm
G.3.33. ike-PRF: IKE Pseudo-Random Function
G.3.34. ike-DH: IKE Diffie-Hellman group
G.3.35. ike-ESN: IKE Sequence Number support
G.3.36. ipsec-encapsulation: Manually keyed IPsec encapsulation mode
G.3.37. switch: Profile manual setting
G.3.38. dynamic-graph: Type of dynamic graph
G.3.39. firewall-action: Firewall action
G.4. Basic types
Index

List of Figures

2.1. Initial web page in factory reset state
2.2. Initial "Users" page
2.3. Setting up a new user
2.4. Configuration being stored
3.1. Main menu
3.2. Icons for layout controls
3.3. Icons for configuration categories
3.4. The "Setup" category
3.5. Editing an "Interface" object
3.6. Show hidden attributes
3.7. Attribute definitions
3.8. Navigation controls
4.1. Setting up a new user
4.2. Software upgrade available notification
4.3. Manual Software upload
7.1. Example sessions created by drop and reject actions
7.2. Processing flow chart for rule-sets and session-rules
B.1. Product label showing MAC address range

List of Tables

2.1. IP addresses for computer
2.2. IP addresses to access the FireBrick
2.3. IP addresses to access the FireBrick
3.1. Special character sequences
4.1. User login levels
4.2. Configuration access levels
4.3. General administrative details attributes
4.4. Attributes controlling auto-upgrades
4.5. Power LED status indications
5.1. Logging attributes
5.2. System-Event Logging attributes
7.1. Action attribute values
8.1. Example route targets
11.1. IPsec algorithm key lengths
11.2. IKE / IPsec algorithm proposals
12.1. List of system services
12.2. List of system services
13.1. Packet dump parameters
13.2. Packet types that can be captured
15.1. Peer types
15.2. Communities
15.3. Network attributes
B.1. DHCP client names used
D.1. iso.3.6.1.4.1.24693.1
D.2. iso.3.6.1.4.1.24693.179
F.1. File types
F.2. Colours
F.3. Text
F.4. Text
F.5. URL formats
G.1. config: Attributes
G.2. config: Elements
G.3. system: Attributes
G.4. system: Elements
G.5. link: Attributes
G.6. user: Attributes
G.7. eap: Attributes
G.8. log: Attributes
G.9. log: Elements
G.10. log-syslog: Attributes
G.11. log-email: Attributes
G.12. services: Elements
G.13. snmp-service: Attributes
G.14. ntp-service: Attributes
G.15. telnet-service: Attributes
G.16. http-service: Attributes
G.17. dns-service: Attributes
G.18. dns-service: Elements
G.19. dns-host: Attributes
G.20. dns-block: Attributes
G.21. ethernet: Attributes
G.22. sampling: Attributes
G.23. portdef: Attributes
G.24. interface: Attributes
G.25. interface: Elements
G.26. subnet: Attributes
G.27. vrrp: Attributes
G.28. dhcps: Attributes
G.29. dhcps: Elements
G.30. dhcp-attr-hex: Attributes
G.31. dhcp-attr-string: Attributes
G.32. dhcp-attr-number: Attributes
G.33. dhcp-attr-ip: Attributes
G.34. route: Attributes
G.35. network: Attributes
G.36. blackhole: Attributes
G.37. loopback: Attributes
G.38. namedbgpmap: Attributes
G.39. namedbgpmap: Elements
G.40. bgprule: Attributes
G.41. bgp: Attributes
G.42. bgp: Elements
G.43. bgppeer: Attributes
G.44. bgppeer: Elements
G.45. bgpmap: Attributes
G.46. bgpmap: Elements
G.47. cqm: Attributes
G.48. fb105: Attributes
G.49. fb105: Elements
G.50. fb105-route: Attributes
G.51. ipsec-ike: Attributes
G.52. ipsec-ike: Elements
G.53. ike-connection: Attributes
G.54. ike-connection: Elements
G.55. ipsec-route: Attributes
G.56. ike-roaming: Attributes
G.57. ike-proposal: Attributes
G.58. ipsec-proposal: Attributes
G.59. ipsec-manual: Attributes
G.60. ipsec-manual: Elements
G.61. profile: Attributes
G.62. profile: Elements
G.63. profile-date: Attributes
G.64. profile-time: Attributes
G.65. profile-ping: Attributes
G.66. shaper: Attributes
G.67. shaper: Elements
G.68. shaper-override: Attributes
G.69. ip-group: Attributes
G.70. route-override: Attributes
G.71. route-override: Elements
G.72. session-route-rule: Attributes
G.73. session-route-rule: Elements
G.74. session-route-share: Attributes
G.75. rule-set: Attributes
G.76. rule-set: Elements
G.77. session-rule: Attributes
G.78. session-rule: Elements
G.79. session-share: Attributes
G.80. etun: Attributes
G.81. dhcp-relay: Attributes
G.82. dhcp-relay: Elements
G.83. autoloadtype: Type of s/w auto load
G.84. config-access: Type of access user has to config
G.85. user-level: User login level
G.86. eap-subsystem: Subsystem with EAP access control
G.87. eap-method: EAP access method
G.88. syslog-severity: Syslog severity
G.89. syslog-facility: Syslog facility
G.90. month: Month name (3 letter)
G.91. day: Day name (3 letter)
G.92. port: Physical port
G.93. Crossover: Crossover configuration
G.94. LinkSpeed: Physical port speed
G.95. LinkDuplex: Physical port duplex setting
G.96. LinkFlow: Physical port flow control setting
G.97. LinkClock: Physical port Gigabit clock master/slave setting
G.98. LinkLED-y: Yellow LED setting
G.99. LinkLED-g: Green LED setting
G.100. LinkPower: PHY power saving options
G.101. LinkFault: Link fault type to send
G.102. sampling-protocol: Sampling protocol
G.103. trunk-mode: Trunk port mode
G.104. ramode: IPv6 route announce level
G.105. dhcpv6control: Control for RA and DHCPv6 bits
G.106. bgpmode: BGP announcement mode
G.107. sampling-mode: Sampling mode
G.108. sfoption: Source filter option
G.109. peertype: BGP peer type
G.110. ipsec-type: IPsec encapsulation type
G.111. ike-authmethod: authentication method
G.112. ike-mode: connection setup mode
G.113. ipsec-auth-algorithm: IPsec authentication algorithm
G.114. ipsec-crypt-algorithm: IPsec encryption algorithm
G.115. ike-PRF: IKE Pseudo-Random Function
G.116. ike-DH: IKE Diffie-Hellman group
G.117. ike-ESN: IKE Sequence Number support
G.118. ipsec-encapsulation: Manually keyed IPsec encapsulation mode
G.119. switch: Profile manual setting
G.120. dynamic-graph: Type of dynamic graph
G.121. firewall-action: Firewall action
G.122. Basic data types